kubeclient 4.9.0 → 4.9.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3c8f79b61300006829c55c6b13715e6073a1cf9517ad8334959ff64706bee4ca
-  data.tar.gz: 04ae220b4f78422992e34538e5b47a0dbf0a832aa2eb9f1ac86d3f1c221cd088
+  metadata.gz: 3f402a08fef66f160df49d507487769073b248828869a2c874d78e947b1d6686
+  data.tar.gz: 5d371f47861538f1e3e9deced8d1c41be1e0ca857ab8ed0607a75417948bb6f6
 SHA512:
-  metadata.gz: b7c9ab202ff3e30f5884fd2f80987fe87a3a65a86fa1a3ecdba16383cbb958fdb98f02dd48a00a5ac50fac828b335a33b33f634f7e2cbe7913883e5aa9a81fa4
-  data.tar.gz: 52078faf6ec204c2b08658d83604fb84c7e68ad409d754ada7ae9d0d989fbce01ae53b2c33993dc71a6bed5851904fe22b6cd3688f67fa1c4bf9cd7704c43f71
+  metadata.gz: f06a16d02e150194d06a4aa2c37a23bd1b7bbef4daca379ed7f60dd9581310b98cd3026d86e90b1b23d861fe6186d05e003d41380cb1edeaf7a2e52ccc594520
+  data.tar.gz: 7fbceb84c48af3bf4f28eadb05a2807a61196a26a66d72eb836ee5faa23d9a22fb1bd8e76fd16febd794007f1f0fd487000db40f543143789d33225c2350ccd0

data/.github/workflows/actions.yml

@@ -0,0 +1,42 @@
+name: CI
+on:
+  push:
+    branches:
+    - '**'
+    tags:
+    - '**'
+  pull_request:
+    branches:
+    - '**'
+jobs:
+  build:
+    continue-on-error: true
+    runs-on: ${{ matrix.os_and_command.os }}
+    strategy:
+      matrix:
+        ruby: [ '2.5', '2.6', '2.7', '3.0', '3.1', 'ruby-head', 'truffleruby-head' ]
+        os_and_command:
+        - os: 'macos-latest'
+          command: 'env TESTOPTS="--verbose" bundle exec rake test'
+        - os: ubuntu-latest
+          # Sometimes minitest starts and then just hangs printing nothing.
+          # Github by default kills after 6hours(!). Hopefully SIGTERM may let it print some details?
+          command: 'timeout --signal=TERM 3m env TESTOPTS="--verbose" test/config/update_certs_k0s.rb'
+        include:
+        # run rubocop against lowest supported ruby
+        - os: ubuntu-latest
+          ruby: '2.5'
+          command: 'bundle exec rake rubocop'
+    name: ${{ matrix.os_and_command.os }} ${{ matrix.ruby }} rake ${{ matrix.os_and_command.command }}
+    steps:
+    - uses: actions/checkout@v2
+    # actions/setup-ruby did not support truffle or bundler caching
+    - uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby }}
+        bundler-cache: false # disable running 'bundle install' and caching installed gems see https://github.com/httprb/http/issues/572
+    - run: gem install rake bundler
+    - run: bundle install
+    - run: ${{ matrix.os_and_command.command }}
+    timeout-minutes: 10
+

data/CHANGELOG.md

@@ -4,6 +4,60 @@ Notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
 Kubeclient release versioning follows [SemVer](https://semver.org/).
 
