Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
2fb745f0
Commit
2fb745f0
authored
Apr 08, 2016
by
Jeff Lowdermilk
Browse files
Options
Browse Files
Download
Plain Diff
Merge pull request #23661 from spxtr/oidc
Remove retries from most oidc tests.
parents
c3dac2d1
ae79677f
Hide whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
61 additions
and
28 deletions
+61
-28
authn.go
pkg/apiserver/authenticator/authn.go
+9
-1
oidc.go
plugin/pkg/auth/authenticator/token/oidc/oidc.go
+45
-14
oidc_test.go
plugin/pkg/auth/authenticator/token/oidc/oidc_test.go
+7
-13
No files found.
pkg/apiserver/authenticator/authn.go
View file @
2fb745f0
...
@@ -138,7 +138,15 @@ func newAuthenticatorFromTokenFile(tokenAuthFile string) (authenticator.Request,
...
@@ -138,7 +138,15 @@ func newAuthenticatorFromTokenFile(tokenAuthFile string) (authenticator.Request,
// newAuthenticatorFromOIDCIssuerURL returns an authenticator.Request or an error.
// newAuthenticatorFromOIDCIssuerURL returns an authenticator.Request or an error.
func
newAuthenticatorFromOIDCIssuerURL
(
issuerURL
,
clientID
,
caFile
,
usernameClaim
,
groupsClaim
string
)
(
authenticator
.
Request
,
error
)
{
func
newAuthenticatorFromOIDCIssuerURL
(
issuerURL
,
clientID
,
caFile
,
usernameClaim
,
groupsClaim
string
)
(
authenticator
.
Request
,
error
)
{
tokenAuthenticator
,
err
:=
oidc
.
New
(
issuerURL
,
clientID
,
caFile
,
usernameClaim
,
groupsClaim
)
tokenAuthenticator
,
err
:=
oidc
.
New
(
oidc
.
OIDCOptions
{
IssuerURL
:
issuerURL
,
ClientID
:
clientID
,
CAFile
:
caFile
,
UsernameClaim
:
usernameClaim
,
GroupsClaim
:
groupsClaim
,
MaxRetries
:
oidc
.
DefaultRetries
,
RetryBackoff
:
oidc
.
DefaultBackoff
,
})
if
err
!=
nil
{
if
err
!=
nil
{
return
nil
,
err
return
nil
,
err
}
}
...
...
plugin/pkg/auth/authenticator/token/oidc/oidc.go
View file @
2fb745f0
...
@@ -34,38 +34,52 @@ import (
...
@@ -34,38 +34,52 @@ import (
"k8s.io/kubernetes/pkg/util/net"
"k8s.io/kubernetes/pkg/util/net"
)
)
var
(
const
(
maxRetries
=
5
DefaultRetries
=
5
retry
Backoff
=
time
.
Second
*
3
Default
Backoff
=
time
.
Second
*
3
)
)
type
OIDCOptions
struct
{
IssuerURL
string
ClientID
string
CAFile
string
UsernameClaim
string
GroupsClaim
string
// 0 disables retry
MaxRetries
int
RetryBackoff
time
.
Duration
}
type
OIDCAuthenticator
struct
{
type
OIDCAuthenticator
struct
{
clientConfig
oidc
.
ClientConfig
clientConfig
oidc
.
ClientConfig
client
*
oidc
.
Client
client
*
oidc
.
Client
usernameClaim
string
usernameClaim
string
groupsClaim
string
groupsClaim
string
stopSyncProvider
chan
struct
{}
stopSyncProvider
chan
struct
{}
maxRetries
int
retryBackoff
time
.
Duration
}
}
// New creates a new OpenID Connect client with the given issuerURL and clientID.
// New creates a new OpenID Connect client with the given issuerURL and clientID.
// NOTE(yifan): For now we assume the server provides the "jwks_uri" so we don't
// NOTE(yifan): For now we assume the server provides the "jwks_uri" so we don't
// need to manager the key sets by ourselves.
// need to manager the key sets by ourselves.
func
New
(
issuerURL
,
clientID
,
caFile
,
usernameClaim
,
groupsClaim
string
)
(
*
OIDCAuthenticator
,
error
)
{
func
New
(
opts
OIDCOptions
)
(
*
OIDCAuthenticator
,
error
)
{
var
cfg
oidc
.
