
remove required idp-certificate-authority-data in kubeconfig for oidc…
… token refresh, kubernetes-client/python#493

fix pep8 style
add unit test
mvle committed May 25, 2018
1 parent 5784a38 commit 980f9b1
Showing 2 changed files with 68 additions and 14 deletions.
33 changes: 19 additions & 14 deletions config/kube_config.py
Expand Up @@ -255,22 +255,27 @@ def _load_oid_token(self):
return self.token

def _refresh_oidc(self, provider):
ca_cert = tempfile.NamedTemporaryFile(delete=True)
config = Configuration()

if PY3:
cert = base64.b64decode(
provider['config']['idp-certificate-authority-data']
).decode('utf-8')
else:
cert = base64.b64decode(
provider['config']['idp-certificate-authority-data'] + "=="
)
if 'idp-certificate-authority-data' in provider['config']:
ca_cert = tempfile.NamedTemporaryFile(delete=True)

with open(ca_cert.name, 'w') as fh:
fh.write(cert)
if PY3:
cert = base64.b64decode(
provider['config']['idp-certificate-authority-data']
).decode('utf-8')
else:
cert = base64.b64decode(
provider['config']['idp-certificate-authority-data'] + "=="
)

config = Configuration()
config.ssl_ca_cert = ca_cert.name
with open(ca_cert.name, 'w') as fh:
fh.write(cert)

config.ssl_ca_cert = ca_cert.name

else:
config.verify_ssl = False

client = ApiClient(configuration=config)

Expand Down Expand Up @@ -301,7 +306,7 @@ def _refresh_oidc(self, provider):
refresh_token=provider['config']['refresh-token'],
auth=(provider['config']['client-id'],
provider['config']['client-secret']),
verify=ca_cert.name
verify=config.ssl_ca_cert if config.verify_ssl else None
)
except oauthlib.oauth2.rfc6749.errors.InvalidClientIdError:
return
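Review bot: The new `else:` / `config.verify_ssl = False` branch in the first hunk turns a kubeconfig that simply omits `idp-certificate-authority-data` into an unverified TLS connection for the discovery request made through `ApiClient(configuration=config)`, which is a silent downgrade — an absent IdP CA conventionally means "use the default trust store", not "skip verification". The second hunk is inconsistent with that choice: `verify=config.ssl_ca_cert if config.verify_ssl else None` hands `None` to `refresh_token`, and requests (as far as I recall its session-setting merge) treats `None` as "fall back to the session default", so only the discovery step ends up unverified while the token refresh still is. Dropping the `else` branch so `Configuration()` keeps its default verification, and writing the refresh argument as `verify=config.ssl_ca_cert or True`, would make both requests verify against the default bundle when no IdP CA is configured and against the supplied CA when one is. `_refresh_oidc` continues past the end of both hunks, so the remaining uses of `config` and `client` are not visible here.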
49 changes: 49 additions & 0 deletions config/kube_config_test.py
Expand Up @@ -373,6 +373,13 @@ class TestKubeConfigLoader(BaseTestCase):
"user": "expired_oidc"
}
},
{
"name": "expired_oidc_nocert",
"context": {
"cluster": "default",
"user": "expired_oidc_nocert"
}
},
{
"name": "user_pass",
"context": {
Expand Down Expand Up @@ -519,6 +526,22 @@ class TestKubeConfigLoader(BaseTestCase):
}
}
},
{
"name": "expired_oidc_nocert",
"user": {
"auth-provider": {
"name": "oidc",
"config": {
"client-id": "tectonic-kubectl",
"client-secret": "FAKE_SECRET",
"id-token": TEST_OIDC_EXPIRED_LOGIN,
"idp-issuer-url": "https://example.org/identity",
"refresh-token":
"lucWJjEhlxZW01cXI3YmVlcYnpxNGhzk"
}
}
}
},
{
"name": "user_pass",
"user": {
Expand Down Expand Up @@ -649,6 +672,32 @@ def test_oidc_with_refresh(self, mock_ApiClient, mock_OAuth2Session):
self.assertTrue(loader._load_oid_token())
self.assertEqual("Bearer abc123", loader.token)

@mock.patch('kubernetes.config.kube_config.OAuth2Session.refresh_token')
@mock.patch('kubernetes.config.kube_config.ApiClient.request')
def test_oidc_with_refresh_nocert(
self, mock_ApiClient, mock_OAuth2Session):
mock_response = mock.MagicMock()
type(mock_response).status = mock.PropertyMock(
return_value=200
)
type(mock_response).data = mock.PropertyMock(
return_value=json.dumps({
"token_endpoint": "https://example.org/identity/token"
})
)

mock_ApiClient.return_value = mock_response

mock_OAuth2Session.return_value = {"id_token": "abc123",
"refresh_token": "newtoken123"}

loader = KubeConfigLoader(
config_dict=self.TEST_KUBE_CONFIG,
active_context="expired_oidc_nocert",
)
self.assertTrue(loader._load_oid_token())
self.assertEqual("Bearer abc123", loader.token)

def test_user_pass(self):
expected = FakeConfig(host=TEST_HOST, token=TEST_BASIC_TOKEN)
actual = FakeConfig()
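Review bot: `test_oidc_with_refresh_nocert` in the third hunk patches both `ApiClient.request` and `OAuth2Session.refresh_token`, so it only proves the `expired_oidc_nocert` context no longer fails on the missing key; nothing pins the TLS settings the no-cert branch selects, which is the behaviour that actually changed. Because both methods are patched on the class, the keyword arguments reach the mock unchanged, so one assertion would cover it: `self.assertNotEqual(mock_OAuth2Session.call_args[1]['verify'], False)` after the existing `assertEqual`, which fails if a later change ever disables verification on the refresh call. As a point of style, the body appears to be a line-for-line copy of `test_oidc_with_refresh` (whose start lies outside the hunk, judging by its visible tail) differing only in `active_context`; a small helper such as `_assert_oidc_refresh(self, active_context)` called from both tests would keep the two in step.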
