kubeclient 4.1.2 → 4.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: '036441648e04f1ead9f4c15517c8f8ae31ecf521a77e08601fcfc4d298bbaa28'
-  data.tar.gz: 6ee8cd72c57fb7a10334d7ceebd7f51a7f38e1eced12a40b12d50c7180e56945
+  metadata.gz: 2bc02012cb0c78fc1ec3335e836c2749973e432022083fb3b95bed3d702332a5
+  data.tar.gz: 7b5d68aa1c1200d387a086a09f3a8ca628e892c84c590ef76180b37f60f8ca88
 SHA512:
-  metadata.gz: 97f3c94d05d1cc79d889c1f851a52b82162a8093ada781444f1e10209d7a3896081fdf423807598c3bae95ce107234005a149b08bf71cf7f3248398631a3dad7
-  data.tar.gz: 9924a65f531452cccd20c1fe03457acfb9ec779af055513e2dc3532849dd089613011ed3bea005f2e1a5d80243b168940620dca0a21c8842f2be4e4112ebac7f
+  metadata.gz: a5c2c2d281b9ed728faf12b8a7937283225b509d6eb4ca4dc7c6245024e1677799ced3adc1a14bf111dab9092b9061af41b0b7924d54dbef5a9f72ff90d554e9
+  data.tar.gz: 7c55c0f9c3595045ecb98b1c35d682d8aa8bb3907c3a208c33a32980890e702fca58faa927d0c82b59a69e27e5508cf1efce119ea76846c4f7b5c4bd4ee85944

data/.rubocop.yml

@@ -25,3 +25,5 @@ Security/MarshalLoad:
 Style/MethodCallWithArgsParentheses:
   IgnoredMethods:
   - require_relative
+Style/RegexpLiteral:
+  Enabled: false

data/CHANGELOG.md

@@ -4,14 +4,22 @@ Notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
 Kubeclient release versioning follows [SemVer](https://semver.org/).
 
-## 4.1.2 — 2018-12-26
+## 4.2.0 — 2018-12-20
 
-### Fixed
-- For resources that contain dashes in name, there will be an attempt to resolve the method name based on singular name prefix or by replacing the dash in names with underscores (#382).
+### Added
+- Support `user: exec: ...` credential plugins like in Go client (#363, #375).
+
+### Security
+- Really made `Kubeclient::Config.new(data, nil)` prevent external file lookups. (#372)
+  README documented this since 3.1.1 (#334) but alas that was a lie — absolute paths always worked.
+  Now this also prevents credential plugin execution.
+
+  Even in this mode, using config from untrusted sources is not recommended.
 
 ## 4.1.1 — 2018-12-17
 
 ### Fixed
+
 - Fixed method names for non-suffix plurals such as y -> ies  (#377).
 
 ## 4.1.0 — 2018-11-28 — REGRESSION

data/README.md

@@ -268,6 +268,11 @@ If you've been using `kubectl` and have a `.kube/config` file (possibly referenc
 config = Kubeclient::Config.read(ENV['KUBECONFIG'] || '/path/to/.kube/config')
 ```
 
+This will lookup external files; relative paths will be resolved relative to the file's directory, if config refers to them with relative path.
+This includes external [`exec:` credential plugins][exec] to be executed.
+
+[exec]: https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins
+
 You can also construct `Config` directly from nested data. For example if you have JSON or YAML config data in a variable:
 
