Add support for open id connect token auth

Ben Picolo · Ben Picolo · commit 63245e931801 · 2018-08-01T14:48:48.000-04:00
diff --git a/kubernetes_asyncio/config/kube_config.py b/kubernetes_asyncio/config/kube_config.py
@@ -16,11 +16,14 @@
 import atexit
 import base64
 import datetime
+import json
 import os
 import tempfile
 
 import urllib3
 import yaml
+from oauthlib import oauth2
+from requests_oauthlib import OAuth2Session
 
 from kubernetes_asyncio.client import ApiClient, Configuration
 
@@ -30,6 +33,7 @@
 
 EXPIRY_SKEW_PREVENTION_DELAY = datetime.timedelta(minutes=5)
 KUBE_CONFIG_DEFAULT_LOCATION = os.environ.get('KUBECONFIG', '~/.kube/config')
+PROVIDER_TYPE_OIDC = 'oidc'
 _temp_files = {}
 
 
@@ -163,8 +167,10 @@ async def _load_authentication(self):
             1. GCP auth-provider
             2. token_data
             3. token field (point to a token file)
-            4. username/password
+            4. oidc auth-provider
+            5. username/password
         """
+
         if not self._user:
             return
 
@@ -173,7 +179,12 @@ async def _load_authentication(self):
             return
 
         if self._load_user_token():
+
             return
+
+        if await self._load_oid_token():
+            return
+
         self._load_user_pass_token()
 
     async def load_gcp_token(self):
@@ -184,7 +195,7 @@ async def load_gcp_token(self):
         config = self._user['auth-provider']['config']
 
         if (('access-token' not in config) or
-           ('expiry' in config and _is_expired(config['expiry']))):
+                ('expiry' in config and _is_expired(config['expiry']))):
 
             if self._get_google_credentials is not None:
                 if asyncio.iscoroutinefunction(self._get_google_credentials):
@@ -201,6 +212,101 @@ async def load_gcp_token(self):
         self.token = "Bearer %s" % config['access-token']
         return self.token
 
+    async def _load_oid_token(self):
+        if 'auth-provider' not in self._user:
+            return
+
+        provider = self._user['auth-provider']
+        if 'name' not in provider or provider['name'] != PROVIDER_TYPE_OIDC or 'config' not in provider:
+            return
+
+        if 'id-token' not in provider['config']:
+            await self._refresh_oidc(provider)
+            self.token = 'Bearer {}'.format(provider['config']['id-token'])
+            return self.token
+
+        parts = provider['config']['id-token'].split('.')
+
+        if len(parts) != 3:
+            raise ValueError('oidc: JWT tokens should contain 3 period-delimited parts')
+
+        id_token = parts[1]
+        # Re-pad the unpadded JWT token
+        id_token += (4 - len(id_token) % 4) * '='
+        jwt_attributes = json.loads(base64.b64decode(id_token).decode('utf8'))
+        expires = jwt_attributes.get('exp')
+
+        if (
+            expires is not None and
+            _is_expired(datetime.datetime.utcfromtimestamp(expires))
+        ):
+            await self._refresh_oidc(provider)
+
+        self.token = 'Bearer {}'.format(provider['config']['id-token'])
+        return self.token
+
+    async def _refresh_oidc(self, provider):
+        if 'refresh-token' not in provider['config']:
+            raise ValueError('oidc: No valid id-token, and cannot refresh without refresh-token')
+
+        with tempfile.NamedTemporaryFile(delete=True) as certfile:
+            configuration = Configuration()
+            cert_auth_data = await self._retrieve_oidc_cacert(provider)
+            if cert_auth_data is not None:
+                certfile.write(cert_auth_data)
+                certfile.flush()
+                configuration.ssl_ca_cert = certfile.name
+
+            client = ApiClient(configuration=configuration)
+            issuer_url = provider['config']['idp-issuer-url']
+            response = await client.request(
+                method='GET',
+                url='{}/.well-known/openid-configuration'.format(issuer_url.rstrip("/"))
+            )
+
+            if response.status != 200:
+                raise ValueError('oidc: failed to query metadata endpoint')
+
+            well_known_data = json.loads(response.data)
+
+            self._perform_oauth_refresh(provider, client, well_known_data)
+
+    def _perform_oauth_refresh(self, provider, client, well_known_data):
+        # It's not optimal that this isn't async, but there's no existing well-supported
+        # aiohttp-based oauth library right now (that I can find) and it's quite a feat
+        # to recreate from scratch. Luckily, oauth refresh is a fairly rare occurrence
+        request = OAuth2Session(
+            client_id=provider['config']['client-id'],
+            token=provider['config']['refresh-token'],
+            auto_refresh_kwargs={
+                'client_id': provider['config']['client-id'],
+                'client_secret': provider['config']['client-secret'],
+            },
+            auto_refresh_url=well_known_data['token_endpoint']
+        )
+
+        try:
+            refresh = request.refresh_token(
+                token_url=well_known_data['token_endpoint'],
+                refresh_token=provider['config']['refresh-token'],
+                auth=(provider['config']['client-id'], provider['config']['client-secret']),
+                verify=client.configuration.ssl_ca_cert
+            )
+        except oauth2.rfc6749.errors.InvalidClientIdError:
+            raise ValueError('oidc: client-id was invalid')
+
+        provider['config'].value['id-token'] = refresh['id_token']
+        provider['config'].value['refresh-token'] = refresh['refresh_token']
+
+        if self._config_persister:
+            self._config_persister(self._config.value)
+
+    async def _retrieve_oidc_cacert(self, provider):
+        if 'idp-certificate-authority-data' in provider['config']:
+            return base64.b64decode(provider['config']['idp-certificate-authority-data'])
+
+        return None
+
     def _load_user_token(self):
         token = FileOrData(
             self._user, 'tokenFile', 'token',
diff --git a/kubernetes_asyncio/config/kube_config_test.py b/kubernetes_asyncio/config/kube_config_test.py
@@ -14,13 +14,14 @@
 
