Use the request context for Kubernetes API call (#104) (#105)
* Use the request context for Kubernetes API call

* Upgrade go version
briankassouf authored Feb 17, 2021
1 parent 006df47 commit ff90561
Showing 4 changed files with 40 additions and 8 deletions.
2 changes: 1 addition & 1 deletion .circleci/config.yml
Expand Up @@ -2,7 +2,7 @@ version: 2
jobs:
build:
docker:
- image: circleci/golang:1.12
- image: docker.mirror.hashicorp.services/circleci/golang:1.15
working_directory: /go/src/github.com/hashicorp/vault-plugin-auth-kubernetes
steps:
- checkout
6 changes: 3 additions & 3 deletions path_login.go
Expand Up @@ -103,7 +103,7 @@ func (b *kubeAuthBackend) pathLogin(ctx context.Context, req *logical.Request, d
}

// look up the JWT token in the kubernetes API
err = serviceAccount.lookup(jwtStr, b.reviewFactory(config))
err = serviceAccount.lookup(ctx, jwtStr, b.reviewFactory(config))
if err != nil {
b.Logger().Error(`login unauthorized due to: ` + err.Error())
return nil, logical.ErrPermissionDenied
Expand Down Expand Up @@ -350,8 +350,8 @@ type projectedServiceAccountPod struct {

// lookup calls the TokenReview API in kubernetes to verify the token and secret
// still exist.
func (s *serviceAccount) lookup(jwtStr string, tr tokenReviewer) error {
r, err := tr.Review(jwtStr, s.Audience)
func (s *serviceAccount) lookup(ctx context.Context, jwtStr string, tr tokenReviewer) error {
r, err := tr.Review(ctx, jwtStr, s.Audience)
if err != nil {
return err
}
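Review bot: A context cancellation returned from `err = serviceAccount.lookup(ctx, jwtStr, b.reviewFactory(config))` is still logged as "login unauthorized" and mapped to `logical.ErrPermissionDenied`, so a cancelled or timed-out call to the TokenReview API is reported, and audited, as a credential failure rather than an infrastructure one. Unless the framework already short-circuits on a done context before the handler runs (not visible here, and the new `TestLogin_ContextError` appears to rely on that), consider passing the context error through before the permission-denied mapping, e.g. `if errors.Is(err, context.Canceled) || errors.Is(err, context.DeadlineExceeded) { return nil, err }`. The doc comment on `lookup` could also say what `ctx` does now: `// lookup calls the TokenReview API in kubernetes to verify the token and secret still exist; ctx bounds the API call and its error is returned unchanged.` pathLogin's body starts before the first hunk and continues after it.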
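--- a/path_login_test.go
+++ b/path_login_test.go
@@ -263,6 +263,33 @@ func TestLogin(t *testing.T) {
 }
 }
 
+func TestLogin_ContextError(t *testing.T) {
+b, storage := setupBackend(t, testDefaultPEMs, testName, testNamespace)
+
+data := map[string]interface{}{
+"role": "plugin-test",
+"jwt": jwtData,
+}
+
+req := &logical.Request{
+Operation: logical.UpdateOperation,
+Path: "login",
+Storage: storage,
+Data: data,
+Connection: &logical.Connection{
+RemoteAddr: "127.0.0.1",
+},
+}
+
+ctx, cancel := context.WithCancel(context.Background())
+cancel()
+
+_, err := b.HandleRequest(ctx, req)
+if err != context.Canceled {
+t.Fatalf("expected context canceled error, got: %v", err)
+}
+}
+
 func TestLogin_ECDSA_PEM(t *testing.T) {
 b, storage := setupBackend(t, testNoPEMs, testName, testNamespace)
 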
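Review bot: The assertion `if err != context.Canceled` in `TestLogin_ContextError` compares the error by identity, so any wrapping between the mock reviewer and `HandleRequest` would make the test fail for the wrong reason; `if !errors.Is(err, context.Canceled) {` is more robust (it needs `errors` imported in this file, which I cannot see). The test also does not say which layer is expected to surface the cancellation — the mock `Review` returning `ctx.Err()`, or the framework before the handler runs — so a one-line comment above the `HandleRequest` call, such as `// A cancelled context must surface as context.Canceled, not as a permission-denied login failure.`, would make the intent explicit for the next maintainer.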
13 changes: 9 additions & 4 deletions token_review.go
Expand Up @@ -2,6 +2,7 @@ package kubeauth

import (
"bytes"
"context"
"crypto/tls"
"crypto/x509"
"encoding/json"
Expand All @@ -28,7 +29,7 @@ type tokenReviewResult struct {

// This exists so we can use a mock TokenReview when running tests
type tokenReviewer interface {
Review(string, []string) (*tokenReviewResult, error)
Review(context.Context, string, []string) (*tokenReviewResult, error)
}

type tokenReviewFactory func(*kubeConfig) tokenReviewer
Expand All @@ -44,7 +45,7 @@ func tokenReviewAPIFactory(config *kubeConfig) tokenReviewer {
}
}

func (t *tokenReviewAPI) Review(jwt string, aud []string) (*tokenReviewResult, error) {
func (t *tokenReviewAPI) Review(ctx context.Context, jwt string, aud []string) (*tokenReviewResult, error) {

client := cleanhttp.DefaultClient()

Expand Down Expand Up @@ -75,7 +76,7 @@ func (t *tokenReviewAPI) Review(jwt string, aud []string) (*tokenReviewResult, e

// Build the request to the token review API
url := fmt.Sprintf("%s/apis/authentication.k8s.io/v1/tokenreviews", strings.TrimSuffix(t.config.Host, "/"))
req, err := http.NewRequest("POST", url, bytes.NewBuffer(trJSON))
req, err := http.NewRequestWithContext(ctx, "POST", url, bytes.NewBuffer(trJSON))
if err != nil {
return nil, err
}
Expand Down Expand Up @@ -188,7 +189,11 @@ func mockTokenReviewFactory(name, namespace, UID string) tokenReviewFactory {
}
}

func (t *mockTokenReview) Review(jwt string, aud []string) (*tokenReviewResult, error) {
func (t *mockTokenReview) Review(ctx context.Context, cjwt string, aud []string) (*tokenReviewResult, error) {
if ctx.Err() != nil {
return nil, ctx.Err()
}

return &tokenReviewResult{
Name: t.saName,
Namespace: t.saNamespace,
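Review bot: The mock's token parameter is renamed from `jwt` to `cjwt` in `func (t *mockTokenReview) Review(ctx context.Context, cjwt string, aud []string)`, which reads as a typo rather than an intended change; since the visible body does not read it, keep `jwt` or write `_ string` to make that explicit. In the real `Review`, `client := cleanhttp.DefaultClient()` has, as far as I know, no overall client timeout, so with the request now built by `http.NewRequestWithContext(ctx, ...)` it is bounded only by `ctx`, and a caller that passes a context without a deadline still waits indefinitely on the TokenReview API; either document that on `Review`, e.g. `// Review posts a TokenReview for jwt; the call is bounded only by ctx, so callers should pass a deadline.`, or set a timeout on the client. Review's body continues outside the hunk.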
