From 12e41d783fcb5fa58edd61c31cc55781bda4c6f6 Mon Sep 17 00:00:00 2001
From: Margo Crawford
Date: Tue, 26 Jan 2021 16:49:03 -0800
Subject: [PATCH] Refactored execCredentialForImpersonationProxy to be shared

---
 cmd/pinniped/cmd/login_oidc.go | 22 +++++++++-----
 cmd/pinniped/cmd/login_static.go | 52 ++------------------------------
 2 files changed, 16 insertions(+), 58 deletions(-)

diff --git a/cmd/pinniped/cmd/login_oidc.go b/cmd/pinniped/cmd/login_oidc.go
index 999fd8a7c..b4eb62eed 100644
--- a/cmd/pinniped/cmd/login_oidc.go
+++ b/cmd/pinniped/cmd/login_oidc.go
@@ -189,7 +189,7 @@ func runOIDCLogin(cmd *cobra.Command, deps oidcLoginCommandDeps, flags oidcLogin
 if concierge != nil && flags.useImpersonationProxy {
 // Put the token into a TokenCredentialRequest
 // put the TokenCredentialRequest in an ExecCredential
- req, err := execCredentialForImpersonationProxy(token, flags)
+ req, err := execCredentialForImpersonationProxy(token.IDToken.Token, flags.conciergeAuthenticatorType, flags.conciergeNamespace, flags.conciergeAuthenticatorName, token.IDToken.Expiry)
 if err != nil {
 return err
 }
@@ -257,10 +257,16 @@ func mustGetConfigDir() string {
 return filepath.Join(home, ".config", xdgAppName)
 }
-func execCredentialForImpersonationProxy(token *oidctypes.Token, flags oidcLoginFlags) (*clientauthv1beta1.ExecCredential, error) {
+func execCredentialForImpersonationProxy(
+ idToken string,
+ conciergeAuthenticatorType string,
+ conciergeNamespace string,
+ conciergeAuthenticatorName string,
+ tokenExpiry metav1.Time,
+) (*clientauthv1beta1.ExecCredential, error) {
 // TODO maybe de-dup this with conciergeclient.go
 var kind string
- switch strings.ToLower(flags.conciergeAuthenticatorType) {
+ switch strings.ToLower(conciergeAuthenticatorType) {
 case "webhook":
 kind = "WebhookAuthenticator"
 case "jwt":
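Review bot: The rewritten call on the `+` line packs five positional arguments onto one line, three of them adjacent strings (`flags.conciergeAuthenticatorType`, `flags.conciergeNamespace`, `flags.conciergeAuthenticatorName`) whose order the compiler cannot check, so swapping namespace and authenticator name would only surface as a rejected TokenCredentialRequest at runtime. Laying the arguments out one per line, as the new signature in the next hunk already does, keeps each value visually next to its role; the login_static.go call in the `@@ -129` hunk has the same shape. A small parameter struct would make the ordering explicit if the function grows further. runOIDCLogin begins and ends outside this hunk.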
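Review bot: The now-shared function has no doc comment, and since it turns a raw token into something kubectl will hand out, a reader needs to know what the result carries; a comment above the `+func` line along the lines of `// execCredentialForImpersonationProxy wraps idToken in a TokenCredentialRequest for the named Concierge authenticator and returns it as an ExecCredential for kubectl. The request is only encoded, not encrypted, so the result is as sensitive as idToken itself; a zero tokenExpiry leaves ExpirationTimestamp unset.` would cover it (the encoding line sits between this hunk and the next, so I am inferring it from the deleted login_static.go copy). Separately, the `default:` branch of the `switch` is also outside this hunk; the deleted copy formatted `kind` into its "invalid authenticator type" error, and `kind` is still empty in that branch, so if the surviving branch does the same it should format `conciergeAuthenticatorType` instead. The function body continues past this hunk.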
@@ -270,18 +276,18 @@ func execCredentialForImpersonationProxy(token *oidctypes.Token, flags oidcLogin
 }
 reqJSON, err := json.Marshal(&loginv1alpha1.TokenCredentialRequest{
 ObjectMeta: metav1.ObjectMeta{
- Namespace: flags.conciergeNamespace,
+ Namespace: conciergeNamespace,
 },
 TypeMeta: metav1.TypeMeta{
 Kind: "TokenCredentialRequest",
 APIVersion: loginv1alpha1.GroupName + "/v1alpha1",
 },
 Spec: loginv1alpha1.TokenCredentialRequestSpec{
- Token: token.IDToken.Token, // TODO
+ Token: idToken, // TODO
 Authenticator: corev1.TypedLocalObjectReference{
 APIGroup: &authenticationv1alpha1.SchemeGroupVersion.Group,
 Kind: kind,
- Name: flags.conciergeAuthenticatorName,
+ Name: conciergeAuthenticatorName,
 },
 },
 })
@@ -298,8 +304,8 @@ func execCredentialForImpersonationProxy(token *oidctypes.Token, flags oidcLogin
 Token: encodedToken,
 },
 }
- if !token.IDToken.Expiry.IsZero() {
- cred.Status.ExpirationTimestamp = &token.IDToken.Expiry
+ if !tokenExpiry.IsZero() {
+ cred.Status.ExpirationTimestamp = &tokenExpiry
 }
 return cred, nil
 }
diff --git a/cmd/pinniped/cmd/login_static.go b/cmd/pinniped/cmd/login_static.go
index 7477dfd4a..3b90c29c2 100644
--- a/cmd/pinniped/cmd/login_static.go
+++ b/cmd/pinniped/cmd/login_static.go
@@ -5,22 +5,17 @@ package cmd
 import (
 "context"
- "encoding/base64"
 "encoding/json"
 "fmt"
 "io"
 "os"
- "strings"
 "time"
- corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "github.com/spf13/cobra"
 clientauthv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
- authenticationv1alpha1 "go.pinniped.dev/generated/1.20/apis/concierge/authentication/v1alpha1"
- loginv1alpha1 "go.pinniped.dev/generated/1.20/apis/concierge/login/v1alpha1"
 "go.pinniped.dev/pkg/conciergeclient"
 "go.pinniped.dev/pkg/oidcclient/oidctypes"
 )
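Review bot: The `// TODO` on the `+ Token: idToken, // TODO` line is carried over verbatim with nothing saying what is still to be done, and in a function that two commands now share a bare marker is easy to misread as a known defect in how the token is handled. Either replace it with a note naming the open question or drop it; the same applies to `// TODO maybe de-dup this with conciergeclient.go` at the top of the function in the previous hunk, which this refactor is a step toward and which should now say what duplication remains. The enclosing function starts before this hunk.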
@@ -129,9 +124,10 @@ func runStaticLogin(out io.Writer, deps staticLoginDeps, flags staticLoginParams
 }
 }
 if concierge != nil && flags.useImpersonationProxy {
+ var nilExpiry metav1.Time
 // Put the token into a TokenCredentialRequest
 // put the TokenCredentialRequest in an ExecCredential
- req, err := execCredentialForImpersonationProxyStatic(token, flags)
+ req, err := execCredentialForImpersonationProxy(token, flags.conciergeAuthenticatorType, flags.conciergeNamespace, flags.conciergeAuthenticatorName, nilExpiry)
 if err != nil {
 return err
 }
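Review bot: `var nilExpiry metav1.Time` on the first `+` line is a zero value, not nil, so the name misdescribes it, and it exists only to feed one argument two lines later; passing `metav1.Time{}` inline in the `execCredentialForImpersonationProxy(...)` call and dropping the variable says the same thing more directly. Whichever form stays, a short comment such as `// static tokens carry no expiry, so the ExecCredential reports none` would make clear that the zero value is deliberate rather than an omission, since the shared function only sets ExpirationTimestamp when the value is non-zero. runStaticLogin begins and ends outside this hunk.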
@@ -139,47 +135,3 @@ func runStaticLogin(out io.Writer, deps staticLoginDeps, flags staticLoginParams
 }
 return json.NewEncoder(out).Encode(cred)
 }
-
-func execCredentialForImpersonationProxyStatic(token string, flags staticLoginParams) (*clientauthv1beta1.ExecCredential, error) {
- // TODO maybe de-dup this with conciergeclient.go
- var kind string
- switch strings.ToLower(flags.conciergeAuthenticatorType) {
- case "webhook":
- kind = "WebhookAuthenticator"
- case "jwt":
- kind = "JWTAuthenticator"
- default:
- return nil, fmt.Errorf(`invalid authenticator type: %q, supported values are "webhook" and "jwt"`, kind)
- }
- reqJSON, err := json.Marshal(&loginv1alpha1.TokenCredentialRequest{
- ObjectMeta: metav1.ObjectMeta{
- Namespace: flags.conciergeNamespace,
- },
- TypeMeta: metav1.TypeMeta{
- Kind: "TokenCredentialRequest",
- APIVersion: loginv1alpha1.GroupName + "/v1alpha1",
- },
- Spec: loginv1alpha1.TokenCredentialRequestSpec{
- Token: token, // TODO
- Authenticator: corev1.TypedLocalObjectReference{
- APIGroup: &authenticationv1alpha1.SchemeGroupVersion.Group,
- Kind: kind,
- Name: flags.conciergeAuthenticatorName,
- },
- },
- })
- if err != nil {
- return nil, err
- }
- encodedToken := base64.RawURLEncoding.EncodeToString(reqJSON)
- cred := &clientauthv1beta1.ExecCredential{
- TypeMeta: metav1.TypeMeta{
- Kind: "ExecCredential",
- APIVersion: "client.authentication.k8s.io/v1beta1",
- },
- Status: &clientauthv1beta1.ExecCredentialStatus{
- Token: encodedToken,
- },
- }
- return cred, nil
-}