 import base64
 import datetime
+import json
 import os
 import shutil
 import tempfile
 from types import SimpleNamespace
 
 import yaml
-from asynctest import Mock, TestCase, main, patch
+from asynctest import Mock, PropertyMock, TestCase, main, patch
 from six import PY3
 
 from .config_exception import ConfigException
@@ -39,6 +40,10 @@ def _base64(string):
     return base64.encodestring(string.encode()).decode()
 
 
+def _unpadded_base64(string):
+    return base64.b64encode(string.encode()).decode().rstrip('')
+
+
 def _raise_exception(st):
     raise Exception(st)
 
@@ -67,6 +72,20 @@ def _raise_exception(st):
 TEST_CLIENT_CERT = "client-cert"
 TEST_CLIENT_CERT_BASE64 = _base64(TEST_CLIENT_CERT)
 
+TEST_OIDC_TOKEN = "test-oidc-token"
+TEST_OIDC_INFO = "{\"name\": \"test\"}"
+TEST_OIDC_BASE = _unpadded_base64(TEST_OIDC_TOKEN) + "." + _unpadded_base64(TEST_OIDC_INFO)
+TEST_OIDC_LOGIN = TEST_OIDC_BASE + "." + TEST_CLIENT_CERT_BASE64
+TEST_OIDC_TOKEN = "Bearer %s" % TEST_OIDC_LOGIN
+TEST_OIDC_EXP = "{\"name\": \"test\",\"exp\": 536457600}"
+TEST_OIDC_EXP_BASE = _unpadded_base64(TEST_OIDC_TOKEN) + "." + _unpadded_base64(TEST_OIDC_EXP)
+TEST_OIDC_EXPIRED_LOGIN = TEST_OIDC_EXP_BASE + "." + TEST_CLIENT_CERT_BASE64
+TEST_OIDC_CA = _base64(TEST_CERTIFICATE_AUTH)
+
+
+async def _return_async_value(val):
+    return val
+
 
 class BaseTestCase(TestCase):
 
