Support certificate based authentication when using an exec command in the kubeconfig. Add unit tests

Pablo Galache · Pablo Galache · commit 007bbb345b3b · 2022-03-16T11:21:27.000+01:00
diff --git a/util/src/main/java/io/kubernetes/client/util/KubeConfig.java b/util/src/main/java/io/kubernetes/client/util/KubeConfig.java
@@ -48,6 +48,9 @@ public class KubeConfig {
   public static final String ENV_HOME = "HOME";
   public static final String KUBEDIR = ".kube";
   public static final String KUBECONFIG = "config";
+  public static final String CRED_TOKEN_KEY = "token";
+  public static final String CRED_CLIENT_CERTIFICATE_DATA_KEY = "clientCertificateData";
+  public static final String CRED_CLIENT_KEY_DATA_KEY = "clientKeyData";
   private static Map<String, Authenticator> authenticators = new HashMap<>();
 
   // Note to the reader: I considered creating a Config object
@@ -198,11 +201,13 @@ public String getPassword() {
   }
 
   @SuppressWarnings("unchecked")
-  public String getAccessToken() {
+  public Map<String, String> getCredentials() {
     if (currentUser == null) {
       return null;
     }
 
+    Map<String, String> credentials = new HashMap<>();
+
     Object authProvider = currentUser.get("auth-provider");
     if (authProvider != null) {
       Map<String, Object> authProviderMap = (Map<String, Object>) authProvider;
@@ -221,25 +226,28 @@ public String getAccessToken() {
               }
             }
           }
-          return auth.getToken(authConfig);
+          credentials.put(CRED_TOKEN_KEY, auth.getToken(authConfig));
+          return credentials;
         } else {
           log.error("Unknown auth provider: " + name);
         }
       }
     }
-    String tokenViaExecCredential =
-        tokenViaExecCredential((Map<String, Object>) currentUser.get("exec"));
-    if (tokenViaExecCredential != null) {
-      return tokenViaExecCredential;
+    Map<String, String> credentialsViaExecCredential =
+        credentialsViaExecCredential((Map<String, Object>) currentUser.get("exec"));
+    if (credentialsViaExecCredential != null) {
+      return credentialsViaExecCredential;
     }
     if (currentUser.containsKey("token")) {
-      return (String) currentUser.get("token");
+      credentials.put(CRED_TOKEN_KEY, (String) currentUser.get("token"));
+      return credentials;
     }
     if (currentUser.containsKey("tokenFile")) {
       String tokenFile = (String) currentUser.get("tokenFile");
       try {
         byte[] data = Files.readAllBytes(FileSystems.getDefault().getPath(tokenFile));
-        return new String(data, StandardCharsets.UTF_8);
+        credentials.put(CRED_TOKEN_KEY, new String(data, StandardCharsets.UTF_8));
+        return credentials;
       } catch (IOException ex) {
         log.error("Failed to read token file", ex);
       }
@@ -248,17 +256,20 @@ public String getAccessToken() {
   }
 
   /**
-   * Attempt to create an access token by running a configured external program.
+   * Attempt to create an access token or client certificate by running a configured external program.
    *
    * @see <a
    *     href="https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins">
    *     Authenticating » client-go credential plugins</a>
    */
   @SuppressWarnings("unchecked")
-  private String tokenViaExecCredential(Map<String, Object> execMap) {
+  private Map<String, String> credentialsViaExecCredential(Map<String, Object> execMap) {
     if (execMap == null) {
       return null;
     }
+
+    Map<String, String> credentials = new HashMap<>();
+
     String apiVersion = (String) execMap.get("apiVersion");
     if (!"client.authentication.k8s.io/v1beta1".equals(apiVersion)
         && !"client.authentication.k8s.io/v1alpha1".equals(apiVersion)) {
@@ -281,13 +292,19 @@ private String tokenViaExecCredential(Map<String, Object> execMap) {
     JsonObject status = root.getAsJsonObject().get("status").getAsJsonObject();
     JsonElement token = status.get("token");
     if (token == null) {
-      // TODO handle clientCertificateData/clientKeyData
-      // (KubeconfigAuthentication is not yet set up for that to be dynamic)
-      log.warn("No token produced by {}", command);
-      return null;
+      if (status.get("clientCertificateData") != null && status.get("clientKeyData") != null) {
+        log.debug("Obtained a client certificate from {}", command);
+        credentials.put(CRED_CLIENT_CERTIFICATE_DATA_KEY, status.get("clientCertificateData").getAsString());
+        credentials.put(CRED_CLIENT_KEY_DATA_KEY, status.get("clientKeyData").getAsString());
+        return credentials;
+      } else {
+        log.warn("No token or certificates produced by {}", command);
+        return null;
+      }
     }
     log.debug("Obtained a token from {}", command);
-    return token.getAsString();
+    credentials.put(CRED_TOKEN_KEY, token.getAsString());
+    return credentials;
     // TODO cache tokens between calls, up to .status.expirationTimestamp
     // TODO a 401 is supposed to force a refresh,
     // but KubeconfigAuthentication hardcodes AccessTokenAuthentication which does not support
diff --git a/util/src/main/java/io/kubernetes/client/util/credentials/KubeconfigAuthentication.java b/util/src/main/java/io/kubernetes/client/util/credentials/KubeconfigAuthentication.java
@@ -15,6 +15,8 @@
 import io.kubernetes.client.openapi.ApiClient;
 import io.kubernetes.client.util.KubeConfig;
 import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.util.Map;
 import org.apache.commons.lang3.StringUtils;
 
