kubeclient 4.8.0 → 4.9.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 48d448677cbf44234e974ccb8abd00002c729b059f8857120f11d7a017c63f96
-  data.tar.gz: 1db9a01ab5819636816562bd60b563db6e1aa20aa45f8e8b1283da35e1c77a37
+  metadata.gz: 3c8f79b61300006829c55c6b13715e6073a1cf9517ad8334959ff64706bee4ca
+  data.tar.gz: 04ae220b4f78422992e34538e5b47a0dbf0a832aa2eb9f1ac86d3f1c221cd088
 SHA512:
-  metadata.gz: f3ba57f5db5c09035f1ae3265203f5eb64858b7383c9cb73a9e2186befc4b7c120db3984634626895143c5409c9b943103d93a106274b4d61f57579d2e22ba93
-  data.tar.gz: 2154232e7359a4e3eae7191093338cce2f6daa44abf30f663bbe59631435927519f7e342dd103a485726375bdfde5d556c3a825b3dbd063d23f055e5eb16ad1e
+  metadata.gz: b7c9ab202ff3e30f5884fd2f80987fe87a3a65a86fa1a3ecdba16383cbb958fdb98f02dd48a00a5ac50fac828b335a33b33f634f7e2cbe7913883e5aa9a81fa4
+  data.tar.gz: 52078faf6ec204c2b08658d83604fb84c7e68ad409d754ada7ae9d0d989fbce01ae53b2c33993dc71a6bed5851904fe22b6cd3688f67fa1c4bf9cd7704c43f71

data/CHANGELOG.md

@@ -4,6 +4,10 @@ Notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
 Kubeclient release versioning follows [SemVer](https://semver.org/).
 
+## 4.9.0 - 2020-08-03
+### Added
+- Support for `user: exec` credential plugins using TLS client auth (#453)
+
 ## 4.8.0 — 2020-07-03
 
 ### Added

data/lib/kubeclient/config.rb

@@ -41,6 +41,11 @@ module Kubeclient
     def context(context_name = nil)
       cluster, user, namespace = fetch_context(context_name || @kcfg['current-context'])
 
+      if user.key?('exec')
+        exec_opts = expand_command_option(user['exec'], 'command')
+        user['exec_result'] = ExecCredentials.run(exec_opts)
+      end
+
       ca_cert_data     = fetch_cluster_ca_data(cluster)
       client_cert_data = fetch_user_cert_data(user)
       client_key_data  = fetch_user_key_data(user)
@@ -134,6 +139,8 @@ module Kubeclient
         File.read(ext_file_path(user['client-certificate']))
       elsif user.key?('client-certificate-data')
         Base64.decode64(user['client-certificate-data'])
+      elsif user.key?('exec_result') && user['exec_result'].key?('clientCertificateData')
+        user['exec_result']['clientCertificateData']
       end
     end
 
@@ -142,6 +149,8 @@ module Kubeclient
         File.read(ext_file_path(user['client-key']))
       elsif user.key?('client-key-data')
         Base64.decode64(user['client-key-data'])
+      elsif user.key?('exec_result') && user['exec_result'].key?('clientKeyData')
+        user['exec_result']['clientKeyData']
       end
     end
 
@@ -149,9 +158,8 @@ module Kubeclient
       options = {}
       if user.key?('token')
         options[:bearer_token] = user['token']
-      elsif user.key?('exec')
-        exec_opts = expand_command_option(user['exec'], 'command')
-        options[:bearer_token] = Kubeclient::ExecCredentials.token(exec_opts)
+      elsif user.key?('exec_result') && user['exec_result'].key?('token')
+        options[:bearer_token] = user['exec_result']['token']
       elsif user.key?('auth-provider')
         options[:bearer_token] = fetch_token_from_provider(user['auth-provider'])
       else

data/lib/kubeclient/exec_credentials.rb

@@ -6,7 +6,7 @@ module Kubeclient
   # Inspired by https://github.com/kubernetes/client-go/blob/master/plugin/pkg/client/auth/exec/exec.go
   class ExecCredentials
     class << self
-      def token(opts)
+      def run(opts)
         require 'open3'
         require 'json'
 
@@ -25,7 +25,7 @@ module Kubeclient
 
         creds = JSON.parse(out)
         validate_credentials(opts, creds)
-        creds['status']['token']
+        creds['status']
       end
 
       private
@@ -34,6 +34,36 @@ module Kubeclient
         raise KeyError, 'exec command is required' unless opts['command']
       end
 