ProviderConfig
var
cfg
oidc
.
ProviderConfig
var
err
error
var
err
error
var
roots
*
x509
.
CertPool
var
roots
*
x509
.
CertPool
url
,
err
:=
url
.
Parse
(
i
ssuerURL
)
url
,
err
:=
url
.
Parse
(
opts
.
I
ssuerURL
)
if
err
!=
nil
{
if
err
!=
nil
{
return
nil
,
err
return
nil
,
err
}
}
if
url
.
Scheme
!=
"https"
{
if
url
.
Scheme
!=
"https"
{
return
nil
,
fmt
.
Errorf
(
"'oidc-issuer-url' (%q) has invalid scheme (%q), require 'https'"
,
i
ssuerURL
,
url
.
Scheme
)
return
nil
,
fmt
.
Errorf
(
"'oidc-issuer-url' (%q) has invalid scheme (%q), require 'https'"
,
opts
.
I
ssuerURL
,
url
.
Scheme
)
}
}
if
ca
File
!=
""
{
if
opts
.
CA
File
!=
""
{
roots
,
err
=
crypto
.
CertPoolFromFile
(
ca
File
)
roots
,
err
=
crypto
.
CertPoolFromFile
(
opts
.
CA
File
)
if
err
!=
nil
{
if
err
!=
nil
{
glog
.
Errorf
(
"Failed to read the CA file: %v"
,
err
)
glog
.
Errorf
(
"Failed to read the CA file: %v"
,
err
)
}
}
...
@@ -84,12 +98,21 @@ func New(issuerURL, clientID, caFile, usernameClaim, groupsClaim string) (*OIDCA
...
@@ -84,12 +98,21 @@ func New(issuerURL, clientID, caFile, usernameClaim, groupsClaim string) (*OIDCA
hc
:=
&
http
.
Client
{}
hc
:=
&
http
.
Client
{}
hc
.
Transport
=
tr
hc
.
Transport
=
tr
maxRetries
:=
opts
.
MaxRetries
if
maxRetries
<
0
{
maxRetries
=
DefaultRetries
}
retryBackoff
:=
opts
.
RetryBackoff
if
retryBackoff
<
0
{
retryBackoff
=
DefaultBackoff
}
for
i
:=
0
;
i
<=
maxRetries
;
i
++
{
for
i
:=
0
;
i
<=
maxRetries
;
i
++
{
if
i
==
maxRetries
{
if
i
==
maxRetries
{
return
nil
,
fmt
.
Errorf
(
"failed to fetch provider config after %v retries"
,
maxRetries
)
return
nil
,
fmt
.
Errorf
(
"failed to fetch provider config after %v retries"
,
maxRetries
)
}
}
cfg
,
err
=
oidc
.
FetchProviderConfig
(
hc
,
strings
.
TrimSuffix
(
i
ssuerURL
,
"/"
))
cfg
,
err
=
oidc
.
FetchProviderConfig
(
hc
,
strings
.
TrimSuffix
(
opts
.
I
ssuerURL
,
"/"
))
if
err
==
nil
{
if
err
==
nil
{
break
break
}
}
...
@@ -97,11 +120,11 @@ func New(issuerURL, clientID, caFile, usernameClaim, groupsClaim string) (*OIDCA
...
@@ -97,11 +120,11 @@ func New(issuerURL, clientID, caFile, usernameClaim, groupsClaim string) (*OIDCA
time
.
Sleep
(
retryBackoff
)
time
.
Sleep
(
retryBackoff
)
}
}
glog
.
Infof
(
"Fetched provider config from %s: %#v"
,
i
ssuerURL
,
cfg
)
glog
.
Infof
(
"Fetched provider config from %s: %#v"
,
opts
.
I
ssuerURL
,
cfg
)
ccfg
:=
oidc
.
ClientConfig
{
ccfg
:=
oidc
.
ClientConfig
{
HTTPClient
:
hc
,
HTTPClient
:
hc
,
Credentials
:
oidc
.
ClientCredentials
{
ID
:
c
lientID
},
Credentials
:
oidc
.
ClientCredentials
{
ID
:
opts
.
C
lientID
},
ProviderConfig
:
cfg
,
ProviderConfig
:
cfg
,
}
}
...
@@ -113,9 +136,17 @@ func New(issuerURL, clientID, caFile, usernameClaim, groupsClaim string) (*OIDCA
...
