tomplus
diff --git a/‎.gitignore
+1 b/‎.gitignore
+1
diff --git a/‎kubernetes_asyncio/config/kube_config.py
+77-2 b/‎kubernetes_asyncio/config/kube_config.py
+77-2
diff --git a/‎kubernetes_asyncio/config/kube_config_test.py
+142-1 b/‎kubernetes_asyncio/config/kube_config_test.py
+142-1
@@ -2,6 +2,7 @@
 __pycache__/
 *.py[cod]
 *$py.class
+/.pytest_cache
 
 # C extensions
 *.so
 
@@ -16,6 +16,7 @@
 import atexit
 import base64
 import datetime
+import json
 import os
 import tempfile
 
@@ -27,9 +28,11 @@
 from .config_exception import ConfigException
 from .dateutil import UTC, parse_rfc3339
 from .google_auth import google_auth_credentials
+from .openid import OpenIDRequestor
 
 EXPIRY_SKEW_PREVENTION_DELAY = datetime.timedelta(minutes=5)
 KUBE_CONFIG_DEFAULT_LOCATION = os.environ.get('KUBECONFIG', '~/.kube/config')
+PROVIDER_TYPE_OIDC = 'oidc'
 _temp_files = {}
 
 
@@ -163,17 +166,24 @@ async def _load_authentication(self):
             1. GCP auth-provider
             2. token_data
             3. token field (point to a token file)
-            4. username/password
+            4. oidc auth-provider
+            5. username/password
         """
+
         if not self._user:
             return
 
         if self.provider == 'gcp':
             await self.load_gcp_token()
             return
 
+        if self.provider == PROVIDER_TYPE_OIDC:
+            await self._load_oid_token()
+            return
+
         if self._load_user_token():
             return
+
         self._load_user_pass_token()
 
     async def load_gcp_token(self):
@@ -184,7 +194,7 @@ async def load_gcp_token(self):
         config = self._user['auth-provider']['config']
 
         if (('access-token' not in config) or
-           ('expiry' in config and _is_expired(config['expiry']))):
+                ('expiry' in config and _is_expired(config['expiry']))):
 
             if self._get_google_credentials is not None:
                 if asyncio.iscoroutinefunction(self._get_google_credentials):
@@ -201,6 +211,71 @@ async def load_gcp_token(self):
         self.token = "Bearer %s" % config['access-token']
         return self.token
 
+    async def _load_oid_token(self):
+        provider = self._user['auth-provider']
+
+        if 'config' not in provider:
+            raise ValueError('oidc: missing configuration')
+
+        if 'id-token' not in provider['config']:
+            await self._refresh_oidc(provider)
+
+            self.token = 'Bearer {}'.format(provider['config']['id-token'])
+            return self.token
+
+        parts = provider['config']['id-token'].split('.')
+
+        if len(parts) != 3:
+            raise ValueError('oidc: JWT tokens should contain 3 period-delimited parts')
+
+        id_token = parts[1]
+        # Re-pad the unpadded JWT token
+        id_token += (4 - len(id_token) % 4) * '='
+        jwt_attributes = json.loads(base64.b64decode(id_token).decode('utf8'))
+        expires = jwt_attributes.get('exp')
+
+        if (
+            expires is not None and
+            _is_expired(datetime.datetime.utcfromtimestamp(expires))
+        ):
+            await self._refresh_oidc(provider)
+
+        self.token = 'Bearer {}'.format(provider['config']['id-token'])
+        return self.token
+
+    async def _refresh_oidc(self, provider):
+        if 'refresh-token' not in provider['config']:
+            raise ConfigException('oidc: No valid id-token, and cannot refresh without refresh-token')
+
+        with tempfile.NamedTemporaryFile(delete=True) as certfile:
+            ssl_ca_cert = None
+            cert_auth_data = self._retrieve_oidc_cacert(provider)
+            if cert_auth_data is not None:
+                certfile.write(cert_auth_data)
+                certfile.flush()
+                ssl_ca_cert = certfile.name
+
+            requestor = OpenIDRequestor(
+                provider['config']['client-id'],
+                provider['config']['client-secret'],
+                provider['config']['idp-issuer-url'],
+                ssl_ca_cert,
+            )
+
+            resp = await requestor.refresh_token(provider['config']['refresh-token'])
+
+            provider['config'].value['id-token'] = resp['id_token']
+            provider['config'].value['refresh-token'] = resp['refresh_token']
+
+            if self._config_persister:
+                self._config_persister(self._config.value)
+
+    def _retrieve_oidc_cacert(self, provider):
+        if 'idp-certificate-authority-data' in provider['config']:
+            return base64.b64decode(provider['config']['idp-certificate-authority-data'])
+
+        return None
+
     def _load_user_token(self):
         token = FileOrData(
             self._user, 'tokenFile', 'token',
 