+## 4.9.3 — 2021-03-23
+
+### Fixed
+
+- VULNERABILITY FIX: Previously, whenever kubeconfig did not define custom CA
+  (normal situation for production clusters with public domain and certificate!),
+  `Config` was returning ssl_options[:verify_ssl] hard-coded to `VERIFY_NONE` :-(
+
+  Assuming you passed those ssl_options to Kubeclient::Client, this means that
+  instead of checking server's certificate against your system CA store,
+  it would accept ANY certificate, allowing easy man-in-the middle attacks.
+
+  This is especially dangerous with user/password or token credentials
+  because MITM attacker could simply steal those credentials to the cluster
+  and do anything you could do on the cluster.
+
+  This was broken IN ALL RELEASES MADE BEFORE 2022, ever since
+  [`Kubeclient::Config` was created](https://github.com/ManageIQ/kubeclient/pull/127/files#diff-32e70f2f6781a9e9c7b83ae5e7eaf5ffd068a05649077fa38f6789e72f3de837R41-R48).
+
+- Bug fix: kubeconfig `insecure-skip-tls-verify` field was ignored.
+  When kubeconfig did define custom CA, `Config` was returning hard-coded `VERIFY_PEER`.
+
+  Now we honor it, return `VERIFY_NONE` iff kubeconfig has explicit
+  `insecure-skip-tls-verify: true`, otherwise `VERIFY_PEER`.
+
+- `Config`: fixed parsing of `certificate-authority` file containing concatenation of
+  several certificates.  Previously, server's cert was checked against only first CA cert,
+  resulting in possible "certificate verify failed" errors.
+
+  An important use case is a chain of root & intermediate cert(s) - necessary when cluster's CA
+  itself is signed by another custom CA.
+  But also helps when you simply concatenate independent certs. (#461, #552)
+
+  - Still broken (#460): inline `certificate-authority-data` is still parsed using `add_cert`
+    method that handles only one cert.
+
+These don't affect code that supplies `Client` parameters directly,
+only code that uses `Config`.
+
+## 4.9.2 — 2021-05-30
+
+### Added
+- Ruby 3.0 compatibility (#500, #505).
+
+### Removed
+- Reduce .gem size by dropping test/ directory, it's useless at run time (#502).
+
+## 4.9.1 — 2020-08-31
+### Fixed
+- Now should work with apiserver deployed not at root of domain but a sub-path,
+  which is standard with Rancher.
+  Notably, `create_...` methods were sending bad apiVersion and getting 400 error.
+  (#457, hopefully fixes #318, #418 and https://gitlab.com/gitlab-org/gitlab/-/issues/22043)
+
 ## 4.9.0 - 2020-08-03
 ### Added
 - Support for `user: exec` credential plugins using TLS client auth (#453)

data/README.md

@@ -9,6 +9,13 @@ The client supports GET, POST, PUT, DELETE on all the entities available in kube
 The client currently supports Kubernetes REST api version v1.
 To learn more about groups and versions in kubernetes refer to [k8s docs](https://kubernetes.io/docs/api/)
 
+## VULNERABILITY❗
+
+If you use `Kubeclient::Config`, all gem versions released before 2022 could return incorrect `ssl_options[:verify_ssl]`,
+endangering your connection and cluster credentials.
+See [latest CHANGELOG.md](https://github.com/ManageIQ/kubeclient/blob/master/CHANGELOG.md) for details and which versions got a fix.
+Open an issue if you want a backport to another version.
+
 ## Installation
 
 Add this line to your application's Gemfile:

data/kubeclient.gemspec

@@ -14,9 +14,10 @@ Gem::Specification.new do |spec|
   spec.homepage      = 'https://github.com/abonas/kubeclient'
   spec.license       = 'MIT'
 
-  spec.files         = `git ls-files -z`.split("\x0")
+  git_files = `git ls-files -z`.split("\x0")
+  spec.files         = git_files.grep_v(%r{^(test|spec|features)/})
   spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
-  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.test_files    = []
   spec.require_paths = ['lib']
   spec.required_ruby_version = '>= 2.2.0'
 
@@ -30,6 +31,7 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency 'googleauth', '~> 0.5.1'
   spec.add_development_dependency('mocha', '~> 1.5')
   spec.add_development_dependency 'openid_connect', '~> 1.1'
+  spec.add_development_dependency 'net-smtp'
 
   spec.add_dependency 'jsonpath', '~> 1.0'
   spec.add_dependency 'rest-client', '~> 2.0'

data/lib/kubeclient/common.rb

@@ -194,10 +194,22 @@ module Kubeclient
     def handle_uri(uri, path)
       raise ArgumentError, 'Missing uri' unless uri
       @api_endpoint = (uri.is_a?(URI) ? uri : URI.parse(uri))
-      @api_endpoint.path = path if @api_endpoint.path.empty?
-      @api_endpoint.path = @api_endpoint.path.chop if @api_endpoint.path.end_with?('/')
-      components = @api_endpoint.path.to_s.split('/') # ["", "api"] or ["", "apis", batch]
-      @api_group = components.length > 2 ? components[2] + '/' : ''
+
+      # This regex will anchor at the last `/api`, `/oapi` or`/apis/:group`) part of the URL
+      # The whole path will be matched and if existing, the api_group will be extracted.
+      re = /^(?<path>.*\/o?api(?:s\/(?<apigroup>[^\/]+))?)$/mi
+      match = re.match(@api_endpoint.path.chomp('/'))
+
+      if match
+        # Since `re` captures 2 groups, match will always have 3 elements
+        # If thus we have a non-nil value in match 2, this is our api_group.
+        @api_group = match[:apigroup].nil? ? '' : match[:apigroup] + '/'
+        @api_endpoint.path = match[:path]
+      else
+        # This is a fallback, for when `/api` was not provided as part of the uri
+        @api_group = ''
+        @api_endpoint.path = @api_endpoint.path.chomp('/') + path
+      end
     end
 
     def build_namespace_prefix(namespace)
@@ -255,8 +267,8 @@ module Kubeclient
           patch_entity(entity.resource_name, name, patch, 'merge-patch', namespace)
         end
 