 ```ruby
@@ -277,7 +282,7 @@ config = Kubeclient::Config.new(JSON.parse(json_text), nil)
 ```
 
 The 2nd argument is a base directory for finding external files, if config refers to them with relative path.
-Setting it to `nil` disables file lookups.  (A config can be self-contained by using inline fields such as `client-certificate-data`.)
+Setting it to `nil` disables file lookups, and `exec:` execution - such configs will raise an exception.  (A config can be self-contained by using inline fields such as `client-certificate-data`.)
 
 To create a client based on a Config object:
 
@@ -297,7 +302,9 @@ Kubeclient::Client.new(
 
 #### Security: Don't use config from untrusted sources
 
-Kubeclient was never reviewed for behaving safely with malicious / malformed config.
+`Config.read` is catastrophically unsafe — it will execute arbitrary command lines specified by the config!
+
+`Config.new(data, nil)` is better but Kubeclient was never reviewed for behaving safely with malicious / malformed config.
 It might crash / misbehave in unexpected ways...
 
 #### namespace
@@ -604,9 +611,9 @@ Checking the type of a resource can be done using:
 
 update_* delete_* and patch_* now return a RecursiveOpenStruct like the get_* methods
 
-The gem raises Kubeclient::HttpError or subclasses now. Catching KubeException still works but is deprecated.
+The `Kubeclient::Client` class raises `Kubeclient::HttpError` or subclasses now. Catching `KubeException` still works but is deprecated.
 
-`Kubeclient::Config#context` raises KeyError instead of RuntimeError for non-existent context name.
+`Kubeclient::Config#context` raises `KeyError` instead of `RuntimeError` for non-existent context name.
 
 <a name="past_version_1.2.0">
 

data/RELEASING.md

@@ -55,7 +55,9 @@ bundle exec rake test rubocop
 
 Create and push the tag:
 ```bash
-gem tag --destination https://github.com/abonas/kubeclient
+gem tag --no-push
+git push --tags --dry-run https://github.com/abonas/kubeclient  # Check for unexpected tags
+git push --tags https://github.com/abonas/kubeclient
 ```
 
 Release onto rubygems.org:

data/lib/kubeclient.rb

@@ -5,6 +5,7 @@ require 'kubeclient/common'
 require 'kubeclient/config'
 require 'kubeclient/entity_list'
 require 'kubeclient/google_application_default_credentials'
+require 'kubeclient/exec_credentials'
 require 'kubeclient/http_error'
 require 'kubeclient/missing_kind_compatibility'
 require 'kubeclient/resource'

data/lib/kubeclient/common.rb

@@ -163,7 +163,8 @@ module Kubeclient
             method_names = [prefix_underscores + singular_suffix,      # "network_policy"
                             prefix_underscores + plural_suffix]        # "network_policies"
           else
-            method_names = resolve_unconventional_method_names(name, kind, singular_name)
+            # Something weird, can't infer underscores for plural so just give them up
+            method_names = [singular_name, name]
           end
         end
       end
@@ -175,17 +176,6 @@ module Kubeclient
       )
     end
 
-    def self.resolve_unconventional_method_names(name, kind, singular_name)
-      underscored_name = name.tr('-', '_')
-      singular_underscores = ClientMixin.underscore_entity(kind)
-      if underscored_name.start_with?(singular_underscores)
-        [singular_underscores, underscored_name]
-      else
-        # fallback to lowercase, no separators for both names
-        [singular_name, underscored_name.tr('_', '')]
-      end
-    end
-
     def handle_uri(uri, path)
       raise ArgumentError, 'Missing uri' unless uri
       @api_endpoint = (uri.is_a?(URI) ? uri : URI.parse(uri))

data/lib/kubeclient/config.rb

@@ -18,12 +18,17 @@ module Kubeclient
       end
     end
 
-    def initialize(kcfg, kcfg_path)
-      @kcfg = kcfg
+    # data (Hash) - Parsed kubeconfig data.
+    # kcfg_path (string) - Base directory for resolving relative references to external files.
