kube-rs · clux · Oct 8, 2020 · Oct 7, 2020 · Oct 8, 2020 · Oct 8, 2020
diff --git a/kube/Cargo.toml b/kube/Cargo.toml
@@ -46,6 +46,7 @@ Inflector = "0.11.4"
 tokio = { version = "0.2.22", features = ["time", "signal", "sync"] }
 static_assertions = "1.1.0"
 kube-derive = { path = "../kube-derive", version = "^0.42.0", optional = true }
+jsonpath_lib = "0.2.5"
 
 [dependencies.reqwest]
 version = "0.10.7"

diff --git a/kube/src/config/file_config.rs b/kube/src/config/file_config.rs
@@ -6,6 +6,8 @@ use crate::{config::utils, error::ConfigError, oauth2, Result};
 
 use serde::{Deserialize, Serialize};
 
+use jsonpath_lib::select as jsonpath_select;
+
 /// [`Kubeconfig`] represents information on how to connect to a remote Kubernetes cluster
 /// that is normally stored in `~/.kube/config`
 ///
@@ -179,6 +181,58 @@ impl AuthInfo {
                 if let Some(id_token) = provider.config.get("id-token") {
                     self.token = Some(id_token.clone());
                 }
+
+                if self.token.is_none() {
+                    if let Some(cmd) = provider.config.get("cmd-path") {
+                        let params = provider.config.get("cmd-args").cloned().unwrap_or_default();
+
+                        let output = std::process::Command::new(cmd)
+                            .args(params.trim().split(" "))
+                            .output()
+                            .map_err(|e|
+                                ConfigError::AuthExec(format!("Executing {:} failed: {:?}", cmd,  e))
+                            )?;
+
+                        if !output.status.success() {
+                            return Err(ConfigError::AuthExecRun {
+                                cmd: format!{"{} {}", cmd, params},
+                                status: output.status,
+                                out: output,
+                            }.into());
+                        }
+
+                        if let Some(field) = provider.config.get("token-key") {
+                            let pure_path = field
+                                .trim_matches(|c| c == '"' || c == '{' || c == '}');
+                            let json_output : serde_json::Value = serde_json::from_slice(&output.stdout)?;
+                            match jsonpath_select(&json_output, &format!("${}", pure_path)) {
+                                Ok(v) if v.len() > 0 => {
+                                    if let serde_json::Value::String(res) = v[0]  {
+                                        self.token = Some(res.clone());
+                                    } else {
+                                        return Err(ConfigError::AuthExec(
+                                            format!("Target value at {:} is not a string", pure_path)).into());
+                                    }
+                                }
+                                Err(e) => {
+                                    return Err(ConfigError::AuthExec(
+                                        format!("Could not extract JSON value: {:}", e)).into());
+                                }
+                                _ => {
+                                    return Err(ConfigError::AuthExec(
+                                        format!("Target value {:} not found", pure_path)).into());
+                                }
+                            };
+                        } else {
+                            self.token = Some(
+                                std::str::from_utf8(&output.stdout).map_err(|e|
+                                        ConfigError::AuthExec(format!("Result is not a string {:?} ", e))
+                                )?.to_owned());
+                        }
+                    } else {
+                        return Err(ConfigError::AuthExec(format!("no token or command provided. Authoring mechanism {:} not supported", provider.name)).into());
+                    }
+                }
             }
             None => {}
         };
@@ -193,3 +247,45 @@ impl AuthInfo {
         utils::data_or_file_with_base64(&self.client_key_data, &self.client_key)
     }
 }
+
+#[cfg(test)]
+mod test {
+    use super::*;
+    #[tokio::test]
+    async fn exec_auth_command() -> Result<()> {
+        let test_file = "
+        apiVersion: v1
+        clusters:
+        - cluster:
+            certificate-authority-data: XXXXXXX
+            server: https://36.XXX.XXX.XX
+          name: generic-name
+        contexts:
+        - context:
+            cluster: generic-name
+            user: generic-name
+          name: generic-name
+        current-context: generic-name
+        kind: Config
+        preferences: {}
+        users:
+        - name: generic-name
+          user:
+            auth-provider:
+              config:
+                cmd-args: '{\"something\": \"else\", \"credential\" : {\"access_token\" : \"my_token\"} }'
+                cmd-path: echo
+                expiry-key: '{.credential.token_expiry}'
+                token-key: '{.credential.access_token}'
+              name: gcp
+        ";
+
+        let mut config : Kubeconfig = serde_yaml::from_str(test_file).map_err(ConfigError::ParseYaml)?;
+        let auth_info = &mut config.auth_infos[0].auth_info;
+        assert!(auth_info.token.is_none());
+        auth_info.load_gcp().await?;
+        assert_eq!(auth_info.token, Some("my_token".to_owned()));
+
+        Ok(())
+    }
+}
diff --git a/kube/src/error.rs b/kube/src/error.rs
@@ -175,6 +175,8 @@ pub enum ConfigError {
     },
     #[error("Failed to parse auth exec output: {0}")]
     AuthExecParse(#[source] serde_json::Error),
+    #[error("Failed exec auth: {0}")]
+    AuthExec(String),
 }
 
 /// An Error response from the API