@@ -333,6 +352,27 @@ class TestKubeConfigLoader(BaseTestCase):
                     "user": "expired_gcp"
                 }
             },
+            {
+                "name": "oidc",
+                "context": {
+                    "cluster": "default",
+                    "user": "oidc"
+                }
+            },
+            {
+                "name": "expired_oidc",
+                "context": {
+                    "cluster": "default",
+                    "user": "expired_oidc"
+                }
+            },
+            {
+                "name": "expired_oidc_no_idp_cert_data",
+                "context": {
+                    "cluster": "default",
+                    "user": "expired_oidc_no_idp_cert_data"
+                }
+            },
             {
                 "name": "user_pass",
                 "context": {
@@ -450,6 +490,48 @@ class TestKubeConfigLoader(BaseTestCase):
                     "password": TEST_PASSWORD,  # should be ignored
                 }
             },
+            {
+                "name": "oidc",
+                "user": {
+                    "auth-provider": {
+                        "name": "oidc",
+                        "config": {
+                            "id-token": TEST_OIDC_LOGIN
+                        }
+                    }
+                }
+            },
+            {
+                "name": "expired_oidc",
+                "user": {
+                    "auth-provider": {
+                        "name": "oidc",
+                        "config": {
+                            "client-id": "tectonic-kubectl",
+                            "client-secret": "FAKE_SECRET",
+                            "id-token": TEST_OIDC_EXPIRED_LOGIN,
+                            "idp-certificate-authority-data": TEST_OIDC_CA,
+                            "idp-issuer-url": "https://example.localhost/identity",
+                            "refresh-token": "lucWJjEhlxZW01cXI3YmVlcYnpxNGhzk"
+                        }
+                    }
+                }
+            },
+            {
+                "name": "expired_oidc_no_idp_cert_data",
+                "user": {
+                    "auth-provider": {
+                        "name": "oidc",
+                        "config": {
+                            "client-id": "tectonic-kubectl",
+                            "client-secret": "FAKE_SECRET",
+                            "id-token": TEST_OIDC_EXPIRED_LOGIN,
+                            "idp-issuer-url": "https://example.localhost/identity",
+                            "refresh-token": "lucWJjEhlxZW01cXI3YmVlcYnpxNGhzk"
+                        }
+                    }
+                }
+            },
             {
                 "name": "user_pass",
                 "user": {
@@ -564,6 +646,64 @@ async def cred():
         self.assertEqual(BEARER_TOKEN_FORMAT % TEST_ANOTHER_DATA_BASE64,
                          loader.token)
 
+    async def test_oidc_no_refresh(self):
+        loader = KubeConfigLoader(
+            config_dict=self.TEST_KUBE_CONFIG,
+            active_context='oidc',
+        )
+        self.assertTrue(await loader._load_oid_token())
+        self.assertEqual(TEST_OIDC_TOKEN, loader.token)
+
+    @patch('kubernetes_asyncio.config.kube_config.OAuth2Session.refresh_token')
+    @patch('kubernetes_asyncio.config.kube_config.ApiClient')
+    async def test_oidc_with_refresh(self, mock_api_client, mock_oauth2_session):
+        mock_response = Mock()
+        type(mock_response).status = PropertyMock(
+            return_value=200
+        )
+        type(mock_response).data = PropertyMock(
+            return_value=json.dumps({
+                'token_endpoint': 'https://example.localhost/identity/token'
+            })
+        )
+
+        mock_api_client().request.return_value = _return_async_value(mock_response)
+        mock_oauth2_session.return_value = {
+            'id_token': 'abc123',
+            'refresh_token': 'newtoken123'
+        }
+        loader = KubeConfigLoader(
+            config_dict=self.TEST_KUBE_CONFIG,
+            active_context='expired_oidc',
+        )
+        self.assertTrue(await loader._load_oid_token())
+        self.assertEqual('Bearer abc123', loader.token)
+
+    @patch('kubernetes_asyncio.config.kube_config.OAuth2Session.refresh_token')
+    @patch('kubernetes_asyncio.config.kube_config.ApiClient')
+    async def test_oidc_with_refresh_no_idp_cert_data(self, mock_api_client, mock_oauth2_session):
+        mock_response = Mock()
+        type(mock_response).status = PropertyMock(
+            return_value=200
+        )
+        type(mock_response).data = PropertyMock(
+            return_value=json.dumps({
+                'token_endpoint': 'https://example.localhost/identity/token'
+            })
+        )
+
+        mock_api_client().request.return_value = _return_async_value(mock_response)
+        mock_oauth2_session.return_value = {
+            'id_token': 'abc123',
+            'refresh_token': 'newtoken123'
+        }
+        loader = KubeConfigLoader(
+            config_dict=self.TEST_KUBE_CONFIG,
+            active_context='expired_oidc_no_idp_cert_data',
+        )
+        self.assertTrue(await loader._load_oid_token())
+        self.assertEqual('Bearer abc123', loader.token)
+
     async def test_user_pass(self):
         expected = FakeConfig(host=TEST_HOST, token=TEST_BASIC_TOKEN)
         actual = FakeConfig()
diff --git a/requirements.txt b/requirements.txt
@@ -4,4 +4,5 @@ python-dateutil>=2.5.3  # BSD
 setuptools>=21.0.0  # PSF/ZPL
 urllib3>=1.19.1,!=1.21,<1.23  # MIT
 pyyaml>=3.12  # MIT
+requests-oauthlib # ISC
 aiohttp>=2.3.10 # # Apache-2.0