+    #   If set to nil, all external lookups & commands are disabled (even for absolute paths).
+    # See also the more convenient Config.read
+    def initialize(data, kcfg_path)
+      @kcfg = data
       @kcfg_path = kcfg_path
       raise 'Unknown kubeconfig version' if @kcfg['apiVersion'] != 'v1'
     end
 
+    # Builds Config instance by parsing given file, with lookups relative to file's directory.
     def self.read(filename)
       parsed = YAML.safe_load(File.read(filename), [Date, Time])
       Config.new(parsed, File.dirname(filename))
@@ -65,10 +70,35 @@ module Kubeclient
 
     private
 
+    def allow_external_lookups?
+      @kcfg_path != nil
+    end
+
     def ext_file_path(path)
+      unless allow_external_lookups?
+        raise "Kubeclient::Config: external lookups disabled, can't load '#{path}'"
+      end
       Pathname(path).absolute? ? path : File.join(@kcfg_path, path)
     end
 
+    def ext_command_path(path)
+      unless allow_external_lookups?
+        raise "Kubeclient::Config: external lookups disabled, can't execute '#{path}'"
+      end
+      # Like go client https://github.com/kubernetes/kubernetes/pull/59495#discussion_r171138995,
+      # distinguish 3 cases:
+      # - absolute (e.g. /path/to/foo)
+      # - $PATH-based (e.g. curl)
+      # - relative to config file's dir (e.g. ./foo)
+      if Pathname(path).absolute?
+        path
+      elsif File.basename(path) == path
+        path
+      else
+        File.join(@kcfg_path, path)
+      end
+    end
+
     def fetch_context(context_name)
       context = @kcfg['contexts'].detect do |x|
         break x['context'] if x['name'] == context_name
@@ -119,6 +149,10 @@ module Kubeclient
       options = {}
       if user.key?('token')
         options[:bearer_token] = user['token']
+      elsif user.key?('exec')
+        exec_opts = user['exec'].dup
+        exec_opts['command'] = ext_command_path(exec_opts['command']) if exec_opts['command']
+        options[:bearer_token] = Kubeclient::ExecCredentials.token(exec_opts)
       else
         %w[username password].each do |attr|
           options[attr.to_sym] = user[attr] if user.key?(attr)

data/lib/kubeclient/exec_credentials.rb

@@ -0,0 +1,60 @@
+# frozen_string_literal: true
+
+module Kubeclient
+  # An exec-based client auth provide
+  # https://kubernetes.io/docs/reference/access-authn-authz/authentication/#configuration
+  # Inspired by https://github.com/kubernetes/client-go/blob/master/plugin/pkg/client/auth/exec/exec.go
+  class ExecCredentials
+    class << self
+      def token(opts)
+        require 'open3'
+        require 'json'
+
+        raise ArgumentError, 'exec options are required' if opts.nil?
+
+        cmd = opts['command']
+        args = opts['args']
+        env = map_env(opts['env'])
+
+        # Validate exec options
+        validate_opts(opts)
+
+        out, err, st = Open3.capture3(env, cmd, *args)
+
+        raise "exec command failed: #{err}" unless st.success?
+
+        creds = JSON.parse(out)
+        validate_credentials(opts, creds)
+        creds['status']['token']
+      end
+
+      private
+
+      def validate_opts(opts)
+        raise KeyError, 'exec command is required' unless opts['command']
+      end
+
+      def validate_credentials(opts, creds)
+        # out should have ExecCredential structure
+        raise 'invalid credentials' if creds.nil?
+
+        # Verify apiVersion?
+        api_version = opts['apiVersion']
+        if api_version && api_version != creds['apiVersion']
+          raise "exec plugin is configured to use API version #{api_version}, " \
+            "plugin returned version #{creds['apiVersion']}"
+        end
+
+        raise 'exec plugin didn\'t return a status field' if creds['status'].nil?
+        raise 'exec plugin didn\'t return a token' if creds['status']['token'].nil?
+      end
+
+      # Transform name/value pairs to hash
+      def map_env(env)
+        return {} unless env
