Merge pull request #12 from dev-dsp/authentication-tokens

enable support of AuthenticationTokens, add Google OAuth Credentials Token Source

Author: maxlaverse

pom.xml

@@ -41,21 +41,32 @@
     <java.level>8</java.level>
 
     <!-- dependency versions -->
-    <jenkins.version>2.60.3</jenkins.version>
+    <jenkins.version>2.176.1</jenkins.version>
 
-    <slf4j.version>1.7.25</slf4j.version>
+    <slf4j.version>1.7.26</slf4j.version>
 
     <!-- jenkins plugins versions -->
-    <jenkins-credentials.version>2.1.7</jenkins-credentials.version>
-    <jenkins-plain-credentials.version>1.3</jenkins-plain-credentials.version>
+    <jenkins-structs.version>1.19</jenkins-structs.version>
 
     <!-- maven plugins versions -->
     <maven-coveralls.version>4.3.0</maven-coveralls.version>
     <maven-jacoco.version>0.8.1</maven-jacoco.version>
+    <kubernetes-client.version>4.3.0</kubernetes-client.version>
 
   </properties>
 
   <dependencies>
+    <dependency>
+      <groupId>org.jenkins-ci.plugins</groupId>
+      <artifactId>kubernetes-client-api</artifactId>
+      <version>1.0.0</version>
+    </dependency>
+    <dependency>
+      <groupId>org.jenkins-ci.plugins</groupId>
+      <artifactId>jackson2-api</artifactId>
+      <version>2.9.9</version>
+    </dependency>
+
     <dependency>
       <groupId>org.jenkins-ci.plugins</groupId>
       <artifactId>apache-httpcomponents-client-4-api</artifactId>
@@ -73,28 +84,44 @@
     <dependency>
       <groupId>org.jenkins-ci.plugins</groupId>
       <artifactId>credentials</artifactId>
-      <version>${jenkins-credentials.version}</version>
     </dependency>
     <!-- to use StringCredentialsImpl for tokens -->
     <dependency>
       <groupId>org.jenkins-ci.plugins</groupId>
       <artifactId>plain-credentials</artifactId>
-      <version>${jenkins-plain-credentials.version}</version>
     </dependency>
+    <dependency>
+      <groupId>org.jenkins-ci.plugins</groupId>
+      <artifactId>authentication-tokens</artifactId>
+      <version>1.3</version>
+    </dependency>
+    <dependency>
+      <groupId>org.jenkins-ci.plugins</groupId>
+      <artifactId>google-oauth-plugin</artifactId>
+      <version>0.8</version>
+    </dependency>
+    <dependency>
+      <groupId>org.jenkins-ci.plugins</groupId>
+      <artifactId>docker-commons</artifactId>
+      <version>1.14</version>
+    </dependency>
+
   </dependencies>
 
   <!-- just to fix enforcer RequireUpperBoundDeps -->
   <dependencyManagement>
     <dependencies>
       <dependency>
-        <groupId>org.jenkins-ci.plugins</groupId>
-        <artifactId>structs</artifactId>
-        <version>${jenkins-structs.version}</version>
+        <groupId>io.jenkins.tools.bom</groupId>
+        <artifactId>bom</artifactId>
+        <version>2.176.2</version>
+        <scope>import</scope>
+        <type>pom</type>
       </dependency>
       <dependency>
-        <groupId>org.jenkins-ci.plugins</groupId>
-        <artifactId>ssh-credentials</artifactId>
-        <version>1.12</version>
+        <groupId>commons-io</groupId>
+        <artifactId>commons-io</artifactId>
+        <version>2.6</version>
       </dependency>
     </dependencies>
   </dependencyManagement>

src/main/java/org/jenkinsci/plugins/kubernetes/auth/KubernetesAuth.java

@@ -0,0 +1,26 @@
+package org.jenkinsci.plugins.kubernetes.auth;
+
+import com.fasterxml.jackson.core.JsonProcessingException;
+import io.fabric8.kubernetes.client.ConfigBuilder;
+
+/**
+ * Abstracts away a Kubernetes authentication either through kubeconfig format or {@link ConfigBuilder}.
+ */
+public interface KubernetesAuth {
+    /**
+     * Decorates a {@link ConfigBuilder} to connect using the current authentication object.
+     * @param builder the configuration to decorate
+     * @return the decorated configuration
+     * @throws KubernetesAuthException if anything fails during the processing of the authentication configuration
+     */
+    ConfigBuilder decorate(ConfigBuilder builder, KubernetesAuthConfig config) throws KubernetesAuthException;
+
+    /**
+     * Builds a kube config file content based on the current authentication object.
+     *
+     * @return Kubeconfig file content corresponding to this authentication object.
+     * @throws JsonProcessingException if something fails while generating the json document for kubeconfig
+     * @throws KubernetesAuthException if something fails while dealing with credentials
+     */
+    String buildKubeConfig(KubernetesAuthConfig config) throws JsonProcessingException, KubernetesAuthException;
+}

