Refactor

Open browser automatically on authentication

README.md

@@ -18,6 +18,7 @@ Application Options:
       --kubeconfig=               Path to the kubeconfig file (default: ~/.kube/config) [$KUBECONFIG]
       --insecure-skip-tls-verify  If set, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
                                   [$KUBELOGIN_INSECURE_SKIP_TLS_VERIFY]
+      --skip-open-browser         If set, it does not open the browser on authentication. [$KUBELOGIN_SKIP_OPEN_BROWSER]
 
 Help Options:
   -h, --help        Show this help message

auth/authcode.go

@@ -2,65 +2,55 @@ package auth
 
 import (
 	"context"
-	"crypto/rand"
-	"encoding/binary"
 	"fmt"
 	"log"
 	"net/http"
 
+	"github.com/pkg/browser"
 	"golang.org/x/oauth2"
 )
 
-// BrowserAuthCodeFlow is a flow to get a token by browser interaction.
-type BrowserAuthCodeFlow struct {
-	oauth2.Config
-	Port int // HTTP server port
+type authCodeFlow struct {
+	Config          *oauth2.Config
+	ServerPort      int  // HTTP server port
+	SkipOpenBrowser bool // skip opening browser if true
 }
 
-// GetToken returns a token.
-func (f *BrowserAuthCodeFlow) GetToken(ctx context.Context) (*oauth2.Token, error) {
-	f.Config.RedirectURL = fmt.Sprintf("http://localhost:%d/", f.Port)
-	state, err := generateState()
+func (f *authCodeFlow) getToken(ctx context.Context) (*oauth2.Token, error) {
+	code, err := f.getAuthCode(ctx)
 	if err != nil {
-		return nil, fmt.Errorf("Could not generate state parameter: %s", err)
-	}
-	log.Printf("Open http://localhost:%d for authorization", f.Port)
-	code, err := f.getCode(ctx, &f.Config, state)
-	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("Could not get an auth code: %s", err)
 	}
 	token, err := f.Config.Exchange(ctx, code)
 	if err != nil {
-		return nil, fmt.Errorf("Could not exchange oauth code: %s", err)
+		return nil, fmt.Errorf("Could not exchange token: %s", err)
 	}
 	return token, nil
 }
 
-func generateState() (string, error) {
-	var n uint64
-	if err := binary.Read(rand.Reader, binary.LittleEndian, &n); err != nil {
-		return "", err
+func (f *authCodeFlow) getAuthCode(ctx context.Context) (string, error) {
+	state, err := generateState()
+	if err != nil {
+		return "", fmt.Errorf("Could not generate state parameter: %s", err)
 	}
-	return fmt.Sprintf("%x", n), nil
-}
-
-func (f *BrowserAuthCodeFlow) getCode(ctx context.Context, config *oauth2.Config, state string) (string, error) {
 	codeCh := make(chan string)
+	defer close(codeCh)
 	errCh := make(chan error)
+	defer close(errCh)
 	server := http.Server{
-		Addr: fmt.Sprintf(":%d", f.Port),
-		Handler: &handler{
-			AuthCodeURL: config.AuthCodeURL(state),
-			Callback: func(code string, actualState string, err error) {
-				switch {
-				case err != nil:
-					errCh <- err
-				case actualState != state:
-					errCh <- fmt.Errorf("OAuth state did not match, should be %s but %s", state, actualState)
-				default:
+		Addr: fmt.Sprintf("localhost:%d", f.ServerPort),
+		Handler: &authCodeHandler{
+			authCodeURL: f.Config.AuthCodeURL(state),
+			gotCode: func(code string, gotState string) {
+				if gotState == state {
 					codeCh <- code
+				} else {
+					errCh <- fmt.Errorf("State does not match, wants %s but %s", state, gotState)
 				}
 			},
+			gotError: func(err error) {
+				errCh <- err
+			},
 		},
 	}
 	go func() {
@@ -68,6 +58,12 @@ func (f *BrowserAuthCodeFlow) getCode(ctx context.Context, config *oauth2.Config
 			errCh <- err
 		}
 	}()
+	go func() {
+		log.Printf("Open http://localhost:%d for authorization", f.ServerPort)
+		if !f.SkipOpenBrowser {
+			browser.OpenURL(fmt.Sprintf("http://localhost:%d/", f.ServerPort))
+		}
+	}()
 	select {
 	case err := <-errCh:
 		server.Shutdown(ctx)
@@ -75,32 +71,36 @@ func (f *BrowserAuthCodeFlow) getCode(ctx context.Context, config *oauth2.Config
 	case code := <-codeCh:
 		server.Shutdown(ctx)
 		return code, nil
+	case <-ctx.Done():
+		server.Shutdown(ctx)
+		return "", ctx.Err()
 	}
 }
 
-type handler struct {
-	AuthCodeURL string
-	Callback    func(code string, state string, err error)
+type authCodeHandler struct {
+	authCodeURL string
+	gotCode     func(code string, state string)
+	gotError    func(err error)
 }
 
-func (s *handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+func (h *authCodeHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	log.Printf("%s %s", r.Method, r.RequestURI)
-	switch r.URL.Path {
-	case "/":
-		code := r.URL.Query().Get("code")
-		state := r.URL.Query().Get("state")
-		errorCode := r.URL.Query().Get("error")
-		errorDescription := r.URL.Query().Get("error_description")
-		switch {
-		case code != "":
-			s.Callback(code, state, nil)
-			fmt.Fprintf(w, "Back to command line.")
-		case errorCode != "":
-			s.Callback("", "", fmt.Errorf("OAuth Error: %s %s", errorCode, errorDescription))
-			fmt.Fprintf(w, "Back to command line.")
-		default:
-			http.Redirect(w, r, s.AuthCodeURL, 302)
-		}
+	m := r.Method
+	p := r.URL.Path
+	q := r.URL.Query()
+	switch {
+	case m == "GET" && p == "/" && q.Get("error") != "":
+		h.gotError(fmt.Errorf("OAuth Error: %s %s", q.Get("error"), q.Get("error_description")))
+		http.Error(w, "OAuth Error", 500)
+
+	case m == "GET" && p == "/" && q.Get("code") != "":
+		h.gotCode(q.Get("code"), q.Get("state"))
+		w.Header().Add("Content-Type", "text/html")
+		fmt.Fprintf(w, `<html><body>OK<script>window.close()</script></body></html>`)
+
+	case m == "GET" && p == "/":
+		http.Redirect(w, r, h.authCodeURL, 302)
+
 	default:
 		http.Error(w, "Not Found", 404)
 	}

auth/oidc.go

@@ -3,6 +3,8 @@ package auth
 import (
 	"context"
 	"fmt"
+	"log"
+	"net/http"
 
 	oidc "github.com/coreos/go-oidc"
 	"golang.org/x/oauth2"
@@ -12,49 +14,56 @@ import (
 type TokenSet struct {
 	IDToken      string
 	RefreshToken string
-	Claims       *Claims
 }
 
-// Claims represents properties in the ID token.
-type Claims struct {
-	Email string `json:"email"`
+// Config represents OIDC configuration.
+type Config struct {
+	Issuer          string
+	ClientID        string
+	ClientSecret    string
+	ExtraScopes     []string     // Additional scopes
+	Client          *http.Client // HTTP client for oidc and oauth2
+	ServerPort      int          // HTTP server port
+	SkipOpenBrowser bool         // skip opening browser if true
 }
 
-// GetTokenSet retrieves a token from the OIDC provider.
-func GetTokenSet(ctx context.Context, issuer string, clientID string, clientSecret string) (*TokenSet, error) {
-	provider, err := oidc.NewProvider(ctx, issuer)
+// GetTokenSet retrives a token from the OIDC provider and returns a TokenSet.
+func (c *Config) GetTokenSet(ctx context.Context) (*TokenSet, error) {
+	if c.Client != nil {
+		ctx = context.WithValue(ctx, oauth2.HTTPClient, c.Client)
+	}
+	provider, err := oidc.NewProvider(ctx, c.Issuer)
 	if err != nil {
-		return nil, fmt.Errorf("Could not access OIDC issuer: %s", err)
+		return nil, fmt.Errorf("Could not discovery the OIDC issuer: %s", err)
 	}
-	flow := BrowserAuthCodeFlow{
-		Port: 8000,
-		Config: oauth2.Config{
-			Endpoint:     provider.Endpoint(),
-			ClientID:     clientID,
-			ClientSecret: clientSecret,
-			Scopes:       []string{oidc.ScopeOpenID, "email"},
-		},
+	oauth2Config := &oauth2.Config{
+		Endpoint:     provider.Endpoint(),
+		ClientID:     c.ClientID,
+		ClientSecret: c.ClientSecret,
+		Scopes:       append(c.ExtraScopes, oidc.ScopeOpenID),
+		RedirectURL:  fmt.Sprintf("http://localhost:%d/", c.ServerPort),
 	}
-	token, err := flow.GetToken(ctx)
+	flow := &authCodeFlow{
+		ServerPort:      c.ServerPort,
+		SkipOpenBrowser: c.SkipOpenBrowser,
+		Config:          oauth2Config,
+	}
+	token, err := flow.getToken(ctx)
 	if err != nil {
 		return nil, fmt.Errorf("Could not get a token: %s", err)
 	}
-	rawIDToken, ok := token.Extra("id_token").(string)
+	idToken, ok := token.Extra("id_token").(string)
 	if !ok {
 		return nil, fmt.Errorf("id_token is missing in the token response: %s", token)
 	}
-	verifier := provider.Verifier(&oidc.Config{ClientID: clientID})
-	idToken, err := verifier.Verify(ctx, rawIDToken)
+	verifier := provider.Verifier(&oidc.Config{ClientID: c.ClientID})
+	verifiedIDToken, err := verifier.Verify(ctx, idToken)
 	if err != nil {
 		return nil, fmt.Errorf("Could not verify the id_token: %s", err)
 	}
-	var claims Claims
-	if err := idToken.Claims(&claims); err != nil {
-		return nil, fmt.Errorf("Could not extract claims from the token response: %s", err)
-	}
+	log.Printf("Got token for subject=%s", verifiedIDToken.Subject)
 	return &TokenSet{
-		IDToken:      rawIDToken,
+		IDToken:      idToken,
 		RefreshToken: token.RefreshToken,
-		Claims:       &claims,
 	}, nil
 }

auth/state.go

@@ -0,0 +1,15 @@
+package auth
+
+import (
+	"crypto/rand"
+	"encoding/binary"
+	"fmt"
+)
+
+func generateState() (string, error) {
+	var n uint64
+	if err := binary.Read(rand.Reader, binary.LittleEndian, &n); err != nil {
+		return "", err
+	}
+	return fmt.Sprintf("%x", n), nil
+}

cli/cli.go

@@ -2,11 +2,7 @@ package cli
 
 import (
 	"context"
-	"crypto/tls"
-	"crypto/x509"
-	"encoding/base64"
 	"fmt"
-	"io/ioutil"
 	"log"
 	"net/http"
 
@@ -14,7 +10,6 @@ import (
 	"github.com/int128/kubelogin/kubeconfig"
 	flags "github.com/jessevdk/go-flags"
 	homedir "github.com/mitchellh/go-homedir"
-	"golang.org/x/oauth2"
 )
 
 // Parse parses command line arguments and returns a CLI instance.
@@ -33,9 +28,9 @@ func Parse(args []string) (*CLI, error) {
 
 // CLI represents an interface of this command.
 type CLI struct {
-	KubeConfig    string `long:"kubeconfig" default:"~/.kube/config" env:"KUBECONFIG" description:"Path to the kubeconfig file"`
-	SkipTLSVerify bool   `long:"insecure-skip-tls-verify" env:"KUBELOGIN_INSECURE_SKIP_TLS_VERIFY" description:"If set, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure"`
-	// CertificateAuthority string `long:"certificate-authority" env:"KUBELOGIN_CERTIFICATE_AUTHORITY" description:"Path to a cert file for the certificate authority"`
+	KubeConfig      string `long:"kubeconfig" default:"~/.kube/config" env:"KUBECONFIG" description:"Path to the kubeconfig file"`
+	SkipTLSVerify   bool   `long:"insecure-skip-tls-verify" env:"KUBELOGIN_INSECURE_SKIP_TLS_VERIFY" description:"If set, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure"`
+	SkipOpenBrowser bool   `long:"skip-open-browser" env:"KUBELOGIN_SKIP_OPEN_BROWSER" description:"If set, it does not open the browser on authentication."`
 }
 
 // ExpandKubeConfig returns an expanded KubeConfig path.
@@ -54,7 +49,7 @@ func (c *CLI) Run(ctx context.Context) error {
 		return err
 	}
 	log.Printf("Reading %s", path)
-	cfg, err := kubeconfig.Load(path)
+	cfg, err := kubeconfig.Read(path)
 	if err != nil {
 		return fmt.Errorf("Could not load kubeconfig: %s", err)
 	}
@@ -63,7 +58,7 @@ func (c *CLI) Run(ctx context.Context) error {
 	if authInfo == nil {
 		return fmt.Errorf("Could not find current context: %s", cfg.CurrentContext)
 	}
-	authProvider, err := kubeconfig.ToOIDCAuthProviderConfig(authInfo)
+	authProvider, err := kubeconfig.FindOIDCAuthProvider(authInfo)
 	if err != nil {
 		return fmt.Errorf("Could not find auth-provider: %s", err)
 	}
@@ -71,9 +66,15 @@ func (c *CLI) Run(ctx context.Context) error {
 	if err != nil {
 		return fmt.Errorf("Could not configure TLS: %s", err)
 	}
-	client := &http.Client{Transport: &http.Transport{TLSClientConfig: tlsConfig}}
-	ctx = context.WithValue(ctx, oauth2.HTTPClient, client)
-	token, err := auth.GetTokenSet(ctx, authProvider.IDPIssuerURL(), authProvider.ClientID(), authProvider.ClientSecret())
+	authConfig := &auth.Config{
+		Issuer:          authProvider.IDPIssuerURL(),
+		ClientID:        authProvider.ClientID(),
+		ClientSecret:    authProvider.ClientSecret(),
+		Client:          &http.Client{Transport: &http.Transport{TLSClientConfig: tlsConfig}},
+		ServerPort:      8000,
+		SkipOpenBrowser: c.SkipOpenBrowser,
+	}
+	token, err := authConfig.GetTokenSet(ctx)
 	if err != nil {
 		return fmt.Errorf("Authentication error: %s", err)
 	}
@@ -84,32 +85,3 @@ func (c *CLI) Run(ctx context.Context) error {
 	log.Printf("Updated %s", path)
 	return nil
 }
-
-func (c *CLI) tlsConfig(authProvider *kubeconfig.OIDCAuthProviderConfig) (*tls.Config, error) {
-	p := x509.NewCertPool()
-	if authProvider.IDPCertificateAuthority() != "" {
-		b, err := ioutil.ReadFile(authProvider.IDPCertificateAuthority())
-		if err != nil {
-			return nil, fmt.Errorf("Could not read idp-certificate-authority: %s", err)
-		}
-		if p.AppendCertsFromPEM(b) != true {
-			return nil, fmt.Errorf("Could not load CA certificate from idp-certificate-authority: %s", err)
-		}
-		log.Printf("Using CA certificate: %s", authProvider.IDPCertificateAuthority())
-	}
-	if authProvider.IDPCertificateAuthorityData() != "" {
-		b, err := base64.StdEncoding.DecodeString(authProvider.IDPCertificateAuthorityData())
-		if err != nil {
-			return nil, fmt.Errorf("Could not decode idp-certificate-authority-data: %s", err)
-		}
-		if p.AppendCertsFromPEM(b) != true {
-			return nil, fmt.Errorf("Could not load CA certificate from idp-certificate-authority-data: %s", err)
-		}
-		log.Printf("Using CA certificate of idp-certificate-authority-data")
-	}
-	cfg := &tls.Config{InsecureSkipVerify: c.SkipTLSVerify}
-	if len(p.Subjects()) > 0 {
-		cfg.RootCAs = p
-	}
-	return cfg, nil
-}

cli/tls.go

@@ -0,0 +1,42 @@
+package cli
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/base64"
+	"fmt"
+	"io/ioutil"
+	"log"
+
+	"github.com/int128/kubelogin/kubeconfig"
+)
+
+func (c *CLI) tlsConfig(authProvider *kubeconfig.OIDCAuthProvider) (*tls.Config, error) {
+	p := x509.NewCertPool()
+	if authProvider.IDPCertificateAuthority() != "" {
+		b, err := ioutil.ReadFile(authProvider.IDPCertificateAuthority())
+		if err != nil {
+			return nil, fmt.Errorf("Could not read idp-certificate-authority: %s", err)
+		}
+		if p.AppendCertsFromPEM(b) != true {
+			return nil, fmt.Errorf("Could not load CA certificate from idp-certificate-authority: %s", err)
+		}
+		log.Printf("Using CA certificate: %s", authProvider.IDPCertificateAuthority())
+	}
+	if authProvider.IDPCertificateAuthorityData() != "" {
+		b, err := base64.StdEncoding.DecodeString(authProvider.IDPCertificateAuthorityData())
+		if err != nil {
+			return nil, fmt.Errorf("Could not decode idp-certificate-authority-data: %s", err)
+		}
+		if p.AppendCertsFromPEM(b) != true {
+			return nil, fmt.Errorf("Could not load CA certificate from idp-certificate-authority-data: %s", err)
+		}
+		log.Printf("Using CA certificate of idp-certificate-authority-data")
+	}
+
+	cfg := &tls.Config{InsecureSkipVerify: c.SkipTLSVerify}
+	if len(p.Subjects()) > 0 {
+		cfg.RootCAs = p
+	}
+	return cfg, nil
+}

integration-test/integration_test.go

@@ -34,7 +34,8 @@ func Test(t *testing.T) {
 	go authenticate(t, &tls.Config{})
 
 	c := cli.CLI{
-		KubeConfig: kubeconfig,
+		KubeConfig:      kubeconfig,
+		SkipOpenBrowser: true,
 	}
 	if err := c.Run(ctx); err != nil {
 		t.Fatal(err)
@@ -58,8 +59,9 @@ func TestWithSkipTLSVerify(t *testing.T) {
 	go authenticate(t, &tls.Config{InsecureSkipVerify: true})
 
 	c := cli.CLI{
-		KubeConfig:    kubeconfig,
-		SkipTLSVerify: true,
+		KubeConfig:      kubeconfig,
+		SkipTLSVerify:   true,
+		SkipOpenBrowser: true,
 	}
 	if err := c.Run(ctx); err != nil {
 		t.Fatal(err)
@@ -84,7 +86,8 @@ func TestWithCACert(t *testing.T) {
 	go authenticate(t, &tls.Config{RootCAs: loadCACert(t)})
 
 	c := cli.CLI{
-		KubeConfig: kubeconfig,
+		KubeConfig:      kubeconfig,
+		SkipOpenBrowser: true,
 	}
 	if err := c.Run(ctx); err != nil {
 		t.Fatal(err)
@@ -113,7 +116,8 @@ func TestWithCACertData(t *testing.T) {
 	go authenticate(t, &tls.Config{RootCAs: loadCACert(t)})
 
 	c := cli.CLI{
-		KubeConfig: kubeconfig,
+		KubeConfig:      kubeconfig,
+		SkipOpenBrowser: true,
 	}
 	if err := c.Run(ctx); err != nil {
 		t.Fatal(err)

kubeconfig/auth.go

@@ -16,51 +16,51 @@ func FindCurrentAuthInfo(config *api.Config) *api.AuthInfo {
 	return config.AuthInfos[context.AuthInfo]
 }
 
-// ToOIDCAuthProviderConfig converts from api.AuthInfo to OIDCAuthProviderConfig.
-func ToOIDCAuthProviderConfig(authInfo *api.AuthInfo) (*OIDCAuthProviderConfig, error) {
+// FindOIDCAuthProvider returns the OIDC authProvider.
+func FindOIDCAuthProvider(authInfo *api.AuthInfo) (*OIDCAuthProvider, error) {
 	if authInfo.AuthProvider == nil {
-		return nil, fmt.Errorf("auth-provider is not set, did you setup kubectl as listed here: https://github.com/int128/kubelogin#3-setup-kubectl")
+		return nil, fmt.Errorf("auth-provider is not set, did you setup kubectl as listed here: https://github.com/int128/kubelogin")
 	}
 	if authInfo.AuthProvider.Name != "oidc" {
 		return nil, fmt.Errorf("auth-provider `%s` is not supported", authInfo.AuthProvider.Name)
 	}
-	return (*OIDCAuthProviderConfig)(authInfo.AuthProvider), nil
+	return (*OIDCAuthProvider)(authInfo.AuthProvider), nil
 }
 
-// OIDCAuthProviderConfig represents OIDC configuration in the kubeconfig.
-type OIDCAuthProviderConfig api.AuthProviderConfig
+// OIDCAuthProvider represents OIDC configuration in the kubeconfig.
+type OIDCAuthProvider api.AuthProviderConfig
 
 // IDPIssuerURL returns the idp-issuer-url.
-func (c *OIDCAuthProviderConfig) IDPIssuerURL() string {
+func (c *OIDCAuthProvider) IDPIssuerURL() string {
 	return c.Config["idp-issuer-url"]
 }
 
 // ClientID returns the client-id.
-func (c *OIDCAuthProviderConfig) ClientID() string {
+func (c *OIDCAuthProvider) ClientID() string {
 	return c.Config["client-id"]
 }
 
 // ClientSecret returns the client-secret.
-func (c *OIDCAuthProviderConfig) ClientSecret() string {
+func (c *OIDCAuthProvider) ClientSecret() string {
 	return c.Config["client-secret"]
 }
 
 // IDPCertificateAuthority returns the idp-certificate-authority.
-func (c *OIDCAuthProviderConfig) IDPCertificateAuthority() string {
+func (c *OIDCAuthProvider) IDPCertificateAuthority() string {
 	return c.Config["idp-certificate-authority"]
 }
 
 // IDPCertificateAuthorityData returns the idp-certificate-authority-data.
-func (c *OIDCAuthProviderConfig) IDPCertificateAuthorityData() string {
+func (c *OIDCAuthProvider) IDPCertificateAuthorityData() string {
 	return c.Config["idp-certificate-authority-data"]
 }
 
 // SetIDToken replaces the id-token.
-func (c *OIDCAuthProviderConfig) SetIDToken(idToken string) {
+func (c *OIDCAuthProvider) SetIDToken(idToken string) {
 	c.Config["id-token"] = idToken
 }
 
 // SetRefreshToken replaces the refresh-token.
-func (c *OIDCAuthProviderConfig) SetRefreshToken(refreshToken string) {
+func (c *OIDCAuthProvider) SetRefreshToken(refreshToken string) {
 	c.Config["refresh-token"] = refreshToken
 }

kubeconfig/kubeconfig.go

@@ -7,8 +7,8 @@ import (
 	"k8s.io/client-go/tools/clientcmd/api"
 )
 
-// Load loads the file and returns the Config.
-func Load(path string) (*api.Config, error) {
+// Read parses the file and returns the Config.
+func Read(path string) (*api.Config, error) {
 	config, err := clientcmd.LoadFromFile(path)
 	if err != nil {
 		return nil, fmt.Errorf("Could not load kubeconfig from %s: %s", path, err)