@@ -113,9 +136,17 @@ func New(issuerURL, clientID, caFile, usernameClaim, groupsClaim string) (*OIDCA
// SyncProviderConfig will start a goroutine to periodically synchronize the provider config.
// SyncProviderConfig will start a goroutine to periodically synchronize the provider config.
// The synchronization interval is set by the expiration length of the config, and has a mininum
// The synchronization interval is set by the expiration length of the config, and has a mininum
// and maximum threshold.
// and maximum threshold.
stop
:=
client
.
SyncProviderConfig
(
issuerURL
)
stop
:=
client
.
SyncProviderConfig
(
opts
.
IssuerURL
)
return
&
OIDCAuthenticator
{
ccfg
,
client
,
usernameClaim
,
groupsClaim
,
stop
},
nil
return
&
OIDCAuthenticator
{
ccfg
,
client
,
opts
.
UsernameClaim
,
opts
.
GroupsClaim
,
stop
,
maxRetries
,
retryBackoff
,
},
nil
}
}
// AuthenticateToken decodes and verifies a JWT using the OIDC client, if the verification succeeds,
// AuthenticateToken decodes and verifies a JWT using the OIDC client, if the verification succeeds,
...
...
plugin/pkg/auth/authenticator/token/oidc/oidc_test.go
View file @
2fb745f0
...
@@ -200,11 +200,8 @@ func generateSelfSignedCert(t *testing.T, host, certPath, keyPath string) {
...
@@ -200,11 +200,8 @@ func generateSelfSignedCert(t *testing.T, host, certPath, keyPath string) {
}
}
func
TestOIDCDiscoveryTimeout
(
t
*
testing
.
T
)
{
func
TestOIDCDiscoveryTimeout
(
t
*
testing
.
T
)
{
maxRetries
=
3
expectErr
:=
fmt
.
Errorf
(
"failed to fetch provider config after 1 retries"
)
retryBackoff
=
time
.
Second
_
,
err
:=
New
(
OIDCOptions
{
"https://127.0.0.1:9999/bar"
,
"client-foo"
,
""
,
"sub"
,
""
,
1
,
100
*
time
.
Millisecond
})
expectErr
:=
fmt
.
Errorf
(
"failed to fetch provider config after 3 retries"
)
_
,
err
:=
New
(
"https://foo/bar"
,
"client-foo"
,
""
,
"sub"
,
""
)
if
!
reflect
.
DeepEqual
(
err
,
expectErr
)
{
if
!
reflect
.
DeepEqual
(
err
,
expectErr
)
{
t
.
Errorf
(
"Expecting %v, but got %v"
,
expectErr
,
err
)
t
.
Errorf
(
"Expecting %v, but got %v"
,
expectErr
,
err
)
}
}
...
@@ -212,7 +209,7 @@ func TestOIDCDiscoveryTimeout(t *testing.T) {
...
@@ -212,7 +209,7 @@ func TestOIDCDiscoveryTimeout(t *testing.T) {
func
TestOIDCDiscoveryNoKeyEndpoint
(
t
*
testing
.
T
)
{
func
TestOIDCDiscoveryNoKeyEndpoint
(
t
*
testing
.
T
)
{
var
err
error
var
err
error
expectErr
:=
fmt
.
Errorf
(
"failed to fetch provider config after
3
retries"
)
expectErr
:=
fmt
.
Errorf
(
"failed to fetch provider config after
0
retries"
)
cert
:=
path
.
Join
(
os
.
TempDir
(),
"oidc-cert"
)
cert
:=
path
.
Join
(
os
.
TempDir
(),
"oidc-cert"
)
key
:=
path
.
Join
(
os
.
TempDir
(),
"oidc-key"
)
key
:=
path
.
Join
(
os
.
TempDir
(),
"oidc-key"
)
...
@@ -237,16 +234,13 @@ func TestOIDCDiscoveryNoKeyEndpoint(t *testing.T) {
...
@@ -237,16 +234,13 @@ func TestOIDCDiscoveryNoKeyEndpoint(t *testing.T) {
Issuer
:
mustParseURL
(
t
,
srv
.
URL
),
// An invalid ProviderConfig. Keys endpoint is required.
Issuer
:
mustParseURL
(
t
,
srv
.
URL
),
// An invalid ProviderConfig. Keys endpoint is required.