-        define_singleton_method("apply_#{entity.method_names[0]}") do |*args|
-          apply_entity(entity.resource_name, *args)
+        define_singleton_method("apply_#{entity.method_names[0]}") do |resource, opts = {}|
+          apply_entity(entity.resource_name, resource, **opts)
         end
       end
     end

data/lib/kubeclient/config.rb

@@ -30,7 +30,12 @@ module Kubeclient
 
     # Builds Config instance by parsing given file, with lookups relative to file's directory.
     def self.read(filename)
-      parsed = YAML.safe_load(File.read(filename), [Date, Time])
+      parsed =
+        if RUBY_VERSION >= '2.6'
+          YAML.safe_load(File.read(filename), permitted_classes: [Date, Time])
+        else
+          YAML.safe_load(File.read(filename), [Date, Time])
+        end
       Config.new(parsed, File.dirname(filename))
     end
 
@@ -46,20 +51,22 @@ module Kubeclient
         user['exec_result'] = ExecCredentials.run(exec_opts)
       end
 
-      ca_cert_data     = fetch_cluster_ca_data(cluster)
       client_cert_data = fetch_user_cert_data(user)
       client_key_data  = fetch_user_key_data(user)
       auth_options     = fetch_user_auth_options(user)
 
       ssl_options = {}
 
-      if !ca_cert_data.nil?
+      ssl_options[:verify_ssl] = if cluster['insecure-skip-tls-verify'] == true
+                                   OpenSSL::SSL::VERIFY_NONE
+                                 else
+                                   OpenSSL::SSL::VERIFY_PEER
+                                 end
+
+      if cluster_ca_data?(cluster)
         cert_store = OpenSSL::X509::Store.new
-        cert_store.add_cert(OpenSSL::X509::Certificate.new(ca_cert_data))
-        ssl_options[:verify_ssl] = OpenSSL::SSL::VERIFY_PEER
+        populate_cert_store_from_cluster_ca_data(cluster, cert_store)
         ssl_options[:cert_store] = cert_store
-      else
-        ssl_options[:verify_ssl] = OpenSSL::SSL::VERIFY_NONE
       end
 
       unless client_cert_data.nil?
@@ -126,11 +133,16 @@ module Kubeclient
       [cluster, user, namespace]
     end
 
-    def fetch_cluster_ca_data(cluster)
+    def cluster_ca_data?(cluster)
+      cluster.key?('certificate-authority') || cluster.key?('certificate-authority-data')
+    end
+
+    def populate_cert_store_from_cluster_ca_data(cluster, cert_store)
       if cluster.key?('certificate-authority')
-        File.read(ext_file_path(cluster['certificate-authority']))
+        cert_store.add_file(ext_file_path(cluster['certificate-authority']))
       elsif cluster.key?('certificate-authority-data')
-        Base64.decode64(cluster['certificate-authority-data'])
+        ca_cert_data = Base64.decode64(cluster['certificate-authority-data'])
+        cert_store.add_cert(OpenSSL::X509::Certificate.new(ca_cert_data))
       end
     end
 

