k2hr3-api 1.0.10 → 1.0.11
- package/ChangeLog +6 -0
- package/lib/k8soidc.js +40 -15
- package/package.json +1 -1
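--- a/package/ChangeLog
+++ b/package/ChangeLog
@@ -1,3 +1,9 @@
+k2hr3-api (1.0.11) unstable; urgency=low
+
+* Added config value as unscopedtoken expire for oidc - #60
+
+-- Takeshi Nakatani <ggtakec@gmail.com> Tue, 05 Jul 2022 16:54:16 +0900
+
 k2hr3-api (1.0.10) unstable; urgency=low
 
 * Bumpup version number for npm package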
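--- a/package/lib/k8soidc.js
+++ b/package/lib/k8soidc.js
@@ -37,12 +37,13 @@
 //
 // {
 // 'k8soidc': {
-// 'audience':
-// 'issuer':
-// 'usernamekey':
-// 'k8sapi_url':
-// 'k8s_ca_path':
-// 'k8s_sa_token':
+// 'audience': '<client id for open id connect>',
+// 'issuer': '<issue url for open id connect>',
+// 'usernamekey': '<user name key name in token>',
+// 'k8sapi_url': '<kubernetes api url>',
+// 'k8s_ca_path': '<CA cert file path for kubernetes api url>',
+// 'k8s_sa_token': '<Service account token for kubernetes>'
+// 'unscopedtoken_exp':'<Expire limit for unscoped Token created from oidc>'
 // }
 // }
 //
@@ -75,6 +76,12 @@
 // API. If you're running the K2HR3 API inside a Kubernetes pod,
 // it's '/var/run/secrets/kubernetes.io/serviceaccount/token'.
 // This key and value are required.
+// [unscopedtoken_exp]
+// Specifies the expiration date of the Unscoped token created by
+// OIDC. This value is specified in seconds(s).
+// If this value does not exist or is less than or equal to 0,
+// the default value will be used. The default value is the same
+// as the OIDC token expiration date.
 //
 //------------------------------------------------------------------------
 
@@ -115,6 +122,7 @@ var oidc_username = null;
 var k8s_api_url = null;
 var k8s_ca_cert = null;
 var k2hr3_k8s_sa_token = null;
+var unscopedtoken_exp = 0; // Expire limit for unscoped Token created from oidc(default is 0 means as same as oidc limit)
 
 (function()
 {
@@ -123,12 +131,17 @@ var k2hr3_k8s_sa_token = null;
 oidc_config = apiConf.getOtherObject('k8soidc');
 
 if(apiutil.isSafeEntity(oidc_config)){
-oidc_audience
-oidc_issuer
-oidc_username
-k8s_api_url
-k8s_ca_cert
-k2hr3_k8s_sa_token
+oidc_audience = oidc_config.audience;
+oidc_issuer = oidc_config.issuer;
+oidc_username = oidc_config.usernamekey;
+k8s_api_url = oidc_config.k8sapi_url;
+k8s_ca_cert = oidc_config.k8s_ca_path;
+k2hr3_k8s_sa_token = fs.readFileSync(oidc_config.k8s_sa_token, 'utf8');
+
+// unscopedtoken_exp must be number
+if(apiutil.isSafeEntity(oidc_config.unscopedtoken_exp) && !isNaN(oidc_config.unscopedtoken_exp) && 0 < oidc_config.unscopedtoken_exp){
+unscopedtoken_exp = oidc_config.unscopedtoken_exp;
+}
 }
 }());
 
@@ -186,8 +199,12 @@ function rawCreateUserTokenByK8sUser(user, user_id, tenant, expire_limit)
 if(!apiutil.isSafeString(tenant)){
 tenant = null;
 }
-if(
-expire_limit =
+if(0 < unscopedtoken_exp){
+expire_limit = unscopedtoken_exp; // override expire limit by config
+}else{
+if(!apiutil.isSafeEntity(expire_limit) || isNaN(expire_limit) || expire_limit <= 0){
+expire_limit = 24 * 60 * 60; // default 24H
+}
 }
 
 var dkcobj = k2hr3.getK2hdkc(true, false); // use permanent object(need to clean)
@@ -799,7 +816,15 @@ function rawGetUserUnscopedTokenK8s(token, callback)
 
 // core seed
 var user_id_uuid4 = apiutil.cvtNumberStringToUuid4(userid, 10); // payload.sub is decimal string
-var expire_limit
+var expire_limit;
+if(apiutil.isSafeEntity(payload['exp']) && !isNaN(payload['exp'])){
+expire_limit = payload['exp'] - apiutil.getUnixtime();
+if(expire_limit <= 0){
+expire_limit= 24 * 60 * 60; // default 24H
+}
+}else{
+expire_limit = 24 * 60 * 60; // default 24H
+}
 
 // create token
 var resobj = rawCreateUserTokenByK8sUser(lower_username, user_id_uuid4, null, expire_limit);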