+
+        Hash[env.map { |e| [e['name'], e['value']] }]
+      end
+    end
+  end
+end

data/lib/kubeclient/version.rb

@@ -1,4 +1,4 @@
 # Kubernetes REST-API Client
 module Kubeclient
-  VERSION = '4.1.2'.freeze
+  VERSION = '4.2.0'.freeze
 end

data/test/config/execauth.kubeconfig

@@ -0,0 +1,62 @@
+apiVersion: v1
+clusters:
+- cluster:
+    server: https://localhost:8443
+    insecure-skip-tls-verify: true
+  name: localhost:8443
+contexts:
+- context:
+    cluster: localhost:8443
+    namespace: default
+    user: system:admin:exec-search-path
+  name: localhost/system:admin:exec-search-path
+- context:
+    cluster: localhost:8443
+    namespace: default
+    user: system:admin:exec-relative-path
+  name: localhost/system:admin:exec-relative-path
+- context:
+    cluster: localhost:8443
+    namespace: default
+    user: system:admin:exec-absolute-path
+  name: localhost/system:admin:exec-absolute-path
+kind: Config
+preferences: {}
+users:
+- name: system:admin:exec-search-path
+  user:
+    exec:
+      # Command to execute. Required.
+      command: "example-exec-plugin"
+
+      # API version to use when decoding the ExecCredentials resource. Required.
+      #
+      # The API version returned by the plugin MUST match the version listed here.
+      #
+      # To integrate with tools that support multiple versions (such as client.authentication.k8s.io/v1alpha1),
+      # set an environment variable or pass an argument to the tool that indicates which version the exec plugin expects.
+      apiVersion: "client.authentication.k8s.io/v1beta1"
+
+      # Environment variables to set when executing the plugin. Optional.
+      env:
+      - name: "FOO"
+        value: "bar"
+
+      # Arguments to pass when executing the plugin. Optional.
+      args:
+      - "arg1"
+      - "arg2"
+
+- name: system:admin:exec-relative-path
+  user:
+    exec:
+      # Command to execute. Required.
+      command: "dir/example-exec-plugin"
+      apiVersion: "client.authentication.k8s.io/v1beta1"
+
+- name: system:admin:exec-absolute-path
+  user:
+    exec:
+      # Command to execute. Required.
+      command: "/abs/path/example-exec-plugin"
+      apiVersion: "client.authentication.k8s.io/v1beta1"

data/test/test_common.rb

@@ -81,11 +81,6 @@ class CommonTest < MiniTest::Test
       LatinDatum latindata latin_datum latin_data
       Noseparator noseparators noseparator noseparators
       lowercase lowercases lowercase lowercases
-      TestWithDash test-with-dashes test_with_dash test_with_dashes
-      TestUnderscore test_underscores test_underscore test_underscores
-      TestMismatch other-odd-name testmismatch otheroddname
-      MixedDashMinus mixed-dash_minuses mixed_dash_minus mixed_dash_minuses
-      SameUptoWordboundary sameup-toword-boundarys sameuptowordboundary sameuptowordboundarys
     ].each_slice(4) do |kind, plural, expected_single, expected_plural|
       method_names = Kubeclient::ClientMixin.parse_definition(kind, plural).method_names
       assert_equal(method_names[0], expected_single)

data/test/test_config.rb

@@ -1,5 +1,6 @@
 require_relative 'test_helper'
 require 'yaml'
+require 'open3'
 
 # Testing Kubernetes client configuration
 class KubeclientConfigTest < MiniTest::Test
@@ -28,18 +29,18 @@ class KubeclientConfigTest < MiniTest::Test
     # kcfg_path = nil should prevent file access
     config = Kubeclient::Config.new(YAML.safe_load(yaml), nil)
     assert_raises(StandardError) do
-      config.context.ssl_options
+      config.context
     end
   end
 
   def test_external_nopath_absolute
     yaml = File.read(config_file('external.kubeconfig'))
     # kcfg_path = nil should prevent file access, even if absolute path specified
-    ca_absolute_path = File.absolute_path(config_file('external.kubeconfig').path)
-    yaml = yaml.gsub('external-ca.pem', ca_absolute_path)
+    ca_absolute_path = File.absolute_path(config_file('external-'))
