Merge pull request #13 from int128/extra-scopes

Add extra-scopes support

.circleci/config.yml

@@ -6,10 +6,12 @@ jobs:
     working_directory: /go/src/github.com/int128/kubelogin
     steps:
       - checkout
-      - run: go get -v -t -d
+      - run: go get -v -t -d ./...
       - run: go get github.com/golang/lint/golint
       - run: golint
       - run: go build -v
+      - run: make -C e2e/authserver/testdata
+      - run: go test -v ./...
 
   release:
     docker:
@@ -17,7 +19,7 @@ jobs:
     working_directory: /go/src/github.com/int128/kubelogin
     steps:
       - checkout
-      - run: go get -v -t -d
+      - run: go get -v -t -d ./...
       - run: go get github.com/mitchellh/gox
       - run: go get github.com/tcnksm/ghr
       - run: gox --osarch 'darwin/amd64 linux/amd64 windows/amd64 windows/386' -output 'dist/{{.Dir}}_{{.OS}}_{{.Arch}}'

.editorconfig

@@ -8,3 +8,8 @@ indent_size = 2
 
 [*.go]
 indent_style = tab
+indent_size = 4
+
+[Makefile]
+indent_style = tab
+indent_size = 4

.gitignore

@@ -1 +1,2 @@
 /kubelogin
+/.kubeconfig

README.md

@@ -1,120 +1,263 @@
 # kubelogin [![CircleCI](https://circleci.com/gh/int128/kubelogin.svg?style=shield)](https://circleci.com/gh/int128/kubelogin)
 
-`kubelogin` is a command to get an OpenID Connect (OIDC) token for `kubectl` authentication.
+This is a command for [Kubernetes OpenID Connect (OIDC) authentication](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens).
+It gets a token from the OIDC provider and writes it to the kubeconfig.
+
+This may work with various OIDC providers such as Keycloak, Google Identity Platform and Azure AD.
 
 
-## Getting Started
+## TL;DR
 
-Download [the latest release](https://github.com/int128/kubelogin/releases) and save it as `/usr/local/bin/kubelogin`.
+You need to setup the OIDC provider and [Kubernetes OIDC authentication](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens).
 
-Run the command.
+After initial setup or when the token has been expired, just run `kubelogin`:
 
 ```
 % kubelogin
-2018/03/23 18:01:40 Reading config from /home/user/.kube/config
-2018/03/23 18:01:40 Using current context: hello.k8s.local
-2018/03/23 18:01:40 Using issuer: https://keycloak.example.com/auth/realms/hello
-2018/03/23 18:01:40 Using client ID: kubernetes
-2018/03/23 18:01:41 Starting OpenID Connect authentication:
-
-## Automatic (recommended)
-
-Open the following URL in the web browser:
-
-http://localhost:8000/
-
-## Manual
-
-If you cannot access to localhost, instead open the following URL:
-
-https://keycloak.example.com/auth/realms/hello/protocol/openid-connect/auth?client_id=kubernetes&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&response_type=code&scope=openid+email&state=********
-
-Enter the code:
+2018/08/27 15:03:06 Reading /home/user/.kube/config
+2018/08/27 15:03:06 Using current context: hello.k8s.local
+2018/08/27 15:03:07 Open http://localhost:8000 for authorization
 ```
 
-And then open http://localhost:8000.
-If you cannot access to localhost, you can choose manual interaction instead.
+It opens the browser and you can log in to the provider.
+After you logged in to the provider, it closes the browser automatically.
 
-`kubelogin` will update your `~/.kube/config` with the ID token and refresh token, as follows:
+Then it writes the ID token and refresh token to the kubeconfig.
+
+```
+2018/08/27 15:03:07 GET /
+2018/08/27 15:03:08 GET /?state=a51081925f20c043&session_state=5637cbdf-ffdc-4fab-9fc7-68a3e6f2e73f&code=ey...
+2018/08/27 15:03:09 Got token for subject=cf228a73-47fe-4986-a2a8-b2ced80a884b
+2018/08/27 15:03:09 Updated /home/user/.kube/config
+```
+
+Please see the later section for details.
+
+
+## Getting Started with Google Account
+
+### 1. Setup Google API
+
+Open [Google APIs Console](https://console.developers.google.com/apis/credentials) and create an OAuth client as follows:
+
+- Application Type: Web application
+- Redirect URL: `http://localhost:8000/`
+
+### 2. Setup Kubernetes cluster
+
+Configure your Kubernetes API Server accepts [OpenID Connect Tokens](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens).
+If you are using [kops](https://github.com/kubernetes/kops), run `kops edit cluster` and append the following settings:
+
+```yaml
+spec:
+  kubeAPIServer:
+    oidcIssuerURL: https://accounts.google.com
+    oidcClientID: YOUR_CLIENT_ID.apps.googleusercontent.com
+```
+
+Here assign the `cluster-admin` role to your user.
+
+```yaml
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: oidc-admin-group
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- kind: User
+  name: https://accounts.google.com#1234567890
+```
+
+### 3. Setup kubectl and kubelogin
+
+Setup `kubectl` to authenticate with your identity provider.
+
+```sh
+kubectl config set-credentials CLUSTER_NAME \
+  --auth-provider oidc \
+  --auth-provider-arg idp-issuer-url=https://accounts.google.com \
+  --auth-provider-arg client-id=YOUR_CLIENT_ID.apps.googleusercontent.com \
+  --auth-provider-arg client-secret=YOUR_CLIENT_SECRET
+```
+
+Download [the latest release](https://github.com/int128/kubelogin/releases) and save it.
+
+Run `kubelogin` and open http://localhost:8000 in your browser.
+
+```
+% kubelogin
+2018/08/10 10:36:38 Reading .kubeconfig
+2018/08/10 10:36:38 Using current context: hello.k8s.local
+2018/08/10 10:36:41 Open http://localhost:8000 for authorization
+2018/08/10 10:36:45 GET /
+2018/08/10 10:37:07 GET /?state=...&session_state=...&code=ey...
+2018/08/10 10:37:08 Updated .kubeconfig
+```
+
+Now your `~/.kube/config` should be like:
 
 ```yaml
-# ~/.kube/config (snip)
-current-context: hello.k8s.local
-contexts:
-- context:
-    cluster: hello.k8s.local
-    user: hello.k8s.local
-  name: hello.k8s.local
 users:
 - name: hello.k8s.local
   user:
     auth-provider:
       config:
-        idp-issuer-url: https://keycloak.example.com/auth/realms/hello
-        client-id: kubernetes
+        idp-issuer-url: https://accounts.google.com
+        client-id: YOUR_CLIENT_ID.apps.googleusercontent.com
         client-secret: YOUR_SECRET
-        id-token: ey...       # kubelogin will update ID token
-        refresh-token: ey...  # kubelogin will update refresh token
+        id-token: ey...       # kubelogin will update ID token here
+        refresh-token: ey...  # kubelogin will update refresh token here
       name: oidc
 ```
 
-Make sure you can access to the cluster:
+Make sure you can access to the Kubernetes cluster.
 
 ```
-% kubectl version
-Client Version: version.Info{...}
-Server Version: version.Info{...}
+% kubectl get nodes
+NAME                                    STATUS    ROLES     AGE       VERSION
+ip-1-2-3-4.us-west-2.compute.internal   Ready     node      21d       v1.9.6
+ip-1-2-3-5.us-west-2.compute.internal   Ready     node      20d       v1.9.6
 ```
 
 
-## Prerequisite
+## Getting Started with Keycloak
 
-You have to setup your OIDC identity provider and Kubernetes cluster.
+### 1. Setup Keycloak
 
-### 1. Setup OIDC Identity Provider
+Create an OIDC client as follows:
 
-This tutorial assumes you have created an OIDC client with the following:
-
-- Issuer URL: `https://keycloak.example.com/auth/realms/hello`
+- Redirect URL: `http://localhost:8000/`
+- Issuer URL: `https://keycloak.example.com/auth/realms/YOUR_REALM`
 - Client ID: `kubernetes`
-- Client Secret: `YOUR_CLIENT_SECRET`
-- Allowed redirect URLs:
-  - `http://localhost:8000/`
-  - `urn:ietf:wg:oauth:2.0:oob`
-- Groups claim: `groups` (optional for group based access controll)
+- Groups claim: `groups`
 
-### 2. Setup Kubernetes API Server
+Then create a group `kubernetes:admin` and join to it.
 
-Configure the Kubernetes API server allows your identity provider.
+### 2. Setup Kubernetes cluster
 
-If you are using kops, `kops edit cluster` and append the following settings:
+Configure your Kubernetes API Server accepts [OpenID Connect Tokens](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens).
+If you are using [kops](https://github.com/kubernetes/kops), run `kops edit cluster` and append the following settings:
 
 ```yaml
 spec:
   kubeAPIServer:
+    oidcIssuerURL: https://keycloak.example.com/auth/realms/YOUR_REALM
     oidcClientID: kubernetes
     oidcGroupsClaim: groups
-    oidcIssuerURL: https://keycloak.example.com/auth/realms/hello
 ```
 
-### 3. Setup kubectl
+Here assign the `cluster-admin` role to the `kubernetes:admin` group.
 
-Run the following script to configure `kubectl` uses your identity provider:
+```yaml
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: keycloak-admin-group
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- kind: Group
+  name: /kubernetes:admin
+```
+
+### 3. Setup kubectl and kubelogin
+
+Setup `kubectl` to authenticate with your identity provider.
 
 ```sh
-CLUSTER_NAME=hello.k8s.local
-
-kubectl config set-credentials $CLUSTER_NAME \
+kubectl config set-credentials CLUSTER_NAME \
   --auth-provider oidc \
-  --auth-provider-arg idp-issuer-url=https://keycloak.example.com/auth/realms/hello \
+  --auth-provider-arg idp-issuer-url=https://keycloak.example.com/auth/realms/YOUR_REALM \
   --auth-provider-arg client-id=kubernetes \
   --auth-provider-arg client-secret=YOUR_CLIENT_SECRET
-
-# Set the context
-kubectl config set-context $CLUSTER_NAME --cluster $CLUSTER_NAME --user $CLUSTER_NAME
 ```
 
-In actual team operation, you can distribute the script to your team members for easy setup.
+Download [the latest release](https://github.com/int128/kubelogin/releases) and save it.
+
+Run `kubelogin` and make sure you can access to the cluster.
+See the previous section for details.
+
+
+## Configuration
+
+```
+  kubelogin [OPTIONS]
+
+Application Options:
+      --kubeconfig=               Path to the kubeconfig file (default: ~/.kube/config) [$KUBECONFIG]
+      --insecure-skip-tls-verify  If set, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
+                                  [$KUBELOGIN_INSECURE_SKIP_TLS_VERIFY]
+      --skip-open-browser         If set, it does not open the browser on authentication. [$KUBELOGIN_SKIP_OPEN_BROWSER]
+
+Help Options:
+  -h, --help        Show this help message
+```
+
+This supports the following keys of `auth-provider` in kubeconfig.
+See also [kubectl authentication](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#using-kubectl).
+
+Key | Direction | Value
+----|-----------|------
+`idp-issuer-url`                  | IN (Required) | Issuer URL of the provider.
+`client-id`                       | IN (Required) | Client ID of the provider.
+`client-secret`                   | IN (Required) | Client Secret of the provider.
+`idp-certificate-authority`       | IN (Optional) | CA certificate path of the provider.
+`idp-certificate-authority-data`  | IN (Optional) | Base64 encoded CA certificate of the provider.
+`extra-scopes`                    | IN (Optional) | Scopes to request to the provider (comma separated).
+`id-token`                        | OUT | ID token got from the provider.
+`refresh-token`                   | OUT | Refresh token got from the provider.
+
+
+### Kubeconfig path
+
+You can set the environment variable `KUBECONFIG` to point the config file.
+Default to `~/.kube/config`.
+
+```sh
+export KUBECONFIG="$PWD/.kubeconfig"
+```
+
+### Team onboarding
+
+You can share the kubeconfig to your team members for easy setup.
+
+```yaml
+apiVersion: v1
+kind: Config
+clusters:
+  - cluster:
+      certificate-authority-data: LS...
+      server: https://api.hello.k8s.example.com
+      name: hello.k8s.local
+contexts:
+- context:
+    cluster: hello.k8s.local
+    user: hello.k8s.local
+  name: hello.k8s.local
+current-context: hello.k8s.local
+preferences: {}
+users:
+- name: hello.k8s.local
+  user:
+    auth-provider:
+      name: oidc
+      config:
+        client-id: YOUR_CLIEND_ID
+        client-secret: YOUR_CLIENT_SECRET
+        idp-issuer-url: YOUR_ISSUER
+```
+
+If you are using kops, export the kubeconfig and edit it.
+
+```sh
+KUBECONFIG=.kubeconfig kops export kubecfg hello.k8s.local
+vim .kubeconfig
+```
 
 
 ## Contributions
@@ -122,8 +265,19 @@ In actual team operation, you can distribute the script to your team members for
 This is an open source software licensed under Apache License 2.0.
 Feel free to open issues and pull requests.
 
-### How to build
+### Build and Test
 
 ```sh
 go get github.com/int128/kubelogin
 ```
+
+```sh
+cd $GOPATH/src/github.com/int128/kubelogin
+make -C e2e/authserver/testdata
+go test -v ./...
+```
+
+### Release
+
+CircleCI publishes the build to GitHub.
+See [.circleci/config.yml](.circleci/config.yml).

auth/authcode.go

@@ -0,0 +1,109 @@
+package auth
+
+import (
+	"context"
+	"fmt"
+	"log"
+	"net/http"
+	"time"
+
+	"github.com/pkg/browser"
+	"golang.org/x/oauth2"
+)
+
+type authCodeFlow struct {
+	Config          *oauth2.Config
+	ServerPort      int  // HTTP server port
+	SkipOpenBrowser bool // skip opening browser if true
+}
+
+func (f *authCodeFlow) getToken(ctx context.Context) (*oauth2.Token, error) {
+	code, err := f.getAuthCode(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("Could not get an auth code: %s", err)
+	}
+	token, err := f.Config.Exchange(ctx, code)
+	if err != nil {
+		return nil, fmt.Errorf("Could not exchange token: %s", err)
+	}
+	return token, nil
+}
+
+func (f *authCodeFlow) getAuthCode(ctx context.Context) (string, error) {
+	state, err := generateState()
+	if err != nil {
+		return "", fmt.Errorf("Could not generate state parameter: %s", err)
+	}
+	codeCh := make(chan string)
+	defer close(codeCh)
+	errCh := make(chan error)
+	defer close(errCh)
+	server := http.Server{
+		Addr: fmt.Sprintf("localhost:%d", f.ServerPort),
+		Handler: &authCodeHandler{
+			authCodeURL: f.Config.AuthCodeURL(state),
+			gotCode: func(code string, gotState string) {
+				if gotState == state {
+					codeCh <- code
+				} else {
+					errCh <- fmt.Errorf("State does not match, wants %s but %s", state, gotState)
+				}
+			},
+			gotError: func(err error) {
+				errCh <- err
+			},
+		},
+	}
+	go func() {
+		if err := server.ListenAndServe(); err != nil && err != http.ErrServerClosed {
+			errCh <- err
+		}
+	}()
+	go func() {
+		log.Printf("Open http://localhost:%d for authorization", f.ServerPort)
+		if !f.SkipOpenBrowser {
+			time.Sleep(500 * time.Millisecond)
+			browser.OpenURL(fmt.Sprintf("http://localhost:%d/", f.ServerPort))
+		}
+	}()
+	select {
+	case err := <-errCh:
+		server.Shutdown(ctx)
+		return "", err
+	case code := <-codeCh:
+		server.Shutdown(ctx)
+		return code, nil
+	case <-ctx.Done():
+		server.Shutdown(ctx)
+		return "", ctx.Err()
+	}
+}
+
+type authCodeHandler struct {
+	authCodeURL string
+	gotCode     func(code string, state string)
+	gotError    func(err error)
+}
+
+func (h *authCodeHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	log.Printf("%s %s", r.Method, r.RequestURI)
+	m := r.Method
+	p := r.URL.Path
+	q := r.URL.Query()
+	switch {
+	case m == "GET" && p == "/" && q.Get("error") != "":
+		h.gotError(fmt.Errorf("OAuth Error: %s %s", q.Get("error"), q.Get("error_description")))
+		http.Error(w, "OAuth Error", 500)
+
+	case m == "GET" && p == "/" && q.Get("code") != "":
+		h.gotCode(q.Get("code"), q.Get("state"))
+		w.Header().Add("Content-Type", "text/html")
+		fmt.Fprintf(w, `<html><body>OK<script>window.close()</script></body></html>`)
+
+	case m == "GET" && p == "/":
+		http.Redirect(w, r, h.authCodeURL, 302)
+
+	default:
+		http.Error(w, "Not Found", 404)
+	}
+}

auth/oidc.go

@@ -0,0 +1,69 @@
+package auth
+
+import (
+	"context"
+	"fmt"
+	"log"
+	"net/http"
+
+	oidc "github.com/coreos/go-oidc"
+	"golang.org/x/oauth2"
+)
+
+// TokenSet is a set of tokens and claims.
+type TokenSet struct {
+	IDToken      string
+	RefreshToken string
+}
+
+// Config represents OIDC configuration.
+type Config struct {
+	Issuer          string
+	ClientID        string
+	ClientSecret    string
+	ExtraScopes     []string     // Additional scopes
+	Client          *http.Client // HTTP client for oidc and oauth2
+	ServerPort      int          // HTTP server port
+	SkipOpenBrowser bool         // skip opening browser if true
+}
+
+// GetTokenSet retrives a token from the OIDC provider and returns a TokenSet.
+func (c *Config) GetTokenSet(ctx context.Context) (*TokenSet, error) {
+	if c.Client != nil {
+		ctx = context.WithValue(ctx, oauth2.HTTPClient, c.Client)
+	}
+	provider, err := oidc.NewProvider(ctx, c.Issuer)
+	if err != nil {
+		return nil, fmt.Errorf("Could not discovery the OIDC issuer: %s", err)
+	}
+	oauth2Config := &oauth2.Config{
+		Endpoint:     provider.Endpoint(),
+		ClientID:     c.ClientID,
+		ClientSecret: c.ClientSecret,
+		Scopes:       append(c.ExtraScopes, oidc.ScopeOpenID),
+		RedirectURL:  fmt.Sprintf("http://localhost:%d/", c.ServerPort),
+	}
+	flow := &authCodeFlow{
+		ServerPort:      c.ServerPort,
+		SkipOpenBrowser: c.SkipOpenBrowser,
+		Config:          oauth2Config,
+	}
+	token, err := flow.getToken(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("Could not get a token: %s", err)
+	}
+	idToken, ok := token.Extra("id_token").(string)
+	if !ok {
+		return nil, fmt.Errorf("id_token is missing in the token response: %s", token)
+	}
+	verifier := provider.Verifier(&oidc.Config{ClientID: c.ClientID})
+	verifiedIDToken, err := verifier.Verify(ctx, idToken)
+	if err != nil {
+		return nil, fmt.Errorf("Could not verify the id_token: %s", err)
+	}
+	log.Printf("Got token for subject=%s", verifiedIDToken.Subject)
+	return &TokenSet{
+		IDToken:      idToken,
+		RefreshToken: token.RefreshToken,
+	}, nil
+}

auth/state.go

@@ -0,0 +1,15 @@
+package auth
+
+import (
+	"crypto/rand"
+	"encoding/binary"
+	"fmt"
+)
+
+func generateState() (string, error) {
+	var n uint64
+	if err := binary.Read(rand.Reader, binary.LittleEndian, &n); err != nil {
+		return "", err
+	}
+	return fmt.Sprintf("%x", n), nil
+}

cli/cli.go

@@ -0,0 +1,88 @@
+package cli
+
+import (
+	"context"
+	"fmt"
+	"log"
+	"net/http"
+
+	"github.com/int128/kubelogin/auth"
+	"github.com/int128/kubelogin/kubeconfig"
+	flags "github.com/jessevdk/go-flags"
+	homedir "github.com/mitchellh/go-homedir"
+)
+
+// Parse parses command line arguments and returns a CLI instance.
+func Parse(args []string) (*CLI, error) {
+	var cli CLI
+	parser := flags.NewParser(&cli, flags.HelpFlag)
+	args, err := parser.Parse()
+	if err != nil {
+		return nil, err
+	}
+	if len(args) > 0 {
+		return nil, fmt.Errorf("Too many argument")
+	}
+	return &cli, nil
+}
+
+// CLI represents an interface of this command.
+type CLI struct {
+	KubeConfig      string `long:"kubeconfig" default:"~/.kube/config" env:"KUBECONFIG" description:"Path to the kubeconfig file"`
+	SkipTLSVerify   bool   `long:"insecure-skip-tls-verify" env:"KUBELOGIN_INSECURE_SKIP_TLS_VERIFY" description:"If set, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure"`
+	SkipOpenBrowser bool   `long:"skip-open-browser" env:"KUBELOGIN_SKIP_OPEN_BROWSER" description:"If set, it does not open the browser on authentication."`
+}
+
+// ExpandKubeConfig returns an expanded KubeConfig path.
+func (c *CLI) ExpandKubeConfig() (string, error) {
+	d, err := homedir.Expand(c.KubeConfig)
+	if err != nil {
+		return "", fmt.Errorf("Could not expand %s", c.KubeConfig)
+	}
+	return d, nil
+}
+
+// Run performs this command.
+func (c *CLI) Run(ctx context.Context) error {
+	path, err := c.ExpandKubeConfig()
+	if err != nil {
+		return err
+	}
+	log.Printf("Reading %s", path)
+	cfg, err := kubeconfig.Read(path)
+	if err != nil {
+		return fmt.Errorf("Could not load kubeconfig: %s", err)
+	}
+	log.Printf("Using current context: %s", cfg.CurrentContext)
+	authInfo := kubeconfig.FindCurrentAuthInfo(cfg)
+	if authInfo == nil {
+		return fmt.Errorf("Could not find current context: %s", cfg.CurrentContext)
+	}
+	authProvider, err := kubeconfig.FindOIDCAuthProvider(authInfo)
+	if err != nil {
+		return fmt.Errorf("Could not find auth-provider: %s", err)
+	}
+	tlsConfig, err := c.tlsConfig(authProvider)
+	if err != nil {
+		return fmt.Errorf("Could not configure TLS: %s", err)
+	}
+	authConfig := &auth.Config{
+		Issuer:          authProvider.IDPIssuerURL(),
+		ClientID:        authProvider.ClientID(),
+		ClientSecret:    authProvider.ClientSecret(),
+		ExtraScopes:     authProvider.ExtraScopes(),
+		Client:          &http.Client{Transport: &http.Transport{TLSClientConfig: tlsConfig}},
+		ServerPort:      8000,
+		SkipOpenBrowser: c.SkipOpenBrowser,
+	}
+	token, err := authConfig.GetTokenSet(ctx)
+	if err != nil {
+		return fmt.Errorf("Authentication error: %s", err)
+	}
+
+	authProvider.SetIDToken(token.IDToken)
+	authProvider.SetRefreshToken(token.RefreshToken)
+	kubeconfig.Write(cfg, path)
+	log.Printf("Updated %s", path)
+	return nil
+}

cli/tls.go

@@ -0,0 +1,42 @@
+package cli
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/base64"
+	"fmt"
+	"io/ioutil"
+	"log"
+
+	"github.com/int128/kubelogin/kubeconfig"
+)
+
+func (c *CLI) tlsConfig(authProvider *kubeconfig.OIDCAuthProvider) (*tls.Config, error) {
+	p := x509.NewCertPool()
+	if authProvider.IDPCertificateAuthority() != "" {
+		b, err := ioutil.ReadFile(authProvider.IDPCertificateAuthority())
+		if err != nil {
+			return nil, fmt.Errorf("Could not read idp-certificate-authority: %s", err)
+		}
+		if p.AppendCertsFromPEM(b) != true {
+			return nil, fmt.Errorf("Could not load CA certificate from idp-certificate-authority: %s", err)
+		}
+		log.Printf("Using CA certificate: %s", authProvider.IDPCertificateAuthority())
+	}
+	if authProvider.IDPCertificateAuthorityData() != "" {
+		b, err := base64.StdEncoding.DecodeString(authProvider.IDPCertificateAuthorityData())
+		if err != nil {
+			return nil, fmt.Errorf("Could not decode idp-certificate-authority-data: %s", err)
+		}
+		if p.AppendCertsFromPEM(b) != true {
+			return nil, fmt.Errorf("Could not load CA certificate from idp-certificate-authority-data: %s", err)
+		}
+		log.Printf("Using CA certificate of idp-certificate-authority-data")
+	}
+
+	cfg := &tls.Config{InsecureSkipVerify: c.SkipTLSVerify}
+	if len(p.Subjects()) > 0 {
+		cfg.RootCAs = p
+	}
+	return cfg, nil
+}

config.go

@@ -1,46 +0,0 @@
-package main
-
-import (
-	"os"
-
-	"github.com/mitchellh/go-homedir"
-	"k8s.io/client-go/tools/clientcmd"
-	"k8s.io/client-go/tools/clientcmd/api"
-)
-
-// GetCurrentAuthInfo returns the current authInfo
-func GetCurrentAuthInfo(config api.Config) *api.AuthInfo {
-	context := config.Contexts[config.CurrentContext]
-	if context == nil {
-		return nil
-	}
-	authInfo := config.AuthInfos[context.AuthInfo]
-	return authInfo
-}
-
-// ReadKubeConfig returns the current config
-func ReadKubeConfig(path string) (*api.Config, error) {
-	config, err := clientcmd.LoadFromFile(path)
-	if err != nil {
-		return nil, err
-	}
-	return config, nil
-}
-
-// WriteKubeConfig writes the config
-func WriteKubeConfig(config api.Config, path string) error {
-	return clientcmd.WriteToFile(config, path)
-}
-
-// FindKubeConfig returns env:KUBECONFIG or ~/.kube/config
-func FindKubeConfig() (string, error) {
-	env := os.Getenv("KUBECONFIG")
-	if env != "" {
-		return env, nil
-	}
-	path, err := homedir.Expand("~/.kube/config")
-	if err != nil {
-		return "", err
-	}
-	return path, nil
-}

e2e/authserver/authserver.go

@@ -0,0 +1,49 @@
+package authserver
+
+import (
+	"net/http"
+	"testing"
+)
+
+// Addr is address to listen.
+const Addr = "localhost:9000"
+
+// CACert is path to the CA certificate.
+// This should be generated by Makefile before test.
+const CACert = "authserver/testdata/ca.crt"
+
+// ServerCert is path to the server certificate.
+// This should be generated by Makefile before test.
+const ServerCert = "authserver/testdata/server.crt"
+
+// ServerKey is path to the server key.
+// This should be generated by Makefile before test.
+const ServerKey = "authserver/testdata/server.key"
+
+// Config represents server configuration.
+type Config struct {
+	Issuer string
+	Scope  string
+	Cert   string
+	Key    string
+}
+
+// Start starts a HTTP server.
+func (c *Config) Start(t *testing.T) *http.Server {
+	s := &http.Server{
+		Addr:    Addr,
+		Handler: newHandler(t, c),
+	}
+	go func() {
+		var err error
+		if c.Cert != "" && c.Key != "" {
+			err = s.ListenAndServeTLS(c.Cert, c.Key)
+		} else {
+			err = s.ListenAndServe()
+		}
+		if err != nil && err != http.ErrServerClosed {
+			t.Error(err)
+		}
+	}()
+	return s
+}

e2e/authserver/handler.go

@@ -0,0 +1,118 @@
+package authserver
+
+import (
+	"crypto/rand"
+	"crypto/rsa"
+	"encoding/base64"
+	"fmt"
+	"log"
+	"math/big"
+	"net/http"
+	"testing"
+	"text/template"
+	"time"
+
+	jwt "github.com/dgrijalva/jwt-go"
+)
+
+type handler struct {
+	discovery *template.Template
+	token     *template.Template
+	jwks      *template.Template
+	authCode  string
+
+	Issuer     string
+	Scope      string // Default to openid
+	IDToken    string
+	PrivateKey struct{ N, E string }
+}
+
+func newHandler(t *testing.T, c *Config) *handler {
+	h := handler{
+		discovery: readTemplate(t, "oidc-discovery.json"),
+		token:     readTemplate(t, "oidc-token.json"),
+		jwks:      readTemplate(t, "oidc-jwks.json"),
+		authCode:  "3d24a8bd-35e6-457d-999e-e04bb1dfcec7",
+		Issuer:    c.Issuer,
+		Scope:     c.Scope,
+	}
+	if h.Scope == "" {
+		h.Scope = "openid"
+	}
+
+	token := jwt.NewWithClaims(jwt.SigningMethodRS256, jwt.StandardClaims{
+		Issuer:    c.Issuer,
+		Audience:  "kubernetes",
+		ExpiresAt: time.Now().Add(time.Hour).Unix(),
+	})
+	k, err := rsa.GenerateKey(rand.Reader, 1024)
+	if err != nil {
+		t.Fatalf("Could not generate a key pair: %s", err)
+	}
+	h.IDToken, err = token.SignedString(k)
+	if err != nil {
+		t.Fatalf("Could not generate an ID token: %s", err)
+	}
+	h.PrivateKey.E = base64.RawURLEncoding.EncodeToString(big.NewInt(int64(k.E)).Bytes())
+	h.PrivateKey.N = base64.RawURLEncoding.EncodeToString(k.N.Bytes())
+	return &h
+}
+
+func readTemplate(t *testing.T, name string) *template.Template {
+	t.Helper()
+	tpl, err := template.ParseFiles("authserver/testdata/" + name)
+	if err != nil {
+		t.Fatalf("Could not read template %s: %s", name, err)
+	}
+	return tpl
+}
+
+func (h *handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	if err := h.serveHTTP(w, r); err != nil {
+		log.Printf("[auth-server] Error: %s", err)
+		w.WriteHeader(500)
+	}
+}
+
+func (h *handler) serveHTTP(w http.ResponseWriter, r *http.Request) error {
+	m := r.Method
+	p := r.URL.Path
+	log.Printf("[auth-server] %s %s", m, r.RequestURI)
+	switch {
+	case m == "GET" && p == "/.well-known/openid-configuration":
+		w.Header().Add("Content-Type", "application/json")
+		if err := h.discovery.Execute(w, h); err != nil {
+			return err
+		}
+	case m == "GET" && p == "/protocol/openid-connect/auth":
+		// Authentication Response
+		// http://openid.net/specs/openid-connect-core-1_0.html#AuthResponse
+		q := r.URL.Query()
+		if h.Scope != q.Get("scope") {
+			return fmt.Errorf("scope wants %s but %s", h.Scope, q.Get("scope"))
+		}
+		to := fmt.Sprintf("%s?state=%s&code=%s", q.Get("redirect_uri"), q.Get("state"), h.authCode)
+		http.Redirect(w, r, to, 302)
+	case m == "POST" && p == "/protocol/openid-connect/token":
+		// Token Response
+		// http://openid.net/specs/openid-connect-core-1_0.html#TokenResponse
+		if err := r.ParseForm(); err != nil {
+			return err
+		}
+		if h.authCode != r.Form.Get("code") {
+			return fmt.Errorf("code wants %s but %s", h.authCode, r.Form.Get("code"))
+		}
+		w.Header().Add("Content-Type", "application/json")
+		if err := h.token.Execute(w, h); err != nil {
+			return err
+		}
+	case m == "GET" && p == "/protocol/openid-connect/certs":
+		w.Header().Add("Content-Type", "application/json")
+		if err := h.jwks.Execute(w, h); err != nil {
+			return err
+		}
+	default:
+		http.Error(w, "Not Found", 404)
+	}
+	return nil
+}

e2e/authserver/testdata/.gitignore

@@ -0,0 +1,4 @@
+/CA
+*.key
+*.csr
+*.crt

e2e/authserver/testdata/Makefile

@@ -0,0 +1,50 @@
+.PHONY: clean
+
+all: server.crt ca.crt
+
+clean:
+	rm -v ca.* server.*
+
+ca.key:
+	openssl genrsa -out $@ 1024
+
+ca.csr: openssl.cnf ca.key
+	openssl req -config openssl.cnf \
+		-new \
+		-key ca.key \
+		-subj "/CN=Hello CA" \
+		-out $@
+	openssl req -noout -text -in $@
+
+ca.crt: ca.csr ca.key
+	openssl x509 -req \
+		-signkey ca.key \
+		-in ca.csr \
+		-out $@
+	openssl x509 -text -in $@
+
+server.key:
+	openssl genrsa -out $@ 1024
+
+server.csr: openssl.cnf server.key
+	openssl req -config openssl.cnf \
+		-new \
+		-key server.key \
+		-subj "/CN=localhost" \
+		-out $@
+	openssl req -noout -text -in $@
+
+server.crt: openssl.cnf server.csr ca.key ca.crt
+	rm -fr ./CA
+	mkdir -p ./CA
+	touch CA/index.txt
+	touch CA/index.txt.attr
+	echo 00 > CA/serial
+	openssl ca -config openssl.cnf \
+		-extensions v3_req \
+		-batch \
+		-cert ca.crt \
+		-keyfile ca.key \
+		-in server.csr \
+		-out $@
+	openssl x509 -text -in $@

e2e/authserver/testdata/oidc-discovery.json

@@ -0,0 +1,85 @@
+{
+  "issuer": "{{ .Issuer }}",
+  "authorization_endpoint": "{{ .Issuer }}/protocol/openid-connect/auth",
+  "token_endpoint": "{{ .Issuer }}/protocol/openid-connect/token",
+  "token_introspection_endpoint": "{{ .Issuer }}/protocol/openid-connect/token/introspect",
+  "userinfo_endpoint": "{{ .Issuer }}/protocol/openid-connect/userinfo",
+  "end_session_endpoint": "{{ .Issuer }}/protocol/openid-connect/logout",
+  "jwks_uri": "{{ .Issuer }}/protocol/openid-connect/certs",
+  "check_session_iframe": "{{ .Issuer }}/protocol/openid-connect/login-status-iframe.html",
+  "grant_types_supported": [
+    "authorization_code",
+    "implicit",
+    "refresh_token",
+    "password",
+    "client_credentials"
+  ],
+  "response_types_supported": [
+    "code",
+    "none",
+    "id_token",
+    "token",
+    "id_token token",
+    "code id_token",
+    "code token",
+    "code id_token token"
+  ],
+  "subject_types_supported": [
+    "public",
+    "pairwise"
+  ],
+  "id_token_signing_alg_values_supported": [
+    "RS256"
+  ],
+  "userinfo_signing_alg_values_supported": [
+    "RS256"
+  ],
+  "request_object_signing_alg_values_supported": [
+    "none",
+    "RS256"
+  ],
+  "response_modes_supported": [
+    "query",
+    "fragment",
+    "form_post"
+  ],
+  "registration_endpoint": "{{ .Issuer }}/clients-registrations/openid-connect",
+  "token_endpoint_auth_methods_supported": [
+    "private_key_jwt",
+    "client_secret_basic",
+    "client_secret_post",
+    "client_secret_jwt"
+  ],
+  "token_endpoint_auth_signing_alg_values_supported": [
+    "RS256"
+  ],
+  "claims_supported": [
+    "sub",
+    "iss",
+    "auth_time",
+    "name",
+    "given_name",
+    "family_name",
+    "preferred_username",
+    "email"
+  ],
+  "claim_types_supported": [
+    "normal"
+  ],
+  "claims_parameter_supported": false,
+  "scopes_supported": [
+    "openid",
+    "offline_access",
+    "phone",
+    "address",
+    "email",
+    "profile"
+  ],
+  "request_parameter_supported": true,
+  "request_uri_parameter_supported": true,
+  "code_challenge_methods_supported": [
+    "plain",
+    "S256"
+  ],
+  "tls_client_certificate_bound_access_tokens": true
+}

e2e/authserver/testdata/oidc-jwks.json

@@ -0,0 +1,12 @@
+{
+  "keys": [
+    {
+      "kty": "RSA",
+      "alg": "RS256",
+      "use": "sig",
+      "kid": "xxx",
+      "n": "{{ .PrivateKey.N }}",
+      "e": "{{ .PrivateKey.E }}"
+    }
+  ]
+}

e2e/authserver/testdata/oidc-token.json

@@ -0,0 +1,7 @@
+{
+  "access_token": "7eaae8ab-8f69-45d9-ab7c-73560cd9444d",
+  "token_type": "Bearer",
+  "refresh_token": "44df4c82-5ce7-4260-b54d-1da0d396ef2a",
+  "expires_in": 3600,
+  "id_token": "{{ .IDToken }}"
+}

e2e/authserver/testdata/openssl.cnf

@@ -0,0 +1,37 @@
+[ ca ]
+default_ca      = CA_default
+
+[ CA_default ]
+dir             = ./CA
+certs           = $dir
+crl_dir         = $dir
+database        = $dir/index.txt
+new_certs_dir   = $dir
+default_md      = sha256
+policy          = policy_match
+serial          = $dir/serial
+default_days    = 365
+
+[ policy_match ]
+countryName             = optional
+stateOrProvinceName     = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ req ]
+distinguished_name	= req_distinguished_name
+req_extensions = v3_req
+x509_extensions = v3_ca
+
+[ req_distinguished_name ]
+commonName			= Common Name (e.g. server FQDN or YOUR name)
+
+[ v3_req ]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectAltName = DNS:localhost
+
+[ v3_ca ]
+basicConstraints = CA:true

e2e/e2e_test.go

@@ -0,0 +1,147 @@
+package e2e
+
+import (
+	"context"
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/base64"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"os"
+	"testing"
+	"time"
+
+	"github.com/int128/kubelogin/cli"
+	"github.com/int128/kubelogin/e2e/authserver"
+	"golang.org/x/sync/errgroup"
+)
+
+// End-to-end test.
+//
+// 1. Start the auth server at port 9000.
+// 2. Run the CLI.
+// 3. Open a request for port 8000.
+// 4. Wait for the CLI.
+// 5. Shutdown the auth server.
+func TestE2E(t *testing.T) {
+	data := map[string]struct {
+		kubeconfigValues kubeconfigValues
+		cli              cli.CLI
+		serverConfig     authserver.Config
+		clientTLS        *tls.Config
+	}{
+		"NoTLS": {
+			kubeconfigValues{Issuer: "http://localhost:9000"},
+			cli.CLI{},
+			authserver.Config{Issuer: "http://localhost:9000"},
+			&tls.Config{},
+		},
+		"ExtraScope": {
+			kubeconfigValues{
+				Issuer:      "http://localhost:9000",
+				ExtraScopes: "profile groups",
+			},
+			cli.CLI{},
+			authserver.Config{
+				Issuer: "http://localhost:9000",
+				Scope:  "profile groups openid",
+			},
+			&tls.Config{},
+		},
+		"SkipTLSVerify": {
+			kubeconfigValues{Issuer: "https://localhost:9000"},
+			cli.CLI{SkipTLSVerify: true},
+			authserver.Config{
+				Issuer: "https://localhost:9000",
+				Cert:   authserver.ServerCert,
+				Key:    authserver.ServerKey,
+			},
+			&tls.Config{InsecureSkipVerify: true},
+		},
+		"CACert": {
+			kubeconfigValues{
+				Issuer:                  "https://localhost:9000",
+				IDPCertificateAuthority: authserver.CACert,
+			},
+			cli.CLI{},
+			authserver.Config{
+				Issuer: "https://localhost:9000",
+				Cert:   authserver.ServerCert,
+				Key:    authserver.ServerKey,
+			},
+			&tls.Config{RootCAs: readCert(t, authserver.CACert)},
+		},
+		"CACertData": {
+			kubeconfigValues{
+				Issuer: "https://localhost:9000",
+				IDPCertificateAuthorityData: base64.StdEncoding.EncodeToString(read(t, authserver.CACert)),
+			},
+			cli.CLI{},
+			authserver.Config{
+				Issuer: "https://localhost:9000",
+				Cert:   authserver.ServerCert,
+				Key:    authserver.ServerKey,
+			},
+			&tls.Config{RootCAs: readCert(t, authserver.CACert)},
+		},
+	}
+
+	for name, c := range data {
+		t.Run(name, func(t *testing.T) {
+			ctx, cancel := context.WithCancel(context.Background())
+			defer cancel()
+			server := c.serverConfig.Start(t)
+			defer server.Shutdown(ctx)
+			kubeconfig := createKubeconfig(t, &c.kubeconfigValues)
+			defer os.Remove(kubeconfig)
+			c.cli.KubeConfig = kubeconfig
+			c.cli.SkipOpenBrowser = true
+
+			var eg errgroup.Group
+			eg.Go(func() error {
+				return c.cli.Run(ctx)
+			})
+			if err := openBrowserRequest(c.clientTLS); err != nil {
+				cancel()
+				t.Error(err)
+			}
+			if err := eg.Wait(); err != nil {
+				t.Fatalf("CLI returned error: %s", err)
+			}
+			verifyKubeconfig(t, kubeconfig)
+		})
+	}
+}
+
+func openBrowserRequest(tlsConfig *tls.Config) error {
+	time.Sleep(50 * time.Millisecond)
+	client := http.Client{Transport: &http.Transport{TLSClientConfig: tlsConfig}}
+	res, err := client.Get("http://localhost:8000/")
+	if err != nil {
+		return fmt.Errorf("Could not send a request: %s", err)
+	}
+	if res.StatusCode != 200 {
+		return fmt.Errorf("StatusCode wants 200 but %d", res.StatusCode)
+	}
+	return nil
+}
+
+func read(t *testing.T, name string) []byte {
+	t.Helper()
+	b, err := ioutil.ReadFile(name)
+	if err != nil {
+		t.Fatalf("Could not read %s: %s", name, err)
+	}
+	return b
+}
+
+func readCert(t *testing.T, name string) *x509.CertPool {
+	t.Helper()
+	p := x509.NewCertPool()
+	b := read(t, name)
+	if !p.AppendCertsFromPEM(b) {
+		t.Fatalf("Could not append cert from %s", name)
+	}
+	return p
+}

e2e/kubeconfig.go

@@ -0,0 +1,45 @@
+package e2e
+
+import (
+	"html/template"
+	"io/ioutil"
+	"strings"
+	"testing"
+)
+
+type kubeconfigValues struct {
+	Issuer                      string
+	ExtraScopes                 string
+	IDPCertificateAuthority     string
+	IDPCertificateAuthorityData string
+}
+
+func createKubeconfig(t *testing.T, v *kubeconfigValues) string {
+	t.Helper()
+	f, err := ioutil.TempFile("", "kubeconfig")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer f.Close()
+	tpl, err := template.ParseFiles("testdata/kubeconfig.yaml")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if err := tpl.Execute(f, v); err != nil {
+		t.Fatal(err)
+	}
+	return f.Name()
+}
+
+func verifyKubeconfig(t *testing.T, kubeconfig string) {
+	b, err := ioutil.ReadFile(kubeconfig)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if strings.Index(string(b), "id-token: ey") == -1 {
+		t.Errorf("kubeconfig wants id-token but %s", string(b))
+	}
+	if strings.Index(string(b), "refresh-token: 44df4c82-5ce7-4260-b54d-1da0d396ef2a") == -1 {
+		t.Errorf("kubeconfig wants refresh-token but %s", string(b))
+	}
+}

e2e/testdata/kubeconfig.yaml

@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: Config
+clusters:
+  - cluster:
+      server: https://api.hello.k8s.example.com
+      name: hello.k8s.local
+contexts:
+- context:
+    cluster: hello.k8s.local
+    user: hello.k8s.local
+  name: hello.k8s.local
+current-context: hello.k8s.local
+preferences: {}
+users:
+- name: hello.k8s.local
+  user:
+    auth-provider:
+      config:
+        client-id: kubernetes
+        client-secret: a3c508c3-73c9-42e2-ab14-487a1bf67c33
+        idp-issuer-url: {{ .Issuer }}
+#{{ if .ExtraScopes }}
+        extra-scopes: {{ .ExtraScopes }}
+#{{ end }}
+#{{ if .IDPCertificateAuthority }}
+        idp-certificate-authority: {{ .IDPCertificateAuthority }}
+#{{ end }}
+#{{ if .IDPCertificateAuthorityData }}
+        idp-certificate-authority-data: {{ .IDPCertificateAuthorityData }}
+#{{ end }}
+      name: oidc

kubeconfig/auth.go

@@ -0,0 +1,75 @@
+package kubeconfig
+
+import (
+	"fmt"
+	"strings"
+
+	"k8s.io/client-go/tools/clientcmd/api"
+)
+
+// FindCurrentAuthInfo returns the authInfo of current context.
+// If the current context does not exist, this returns nil.
+func FindCurrentAuthInfo(config *api.Config) *api.AuthInfo {
+	context := config.Contexts[config.CurrentContext]
+	if context == nil {
+		return nil
+	}
+	return config.AuthInfos[context.AuthInfo]
+}
+
+// FindOIDCAuthProvider returns the OIDC authProvider.
+func FindOIDCAuthProvider(authInfo *api.AuthInfo) (*OIDCAuthProvider, error) {
+	if authInfo.AuthProvider == nil {
+		return nil, fmt.Errorf("auth-provider is not set, did you setup kubectl as listed here: https://github.com/int128/kubelogin")
+	}
+	if authInfo.AuthProvider.Name != "oidc" {
+		return nil, fmt.Errorf("auth-provider `%s` is not supported", authInfo.AuthProvider.Name)
+	}
+	return (*OIDCAuthProvider)(authInfo.AuthProvider), nil
+}
+
+// OIDCAuthProvider represents OIDC configuration in the kubeconfig.
+type OIDCAuthProvider api.AuthProviderConfig
+
+// IDPIssuerURL returns the idp-issuer-url.
+func (c *OIDCAuthProvider) IDPIssuerURL() string {
+	return c.Config["idp-issuer-url"]
+}
+
+// ClientID returns the client-id.
+func (c *OIDCAuthProvider) ClientID() string {
+	return c.Config["client-id"]
+}
+
+// ClientSecret returns the client-secret.
+func (c *OIDCAuthProvider) ClientSecret() string {
+	return c.Config["client-secret"]
+}
+
+// IDPCertificateAuthority returns the idp-certificate-authority.
+func (c *OIDCAuthProvider) IDPCertificateAuthority() string {
+	return c.Config["idp-certificate-authority"]
+}
+
+// IDPCertificateAuthorityData returns the idp-certificate-authority-data.
+func (c *OIDCAuthProvider) IDPCertificateAuthorityData() string {
+	return c.Config["idp-certificate-authority-data"]
+}
+
+// ExtraScopes returns the extra-scopes.
+func (c *OIDCAuthProvider) ExtraScopes() []string {
+	if c.Config["extra-scopes"] == "" {
+		return []string{}
+	}
+	return strings.Split(c.Config["extra-scopes"], ",")
+}
+
+// SetIDToken replaces the id-token.
+func (c *OIDCAuthProvider) SetIDToken(idToken string) {
+	c.Config["id-token"] = idToken
+}
+
+// SetRefreshToken replaces the refresh-token.
+func (c *OIDCAuthProvider) SetRefreshToken(refreshToken string) {
+	c.Config["refresh-token"] = refreshToken
+}

kubeconfig/kubeconfig.go

@@ -0,0 +1,22 @@
+package kubeconfig
+
+import (
+	"fmt"
+
+	"k8s.io/client-go/tools/clientcmd"
+	"k8s.io/client-go/tools/clientcmd/api"
+)
+
+// Read parses the file and returns the Config.
+func Read(path string) (*api.Config, error) {
+	config, err := clientcmd.LoadFromFile(path)
+	if err != nil {
+		return nil, fmt.Errorf("Could not load kubeconfig from %s: %s", path, err)
+	}
+	return config, nil
+}
+
+// Write writes the config to the file.
+func Write(config *api.Config, path string) error {
+	return clientcmd.WriteToFile(*config, path)
+}

main.go

@@ -1,57 +1,20 @@
 package main
 
 import (
+	"context"
 	"log"
+	"os"
 
-	"k8s.io/client-go/tools/clientcmd/api"
+	"github.com/int128/kubelogin/cli"
 )
 
 func main() {
-	kubeConfigPath, err := FindKubeConfig()
+	c, err := cli.Parse(os.Args)
 	if err != nil {
 		log.Fatal(err)
 	}
-
-	log.Printf("Reading config from %s", kubeConfigPath)
-	kubeConfig, err := ReadKubeConfig(kubeConfigPath)
-	if err != nil {
+	ctx := context.Background()
+	if err := c.Run(ctx); err != nil {
 		log.Fatal(err)
 	}
-	log.Printf("Using current context: %s", kubeConfig.CurrentContext)
-
-	authInfo := GetCurrentAuthInfo(*kubeConfig)
-	if authInfo == nil {
-		log.Fatal("Could not find the current user")
-	}
-	authProvider := authInfo.AuthProvider
-	if authProvider == nil {
-		log.Fatal("auth-provider is not set in the config")
-	}
-
-	switch authProvider.Name {
-	case "oidc":
-		if err := mutateConfigWithOIDC(authProvider); err != nil {
-			log.Fatal(err)
-		}
-		WriteKubeConfig(*kubeConfig, kubeConfigPath)
-		log.Printf("Updated %s", kubeConfigPath)
-
-	default:
-		log.Fatalf("Currently auth-provider `%s` is not supported", authProvider.Name)
-	}
-}
-
-func mutateConfigWithOIDC(authProvider *api.AuthProviderConfig) error {
-	issuer := authProvider.Config["idp-issuer-url"]
-	clientID := authProvider.Config["client-id"]
-	clientSecret := authProvider.Config["client-secret"]
-	log.Printf("Using issuer: %s", issuer)
-	log.Printf("Using client ID: %s", clientID)
-	oidcToken, err := GetOIDCToken(issuer, clientID, clientSecret)
-	if err != nil {
-		return err
-	}
-	authProvider.Config["id-token"] = oidcToken.IDToken
-	authProvider.Config["refresh-token"] = oidcToken.RefreshToken
-	return nil
 }

