Remove deprecation of standalone mode (#680)

* Remove deprecation of standalone mode

* Update standalone-mode.md

.circleci/config.yml

@@ -1,40 +0,0 @@
-version: 2
-jobs:
-  build:
-    docker:
-      - image: circleci/golang:1.13.3
-    steps:
-      - run: |
-          sudo apt install -y file
-      - run: |
-          mkdir -p ~/bin
-          echo 'export PATH="$HOME/bin:$PATH"' >> $BASH_ENV
-      - run: |
-          curl -L -o ~/bin/ghcp https://github.com/int128/ghcp/releases/download/v1.5.0/ghcp_linux_amd64
-          chmod +x ~/bin/ghcp
-      - run: |
-          curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | sh -s -- -b ~/bin v1.21.0
-      - run: go get github.com/int128/goxzst
-      - run: go get github.com/tcnksm/ghr
-      - checkout
-      - run: make check
-      - run: bash <(curl -s https://codecov.io/bash)
-      - run: make dist
-      - run: |
-          unzip dist/gh/kubelogin_linux_amd64.zip -d /tmp
-          file /tmp/kubelogin
-          /tmp/kubelogin --help
-      - run: |
-          if [ "$CIRCLE_TAG" ]; then
-            make release
-          fi
-
-workflows:
-  version: 2
-  all:
-    jobs:
-      - build:
-          context: open-source
-          filters:
-            tags:
-              only: /.*/

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,20 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: ''
+labels: bug
+assignees: ''
+
+---
+
+## Describe the issue
+A clear and concise description of what the issue is.
+
+## To reproduce
+A console log or steps to reproduce the issue.
+
+## Your environment
+- OS: e.g. macOS
+- kubelogin version: e.g. v1.19
+- kubectl version: e.g. v1.19
+- OpenID Connect provider: e.g. Google

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,15 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ''
+labels: enhancement
+assignees: ''
+
+---
+
+## Purpose of the feature (why)
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+A clear and concise description of what you want to happen.
+
+## Your idea (how)
+A clear and concise description of any alternative solutions or features you've considered.

.github/ISSUE_TEMPLATE/question.md

@@ -0,0 +1,20 @@
+---
+name: Question
+about: Feel free to ask a question
+title: ''
+labels: question
+assignees: ''
+
+---
+
+## Describe the question
+A clear and concise description of what the issue is.
+
+## To reproduce
+A console log or steps to reproduce the issue.
+
+## Your environment
+- OS: e.g. macOS
+- kubelogin version: e.g. v1.19
+- kubectl version: e.g. v1.19
+- OpenID Connect provider: e.g. Google

.github/renovate.json5

@@ -0,0 +1,6 @@
+{
+  "extends": [
+    "config:base",
+    "github>int128/go-actions",
+  ],
+}

.github/workflows/docker.yaml

@@ -0,0 +1,52 @@
+name: docker
+
+on:
+  pull_request:
+    branches:
+      - master
+    paths:
+      - .github/workflows/docker.yaml
+      - pkg/**
+      - go.*
+      - Dockerfile
+      - Makefile
+  push:
+    branches:
+      - master
+    paths:
+      - .github/workflows/docker.yaml
+      - pkg/**
+      - go.*
+      - Dockerfile
+      - Makefile
+    tags:
+      - v*
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: docker/metadata-action@v3
+        id: metadata
+        with:
+          images: ghcr.io/${{ github.repository }}
+      - uses: int128/docker-build-cache-config-action@v1
+        id: cache
+        with:
+          image: ghcr.io/${{ github.repository }}/cache
+      - uses: docker/login-action@v1
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - uses: docker/setup-qemu-action@v1
+      - uses: docker/setup-buildx-action@v1
+      - uses: docker/build-push-action@v2
+        with:
+          push: ${{ github.event_name == 'push' }}
+          tags: ${{ steps.metadata.outputs.tags }}
+          labels: ${{ steps.metadata.outputs.labels }}
+          cache-from: ${{ steps.cache.outputs.cache-from }}
+          cache-to: ${{ steps.cache.outputs.cache-to }}
+          platforms: linux/amd64,linux/arm64

.github/workflows/go.yaml

@@ -0,0 +1,45 @@
+name: go
+
+on:
+  push:
+    branches:
+      - master
+    paths:
+      - .github/workflows/go.yaml
+      - pkg/**
+      - go.*
+    tags:
+      - v*
+  pull_request:
+    branches:
+      - master
+    paths:
+      - .github/workflows/go.yaml
+      - pkg/**
+      - go.*
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@v2
+      - uses: int128/go-actions/setup@v1
+        with:
+          go-version: 1.16
+      - uses: golangci/golangci-lint-action@v2
+        with:
+          version: v1.43.0
+          skip-go-installation: true
+          skip-pkg-cache: true
+          skip-build-cache: true
+
+  test:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@v2
+      - uses: int128/go-actions/setup@v1
+        with:
+          go-version: 1.16
+      - run: go test -v -race ./...

.github/workflows/release.yaml

@@ -0,0 +1,70 @@
+name: release
+
+on:
+  push:
+    branches:
+      - master
+    paths:
+      - .github/workflows/release.yaml
+      - pkg/**
+      - go.*
+    tags:
+      - v*
+  pull_request:
+    branches:
+      - master
+    paths:
+      - .github/workflows/release.yaml
+      - pkg/**
+      - go.*
+
+jobs:
+  build:
+    strategy:
+      matrix:
+        platform:
+          - runs-on: ubuntu-latest
+            GOOS: linux
+            GOARCH: amd64
+            CGO_ENABLED: 0 # https://github.com/int128/kubelogin/issues/567
+          - runs-on: ubuntu-latest
+            GOOS: linux
+            GOARCH: arm64
+          - runs-on: ubuntu-latest
+            GOOS: linux
+            GOARCH: arm
+          - runs-on: macos-latest
+            GOOS: darwin
+            GOARCH: amd64
+            CGO_ENABLED: 1 # https://github.com/int128/kubelogin/issues/249
+          - runs-on: macos-latest
+            GOOS: darwin
+            GOARCH: arm64
+          - runs-on: windows-latest
+            GOOS: windows
+            GOARCH: amd64
+    runs-on: ${{ matrix.platform.runs-on }}
+    env:
+      GOOS: ${{ matrix.platform.GOOS }}
+      GOARCH: ${{ matrix.platform.GOARCH }}
+      CGO_ENABLED: ${{ matrix.platform.CGO_ENABLED }}
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@v2
+      - uses: int128/go-actions/setup@v1
+        with:
+          go-version: 1.16
+      - run: go build -ldflags "-X main.version=${GITHUB_REF##*/}"
+      - uses: int128/go-actions/release@v1
+        with:
+          binary: kubelogin
+
+  publish:
+    if: startswith(github.ref, 'refs/tags/')
+    needs:
+      - build
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@v2
+      - uses: rajatjindal/krew-release-bot@v0.0.40

.github/workflows/system-test.yaml

@@ -0,0 +1,42 @@
+name: system-test
+
+on:
+  pull_request:
+    branches:
+      - master
+    paths:
+      - .github/workflows/system-test.yaml
+      - system_test/**
+      - pkg/**
+      - go.*
+  push:
+    branches:
+      - master
+    paths:
+      - .github/workflows/system-test.yaml
+      - system_test/**
+      - pkg/**
+      - go.*
+
+jobs:
+  system-test:
+    # https://help.github.com/en/actions/automating-your-workflow-with-github-actions/software-installed-on-github-hosted-runners#ubuntu-1804-lts
+    runs-on: ubuntu-18.04
+    steps:
+      - uses: actions/setup-go@v2
+        with:
+          go-version: 1.16
+        id: go
+      - uses: actions/checkout@v2
+      - uses: actions/cache@v2
+        with:
+          path: ~/go/pkg/mod
+          key: go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            go-
+      # https://packages.ubuntu.com/xenial/libnss3-tools
+      - run: sudo apt update
+      - run: sudo apt install -y libnss3-tools
+      - run: mkdir -p ~/.pki/nssdb
+      - run: echo '127.0.0.1 dex-server' | sudo tee -a /etc/hosts
+      - run: make -C system_test -j3

.gitignore

@@ -1,9 +1,10 @@
 /.idea
 
-/.kubeconfig*
+/acceptance_test/output/
 
-/dist
 /coverage.out
 
 /kubelogin
 /kubectl-oidc_login
+/kubelogin_*.zip
+/kubelogin_*.zip.sha256

.krew.yaml

@@ -0,0 +1,62 @@
+apiVersion: krew.googlecontainertools.github.com/v1alpha2
+kind: Plugin
+metadata:
+  name: oidc-login
+spec:
+  homepage: https://github.com/int128/kubelogin
+  shortDescription: Log in to the OpenID Connect provider
+  description: |
+    This is a kubectl plugin for Kubernetes OpenID Connect (OIDC) authentication.
+
+    ## Credential plugin mode
+    kubectl executes oidc-login before calling the Kubernetes APIs.
+    oidc-login automatically opens the browser and you can log in to the provider.
+    After authentication, kubectl gets the token from oidc-login and you can access the cluster.
+    See https://github.com/int128/kubelogin#credential-plugin-mode for more.
+
+    ## Standalone mode
+    Run `kubectl oidc-login`.
+    It automatically opens the browser and you can log in to the provider.
+    After authentication, it writes the token to the kubeconfig and you can access the cluster.
+    See https://github.com/int128/kubelogin#standalone-mode for more.
+
+  caveats: |
+    You need to setup the OIDC provider, Kubernetes API server, role binding and kubeconfig.
+  version: {{ .TagName }}
+  platforms:
+  - bin: kubelogin
+    {{ addURIAndSha "https://github.com/int128/kubelogin/releases/download/{{ .TagName }}/kubelogin_linux_amd64.zip" .TagName }}
+    selector:
+      matchLabels:
+        os: linux
+        arch: amd64
+  - bin: kubelogin
+    {{ addURIAndSha "https://github.com/int128/kubelogin/releases/download/{{ .TagName }}/kubelogin_linux_arm64.zip" .TagName }}
+    selector:
+      matchLabels:
+        os: linux
+        arch: arm64
+  - bin: kubelogin
+    {{ addURIAndSha "https://github.com/int128/kubelogin/releases/download/{{ .TagName }}/kubelogin_linux_arm.zip" .TagName }}
+    selector:
+      matchLabels:
+        os: linux
+        arch: arm
+  - bin: kubelogin
+    {{ addURIAndSha "https://github.com/int128/kubelogin/releases/download/{{ .TagName }}/kubelogin_darwin_amd64.zip" .TagName }}
+    selector:
+      matchLabels:
+        os: darwin
+        arch: amd64
+  - bin: kubelogin
+    {{ addURIAndSha "https://github.com/int128/kubelogin/releases/download/{{ .TagName }}/kubelogin_darwin_arm64.zip" .TagName }}
+    selector:
+      matchLabels:
+        os: darwin
+        arch: arm64
+  - bin: kubelogin.exe
+    {{ addURIAndSha "https://github.com/int128/kubelogin/releases/download/{{ .TagName }}/kubelogin_windows_amd64.zip" .TagName }}
+    selector:
+      matchLabels:
+        os: windows
+        arch: amd64

Dockerfile

@@ -0,0 +1,12 @@
+FROM golang:1.17 as builder
+
+WORKDIR /builder
+COPY go.* .
+RUN go mod download
+COPY main.go .
+COPY pkg pkg
+RUN go build
+
+FROM gcr.io/distroless/base-debian10
+COPY --from=builder /builder/kubelogin /
+ENTRYPOINT ["/kubelogin"]

Makefile

@@ -1,37 +0,0 @@
-TARGET := kubelogin
-CIRCLE_TAG ?= HEAD
-LDFLAGS := -X main.version=$(CIRCLE_TAG)
-
-all: $(TARGET)
-
-.PHONY: check
-check:
-	golangci-lint run
-	go test -v -race -cover -coverprofile=coverage.out ./...
-
-$(TARGET): $(wildcard *.go)
-	go build -o $@ -ldflags "$(LDFLAGS)"
-
-dist:
-    # make the zip files for GitHub Releases
-	VERSION=$(CIRCLE_TAG) CGO_ENABLED=0 goxzst -d dist/gh/ -i "LICENSE" -o "$(TARGET)" -t "kubelogin.rb oidc-login.yaml" -- -ldflags "$(LDFLAGS)"
-	zipinfo dist/gh/kubelogin_linux_amd64.zip
-	# make the Homebrew formula
-	mv dist/gh/kubelogin.rb dist/
-	# make the yaml for krew-index
-	mkdir -p dist/plugins
-	cp dist/gh/oidc-login.yaml dist/plugins/oidc-login.yaml
-
-.PHONY: release
-release: dist
-    # publish to the GitHub Releases
-	ghr -u "$(CIRCLE_PROJECT_USERNAME)" -r "$(CIRCLE_PROJECT_REPONAME)" "$(CIRCLE_TAG)" dist/gh/
-	# publish to the Homebrew tap repository
-	ghcp commit -u "$(CIRCLE_PROJECT_USERNAME)" -r "homebrew-$(CIRCLE_PROJECT_REPONAME)" -m "$(CIRCLE_TAG)" -C dist/ kubelogin.rb
-	# fork krew-index and create a branch
-	ghcp fork-commit -u kubernetes-sigs -r krew-index -b "oidc-login-$(CIRCLE_TAG)" -m "Bump oidc-login to $(CIRCLE_TAG)" -C dist/ plugins/oidc-login.yaml
-
-.PHONY: clean
-clean:
-	-rm $(TARGET)
-	-rm -r dist/

README.md

@@ -1,10 +1,10 @@
-# kubelogin [![CircleCI](https://circleci.com/gh/int128/kubelogin.svg?style=shield)](https://circleci.com/gh/int128/kubelogin) [![Go Report Card](https://goreportcard.com/badge/github.com/int128/kubelogin)](https://goreportcard.com/report/github.com/int128/kubelogin)
+# kubelogin [![go](https://github.com/int128/kubelogin/actions/workflows/go.yaml/badge.svg)](https://github.com/int128/kubelogin/actions/workflows/go.yaml) [![Go Report Card](https://goreportcard.com/badge/github.com/int128/kubelogin)](https://goreportcard.com/report/github.com/int128/kubelogin)
 
 This is a kubectl plugin for [Kubernetes OpenID Connect (OIDC) authentication](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens), also known as `kubectl oidc-login`.
 
 Here is an example of Kubernetes authentication with the Google Identity Platform:
 
-<img alt="screencast" src="https://user-images.githubusercontent.com/321266/70971501-7bcebc80-20e4-11ea-8afc-539dcaea0aa8.gif" width="652" height="455">
+<img alt="screencast" src="https://user-images.githubusercontent.com/321266/85427290-86e43700-b5b6-11ea-9e97-ffefd736c9b7.gif" width="572" height="391">
 
 Kubelogin is designed to run as a [client-go credential plugin](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins).
 When you run kubectl, kubelogin opens the browser and you can log in to the provider.
@@ -18,21 +18,21 @@ Take a look at the diagram:
 
 ### Setup
 
-Install the latest release from [Homebrew](https://brew.sh/), [Krew](https://github.com/kubernetes-sigs/krew) or [GitHub Releases](https://github.com/int128/kubelogin/releases) as follows:
+Install the latest release from [Homebrew](https://brew.sh/), [Krew](https://github.com/kubernetes-sigs/krew), [Chocolatey](https://chocolatey.org/packages/kubelogin) or [GitHub Releases](https://github.com/int128/kubelogin/releases).
 
 ```sh
-# Homebrew
+# Homebrew (macOS and Linux)
 brew install int128/kubelogin/kubelogin
 
-# Krew
+# Krew (macOS, Linux, Windows and ARM)
 kubectl krew install oidc-login
 
-# GitHub Releases
-curl -LO https://github.com/int128/kubelogin/releases/download/v1.15.0/kubelogin_linux_amd64.zip
-unzip kubelogin_linux_amd64.zip
-ln -s kubelogin kubectl-oidc_login
+# Chocolatey (Windows)
+choco install kubelogin
 ```
 
+If you install via GitHub releases, you need to put the `kubelogin` binary on your path under the name `kubectl-oidc_login` so that the [kubectl plugin mechanism](https://kubernetes.io/docs/tasks/extend-kubectl/kubectl-plugins/) can find it when you invoke `kubectl oidc-login`. The other install methods do this for you.
+
 You need to set up the OIDC provider, cluster role binding, Kubernetes API server and kubeconfig.
 The kubeconfig looks like:
 
@@ -51,7 +51,7 @@ users:
       - --oidc-client-secret=YOUR_CLIENT_SECRET
 ```
 
-See [the setup guide](docs/setup.md) for more.
+See [setup guide](docs/setup.md) for more.
 
 
 ### Run
@@ -63,11 +63,11 @@ kubectl get pods
 ```
 
 Kubectl executes kubelogin before calling the Kubernetes APIs.
-Kubelogin automatically opens the browser and you can log in to the provider.
+Kubelogin automatically opens the browser, and you can log in to the provider.
 