+    yaml = yaml.gsub('external-', ca_absolute_path)
     config = Kubeclient::Config.new(YAML.safe_load(yaml), nil)
     assert_raises(StandardError) do
-      config.context.ssl_options
+      config.context
     end
   end
 
@@ -73,6 +74,55 @@ class KubeclientConfigTest < MiniTest::Test
     Kubeclient::Config.read(config_file('timestamps.kubeconfig'))
   end
 
+  def test_user_exec
+    token = '0123456789ABCDEF0123456789ABCDEF'
+    creds = {
+      'apiVersion': 'client.authentication.k8s.io/v1beta1',
+      'status': {
+        'token': token
+      }
+    }
+
+    config = Kubeclient::Config.read(config_file('execauth.kubeconfig'))
+    assert_equal(['localhost/system:admin:exec-search-path',
+                  'localhost/system:admin:exec-relative-path',
+                  'localhost/system:admin:exec-absolute-path'],
+                 config.contexts)
+
+    # A bare command name in config means search PATH, so it's executed as bare command.
+    stub_exec(%r{^example-exec-plugin$}, creds) do
+      context = config.context('localhost/system:admin:exec-search-path')
+      check_context(context, ssl: false)
+      assert_equal(token, context.auth_options[:bearer_token])
+    end
+
+    # A relative path is taken relative to the dir of the kubeconfig.
+    stub_exec(%r{.*config/dir/example-exec-plugin$}, creds) do
+      context = config.context('localhost/system:admin:exec-relative-path')
+      check_context(context, ssl: false)
+      assert_equal(token, context.auth_options[:bearer_token])
+    end
+
+    # An absolute path is taken as-is.
+    stub_exec(%r{^/abs/path/example-exec-plugin$}, creds) do
+      context = config.context('localhost/system:admin:exec-absolute-path')
+      check_context(context, ssl: false)
+      assert_equal(token, context.auth_options[:bearer_token])
+    end
+  end
+
+  def test_user_exec_nopath
+    yaml = File.read(config_file('execauth.kubeconfig'))
+    config = Kubeclient::Config.new(YAML.safe_load(yaml), nil)
+    config.contexts.each do |context_name|
+      Open3.stub(:capture3, proc { flunk 'should not execute command' }) do
+        assert_raises(StandardError) do
+          config.context(context_name)
+        end
+      end
+    end
+  end
+
   private
 
   def check_context(context, ssl: true)
@@ -102,6 +152,20 @@ class KubeclientConfigTest < MiniTest::Test
   end
 
   def config_file(name)
-    File.new(File.join(File.dirname(__FILE__), 'config', name))
+    File.join(File.dirname(__FILE__), 'config', name)
+  end
+
+  def stub_exec(command_regexp, creds)
+    st = Minitest::Mock.new
+    st.expect(:success?, true)
+
+    capture3_stub = lambda do |_env, command, *_args|
+      assert_match command_regexp, command
+      [JSON.dump(creds), nil, st]
+    end
+
+    Open3.stub(:capture3, capture3_stub) do
+      yield
+    end
   end
 end

data/test/test_exec_credentials.rb

@@ -0,0 +1,125 @@
+require_relative 'test_helper'
+require 'open3'
+
+# Unit tests for the ExecCredentials token provider
+class ExecCredentialsTest < MiniTest::Test
+  def test_exec_opts_missing
+    expected_msg =
+      'exec options are required'
+    exception = assert_raises(ArgumentError) do
+      Kubeclient::ExecCredentials.token(nil)
+    end
+    assert_equal(expected_msg, exception.message)
+  end
+
+  def test_exec_command_missing
+    expected_msg =
+      'exec command is required'
+    exception = assert_raises(KeyError) do
+      Kubeclient::ExecCredentials.token({})
+    end
+    assert_equal(expected_msg, exception.message)
+  end
+
+  def test_exec_command_failure
+    err = 'Error'
+    expected_msg =
+      "exec command failed: #{err}"
+
+    st = Minitest::Mock.new
+    st.expect(:success?, false)
+
+    opts = { 'command' => 'dummy' }
+
+    Open3.stub(:capture3, [nil, err, st]) do
+      exception = assert_raises(RuntimeError) do
+        Kubeclient::ExecCredentials.token(opts)
+      end
+      assert_equal(expected_msg, exception.message)
+    end
+  end
+
+  def test_token
+    opts = { 'command' => 'dummy' }
+
+    creds = JSON.dump(
+      'apiVersion': 'client.authentication.k8s.io/v1alpha1',
+      'status': {
+        'token': '0123456789ABCDEF0123456789ABCDEF'
+      }
+    )
+
+    st = Minitest::Mock.new
+    st.expect(:success?, true)
+
+    Open3.stub(:capture3, [creds, nil, st]) do
+      assert_equal('0123456789ABCDEF0123456789ABCDEF', Kubeclient::ExecCredentials.token(opts))
+    end
+  end
+
+  def test_status_missing
+    opts = { 'command' => 'dummy' }
+
+    creds = JSON.dump('apiVersion': 'client.authentication.k8s.io/v1alpha1')
+
+    st = Minitest::Mock.new
+    st.expect(:success?, true)
+
+    expected_msg = 'exec plugin didn\'t return a status field'
+
+    Open3.stub(:capture3, [creds, nil, st]) do
+      exception = assert_raises(RuntimeError) do
+        Kubeclient::ExecCredentials.token(opts)
+      end
+      assert_equal(expected_msg, exception.message)
+    end
+  end
+
+  def test_token_missing
+    opts = { 'command' => 'dummy' }
+
+    creds = JSON.dump(
+      'apiVersion': 'client.authentication.k8s.io/v1alpha1',
+      'status': {}
+    )
+
+    st = Minitest::Mock.new
+    st.expect(:success?, true)
+
+    expected_msg = 'exec plugin didn\'t return a token'
+
+    Open3.stub(:capture3, [creds, nil, st]) do
+      exception = assert_raises(RuntimeError) do
+        Kubeclient::ExecCredentials.token(opts)
+      end
+      assert_equal(expected_msg, exception.message)
+    end
+  end
+
+  def test_api_version_mismatch
+    api_version = 'client.authentication.k8s.io/v1alpha1'
+    expected_version = 'client.authentication.k8s.io/v1beta1'
+
+    opts = {
+      'command' => 'dummy',
+      'apiVersion' => expected_version
+    }
+
+    creds = JSON.dump(
+      'apiVersion': api_version
+    )
+
+    st = Minitest::Mock.new
+    st.expect(:success?, true)
+
+    expected_msg = "exec plugin is configured to use API version #{expected_version}," \
+      " plugin returned version #{api_version}"
+
+    Open3.stub(:capture3, [creds, nil, st]) do
+      exception = assert_raises(RuntimeError) do
+        Kubeclient::ExecCredentials.token(opts)
+      end
+      assert_equal(expected_msg, exception.message)
+    end
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: kubeclient
 version: !ruby/object:Gem::Version
-  version: 4.1.2
+  version: 4.2.0
 platform: ruby
 authors:
 - Alissa Bonas
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-12-26 00:00:00.000000000 Z
+date: 2018-12-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -191,6 +191,7 @@ files:
 - lib/kubeclient/common.rb
 - lib/kubeclient/config.rb
 - lib/kubeclient/entity_list.rb
+- lib/kubeclient/exec_credentials.rb
 - lib/kubeclient/google_application_default_credentials.rb
 - lib/kubeclient/http_error.rb
 - lib/kubeclient/missing_kind_compatibility.rb
@@ -200,6 +201,7 @@ files:
 - lib/kubeclient/watch_stream.rb
 - test/cassettes/kubernetes_guestbook.yml
 - test/config/allinone.kubeconfig
+- test/config/execauth.kubeconfig
 - test/config/external-ca.pem
 - test/config/external-cert.pem
 - test/config/external-key.rsa
@@ -268,6 +270,7 @@ files:
 - test/test_component_status.rb
 - test/test_config.rb
 - test/test_endpoint.rb
+- test/test_exec_credentials.rb
 - test/test_google_application_default_credentials.rb
 - test/test_guestbook_go.rb
 - test/test_helper.rb
@@ -318,6 +321,7 @@ summary: A client for Kubernetes REST api
 test_files:
 - test/cassettes/kubernetes_guestbook.yml
 - test/config/allinone.kubeconfig
+- test/config/execauth.kubeconfig
 - test/config/external-ca.pem
 - test/config/external-cert.pem
 - test/config/external-key.rsa
@@ -386,6 +390,7 @@ test_files:
 - test/test_component_status.rb
 - test/test_config.rb
 - test/test_endpoint.rb
+- test/test_exec_credentials.rb
 - test/test_google_application_default_credentials.rb
 - test/test_guestbook_go.rb
 - test/test_helper.rb