@@ -14,13 +14,14 @@
 
 import base64
 import datetime
+import json
 import os
 import shutil
 import tempfile
 from types import SimpleNamespace
 
 import yaml
-from asynctest import Mock, TestCase, main, patch
+from asynctest import Mock, PropertyMock, TestCase, main, patch
 from six import PY3
 
 from .config_exception import ConfigException
@@ -39,6 +40,10 @@ def _base64(string):
     return base64.encodestring(string.encode()).decode()
 
 
+def _unpadded_base64(string):
+    return base64.b64encode(string.encode()).decode().rstrip('')
+
+
 def _raise_exception(st):
     raise Exception(st)
 
@@ -67,6 +72,20 @@ def _raise_exception(st):
 TEST_CLIENT_CERT = "client-cert"
 TEST_CLIENT_CERT_BASE64 = _base64(TEST_CLIENT_CERT)
 
+TEST_OIDC_TOKEN = "test-oidc-token"
+TEST_OIDC_INFO = "{\"name\": \"test\"}"
+TEST_OIDC_BASE = _unpadded_base64(TEST_OIDC_TOKEN) + "." + _unpadded_base64(TEST_OIDC_INFO)
+TEST_OIDC_LOGIN = TEST_OIDC_BASE + "." + TEST_CLIENT_CERT_BASE64
+TEST_OIDC_TOKEN = "Bearer %s" % TEST_OIDC_LOGIN
+TEST_OIDC_EXP = "{\"name\": \"test\",\"exp\": 536457600}"
+TEST_OIDC_EXP_BASE = _unpadded_base64(TEST_OIDC_TOKEN) + "." + _unpadded_base64(TEST_OIDC_EXP)
+TEST_OIDC_EXPIRED_LOGIN = TEST_OIDC_EXP_BASE + "." + TEST_CLIENT_CERT_BASE64
+TEST_OIDC_CA = _base64(TEST_CERTIFICATE_AUTH)
+
+
+async def _return_async_value(val):
+    return val
+
 
 class BaseTestCase(TestCase):
 
@@ -333,6 +352,27 @@ class TestKubeConfigLoader(BaseTestCase):
                     "user": "expired_gcp"
                 }
             },
+            {
+                "name": "oidc",
+                "context": {
+                    "cluster": "default",
+                    "user": "oidc"
+                }
+            },
+            {
+                "name": "expired_oidc",
+                "context": {
+                    "cluster": "default",
+                    "user": "expired_oidc"
+                }
+            },
+            {
+                "name": "expired_oidc_no_idp_cert_data",
+                "context": {
+                    "cluster": "default",
+                    "user": "expired_oidc_no_idp_cert_data"
+                }
+            },
             {
                 "name": "user_pass",
                 "context": {
@@ -450,6 +490,48 @@ class TestKubeConfigLoader(BaseTestCase):
                     "password": TEST_PASSWORD,  # should be ignored
                 }
             },
+            {
+                "name": "oidc",
+                "user": {
+                    "auth-provider": {
+                        "name": "oidc",
+                        "config": {
+                            "id-token": TEST_OIDC_LOGIN
+                        }
+                    }
+                }
+            },
+            {
+                "name": "expired_oidc",
+                "user": {
+                    "auth-provider": {
+                        "name": "oidc",
+                        "config": {
+                            "client-id": "tectonic-kubectl",
+                            "client-secret": "FAKE_SECRET",
+                            "id-token": TEST_OIDC_EXPIRED_LOGIN,
+                            "idp-certificate-authority-data": TEST_OIDC_CA,
+                            "idp-issuer-url": "https://example.localhost/identity",
+                            "refresh-token": "lucWJjEhlxZW01cXI3YmVlcYnpxNGhzk"
+                        }
+                    }
+                }
+            },
+            {
+                "name": "expired_oidc_no_idp_cert_data",
+                "user": {
+                    "auth-provider": {
+                        "name": "oidc",
+                        "config": {
+                            "client-id": "tectonic-kubectl",
+                            "client-secret": "FAKE_SECRET",
+                            "id-token": TEST_OIDC_EXPIRED_LOGIN,
+                            "idp-issuer-url": "https://example.localhost/identity",
+                            "refresh-token": "lucWJjEhlxZW01cXI3YmVlcYnpxNGhzk"
+                        }
+                    }
+                }
+            },
             {
                 "name": "user_pass",
                 "user": {
@@ -564,6 +646,65 @@ async def cred():
         self.assertEqual(BEARER_TOKEN_FORMAT % TEST_ANOTHER_DATA_BASE64,
                          loader.token)
 
+    async def test_oidc_no_refresh(self):
+        loader = KubeConfigLoader(
+            config_dict=self.TEST_KUBE_CONFIG,
+            active_context='oidc',
+        )
+        await loader._load_authentication()
+        self.assertEqual(TEST_OIDC_TOKEN, loader.token)
+
+    @patch('kubernetes_asyncio.config.kube_config.OpenIDRequestor.refresh_token')
+    async def test_oidc_with_refresh(self, mock_refresh_token):
+        mock_refresh_token.return_value = {
+            'id_token': 'abc123',
+            'refresh_token': 'newtoken123'
+        }
+
+        loader = KubeConfigLoader(
+            config_dict=self.TEST_KUBE_CONFIG,
+            active_context='expired_oidc',
+        )
+        await loader._load_authentication()
+        self.assertEqual('Bearer abc123', loader.token)
+
+    @patch('kubernetes_asyncio.config.kube_config.OpenIDRequestor.refresh_token')
+    async def test_oidc_with_refresh_no_idp_cert_data(self, mock_refresh_token):
+        mock_refresh_token.return_value = {
+            'id_token': 'abc123',
+            'refresh_token': 'newtoken123'
+        }
+
+        loader = KubeConfigLoader(
+            config_dict=self.TEST_KUBE_CONFIG,
+            active_context='expired_oidc_no_idp_cert_data',
+        )
+        await loader._load_authentication()
+        self.assertEqual('Bearer abc123', loader.token)
+
+    async def test_invalid_oidc_configs(self):
+        loader = KubeConfigLoader(config_dict=self.TEST_KUBE_CONFIG)
+
+        with self.assertRaises(ValueError):
+            loader._user = {'auth-provider': {}}
+            await loader._load_oid_token()
+
+        with self.assertRaises(ValueError):
+            loader._user = {
+                'auth-provider': {
+                    'config': {
+                        'id-token': 'notvalid'
+                    },
+                }
+            }
+            await loader._load_oid_token()
+
+    async def test_invalid_refresh(self):
+        loader = KubeConfigLoader(config_dict=self.TEST_KUBE_CONFIG)
+
+        with self.assertRaises(ConfigException):
+            await  loader._refresh_oidc({'config': {}})
+
     async def test_user_pass(self):
         expected = FakeConfig(host=TEST_HOST, token=TEST_BASIC_TOKEN)
         actual = FakeConfig()