 <img src="docs/keycloak-login.png" alt="keycloak-login" width="455" height="329">
 
-After authentication, kubelogin returns the credentials to kubectl and finally kubectl calls the Kubernetes APIs with the credential.
+After authentication, kubelogin returns the credentials to kubectl and kubectl then calls the Kubernetes APIs with these credentials.
 
 ```
 % kubectl get pods
@@ -80,173 +80,52 @@ Kubelogin writes the ID token and refresh token to the token cache file.
 
 If the cached ID token is valid, kubelogin just returns it.
 If the cached ID token has expired, kubelogin will refresh the token using the refresh token.
-If the refresh token has expired, kubelogin will perform reauthentication.
+If the refresh token has expired, kubelogin will perform re-authentication (you will have to login via browser again).
 
 
 ### Troubleshoot
 
 You can log out by removing the token cache directory (default `~/.kube/cache/oidc-login`).
-Kubelogin will perform authentication if the token cache file does not exist.
+Kubelogin will ask you to login via browser again if the token cache file does not exist i.e., it starts with a clean slate
 
-You can dump the claims of token by passing `-v1` option.
+You can dump claims of an ID token by `setup` command.
 
-```
-I1212 10:14:17.754394    2517 get_token.go:91] the ID token has the claim: sub=********
-I1212 10:14:17.754434    2517 get_token.go:91] the ID token has the claim: at_hash=********
-I1212 10:14:17.754449    2517 get_token.go:91] the ID token has the claim: nonce=********
-I1212 10:14:17.754459    2517 get_token.go:91] the ID token has the claim: iat=1576113256
-I1212 10:14:17.754467    2517 get_token.go:91] the ID token has the claim: exp=1576116856
-I1212 10:14:17.754484    2517 get_token.go:91] the ID token has the claim: iss=https://accounts.google.com
-I1212 10:14:17.754497    2517 get_token.go:91] the ID token has the claim: azp=********.apps.googleusercontent.com
-I1212 10:14:17.754506    2517 get_token.go:91] the ID token has the claim: aud=********.apps.googleusercontent.com
+```console
+% kubectl oidc-login setup --oidc-issuer-url https://accounts.google.com --oidc-client-id REDACTED --oidc-client-secret REDACTED
+...
+You got a token with the following claims:
+
+{
+  "sub": "********",
+  "iss": "https://accounts.google.com",
+  "aud": "********",
+  ...
+}
 ```
 
-
-## Usage
-
-This document is for the development version.
-If you are looking for a specific version, see [the release tags](https://github.com/int128/kubelogin/tags).
-
-Kubelogin supports the following options:
-
-```
-% kubectl oidc-login get-token -h
-Run as a kubectl credential plugin
-
-Usage:
-  kubelogin get-token [flags]
-
-Flags:
-      --oidc-issuer-url string         Issuer URL of the provider (mandatory)
-      --oidc-client-id string          Client ID of the provider (mandatory)
-      --oidc-client-secret string      Client secret of the provider
-      --oidc-extra-scope strings       Scopes to request to the provider
-      --certificate-authority string   Path to a cert file for the certificate authority
-      --insecure-skip-tls-verify       If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
-      --token-cache-dir string         Path to a directory for caching tokens (default "~/.kube/cache/oidc-login")
-      --grant-type string              The authorization grant type to use. One of (auto|authcode|authcode-keyboard|password) (default "auto")
-      --listen-port ints               Port to bind to the local server. If multiple ports are given, it will try the ports in order (default [8000,18000])
-      --skip-open-browser              If true, it does not open the browser on authentication
-      --username string                If set, perform the resource owner password credentials grant
-      --password string                If set, use the password instead of asking it
-  -h, --help                           help for get-token
-
-Global Flags:
-      --add_dir_header                   If true, adds the file directory to the header
-      --alsologtostderr                  log to standard error as well as files
-      --log_backtrace_at traceLocation   when logging hits line file:N, emit a stack trace (default :0)
-      --log_dir string                   If non-empty, write log files in this directory
-      --log_file string                  If non-empty, use this log file
-      --log_file_max_size uint           Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
-      --logtostderr                      log to standard error instead of files (default true)
-      --skip_headers                     If true, avoid header prefixes in the log messages
-      --skip_log_headers                 If true, avoid headers when opening log files
-      --stderrthreshold severity         logs at or above this threshold go to stderr (default 2)
-  -v, --v Level                          number for the log level verbosity
-      --vmodule moduleSpec               comma-separated list of pattern=N settings for file-filtered logging
-```
-
-See also the options of [standalone mode](docs/standalone-mode.md).
-
-### Extra scopes
-
-You can set the extra scopes to request to the provider by `--oidc-extra-scope`.
+You can increase the log level by `-v1` option.
 
 ```yaml
-      - --oidc-extra-scope=email
-      - --oidc-extra-scope=profile
+users:
+- name: oidc
+  user:
+    exec:
+      apiVersion: client.authentication.k8s.io/v1beta1
+      command: kubectl
+      args:
+      - oidc-login
+      - get-token
+      - -v1
 ```
 
-### CA Certificates
-
-You can use your self-signed certificate for the provider.
-
-```yaml
-      - --certificate-authority=/home/user/.kube/keycloak-ca.pem
-```
-
-### HTTP Proxy
-
-You can set the following environment variables if you are behind a proxy: `HTTP_PROXY`, `HTTPS_PROXY` and `NO_PROXY`.
-See also [net/http#ProxyFromEnvironment](https://golang.org/pkg/net/http/#ProxyFromEnvironment).
+You can verify kubelogin works with your provider using [acceptance test](acceptance_test).
 
 
-### Authentication flows
+## Docs
 
-#### Authorization code flow
-
-Kubelogin performs the authorization code flow by default.
-
-It starts the local server at port 8000 or 18000 by default.
-You need to register the following redirect URIs to the provider:
-
-- `http://localhost:8000`
-- `http://localhost:18000` (used if port 8000 is already in use)
-
-You can change the ports by the option:
-
-```yaml
-      - --listen-port=12345
-      - --listen-port=23456
-```
-
-#### Authorization code flow with keyboard interactive
-
-If you cannot access the browser, instead use the authorization code flow with keyboard interactive.
-
-```yaml
-      - --grant-type=authcode-keyboard
-```
-
-Kubelogin will show the URL and prompt.
-Open the URL in the browser and then copy the code shown.
-
-```
-% kubectl get pods
-Open https://accounts.google.com/o/oauth2/v2/auth?access_type=offline&client_id=...
-Enter code: YOUR_CODE
-```
-
-Note that this flow uses the redirect URI `urn:ietf:wg:oauth:2.0:oob` and
-some OIDC providers do not support it.
-
-#### Resource owner password credentials grant flow
-
-Kubelogin performs the resource owner password credentials grant flow
-when `--grant-type=password` or `--username` is set.
-
-Note that most OIDC providers do not support this flow.
-Keycloak supports this flow but you need to explicitly enable the "Direct Access Grants" feature in the client settings.
-
-You can set the username and password.
-
-```yaml
-      - --username=USERNAME
-      - --password=PASSWORD
-```
-
-If the password is not set, kubelogin will show the prompt for the password.
-
-```yaml
-      - --username=USERNAME
-```
-
-```
-% kubectl get pods
-Password:
-```
-
-If the username is not set, kubelogin will show the prompt for the username and password.
-
-```yaml
-      - --grant-type=password
-```
-
-```
-% kubectl get pods
-Username: foo
-Password:
-```
+- [Setup guide](docs/setup.md)
+- [Usage and options](docs/usage.md)
+- [Standalone mode](docs/standalone-mode.md)
 
 
 ## Related works
@@ -261,15 +140,18 @@ You can access the Kubernetes Dashboard using kubelogin and [kauthproxy](https:/
 This is an open source software licensed under Apache License 2.0.
 Feel free to open issues and pull requests for improving code and documents.
 
+Your pull request will be merged into master with squash.
+
 ### Development
 
-Go 1.13 or later is required.
+Go 1.16+ is required.
 
 ```sh
-# Run lint and tests
-make check
-
-# Compile and run the command
 make
 ./kubelogin
 ```
+
+See also:
+
+- [system test](system_test)
+- [acceptance_test](acceptance_test)

acceptance_test/Makefile

@@ -0,0 +1,42 @@
+CLUSTER_NAME := kubelogin-acceptance-test
+OUTPUT_DIR := $(CURDIR)/output
+
+KUBECONFIG := $(OUTPUT_DIR)/kubeconfig.yaml
+export KUBECONFIG
+
+# create a Kubernetes cluster
+.PHONY: cluster
+cluster:
+	# create a cluster
+	mkdir -p $(OUTPUT_DIR)
+	sed -e "s|OIDC_ISSUER_URL|$(OIDC_ISSUER_URL)|" -e "s|OIDC_CLIENT_ID|$(OIDC_CLIENT_ID)|" cluster.yaml > $(OUTPUT_DIR)/cluster.yaml
+	kind create cluster --name $(CLUSTER_NAME) --config $(OUTPUT_DIR)/cluster.yaml
+	# set up access control
+	kubectl create clusterrole cluster-readonly --verb=get,watch,list --resource='*.*'
+	kubectl create clusterrolebinding cluster-readonly --clusterrole=cluster-readonly --user=$(YOUR_EMAIL)
+	# set up kubectl
+	kubectl config set-credentials oidc \
+		--exec-api-version=client.authentication.k8s.io/v1beta1 \
+		--exec-command=$(CURDIR)/../kubelogin \
+		--exec-arg=get-token \
+		--exec-arg=--token-cache-dir=$(OUTPUT_DIR)/token-cache \
+		--exec-arg=--oidc-issuer-url=$(OIDC_ISSUER_URL) \
+		--exec-arg=--oidc-client-id=$(OIDC_CLIENT_ID) \
+		--exec-arg=--oidc-client-secret=$(OIDC_CLIENT_SECRET) \
+		--exec-arg=--oidc-extra-scope=email
+	# switch the default user
+	kubectl config set-context --current --user=oidc
+
+# clean up the resources
+.PHONY: clean
+clean:
+	-rm -r $(OUTPUT_DIR)
+.PHONY: delete-cluster
+delete-cluster:
+	kind delete cluster --name $(CLUSTER_NAME)
+
+.PHONY: check
+check:
+	docker version
+	kind version
+	kubectl version --client

acceptance_test/README.md

@@ -0,0 +1,75 @@
+# kubelogin/acceptance_test
+
+This is a manual test for verifying Kubernetes OIDC authentication with your OIDC provider.
+
+
+## Purpose
+
+This test checks the following points:
+
+1. You can set up your OIDC provider using [setup guide](../docs/setup.md).
+1. The plugin works with your OIDC provider.
+
+
+## Getting Started
+
+### Prerequisite
+
+You need to build the plugin into the parent directory.
+
+```sh
+make -C ..
+```
+
+You need to set up your provider.
+See [setup guide](../docs/setup.md) for more.
+
+You need to install the following tools:
+
+- Docker
+- Kind
+- kubectl
+
+You can check if the tools are available.
+
+```sh
+make check
+```
+
+### 1. Create a cluster
+
+Create a cluster.
+For example, you can create a cluster with Google account authentication.
+
+```sh
+make OIDC_ISSUER_URL=https://accounts.google.com \
+  OIDC_CLIENT_ID=REDACTED.apps.googleusercontent.com \
+  OIDC_CLIENT_SECRET=REDACTED \
+  YOUR_EMAIL=REDACTED@gmail.com
+```
+
+It will do the following steps:
+
+1. Create a cluster.
+1. Set up access control. It allows read-only access from your email address.
+1. Set up kubectl to enable the plugin.
+
+You can change kubectl configuration in generated `output/kubeconfig.yaml`.
+
+### 2. Run kubectl
+
+Make sure you can log in to the provider and access the cluster.
+
+```console
+% export KUBECONFIG=$PWD/output/kubeconfig.yaml
+% kubectl get pods -A
+```
+
+### Clean up
+
+To delete the cluster and generated files:
+
+```sh
+make delete-cluster
+make clean
+```

acceptance_test/cluster.yaml

@@ -0,0 +1,13 @@
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+kubeadmConfigPatches:
+  - |
+    apiVersion: kubeadm.k8s.io/v1beta2
+    kind: ClusterConfiguration
+    metadata:
+      name: config
+    apiServer:
+      extraArgs:
+        oidc-issuer-url: OIDC_ISSUER_URL
+        oidc-client-id: OIDC_CLIENT_ID
+        oidc-username-claim: email

docs/setup.md

@@ -1,6 +1,6 @@
 # Kubernetes OpenID Connection authentication
 
-This document guides how to set up the Kubernetes OpenID Connect (OIDC) authentication.
+This document guides how to set up Kubernetes OpenID Connect (OIDC) authentication.
 Let's see the following steps:
 
 1. Set up the OIDC provider
@@ -35,7 +35,7 @@ Variable                | Value
 You can log in with a user of Keycloak.
 Make sure you have an administrator role of the Keycloak realm.
 
-Open the Keycloak and create an OIDC client as follows:
+Open Keycloak and create an OIDC client as follows:
 
 - Client ID: `YOUR_CLIENT_ID`
 - Valid Redirect URLs:
@@ -52,7 +52,7 @@ You can associate client roles by adding the following mapper:
 - Token Claim Name: `groups`
 - Add to ID token: on
 
-For example, if you have the `admin` role of the client, you will get a JWT with the claim `{"groups": ["kubernetes:admin"]}`.
+For example, if you have `admin` role of the client, you will get a JWT with the claim `{"groups": ["kubernetes:admin"]}`.
 
 Replace the following variables in the later sections.
 
@@ -72,7 +72,7 @@ Open [GitHub OAuth Apps](https://github.com/settings/developers) and create an a
 - Homepage URL: `https://dex.example.com`
 - Authorization callback URL: `https://dex.example.com/callback`
 
-Deploy the [dex](https://github.com/dexidp/dex) with the following config:
+Deploy [Dex](https://github.com/dexidp/dex) with the following config:
 
 ```yaml
 issuer: https://dex.example.com
@@ -126,6 +126,28 @@ Variable                | Value
 
 You do not need to set `YOUR_CLIENT_SECRET`.
 
+If you need `groups` claim for access control,
+see [jetstack/okta-kubectl-auth](https://github.com/jetstack/okta-kubectl-auth/blob/master/docs/okta-setup.md) and [#250](https://github.com/int128/kubelogin/issues/250).
+
+### Ping Identity
+
+Login with an account that has permissions to create applications.
+Create an OIDC application with the following configuration:
+
+- Redirect URIs:
+    - `http://localhost:8000`
+    - `http://localhost:18000` (used if the port 8000 is already in use)
+- Grant type: Authorization Code
+- PKCE Enforcement: Required
+
+Leverage the following variables in the next steps.
+
+Variable                | Value
+------------------------|------
+`ISSUER_URL`            | `https://auth.pingone.com/<PingOne Tenant Id>/as`
+`YOUR_CLIENT_ID`        |  random string
+
+`YOUR_CLIENT_SECRET` is not required for this configuration.
 
 ## 2. Verify authentication
 
@@ -138,31 +160,23 @@ kubectl oidc-login setup \
   --oidc-client-secret=YOUR_CLIENT_SECRET
 ```
 
-It will open the browser and you can log in to the provider.
-Then it will show the instruction.
+It launches the browser and navigates to `http://localhost:8000`.
+Please log in to the provider.
+
+You can set extra options, for example, extra scope or CA certificate.
+See also the full options.
+
+```sh
+kubectl oidc-login setup --help
+```
 
 
 ## 3. Bind a cluster role
 
-In this tutorial, bind the `cluster-admin` role to you.
-Apply the following manifest:
-
-```yaml
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: oidc-cluster-admin
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cluster-admin
-subjects:
-- kind: User
-  name: ISSUER_URL#YOUR_SUBJECT
-```
+Here bind `cluster-admin` role to you.
 
 ```sh
-kubectl apply -f oidc-cluster-admin.yaml
+kubectl create clusterrolebinding oidc-cluster-admin --clusterrole=cluster-admin --user='ISSUER_URL#YOUR_SUBJECT'
 ```
 
 As well as you can create a custom cluster role and bind it.
@@ -170,14 +184,14 @@ As well as you can create a custom cluster role and bind it.
 
 ## 4. Set up the Kubernetes API server
 
-Add the following options to the kube-apiserver:
+Add the following flags to kube-apiserver:
 
 ```
 --oidc-issuer-url=ISSUER_URL
 --oidc-client-id=YOUR_CLIENT_ID
 ```
 
-See [OpenID Connect Tokens](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens) for details.
+See [Kubernetes Authenticating: OpenID Connect Tokens](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens) for the all flags.
 
 If you are using [kops](https://github.com/kubernetes/kops), run `kops edit cluster` and append the following settings:
 
@@ -200,35 +214,32 @@ If you are using [kube-aws](https://github.com/kubernetes-incubator/kube-aws), a
 
 ## 5. Set up the kubeconfig
 
-Add the following user to the kubeconfig:
+Add `oidc` user to the kubeconfig.
 
-```yaml
-users:
-- name: oidc
-  user:
-    exec:
-      apiVersion: client.authentication.k8s.io/v1beta1
-      command: kubectl
-      args:
-      - oidc-login
-      - get-token
-      - --oidc-issuer-url=ISSUER_URL
-      - --oidc-client-id=YOUR_CLIENT_ID
-      - --oidc-client-secret=YOUR_CLIENT_SECRET
+```sh
+kubectl config set-credentials oidc \
+  --exec-api-version=client.authentication.k8s.io/v1beta1 \
+  --exec-command=kubectl \
+  --exec-arg=oidc-login \
+  --exec-arg=get-token \
+  --exec-arg=--oidc-issuer-url=ISSUER_URL \
+  --exec-arg=--oidc-client-id=YOUR_CLIENT_ID \
+  --exec-arg=--oidc-client-secret=YOUR_CLIENT_SECRET
 ```
 
-You can share the kubeconfig to your team members for on-boarding.
-
 
 ## 6. Verify cluster access
 
 Make sure you can access the Kubernetes cluster.
 
+```sh
+kubectl --user=oidc cluster-info
 ```
-% kubectl get nodes
-Open http://localhost:8000 for authentication
-You got a valid token until 2019-05-16 22:03:13 +0900 JST
-NAME                                    STATUS    ROLES     AGE       VERSION
-ip-1-2-3-4.us-west-2.compute.internal   Ready     node      21d       v1.9.6
-ip-1-2-3-5.us-west-2.compute.internal   Ready     node      20d       v1.9.6
+
+You can switch the current context to oidc.
+
+```sh
+kubectl config set-context --current --user=oidc
 ```
+
+You can share the kubeconfig to your team members for on-boarding.

docs/standalone-mode.md

@@ -1,9 +1,12 @@
 # Standalone mode
 
-You can run kubelogin as a standalone command.
-In this mode, you need to manually run the command before running kubectl.
+Kubelogin supports the standalone mode as well.
+It writes the token to the kubeconfig (typically `~/.kube/config`) after authentication.
 
-Configure the kubeconfig like:
+
+## Getting started
+
+Configure your kubeconfig like:
 
 ```yaml
 - name: keycloak
@@ -31,7 +34,7 @@ It automatically opens the browser and you can log in to the provider.
 
 After authentication, kubelogin writes the ID token and refresh token to the kubeconfig.
 
-```
+```console
 % kubelogin
 Open http://localhost:8000 for authentication
 You got a valid token until 2019-05-18 10:28:51 +0900 JST
@@ -40,7 +43,7 @@ Updated ~/.kubeconfig
 
 Now you can access the cluster.
 
-```
+```console
 % kubectl get pods
 NAME                          READY   STATUS    RESTARTS   AGE
 echoserver-86c78fdccd-nzmd5   1/1     Running   0          26d
@@ -64,7 +67,7 @@ users:
 
 If the ID token is valid, kubelogin does nothing.
 
-```
+```console
 % kubelogin
 You already have a valid token until 2019-05-18 10:28:51 +0900 JST
 ```
@@ -75,58 +78,6 @@ If the refresh token has expired, kubelogin will proceed the authentication.
 
 ## Usage
 
-Kubelogin supports the following options:
-
-```
-% kubectl oidc-login -h
-Login to the OpenID Connect provider.
-
-You need to set up the OIDC provider, role binding, Kubernetes API server and kubeconfig.
-Run the following command to show the setup instruction:
-
-	kubectl oidc-login setup
-
-See https://github.com/int128/kubelogin for more.
-
-Usage:
-  main [flags]
-  main [command]
-
-Available Commands:
-  get-token   Run as a kubectl credential plugin
-  help        Help about any command
-  setup       Show the setup instruction
-  version     Print the version information
-
-Flags:
-      --kubeconfig string                Path to the kubeconfig file
-      --context string                   The name of the kubeconfig context to use
-      --user string                      The name of the kubeconfig user to use. Prior to --context
-      --certificate-authority string     Path to a cert file for the certificate authority
-      --insecure-skip-tls-verify         If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
-      --grant-type string                The authorization grant type to use. One of (auto|authcode|authcode-keyboard|password) (default "auto")
-      --listen-port ints                 Port to bind to the local server. If multiple ports are given, it will try the ports in order (default [8000,18000])
-      --skip-open-browser                If true, it does not open the browser on authentication
-      --username string                  If set, perform the resource owner password credentials grant
-      --password string                  If set, use the password instead of asking it
-      --add_dir_header                   If true, adds the file directory to the header
-      --alsologtostderr                  log to standard error as well as files
-      --log_backtrace_at traceLocation   when logging hits line file:N, emit a stack trace (default :0)
-      --log_dir string                   If non-empty, write log files in this directory
-      --log_file string                  If non-empty, use this log file
-      --log_file_max_size uint           Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
-      --logtostderr                      log to standard error instead of files (default true)
-      --skip_headers                     If true, avoid header prefixes in the log messages
-      --skip_log_headers                 If true, avoid headers when opening log files
-      --stderrthreshold severity         logs at or above this threshold go to stderr (default 2)
-  -v, --v Level                          number for the log level verbosity
-      --vmodule moduleSpec               comma-separated list of pattern=N settings for file-filtered logging
-  -h, --help                             help for main
-      --version                          version for main
-```
-
-### Kubeconfig
-
 You can set path to the kubeconfig file by the option or the environment variable just like kubectl.
 It defaults to `~/.kube/config`.
 
@@ -154,26 +105,4 @@ Key | Direction | Value
 `id-token`                        | Write | ID token got from the provider.
 `refresh-token`                   | Write | Refresh token got from the provider.
 
-### Extra scopes
-
-You can set the extra scopes to request to the provider by `extra-scopes` in the kubeconfig.
-
-```sh
-kubectl config set-credentials keycloak --auth-provider-arg extra-scopes=email
-```
-
-Currently kubectl does not accept multiple scopes, so you need to edit the kubeconfig as like:
-
-```sh
-kubectl config set-credentials keycloak --auth-provider-arg extra-scopes=SCOPES
-sed -i '' -e s/SCOPES/email,profile/ $KUBECONFIG
-```
-
-### CA Certificates
-
-You can use your self-signed certificates for the provider.
-
-```sh
-kubectl config set-credentials keycloak \
-  --auth-provider-arg idp-certificate-authority=$HOME/.kube/keycloak-ca.pem
-```
+See also [usage.md](usage.md).

docs/usage.md

@@ -0,0 +1,252 @@
+# Usage
+
+Kubelogin supports the following options:
+
+```
+Usage:
+  kubelogin get-token [flags]
+
+Flags:
+      --oidc-issuer-url string                          Issuer URL of the provider (mandatory)
+      --oidc-client-id string                           Client ID of the provider (mandatory)
+      --oidc-client-secret string                       Client secret of the provider
+      --oidc-extra-scope strings                        Scopes to request to the provider
+      --oidc-use-pkce                                   Force PKCE usage
+      --token-cache-dir string                          Path to a directory for token cache (default "~/.kube/cache/oidc-login")
+      --certificate-authority stringArray               Path to a cert file for the certificate authority
+      --certificate-authority-data stringArray          Base64 encoded cert for the certificate authority
+      --insecure-skip-tls-verify                        If set, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
+      --tls-renegotiation-once                          If set, allow a remote server to request renegotiation once per connection
+      --tls-renegotiation-freely                        If set, allow a remote server to repeatedly request renegotiation
+      --grant-type string                               Authorization grant type to use. One of (auto|authcode|authcode-keyboard|password) (default "auto")
+      --listen-address strings                          [authcode] Address to bind to the local server. If multiple addresses are set, it will try binding in order (default [127.0.0.1:8000,127.0.0.1:18000])
+      --skip-open-browser                               [authcode] Do not open the browser automatically
+      --browser-command string                          [authcode] Command to open the browser
+      --authentication-timeout-sec int                  [authcode] Timeout of authentication in seconds (default 180)
+      --local-server-cert string                        [authcode] Certificate path for the local server
+      --local-server-key string                         [authcode] Certificate key path for the local server
+      --open-url-after-authentication string            [authcode] If set, open the URL in the browser after authentication
+      --oidc-redirect-url-hostname string               [authcode] Hostname of the redirect URL (default "localhost")
+      --oidc-auth-request-extra-params stringToString   [authcode, authcode-keyboard] Extra query parameters to send with an authentication request (default [])
+      --username string                                 [password] Username for resource owner password credentials grant
+      --password string                                 [password] Password for resource owner password credentials grant
+  -h, --help                                            help for get-token
+
+Global Flags:
+      --add_dir_header                   If true, adds the file directory to the header of the log messages
+      --alsologtostderr                  log to standard error as well as files
+      --log_backtrace_at traceLocation   when logging hits line file:N, emit a stack trace (default :0)
+      --log_dir string                   If non-empty, write log files in this directory
+      --log_file string                  If non-empty, use this log file
+      --log_file_max_size uint           Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
+      --logtostderr                      log to standard error instead of files (default true)
+      --one_output                       If true, only write logs to their native severity level (vs also writing to each lower severity level)
+      --skip_headers                     If true, avoid header prefixes in the log messages
+      --skip_log_headers                 If true, avoid headers when opening log files
+      --stderrthreshold severity         logs at or above this threshold go to stderr (default 2)
+  -v, --v Level                          number for the log level verbosity
+      --vmodule moduleSpec               comma-separated list of pattern=N settings for file-filtered logging
+```
+
+
+## Options
+
+### Authentication timeout
+
+By default, you need to log in to your provider in the browser within 3 minutes.
+This prevents a process from remaining forever.
+You can change the timeout by the following flag:
+
+```yaml
+      - --authentication-timeout-sec=60
+```
+
+For now this timeout works only for the authorization code flow.
+
+### Extra scopes
+
+You can set the extra scopes to request to the provider by `--oidc-extra-scope`.
+
+```yaml
+      - --oidc-extra-scope=email
+      - --oidc-extra-scope=profile
+```
+
+### CA certificate
+
+You can use your self-signed certificate for the provider.
+
+```yaml
+      - --certificate-authority=/home/user/.kube/keycloak-ca.pem
+      - --certificate-authority-data=LS0t...
+```
+
+### HTTP proxy
+
+You can set the following environment variables if you are behind a proxy: `HTTP_PROXY`, `HTTPS_PROXY` and `NO_PROXY`.
+See also [net/http#ProxyFromEnvironment](https://golang.org/pkg/net/http/#ProxyFromEnvironment).
+
+### Home directory expansion
+
+If a value in the following options begins with a tilde character `~`, it is expanded to the home directory.
+
+- `--certificate-authority`
+- `--local-server-cert`
+- `--local-server-key`
+- `--token-cache-dir`
+
+
+## Authentication flows
+
+Kubelogin support the following flows:
+
+- Authorization code flow
+- Authorization code flow with a keyboard
+- Resource owner password credentials grant flow
+
+### Authorization code flow
+
+Kubelogin performs the authorization code flow by default.
+
+It starts the local server at port 8000 or 18000 by default.
+You need to register the following redirect URIs to the provider:
+
+- `http://localhost:8000`
+- `http://localhost:18000` (used if port 8000 is already in use)
+
+You can change the listening address.
+
+```yaml
+      - --listen-address=127.0.0.1:12345
+      - --listen-address=127.0.0.1:23456
+```
+
+You can specify a certificate for the local webserver if HTTPS is required by your identity provider.
+
+```yaml
+      - --local-server-cert=localhost.crt
+      - --local-server-key=localhost.key
+```
+
+You can change the hostname of redirect URI from the default value `localhost`.
+
+```yaml
+      - --oidc-redirect-url-hostname=127.0.0.1
+```
+
+You can add extra parameters to the authentication request.
+
+```yaml
+      - --oidc-auth-request-extra-params=ttl=86400
+```
+
+When authentication completed, kubelogin shows a message to close the browser.
+You can change the URL to show after authentication.
+
+```yaml
+      - --open-url-after-authentication=https://example.com/success.html
+```
+
+You can skip opening the browser if you encounter some environment problem.
+
+```yaml
+      - --skip-open-browser
+```
+
+For Linux users, you change the default browser by `BROWSER` environment variable.
+
+### Authorization code flow with a keyboard
+
+If you cannot access the browser, instead use the authorization code flow with a keyboard.
+
+```yaml
+      - --grant-type=authcode-keyboard
+```
+
+Kubelogin will show the URL and prompt.
+Open the URL in the browser and then copy the code shown.
+
+```
+% kubectl get pods
+Open https://accounts.google.com/o/oauth2/v2/auth?access_type=offline&client_id=...
+Enter code: YOUR_CODE
+```
+
+Note that this flow uses the redirect URI `urn:ietf:wg:oauth:2.0:oob` and some OIDC providers do not support it.
+
+You can add extra parameters to the authentication request.
+
+```yaml
+      - --oidc-auth-request-extra-params=ttl=86400
+```
+
+### Resource owner password credentials grant flow
+
+Kubelogin performs the resource owner password credentials grant flow
+when `--grant-type=password` or `--username` is set.
+
+Note that most OIDC providers do not support this flow.
+Keycloak supports this flow but you need to explicitly enable the "Direct Access Grants" feature in the client settings.
+
+You can set the username and password.
+
+```yaml
+      - --username=USERNAME
+      - --password=PASSWORD
+```
+
+If the password is not set, kubelogin will show the prompt for the password.
+
+```yaml
+      - --username=USERNAME
+```
+
+```
+% kubectl get pods
+Password:
+```
+
+If the username is not set, kubelogin will show the prompt for the username and password.
+
+```yaml
+      - --grant-type=password
+```
+
+```
+% kubectl get pods
+Username: foo
+Password:
+```
+
+## Run in Docker
+
+You can run [the Docker image](https://ghcr.io/int128/kubelogin) instead of the binary.
+The kubeconfig looks like:
+
+```yaml
+users:
+- name: oidc
+  user:
+    exec:
+      apiVersion: client.authentication.k8s.io/v1beta1
+      command: docker
+      args:
+      - run
+      - --rm
+      - -v
+      - /tmp/.token-cache:/.token-cache
+      - -p
+      - 8000:8000
+      - ghcr.io/int128/kubelogin
+      - get-token
+      - --token-cache-dir=/.token-cache
+      - --listen-address=0.0.0.0:8000
+      - --oidc-issuer-url=ISSUER_URL
+      - --oidc-client-id=YOUR_CLIENT_ID
+      - --oidc-client-secret=YOUR_CLIENT_SECRET
+```
+
+Known limitations:
+
+- It cannot open the browser automatically.
+- The container port and listen port must be equal for consistency of the redirect URI.

e2e_test/credetial_plugin_test.go

@@ -1,299 +0,0 @@
-package e2e_test
-
-import (
-	"context"
-	"io/ioutil"
-	"os"
-	"testing"
-	"time"
-
-	"github.com/golang/mock/gomock"
-	"github.com/google/go-cmp/cmp"
-	"github.com/int128/kubelogin/e2e_test/idp"
-	"github.com/int128/kubelogin/e2e_test/idp/mock_idp"
-	"github.com/int128/kubelogin/e2e_test/keys"
-	"github.com/int128/kubelogin/e2e_test/localserver"
-	"github.com/int128/kubelogin/pkg/adaptors/credentialplugin"
-	"github.com/int128/kubelogin/pkg/adaptors/credentialplugin/mock_credentialplugin"
-	"github.com/int128/kubelogin/pkg/adaptors/logger/mock_logger"
-	"github.com/int128/kubelogin/pkg/adaptors/tokencache"
-	"github.com/int128/kubelogin/pkg/di"
-	"github.com/int128/kubelogin/pkg/usecases/authentication"
-)
-
-// Run the integration tests of the credential plugin use-case.
-//
-// 1. Start the auth server.
-// 2. Run the Cmd.
-// 3. Open a request for the local server.
-// 4. Verify the output.
-//
-func TestCredentialPlugin(t *testing.T) {
-	cacheDir, err := ioutil.TempDir("", "kube")
-	if err != nil {
-		t.Fatalf("could not create a cache dir: %s", err)
-	}
-	defer func() {
-		if err := os.RemoveAll(cacheDir); err != nil {
-			t.Errorf("could not clean up the cache dir: %s", err)
-		}
-	}()
-
-	t.Run("NoTLS", func(t *testing.T) {
-		testCredentialPlugin(t, cacheDir, keys.None, nil)
-	})
-	t.Run("TLS", func(t *testing.T) {
-		testCredentialPlugin(t, cacheDir, keys.Server, []string{"--certificate-authority", keys.Server.CACertPath})
-	})
-}
-
-func testCredentialPlugin(t *testing.T, cacheDir string, idpTLS keys.Keys, extraArgs []string) {
-	timeout := 1 * time.Second
-
-	t.Run("Defaults", func(t *testing.T) {
-		t.Parallel()
-		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
-		defer cancel()
-		ctrl := gomock.NewController(t)
-		defer ctrl.Finish()
-
-		service := mock_idp.NewMockService(ctrl)
-		serverURL, server := localserver.Start(t, idp.NewHandler(t, service), idpTLS)
-		defer server.Shutdown(t, ctx)
-		var idToken string
-		setupMockIDPForCodeFlow(t, service, serverURL, "openid", &idToken)
-		credentialPluginInteraction := mock_credentialplugin.NewMockInterface(ctrl)
-		assertCredentialPluginOutput(t, credentialPluginInteraction, &idToken)
-
-		args := []string{
-			"--token-cache-dir", cacheDir,
-			"--oidc-issuer-url", serverURL,
-			"--oidc-client-id", "kubernetes",
-		}
-		args = append(args, extraArgs...)
-		runGetTokenCmd(t, ctx, openBrowserOnReadyFunc(t, ctx, idpTLS), credentialPluginInteraction, args)
-	})
-
-	t.Run("ResourceOwnerPasswordCredentials", func(t *testing.T) {
-		t.Parallel()
-		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
-		defer cancel()
-		ctrl := gomock.NewController(t)
-		defer ctrl.Finish()
-
-		service := mock_idp.NewMockService(ctrl)
-		serverURL, server := localserver.Start(t, idp.NewHandler(t, service), idpTLS)
-		defer server.Shutdown(t, ctx)
-		idToken := newIDToken(t, serverURL, "", tokenExpiryFuture)
-		setupMockIDPForROPC(service, serverURL, "openid", "USER", "PASS", idToken)
-		credentialPluginInteraction := mock_credentialplugin.NewMockInterface(ctrl)
-		assertCredentialPluginOutput(t, credentialPluginInteraction, &idToken)
-
-		args := []string{
-			"--token-cache-dir", cacheDir,
-			"--oidc-issuer-url", serverURL,
-			"--oidc-client-id", "kubernetes",
-			"--username", "USER",
-			"--password", "PASS",
-		}
-		args = append(args, extraArgs...)
-		runGetTokenCmd(t, ctx, openBrowserOnReadyFunc(t, ctx, idpTLS), credentialPluginInteraction, args)
-	})
-
-	t.Run("HasValidToken", func(t *testing.T) {
-		t.Parallel()
-		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
-		defer cancel()
-		ctrl := gomock.NewController(t)
-		defer ctrl.Finish()
-
-		service := mock_idp.NewMockService(ctrl)
-		serverURL, server := localserver.Start(t, idp.NewHandler(t, service), idpTLS)
-		defer server.Shutdown(t, ctx)
-		idToken := newIDToken(t, serverURL, "YOUR_NONCE", tokenExpiryFuture)
-		setupTokenCache(t, cacheDir, tokencache.Key{
-			IssuerURL: serverURL,
-			ClientID:  "kubernetes",
-		}, tokencache.TokenCache{
-			IDToken:      idToken,
-			RefreshToken: "YOUR_REFRESH_TOKEN",
-		})
-		credentialPluginInteraction := mock_credentialplugin.NewMockInterface(ctrl)
-		assertCredentialPluginOutput(t, credentialPluginInteraction, &idToken)
-
-		args := []string{
-			"--token-cache-dir", cacheDir,
-			"--oidc-issuer-url", serverURL,
-			"--oidc-client-id", "kubernetes",
-		}
-		args = append(args, extraArgs...)
-		runGetTokenCmd(t, ctx, openBrowserOnReadyFunc(t, ctx, idpTLS), credentialPluginInteraction, args)
-		assertTokenCache(t, cacheDir, tokencache.Key{
-			IssuerURL: serverURL,
-			ClientID:  "kubernetes",
-		}, tokencache.TokenCache{
-			IDToken:      idToken,
-			RefreshToken: "YOUR_REFRESH_TOKEN",
-		})
-	})
-
-	t.Run("HasValidRefreshToken", func(t *testing.T) {
-		t.Parallel()
-		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
-		defer cancel()
-		ctrl := gomock.NewController(t)
-		defer ctrl.Finish()
-
-		service := mock_idp.NewMockService(ctrl)
-		serverURL, server := localserver.Start(t, idp.NewHandler(t, service), idpTLS)
-		defer server.Shutdown(t, ctx)
-		validIDToken := newIDToken(t, serverURL, "YOUR_NONCE", tokenExpiryFuture)
-		expiredIDToken := newIDToken(t, serverURL, "YOUR_NONCE", tokenExpiryPast)
-
-		setupMockIDPForDiscovery(service, serverURL)
-		service.EXPECT().Refresh("VALID_REFRESH_TOKEN").
-			Return(idp.NewTokenResponse(validIDToken, "NEW_REFRESH_TOKEN"), nil)
-
-		setupTokenCache(t, cacheDir, tokencache.Key{
-			IssuerURL: serverURL,
-			ClientID:  "kubernetes",
-		}, tokencache.TokenCache{
-			IDToken:      expiredIDToken,
-			RefreshToken: "VALID_REFRESH_TOKEN",
-		})
-		credentialPluginInteraction := mock_credentialplugin.NewMockInterface(ctrl)
-		assertCredentialPluginOutput(t, credentialPluginInteraction, &validIDToken)
-
-		args := []string{
-			"--token-cache-dir", cacheDir,
-			"--oidc-issuer-url", serverURL,
-			"--oidc-client-id", "kubernetes",
-		}
-		args = append(args, extraArgs...)
-		runGetTokenCmd(t, ctx, openBrowserOnReadyFunc(t, ctx, idpTLS), credentialPluginInteraction, args)
-		assertTokenCache(t, cacheDir, tokencache.Key{
-			IssuerURL: serverURL,
-			ClientID:  "kubernetes",
-		}, tokencache.TokenCache{
-			IDToken:      validIDToken,
-			RefreshToken: "NEW_REFRESH_TOKEN",
-		})
-	})
-
-	t.Run("HasExpiredRefreshToken", func(t *testing.T) {
-		t.Parallel()
-		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
-		defer cancel()
-		ctrl := gomock.NewController(t)
-		defer ctrl.Finish()
-
-		service := mock_idp.NewMockService(ctrl)
-		serverURL, server := localserver.Start(t, idp.NewHandler(t, service), idpTLS)
-		defer server.Shutdown(t, ctx)
-		validIDToken := newIDToken(t, serverURL, "YOUR_NONCE", tokenExpiryFuture)
-		expiredIDToken := newIDToken(t, serverURL, "YOUR_NONCE", tokenExpiryPast)
-
-		setupMockIDPForCodeFlow(t, service, serverURL, "openid", &validIDToken)
-		service.EXPECT().Refresh("EXPIRED_REFRESH_TOKEN").
-			Return(nil, &idp.ErrorResponse{Code: "invalid_request", Description: "token has expired"}).
-			MaxTimes(2) // package oauth2 will retry refreshing the token
-
-		setupTokenCache(t, cacheDir, tokencache.Key{
-			IssuerURL: serverURL,
-			ClientID:  "kubernetes",
-		}, tokencache.TokenCache{
-			IDToken:      expiredIDToken,
-			RefreshToken: "EXPIRED_REFRESH_TOKEN",
-		})
-		credentialPluginInteraction := mock_credentialplugin.NewMockInterface(ctrl)
-		assertCredentialPluginOutput(t, credentialPluginInteraction, &validIDToken)
-
-		args := []string{
-			"--token-cache-dir", cacheDir,
-			"--oidc-issuer-url", serverURL,
-			"--oidc-client-id", "kubernetes",
-		}
-		args = append(args, extraArgs...)
-		runGetTokenCmd(t, ctx, openBrowserOnReadyFunc(t, ctx, idpTLS), credentialPluginInteraction, args)
-		assertTokenCache(t, cacheDir, tokencache.Key{
-			IssuerURL: serverURL,
-			ClientID:  "kubernetes",
-		}, tokencache.TokenCache{
-			IDToken:      validIDToken,
-			RefreshToken: "YOUR_REFRESH_TOKEN",
-		})
-	})
-
-	t.Run("ExtraScopes", func(t *testing.T) {
-		t.Parallel()
-		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
-		defer cancel()
-		ctrl := gomock.NewController(t)
-		defer ctrl.Finish()
-
-		service := mock_idp.NewMockService(ctrl)
-		serverURL, server := localserver.Start(t, idp.NewHandler(t, service), idpTLS)
-		defer server.Shutdown(t, ctx)
-		var idToken string
-		setupMockIDPForCodeFlow(t, service, serverURL, "email profile openid", &idToken)
-
-		credentialPluginInteraction := mock_credentialplugin.NewMockInterface(ctrl)
-		assertCredentialPluginOutput(t, credentialPluginInteraction, &idToken)
-
-		args := []string{
-			"--token-cache-dir", cacheDir,
-			"--oidc-issuer-url", serverURL,
-			"--oidc-client-id", "kubernetes",
-			"--oidc-extra-scope", "email",
-			"--oidc-extra-scope", "profile",
-		}
-		args = append(args, extraArgs...)
-		runGetTokenCmd(t, ctx, openBrowserOnReadyFunc(t, ctx, idpTLS), credentialPluginInteraction, args)
-	})
-}
-
-func assertCredentialPluginOutput(t *testing.T, credentialPluginInteraction *mock_credentialplugin.MockInterface, idToken *string) {
-	credentialPluginInteraction.EXPECT().
-		Write(gomock.Any()).
-		Do(func(out credentialplugin.Output) {
-			if out.Token != *idToken {
-				t.Errorf("Token wants %s but %s", *idToken, out.Token)
-			}
-			if out.Expiry != tokenExpiryFuture {
-				t.Errorf("Expiry wants %v but %v", tokenExpiryFuture, out.Expiry)
-			}
-		})
-}
-
-func runGetTokenCmd(t *testing.T, ctx context.Context, localServerReadyFunc authentication.LocalServerReadyFunc, interaction credentialplugin.Interface, args []string) {
-	t.Helper()
-	cmd := di.NewCmdForHeadless(mock_logger.New(t), localServerReadyFunc, interaction)
-	exitCode := cmd.Run(ctx, append([]string{
-		"kubelogin", "get-token",
-		"--v=1",
-		"--skip-open-browser",
-		"--listen-port", "0",
-	}, args...), "HEAD")
-	if exitCode != 0 {
-		t.Errorf("exit status wants 0 but %d", exitCode)
-	}
-}
-
-func setupTokenCache(t *testing.T, cacheDir string, k tokencache.Key, v tokencache.TokenCache) {
-	var r tokencache.Repository
-	err := r.Save(cacheDir, k, v)
-	if err != nil {
-		t.Errorf("could not set up the token cache: %s", err)
-	}
-}
-
-func assertTokenCache(t *testing.T, cacheDir string, k tokencache.Key, want tokencache.TokenCache) {
-	var r tokencache.Repository
-	v, err := r.FindByKey(cacheDir, k)
-	if err != nil {
-		t.Errorf("could not set up the token cache: %s", err)
-	}
-	if diff := cmp.Diff(&want, v); diff != "" {
-		t.Errorf("token cache mismatch: %s", diff)
-	}
-}

e2e_test/helpers_test.go

@@ -1,91 +0,0 @@
-package e2e_test
-
-import (
-	"context"
-	"net/http"
-	"testing"
-	"time"
-
-	"github.com/dgrijalva/jwt-go"
-	"github.com/golang/mock/gomock"
-	"github.com/int128/kubelogin/e2e_test/idp"
-	"github.com/int128/kubelogin/e2e_test/idp/mock_idp"
-	"github.com/int128/kubelogin/e2e_test/keys"
-	"github.com/int128/kubelogin/pkg/usecases/authentication"
-)
-
-var (
-	tokenExpiryFuture = time.Now().Add(time.Hour).Round(time.Second)
-	tokenExpiryPast   = time.Now().Add(-time.Hour).Round(time.Second)
-)
-
-func newIDToken(t *testing.T, issuer, nonce string, expiry time.Time) string {
-	t.Helper()
-	var claims struct {
-		jwt.StandardClaims
-		Nonce  string   `json:"nonce"`
-		Groups []string `json:"groups"`
-	}
-	claims.StandardClaims = jwt.StandardClaims{
-		Issuer:    issuer,
-		Audience:  "kubernetes",
-		Subject:   "SUBJECT",
-		IssuedAt:  time.Now().Unix(),
-		ExpiresAt: expiry.Unix(),
-	}
-	claims.Nonce = nonce
-	claims.Groups = []string{"admin", "users"}
-	token := jwt.NewWithClaims(jwt.SigningMethodRS256, claims)
-	s, err := token.SignedString(keys.JWSKeyPair)
-	if err != nil {
-		t.Fatalf("Could not sign the claims: %s", err)
-	}
-	return s
-}
-
-func setupMockIDPForDiscovery(service *mock_idp.MockService, serverURL string) {
-	service.EXPECT().Discovery().Return(idp.NewDiscoveryResponse(serverURL))
-	service.EXPECT().GetCertificates().Return(idp.NewCertificatesResponse(keys.JWSKeyPair))
-}
-
-func setupMockIDPForCodeFlow(t *testing.T, service *mock_idp.MockService, serverURL, scope string, idToken *string) {
-	var nonce string
-	setupMockIDPForDiscovery(service, serverURL)
-	service.EXPECT().AuthenticateCode(scope, gomock.Any()).
-		DoAndReturn(func(_, gotNonce string) (string, error) {
-			nonce = gotNonce
-			return "YOUR_AUTH_CODE", nil
-		})
-	service.EXPECT().Exchange("YOUR_AUTH_CODE").
-		DoAndReturn(func(string) (*idp.TokenResponse, error) {
-			*idToken = newIDToken(t, serverURL, nonce, tokenExpiryFuture)
-			return idp.NewTokenResponse(*idToken, "YOUR_REFRESH_TOKEN"), nil
-		})
-}
-
-func setupMockIDPForROPC(service *mock_idp.MockService, serverURL, scope, username, password, idToken string) {
-	setupMockIDPForDiscovery(service, serverURL)
-	service.EXPECT().AuthenticatePassword(username, password, scope).
-		Return(idp.NewTokenResponse(idToken, "YOUR_REFRESH_TOKEN"), nil)
-}
-
-func openBrowserOnReadyFunc(t *testing.T, ctx context.Context, k keys.Keys) authentication.LocalServerReadyFunc {
-	return func(url string) {
-		client := http.Client{Transport: &http.Transport{TLSClientConfig: k.TLSConfig}}
-		req, err := http.NewRequest("GET", url, nil)
-		if err != nil {
-			t.Errorf("could not create a request: %s", err)
-			return
-		}
-		req = req.WithContext(ctx)
-		resp, err := client.Do(req)
-		if err != nil {
-			t.Errorf("could not send a request: %s", err)
-			return
-		}
-		defer resp.Body.Close()
-		if resp.StatusCode != 200 {
-			t.Errorf("StatusCode wants 200 but %d", resp.StatusCode)
-		}
-	}
-}

e2e_test/idp/mock_idp/mock_service.go

@@ -1,122 +0,0 @@
-// Code generated by MockGen. DO NOT EDIT.
-// Source: github.com/int128/kubelogin/e2e_test/idp (interfaces: Service)
-
-// Package mock_idp is a generated GoMock package.
-package mock_idp
-
-import (
-	gomock "github.com/golang/mock/gomock"
-	idp "github.com/int128/kubelogin/e2e_test/idp"
-	reflect "reflect"
-)
-
-// MockService is a mock of Service interface
-type MockService struct {
-	ctrl     *gomock.Controller
-	recorder *MockServiceMockRecorder
-}
-
-// MockServiceMockRecorder is the mock recorder for MockService
-type MockServiceMockRecorder struct {
-	mock *MockService
-}
-
-// NewMockService creates a new mock instance
-func NewMockService(ctrl *gomock.Controller) *MockService {
-	mock := &MockService{ctrl: ctrl}
-	mock.recorder = &MockServiceMockRecorder{mock}
-	return mock
-}
-
-// EXPECT returns an object that allows the caller to indicate expected use
-func (m *MockService) EXPECT() *MockServiceMockRecorder {
-	return m.recorder
-}
-
-// AuthenticateCode mocks base method
-func (m *MockService) AuthenticateCode(arg0, arg1 string) (string, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "AuthenticateCode", arg0, arg1)
-	ret0, _ := ret[0].(string)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// AuthenticateCode indicates an expected call of AuthenticateCode
-func (mr *MockServiceMockRecorder) AuthenticateCode(arg0, arg1 interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AuthenticateCode", reflect.TypeOf((*MockService)(nil).AuthenticateCode), arg0, arg1)
-}
-
-// AuthenticatePassword mocks base method
-func (m *MockService) AuthenticatePassword(arg0, arg1, arg2 string) (*idp.TokenResponse, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "AuthenticatePassword", arg0, arg1, arg2)
-	ret0, _ := ret[0].(*idp.TokenResponse)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// AuthenticatePassword indicates an expected call of AuthenticatePassword
-func (mr *MockServiceMockRecorder) AuthenticatePassword(arg0, arg1, arg2 interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AuthenticatePassword", reflect.TypeOf((*MockService)(nil).AuthenticatePassword), arg0, arg1, arg2)
-}
-
-// Discovery mocks base method
-func (m *MockService) Discovery() *idp.DiscoveryResponse {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "Discovery")
-	ret0, _ := ret[0].(*idp.DiscoveryResponse)
-	return ret0
-}
-
-// Discovery indicates an expected call of Discovery
-func (mr *MockServiceMockRecorder) Discovery() *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Discovery", reflect.TypeOf((*MockService)(nil).Discovery))
-}
-
-// Exchange mocks base method
-func (m *MockService) Exchange(arg0 string) (*idp.TokenResponse, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "Exchange", arg0)
-	ret0, _ := ret[0].(*idp.TokenResponse)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// Exchange indicates an expected call of Exchange
-func (mr *MockServiceMockRecorder) Exchange(arg0 interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Exchange", reflect.TypeOf((*MockService)(nil).Exchange), arg0)
-}
-
-// GetCertificates mocks base method
-func (m *MockService) GetCertificates() *idp.CertificatesResponse {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "GetCertificates")
-	ret0, _ := ret[0].(*idp.CertificatesResponse)
-	return ret0
-}
-
-// GetCertificates indicates an expected call of GetCertificates
-func (mr *MockServiceMockRecorder) GetCertificates() *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetCertificates", reflect.TypeOf((*MockService)(nil).GetCertificates))
-}
-
-// Refresh mocks base method
-func (m *MockService) Refresh(arg0 string) (*idp.TokenResponse, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "Refresh", arg0)
-	ret0, _ := ret[0].(*idp.TokenResponse)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// Refresh indicates an expected call of Refresh
-func (mr *MockServiceMockRecorder) Refresh(arg0 interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Refresh", reflect.TypeOf((*MockService)(nil).Refresh), arg0)
-}

e2e_test/keys/keys.go

@@ -1,67 +0,0 @@
-package keys
-
-import (
-	"crypto/rsa"
-	"crypto/tls"
-	"crypto/x509"
-	"encoding/pem"
-	"io/ioutil"
-)
-
-// Keys represents a pair of certificate and key.
-type Keys struct {
-	CertPath   string
-	KeyPath    string
-	CACertPath string
-	TLSConfig  *tls.Config
-}
-
-// None represents non-TLS.
-var None Keys
-
-// Server is a Keys for TLS server.
-// These files should be generated by Makefile before test.
-var Server = Keys{
-	CertPath:   "keys/testdata/server.crt",
-	KeyPath:    "keys/testdata/server.key",
-	CACertPath: "keys/testdata/ca.crt",
-	TLSConfig:  newTLSConfig("keys/testdata/ca.crt"),
-}
-
-// JWSKey is path to the key for signing ID tokens.
-// This file should be generated by Makefile before test.
-const JWSKey = "keys/testdata/jws.key"
-
-// JWSKeyPair is the key pair loaded from JWSKey.
-var JWSKeyPair = readPrivateKey(JWSKey)
-
-func newTLSConfig(name string) *tls.Config {
-	b, err := ioutil.ReadFile(name)
-	if err != nil {
-		panic(err)
-	}
-	p := x509.NewCertPool()
-	if !p.AppendCertsFromPEM(b) {
-		panic("could not append the CA cert")
-	}
-	return &tls.Config{RootCAs: p}
-}
-
-func readPrivateKey(name string) *rsa.PrivateKey {
-	b, err := ioutil.ReadFile(name)
-	if err != nil {
-		panic(err)
-	}
-	block, rest := pem.Decode(b)
-	if block == nil {
-		panic("could not decode PEM")
-	}
-	if len(rest) > 0 {
-		panic("PEM should contain single key but multiple keys")
-	}
-	k, err := x509.ParsePKCS1PrivateKey(block.Bytes)
-	if err != nil {
-		panic(err)
-	}
-	return k
-}

e2e_test/keys/testdata/.gitignore

@@ -1 +0,0 @@
-/CA

e2e_test/keys/testdata/Makefile

@@ -1,59 +0,0 @@
-EXPIRY := 3650
-
-all: ca.key ca.crt server.key server.crt jws.key
-
-.PHONY: clean
-clean:
-	-rm -v ca.* server.* jws.*
-
-ca.key:
-	openssl genrsa -out $@ 1024
-
-.INTERMEDIATE: ca.csr
-ca.csr: openssl.cnf ca.key
-	openssl req -config openssl.cnf \
-		-new \
-		-key ca.key \
-		-subj "/CN=Hello CA" \
-		-out $@
-	openssl req -noout -text -in $@
-
-ca.crt: ca.csr ca.key
-	openssl x509 \
-		-req \
-		-days $(EXPIRY) \
-		-signkey ca.key \
-		-in ca.csr \
-		-out $@
-	openssl x509 -text -in $@
-
-server.key:
-	openssl genrsa -out $@ 1024
-
-.INTERMEDIATE: server.csr
-server.csr: openssl.cnf server.key
-	openssl req -config openssl.cnf \
-		-new \
-		-key server.key \
-		-subj "/CN=localhost" \
-		-out $@
-	openssl req -noout -text -in $@
-
-server.crt: openssl.cnf server.csr ca.key ca.crt
-	rm -fr ./CA
-	mkdir -p ./CA
-	touch CA/index.txt
-	touch CA/index.txt.attr
-	echo 00 > CA/serial
-	openssl ca -config openssl.cnf \
-		-days $(EXPIRY) \
-		-extensions v3_req \
-		-batch \
-		-cert ca.crt \
-		-keyfile ca.key \
-		-in server.csr \
-		-out $@
-	openssl x509 -text -in $@
-
-jws.key:
-	openssl genrsa -out $@ 1024

e2e_test/keys/testdata/ca.crt

@@ -1,11 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIBnTCCAQYCCQC/aR7GRyndljANBgkqhkiG9w0BAQUFADATMREwDwYDVQQDDAhI
-ZWxsbyBDQTAeFw0xOTA5MjUxNDQ0NTFaFw0yOTA5MjIxNDQ0NTFaMBMxETAPBgNV
-BAMMCEhlbGxvIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDnSTDsRx4U
-JmaTWHOAZasfN2O37wMcRez7LDM2qfQ8nlXnEAAZ4Pc51itOycWN1nclNVb489i9
-J8ALgRKzNumSkfl1sCgJoDds75AC3oRRCbhnEP3Lu4mysxyOtYZNsdST8GBCP0m4
-2tWa4W2ditpA44uU4x8opAX2qY919nVLNwIDAQABMA0GCSqGSIb3DQEBBQUAA4GB
-AE/gsgTC4jzYC3icZdhALJTe3JsZ7geN702dE95zSI5LXAzzHJ/j8wGmorQjrMs2
-iNPjVOdTU6cVWa1Ba29wWakVyVCUqDmDiWHaVhM/Qyyxo6mVlZGFwSnto3zq/h4y
-KMFJ8lUtFCYMrzo5wqgj2xOjVrN77F6F4XWZbMufh50G
------END CERTIFICATE-----

e2e_test/keys/testdata/ca.key

@@ -1,15 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIICXQIBAAKBgQDnSTDsRx4UJmaTWHOAZasfN2O37wMcRez7LDM2qfQ8nlXnEAAZ
-4Pc51itOycWN1nclNVb489i9J8ALgRKzNumSkfl1sCgJoDds75AC3oRRCbhnEP3L
-u4mysxyOtYZNsdST8GBCP0m42tWa4W2ditpA44uU4x8opAX2qY919nVLNwIDAQAB
-AoGAaYmTYm29QvKW4et9oPxDjpYG0bqlz7P0xFRR9kKtKTATAMHjWeu2xFR/JI+b
-rvJLIdZqHmWe5AmMb3NxZgfLonEB71ohaKQha1L8Vc7aoedRheJvqqaNr+ZxoCMO
-8xcjsaMYxLEVt0tg6XyKyEhi1/hOufFZ4BSng4oQbrpaNIkCQQD6hPEzzPZtMEEe
-eRdwTVUIStKFMQbRdwZ5Oc7pyDk2U+SFRJiqkBkqnmFekcf2UgbBQxem+GMhWNgE
-LItKy/wVAkEA7FiHxbzn2msaE3hZCWudtnXqmJNuPO0zJ5icXe2svwmwPfLA/rm9
-iazCuyzyK67J8IG9QgIjQFYXtQbMr2chGwJBAMm3dghBx0LQEf8Zfdf9TLSqmqyI
-d3b+IgZGl+cCQ58NGfp863ibIsiAUuK0+4/JKItBHLBjXF6jjPx/aYFGkqkCQH4w
-GnXCEYx1qJuCow87jR4xQQsrlC0lfC2E9t/TmWr6UkYRCWg3ZXJPcj0bl0Upcppd
-ut22ZHniPZAizEBOcMcCQQDnMEOxufxhMsx2NC8yON/noewLINqKcbkMsl6DjvJl
-+wLbQmzJ0j+uIBgdpsj4rWnEr7GxoL2eWG44QDUBco79
------END RSA PRIVATE KEY-----

e2e_test/keys/testdata/jws.key

@@ -1,15 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIICXwIBAAKBgQCZukkN1GxMlNXkpOZxCnvCF874/rn1sNKzO98fOwmBRPG2+m/c
-yqBY7t2L2nihqz3+GZTiHmzSrBzMAGPVW1qGmk9KYg3m7akz9SiCxdoUkgM9MCCp
-X/s8IhgtXkyoKFPcGdwHblDl/3aJG02b6TAQD8vTNQAKoKw7L0FST+pvRwIDAQAB
-AoGBAJT1fXR5MbfDQL+dSe6fSex5RYTgzzDTdldW3I1Wl487Tz0OzvYTIe0LCIJL
-4DhHxnpCL5IsCSbav8ytVA+ZxczHpEW6UxbalXt5UfgFu0joTrdoGxDcVWgUCW3J
-Olbln0lOP55wViKh509gt45Za3VxJrNul3khVfVj7qGG9cKBAkEAxwtT8LxwqTYF
-nqoeZvPp15JAqlgdk38ttJa4KEqvpBTSxNIXkL9T5gJ+irKZAzxlz/U7bhn5mw6E
-3xFiljOXpQJBAMW3XRFOjgNBXNjbt81wREF5LdZl9EI8cRMSH6xljt2uwSqw4EG3
-76gFvccUd+WnfspFQZVypSSD4pWzsAqh13sCQQCA9BLW5Y7r4ab0a2y08JNwaT1h
-3yKSO5QF6pu25uQyHpeKkj5YNcyKONV40EqXsRqZB10QcN2omlh1GJNRkm1NAkEA
-qV3lr4mnRUqcinfM/4MINT3k8h/sGUFFa5y+3SMyOtwURMm3kRRLi5c/dmYmPug4
-SHUDNU48AQeo9awzRShWOQJBAJdw+cfRgi4fo3HY33uZdFa1T9G+qTA2ijhco6O3
-8tOc0yOFEtPNXM87MsHGIQP3ZCLfIY1gs2O3WCTFbPxR4rc=
------END RSA PRIVATE KEY-----

e2e_test/keys/testdata/openssl.cnf

@@ -1,36 +0,0 @@
-[ ca ]
-default_ca      = CA_default
-
-[ CA_default ]
-dir             = ./CA
-certs           = $dir
-crl_dir         = $dir
-database        = $dir/index.txt
-new_certs_dir   = $dir
-default_md      = sha256
-policy          = policy_match
-serial          = $dir/serial
-
-[ policy_match ]
-countryName             = optional
-stateOrProvinceName     = optional
-organizationName        = optional
-organizationalUnitName  = optional
-commonName              = supplied
-emailAddress            = optional
-
-[ req ]
-distinguished_name	= req_distinguished_name
-req_extensions = v3_req
-x509_extensions = v3_ca
-
-[ req_distinguished_name ]
-commonName			= Common Name (e.g. server FQDN or YOUR name)
-
-[ v3_req ]
-basicConstraints = CA:FALSE
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-subjectAltName = DNS:localhost
-
-[ v3_ca ]
-basicConstraints = CA:true

e2e_test/keys/testdata/server.crt

@@ -1,52 +0,0 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 0 (0x0)
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: CN=Hello CA
-        Validity
-            Not Before: Aug 18 06:00:06 2019 GMT
-            Not After : Aug 15 06:00:06 2029 GMT
-        Subject: CN=localhost
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (1024 bit)
-                Modulus:
-                    00:d6:4e:eb:3a:cb:25:f9:7e:92:22:f2:63:99:da:
-                    08:05:8b:a3:e7:d3:fd:71:3e:bd:da:c5:d5:63:b7:
-                    d3:7b:f8:cd:1a:2e:5c:a2:4f:48:98:c2:b4:da:e8:
-                    1e:d3:d7:8f:d8:ee:a9:70:d0:9d:4f:f4:8d:95:e5:
-                    8e:9a:71:b6:80:aa:0b:cb:28:1d:f6:0d:7e:aa:78:
-                    bf:30:e6:58:d7:6b:92:8f:19:1c:7d:95:f8:d5:2f:
-                    8c:58:49:98:88:05:50:88:80:a9:77:c4:16:b4:c1:
-                    00:45:1e:d3:d0:ed:98:4d:f7:a3:5d:f1:82:cb:a5:
-                    4d:19:64:4d:43:db:13:d4:17
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: 
-                CA:FALSE
-            X509v3 Key Usage: 
-                Digital Signature, Non Repudiation, Key Encipherment
-            X509v3 Subject Alternative Name: 
-                DNS:localhost
-    Signature Algorithm: sha256WithRSAEncryption
-         5a:5c:5e:8b:de:82:86:f4:98:40:0e:cf:c5:51:fe:89:46:49:
-         f0:26:d2:a5:06:e3:91:43:c1:f8:b2:ad:b7:a1:23:13:1a:80:
-         45:00:51:70:b6:06:63:c6:a8:c8:22:5d:1b:00:e0:4a:8c:2e:
-         ce:b4:da:b1:89:8a:d2:d0:e3:eb:0f:16:34:45:a1:bd:64:5c:
-         48:41:8c:0a:bf:66:be:1c:a8:35:47:ce:b0:dc:c8:4f:5e:c1:
-         ec:ef:21:fb:45:55:95:e3:99:40:46:0b:6c:8a:b3:d5:f0:bf:
-         39:a4:ba:c4:d7:58:88:58:08:07:98:59:6e:ca:9c:08:e4:c4:
-         4f:db
------BEGIN CERTIFICATE-----
-MIIBzTCCATagAwIBAgIBADANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDDAhIZWxs
-byBDQTAeFw0xOTA4MTgwNjAwMDZaFw0yOTA4MTUwNjAwMDZaMBQxEjAQBgNVBAMM
-CWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1k7rOssl+X6S
-IvJjmdoIBYuj59P9cT692sXVY7fTe/jNGi5cok9ImMK02uge09eP2O6pcNCdT/SN
-leWOmnG2gKoLyygd9g1+qni/MOZY12uSjxkcfZX41S+MWEmYiAVQiICpd8QWtMEA
-RR7T0O2YTfejXfGCy6VNGWRNQ9sT1BcCAwEAAaMwMC4wCQYDVR0TBAIwADALBgNV
-HQ8EBAMCBeAwFAYDVR0RBA0wC4IJbG9jYWxob3N0MA0GCSqGSIb3DQEBCwUAA4GB
-AFpcXovegob0mEAOz8VR/olGSfAm0qUG45FDwfiyrbehIxMagEUAUXC2BmPGqMgi
-XRsA4EqMLs602rGJitLQ4+sPFjRFob1kXEhBjAq/Zr4cqDVHzrDcyE9ewezvIftF
-VZXjmUBGC2yKs9XwvzmkusTXWIhYCAeYWW7KnAjkxE/b
------END CERTIFICATE-----

e2e_test/keys/testdata/server.key

@@ -1,15 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIICXgIBAAKBgQDWTus6yyX5fpIi8mOZ2ggFi6Pn0/1xPr3axdVjt9N7+M0aLlyi
-T0iYwrTa6B7T14/Y7qlw0J1P9I2V5Y6acbaAqgvLKB32DX6qeL8w5ljXa5KPGRx9
-lfjVL4xYSZiIBVCIgKl3xBa0wQBFHtPQ7ZhN96Nd8YLLpU0ZZE1D2xPUFwIDAQAB
-AoGBAJhNR7Dl1JwFzndViWE6aP7/6UEFEBWeADDs7aTLbFmrTJ+xmRWkgLRHk14L
-HnVwuYLywaoyJ8o9wy1nEbxC2e4zWZ94d351MQf3/komCXDBzEsktfAcNsAFnMmS
-HZuGXfhi0FYWoftpIGxUmEBmQRcq0ctycbLves6TY3y+oajpAkEA8UHmSr/zsM3E
-XQXPp2BCAvRrTH/njk4R0jwB29Bi89gt/XDD4uvfWbHw7TZxnZuCpWisnxpMPIwa
-1rjqIQmhEwJBAONncQUOxwYCIuvraIhV0QtkIUa+YpTvAxP8ZNXx+agtHmHG2TTf
-kGv2YddvjxXZItN/FZOzUGm9OptaeLRTpW0CQHO8CEzNnoqve0agtgf2LlSaiiqt
-pRhoLTZsYPvhEMcnapCNGvtt6bxul0REfOZ9poPRHhZJGE9naqydEnv80Y8CQQC3
-pxLfws95SsBpR/VkJepuCK/XMmrrXRxfR7coEgROjiG7VZyV1vgMOS9Ljg1A19wI
-cto6LtcCjpCGZsqU1/kBAkEAv2tXBts3vuIjguZNMz7KLWmu3zG2SQRaqdEZwL+R
-DQmD5tbI6gEtd5OmgmSiW8A4mpfgFYvG7Um2fwi7TTXtSA==
------END RSA PRIVATE KEY-----

e2e_test/standalone_test.go

@@ -1,283 +0,0 @@
-package e2e_test
-
-import (
-	"context"
-	"os"
-	"testing"
-	"time"
-
-	"github.com/golang/mock/gomock"
-	"github.com/int128/kubelogin/e2e_test/idp"
-	"github.com/int128/kubelogin/e2e_test/idp/mock_idp"
-	"github.com/int128/kubelogin/e2e_test/keys"
-	"github.com/int128/kubelogin/e2e_test/kubeconfig"
-	"github.com/int128/kubelogin/e2e_test/localserver"
-	"github.com/int128/kubelogin/pkg/adaptors/logger/mock_logger"
-	"github.com/int128/kubelogin/pkg/di"
-	"github.com/int128/kubelogin/pkg/usecases/authentication"
-)
-
-// Run the integration tests of the Login use-case.
-//
-// 1. Start the auth server.
-// 2. Run the Cmd.
-// 3. Open a request for the local server.
-// 4. Verify the kubeconfig.
-//
-func TestStandalone(t *testing.T) {
-	t.Run("NoTLS", func(t *testing.T) {
-		testStandalone(t, keys.None)
-	})
-	t.Run("TLS", func(t *testing.T) {
-		testStandalone(t, keys.Server)
-	})
-}
-
-func testStandalone(t *testing.T, idpTLS keys.Keys) {
-	timeout := 5 * time.Second
-
-	t.Run("Defaults", func(t *testing.T) {
-		t.Parallel()
-		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
-		defer cancel()
-		ctrl := gomock.NewController(t)
-		defer ctrl.Finish()
-
-		service := mock_idp.NewMockService(ctrl)
-		serverURL, server := localserver.Start(t, idp.NewHandler(t, service), idpTLS)
-		defer server.Shutdown(t, ctx)
-		var idToken string
-		setupMockIDPForCodeFlow(t, service, serverURL, "openid", &idToken)
-		kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
-			Issuer:                  serverURL,
-			IDPCertificateAuthority: idpTLS.CACertPath,
-		})
-		defer os.Remove(kubeConfigFilename)
-
-		args := []string{
-			"--kubeconfig", kubeConfigFilename,
-		}
-		runRootCmd(t, ctx, openBrowserOnReadyFunc(t, ctx, idpTLS), args)
-		kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
-			IDToken:      idToken,
-			RefreshToken: "YOUR_REFRESH_TOKEN",
-		})
-	})
-
-	t.Run("ResourceOwnerPasswordCredentials", func(t *testing.T) {
-		t.Parallel()
-		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
-		defer cancel()
-		ctrl := gomock.NewController(t)
-		defer ctrl.Finish()
-
-		service := mock_idp.NewMockService(ctrl)
-		serverURL, server := localserver.Start(t, idp.NewHandler(t, service), idpTLS)
-		defer server.Shutdown(t, ctx)
-		idToken := newIDToken(t, serverURL, "", tokenExpiryFuture)
-		setupMockIDPForROPC(service, serverURL, "openid", "USER", "PASS", idToken)
-		kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
-			Issuer:                  serverURL,
-			IDPCertificateAuthority: idpTLS.CACertPath,
-		})
-		defer os.Remove(kubeConfigFilename)
-
-		args := []string{
-			"--kubeconfig", kubeConfigFilename,
-			"--username", "USER",
-			"--password", "PASS",
-		}
-		runRootCmd(t, ctx, openBrowserOnReadyFunc(t, ctx, idpTLS), args)
-		kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
-			IDToken:      idToken,
-			RefreshToken: "YOUR_REFRESH_TOKEN",
-		})
-	})
-
-	t.Run("HasValidToken", func(t *testing.T) {
-		t.Parallel()
-		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
-		defer cancel()
-		ctrl := gomock.NewController(t)
-		defer ctrl.Finish()
-
-		service := mock_idp.NewMockService(ctrl)
-		serverURL, server := localserver.Start(t, idp.NewHandler(t, service), idpTLS)
-		defer server.Shutdown(t, ctx)
-		idToken := newIDToken(t, serverURL, "YOUR_NONCE", tokenExpiryFuture)
-
-		kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
-			Issuer:                  serverURL,
-			IDToken:                 idToken,
-			RefreshToken:            "YOUR_REFRESH_TOKEN",
-			IDPCertificateAuthority: idpTLS.CACertPath,
-		})
-		defer os.Remove(kubeConfigFilename)
-
-		args := []string{
-			"--kubeconfig", kubeConfigFilename,
-		}
-		runRootCmd(t, ctx, openBrowserOnReadyFunc(t, ctx, idpTLS), args)
-		kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
-			IDToken:      idToken,
-			RefreshToken: "YOUR_REFRESH_TOKEN",
-		})
-	})
-
-	t.Run("HasValidRefreshToken", func(t *testing.T) {
-		t.Parallel()
-		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
-		defer cancel()
-		ctrl := gomock.NewController(t)
-		defer ctrl.Finish()
-
-		service := mock_idp.NewMockService(ctrl)
-		serverURL, server := localserver.Start(t, idp.NewHandler(t, service), idpTLS)
-		defer server.Shutdown(t, ctx)
-		idToken := newIDToken(t, serverURL, "YOUR_NONCE", tokenExpiryFuture)
-		service.EXPECT().Discovery().Return(idp.NewDiscoveryResponse(serverURL))
-		service.EXPECT().GetCertificates().Return(idp.NewCertificatesResponse(keys.JWSKeyPair))
-		service.EXPECT().Refresh("VALID_REFRESH_TOKEN").
-			Return(idp.NewTokenResponse(idToken, "NEW_REFRESH_TOKEN"), nil)
-
-		kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
-			Issuer:                  serverURL,
-			IDToken:                 newIDToken(t, serverURL, "YOUR_NONCE", tokenExpiryPast), // expired
-			RefreshToken:            "VALID_REFRESH_TOKEN",
-			IDPCertificateAuthority: idpTLS.CACertPath,
-		})
-		defer os.Remove(kubeConfigFilename)
-
-		args := []string{
-			"--kubeconfig", kubeConfigFilename,
-		}
-		runRootCmd(t, ctx, openBrowserOnReadyFunc(t, ctx, idpTLS), args)
-		kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
-			IDToken:      idToken,
-			RefreshToken: "NEW_REFRESH_TOKEN",
-		})
-	})
-
-	t.Run("HasExpiredRefreshToken", func(t *testing.T) {
-		t.Parallel()
-		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
-		defer cancel()
-		ctrl := gomock.NewController(t)
-		defer ctrl.Finish()
-
-		service := mock_idp.NewMockService(ctrl)
-		serverURL, server := localserver.Start(t, idp.NewHandler(t, service), idpTLS)
-		defer server.Shutdown(t, ctx)
-		var idToken string
-		setupMockIDPForCodeFlow(t, service, serverURL, "openid", &idToken)
-		service.EXPECT().Refresh("EXPIRED_REFRESH_TOKEN").
-			Return(nil, &idp.ErrorResponse{Code: "invalid_request", Description: "token has expired"}).
-			MaxTimes(2) // package oauth2 will retry refreshing the token
-
-		kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
-			Issuer:                  serverURL,
-			IDToken:                 newIDToken(t, serverURL, "YOUR_NONCE", tokenExpiryPast), // expired
-			RefreshToken:            "EXPIRED_REFRESH_TOKEN",
-			IDPCertificateAuthority: idpTLS.CACertPath,
-		})
-		defer os.Remove(kubeConfigFilename)
-
-		args := []string{
-			"--kubeconfig", kubeConfigFilename,
-		}
-		runRootCmd(t, ctx, openBrowserOnReadyFunc(t, ctx, idpTLS), args)
-		kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
-			IDToken:      idToken,
-			RefreshToken: "YOUR_REFRESH_TOKEN",
-		})
-	})
-
-	t.Run("env_KUBECONFIG", func(t *testing.T) {
-		// do not run this in parallel due to change of the env var
-		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
-		defer cancel()
-		ctrl := gomock.NewController(t)
-		defer ctrl.Finish()
-
-		service := mock_idp.NewMockService(ctrl)
-		serverURL, server := localserver.Start(t, idp.NewHandler(t, service), idpTLS)
-		defer server.Shutdown(t, ctx)
-		var idToken string
-		setupMockIDPForCodeFlow(t, service, serverURL, "openid", &idToken)
-
-		kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
-			Issuer:                  serverURL,
-			IDPCertificateAuthority: idpTLS.CACertPath,
-		})
-		defer os.Remove(kubeConfigFilename)
-		setenv(t, "KUBECONFIG", kubeConfigFilename+string(os.PathListSeparator)+"kubeconfig/testdata/dummy.yaml")
-		defer unsetenv(t, "KUBECONFIG")
-
-		args := []string{
-			"--kubeconfig", kubeConfigFilename,
-		}
-		runRootCmd(t, ctx, openBrowserOnReadyFunc(t, ctx, idpTLS), args)
-		kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
-			IDToken:      idToken,
-			RefreshToken: "YOUR_REFRESH_TOKEN",
-		})
-	})
-
-	t.Run("ExtraScopes", func(t *testing.T) {
-		t.Parallel()
-		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
-		defer cancel()
-		ctrl := gomock.NewController(t)
-		defer ctrl.Finish()
-
-		service := mock_idp.NewMockService(ctrl)
-		serverURL, server := localserver.Start(t, idp.NewHandler(t, service), idpTLS)
-		defer server.Shutdown(t, ctx)
-		var idToken string
-		setupMockIDPForCodeFlow(t, service, serverURL, "profile groups openid", &idToken)
-
-		kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
-			Issuer:                  serverURL,
-			ExtraScopes:             "profile,groups",
-			IDPCertificateAuthority: idpTLS.CACertPath,
-		})
-		defer os.Remove(kubeConfigFilename)
-
-		args := []string{
-			"--kubeconfig", kubeConfigFilename,
-		}
-		runRootCmd(t, ctx, openBrowserOnReadyFunc(t, ctx, idpTLS), args)
-		kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
-			IDToken:      idToken,
-			RefreshToken: "YOUR_REFRESH_TOKEN",
-		})
-	})
-}
-
-func runRootCmd(t *testing.T, ctx context.Context, localServerReadyFunc authentication.LocalServerReadyFunc, args []string) {
-	t.Helper()
-	cmd := di.NewCmdForHeadless(mock_logger.New(t), localServerReadyFunc, nil)
-	exitCode := cmd.Run(ctx, append([]string{
-		"kubelogin",
-		"--v=1",
-		"--listen-port", "0",
-		"--skip-open-browser",
-	}, args...), "HEAD")
-	if exitCode != 0 {
-		t.Errorf("exit status wants 0 but %d", exitCode)
-	}
-}
-
-func setenv(t *testing.T, key, value string) {
-	t.Helper()
-	if err := os.Setenv(key, value); err != nil {
-		t.Fatalf("Could not set the env var %s=%s: %s", key, value, err)
-	}
-}
-
-func unsetenv(t *testing.T, key string) {
-	t.Helper()
-	if err := os.Unsetenv(key); err != nil {
-		t.Fatalf("Could not unset the env var %s: %s", key, err)
-	}
-}

go.mod

@@ -1,26 +1,25 @@
 module github.com/int128/kubelogin
 
-go 1.12
+go 1.16
 
 require (
-	github.com/coreos/go-oidc v2.1.0+incompatible
-	github.com/dgrijalva/jwt-go v0.0.0-20160705203006-01aeca54ebda
-	github.com/go-test/deep v1.0.4
-	github.com/golang/mock v1.3.1
-	github.com/google/go-cmp v0.3.1
-	github.com/google/wire v0.4.0
-	github.com/int128/oauth2cli v1.8.1
-	github.com/pkg/browser v0.0.0-20180916011732-0a3d74bf9ce4
-	github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35 // indirect
-	github.com/spf13/cobra v0.0.5
+	github.com/alexflint/go-filemutex v1.1.0
+	github.com/chromedp/chromedp v0.7.6
+	github.com/coreos/go-oidc/v3 v3.1.0
+	github.com/golang-jwt/jwt/v4 v4.2.0
+	github.com/golang/mock v1.6.0
+	github.com/google/go-cmp v0.5.6
+	github.com/google/wire v0.5.0
+	github.com/int128/oauth2cli v1.14.0
+	github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8
+	github.com/spf13/cobra v1.3.0
 	github.com/spf13/pflag v1.0.5
-	golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2
-	golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45
-	golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e
-	golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7
-	gopkg.in/square/go-jose.v2 v2.3.1 // indirect
-	gopkg.in/yaml.v2 v2.2.7
-	k8s.io/apimachinery v0.0.0-20190612205821-1799e75a0719
-	k8s.io/client-go v0.0.0-20190620085101-78d2af792bab
-	k8s.io/klog v0.4.0
+	golang.org/x/net v0.0.0-20211123203042-d83791d6bcd9
+	golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8
+	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
+	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211
+	gopkg.in/yaml.v2 v2.4.0
+	k8s.io/apimachinery v0.22.4
+	k8s.io/client-go v0.22.4
+	k8s.io/klog/v2 v2.40.1
 )

integration_test/credetial_plugin_test.go

@@ -0,0 +1,443 @@
+package integration_test
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"io"
+	"os"
+	"testing"
+	"time"
+
+	"github.com/google/go-cmp/cmp"
+	"github.com/int128/kubelogin/integration_test/httpdriver"
+	"github.com/int128/kubelogin/integration_test/keypair"
+	"github.com/int128/kubelogin/integration_test/oidcserver"
+	"github.com/int128/kubelogin/pkg/di"
+	"github.com/int128/kubelogin/pkg/infrastructure/browser"
+	"github.com/int128/kubelogin/pkg/testing/clock"
+	"github.com/int128/kubelogin/pkg/testing/logger"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	clientauthenticationv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
+)
+
+// Run the integration tests of the credential plugin use-case.
+//
+// 1. Start the auth server.
+// 2. Run the Cmd.
+// 3. Open a request for the local server.
+// 4. Verify the output.
+//
+func TestCredentialPlugin(t *testing.T) {
+	timeout := 10 * time.Second
+	now := time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC)
+	tokenCacheDir := t.TempDir()
+
+	for name, tc := range map[string]struct {
+		keyPair keypair.KeyPair
+		args    []string
+	}{
+		"NoTLS": {},
+		"TLS": {
+			keyPair: keypair.Server,
+			args:    []string{"--certificate-authority", keypair.Server.CACertPath},
+		},
+	} {
+		httpDriverOption := httpdriver.Option{
+			TLSConfig:    tc.keyPair.TLSConfig,
+			BodyContains: "Authenticated",
+		}
+
+		t.Run(name, func(t *testing.T) {
+			t.Run("AuthCode", func(t *testing.T) {
+				t.Parallel()
+				ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+				defer cancel()
+				sv := oidcserver.New(t, tc.keyPair, oidcserver.Config{
+					Want: oidcserver.Want{
+						Scope:             "openid",
+						RedirectURIPrefix: "http://localhost:",
+					},
+					Response: oidcserver.Response{
+						IDTokenExpiry: now.Add(time.Hour),
+					},
+				})
+				defer sv.Shutdown(t, ctx)
+				var stdout bytes.Buffer
+				runGetToken(t, ctx, getTokenConfig{
+					tokenCacheDir: tokenCacheDir,
+					issuerURL:     sv.IssuerURL(),
+					httpDriver:    httpdriver.New(ctx, t, httpDriverOption),
+					now:           now,
+					stdout:        &stdout,
+					args:          tc.args,
+				})
+				assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(time.Hour))
+			})
+
+			t.Run("ROPC", func(t *testing.T) {
+				t.Parallel()
+				ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+				defer cancel()
+				sv := oidcserver.New(t, tc.keyPair, oidcserver.Config{
+					Want: oidcserver.Want{
+						Scope:             "openid",
+						RedirectURIPrefix: "http://localhost:",
+						Username:          "USER1",
+						Password:          "PASS1",
+					},
+					Response: oidcserver.Response{
+						IDTokenExpiry: now.Add(time.Hour),
+					},
+				})
+				defer sv.Shutdown(t, ctx)
+				var stdout bytes.Buffer
+				runGetToken(t, ctx, getTokenConfig{
+					tokenCacheDir: tokenCacheDir,
+					issuerURL:     sv.IssuerURL(),
+					httpDriver:    httpdriver.Zero(t),
+					now:           now,
+					stdout:        &stdout,
+					args: append([]string{
+						"--username", "USER1",
+						"--password", "PASS1",
+					}, tc.args...),
+				})
+				assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(time.Hour))
+			})
+
+			t.Run("TokenCacheLifecycle", func(t *testing.T) {
+				t.Parallel()
+				ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+				defer cancel()
+				sv := oidcserver.New(t, tc.keyPair, oidcserver.Config{})
+				defer sv.Shutdown(t, ctx)
+
+				t.Run("NoCache", func(t *testing.T) {
+					sv.SetConfig(oidcserver.Config{
+						Want: oidcserver.Want{
+							Scope:             "openid",
+							RedirectURIPrefix: "http://localhost:",
+						},
+						Response: oidcserver.Response{
+							IDTokenExpiry: now.Add(time.Hour),
+							RefreshToken:  "REFRESH_TOKEN_1",
+						},
+					})
+					var stdout bytes.Buffer
+					runGetToken(t, ctx, getTokenConfig{
+						tokenCacheDir: tokenCacheDir,
+						issuerURL:     sv.IssuerURL(),
+						httpDriver:    httpdriver.New(ctx, t, httpDriverOption),
+						now:           now,
+						stdout:        &stdout,
+						args:          tc.args,
+					})
+					assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(time.Hour))
+				})
+				t.Run("Valid", func(t *testing.T) {
+					sv.SetConfig(oidcserver.Config{})
+					var stdout bytes.Buffer
+					runGetToken(t, ctx, getTokenConfig{
+						tokenCacheDir: tokenCacheDir,
+						issuerURL:     sv.IssuerURL(),
+						httpDriver:    httpdriver.Zero(t),
+						now:           now,
+						stdout:        &stdout,
+						args:          tc.args,
+					})
+					assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(time.Hour))
+				})
+				t.Run("Refresh", func(t *testing.T) {
+					sv.SetConfig(oidcserver.Config{
+						Want: oidcserver.Want{
+							Scope:             "openid",
+							RedirectURIPrefix: "http://localhost:",
+							RefreshToken:      "REFRESH_TOKEN_1",
+						},
+						Response: oidcserver.Response{
+							IDTokenExpiry: now.Add(3 * time.Hour),
+							RefreshToken:  "REFRESH_TOKEN_2",
+						},
+					})
+					var stdout bytes.Buffer
+					runGetToken(t, ctx, getTokenConfig{
+						tokenCacheDir: tokenCacheDir,
+						issuerURL:     sv.IssuerURL(),
+						httpDriver:    httpdriver.New(ctx, t, httpDriverOption),
+						now:           now.Add(2 * time.Hour),
+						stdout:        &stdout,
+						args:          tc.args,
+					})
+					assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(3*time.Hour))
+				})
+				t.Run("RefreshAgain", func(t *testing.T) {
+					sv.SetConfig(oidcserver.Config{
+						Want: oidcserver.Want{
+							Scope:             "openid",
+							RedirectURIPrefix: "http://localhost:",
+							RefreshToken:      "REFRESH_TOKEN_2",
+						},
+						Response: oidcserver.Response{
+							IDTokenExpiry: now.Add(5 * time.Hour),
+						},
+					})
+					var stdout bytes.Buffer
+					runGetToken(t, ctx, getTokenConfig{
+						tokenCacheDir: tokenCacheDir,
+						issuerURL:     sv.IssuerURL(),
+						httpDriver:    httpdriver.New(ctx, t, httpDriverOption),
+						now:           now.Add(4 * time.Hour),
+						stdout:        &stdout,
+						args:          tc.args,
+					})
+					assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(5*time.Hour))
+				})
+			})
+		})
+	}
+
+	t.Run("PKCE", func(t *testing.T) {
+		t.Parallel()
+		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+		defer cancel()
+		sv := oidcserver.New(t, keypair.None, oidcserver.Config{
+			Want: oidcserver.Want{
+				Scope:               "openid",
+				RedirectURIPrefix:   "http://localhost:",
+				CodeChallengeMethod: "S256",
+			},
+			Response: oidcserver.Response{
+				IDTokenExpiry:                 now.Add(time.Hour),
+				CodeChallengeMethodsSupported: []string{"plain", "S256"},
+			},
+		})
+		defer sv.Shutdown(t, ctx)
+		var stdout bytes.Buffer
+		runGetToken(t, ctx, getTokenConfig{
+			tokenCacheDir: tokenCacheDir,
+			issuerURL:     sv.IssuerURL(),
+			httpDriver:    httpdriver.New(ctx, t, httpdriver.Option{BodyContains: "Authenticated"}),
+			now:           now,
+			stdout:        &stdout,
+		})
+		assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(time.Hour))
+	})
+
+	t.Run("TLSData", func(t *testing.T) {
+		t.Parallel()
+		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+		defer cancel()
+		sv := oidcserver.New(t, keypair.Server, oidcserver.Config{
+			Want: oidcserver.Want{
+				Scope:             "openid",
+				RedirectURIPrefix: "http://localhost:",
+			},
+			Response: oidcserver.Response{
+				IDTokenExpiry: now.Add(time.Hour),
+			},
+		})
+		defer sv.Shutdown(t, ctx)
+		var stdout bytes.Buffer
+		runGetToken(t, ctx, getTokenConfig{
+			tokenCacheDir: tokenCacheDir,
+			issuerURL:     sv.IssuerURL(),
+			httpDriver:    httpdriver.New(ctx, t, httpdriver.Option{TLSConfig: keypair.Server.TLSConfig, BodyContains: "Authenticated"}),
+			now:           now,
+			stdout:        &stdout,
+			args:          []string{"--certificate-authority-data", keypair.Server.CACertBase64},
+		})
+		assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(time.Hour))
+	})
+
+	t.Run("ExtraScopes", func(t *testing.T) {
+		t.Parallel()
+		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+		defer cancel()
+		sv := oidcserver.New(t, keypair.None, oidcserver.Config{
+			Want: oidcserver.Want{
+				Scope:             "email profile openid",
+				RedirectURIPrefix: "http://localhost:",
+			},
+			Response: oidcserver.Response{
+				IDTokenExpiry: now.Add(time.Hour),
+			},
+		})
+		defer sv.Shutdown(t, ctx)
+		var stdout bytes.Buffer
+		runGetToken(t, ctx, getTokenConfig{
+			tokenCacheDir: tokenCacheDir,
+			issuerURL:     sv.IssuerURL(),
+			httpDriver:    httpdriver.New(ctx, t, httpdriver.Option{BodyContains: "Authenticated"}),
+			now:           now,
+			stdout:        &stdout,
+			args: []string{
+				"--oidc-extra-scope", "email",
+				"--oidc-extra-scope", "profile",
+			},
+		})
+		assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(time.Hour))
+	})
+
+	t.Run("OpenURLAfterAuthentication", func(t *testing.T) {
+		t.Parallel()
+		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+		defer cancel()
+		sv := oidcserver.New(t, keypair.None, oidcserver.Config{
+			Want: oidcserver.Want{
+				Scope:             "openid",
+				RedirectURIPrefix: "http://localhost:",
+			},
+			Response: oidcserver.Response{
+				IDTokenExpiry: now.Add(time.Hour),
+			},
+		})
+		defer sv.Shutdown(t, ctx)
+		var stdout bytes.Buffer
+		runGetToken(t, ctx, getTokenConfig{
+			tokenCacheDir: tokenCacheDir,
+			issuerURL:     sv.IssuerURL(),
+			httpDriver:    httpdriver.New(ctx, t, httpdriver.Option{BodyContains: "URL=https://example.com/success"}),
+			now:           now,
+			stdout:        &stdout,
+			args:          []string{"--open-url-after-authentication", "https://example.com/success"},
+		})
+		assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(time.Hour))
+	})
+
+	t.Run("RedirectURLHostname", func(t *testing.T) {
+		t.Parallel()
+		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+		defer cancel()
+		sv := oidcserver.New(t, keypair.None, oidcserver.Config{
+			Want: oidcserver.Want{
+				Scope:             "openid",
+				RedirectURIPrefix: "http://127.0.0.1:",
+			},
+			Response: oidcserver.Response{
+				IDTokenExpiry: now.Add(time.Hour),
+			},
+		})
+		defer sv.Shutdown(t, ctx)
+		var stdout bytes.Buffer
+		runGetToken(t, ctx, getTokenConfig{
+			tokenCacheDir: tokenCacheDir,
+			issuerURL:     sv.IssuerURL(),
+			httpDriver:    httpdriver.New(ctx, t, httpdriver.Option{BodyContains: "Authenticated"}),
+			now:           now,
+			stdout:        &stdout,
+			args:          []string{"--oidc-redirect-url-hostname", "127.0.0.1"},
+		})
+		assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(time.Hour))
+	})
+
+	t.Run("RedirectURLHTTPS", func(t *testing.T) {
+		t.Parallel()
+		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+		defer cancel()
+		sv := oidcserver.New(t, keypair.None, oidcserver.Config{
+			Want: oidcserver.Want{
+				Scope:             "openid",
+				RedirectURIPrefix: "https://localhost:",
+			},
+			Response: oidcserver.Response{
+				IDTokenExpiry: now.Add(time.Hour),
+			},
+		})
+		defer sv.Shutdown(t, ctx)
+		var stdout bytes.Buffer
+		runGetToken(t, ctx, getTokenConfig{
+			tokenCacheDir: tokenCacheDir,
+			issuerURL:     sv.IssuerURL(),
+			httpDriver: httpdriver.New(ctx, t, httpdriver.Option{
+				TLSConfig:    keypair.Server.TLSConfig,
+				BodyContains: "Authenticated",
+			}),
+			now:    now,
+			stdout: &stdout,
+			args: []string{
+				"--local-server-cert", keypair.Server.CertPath,
+				"--local-server-key", keypair.Server.KeyPath,
+			},
+		})
+		assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(time.Hour))
+	})
+
+	t.Run("ExtraParams", func(t *testing.T) {
+		t.Parallel()
+		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+		defer cancel()
+		sv := oidcserver.New(t, keypair.None, oidcserver.Config{
+			Want: oidcserver.Want{
+				Scope:             "openid",
+				RedirectURIPrefix: "http://localhost:",
+				ExtraParams: map[string]string{
+					"ttl":    "86400",
+					"reauth": "false",
+				},
+			},
+			Response: oidcserver.Response{
+				IDTokenExpiry: now.Add(time.Hour),
+			},
+		})
+		defer sv.Shutdown(t, ctx)
+		var stdout bytes.Buffer
+		runGetToken(t, ctx, getTokenConfig{
+			tokenCacheDir: tokenCacheDir,
+			issuerURL:     sv.IssuerURL(),
+			httpDriver:    httpdriver.New(ctx, t, httpdriver.Option{BodyContains: "Authenticated"}),
+			now:           now,
+			stdout:        &stdout,
+			args: []string{
+				"--oidc-auth-request-extra-params", "ttl=86400",
+				"--oidc-auth-request-extra-params", "reauth=false",
+			},
+		})
+		assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(time.Hour))
+	})
+}
+
+type getTokenConfig struct {
+	tokenCacheDir string
+	issuerURL     string
+	httpDriver    browser.Interface
+	stdout        io.Writer
+	now           time.Time
+	args          []string
+}
+
+func runGetToken(t *testing.T, ctx context.Context, cfg getTokenConfig) {
+	cmd := di.NewCmdForHeadless(clock.Fake(cfg.now), os.Stdin, cfg.stdout, logger.New(t), cfg.httpDriver)
+	exitCode := cmd.Run(ctx, append([]string{
+		"kubelogin",
+		"get-token",
+		"--token-cache-dir", cfg.tokenCacheDir,
+		"--oidc-issuer-url", cfg.issuerURL,
+		"--oidc-client-id", "kubernetes",
+		"--listen-address", "127.0.0.1:0",
+	}, cfg.args...), "latest")
+	if exitCode != 0 {
+		t.Errorf("exit status wants 0 but %d", exitCode)
+	}
+}
+
+func assertCredentialPluginStdout(t *testing.T, stdout io.Reader, token string, expiry time.Time) {
+	var got clientauthenticationv1beta1.ExecCredential
+	if err := json.NewDecoder(stdout).Decode(&got); err != nil {
+		t.Errorf("could not decode json of the credential plugin: %s", err)
+		return
+	}
+	want := clientauthenticationv1beta1.ExecCredential{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: "client.authentication.k8s.io/v1beta1",
+			Kind:       "ExecCredential",
+		},
+		Status: &clientauthenticationv1beta1.ExecCredentialStatus{
+			Token:               token,
+			ExpirationTimestamp: &metav1.Time{Time: expiry},
+		},
+	}
+	if diff := cmp.Diff(want, got); diff != "" {
+		t.Errorf("kubeconfig mismatch (-want +got):\n%s", diff)
+	}
+}

integration_test/httpdriver/http_driver.go

@@ -0,0 +1,78 @@
+// Package httpdriver provides a test double of the browser.
+package httpdriver
+
+import (
+	"context"
+	"crypto/tls"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+)
+
+type Option struct {
+	TLSConfig    *tls.Config
+	BodyContains string
+}
+
+// New returns a client to simulate browser access.
+func New(ctx context.Context, t *testing.T, o Option) *client {
+	return &client{ctx, t, o}
+}
+
+// Zero returns a client which call is not expected.
+func Zero(t *testing.T) *zeroClient {
+	return &zeroClient{t}
+}
+
+type client struct {
+	ctx context.Context
+	t   *testing.T
+	o   Option
+}
+
+func (c *client) Open(url string) error {
+	client := http.Client{Transport: &http.Transport{TLSClientConfig: c.o.TLSConfig}}
+	req, err := http.NewRequest("GET", url, nil)
+	if err != nil {
+		c.t.Errorf("could not create a request: %s", err)
+		return nil
+	}
+	req = req.WithContext(c.ctx)
+	resp, err := client.Do(req)
+	if err != nil {
+		c.t.Errorf("could not send a request: %s", err)
+		return nil
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode != 200 {
+		c.t.Errorf("StatusCode wants 200 but %d", resp.StatusCode)
+	}
+	b, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		c.t.Errorf("could not read body: %s", err)
+		return nil
+	}
+	body := string(b)
+	if !strings.Contains(body, c.o.BodyContains) {
+		c.t.Errorf("body should contain %s but was %s", c.o.BodyContains, body)
+	}
+	return nil
+}
+
+func (c *client) OpenCommand(_ context.Context, url, _ string) error {
+	return c.Open(url)
+}
+
+type zeroClient struct {
+	t *testing.T
+}
+
+func (c *zeroClient) Open(url string) error {
+	c.t.Errorf("unexpected function call Open(%s)", url)
+	return nil
+}
+
+func (c *zeroClient) OpenCommand(_ context.Context, url, _ string) error {
+	return c.Open(url)
+}

integration_test/keypair/keypair.go

@@ -0,0 +1,62 @@
+package keypair
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/base64"
+	"io"
+	"io/ioutil"
+	"os"
+	"strings"
+)
+
+// KeyPair represents a pair of certificate and key.
+type KeyPair struct {
+	CertPath     string
+	KeyPath      string
+	CACertPath   string
+	CACertBase64 string
+	TLSConfig    *tls.Config
+}
+
+// None represents non-TLS.
+var None KeyPair
+
+// Server is a KeyPair for TLS server.
+// These files should be generated by Makefile before test.
+var Server = KeyPair{
+	CertPath:     "keypair/testdata/server.crt",
+	KeyPath:      "keypair/testdata/server.key",
+	CACertPath:   "keypair/testdata/ca.crt",
+	CACertBase64: readAsBase64("keypair/testdata/ca.crt"),
+	TLSConfig:    newTLSConfig("keypair/testdata/ca.crt"),
+}
+
+func readAsBase64(name string) string {
+	f, err := os.Open(name)
+	if err != nil {
+		panic(err)
+	}
+	defer f.Close()
+	var s strings.Builder
+	e := base64.NewEncoder(base64.StdEncoding, &s)
+	if _, err := io.Copy(e, f); err != nil {
+		panic(err)
+	}
+	if err := e.Close(); err != nil {
+		panic(err)
+	}
+	return s.String()
+}
+
+func newTLSConfig(name string) *tls.Config {
+	b, err := ioutil.ReadFile(name)
+	if err != nil {
+		panic(err)
+	}
+	p := x509.NewCertPool()
+	if !p.AppendCertsFromPEM(b) {
+		panic("could not append the CA cert")
+	}
+	return &tls.Config{RootCAs: p}
+}

integration_test/keypair/testdata/Makefile

@@ -0,0 +1,26 @@
+EXPIRY := 3650
+OUTPUT_DIR := testdata
+TARGETS := ca.key
+TARGETS += ca.crt
+TARGETS += server.key
+TARGETS += server.crt
+
+.PHONY: all
+all: $(TARGETS)
+
+ca.key:
+	openssl genrsa -out $@ 2048
+ca.csr: ca.key
+	openssl req -new -key ca.key -out $@ -subj "/CN=hello-ca" -config openssl.cnf
+ca.crt: ca.key ca.csr
+	openssl x509 -req -in ca.csr -signkey ca.key -out $@ -days $(EXPIRY)
+server.key:
+	openssl genrsa -out $@ 2048
+server.csr: openssl.cnf server.key
+	openssl req -new -key server.key -out $@ -subj "/CN=localhost" -config openssl.cnf