oidc.go

@@ -1,130 +0,0 @@
-package main
-
-import (
-	"context"
-	"crypto/rand"
-	"encoding/binary"
-	"fmt"
-	"log"
-
-	"github.com/coreos/go-oidc"
-	"golang.org/x/oauth2"
-)
-
-// OIDCToken is a token set
-type OIDCToken struct {
-	IDToken      string
-	RefreshToken string
-}
-
-// GetOIDCToken returns a token retrieved by auth code grant
-func GetOIDCToken(issuer string, clientID string, clientSecret string) (*OIDCToken, error) {
-	port := 8000
-	provider, err := oidc.NewProvider(oauth2.NoContext, issuer)
-	if err != nil {
-		return nil, err
-	}
-
-	state, err := generateState()
-	if err != nil {
-		return nil, err
-	}
-
-	webBrowserConfig := oauth2.Config{
-		ClientID:     clientID,
-		ClientSecret: clientSecret,
-		RedirectURL:  fmt.Sprintf("http://localhost:%d/", port),
-		Endpoint:     provider.Endpoint(),
-		Scopes:       []string{oidc.ScopeOpenID, "email"},
-	}
-
-	cliConfig := oauth2.Config{
-		ClientID:     clientID,
-		ClientSecret: clientSecret,
-		RedirectURL:  "urn:ietf:wg:oauth:2.0:oob",
-		Endpoint:     provider.Endpoint(),
-		Scopes:       []string{oidc.ScopeOpenID, "email"},
-	}
-
-	showInstructionToGetToken(webBrowserConfig.RedirectURL, cliConfig.AuthCodeURL(state))
-	token, err := getTokenByWebBrowserOrCLI(webBrowserConfig, cliConfig, state)
-	if err != nil {
-		return nil, err
-	}
-
-	rawIDToken, ok := token.Extra("id_token").(string)
-	if !ok {
-		return nil, fmt.Errorf("id_token is missing in the token response: %s", token)
-	}
-
-	log.Printf("Verifying ID token...")
-	verifier := provider.Verifier(&oidc.Config{ClientID: clientID})
-	idToken, err := verifier.Verify(oauth2.NoContext, rawIDToken)
-	if err != nil {
-		return nil, err
-	}
-
-	idTokenClaim := struct {
-		Email string `json:"email"`
-	}{}
-	if err := idToken.Claims(&idTokenClaim); err != nil {
-		return nil, err
-	}
-
-	log.Printf("You are logged in as %s (%s)", idTokenClaim.Email, idToken.Subject)
-	return &OIDCToken{
-		IDToken:      rawIDToken,
-		RefreshToken: token.RefreshToken,
-	}, nil
-}
-
-func getTokenByWebBrowserOrCLI(webBrowserConfig oauth2.Config, cliConfig oauth2.Config, state string) (*oauth2.Token, error) {
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-
-	webBrowserAuthCodeCh := make(chan string)
-	cliAuthCodeCh := make(chan string)
-	errCh := make(chan error)
-
-	go ReceiveAuthCodeFromWebBrowser(ctx, webBrowserConfig.AuthCodeURL(state), state, webBrowserAuthCodeCh, errCh)
-	go ReceiveAuthCodeFromCLI(ctx, cliAuthCodeCh, errCh)
-
-	select {
-	case err := <-errCh:
-		return nil, err
-
-	case authCode := <-webBrowserAuthCodeCh:
-		log.Printf("Exchanging code and token...")
-		return webBrowserConfig.Exchange(ctx, authCode)
-
-	case authCode := <-cliAuthCodeCh:
-		log.Printf("Exchanging code and token...")
-		return cliConfig.Exchange(ctx, authCode)
-	}
-}
-
-func showInstructionToGetToken(localhostURL string, cliAuthCodeURL string) {
-	log.Printf("Starting OpenID Connect authentication:")
-	fmt.Printf(`
-## Automatic (recommended)
-
-Open the following URL in the web browser:
-
-%s
-
-## Manual
-
-If you cannot access to localhost, instead open the following URL:
-
-%s
-
-Enter the code: `, localhostURL, cliAuthCodeURL)
-}
-
-func generateState() (string, error) {
-	var n uint64
-	if err := binary.Read(rand.Reader, binary.LittleEndian, &n); err != nil {
-		return "", err
-	}
-	return fmt.Sprintf("%x", n), nil
-}

oidc_cli.go

@@ -1,16 +0,0 @@
-package main
-
-import (
-	"context"
-	"fmt"
-)
-
-// ReceiveAuthCodeFromCLI receives an auth code from CLI
-func ReceiveAuthCodeFromCLI(ctx context.Context, authCodeCh chan<- string, errCh chan<- error) {
-	var authCode string
-	if _, err := fmt.Scanln(&authCode); err != nil {
-		errCh <- err
-	} else {
-		authCodeCh <- authCode
-	}
-}

oidc_http.go

@@ -1,70 +0,0 @@
-package main
-
-import (
-	"context"
-	"fmt"
-	"log"
-	"net/http"
-)
-
-// ReceiveAuthCodeFromWebBrowser starts a server and receives an auth code
-func ReceiveAuthCodeFromWebBrowser(ctx context.Context, authCodeURL string, state string, authCodeCh chan<- string, errCh chan<- error) {
-	server := http.Server{
-		Addr: ":8000",
-		Handler: &AuthCodeGrantHandler{
-			AuthCodeURL: authCodeURL,
-			State:       state,
-			Resolve:     func(authCode string) { authCodeCh <- authCode },
-			Reject:      func(err error) { errCh <- err },
-		},
-	}
-
-	go func() {
-		if err := server.ListenAndServe(); err != nil && err != http.ErrServerClosed {
-			errCh <- err
-		}
-	}()
-
-	select {
-	case <-ctx.Done():
-		server.Shutdown(context.Background())
-	}
-}
-
-// AuthCodeGrantHandler handles requests for OIDC auth code grant
-type AuthCodeGrantHandler struct {
-	AuthCodeURL string
-	State       string
-	Resolve     func(string)
-	Reject      func(error)
-}
-
-func (s *AuthCodeGrantHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	log.Printf("%s %s", r.Method, r.RequestURI)
-	switch r.URL.Path {
-	case "/":
-		code := r.URL.Query().Get("code")
-		state := r.URL.Query().Get("state")
-		errorCode := r.URL.Query().Get("error")
-		errorDescription := r.URL.Query().Get("error_description")
-		switch {
-		case code != "" && state == s.State:
-			s.Resolve(code)
-			fmt.Fprintf(w, "Please back to the command line.")
-
-		case code != "" && state != s.State:
-			s.Reject(fmt.Errorf("OIDC state did not match. expected=%s, actual=%s", s.State, state))
-			fmt.Fprintf(w, "Please back to the command line.")
-
-		case errorCode != "":
-			s.Reject(fmt.Errorf("OIDC error: %s %s", errorCode, errorDescription))
-			fmt.Fprintf(w, "Please back to the command line.")
-
-		default:
-			http.Redirect(w, r, s.AuthCodeURL, 302)
-		}
-
-	default:
-		http.Error(w, "Not Found", 404)
-	}
-}