src/main/java/org/jenkinsci/plugins/kubernetes/auth/KubernetesAuthConfig.java

@@ -0,0 +1,37 @@
+package org.jenkinsci.plugins.kubernetes.auth;
+
+/**
+ * Configuration object for {@link KubernetesAuth} operations.
+ */
+public class KubernetesAuthConfig {
+    /**
+     * Server URL of the API endpoint
+     */
+    private final String serverUrl;
+    /**
+     * Server certificate
+     */
+    private final String caCertificate;
+    /**
+     * Set to true to skip TLS verification
+     */
+    private final boolean skipTlsVerify;
+
+    public KubernetesAuthConfig(String serverUrl, String caCertificate, boolean skipTlsVerify) {
+        this.serverUrl = serverUrl;
+        this.caCertificate = caCertificate;
+        this.skipTlsVerify = skipTlsVerify;
+    }
+
+    public String getServerUrl() {
+        return serverUrl;
+    }
+
+    public String getCaCertificate() {
+        return caCertificate;
+    }
+
+    public boolean isSkipTlsVerify() {
+        return skipTlsVerify;
+    }
+}

src/main/java/org/jenkinsci/plugins/kubernetes/auth/KubernetesAuthException.java

@@ -0,0 +1,8 @@
+package org.jenkinsci.plugins.kubernetes.auth;
+
+public class KubernetesAuthException extends Exception {
+    public KubernetesAuthException() { super(); }
+    public KubernetesAuthException(String message) { super(message); }
+    public KubernetesAuthException(String message, Throwable cause) { super(message, cause); }
+    public KubernetesAuthException(Throwable cause) { super(cause); }
+}

src/main/java/org/jenkinsci/plugins/kubernetes/auth/impl/AbstractKubernetesAuth.java

@@ -0,0 +1,49 @@
+package org.jenkinsci.plugins.kubernetes.auth.impl;
+
+import com.fasterxml.jackson.core.JsonProcessingException;
+import io.fabric8.kubernetes.api.model.AuthInfoBuilder;
+import io.fabric8.kubernetes.api.model.Cluster;
+import io.fabric8.kubernetes.client.internal.SerializationUtils;
+import org.jenkinsci.plugins.kubernetes.auth.KubernetesAuth;
+import org.jenkinsci.plugins.kubernetes.auth.KubernetesAuthConfig;
+import org.jenkinsci.plugins.kubernetes.auth.KubernetesAuthException;
+import org.jenkinsci.plugins.kubernetes.credentials.Utils;
+
+abstract class AbstractKubernetesAuth implements KubernetesAuth {
+    abstract AuthInfoBuilder decorate(AuthInfoBuilder builder, KubernetesAuthConfig config) throws KubernetesAuthException;
+
+    public String buildKubeConfig(KubernetesAuthConfig config) throws JsonProcessingException, KubernetesAuthException {
+        io.fabric8.kubernetes.api.model.ConfigBuilder configBuilder = new io.fabric8.kubernetes.api.model.ConfigBuilder();
+        // setup cluster
+        Cluster cluster = new Cluster();
+        cluster.setServer(config.getServerUrl());
+        String caCertificate = config.getCaCertificate();
+        if (caCertificate != null && !caCertificate.isEmpty()) {
+            cluster.setCertificateAuthorityData(Utils.encodeBase64(Utils.wrapCertificate(caCertificate)));
+        }
+        cluster.setInsecureSkipTlsVerify(config.isSkipTlsVerify());
+        configBuilder
+                .addNewCluster()
+                    .withName("k8s")
+                    .withCluster(cluster)
+                .endCluster();
+
+        // setup user (class-specific)
+        configBuilder
+                .addNewUser()
+                .withName("cluster-admin")
+                    .withUser(decorate(new AuthInfoBuilder(), config).build())
+                .endUser();
+        // setup context
+        configBuilder
+                .addNewContext()
+                    .withName("k8s")
+                    .withNewContext()
+                        .withCluster("k8s")
+                        .withUser("cluster-admin")
+                    .endContext()
+                .endContext();
+        return SerializationUtils.getMapper().writeValueAsString(configBuilder.build());
+    }
+
+}

src/main/java/org/jenkinsci/plugins/kubernetes/auth/impl/KubernetesAuthCertificate.java

@@ -0,0 +1,40 @@
+package org.jenkinsci.plugins.kubernetes.auth.impl;
+
+import io.fabric8.kubernetes.api.model.AuthInfoBuilder;
+import io.fabric8.kubernetes.client.ConfigBuilder;
+import org.jenkinsci.plugins.kubernetes.auth.KubernetesAuth;
+import org.jenkinsci.plugins.kubernetes.auth.KubernetesAuthConfig;
+import org.jenkinsci.plugins.kubernetes.credentials.Utils;
+
+public class KubernetesAuthCertificate extends AbstractKubernetesAuth implements KubernetesAuth {
+    private final String certificate;
+
+    private final String key;
+
+    public KubernetesAuthCertificate(String certificate, String key) {
+        this.certificate = certificate;
+        this.key = key;
+    }
+
+    @Override
+    public AuthInfoBuilder decorate(AuthInfoBuilder builder, KubernetesAuthConfig config) {
+        return builder
+                .withClientCertificateData(Utils.encodeBase64(certificate))
+                .withClientKeyData(Utils.encodeBase64(key));
+    }
+
+    @Override
+    public ConfigBuilder decorate(ConfigBuilder builder, KubernetesAuthConfig config) {
+        return builder
+                .withClientCertData(Utils.encodeBase64(certificate))
+                .withClientKeyData(Utils.encodeBase64(key));
+    }
+
+    public String getCertificate() {
+        return certificate;
+    }
+
+    public String getKey() {
+        return key;
+    }
+}