+      def validate_client_credentials_status(status)
+        has_client_cert_data = status.key?('clientCertificateData')
+        has_client_key_data = status.key?('clientKeyData')
+
+        if has_client_cert_data && !has_client_key_data
+          raise 'exec plugin didn\'t return client key data'
+        end
+
+        if !has_client_cert_data && has_client_key_data
+          raise 'exec plugin didn\'t return client certificate data'
+        end
+
+        has_client_cert_data && has_client_key_data
+      end
+
+      def validate_credentials_status(status)
+        raise 'exec plugin didn\'t return a status field' if status.nil?
+
+        has_client_credentials = validate_client_credentials_status(status)
+        has_token = status.key?('token')
+
+        if has_client_credentials && has_token
+          raise 'exec plugin returned both token and client data'
+        end
+
+        return if has_client_credentials || has_token
+
+        raise 'exec plugin didn\'t return a token or client data' unless has_token
+      end
+
       def validate_credentials(opts, creds)
         # out should have ExecCredential structure
         raise 'invalid credentials' if creds.nil?
@@ -45,8 +75,7 @@ module Kubeclient
             "plugin returned version #{creds['apiVersion']}"
         end
 
-        raise 'exec plugin didn\'t return a status field' if creds['status'].nil?
-        raise 'exec plugin didn\'t return a token' if creds['status']['token'].nil?
+        validate_credentials_status(creds['status'])
       end
 
       # Transform name/value pairs to hash

data/lib/kubeclient/version.rb

@@ -1,4 +1,4 @@
 # Kubernetes REST-API Client
 module Kubeclient
-  VERSION = '4.8.0'.freeze
+  VERSION = '4.9.0'.freeze
 end

data/test/test_exec_credentials.rb

@@ -1,13 +1,13 @@
 require_relative 'test_helper'
 require 'open3'
 
-# Unit tests for the ExecCredentials token provider
+# Unit tests for the ExecCredentials provider
 class ExecCredentialsTest < MiniTest::Test
   def test_exec_opts_missing
     expected_msg =
       'exec options are required'
     exception = assert_raises(ArgumentError) do
-      Kubeclient::ExecCredentials.token(nil)
+      Kubeclient::ExecCredentials.run(nil)
     end
     assert_equal(expected_msg, exception.message)
   end
@@ -16,7 +16,7 @@ class ExecCredentialsTest < MiniTest::Test
     expected_msg =
       'exec command is required'
     exception = assert_raises(KeyError) do
-      Kubeclient::ExecCredentials.token({})
+      Kubeclient::ExecCredentials.run({})
     end
     assert_equal(expected_msg, exception.message)
   end
@@ -33,34 +33,134 @@ class ExecCredentialsTest < MiniTest::Test
 
     Open3.stub(:capture3, [nil, err, st]) do
       exception = assert_raises(RuntimeError) do
-        Kubeclient::ExecCredentials.token(opts)
+        Kubeclient::ExecCredentials.run(opts)
       end
       assert_equal(expected_msg, exception.message)
     end
   end
 
-  def test_token
+  def test_run_with_token_credentials
     opts = { 'command' => 'dummy' }
 
+    credentials = {
+      'token' => '0123456789ABCDEF0123456789ABCDEF'
+    }
+
+    creds = JSON.dump(
+      'apiVersion' => 'client.authentication.k8s.io/v1alpha1',
+      'status' => credentials
+    )
+
+    st = Minitest::Mock.new
+    st.expect(:success?, true)
+
+    Open3.stub(:capture3, [creds, nil, st]) do
+      assert_equal(credentials, Kubeclient::ExecCredentials.run(opts))
+    end
+  end
+
+  def test_run_with_client_credentials
+    opts = { 'command' => 'dummy' }
+
+    credentials = {
+      'clientCertificateData' => '0123456789ABCDEF0123456789ABCDEF',
+      'clientKeyData' => '0123456789ABCDEF0123456789ABCDEF'
+    }
+
+    creds = JSON.dump(
+      'apiVersion' => 'client.authentication.k8s.io/v1alpha1',
+      'status' => credentials
+    )
+
+    st = Minitest::Mock.new
+    st.expect(:success?, true)
+
+    Open3.stub(:capture3, [creds, nil, st]) do
+      assert_equal(credentials, Kubeclient::ExecCredentials.run(opts))
+    end
+  end
+
+  def test_run_with_missing_client_certificate_data
+    opts = { 'command' => 'dummy' }
+
+    credentials = {
+      'clientKeyData' => '0123456789ABCDEF0123456789ABCDEF'
+    }
+
+    creds = JSON.dump(
+      'apiVersion' => 'client.authentication.k8s.io/v1alpha1',
+      'status' => credentials
+    )
+
+    st = Minitest::Mock.new
+    st.expect(:success?, true)
+
+    expected_msg = 'exec plugin didn\'t return client certificate data'
+
+    Open3.stub(:capture3, [creds, nil, st]) do
+      exception = assert_raises(RuntimeError) do
+        Kubeclient::ExecCredentials.run(opts)
+      end
+      assert_equal(expected_msg, exception.message)
+    end
+  end
+
+  def test_run_with_missing_client_key_data
+    opts = { 'command' => 'dummy' }
+
+    credentials = {
+      'clientCertificateData' => '0123456789ABCDEF0123456789ABCDEF'
+    }
+
     creds = JSON.dump(
-      'apiVersion': 'client.authentication.k8s.io/v1alpha1',
-      'status': {
-        'token': '0123456789ABCDEF0123456789ABCDEF'
-      }
+      'apiVersion' => 'client.authentication.k8s.io/v1alpha1',
+      'status' => credentials
     )
 
