From 77be6729ea56455c8ad48877d4032accfd72c5c1 Mon Sep 17 00:00:00 2001 From: hugoShaka Date: Thu, 28 Nov 2024 10:58:56 -0500 Subject: [PATCH 1/2] Rename lib/kubernetestoken to lib/kube/token --- integrations/lib/testing/fakejoin/kubesigner.go | 10 +++++----- .../terraform/testlib/machineid_join_test.go | 4 ++-- lib/auth/auth.go | 6 +++--- lib/auth/bot_test.go | 11 ++++++----- lib/auth/join/join.go | 4 ++-- lib/auth/join_kubernetes.go | 14 +++++++------- lib/auth/join_kubernetes_test.go | 12 ++++++------ .../token_source.go => kube/token/source.go} | 2 +- .../token/source_test.go} | 2 +- .../token_validator.go => kube/token/validator.go} | 2 +- .../token/validator_test.go} | 2 +- 11 files changed, 35 insertions(+), 34 deletions(-) rename lib/{kubernetestoken/token_source.go => kube/token/source.go} (98%) rename lib/{kubernetestoken/token_source_test.go => kube/token/source_test.go} (99%) rename lib/{kubernetestoken/token_validator.go => kube/token/validator.go} (99%) rename lib/{kubernetestoken/token_validator_test.go => kube/token/validator_test.go} (99%) diff --git a/integrations/lib/testing/fakejoin/kubesigner.go b/integrations/lib/testing/fakejoin/kubesigner.go index 271c913d2758f..479c1817a9877 100644 --- a/integrations/lib/testing/fakejoin/kubesigner.go +++ b/integrations/lib/testing/fakejoin/kubesigner.go @@ -21,6 +21,7 @@ package fakejoin import ( "encoding/json" "fmt" + kubetoken "github.com/gravitational/teleport/lib/kube/token" "time" "github.com/go-jose/go-jose/v3" @@ -30,7 +31,6 @@ import ( "github.com/jonboulle/clockwork" "github.com/gravitational/teleport/lib/cryptosuites" - "github.com/gravitational/teleport/lib/kubernetestoken" ) // KubernetesSigner is a JWT signer that mimicks the Kubernetes one. The signer mock Kubernetes and 
@@ -87,7 +87,7 @@ func (s *KubernetesSigner) GetMarshaledJWKS() (string, error) { // This token has the Teleport cluster name in its audience as required by the Kubernetes JWKS join method. func (s *KubernetesSigner) SignServiceAccountJWT(pod, namespace, serviceAccount, clusterName string) (string, error) { now := s.clock.Now() - claims := kubernetestoken.ServiceAccountClaims{ + claims := kubetoken.ServiceAccountClaims{ Claims: jwt.Claims{ Subject: fmt.Sprintf("system:serviceaccount:%s:%s", namespace, serviceAccount), Audience: jwt.Audience{clusterName}, @@ -97,13 +97,13 @@ func (s *KubernetesSigner) SignServiceAccountJWT(pod, namespace, serviceAccount, // The Kubernetes JWKS join method rejects tokens valid more than 30 minutes. Expiry: jwt.NewNumericDate(now.Add(29 * time.Minute)), }, - Kubernetes: &kubernetestoken.KubernetesSubClaim{ + Kubernetes: &kubetoken.KubernetesSubClaim{ Namespace: namespace, - ServiceAccount: &kubernetestoken.ServiceAccountSubClaim{ + ServiceAccount: &kubetoken.ServiceAccountSubClaim{ Name: serviceAccount, UID: uuid.New().String(), }, - Pod: &kubernetestoken.PodSubClaim{ + Pod: &kubetoken.PodSubClaim{ Name: pod, UID: uuid.New().String(), }, diff --git a/integrations/terraform/testlib/machineid_join_test.go b/integrations/terraform/testlib/machineid_join_test.go index 52299c3cf457e..63d751f75630b 100644 --- a/integrations/terraform/testlib/machineid_join_test.go +++ b/integrations/terraform/testlib/machineid_join_test.go @@ -35,7 +35,7 @@ import ( "github.com/gravitational/teleport/api/types" "github.com/gravitational/teleport/integrations/lib/testing/fakejoin" "github.com/gravitational/teleport/integrations/lib/testing/integration" - "github.com/gravitational/teleport/lib/kubernetestoken" + kubetoken "github.com/gravitational/teleport/lib/kube/token" "github.com/gravitational/teleport/lib/services" "github.com/gravitational/teleport/integrations/terraform/provider" 
@@ -115,7 +115,7 @@ func TestTerraformJoin(t *testing.T) { tempDir := t.TempDir() jwtPath := filepath.Join(tempDir, "token") require.NoError(t, os.WriteFile(jwtPath, []byte(jwt), 0600)) - require.NoError(t, os.Setenv(kubernetestoken.EnvVarCustomKubernetesTokenPath, jwtPath)) + require.NoError(t, os.Setenv(kubetoken.EnvVarCustomKubernetesTokenPath, jwtPath)) // Test setup: craft a Terraform provider configuration terraformConfig := fmt.Sprintf(` diff --git a/lib/auth/auth.go b/lib/auth/auth.go index 5543a6fb00752..d9a9a3b4b193b 100644 --- a/lib/auth/auth.go +++ b/lib/auth/auth.go @@ -35,6 +35,7 @@ import ( "encoding/pem" "errors" "fmt" + kubetoken "github.com/gravitational/teleport/lib/kube/token" "io" "log/slog" "math/big" @@ -101,7 +102,6 @@ import ( "github.com/gravitational/teleport/lib/gitlab" "github.com/gravitational/teleport/lib/inventory" kubeutils "github.com/gravitational/teleport/lib/kube/utils" - "github.com/gravitational/teleport/lib/kubernetestoken" "github.com/gravitational/teleport/lib/limiter" "github.com/gravitational/teleport/lib/loginrule" "github.com/gravitational/teleport/lib/modules" @@ -618,10 +618,10 @@ func NewServer(cfg *InitConfig, opts ...ServerOption) (*Server, error) { as.tpmValidator = tpm.Validate } if as.k8sTokenReviewValidator == nil { - as.k8sTokenReviewValidator = &kubernetestoken.TokenReviewValidator{} + as.k8sTokenReviewValidator = &kubetoken.TokenReviewValidator{} } if as.k8sJWKSValidator == nil { - as.k8sJWKSValidator = kubernetestoken.ValidateTokenWithJWKS + as.k8sJWKSValidator = kubetoken.ValidateTokenWithJWKS } if as.gcpIDTokenValidator == nil { diff --git a/lib/auth/bot_test.go b/lib/auth/bot_test.go index 5ff53115b5374..5145513e4412b 100644 --- a/lib/auth/bot_test.go +++ b/lib/auth/bot_test.go @@ -27,6 +27,8 @@ import ( "encoding/base64" "encoding/json" "encoding/pem" + "github.com/gravitational/teleport/lib/kube/token" + kubetoken "github.com/gravitational/teleport/lib/kube/token" "net/http" "strings" "testing" 
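Review bot: The `@@ -27,6 +27,8 @@` hunk of lib/auth/bot_test.go imports `github.com/gravitational/teleport/lib/kube/token` twice, once unaliased and once as `kubetoken`, and the unaliased spec exists only so the closure signatures in the `@@ -764,9 +765,9 @@` and `@@ -919,9 +920,9 @@` hunks can spell `*token.ValidationResult` while their bodies use `kubetoken.ValidationResult`. staticcheck flags the double import, and the signature reads as if the `token string` parameter were a package (it compiles because parameter scope only starts at the function body, but a reader has to know that). Drop the unaliased import and change both signatures to `func(_ time.Time, _ []byte, _ string, token string) (*kubetoken.ValidationResult, error)`. The Lint commit's `@@ -64,6 +62,8 @@` hunk for the same file only moves the pair into the local import group and keeps the duplicate. The root cause is the new package name `token`, which is also the local variable name for the provision token in `checkKubernetesJoinRequest` (`switch token.Spec.Kubernetes.Type`), so every consumer has to alias it; a less generic package name would avoid the collision.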
@@ -62,7 +64,6 @@ import ( libevents "github.com/gravitational/teleport/lib/events" "github.com/gravitational/teleport/lib/events/eventstest" "github.com/gravitational/teleport/lib/fixtures" - "github.com/gravitational/teleport/lib/kubernetestoken" "github.com/gravitational/teleport/lib/reversetunnelclient" "github.com/gravitational/teleport/lib/tbot/identity" "github.com/gravitational/teleport/lib/tlsca" @@ -764,9 +765,9 @@ func TestRegisterBot_BotInstanceRejoin(t *testing.T) { k8sReadFileFunc := func(name string) ([]byte, error) { return []byte(k8sTokenName), nil } - a.k8sJWKSValidator = func(_ time.Time, _ []byte, _ string, token string) (*kubernetestoken.ValidationResult, error) { + a.k8sJWKSValidator = func(_ time.Time, _ []byte, _ string, token string) (*token.ValidationResult, error) { if token == k8sTokenName { - return &kubernetestoken.ValidationResult{Username: "system:serviceaccount:static-jwks:matching"}, nil + return &kubetoken.ValidationResult{Username: "system:serviceaccount:static-jwks:matching"}, nil } return nil, errMockInvalidToken @@ -919,9 +920,9 @@ func TestRegisterBotWithInvalidInstanceID(t *testing.T) { botName := "bot" k8sTokenName := "jwks-matching-service-account" - a.k8sJWKSValidator = func(_ time.Time, _ []byte, _ string, token string) (*kubernetestoken.ValidationResult, error) { + a.k8sJWKSValidator = func(_ time.Time, _ []byte, _ string, token string) (*token.ValidationResult, error) { if token == k8sTokenName { - return &kubernetestoken.ValidationResult{Username: "system:serviceaccount:static-jwks:matching"}, nil + return &kubetoken.ValidationResult{Username: "system:serviceaccount:static-jwks:matching"}, nil } return nil, errMockInvalidToken diff --git a/lib/auth/join/join.go b/lib/auth/join/join.go index 15deb2bb5da7b..6587ebc0ced2f 100644 --- a/lib/auth/join/join.go +++ b/lib/auth/join/join.go 
@@ -20,6 +20,7 @@ import ( "context" "crypto" "crypto/x509" + kubetoken "github.com/gravitational/teleport/lib/kube/token" "log/slog" "os" "time" @@ -50,7 +51,6 @@ import ( "github.com/gravitational/teleport/lib/defaults" "github.com/gravitational/teleport/lib/githubactions" "github.com/gravitational/teleport/lib/gitlab" - "github.com/gravitational/teleport/lib/kubernetestoken" "github.com/gravitational/teleport/lib/spacelift" "github.com/gravitational/teleport/lib/terraformcloud" "github.com/gravitational/teleport/lib/tlsca" @@ -238,7 +238,7 @@ func Register(ctx context.Context, params RegisterParams) (result *RegisterResul return nil, trace.Wrap(err) } case types.JoinMethodKubernetes: - params.IDToken, err = kubernetestoken.GetIDToken(os.Getenv, params.KubernetesReadFileFunc) + params.IDToken, err = kubetoken.GetIDToken(os.Getenv, params.KubernetesReadFileFunc) if err != nil { return nil, trace.Wrap(err) } diff --git a/lib/auth/join_kubernetes.go b/lib/auth/join_kubernetes.go index bcf9eeea05b56..314ef9d648754 100644 --- a/lib/auth/join_kubernetes.go +++ b/lib/auth/join_kubernetes.go 
@@ -21,22 +21,22 @@ package auth import ( "context" "fmt" + kubetoken "github.com/gravitational/teleport/lib/kube/token" "time" "github.com/gravitational/trace" "github.com/sirupsen/logrus" "github.com/gravitational/teleport/api/types" - "github.com/gravitational/teleport/lib/kubernetestoken" ) type k8sTokenReviewValidator interface { - Validate(ctx context.Context, token, clusterName string) (*kubernetestoken.ValidationResult, error) + Validate(ctx context.Context, token, clusterName string) (*kubetoken.ValidationResult, error) } -type k8sJWKSValidator func(now time.Time, jwksData []byte, clusterName string, token string) (*kubernetestoken.ValidationResult, error) +type k8sJWKSValidator func(now time.Time, jwksData []byte, clusterName string, token string) (*kubetoken.ValidationResult, error) -func (a *Server) checkKubernetesJoinRequest(ctx context.Context, req *types.RegisterUsingTokenRequest) (*kubernetestoken.ValidationResult, error) { +func (a *Server) checkKubernetesJoinRequest(ctx context.Context, req *types.RegisterUsingTokenRequest) (*kubetoken.ValidationResult, error) { if req.IDToken == "" { return nil, trace.BadParameter("IDToken not provided for Kubernetes join request") } @@ -58,7 +58,7 @@ func (a *Server) checkKubernetesJoinRequest(ctx context.Context, req *types.Regi } // Switch to join method subtype token validation. - var result *kubernetestoken.ValidationResult + var result *kubetoken.ValidationResult switch token.Spec.Kubernetes.Type { case types.KubernetesJoinTypeStaticJWKS: result, err = a.k8sJWKSValidator( 
@@ -90,10 +90,10 @@ func (a *Server) checkKubernetesJoinRequest(ctx context.Context, req *types.Regi return result, trace.Wrap(checkKubernetesAllowRules(token, result)) } -func checkKubernetesAllowRules(pt *types.ProvisionTokenV2, got *kubernetestoken.ValidationResult) error { +func checkKubernetesAllowRules(pt *types.ProvisionTokenV2, got *kubetoken.ValidationResult) error { // If a single rule passes, accept the token for _, rule := range pt.Spec.Kubernetes.Allow { - wantUsername := fmt.Sprintf("%s:%s", kubernetestoken.ServiceAccountNamePrefix, rule.ServiceAccount) + wantUsername := fmt.Sprintf("%s:%s", kubetoken.ServiceAccountNamePrefix, rule.ServiceAccount) if wantUsername != got.Username { continue } diff --git a/lib/auth/join_kubernetes_test.go b/lib/auth/join_kubernetes_test.go index 3af845ba5467f..46e32181ff109 100644 --- a/lib/auth/join_kubernetes_test.go +++ b/lib/auth/join_kubernetes_test.go @@ -20,6 +20,7 @@ package auth import ( "context" + kubetoken "github.com/gravitational/teleport/lib/kube/token" "testing" "time" @@ -28,14 +29,13 @@ import ( "github.com/gravitational/teleport/api/types" "github.com/gravitational/teleport/lib/auth/testauthority" - "github.com/gravitational/teleport/lib/kubernetestoken" ) type mockK8STokenReviewValidator struct { - tokens map[string]*kubernetestoken.ValidationResult + tokens map[string]*kubetoken.ValidationResult } -func (m *mockK8STokenReviewValidator) Validate(_ context.Context, token, _ string) (*kubernetestoken.ValidationResult, error) { +func (m *mockK8STokenReviewValidator) Validate(_ context.Context, token, _ string) (*kubetoken.ValidationResult, error) { result, ok := m.tokens[token] if !ok { return nil, errMockInvalidToken 
@@ -48,14 +48,14 @@ func TestAuth_RegisterUsingToken_Kubernetes(t *testing.T) { // Test setup // Creating an auth server with mock Kubernetes token validator - tokenReviewTokens := map[string]*kubernetestoken.ValidationResult{ + tokenReviewTokens := map[string]*kubetoken.ValidationResult{ "matching-implicit-in-cluster": {Username: "system:serviceaccount:namespace1:service-account1"}, // "matching-explicit-in-cluster" intentionally matches the second allow // rule of explicitInCluster to ensure all rules are processed. "matching-explicit-in-cluster": {Username: "system:serviceaccount:namespace2:service-account2"}, "user-token": {Username: "namespace1:service-account1"}, } - jwksTokens := map[string]*kubernetestoken.ValidationResult{ + jwksTokens := map[string]*kubetoken.ValidationResult{ "jwks-matching-service-account": {Username: "system:serviceaccount:static-jwks:matching"}, "jwks-mismatched-service-account": {Username: "system:serviceaccount:static-jwks:mismatched"}, } @@ -63,7 +63,7 @@ func TestAuth_RegisterUsingToken_Kubernetes(t *testing.T) { ctx := context.Background() p, err := newTestPack(ctx, t.TempDir(), func(server *Server) error { server.k8sTokenReviewValidator = &mockK8STokenReviewValidator{tokens: tokenReviewTokens} - server.k8sJWKSValidator = func(_ time.Time, _ []byte, _ string, token string) (*kubernetestoken.ValidationResult, error) { + server.k8sJWKSValidator = func(_ time.Time, _ []byte, _ string, token string) (*kubetoken.ValidationResult, error) { result, ok := jwksTokens[token] if !ok { return nil, errMockInvalidToken diff --git a/lib/kubernetestoken/token_source.go b/lib/kube/token/source.go similarity index 98% rename from lib/kubernetestoken/token_source.go rename to lib/kube/token/source.go index 55a506937cc89..8a10c442088fa 100644 --- a/lib/kubernetestoken/token_source.go +++ b/lib/kube/token/source.go @@ -16,7 +16,7 @@ * along with this program. If not, see . */ -package kubernetestoken +package token import ( "strings" 
diff --git a/lib/kubernetestoken/token_source_test.go b/lib/kube/token/source_test.go similarity index 99% rename from lib/kubernetestoken/token_source_test.go rename to lib/kube/token/source_test.go index 4089017378278..9d3e5fd5a4092 100644 --- a/lib/kubernetestoken/token_source_test.go +++ b/lib/kube/token/source_test.go @@ -16,7 +16,7 @@ * along with this program. If not, see . */ -package kubernetestoken +package token import ( "io/fs" diff --git a/lib/kubernetestoken/token_validator.go b/lib/kube/token/validator.go similarity index 99% rename from lib/kubernetestoken/token_validator.go rename to lib/kube/token/validator.go index 3d04392f2eeae..cff66b95f2454 100644 --- a/lib/kubernetestoken/token_validator.go +++ b/lib/kube/token/validator.go @@ -16,7 +16,7 @@ * along with this program. If not, see . */ -package kubernetestoken +package token import ( "context" diff --git a/lib/kubernetestoken/token_validator_test.go b/lib/kube/token/validator_test.go similarity index 99% rename from lib/kubernetestoken/token_validator_test.go rename to lib/kube/token/validator_test.go index 23433f62602ef..823ca40214b22 100644 --- a/lib/kubernetestoken/token_validator_test.go +++ b/lib/kube/token/validator_test.go @@ -16,7 +16,7 @@ * along with this program. If not, see . */ -package kubernetestoken +package token import ( "context" From e13403e4819553e7bf71ab7c8db8657ffa7792ea Mon Sep 17 00:00:00 2001 From: hugoShaka Date: Thu, 28 Nov 2024 11:13:32 -0500 Subject: [PATCH 2/2] Lint --- integrations/lib/testing/fakejoin/kubesigner.go | 2 +- lib/auth/auth.go | 2 +- lib/auth/bot_test.go | 4 ++-- lib/auth/join/join.go | 2 +- lib/auth/join_kubernetes.go | 2 +- lib/auth/join_kubernetes_test.go | 2 +- 6 files changed, 7 insertions(+), 7 deletions(-) diff --git a/integrations/lib/testing/fakejoin/kubesigner.go b/integrations/lib/testing/fakejoin/kubesigner.go index 479c1817a9877..460bfff21320f 100644 --- a/integrations/lib/testing/fakejoin/kubesigner.go 
+++ b/integrations/lib/testing/fakejoin/kubesigner.go @@ -21,7 +21,6 @@ package fakejoin import ( "encoding/json" "fmt" - kubetoken "github.com/gravitational/teleport/lib/kube/token" "time" "github.com/go-jose/go-jose/v3" @@ -31,6 +30,7 @@ import ( "github.com/jonboulle/clockwork" "github.com/gravitational/teleport/lib/cryptosuites" + kubetoken "github.com/gravitational/teleport/lib/kube/token" ) // KubernetesSigner is a JWT signer that mimicks the Kubernetes one. The signer mock Kubernetes and diff --git a/lib/auth/auth.go b/lib/auth/auth.go index d9a9a3b4b193b..7e1a31640cdaa 100644 --- a/lib/auth/auth.go +++ b/lib/auth/auth.go @@ -35,7 +35,6 @@ import ( "encoding/pem" "errors" "fmt" - kubetoken "github.com/gravitational/teleport/lib/kube/token" "io" "log/slog" "math/big" @@ -101,6 +100,7 @@ import ( "github.com/gravitational/teleport/lib/githubactions" "github.com/gravitational/teleport/lib/gitlab" "github.com/gravitational/teleport/lib/inventory" + kubetoken "github.com/gravitational/teleport/lib/kube/token" kubeutils "github.com/gravitational/teleport/lib/kube/utils" "github.com/gravitational/teleport/lib/limiter" "github.com/gravitational/teleport/lib/loginrule" diff --git a/lib/auth/bot_test.go b/lib/auth/bot_test.go index 5145513e4412b..ae4ddb14136b9 100644 --- a/lib/auth/bot_test.go +++ b/lib/auth/bot_test.go @@ -27,8 +27,6 @@ import ( "encoding/base64" "encoding/json" "encoding/pem" - "github.com/gravitational/teleport/lib/kube/token" - kubetoken "github.com/gravitational/teleport/lib/kube/token" "net/http" "strings" "testing" 
@@ -64,6 +62,8 @@ import ( libevents "github.com/gravitational/teleport/lib/events" "github.com/gravitational/teleport/lib/events/eventstest" "github.com/gravitational/teleport/lib/fixtures" + "github.com/gravitational/teleport/lib/kube/token" + kubetoken "github.com/gravitational/teleport/lib/kube/token" "github.com/gravitational/teleport/lib/reversetunnelclient" "github.com/gravitational/teleport/lib/tbot/identity" "github.com/gravitational/teleport/lib/tlsca" diff --git a/lib/auth/join/join.go b/lib/auth/join/join.go index 6587ebc0ced2f..b00c4b6bf2a7d 100644 --- a/lib/auth/join/join.go +++ b/lib/auth/join/join.go @@ -20,7 +20,6 @@ import ( "context" "crypto" "crypto/x509" - kubetoken "github.com/gravitational/teleport/lib/kube/token" "log/slog" "os" "time" @@ -51,6 +50,7 @@ import ( "github.com/gravitational/teleport/lib/defaults" "github.com/gravitational/teleport/lib/githubactions" "github.com/gravitational/teleport/lib/gitlab" + kubetoken "github.com/gravitational/teleport/lib/kube/token" "github.com/gravitational/teleport/lib/spacelift" "github.com/gravitational/teleport/lib/terraformcloud" "github.com/gravitational/teleport/lib/tlsca" diff --git a/lib/auth/join_kubernetes.go b/lib/auth/join_kubernetes.go index 314ef9d648754..d5bbc6586d831 100644 --- a/lib/auth/join_kubernetes.go +++ b/lib/auth/join_kubernetes.go @@ -21,13 +21,13 @@ package auth import ( "context" "fmt" - kubetoken "github.com/gravitational/teleport/lib/kube/token" "time" "github.com/gravitational/trace" "github.com/sirupsen/logrus" "github.com/gravitational/teleport/api/types" + kubetoken "github.com/gravitational/teleport/lib/kube/token" ) type k8sTokenReviewValidator interface { diff --git a/lib/auth/join_kubernetes_test.go b/lib/auth/join_kubernetes_test.go index 46e32181ff109..00090d70a124d 100644 --- a/lib/auth/join_kubernetes_test.go +++ b/lib/auth/join_kubernetes_test.go 
@@ -20,7 +20,6 @@ package auth import ( "context" - kubetoken "github.com/gravitational/teleport/lib/kube/token" "testing" "time" @@ -29,6 +28,7 @@ import ( "github.com/gravitational/teleport/api/types" "github.com/gravitational/teleport/lib/auth/testauthority" + kubetoken "github.com/gravitational/teleport/lib/kube/token" ) type mockK8STokenReviewValidator struct {