Skip to content

Commit

Permalink
add expire early credential wrapper
Browse files Browse the repository at this point in the history
  • Loading branch information
MartinForReal authored and k8s-infra-cherrypick-robot committed Jul 12, 2024
1 parent c919111 commit 0d09ee2
Show file tree
Hide file tree
Showing 4 changed files with 209 additions and 0 deletions.
57 changes: 57 additions & 0 deletions pkg/azclient/armauth/expire_early_wrapper.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,57 @@
/*
Copyright 2024 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package armauth

import (
"context"
"time"

"github.com/Azure/azure-sdk-for-go/sdk/azcore"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
)

// expireEarlyTokenCredential is a wrapper around the azcore.TokenCredential that
// returns an earlier ExpiresOn timestamp to avoid conditions like clockSkew, or a race
// condition during polling.
// See: https://github.com/hashicorp/terraform-provider-azurerm/issues/20834 for more details
type expireEarlyTokenCredential struct {
cred azcore.TokenCredential
}

func NewExpireEarlyTokenWrapper(cred azcore.TokenCredential) azcore.TokenCredential {
return &expireEarlyTokenCredential{
cred: cred,
}
}

func (w *expireEarlyTokenCredential) GetToken(ctx context.Context, options policy.TokenRequestOptions) (azcore.AccessToken, error) {
token, err := w.cred.GetToken(ctx, options)
if err != nil {
return azcore.AccessToken{}, err
}

twoHoursFromNow := time.Now().Add(2 * time.Hour)
// IMDS may have the MI token already, and have an expiration of less than 2h when we receive the token. We don't want to set that value beyond the ExpiresOn time and potentially miss a refresh
// So we just return earlier here. See discussion here: https://github.com/Azure/karpenter-provider-azure/pull/391/files#r1648633051
if token.ExpiresOn.Before(twoHoursFromNow) {
return token, nil
}
// If the token expires in more than 2 hours, this means we are taking in a new token with a fresh 24h expiration time or one already in the cache that hasn't been modified by us, so we want to set that to two hours so
// we can refresh it early to avoid the polling bugs mentioned in the above issue
token.ExpiresOn = twoHoursFromNow
return token, nil
}
78 changes: 78 additions & 0 deletions pkg/azclient/armauth/expire_early_wrapper_test.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,78 @@
/*
Copyright 2023 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package armauth

import (
"context"
"testing"
"time"

"github.com/Azure/azure-sdk-for-go/sdk/azcore"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
"go.uber.org/mock/gomock"
)

func Test_expireEarlyTokenCredential_GetToken(t *testing.T) {
type fields struct {
token azcore.AccessToken
}
tests := []struct {
name string
fields fields
wantErr bool
}{
{
name: "valid token",
fields: fields{
token: azcore.AccessToken{
Token: "token",
ExpiresOn: time.Now().Add(4 * time.Hour),
},
},
wantErr: false,
},
{
name: "valid token",
fields: fields{
token: azcore.AccessToken{
Token: "token",
ExpiresOn: time.Now().Add(1 * time.Hour),
},
},
wantErr: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
cntl := gomock.NewController(t)
defer cntl.Finish()
cred := NewMockTokenCredential(cntl)
cred.EXPECT().GetToken(gomock.Any(), gomock.Any()).Return(tt.fields.token, nil).AnyTimes()
w := &expireEarlyTokenCredential{
cred: cred,
}
got, err := w.GetToken(context.Background(), policy.TokenRequestOptions{})
if (err != nil) != tt.wantErr {
t.Errorf("expireEarlyTokenCredential.GetToken() error = %v, wantErr %v", err, tt.wantErr)
return
}
if got.ExpiresOn.After(time.Now().Add(2 * time.Hour)) {
t.Errorf("expireEarlyTokenCredential.GetToken() = %v, should expire within 2 hour", got)
}
})
}
}
73 changes: 73 additions & 0 deletions pkg/azclient/armauth/token_credential_mock_test.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 1 addition & 0 deletions pkg/azclient/auth.go
Original file line number Diff line number Diff line change
Expand Up @@ -74,6 +74,7 @@ func NewAuthProvider(armConfig *ARMClientConfig, config *AzureAuthConfig, client
if err != nil {
return nil, err
}
managedIdentityCredential = armauth.NewExpireEarlyTokenWrapper(managedIdentityCredential)
}

// ClientSecretCredential is used for client secret
Expand Down

0 comments on commit 0d09ee2

Please sign in to comment.