     st = Minitest::Mock.new
     st.expect(:success?, true)
 
+    expected_msg = 'exec plugin didn\'t return client key data'
+
     Open3.stub(:capture3, [creds, nil, st]) do
-      assert_equal('0123456789ABCDEF0123456789ABCDEF', Kubeclient::ExecCredentials.token(opts))
+      exception = assert_raises(RuntimeError) do
+        Kubeclient::ExecCredentials.run(opts)
+      end
+      assert_equal(expected_msg, exception.message)
+    end
+  end
+
+  def test_run_with_client_data_and_token
+    opts = { 'command' => 'dummy' }
+
+    credentials = {
+      'clientCertificateData' => '0123456789ABCDEF0123456789ABCDEF',
+      'clientKeyData' => '0123456789ABCDEF0123456789ABCDEF',
+      'token' => '0123456789ABCDEF0123456789ABCDEF'
+    }
+
+    creds = JSON.dump(
+      'apiVersion' => 'client.authentication.k8s.io/v1alpha1',
+      'status' => credentials
+    )
+
+    st = Minitest::Mock.new
+    st.expect(:success?, true)
+
+    expected_msg = 'exec plugin returned both token and client data'
+
+    Open3.stub(:capture3, [creds, nil, st]) do
+      exception = assert_raises(RuntimeError) do
+        Kubeclient::ExecCredentials.run(opts)
+      end
+      assert_equal(expected_msg, exception.message)
     end
   end
 
   def test_status_missing
     opts = { 'command' => 'dummy' }
 
-    creds = JSON.dump('apiVersion': 'client.authentication.k8s.io/v1alpha1')
+    creds = JSON.dump('apiVersion' => 'client.authentication.k8s.io/v1alpha1')
 
     st = Minitest::Mock.new
     st.expect(:success?, true)
@@ -69,28 +169,28 @@ class ExecCredentialsTest < MiniTest::Test
 
     Open3.stub(:capture3, [creds, nil, st]) do
       exception = assert_raises(RuntimeError) do
-        Kubeclient::ExecCredentials.token(opts)
+        Kubeclient::ExecCredentials.run(opts)
       end
       assert_equal(expected_msg, exception.message)
     end
   end
 
-  def test_token_missing
+  def test_credentials_missing
     opts = { 'command' => 'dummy' }
 
     creds = JSON.dump(
-      'apiVersion': 'client.authentication.k8s.io/v1alpha1',
-      'status': {}
+      'apiVersion' => 'client.authentication.k8s.io/v1alpha1',
+      'status' => {}
     )
 
     st = Minitest::Mock.new
     st.expect(:success?, true)
 
-    expected_msg = 'exec plugin didn\'t return a token'
+    expected_msg = 'exec plugin didn\'t return a token or client data'
 
     Open3.stub(:capture3, [creds, nil, st]) do
       exception = assert_raises(RuntimeError) do
-        Kubeclient::ExecCredentials.token(opts)
+        Kubeclient::ExecCredentials.run(opts)
       end
       assert_equal(expected_msg, exception.message)
     end
@@ -106,7 +206,7 @@ class ExecCredentialsTest < MiniTest::Test
     }
 
     creds = JSON.dump(
-      'apiVersion': api_version
+      'apiVersion' => api_version
     )
 
     st = Minitest::Mock.new
@@ -117,7 +217,7 @@ class ExecCredentialsTest < MiniTest::Test
 
     Open3.stub(:capture3, [creds, nil, st]) do
       exception = assert_raises(RuntimeError) do
-        Kubeclient::ExecCredentials.token(opts)
+        Kubeclient::ExecCredentials.run(opts)
       end
       assert_equal(expected_msg, exception.message)
     end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: kubeclient
 version: !ruby/object:Gem::Version
-  version: 4.8.0
+  version: 4.9.0
 platform: ruby
 authors:
 - Alissa Bonas
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-07-03 00:00:00.000000000 Z
+date: 2020-08-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler