Rename lib/kubernetestoken to lib/kube/token #49554

Merged
merged 2 commits into from
Dec 4, 2024
Merged
10 changes: 5 additions & 5 deletions integrations/lib/testing/fakejoin/kubesigner.go
Expand Up @@ -30,7 +30,7 @@ import (
"github.com/jonboulle/clockwork"

"github.com/gravitational/teleport/lib/cryptosuites"
"github.com/gravitational/teleport/lib/kubernetestoken"
kubetoken "github.com/gravitational/teleport/lib/kube/token"
)

// KubernetesSigner is a JWT signer that mimicks the Kubernetes one. The signer mock Kubernetes and
Expand Down Expand Up @@ -87,7 +87,7 @@ func (s *KubernetesSigner) GetMarshaledJWKS() (string, error) {
// This token has the Teleport cluster name in its audience as required by the Kubernetes JWKS join method.
func (s *KubernetesSigner) SignServiceAccountJWT(pod, namespace, serviceAccount, clusterName string) (string, error) {
now := s.clock.Now()
claims := kubernetestoken.ServiceAccountClaims{
claims := kubetoken.ServiceAccountClaims{
Claims: jwt.Claims{
Subject: fmt.Sprintf("system:serviceaccount:%s:%s", namespace, serviceAccount),
Audience: jwt.Audience{clusterName},
Expand All @@ -97,13 +97,13 @@ func (s *KubernetesSigner) SignServiceAccountJWT(pod, namespace, serviceAccount,
// The Kubernetes JWKS join method rejects tokens valid more than 30 minutes.
Expiry: jwt.NewNumericDate(now.Add(29 * time.Minute)),
},
Kubernetes: &kubernetestoken.KubernetesSubClaim{
Kubernetes: &kubetoken.KubernetesSubClaim{
Namespace: namespace,
ServiceAccount: &kubernetestoken.ServiceAccountSubClaim{
ServiceAccount: &kubetoken.ServiceAccountSubClaim{
Name: serviceAccount,
UID: uuid.New().String(),
},
Pod: &kubernetestoken.PodSubClaim{
Pod: &kubetoken.PodSubClaim{
Name: pod,
UID: uuid.New().String(),
},
Expand Down
4 changes: 2 additions & 2 deletions integrations/terraform/testlib/machineid_join_test.go
Expand Up @@ -35,7 +35,7 @@ import (
"github.com/gravitational/teleport/api/types"
"github.com/gravitational/teleport/integrations/lib/testing/fakejoin"
"github.com/gravitational/teleport/integrations/lib/testing/integration"
"github.com/gravitational/teleport/lib/kubernetestoken"
kubetoken "github.com/gravitational/teleport/lib/kube/token"
"github.com/gravitational/teleport/lib/services"

"github.com/gravitational/teleport/integrations/terraform/provider"
Expand Down Expand Up @@ -115,7 +115,7 @@ func TestTerraformJoin(t *testing.T) {
tempDir := t.TempDir()
jwtPath := filepath.Join(tempDir, "token")
require.NoError(t, os.WriteFile(jwtPath, []byte(jwt), 0600))
require.NoError(t, os.Setenv(kubernetestoken.EnvVarCustomKubernetesTokenPath, jwtPath))
require.NoError(t, os.Setenv(kubetoken.EnvVarCustomKubernetesTokenPath, jwtPath))

// Test setup: craft a Terraform provider configuration
terraformConfig := fmt.Sprintf(`
Expand Down
6 changes: 3 additions & 3 deletions lib/auth/auth.go
Expand Up @@ -100,8 +100,8 @@ import (
"github.com/gravitational/teleport/lib/githubactions"
"github.com/gravitational/teleport/lib/gitlab"
"github.com/gravitational/teleport/lib/inventory"
kubetoken "github.com/gravitational/teleport/lib/kube/token"
kubeutils "github.com/gravitational/teleport/lib/kube/utils"
"github.com/gravitational/teleport/lib/kubernetestoken"
"github.com/gravitational/teleport/lib/limiter"
"github.com/gravitational/teleport/lib/loginrule"
"github.com/gravitational/teleport/lib/modules"
Expand Down Expand Up @@ -618,10 +618,10 @@ func NewServer(cfg *InitConfig, opts ...ServerOption) (*Server, error) {
as.tpmValidator = tpm.Validate
}
if as.k8sTokenReviewValidator == nil {
as.k8sTokenReviewValidator = &kubernetestoken.TokenReviewValidator{}
as.k8sTokenReviewValidator = &kubetoken.TokenReviewValidator{}
}
if as.k8sJWKSValidator == nil {
as.k8sJWKSValidator = kubernetestoken.ValidateTokenWithJWKS
as.k8sJWKSValidator = kubetoken.ValidateTokenWithJWKS
}

if as.gcpIDTokenValidator == nil {
Expand Down
11 changes: 6 additions & 5 deletions lib/auth/bot_test.go
Expand Up @@ -62,7 +62,8 @@ import (
libevents "github.com/gravitational/teleport/lib/events"
"github.com/gravitational/teleport/lib/events/eventstest"
"github.com/gravitational/teleport/lib/fixtures"
"github.com/gravitational/teleport/lib/kubernetestoken"
"github.com/gravitational/teleport/lib/kube/token"
kubetoken "github.com/gravitational/teleport/lib/kube/token"
"github.com/gravitational/teleport/lib/reversetunnelclient"
"github.com/gravitational/teleport/lib/tbot/identity"
"github.com/gravitational/teleport/lib/tlsca"
Expand Down Expand Up @@ -764,9 +765,9 @@ func TestRegisterBot_BotInstanceRejoin(t *testing.T) {
k8sReadFileFunc := func(name string) ([]byte, error) {
return []byte(k8sTokenName), nil
}
a.k8sJWKSValidator = func(_ time.Time, _ []byte, _ string, token string) (*kubernetestoken.ValidationResult, error) {
a.k8sJWKSValidator = func(_ time.Time, _ []byte, _ string, token string) (*token.ValidationResult, error) {
if token == k8sTokenName {
return &kubernetestoken.ValidationResult{Username: "system:serviceaccount:static-jwks:matching"}, nil
return &kubetoken.ValidationResult{Username: "system:serviceaccount:static-jwks:matching"}, nil
}

return nil, errMockInvalidToken
Expand Down Expand Up @@ -919,9 +920,9 @@ func TestRegisterBotWithInvalidInstanceID(t *testing.T) {

botName := "bot"
k8sTokenName := "jwks-matching-service-account"
a.k8sJWKSValidator = func(_ time.Time, _ []byte, _ string, token string) (*kubernetestoken.ValidationResult, error) {
a.k8sJWKSValidator = func(_ time.Time, _ []byte, _ string, token string) (*token.ValidationResult, error) {
if token == k8sTokenName {
return &kubernetestoken.ValidationResult{Username: "system:serviceaccount:static-jwks:matching"}, nil
return &kubetoken.ValidationResult{Username: "system:serviceaccount:static-jwks:matching"}, nil
}

return nil, errMockInvalidToken
Expand Down
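Review bot: The same package is now imported twice in this file, once unaliased as `token` and once as `kubetoken` (the two adjacent import lines), and the only use of the unaliased form is the result type of the two validator closures whose own parameter is also named `token`. That compiles only because Go resolves result types in the enclosing scope rather than the parameter scope, so `*token.ValidationResult` happens to mean the package while `token == k8sTokenName` in the body means the string; a reader cannot tell which `token` is which without knowing that rule. Every other file in this change, including the sibling join_kubernetes_test.go, writes the same closure as `(*kubetoken.ValidationResult, error)`, so the unaliased import looks like a leftover. I would drop the `"github.com/gravitational/teleport/lib/kube/token"` import line and change both closures to `func(_ time.Time, _ []byte, _ string, token string) (*kubetoken.ValidationResult, error) {`. The enclosing TestRegisterBot_BotInstanceRejoin and TestRegisterBotWithInvalidInstanceID functions start and end outside the hunks.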
4 changes: 2 additions & 2 deletions lib/auth/join/join.go
Expand Up @@ -50,7 +50,7 @@ import (
"github.com/gravitational/teleport/lib/defaults"
"github.com/gravitational/teleport/lib/githubactions"
"github.com/gravitational/teleport/lib/gitlab"
"github.com/gravitational/teleport/lib/kubernetestoken"
kubetoken "github.com/gravitational/teleport/lib/kube/token"
"github.com/gravitational/teleport/lib/spacelift"
"github.com/gravitational/teleport/lib/terraformcloud"
"github.com/gravitational/teleport/lib/tlsca"
Expand Down Expand Up @@ -238,7 +238,7 @@ func Register(ctx context.Context, params RegisterParams) (result *RegisterResul
return nil, trace.Wrap(err)
}
case types.JoinMethodKubernetes:
params.IDToken, err = kubernetestoken.GetIDToken(os.Getenv, params.KubernetesReadFileFunc)
params.IDToken, err = kubetoken.GetIDToken(os.Getenv, params.KubernetesReadFileFunc)
if err != nil {
return nil, trace.Wrap(err)
}
Expand Down
14 changes: 7 additions & 7 deletions lib/auth/join_kubernetes.go
Expand Up @@ -27,16 +27,16 @@ import (
"github.com/sirupsen/logrus"

"github.com/gravitational/teleport/api/types"
"github.com/gravitational/teleport/lib/kubernetestoken"
kubetoken "github.com/gravitational/teleport/lib/kube/token"
)

type k8sTokenReviewValidator interface {
Validate(ctx context.Context, token, clusterName string) (*kubernetestoken.ValidationResult, error)
Validate(ctx context.Context, token, clusterName string) (*kubetoken.ValidationResult, error)
}

type k8sJWKSValidator func(now time.Time, jwksData []byte, clusterName string, token string) (*kubernetestoken.ValidationResult, error)
type k8sJWKSValidator func(now time.Time, jwksData []byte, clusterName string, token string) (*kubetoken.ValidationResult, error)

func (a *Server) checkKubernetesJoinRequest(ctx context.Context, req *types.RegisterUsingTokenRequest) (*kubernetestoken.ValidationResult, error) {
func (a *Server) checkKubernetesJoinRequest(ctx context.Context, req *types.RegisterUsingTokenRequest) (*kubetoken.ValidationResult, error) {
if req.IDToken == "" {
return nil, trace.BadParameter("IDToken not provided for Kubernetes join request")
}
Expand All @@ -58,7 +58,7 @@ func (a *Server) checkKubernetesJoinRequest(ctx context.Context, req *types.Regi
}

// Switch to join method subtype token validation.
var result *kubernetestoken.ValidationResult
var result *kubetoken.ValidationResult
switch token.Spec.Kubernetes.Type {
case types.KubernetesJoinTypeStaticJWKS:
result, err = a.k8sJWKSValidator(
Expand Down Expand Up @@ -90,10 +90,10 @@ func (a *Server) checkKubernetesJoinRequest(ctx context.Context, req *types.Regi
return result, trace.Wrap(checkKubernetesAllowRules(token, result))
}

func checkKubernetesAllowRules(pt *types.ProvisionTokenV2, got *kubernetestoken.ValidationResult) error {
func checkKubernetesAllowRules(pt *types.ProvisionTokenV2, got *kubetoken.ValidationResult) error {
// If a single rule passes, accept the token
for _, rule := range pt.Spec.Kubernetes.Allow {
wantUsername := fmt.Sprintf("%s:%s", kubernetestoken.ServiceAccountNamePrefix, rule.ServiceAccount)
wantUsername := fmt.Sprintf("%s:%s", kubetoken.ServiceAccountNamePrefix, rule.ServiceAccount)
if wantUsername != got.Username {
continue
}
Expand Down
12 changes: 6 additions & 6 deletions lib/auth/join_kubernetes_test.go
Expand Up @@ -28,14 +28,14 @@ import (

"github.com/gravitational/teleport/api/types"
"github.com/gravitational/teleport/lib/auth/testauthority"
"github.com/gravitational/teleport/lib/kubernetestoken"
kubetoken "github.com/gravitational/teleport/lib/kube/token"
)

type mockK8STokenReviewValidator struct {
tokens map[string]*kubernetestoken.ValidationResult
tokens map[string]*kubetoken.ValidationResult
}

func (m *mockK8STokenReviewValidator) Validate(_ context.Context, token, _ string) (*kubernetestoken.ValidationResult, error) {
func (m *mockK8STokenReviewValidator) Validate(_ context.Context, token, _ string) (*kubetoken.ValidationResult, error) {
result, ok := m.tokens[token]
if !ok {
return nil, errMockInvalidToken
Expand All @@ -48,22 +48,22 @@ func TestAuth_RegisterUsingToken_Kubernetes(t *testing.T) {
// Test setup

// Creating an auth server with mock Kubernetes token validator
tokenReviewTokens := map[string]*kubernetestoken.ValidationResult{
tokenReviewTokens := map[string]*kubetoken.ValidationResult{
"matching-implicit-in-cluster": {Username: "system:serviceaccount:namespace1:service-account1"},
// "matching-explicit-in-cluster" intentionally matches the second allow
// rule of explicitInCluster to ensure all rules are processed.
"matching-explicit-in-cluster": {Username: "system:serviceaccount:namespace2:service-account2"},
"user-token": {Username: "namespace1:service-account1"},
}
jwksTokens := map[string]*kubernetestoken.ValidationResult{
jwksTokens := map[string]*kubetoken.ValidationResult{
"jwks-matching-service-account": {Username: "system:serviceaccount:static-jwks:matching"},
"jwks-mismatched-service-account": {Username: "system:serviceaccount:static-jwks:mismatched"},
}

ctx := context.Background()
p, err := newTestPack(ctx, t.TempDir(), func(server *Server) error {
server.k8sTokenReviewValidator = &mockK8STokenReviewValidator{tokens: tokenReviewTokens}
server.k8sJWKSValidator = func(_ time.Time, _ []byte, _ string, token string) (*kubernetestoken.ValidationResult, error) {
server.k8sJWKSValidator = func(_ time.Time, _ []byte, _ string, token string) (*kubetoken.ValidationResult, error) {
result, ok := jwksTokens[token]
if !ok {
return nil, errMockInvalidToken
Expand Down
Expand Up @@ -16,7 +16,7 @@
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/

package kubernetestoken
package token

import (
"strings"
Expand Down
Expand Up @@ -16,7 +16,7 @@
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/

package kubernetestoken
package token

import (
"io/fs"
Expand Down
Expand Up @@ -16,7 +16,7 @@
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/

package kubernetestoken
package token

import (
"context"
Expand Down
Expand Up @@ -16,7 +16,7 @@
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/

package kubernetestoken
package token

import (
"context"
Expand Down