 /**
@@ -53,11 +55,20 @@ public KubeconfigAuthentication(final KubeConfig config) throws IOException {
       return;
     }
 
-    // 3. honors bearer token
-    String token = config.getAccessToken();
-    if (StringUtils.isNotEmpty(token)) {
-      delegateAuthentication = new AccessTokenAuthentication(token);
-      return;
+    // 3. honors bearer token or client certificate generated by exec command
+    Map<String, String> credentials = config.getCredentials();
+    if (credentials != null) {
+      if (StringUtils.isNotEmpty(credentials.get(KubeConfig.CRED_TOKEN_KEY))) {
+        delegateAuthentication = new AccessTokenAuthentication(credentials.get(KubeConfig.CRED_TOKEN_KEY));
+        return;
+      } else if (StringUtils.isNotEmpty(credentials.get(KubeConfig.CRED_CLIENT_CERTIFICATE_DATA_KEY))
+          && StringUtils.isNotEmpty(credentials.get(KubeConfig.CRED_CLIENT_KEY_DATA_KEY))) {
+        delegateAuthentication =
+            new ClientCertificateAuthentication(
+                credentials.get(KubeConfig.CRED_CLIENT_CERTIFICATE_DATA_KEY).getBytes(StandardCharsets.UTF_8),
+                credentials.get(KubeConfig.CRED_CLIENT_KEY_DATA_KEY).getBytes(StandardCharsets.UTF_8));
+        return;
+      }
     }
 
     // 4. falling back to dummy authentication
diff --git a/util/src/test/java/io/kubernetes/client/util/KubeConfigTest.java b/util/src/test/java/io/kubernetes/client/util/KubeConfigTest.java
@@ -61,7 +61,7 @@ public class KubeConfigTest {
   @Test
   public void testToken() {
     KubeConfig config = KubeConfig.loadKubeConfig(new StringReader(KUBECONFIG_TOKEN));
-    assertEquals(config.getAccessToken(), "foobaz");
+    assertEquals(config.getCredentials().get(KubeConfig.CRED_TOKEN_KEY), "foobaz");
   }
 
   @Test
@@ -73,7 +73,7 @@ public void testTokenFile() throws IOException {
     String replace = KUBECONFIG_TOKEN.replace("foobaz", tokenFile.getCanonicalPath());
     replace = replace.replace("token:", "tokenFile:");
     KubeConfig config = KubeConfig.loadKubeConfig(new StringReader(replace));
-    assertEquals(config.getAccessToken(), token);
+    assertEquals(config.getCredentials().get(KubeConfig.CRED_TOKEN_KEY), token);
   }
 
   public static String GCP_CONFIG =
@@ -108,7 +108,7 @@ public void testGCPAuthProvider() {
       writer.close();
 
       KubeConfig kc = KubeConfig.loadKubeConfig(new FileReader(config));
-      assertEquals("fake-token", kc.getAccessToken());
+      assertEquals("fake-token", kc.getCredentials().get(KubeConfig.CRED_TOKEN_KEY));
     } catch (Exception ex) {
       ex.printStackTrace();
       fail("Unexpected exception: " + ex);
@@ -147,7 +147,7 @@ public void testGCPAuthProviderStringDate() {
       writer.close();
 