data/lib/kubeclient/version.rb

@@ -1,4 +1,4 @@
 # Kubernetes REST-API Client
 module Kubeclient
-  VERSION = '4.9.0'.freeze
+  VERSION = '4.9.3'.freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: kubeclient
 version: !ruby/object:Gem::Version
-  version: 4.9.0
+  version: 4.9.3
 platform: ruby
 authors:
 - Alissa Bonas
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-08-03 00:00:00.000000000 Z
+date: 2022-03-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -150,6 +150,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.1'
+- !ruby/object:Gem::Dependency
+  name: net-smtp
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: jsonpath
   requirement: !ruby/object:Gem::Requirement
@@ -225,9 +239,9 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/workflows/actions.yml"
 - ".gitignore"
 - ".rubocop.yml"
-- ".travis.yml"
 - CHANGELOG.md
 - Gemfile
 - LICENSE.txt
@@ -251,113 +265,11 @@ files:
 - lib/kubeclient/resource_not_found_error.rb
 - lib/kubeclient/version.rb
 - lib/kubeclient/watch_stream.rb
-- test/cassettes/kubernetes_guestbook.yml
-- test/config/allinone.kubeconfig
-- test/config/execauth.kubeconfig
-- test/config/external-ca.pem
-- test/config/external-cert.pem
-- test/config/external-key.rsa
-- test/config/external.kubeconfig
-- test/config/gcpauth.kubeconfig
-- test/config/gcpcmdauth.kubeconfig
-- test/config/nouser.kubeconfig
-- test/config/oidcauth.kubeconfig
-- test/config/timestamps.kubeconfig
-- test/config/userauth.kubeconfig
-- test/json/bindings_list.json
-- test/json/component_status.json
-- test/json/component_status_list.json
-- test/json/config.istio.io_api_resource_list.json
-- test/json/config_map_list.json
-- test/json/core_api_resource_list.json
-- test/json/core_api_resource_list_without_kind.json
-- test/json/core_oapi_resource_list_without_kind.json
-- test/json/created_endpoint.json
-- test/json/created_namespace.json
-- test/json/created_secret.json
-- test/json/created_security_context_constraint.json
-- test/json/created_service.json
-- test/json/empty_pod_list.json
-- test/json/endpoint_list.json
-- test/json/entity_list.json
-- test/json/event_list.json
-- test/json/extensions_v1beta1_api_resource_list.json
-- test/json/limit_range.json
-- test/json/limit_range_list.json
-- test/json/namespace.json
-- test/json/namespace_exception.json
-- test/json/namespace_list.json
-- test/json/node.json
-- test/json/node_list.json
-- test/json/node_notice.json
-- test/json/persistent_volume.json
-- test/json/persistent_volume_claim.json
-- test/json/persistent_volume_claim_list.json
-- test/json/persistent_volume_claims_nil_items.json
-- test/json/persistent_volume_list.json
-- test/json/pod.json
-- test/json/pod_list.json
-- test/json/pod_template_list.json
-- test/json/pods_1.json
-- test/json/pods_2.json
-- test/json/pods_410.json
-- test/json/processed_template.json
-- test/json/replication_controller.json
-- test/json/replication_controller_list.json
-- test/json/resource_quota.json
-- test/json/resource_quota_list.json
-- test/json/secret_list.json
-- test/json/security.openshift.io_api_resource_list.json
-- test/json/security_context_constraint_list.json
-- test/json/service.json
-- test/json/service_account.json
-- test/json/service_account_list.json
-- test/json/service_illegal_json_404.json
-- test/json/service_json_patch.json
-- test/json/service_list.json
-- test/json/service_merge_patch.json
-- test/json/service_patch.json
-- test/json/service_update.json
-- test/json/template.json
-- test/json/template.openshift.io_api_resource_list.json
-- test/json/template_list.json
-- test/json/versions_list.json
-- test/json/watch_stream.json
-- test/test_common.rb
-- test/test_component_status.rb
-- test/test_config.rb
-- test/test_endpoint.rb
-- test/test_exec_credentials.rb
-- test/test_gcp_command_credentials.rb
-- test/test_google_application_default_credentials.rb
-- test/test_guestbook_go.rb
-- test/test_helper.rb
-- test/test_kubeclient.rb
-- test/test_limit_range.rb
-- test/test_missing_methods.rb
-- test/test_namespace.rb
-- test/test_node.rb
-- test/test_oidc_auth_provider.rb
-- test/test_persistent_volume.rb
-- test/test_persistent_volume_claim.rb
-- test/test_pod.rb
-- test/test_pod_log.rb
-- test/test_process_template.rb
-- test/test_replication_controller.rb
-- test/test_resource_list_without_kind.rb
-- test/test_resource_quota.rb
-- test/test_secret.rb
-- test/test_security_context_constraint.rb
-- test/test_service.rb
-- test/test_service_account.rb