}
}
_
,
err
=
New
(
srv
.
URL
,
"client-foo"
,
cert
,
"sub"
,
""
)
_
,
err
=
New
(
OIDCOptions
{
srv
.
URL
,
"client-foo"
,
cert
,
"sub"
,
""
,
0
,
0
}
)
if
!
reflect
.
DeepEqual
(
err
,
expectErr
)
{
if
!
reflect
.
DeepEqual
(
err
,
expectErr
)
{
t
.
Errorf
(
"Expecting %v, but got %v"
,
expectErr
,
err
)
t
.
Errorf
(
"Expecting %v, but got %v"
,
expectErr
,
err
)
}
}
}
}
func
TestOIDCDiscoverySecureConnection
(
t
*
testing
.
T
)
{
func
TestOIDCDiscoverySecureConnection
(
t
*
testing
.
T
)
{
maxRetries
=
3
retryBackoff
=
time
.
Second
// Verify that plain HTTP issuer URL is forbidden.
// Verify that plain HTTP issuer URL is forbidden.
op
:=
newOIDCProvider
(
t
)
op
:=
newOIDCProvider
(
t
)
srv
:=
httptest
.
NewServer
(
op
.
mux
)
srv
:=
httptest
.
NewServer
(
op
.
mux
)
...
@@ -260,7 +254,7 @@ func TestOIDCDiscoverySecureConnection(t *testing.T) {
...
@@ -260,7 +254,7 @@ func TestOIDCDiscoverySecureConnection(t *testing.T) {
expectErr
:=
fmt
.
Errorf
(
"'oidc-issuer-url' (%q) has invalid scheme (%q), require 'https'"
,
srv
.
URL
,
"http"
)
expectErr
:=
fmt
.
Errorf
(
"'oidc-issuer-url' (%q) has invalid scheme (%q), require 'https'"
,
srv
.
URL
,
"http"
)
_
,
err
:=
New
(
srv
.
URL
,
"client-foo"
,
""
,
"sub"
,
""
)
_
,
err
:=
New
(
OIDCOptions
{
srv
.
URL
,
"client-foo"
,
""
,
"sub"
,
""
,
0
,
0
}
)
if
!
reflect
.
DeepEqual
(
err
,
expectErr
)
{
if
!
reflect
.
DeepEqual
(
err
,
expectErr
)
{
t
.
Errorf
(
"Expecting %v, but got %v"
,
expectErr
,
err
)
t
.
Errorf
(
"Expecting %v, but got %v"
,
expectErr
,
err
)
}
}
...
@@ -296,7 +290,7 @@ func TestOIDCDiscoverySecureConnection(t *testing.T) {
...
@@ -296,7 +290,7 @@ func TestOIDCDiscoverySecureConnection(t *testing.T) {
}
}
// Create a client using cert2, should fail.
// Create a client using cert2, should fail.
_
,
err
=
New
(
tlsSrv
.
URL
,
"client-foo"
,
cert2
,
"sub"
,
""
)
_
,
err
=
New
(
OIDCOptions
{
tlsSrv
.
URL
,
"client-foo"
,
cert2
,
"sub"
,
""
,
0
,
0
}
)
if
err
==
nil
{
if
err
==
nil
{
t
.
Fatalf
(
"Expecting error, but got nothing"
)
t
.
Fatalf
(
"Expecting error, but got nothing"
)
}
}
...
@@ -417,7 +411,7 @@ func TestOIDCAuthentication(t *testing.T) {
...
@@ -417,7 +411,7 @@ func TestOIDCAuthentication(t *testing.T) {
}
}
for
i
,
tt
:=
range
tests
{
for
i
,
tt
:=
range
tests
{
client
,
err
:=
New
(
srv
.
URL
,
"client-foo"
,
cert
,
tt
.
userClaim
,
tt
.
groupsClaim
)
client
,
err
:=
New
(
OIDCOptions
{
srv
.
URL
,
"client-foo"
,
cert
,
tt
.
userClaim
,
tt
.
groupsClaim
,
1
,
100
*
time
.
Millisecond
}
)
if
err
!=
nil
{
if
err
!=
nil
{
t
.
Errorf
(
"Unexpected error: %v"
,
err
)
t
.
Errorf
(
"Unexpected error: %v"
,
err
)
continue
continue
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment