package populator
import (
"encoding/base64"
"fmt"
"io/ioutil"
"os"
"path/filepath"
"sync/atomic"
"github.com/nerdalize/nerd/nerd/conf"
v1payload "github.com/nerdalize/nerd/nerd/client/auth/v1/payload"
"github.com/pkg/errors"
"k8s.io/client-go/tools/clientcmd/api"
// this blank import is necessary to load the oidc plugin for client-go
_ "k8s.io/client-go/plugin/pkg/client/auth/oidc"
)
// DirPermissions are the output directory's permissions (owner rwx, group and
// others rx); used when creating the certificate directory.
const DirPermissions = 0755
// Client provides necessary information to successfully use OIDC.
// Its fields are copied verbatim into the kubeconfig's oidc auth-provider
// config ("client-id", "client-secret", "idp-issuer-url"), so the secret
// ends up on disk in that file.
type Client struct {
	// Secret necessary for OpenID connect
	Secret string
	// ID is a client id that all tokens must be issued for.
	ID string
	// IDPIssuerURL is the URL of the provider which allows the API server to discover public signing keys.
	IDPIssuerURL string
}
// OIDCPopulator is an implementation of the P interface using Open ID Connect credentials.
// Create it with newOIDC; a zero-value OIDCPopulator has no kubeconfig path stored.
type OIDCPopulator struct {
	// kubeConfigFile is the path where the kube config is stored
	// Only access this with atomic ops
	kubeConfigFile atomic.Value
	// project supplies the cluster address and optional base64 CA data.
	project *v1payload.GetProjectOutput
	// homedir is the root under which ".nerd/certs" is created.
	homedir string
	// client holds the OIDC client id, secret and issuer URL.
	client *Client
}
// newOIDC builds an OIDCPopulator for the given client, kubeconfig path,
// home directory and project. The kubeconfig path is stored through the
// atomic.Value so later readers can load it without extra locking.
func newOIDC(c *Client, kubeConfigFile, homedir string, project *v1payload.GetProjectOutput) *OIDCPopulator {
	var populator OIDCPopulator
	populator.client = c
	populator.homedir = homedir
	populator.project = project
	populator.kubeConfigFile.Store(kubeConfigFile)
	return &populator
}
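// GetKubeConfigFile returns the path where the kube config is stored.
// It returns "" instead of panicking when no path has been stored yet
// (a zero-value OIDCPopulator not created through newOIDC).
func (o *OIDCPopulator) GetKubeConfigFile() string {
	// comma-ok form: Load() yields nil before the first Store, and a bare
	// type assertion on nil would panic.
	path, _ := o.kubeConfigFile.Load().(string)
	return path
}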
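// RemoveConfig deletes the specified project's cluster, auth info and
// context ("<Prefix>-<project>") from the kubeconfig at GetKubeConfigFile()
// and writes the result back to disk. The current context is cleared only
// when it pointed at the removed project, so removing one project does not
// unset another project's active context.
func (o *OIDCPopulator) RemoveConfig(project string) error {
	// read existing config or create new if does not exist
	kubecfg, err := ReadConfigOrNew(o.GetKubeConfigFile())
	if err != nil {
		return errors.Wrap(err, "could not read kubeconfig")
	}
	// Same naming as PopulateKubeConfig: clusters and auth infos are keyed by
	// the project, the context by the prefixed name.
	contextName := fmt.Sprintf("%s-%s", Prefix, project)
	delete(kubecfg.Clusters, project)
	delete(kubecfg.AuthInfos, project)
	delete(kubecfg.Contexts, contextName)
	if kubecfg.CurrentContext == contextName {
		kubecfg.CurrentContext = ""
	}
	// write back to disk
	if err := WriteConfig(kubecfg, o.GetKubeConfigFile()); err != nil {
		return errors.Wrap(err, "could not write kubeconfig")
	}
	return nil
}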
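// PopulateKubeConfig populates an api.Config object and sets the current context to the provided project.
//
// It builds a cluster entry from o.project (server address and, when present,
// the base64 CA bundle written to disk by createCertificate), an auth entry
// backed by the client-go "oidc" auth provider using the tokens read from the
// default session file, and a context "<Prefix>-<project>" tying them
// together, then merges all three into the kubeconfig at GetKubeConfigFile().
//
// The resulting kubeconfig contains the OIDC client secret, the id token and
// the refresh token in plain text; when the project publishes no CA data the
// cluster entry is written with TLS verification disabled.
func (o *OIDCPopulator) PopulateKubeConfig(project string) error {
	if o.project == nil {
		return errors.New("no project information available to populate the kubeconfig")
	}

	cluster := api.NewCluster()
	cluster.Server = o.project.Services.Cluster.Address
	if o.project.Services.Cluster.B64CaData == "" {
		// SECURITY: without a CA bundle the API server certificate is not
		// verified at all, which exposes the connection to interception.
		// Kept for clusters that publish no CA data; prefer supplying one.
		cluster.InsecureSkipTLSVerify = true
	} else {
		cert, err := o.createCertificate(o.project.Services.Cluster.B64CaData, project, o.homedir)
		if err != nil {
			return errors.Wrap(err, "could not write cluster certificate authority")
		}
		cluster.CertificateAuthority = cert
	}

	// The OIDC tokens come from the default session file.
	filename, err := conf.GetDefaultSessionLocation()
	if err != nil {
		return err
	}
	ss := conf.NewSession(filename)
	config, err := ss.Read()
	if err != nil {
		return errors.Wrap(err, "could not read session")
	}

	auth := api.NewAuthInfo()
	auth.AuthProvider = &api.AuthProviderConfig{
		Name: "oidc",
		Config: map[string]string{
			"client-id":      o.client.ID,
			"client-secret":  o.client.Secret,
			"id-token":       config.OAuth.IDToken,
			"idp-issuer-url": o.client.IDPIssuerURL,
			"refresh-token":  config.OAuth.RefreshToken,
		},
	}

	// Cluster and auth info are keyed by the project; the context gets the
	// prefixed name that RemoveConfig also uses.
	ctx := api.NewContext()
	ctx.Cluster = project
	ctx.AuthInfo = project
	ctx.Namespace = project
	clusterName := fmt.Sprintf("%s-%s", Prefix, project)

	// read existing config or create new if does not exist
	kubecfg, err := ReadConfigOrNew(o.GetKubeConfigFile())
	if err != nil {
		return errors.Wrap(err, "could not read kubeconfig")
	}
	kubecfg.Clusters[project] = cluster
	kubecfg.AuthInfos[project] = auth
	kubecfg.Contexts[clusterName] = ctx
	kubecfg.CurrentContext = clusterName

	// write back to disk
	if err := WriteConfig(kubecfg, o.GetKubeConfigFile()); err != nil {
		return errors.Wrap(err, "could not write kubeconfig")
	}
	return nil
}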
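// createCertificate decodes the base64 CA bundle in data and writes it to
// <homedir>/.nerd/certs/<project>.cert, creating the directory with
// DirPermissions if needed. It returns the written path, or "" with a nil
// error when data is empty. Errors cover an invalid project name, a
// directory that cannot be created, undecodable data and a failed write.
func (o *OIDCPopulator) createCertificate(data, project, homedir string) (string, error) {
	if data == "" {
		return "", nil
	}
	// The project name becomes a file name component; refuse anything that
	// would resolve outside the certs directory (separators, ".", "..", "").
	if project == "" || project == "." || project == ".." || filepath.Base(project) != project {
		return "", errors.Errorf("invalid project name '%s'", project)
	}
	dir := filepath.Join(homedir, ".nerd", "certs")
	filename := filepath.Join(dir, project+".cert")
	// MkdirAll is a no-op for an existing directory and fails when the path
	// exists but is not a directory, so one call replaces stat/create/stat.
	if err := os.MkdirAll(dir, DirPermissions); err != nil {
		return "", errors.Wrap(err, fmt.Sprintf("The provided path '%s' does not exist and could not be created.", dir))
	}
	d, err := base64.StdEncoding.DecodeString(data)
	if err != nil {
		return "", errors.Wrap(err, "could not decode certificate authority data")
	}
	// A CA bundle is public material, so a world-readable file is acceptable.
	if err := ioutil.WriteFile(filename, d, 0644); err != nil {
		return "", err
	}
	return filename, nil
}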