Rename lib/kubernetestoken to lib/kube/token
hugoShaka committed Nov 28, 2024
1 parent 91ca392 commit d391fda
Showing 11 changed files with 35 additions and 34 deletions.
10 changes: 5 additions & 5 deletions integrations/lib/testing/fakejoin/kubesigner.go
Expand Up @@ -21,6 +21,7 @@ package fakejoin
import (
"encoding/json"
"fmt"
kubetoken "github.com/gravitational/teleport/lib/kube/token"
"time"

"github.com/go-jose/go-jose/v3"
Expand All @@ -30,7 +31,6 @@ import (
"github.com/jonboulle/clockwork"

"github.com/gravitational/teleport/lib/cryptosuites"
"github.com/gravitational/teleport/lib/kubernetestoken"
)

// KubernetesSigner is a JWT signer that mimicks the Kubernetes one. The signer mock Kubernetes and
Expand Down Expand Up @@ -87,7 +87,7 @@ func (s *KubernetesSigner) GetMarshaledJWKS() (string, error) {
// This token has the Teleport cluster name in its audience as required by the Kubernetes JWKS join method.
func (s *KubernetesSigner) SignServiceAccountJWT(pod, namespace, serviceAccount, clusterName string) (string, error) {
now := s.clock.Now()
claims := kubernetestoken.ServiceAccountClaims{
claims := kubetoken.ServiceAccountClaims{
Claims: jwt.Claims{
Subject: fmt.Sprintf("system:serviceaccount:%s:%s", namespace, serviceAccount),
Audience: jwt.Audience{clusterName},
Expand All @@ -97,13 +97,13 @@ func (s *KubernetesSigner) SignServiceAccountJWT(pod, namespace, serviceAccount,
// The Kubernetes JWKS join method rejects tokens valid more than 30 minutes.
Expiry: jwt.NewNumericDate(now.Add(29 * time.Minute)),
},
Kubernetes: &kubernetestoken.KubernetesSubClaim{
Kubernetes: &kubetoken.KubernetesSubClaim{
Namespace: namespace,
ServiceAccount: &kubernetestoken.ServiceAccountSubClaim{
ServiceAccount: &kubetoken.ServiceAccountSubClaim{
Name: serviceAccount,
UID: uuid.New().String(),
},
Pod: &kubernetestoken.PodSubClaim{
Pod: &kubetoken.PodSubClaim{
Name: pod,
UID: uuid.New().String(),
},
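Review bot: The new import `kubetoken "github.com/gravitational/teleport/lib/kube/token"` is placed inside the standard-library import group (between "fmt" and "time") instead of the teleport group where the removed `lib/kubernetestoken` line sat, so `goimports`/`gci` will reorder it on the next touch and the file is not format-clean as committed. The same placement appears in lib/auth/auth.go, lib/auth/join/join.go, lib/auth/join_kubernetes.go, lib/auth/join_kubernetes_test.go and lib/auth/bot_test.go. Move the line into the project group, e.g. directly after `"github.com/gravitational/teleport/lib/cryptosuites"` here, and apply the same move in the other files.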
4 changes: 2 additions & 2 deletions integrations/terraform/testlib/machineid_join_test.go
Expand Up @@ -35,7 +35,7 @@ import (
"github.com/gravitational/teleport/api/types"
"github.com/gravitational/teleport/integrations/lib/testing/fakejoin"
"github.com/gravitational/teleport/integrations/lib/testing/integration"
"github.com/gravitational/teleport/lib/kubernetestoken"
kubetoken "github.com/gravitational/teleport/lib/kube/token"
"github.com/gravitational/teleport/lib/services"

"github.com/gravitational/teleport/integrations/terraform/provider"
Expand Down Expand Up @@ -115,7 +115,7 @@ func TestTerraformJoin(t *testing.T) {
tempDir := t.TempDir()
jwtPath := filepath.Join(tempDir, "token")
require.NoError(t, os.WriteFile(jwtPath, []byte(jwt), 0600))
require.NoError(t, os.Setenv(kubernetestoken.EnvVarCustomKubernetesTokenPath, jwtPath))
require.NoError(t, os.Setenv(kubetoken.EnvVarCustomKubernetesTokenPath, jwtPath))

// Test setup: craft a Terraform provider configuration
terraformConfig := fmt.Sprintf(`
6 changes: 3 additions & 3 deletions lib/auth/auth.go
Expand Up @@ -35,6 +35,7 @@ import (
"encoding/pem"
"errors"
"fmt"
kubetoken "github.com/gravitational/teleport/lib/kube/token"
"io"
"log/slog"
"math/big"
Expand Down Expand Up @@ -101,7 +102,6 @@ import (
"github.com/gravitational/teleport/lib/gitlab"
"github.com/gravitational/teleport/lib/inventory"
kubeutils "github.com/gravitational/teleport/lib/kube/utils"
"github.com/gravitational/teleport/lib/kubernetestoken"
"github.com/gravitational/teleport/lib/limiter"
"github.com/gravitational/teleport/lib/loginrule"
"github.com/gravitational/teleport/lib/modules"
Expand Down Expand Up @@ -617,10 +617,10 @@ func NewServer(cfg *InitConfig, opts ...ServerOption) (*Server, error) {
as.tpmValidator = tpm.Validate
}
if as.k8sTokenReviewValidator == nil {
as.k8sTokenReviewValidator = &kubernetestoken.TokenReviewValidator{}
as.k8sTokenReviewValidator = &kubetoken.TokenReviewValidator{}
}
if as.k8sJWKSValidator == nil {
as.k8sJWKSValidator = kubernetestoken.ValidateTokenWithJWKS
as.k8sJWKSValidator = kubetoken.ValidateTokenWithJWKS
}

if as.gcpIDTokenValidator == nil {
11 changes: 6 additions & 5 deletions lib/auth/bot_test.go
Expand Up @@ -27,6 +27,8 @@ import (
"encoding/base64"
"encoding/json"
"encoding/pem"
"github.com/gravitational/teleport/lib/kube/token"
kubetoken "github.com/gravitational/teleport/lib/kube/token"
"net/http"
"strings"
"testing"
Expand Down Expand Up @@ -62,7 +64,6 @@ import (
libevents "github.com/gravitational/teleport/lib/events"
"github.com/gravitational/teleport/lib/events/eventstest"
"github.com/gravitational/teleport/lib/fixtures"
"github.com/gravitational/teleport/lib/kubernetestoken"
"github.com/gravitational/teleport/lib/reversetunnelclient"
"github.com/gravitational/teleport/lib/tbot/identity"
"github.com/gravitational/teleport/lib/tlsca"
Expand Down Expand Up @@ -764,9 +765,9 @@ func TestRegisterBot_BotInstanceRejoin(t *testing.T) {
k8sReadFileFunc := func(name string) ([]byte, error) {
return []byte(k8sTokenName), nil
}
a.k8sJWKSValidator = func(_ time.Time, _ []byte, _ string, token string) (*kubernetestoken.ValidationResult, error) {
a.k8sJWKSValidator = func(_ time.Time, _ []byte, _ string, token string) (*token.ValidationResult, error) {
if token == k8sTokenName {
return &kubernetestoken.ValidationResult{Username: "system:serviceaccount:static-jwks:matching"}, nil
return &kubetoken.ValidationResult{Username: "system:serviceaccount:static-jwks:matching"}, nil
}

return nil, errMockInvalidToken
Expand Down Expand Up @@ -919,9 +920,9 @@ func TestRegisterBotWithInvalidInstanceID(t *testing.T) {

botName := "bot"
k8sTokenName := "jwks-matching-service-account"
a.k8sJWKSValidator = func(_ time.Time, _ []byte, _ string, token string) (*kubernetestoken.ValidationResult, error) {
a.k8sJWKSValidator = func(_ time.Time, _ []byte, _ string, token string) (*token.ValidationResult, error) {
if token == k8sTokenName {
return &kubernetestoken.ValidationResult{Username: "system:serviceaccount:static-jwks:matching"}, nil
return &kubetoken.ValidationResult{Username: "system:serviceaccount:static-jwks:matching"}, nil
}

return nil, errMockInvalidToken
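Review bot: lib/auth/bot_test.go now imports the same package twice, once unaliased as `token` and once as `kubetoken`, and the two closure signatures use `*token.ValidationResult` as the result type while naming their last parameter `token`. This compiles only because a parameter's scope starts at the function body, so the package name resolves in the result list and the string in the body; it is confusing to read, and staticcheck's ST1019 flags the duplicate import. Drop the unaliased import line and use the alias consistently: `a.k8sJWKSValidator = func(_ time.Time, _ []byte, _ string, token string) (*kubetoken.ValidationResult, error) {` in both TestRegisterBot_BotInstanceRejoin and TestRegisterBotWithInvalidInstanceID, whose bodies start and end outside these hunks.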
4 changes: 2 additions & 2 deletions lib/auth/join/join.go
Expand Up @@ -20,6 +20,7 @@ import (
"context"
"crypto"
"crypto/x509"
kubetoken "github.com/gravitational/teleport/lib/kube/token"
"log/slog"
"os"
"time"
Expand Down Expand Up @@ -50,7 +51,6 @@ import (
"github.com/gravitational/teleport/lib/defaults"
"github.com/gravitational/teleport/lib/githubactions"
"github.com/gravitational/teleport/lib/gitlab"
"github.com/gravitational/teleport/lib/kubernetestoken"
"github.com/gravitational/teleport/lib/spacelift"
"github.com/gravitational/teleport/lib/terraformcloud"
"github.com/gravitational/teleport/lib/tlsca"
Expand Down Expand Up @@ -238,7 +238,7 @@ func Register(ctx context.Context, params RegisterParams) (result *RegisterResul
return nil, trace.Wrap(err)
}
case types.JoinMethodKubernetes:
params.IDToken, err = kubernetestoken.GetIDToken(os.Getenv, params.KubernetesReadFileFunc)
params.IDToken, err = kubetoken.GetIDToken(os.Getenv, params.KubernetesReadFileFunc)
if err != nil {
return nil, trace.Wrap(err)
}
14 changes: 7 additions & 7 deletions lib/auth/join_kubernetes.go
Expand Up @@ -21,22 +21,22 @@ package auth
import (
"context"
"fmt"
kubetoken "github.com/gravitational/teleport/lib/kube/token"
"time"

"github.com/gravitational/trace"
"github.com/sirupsen/logrus"

"github.com/gravitational/teleport/api/types"
"github.com/gravitational/teleport/lib/kubernetestoken"
)

type k8sTokenReviewValidator interface {
Validate(context.Context, string) (*kubernetestoken.ValidationResult, error)
Validate(context.Context, string) (*kubetoken.ValidationResult, error)
}

type k8sJWKSValidator func(now time.Time, jwksData []byte, clusterName string, token string) (*kubernetestoken.ValidationResult, error)
type k8sJWKSValidator func(now time.Time, jwksData []byte, clusterName string, token string) (*kubetoken.ValidationResult, error)

func (a *Server) checkKubernetesJoinRequest(ctx context.Context, req *types.RegisterUsingTokenRequest) (*kubernetestoken.ValidationResult, error) {
func (a *Server) checkKubernetesJoinRequest(ctx context.Context, req *types.RegisterUsingTokenRequest) (*kubetoken.ValidationResult, error) {
if req.IDToken == "" {
return nil, trace.BadParameter("IDToken not provided for Kubernetes join request")
}
Expand All @@ -53,7 +53,7 @@ func (a *Server) checkKubernetesJoinRequest(ctx context.Context, req *types.Regi
}

// Switch to join method subtype token validation.
var result *kubernetestoken.ValidationResult
var result *kubetoken.ValidationResult
switch token.Spec.Kubernetes.Type {
case types.KubernetesJoinTypeStaticJWKS:
clusterName, err := a.GetDomainName()
Expand Down Expand Up @@ -89,10 +89,10 @@ func (a *Server) checkKubernetesJoinRequest(ctx context.Context, req *types.Regi
return result, trace.Wrap(checkKubernetesAllowRules(token, result))
}

func checkKubernetesAllowRules(pt *types.ProvisionTokenV2, got *kubernetestoken.ValidationResult) error {
func checkKubernetesAllowRules(pt *types.ProvisionTokenV2, got *kubetoken.ValidationResult) error {
// If a single rule passes, accept the token
for _, rule := range pt.Spec.Kubernetes.Allow {
wantUsername := fmt.Sprintf("%s:%s", kubernetestoken.ServiceAccountNamePrefix, rule.ServiceAccount)
wantUsername := fmt.Sprintf("%s:%s", kubetoken.ServiceAccountNamePrefix, rule.ServiceAccount)
if wantUsername != got.Username {
continue
}
12 changes: 6 additions & 6 deletions lib/auth/join_kubernetes_test.go
Expand Up @@ -20,6 +20,7 @@ package auth

import (
"context"
kubetoken "github.com/gravitational/teleport/lib/kube/token"
"testing"
"time"

Expand All @@ -28,14 +29,13 @@ import (

"github.com/gravitational/teleport/api/types"
"github.com/gravitational/teleport/lib/auth/testauthority"
"github.com/gravitational/teleport/lib/kubernetestoken"
)

type mockK8STokenReviewValidator struct {
tokens map[string]*kubernetestoken.ValidationResult
tokens map[string]*kubetoken.ValidationResult
}

func (m *mockK8STokenReviewValidator) Validate(_ context.Context, token string) (*kubernetestoken.ValidationResult, error) {
func (m *mockK8STokenReviewValidator) Validate(_ context.Context, token string) (*kubetoken.ValidationResult, error) {
result, ok := m.tokens[token]
if !ok {
return nil, errMockInvalidToken
Expand All @@ -48,22 +48,22 @@ func TestAuth_RegisterUsingToken_Kubernetes(t *testing.T) {
// Test setup

// Creating an auth server with mock Kubernetes token validator
tokenReviewTokens := map[string]*kubernetestoken.ValidationResult{
tokenReviewTokens := map[string]*kubetoken.ValidationResult{
"matching-implicit-in-cluster": {Username: "system:serviceaccount:namespace1:service-account1"},
// "matching-explicit-in-cluster" intentionally matches the second allow
// rule of explicitInCluster to ensure all rules are processed.
"matching-explicit-in-cluster": {Username: "system:serviceaccount:namespace2:service-account2"},
"user-token": {Username: "namespace1:service-account1"},
}
jwksTokens := map[string]*kubernetestoken.ValidationResult{
jwksTokens := map[string]*kubetoken.ValidationResult{
"jwks-matching-service-account": {Username: "system:serviceaccount:static-jwks:matching"},
"jwks-mismatched-service-account": {Username: "system:serviceaccount:static-jwks:mismatched"},
}

ctx := context.Background()
p, err := newTestPack(ctx, t.TempDir(), func(server *Server) error {
server.k8sTokenReviewValidator = &mockK8STokenReviewValidator{tokens: tokenReviewTokens}
server.k8sJWKSValidator = func(_ time.Time, _ []byte, _ string, token string) (*kubernetestoken.ValidationResult, error) {
server.k8sJWKSValidator = func(_ time.Time, _ []byte, _ string, token string) (*kubetoken.ValidationResult, error) {
result, ok := jwksTokens[token]
if !ok {
return nil, errMockInvalidToken
Expand Up @@ -16,7 +16,7 @@
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/

package kubernetestoken
package token

import (
"strings"
Expand Up @@ -16,7 +16,7 @@
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/

package kubernetestoken
package token

import (
"io/fs"
Expand Up @@ -16,7 +16,7 @@
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/

package kubernetestoken
package token

import (
"context"
Expand Up @@ -16,7 +16,7 @@
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/

package kubernetestoken
package token

import (
"context"