       KubeConfig kc = KubeConfig.loadKubeConfig(new FileReader(config));
-      assertEquals("fake-token", kc.getAccessToken());
+      assertEquals("fake-token", kc.getCredentials().get(KubeConfig.CRED_TOKEN_KEY));
     } catch (Exception ex) {
       ex.printStackTrace();
       fail("Unexpected exception: " + ex);
@@ -198,7 +198,7 @@ public void testGCPAuthProviderExpiredTokenWithinGCloud() {
     KubeConfig.registerAuthenticator(new GCPAuthenticator(mockPB, null));
     try {
       KubeConfig kc = KubeConfig.loadKubeConfig(new StringReader(gcpConfigExpiredToken));
-      assertEquals("new-fake-token", kc.getAccessToken());
+      assertEquals("new-fake-token", kc.getCredentials().get(KubeConfig.CRED_TOKEN_KEY));
     } catch (Exception ex) {
       ex.printStackTrace();
       fail("Unexpected exception: " + ex);
@@ -233,7 +233,7 @@ public void testGCPAuthProviderExpiredTokenWithoutGCloud() {
     KubeConfig.registerAuthenticator(new GCPAuthenticator(null, mockGC));
     try {
       KubeConfig kc = KubeConfig.loadKubeConfig(new StringReader(gcpConfigExpiredToken));
-      assertEquals(fakeToken, kc.getAccessToken());
+      assertEquals(fakeToken, kc.getCredentials().get(KubeConfig.CRED_TOKEN_KEY));
     } catch (Exception ex) {
       ex.printStackTrace();
       fail("Unexpected exception: " + ex);
@@ -262,7 +262,7 @@ public void testAzureAuthProvider() {
             + "      name: azure\n";
     try {
       KubeConfig kc = KubeConfig.loadKubeConfig(new StringReader(azureConfig));
-      assertEquals("fake-azure-token", kc.getAccessToken());
+      assertEquals("fake-azure-token", kc.getCredentials().get(KubeConfig.CRED_TOKEN_KEY));
     } catch (Exception ex) {
       ex.printStackTrace();
       fail("Unexpected exception: " + ex);
@@ -331,8 +331,8 @@ public void testRefreshToken() {
     fake.token = "someNewToken";
     fake.refresh = "refreshToken";
 
-    String token = config.getAccessToken();
-    assertEquals(token, fake.token);
+    Map<String, String> credentials = config.getCredentials();
+    assertEquals(credentials.get(KubeConfig.CRED_TOKEN_KEY), fake.token);
   }
 
   private static final String KUBECONFIG_EXEC =
@@ -360,7 +360,7 @@ public void testExecCredentials() throws Exception {
     }
     KubeConfig kc = KubeConfig.loadKubeConfig(new StringReader(KUBECONFIG_EXEC));
     kc.setFile(folder.newFile()); // just making sure it is ignored
-    assertEquals("abc123", kc.getAccessToken());
+    assertEquals("abc123", kc.getCredentials().get(KubeConfig.CRED_TOKEN_KEY));
   }
 
   @Test
@@ -371,7 +371,7 @@ public void testExecCredentialsAlpha1() throws Exception {
     }
     KubeConfig kc =
         KubeConfig.loadKubeConfig(new StringReader(KUBECONFIG_EXEC.replace("v1beta1", "v1alpha1")));
-    assertEquals("abc123", kc.getAccessToken());
+    assertEquals("abc123", kc.getCredentials().get(KubeConfig.CRED_TOKEN_KEY));
   }
 
   private static final String KUBECONFIG_EXEC_ENV =
@@ -403,7 +403,7 @@ public void testExecCredentialsEnv() throws Exception {
     }
 
     KubeConfig kc = KubeConfig.loadKubeConfig(new StringReader(KUBECONFIG_EXEC_ENV));
-    assertEquals("abc123", kc.getAccessToken());
+    assertEquals("abc123", kc.getCredentials().get(KubeConfig.CRED_TOKEN_KEY));
   }
 
