From a7cad3c626f98604769808288e5efde8c07d8355 Mon Sep 17 00:00:00 2001 From: Fan Shang Xiang Date: Fri, 12 Jul 2024 12:27:18 +0800 Subject: [PATCH] add expire early credential wrapper --- pkg/azclient/armauth/expire_early_wrapper.go | 57 ++++++++++++++ .../armauth/expire_early_wrapper_test.go | 78 +++++++++++++++++++ .../armauth/token_credential_mock_test.go | 73 +++++++++++++++++ pkg/azclient/auth.go | 1 + 4 files changed, 209 insertions(+) create mode 100644 pkg/azclient/armauth/expire_early_wrapper.go create mode 100644 pkg/azclient/armauth/expire_early_wrapper_test.go create mode 100644 pkg/azclient/armauth/token_credential_mock_test.go diff --git a/pkg/azclient/armauth/expire_early_wrapper.go b/pkg/azclient/armauth/expire_early_wrapper.go new file mode 100644 index 0000000000..843be4aa56 --- /dev/null +++ b/pkg/azclient/armauth/expire_early_wrapper.go @@ -0,0 +1,57 @@ +/* +Copyright 2024 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package armauth + +import ( + "context" + "time" + + "github.com/Azure/azure-sdk-for-go/sdk/azcore" + "github.com/Azure/azure-sdk-for-go/sdk/azcore/policy" +) + +// expireEarlyTokenCredential is a wrapper around the azcore.TokenCredential that +// returns an earlier ExpiresOn timestamp to avoid conditions like clockSkew, or a race +// condition during polling. +// See: https://github.com/hashicorp/terraform-provider-azurerm/issues/20834 for more details +type expireEarlyTokenCredential struct { + cred azcore.TokenCredential +} + +func NewExpireEarlyTokenWrapper(cred azcore.TokenCredential) azcore.TokenCredential { + return &expireEarlyTokenCredential{ + cred: cred, + } +} + +func (w *expireEarlyTokenCredential) GetToken(ctx context.Context, options policy.TokenRequestOptions) (azcore.AccessToken, error) { + token, err := w.cred.GetToken(ctx, options) + if err != nil { + return azcore.AccessToken{}, err + } + + twoHoursFromNow := time.Now().Add(2 * time.Hour) + // IMDS may have the MI token already, and have an expiration of less than 2h when we receive the token. We don't want to set that value beyond the ExpiresOn time and potentially miss a refresh + // So we just return earlier here. See discussion here: https://github.com/Azure/karpenter-provider-azure/pull/391/files#r1648633051 + if token.ExpiresOn.Before(twoHoursFromNow) { + return token, nil + } + // If the token expires in more than 2 hours, this means we are taking in a new token with a fresh 24h expiration time or one already in the cache that hasn't been modified by us, so we want to set that to two hours so + // we can refresh it early to avoid the polling bugs mentioned in the above issue + token.ExpiresOn = twoHoursFromNow + return token, nil +} diff --git a/pkg/azclient/armauth/expire_early_wrapper_test.go b/pkg/azclient/armauth/expire_early_wrapper_test.go new file mode 100644 index 0000000000..9e0a727e5b --- /dev/null +++ b/pkg/azclient/armauth/expire_early_wrapper_test.go @@ -0,0 +1,78 @@ +/* +Copyright 2023 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package armauth + +import ( + "context" + "testing" + "time" + + "github.com/Azure/azure-sdk-for-go/sdk/azcore" + "github.com/Azure/azure-sdk-for-go/sdk/azcore/policy" + "go.uber.org/mock/gomock" +) + +func Test_expireEarlyTokenCredential_GetToken(t *testing.T) { + type fields struct { + token azcore.AccessToken + } + tests := []struct { + name string + fields fields + wantErr bool + }{ + { + name: "valid token", + fields: fields{ + token: azcore.AccessToken{ + Token: "token", + ExpiresOn: time.Now().Add(4 * time.Hour), + }, + }, + wantErr: false, + }, + { + name: "valid token", + fields: fields{ + token: azcore.AccessToken{ + Token: "token", + ExpiresOn: time.Now().Add(1 * time.Hour), + }, + }, + wantErr: false, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + cntl := gomock.NewController(t) + defer cntl.Finish() + cred := NewMockTokenCredential(cntl) + cred.EXPECT().GetToken(gomock.Any(), gomock.Any()).Return(tt.fields.token, nil).AnyTimes() + w := &expireEarlyTokenCredential{ + cred: cred, + } + got, err := w.GetToken(context.Background(), policy.TokenRequestOptions{}) + if (err != nil) != tt.wantErr { + t.Errorf("expireEarlyTokenCredential.GetToken() error = %v, wantErr %v", err, tt.wantErr) + return + } + if got.ExpiresOn.After(time.Now().Add(2 * time.Hour)) { + t.Errorf("expireEarlyTokenCredential.GetToken() = %v, should expire within 2 hour", got) + } + }) + } +} diff --git a/pkg/azclient/armauth/token_credential_mock_test.go b/pkg/azclient/armauth/token_credential_mock_test.go new file mode 100644 index 0000000000..7305585987 --- /dev/null +++ b/pkg/azclient/armauth/token_credential_mock_test.go @@ -0,0 +1,73 @@ +// /* +// Copyright The Kubernetes Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// */ + + +// Code generated by MockGen. DO NOT EDIT. +// Source: github.com/Azure/azure-sdk-for-go/sdk/azcore (interfaces: TokenCredential) +// +// Generated by this command: +// +// mockgen -package armauth github.com/Azure/azure-sdk-for-go/sdk/azcore TokenCredential +// +// Package armauth is a generated GoMock package. +package armauth + +import ( + context "context" + reflect "reflect" + + exported "github.com/Azure/azure-sdk-for-go/sdk/azcore/policy" + "github.com/Azure/azure-sdk-for-go/sdk/azcore" + gomock "go.uber.org/mock/gomock" +) + +// MockTokenCredential is a mock of TokenCredential interface. +type MockTokenCredential struct { + ctrl *gomock.Controller + recorder *MockTokenCredentialMockRecorder +} + +// MockTokenCredentialMockRecorder is the mock recorder for MockTokenCredential. +type MockTokenCredentialMockRecorder struct { + mock *MockTokenCredential +} + +// NewMockTokenCredential creates a new mock instance. +func NewMockTokenCredential(ctrl *gomock.Controller) *MockTokenCredential { + mock := &MockTokenCredential{ctrl: ctrl} + mock.recorder = &MockTokenCredentialMockRecorder{mock} + return mock +} + +// EXPECT returns an object that allows the caller to indicate expected use. +func (m *MockTokenCredential) EXPECT() *MockTokenCredentialMockRecorder { + return m.recorder +} + +// GetToken mocks base method. +func (m *MockTokenCredential) GetToken(arg0 context.Context, arg1 exported.TokenRequestOptions) (azcore.AccessToken, error) { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "GetToken", arg0, arg1) + ret0, _ := ret[0].(azcore.AccessToken) + ret1, _ := ret[1].(error) + return ret0, ret1 +} + +// GetToken indicates an expected call of GetToken. +func (mr *MockTokenCredentialMockRecorder) GetToken(arg0, arg1 any) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetToken", reflect.TypeOf((*MockTokenCredential)(nil).GetToken), arg0, arg1) +} diff --git a/pkg/azclient/auth.go b/pkg/azclient/auth.go index df6316a16e..fb7fb92d3f 100644 --- a/pkg/azclient/auth.go +++ b/pkg/azclient/auth.go @@ -80,6 +80,7 @@ func NewAuthProvider(armConfig *ARMClientConfig, config *AzureAuthConfig, client if err != nil { return nil, err } + managedIdentityCredential = armauth.NewExpireEarlyTokenWrapper(managedIdentityCredential) } var (