src/main/java/org/jenkinsci/plugins/kubernetes/auth/impl/KubernetesAuthKeystore.java

@@ -0,0 +1,66 @@
+package org.jenkinsci.plugins.kubernetes.auth.impl;
+
+import io.fabric8.kubernetes.api.model.AuthInfoBuilder;
+import io.fabric8.kubernetes.client.ConfigBuilder;
+import org.jenkinsci.plugins.kubernetes.auth.KubernetesAuth;
+import org.jenkinsci.plugins.kubernetes.auth.KubernetesAuthConfig;
+import org.jenkinsci.plugins.kubernetes.auth.KubernetesAuthException;
+import org.jenkinsci.plugins.kubernetes.credentials.Utils;
+
+import javax.annotation.Nonnull;
+import java.security.Key;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.UnrecoverableKeyException;
+import java.security.cert.CertificateEncodingException;
+
+/**
+ * Kubernetes authentication using certificate and private key obtained from a keystore with a passphrase.
+ */
+public class KubernetesAuthKeystore extends AbstractKubernetesAuth implements KubernetesAuth {
+    private KeyStore keyStore;
+
+    private final String passPhrase;
+
+    public KubernetesAuthKeystore(@Nonnull KeyStore keyStore, String passPhrase) {
+        this.keyStore = keyStore;
+        this.passPhrase = passPhrase;
+    }
+
+    @Override
+    public AuthInfoBuilder decorate(AuthInfoBuilder builder, KubernetesAuthConfig config) throws KubernetesAuthException {
+        try {
+            String alias = keyStore.aliases().nextElement();
+            // Get private key using passphrase
+            Key key = keyStore.getKey(alias, passPhrase.toCharArray());
+            return builder
+                    .withClientCertificateData(Utils.encodeCertificate(keyStore.getCertificate(alias)))
+                    .withClientKeyData(Utils.encodeKey(key));
+        } catch (KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException | CertificateEncodingException e) {
+            throw new KubernetesAuthException(e.getMessage(), e);
+        }
+    }
+
+    @Override
+    public ConfigBuilder decorate(ConfigBuilder builder, KubernetesAuthConfig config) throws KubernetesAuthException {
+        try {
+            String alias = keyStore.aliases().nextElement();
+            // Get private key using passphrase
+            Key key = keyStore.getKey(alias, passPhrase.toCharArray());
+            return builder
+                    .withClientCertData(Utils.encodeCertificate(keyStore.getCertificate(alias)))
+                    .withClientKeyData(Utils.encodeKey(key));
+        } catch (KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException | CertificateEncodingException e) {
+            throw new KubernetesAuthException(e.getMessage(), e);
+        }
+    }
+
+    public KeyStore getKeyStore() {
+        return keyStore;
+    }
+
+    public String getPassPhrase() {
+        return passPhrase;
+    }
+}

src/main/java/org/jenkinsci/plugins/kubernetes/auth/impl/KubernetesAuthKubeconfig.java

@@ -0,0 +1,38 @@
+package org.jenkinsci.plugins.kubernetes.auth.impl;
+
+import io.fabric8.kubernetes.client.ConfigBuilder;
+import org.jenkinsci.plugins.kubernetes.auth.KubernetesAuth;
+import org.jenkinsci.plugins.kubernetes.auth.KubernetesAuthConfig;
+import org.jenkinsci.plugins.kubernetes.auth.KubernetesAuthException;
+
+import java.io.IOException;
+
+/**
+ * Kubernetes authentication using a raw kubeconfig string.
+ */
+public class KubernetesAuthKubeconfig implements KubernetesAuth {
+    private final String kubeconfig;
+
+    public KubernetesAuthKubeconfig(String kubeconfig) {
+        this.kubeconfig = kubeconfig;
+    }
+
+    @Override
+    public String buildKubeConfig(KubernetesAuthConfig config) {
+        return getKubeconfig();
+    }
+
+    @Override
+    public ConfigBuilder decorate(ConfigBuilder builder, KubernetesAuthConfig config) throws KubernetesAuthException {
+        try {
+            return new ConfigBuilder(io.fabric8.kubernetes.client.Config.fromKubeconfig(getKubeconfig()));
+        } catch (IOException e) {
+            throw new KubernetesAuthException(e);
+        }
+    }
+
+    public String getKubeconfig() {
+        return kubeconfig;
+    }
+
+}