-- test/test_watch.rb
-- test/txt/pod_log.txt
-- test/valid_token_file
 homepage: https://github.com/abonas/kubeclient
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -372,110 +284,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
-signing_key: 
+rubygems_version: 3.3.3
+signing_key:
 specification_version: 4
 summary: A client for Kubernetes REST api
-test_files:
-- test/cassettes/kubernetes_guestbook.yml
-- test/config/allinone.kubeconfig
-- test/config/execauth.kubeconfig
-- test/config/external-ca.pem
-- test/config/external-cert.pem
-- test/config/external-key.rsa
-- test/config/external.kubeconfig
-- test/config/gcpauth.kubeconfig
-- test/config/gcpcmdauth.kubeconfig
-- test/config/nouser.kubeconfig
-- test/config/oidcauth.kubeconfig
-- test/config/timestamps.kubeconfig
-- test/config/userauth.kubeconfig
-- test/json/bindings_list.json
-- test/json/component_status.json
-- test/json/component_status_list.json
-- test/json/config.istio.io_api_resource_list.json
-- test/json/config_map_list.json
-- test/json/core_api_resource_list.json
-- test/json/core_api_resource_list_without_kind.json
-- test/json/core_oapi_resource_list_without_kind.json
-- test/json/created_endpoint.json
-- test/json/created_namespace.json
-- test/json/created_secret.json
-- test/json/created_security_context_constraint.json
-- test/json/created_service.json
-- test/json/empty_pod_list.json
-- test/json/endpoint_list.json
-- test/json/entity_list.json
-- test/json/event_list.json
-- test/json/extensions_v1beta1_api_resource_list.json
-- test/json/limit_range.json
-- test/json/limit_range_list.json
-- test/json/namespace.json
-- test/json/namespace_exception.json
-- test/json/namespace_list.json
-- test/json/node.json
-- test/json/node_list.json
-- test/json/node_notice.json
-- test/json/persistent_volume.json
-- test/json/persistent_volume_claim.json
-- test/json/persistent_volume_claim_list.json
-- test/json/persistent_volume_claims_nil_items.json
-- test/json/persistent_volume_list.json
-- test/json/pod.json
-- test/json/pod_list.json
-- test/json/pod_template_list.json
-- test/json/pods_1.json
-- test/json/pods_2.json
-- test/json/pods_410.json
-- test/json/processed_template.json
-- test/json/replication_controller.json
-- test/json/replication_controller_list.json
-- test/json/resource_quota.json
-- test/json/resource_quota_list.json
-- test/json/secret_list.json
-- test/json/security.openshift.io_api_resource_list.json
-- test/json/security_context_constraint_list.json
-- test/json/service.json
-- test/json/service_account.json
-- test/json/service_account_list.json
-- test/json/service_illegal_json_404.json
-- test/json/service_json_patch.json
-- test/json/service_list.json
-- test/json/service_merge_patch.json
-- test/json/service_patch.json
-- test/json/service_update.json
-- test/json/template.json
-- test/json/template.openshift.io_api_resource_list.json
-- test/json/template_list.json
-- test/json/versions_list.json
-- test/json/watch_stream.json
-- test/test_common.rb
-- test/test_component_status.rb
-- test/test_config.rb
-- test/test_endpoint.rb
-- test/test_exec_credentials.rb
-- test/test_gcp_command_credentials.rb
-- test/test_google_application_default_credentials.rb
-- test/test_guestbook_go.rb
-- test/test_helper.rb
-- test/test_kubeclient.rb
-- test/test_limit_range.rb
-- test/test_missing_methods.rb
-- test/test_namespace.rb
-- test/test_node.rb
-- test/test_oidc_auth_provider.rb
-- test/test_persistent_volume.rb
-- test/test_persistent_volume_claim.rb
-- test/test_pod.rb
-- test/test_pod_log.rb
-- test/test_process_template.rb
-- test/test_replication_controller.rb
-- test/test_resource_list_without_kind.rb
-- test/test_resource_quota.rb
-- test/test_secret.rb
-- test/test_security_context_constraint.rb
-- test/test_service.rb
-- test/test_service_account.rb
-- test/test_watch.rb
-- test/txt/pod_log.txt
-- test/valid_token_file
+test_files: []

data/.travis.yml

@@ -1,29 +0,0 @@
-language: ruby
-sudo: false
-cache: bundler
-script: bundle exec rake $TASK
-
-os:
-  - linux
-  - osx
-rvm:
-  - "2.2.0"
-  - "2.3.0"
-  - "2.4.0"
-  - "2.5.0"
-  - "2.6.0"
-  - "2.7.0"
-env:
- - TASK=test
-matrix:
-  exclude:
-    - os: osx
-      rvm: "2.2.0"
-    - os: osx
-      rvm: "2.3.0"
-  # No point running Rubocop on different rubies, results will be same.
-  # The rubies it expects the code to target are controlled in .rubocop.yml.
-  include:
-    - os: linux
-      rvm: "2.5.0"
-      env: TASK=rubocop