   private static final String KUBECONFIG_EXEC_BASEDIR =
@@ -448,7 +448,36 @@ public void testExecCredentialsBasedir() throws Exception {
     try (FileReader reader = new FileReader(config)) {
       KubeConfig kc = KubeConfig.loadKubeConfig(reader);
       kc.setFile(config);
-      assertEquals("abc123", kc.getAccessToken());
+      assertEquals("abc123", kc.getCredentials().get(KubeConfig.CRED_TOKEN_KEY));
     }
   }
+
+  private static final String KUBECONFIG_EXEC_CERTIFICATE =
+      "apiVersion: v1\n"
+          + "current-context: c\n"
+          + "contexts:\n"
+          + "- name: c\n"
+          + "  context:\n"
+          + "    user: u\n"
+          + "users:\n"
+          + "- name: u\n"
+          + "  user:\n"
+          + "    exec:\n"
+          + "      apiVersion: client.authentication.k8s.io/v1beta1\n"
+          + "      command: echo\n"
+          + "      args:\n"
+          + "        - >-\n"
+          + "          {\"kind\":\"ExecCredential\",\"apiVersion\":\"client.authentication.k8s.io/v1beta1\", \"status\":{\"clientCertificateData\":\"cert\",\"clientKeyData\":\"key\"}}";
+
+  @Test
+  public void testExecCredentialsCertificate() throws Exception {
+    // TODO: test exec on Windows
+    if (System.getProperty("os.name").contains("Windows")) {
+      return;
+    }
+    KubeConfig kc = KubeConfig.loadKubeConfig(new StringReader(KUBECONFIG_EXEC_CERTIFICATE));
+    assertEquals("cert", kc.getCredentials().get(KubeConfig.CRED_CLIENT_CERTIFICATE_DATA_KEY));
+    assertEquals("key", kc.getCredentials().get(KubeConfig.CRED_CLIENT_KEY_DATA_KEY));
+    assertNull(kc.getCredentials().get(KubeConfig.CRED_TOKEN_KEY));
+  }
 }
diff --git a/util/src/test/java/io/kubernetes/client/util/credentials/KubeconfigAuthenticationTest.java b/util/src/test/java/io/kubernetes/client/util/credentials/KubeconfigAuthenticationTest.java
@@ -0,0 +1,89 @@
+/*
+Copyright 2022 The Kubernetes Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+package io.kubernetes.client.util.credentials;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.times;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+
+import io.kubernetes.client.util.KubeConfig;
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.Map;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.mockito.junit.MockitoJUnitRunner;
+
+@RunWith(MockitoJUnitRunner.class)
+public class KubeconfigAuthenticationTest {
+
+  @Mock private KubeConfig kubeConfig;
+
+  @Test
+  public void testCertificateAuthenticationFromExecCommand() throws IOException {
+    Map<String, String> certCredentials = new HashMap<>();
+    certCredentials.put(KubeConfig.CRED_CLIENT_CERTIFICATE_DATA_KEY, "cert");
+    certCredentials.put(KubeConfig.CRED_CLIENT_KEY_DATA_KEY, "key");
+    when(kubeConfig.getCredentials()).thenReturn(certCredentials);
+
+    KubeconfigAuthentication kubeconfigAuthentication = new KubeconfigAuthentication(kubeConfig);
+
+    assertThat(kubeconfigAuthentication.getDelegateAuthentication())
+        .isInstanceOf(ClientCertificateAuthentication.class);
+  }
+
+  @Test
+  public void testCertificateAuthenticationFromKubeConfig() throws IOException {
+    when(kubeConfig.getDataOrFileRelative(any(), any())).thenReturn("data".getBytes());
+
+    KubeconfigAuthentication kubeconfigAuthentication = new KubeconfigAuthentication(kubeConfig);
+
+    assertThat(kubeconfigAuthentication.getDelegateAuthentication())
+        .isInstanceOf(ClientCertificateAuthentication.class);
+    verify(kubeConfig, times(2)).getDataOrFileRelative(any(), any());
+  }
+
+  @Test
+  public void testUsernamePasswordAuthenticationFromKubeConfig() throws IOException {
+    when(kubeConfig.getUsername()).thenReturn("user");
+    when(kubeConfig.getPassword()).thenReturn("password");
+
+    KubeconfigAuthentication kubeconfigAuthentication = new KubeconfigAuthentication(kubeConfig);
+
+    assertThat(kubeconfigAuthentication.getDelegateAuthentication())
+        .isInstanceOf(UsernamePasswordAuthentication.class);
+  }
+
+  @Test
+  public void testAccessTokenAuthenticationFromExecComand() throws IOException {
+    Map<String, String> certCredentials = new HashMap<>();
+    certCredentials.put(KubeConfig.CRED_TOKEN_KEY, "token");
+    when(kubeConfig.getCredentials()).thenReturn(certCredentials);
+
+    KubeconfigAuthentication kubeconfigAuthentication = new KubeconfigAuthentication(kubeConfig);
+
+    assertThat(kubeconfigAuthentication.getDelegateAuthentication())
+        .isInstanceOf(AccessTokenAuthentication.class);
+  }
+
+  @Test
+  public void testDummyAuthentication() throws IOException {
+    KubeconfigAuthentication kubeconfigAuthentication = new KubeconfigAuthentication(kubeConfig);
+
+    assertThat(kubeconfigAuthentication.getDelegateAuthentication())
+        .isInstanceOf(DummyAuthentication.class);
+  }
+}