+server.crt: openssl.cnf server.csr ca.crt ca.key
+	openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out $@ -sha256 -days $(EXPIRY) -extensions v3_req -extfile openssl.cnf
+
+.PHONY: clean
+clean:
+	-rm -v $(TARGETS)

integration_test/keypair/testdata/ca.crt

@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICojCCAYoCCQCNsdXicWqF2DANBgkqhkiG9w0BAQUFADATMREwDwYDVQQDDAho
+ZWxsby1jYTAeFw0yMDAyMDYwMTMzMzNaFw0zMDAyMDMwMTMzMzNaMBMxETAPBgNV
+BAMMCGhlbGxvLWNhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxcPN
+dS88B6ewqVn/m9yO74OLIwNrqMci8l7olP9XlcJhxUZs+3WZQpsSj5nC4yEx8uPQ
+bTtBKnXXVDe+8k7OsLTruu9+isTaYk4o/TZbuw/N31ZAiT0pJw8hdypTQyMLbeDr
+Vl4bbrfbYywx30DyrHxUkgzOWs459Uwc1wWu0W7M21GY4KENHFE3OAcD58FMvvrh
+vgkslATwwW4M2UtXUFJ8XHh26g/J450DU2gwNxpcSdIsvFE6zSyAxU55RElph7mE
+ru9cNWAYhCRZvlZQ2VlH7C6JQ3SHyA9RZmBbPpXhtl9zavFkGx2MEwDp/3FmUukR
+yJnS2KnAo0QdBeS1LQIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQAXGfoDwuKY4TyF
+fhKg553Y5I6VDCDc97jyW9yyfc0kvPjQc4EGQV+1eQqMSeh2THpgEEKk9hH/g35a
+grPRcBTsEWpbQd16yWyulQeyOtPeWZB2FvAigMaAdMmeXlTs6++gJ6PjPuACa2Jl
+nJ/AjCqKFxkn0yEVkPTY0c/I9A12xhCmATqIrQiK1pPowiFxQb4M8Cm0z0AkaJZr
+iW0NCOJlLzBqRpFquL4umNaIsxTmOshfM70NpQGRjKREBuK6S0qWsRR0wz4b9Rvi
+62qW4zU94q2EDIoCItjHP4twGENXJDC0vLCsKfA5AvbPzszd5/4ifYe2C00Rn7/O
+lIxrspMm
+-----END CERTIFICATE-----

integration_test/keypair/testdata/ca.csr

@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICrDCCAZQCAQAwEzERMA8GA1UEAwwIaGVsbG8tY2EwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQDFw811LzwHp7CpWf+b3I7vg4sjA2uoxyLyXuiU/1eV
+wmHFRmz7dZlCmxKPmcLjITHy49BtO0EqdddUN77yTs6wtOu6736KxNpiTij9Nlu7
+D83fVkCJPSknDyF3KlNDIwtt4OtWXhtut9tjLDHfQPKsfFSSDM5azjn1TBzXBa7R
+bszbUZjgoQ0cUTc4BwPnwUy++uG+CSyUBPDBbgzZS1dQUnxceHbqD8njnQNTaDA3
+GlxJ0iy8UTrNLIDFTnlESWmHuYSu71w1YBiEJFm+VlDZWUfsLolDdIfID1FmYFs+
+leG2X3Nq8WQbHYwTAOn/cWZS6RHImdLYqcCjRB0F5LUtAgMBAAGgVDBSBgkqhkiG
+9w0BCQ4xRTBDMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMBQGA1UdEQQNMAuCCWxv
+Y2FsaG9zdDATBgNVHSUEDDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOCAQEA
+o/Uthp3NWx0ydTn/GBZI+vA3gI7Qd9UwLvwkeinldRlPM9DOXpG6LR0C40f6u+fj
+mXvUDerveYJI8rpo+Ds0UVqy63AH/zZLG7M96L5Nv2KnK40bkfVNez858Yqp1u17
+/ci1ZsQIElU5v2qKozaHdQThDVtD5ZZdZoQwLvBLE/Dwpe/4VZZFh8smPMR+Mhcq
++b7gpSy1RiUffk0ZMjuF9Nc9OODdQMTCf+86i0qWXGVzkhfHKAGv+xarHEztcmxF
+GUgUYW8DMvYBjEzaGRM1n0aIFkQO6y8SUXvGMIGBSMC4jfBH3ghIXg1+nD6Uah4D
+16r+CLjFsDUdn/DK/fIQVw==
+-----END CERTIFICATE REQUEST-----

integration_test/keypair/testdata/ca.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAxcPNdS88B6ewqVn/m9yO74OLIwNrqMci8l7olP9XlcJhxUZs
++3WZQpsSj5nC4yEx8uPQbTtBKnXXVDe+8k7OsLTruu9+isTaYk4o/TZbuw/N31ZA
+iT0pJw8hdypTQyMLbeDrVl4bbrfbYywx30DyrHxUkgzOWs459Uwc1wWu0W7M21GY
+4KENHFE3OAcD58FMvvrhvgkslATwwW4M2UtXUFJ8XHh26g/J450DU2gwNxpcSdIs
+vFE6zSyAxU55RElph7mEru9cNWAYhCRZvlZQ2VlH7C6JQ3SHyA9RZmBbPpXhtl9z
+avFkGx2MEwDp/3FmUukRyJnS2KnAo0QdBeS1LQIDAQABAoIBAHSoWtMsaMnPNlu/
+thM32K0auIGP6/rkdQ3pxGLX+M9jmY7oSzNOHHj4xssklZyroS45CmLU2Ez2tG1+
+cMm4iR4dqwxbaBbtpjDlEDLF1PiUiwmadHlANb1PpJsJwZHR41UOn2QUITR/ig+H
+K2gZhM0QjkaU/Uj9a5zyJ/UC6iupmgCtj8ij65B49qKMODxV4gqZstRSZiJ3gb6R
+TBeR3PUWQS62MZueEQz2eF0eXkXKsFWcbLfHArjfIJ533zW68A0vabgqOhCwJTks
++rkyaKUjEwJJQcgpCfUI4t9HAwICqYtw0fQdDDaMak2XTDFnGHn1/VfSi818U5Sa
+jZ+/uIECgYEA4uCd5ISsLWebSv2r5f97N8+WcW0MSJ0XP5MniiMvlaNOtJmoN3H0
+PlgR3uwpH9TNWHITZEEb/I93r2E3f24v2018g0uJuwiRDusxHs7yuxw/93Y5rwtG
+3twL1k0GyeLCxfM2y2QQU/awXISx7nNk2f0umvTWmjrEw632oQSWCSECgYEA3yaF
+zDk7k1u1GdZAh+pQAyUtjzHSvQjiE2JzLaH8BTorACrczRascX5yyMi0QfLYnoYt
+UL9dCb4Z8HUclj55kBSx8anvVtf3XAT3hZ3sm8LV3JLGDeURGS8rGdV+tyFk7zw9
+XgvaLj3xjB5CoJvtOhbXvqF9M9yp4TMBb5El7o0CgYBTx5Bm15thNPZCrgQxbbOJ
+u42ZmyRDGEeCgYvDVhT3VBP3WxqkRt9juk/3GwxgpcuikpWYmvaDwFL5H5RH6V+g
+wy9sqJNWzuYKNU2xS8iU0ezJLA5HFon4OBfi7hTIroUwZgzg9LWW2+zqbVHrdQ9T
+9Eumiy1ITNVmUTJW6YOiIQKBgBE4BsEAdZFkVTAeMTKLqQrlFoPjI1DE27UFNsAB
+rNG2cFT9+bW1ly7WxAKsQgSIuaBZ2CtP6Nz0l0nPr5oEThsJDcYJB9faqFKoa3Ua
+/4PxX9E6Xh/6WfxogFno+HMnF4PCUTXtkjNZQkc+moOMJJ0D4DfsfB3BXDZtWiIC
+wDuNAoGBAN5ZFTXwE1VpWxIWq5dV9+0aVOP/eB+h7Pt+u2xyRip31FGcpGEzGniu
+VmOzWApW7NmvD0QWtstJWlCpsw+rOptAL0oVunlB70KuYuA+2Q5g/Cw3kUrvXqbe
+mkCoV21eFAmpU+I6z/n7pUDXPuUsmTkzmwedv0HUuNSQJmHZOMPD
+-----END RSA PRIVATE KEY-----

integration_test/keypair/testdata/ca.srl

@@ -0,0 +1 @@
+9E12C7A1AF348811

integration_test/keypair/testdata/openssl.cnf

@@ -0,0 +1,14 @@
+[ req ]
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+
+[ req_distinguished_name ]
+
+[ v3_req ]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectAltName = @alt_names
+extendedKeyUsage = serverAuth
+
+[alt_names]
+DNS.1 = localhost

integration_test/keypair/testdata/server.crt

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC7zCCAdegAwIBAgIJAJ4Sx6GvNIgRMA0GCSqGSIb3DQEBCwUAMBMxETAPBgNV
+BAMMCGhlbGxvLWNhMB4XDTIwMDIwNjAxMzMzM1oXDTMwMDIwMzAxMzMzM1owFDES
+MBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEA3CJvDbbiiY/o9lgzeABLCtZe56h2w9Dzejy02M6F7yVyphLtJr+/AxI8k5Er
+MFRitkzgIUkLn/90CZjPI3k5OnLtUAJ4XLj4gUGjziy4TKyVaU0XK41ZSbDAchbW
+349lsEgW5ZnL4qNaZeCvvbYec+RroVc6ZXCcDp4BATTkC3gSVF92+TzrrlbkZ5+W
+YVeoMpAPWDPq2zwQx4RcYlpkpI/fzLezRqjRcZJx3FDgkGuwwhzXfVUpxJ/DYLXZ
+yHCKyaT7e8YIs8e7TRekOwrLCfssfhJSdWopf6aYRZFV+2ovP0Nggn6XJNh/g1QK
+o4wzJAf6v5WMc0jEvb7EuSG+nwIDAQABo0UwQzAJBgNVHRMEAjAAMAsGA1UdDwQE
+AwIF4DAUBgNVHREEDTALgglsb2NhbGhvc3QwEwYDVR0lBAwwCgYIKwYBBQUHAwEw
+DQYJKoZIhvcNAQELBQADggEBACqlq8b7trNRtKUm1PbY7dnrAFCOnV4OT2R98s17
+Q6tmCXM1DvQ101W0ih/lh6iPyU4JM2A0kvO+gizuL/Dmvb6oh+3ox0mMLposptso
+gCE1K3SXlvlcLdM6hXRJ5+XwlSCHM6o2Y4yABnKjT6Zr+CMh86a5abDx33hkJ4QR
+6I+/iBHVLiCVv0wUF3jD/T+HxinEQrB4cQsSgKmfPClrc8n7rkWWE+MdwEL4VZCH
+ufabw178aYibVvJ8k3rushjLlftkDyCNno2rz8YWrnaxabVR0EqSPInyYQenmv2r
+/CedVKpmdH2RV8ubkwqa0s6cmpRkyu6FS2g3LviJhmm0nwQ=
+-----END CERTIFICATE-----

integration_test/keypair/testdata/server.csr

@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICrTCCAZUCAQAwFDESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEA3CJvDbbiiY/o9lgzeABLCtZe56h2w9Dzejy02M6F
+7yVyphLtJr+/AxI8k5ErMFRitkzgIUkLn/90CZjPI3k5OnLtUAJ4XLj4gUGjziy4
+TKyVaU0XK41ZSbDAchbW349lsEgW5ZnL4qNaZeCvvbYec+RroVc6ZXCcDp4BATTk
+C3gSVF92+TzrrlbkZ5+WYVeoMpAPWDPq2zwQx4RcYlpkpI/fzLezRqjRcZJx3FDg
+kGuwwhzXfVUpxJ/DYLXZyHCKyaT7e8YIs8e7TRekOwrLCfssfhJSdWopf6aYRZFV
++2ovP0Nggn6XJNh/g1QKo4wzJAf6v5WMc0jEvb7EuSG+nwIDAQABoFQwUgYJKoZI
+hvcNAQkOMUUwQzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIF4DAUBgNVHREEDTALggls
+b2NhbGhvc3QwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQADggEB
+ACUQ0j3XuUZY3fso5tEgOGVjVsTU+C4pIsEw3e1KyIB93i56ANKaq1uBLtnlWtYi
+R4RxZ3Sf08GzoEHAHpWoQ4BQ3WGDQjxSdezbudWMuNnNyvyhkh36tmmp/PLA4iZD
+Q/d1odzGWg1HMqY0/Q3hfz40MQ9IEBBm+5zKw3tLsKNIKdSdlY7Ul3Z9PUsqsOVW
+uF0LKsTMEh1CpbYnOBS2EQjComVM5kYfdQwDNh+BMok8rH7mHFYRmrwYUrU9njsM
+eoKqhLkoSu6hw1Cgd9Yru5lC541KfxsSN4Cj6rkm+Qv/5zjvIPxYZ+akSQQR9hR3
+2O9THHKqaQS0xmD+y8NjfYk=
+-----END CERTIFICATE REQUEST-----

integration_test/keypair/testdata/server.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA3CJvDbbiiY/o9lgzeABLCtZe56h2w9Dzejy02M6F7yVyphLt
+Jr+/AxI8k5ErMFRitkzgIUkLn/90CZjPI3k5OnLtUAJ4XLj4gUGjziy4TKyVaU0X
+K41ZSbDAchbW349lsEgW5ZnL4qNaZeCvvbYec+RroVc6ZXCcDp4BATTkC3gSVF92
++TzrrlbkZ5+WYVeoMpAPWDPq2zwQx4RcYlpkpI/fzLezRqjRcZJx3FDgkGuwwhzX
+fVUpxJ/DYLXZyHCKyaT7e8YIs8e7TRekOwrLCfssfhJSdWopf6aYRZFV+2ovP0Ng
+gn6XJNh/g1QKo4wzJAf6v5WMc0jEvb7EuSG+nwIDAQABAoIBAEYvWFb4C0wurOj2
+ABrvhP2Ekaesh4kxMp+zgTlqxzsTJnWarS/gjKcPBm9KJon3La3P3tnd7y3pBXcV
+2F0IBl4DTHRpBTUS6HBVnENc8LnJgK2dHZkOLPyYtRLrA0Et+A73PQ2hNmchC+5V
+b9K9oQH0Pvim1gCHocnrSIi480hQPazO9/gnHvFtu9Tdsx9kM9jgChhh5VaR+nzM
+uw6MpUSzCri3/W6K5Hz8F1lLQcZ6o3vyyFtLPjFrWT4J1UiHqAoxuCGeWTvMbGQl
+9Cg0SMX4FLBpbIoMonhM3hb9Cw3FVRGU/1i4oF+gEIGlX/v9CPT5HAZmD59rawc8
+11x7yTECgYEA8EYVGKauLHeI1nJdCoVrWI73W1wtwt6prJbzltpoAR4tb3Qu6gBX
+JQNd+Ifhl28lK6lPnCGk/SsmfiKSp/XE4IyS1GBd2LpxWj5R50GePCg4hAzk9Xyx
+M9SJAFQw73pODgu4RWFXTCOMo9crahJ6X/O+MckHqbFqqohJ8nChGDkCgYEA6oro
+Ql/ymO7UdYCay7OlzKeg8ud6XgkZ+wkpSG/5TQ0QZWVN3aSOLztEdVfh3PAqWob0
+KgVhLmq6CYwq+HSzU92bvFqCgYUMU8tYzeRboGLxyEdAGL+EW0j8wQyZKYR5cNz4
+yM0hpM6kbJ0zZqkYVM/XfRT2RTGwTMakF/FOHZcCgYEAmf4guTriuIcoAWEstniK
+Myj16ezrO1Df6Eia+B0kuUqxDhSlmL39HDDLQmU8NYU7in8qEcQSbVwBgKgB3HoM
+42nVFR5qJ2RfD9qPPar1klKo3iExgRCYtcJKyBYtgt6dNi1WvcjEXX0PP1bBcWtE
+WUjrphbUvXKDDabp1eNPrCkCgYBOw/F2APTeyS4Oe+8AQ8eFcDIMARLGK7ZO6Oe1
+TO1jI+UCuD+rFI0vbW7zHV1brkf6+OFcj0vwo6TweeMgZ0il/IFFgvva9UyLg3nC
+Q1NGDJR4Fv1+kiqn4V4IkuuI1tVVws/F16XZzA/J7g0KB/WE3fvXJMgDuskjL36C
+D+aU5wKBgQCvEg+mJYny1QiR/mQuowX34xf4CkMl7Xq9YDH7W/3AlwuPrPNHaZjh
+SvSCz9I8vV0E4ur6atazgCblnvA/G3d4r8YYx+e1l30WJHMgoZRxxHMH74tmUPAj
+Klic16BJikSQclMeFdlJqf2UHd37eEuYnxorpep8YGP7/eN1ghHWAw==
+-----END RSA PRIVATE KEY-----

integration_test/kubeconfig/kubeconfig.go

@@ -2,8 +2,8 @@ package kubeconfig
 
 import (
 	"html/template"
-	"io/ioutil"
 	"os"
+	"path/filepath"
 	"testing"
 
 	"gopkg.in/yaml.v2"
@@ -22,7 +22,7 @@ type Values struct {
 // Create creates a kubeconfig file and returns path to it.
 func Create(t *testing.T, v *Values) string {
 	t.Helper()
-	f, err := ioutil.TempFile("", "kubeconfig")
+	f, err := os.Create(filepath.Join(t.TempDir(), "kubeconfig"))
 	if err != nil {
 		t.Fatal(err)
 	}

integration_test/oidcserver/handler/handler.go

@@ -1,25 +1,24 @@
-// Package idp provides a test double of the identity provider of OpenID Connect.
-package idp
+// Package handler provides a HTTP handler for the OpenID Connect Provider.
+package handler
 
 import (
 	"encoding/json"
+	"errors"
 	"fmt"
 	"net/http"
 	"testing"
-
-	"golang.org/x/xerrors"
 )
 
-func NewHandler(t *testing.T, service Service) *Handler {
-	return &Handler{t, service}
+func New(t *testing.T, provider Provider) *Handler {
+	return &Handler{t, provider}
 }
 
-// Handler provides a HTTP handler for the identity provider of OpenID Connect.
-// You need to implement the Service interface.
+// Handler provides a HTTP handler for the OpenID Connect Provider.
+// You need to implement the Provider interface.
 // Note that this skips some security checks and is only for testing.
 type Handler struct {
-	t       *testing.T
-	service Service
+	t        *testing.T
+	provider Provider
 }
 
 func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
@@ -29,7 +28,7 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		h.t.Logf("%d %s %s", wr.statusCode, r.Method, r.RequestURI)
 		return
 	}
-	if errResp := new(ErrorResponse); xerrors.As(err, &errResp) {
+	if errResp := new(ErrorResponse); errors.As(err, &errResp) {
 		h.t.Logf("400 %s %s: %s", r.Method, r.RequestURI, err)
 		w.Header().Add("Content-Type", "application/json")
 		w.WriteHeader(400)
@@ -58,74 +57,80 @@ func (h *Handler) serveHTTP(w http.ResponseWriter, r *http.Request) error {
 	p := r.URL.Path
 	switch {
 	case m == "GET" && p == "/.well-known/openid-configuration":
-		discoveryResponse := h.service.Discovery()
+		discoveryResponse := h.provider.Discovery()
 		w.Header().Add("Content-Type", "application/json")
 		e := json.NewEncoder(w)
 		if err := e.Encode(discoveryResponse); err != nil {
-			return xerrors.Errorf("could not render json: %w", err)
+			return fmt.Errorf("could not render json: %w", err)
 		}
 	case m == "GET" && p == "/certs":
-		certificatesResponse := h.service.GetCertificates()
+		certificatesResponse := h.provider.GetCertificates()
 		w.Header().Add("Content-Type", "application/json")
 		e := json.NewEncoder(w)
 		if err := e.Encode(certificatesResponse); err != nil {
-			return xerrors.Errorf("could not render json: %w", err)
+			return fmt.Errorf("could not render json: %w", err)
 		}
 	case m == "GET" && p == "/auth":
-		// 3.1.2.1. Authentication Request
-		// https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
 		q := r.URL.Query()
-		redirectURI, scope, state, nonce := q.Get("redirect_uri"), q.Get("scope"), q.Get("state"), q.Get("nonce")
-		code, err := h.service.AuthenticateCode(scope, nonce)
+		redirectURI, state := q.Get("redirect_uri"), q.Get("state")
+		code, err := h.provider.AuthenticateCode(AuthenticationRequest{
+			RedirectURI:         redirectURI,
+			State:               state,
+			Scope:               q.Get("scope"),
+			Nonce:               q.Get("nonce"),
+			CodeChallenge:       q.Get("code_challenge"),
+			CodeChallengeMethod: q.Get("code_challenge_method"),
+			RawQuery:            q,
+		})
 		if err != nil {
-			return xerrors.Errorf("authentication error: %w", err)
+			return fmt.Errorf("authentication error: %w", err)
 		}
 		to := fmt.Sprintf("%s?state=%s&code=%s", redirectURI, state, code)
 		http.Redirect(w, r, to, 302)
 	case m == "POST" && p == "/token":
 		if err := r.ParseForm(); err != nil {
-			return xerrors.Errorf("could not parse the form: %w", err)
+			return fmt.Errorf("could not parse the form: %w", err)
 		}
 		grantType := r.Form.Get("grant_type")
 		switch grantType {
 		case "authorization_code":
-			// 3.1.3.1. Token Request
-			// https://openid.net/specs/openid-connect-core-1_0.html#TokenRequest
-			code := r.Form.Get("code")
-			tokenResponse, err := h.service.Exchange(code)
+			tokenResponse, err := h.provider.Exchange(TokenRequest{
+				Code:         r.Form.Get("code"),
+				CodeVerifier: r.Form.Get("code_verifier"),
+			})
 			if err != nil {
-				return xerrors.Errorf("token request error: %w", err)
+				return fmt.Errorf("token request error: %w", err)
 			}
 			w.Header().Add("Content-Type", "application/json")
 			e := json.NewEncoder(w)
 			if err := e.Encode(tokenResponse); err != nil {
-				return xerrors.Errorf("could not render json: %w", err)
+				return fmt.Errorf("could not render json: %w", err)
 			}
 		case "password":
 			// 4.3. Resource Owner Password Credentials Grant
 			// https://tools.ietf.org/html/rfc6749#section-4.3
 			username, password, scope := r.Form.Get("username"), r.Form.Get("password"), r.Form.Get("scope")
-			tokenResponse, err := h.service.AuthenticatePassword(username, password, scope)
+			tokenResponse, err := h.provider.AuthenticatePassword(username, password, scope)
 			if err != nil {
-				return xerrors.Errorf("authentication error: %w", err)
+				return fmt.Errorf("authentication error: %w", err)
 			}
 			w.Header().Add("Content-Type", "application/json")
 			e := json.NewEncoder(w)
 			if err := e.Encode(tokenResponse); err != nil {
-				return xerrors.Errorf("could not render json: %w", err)
+				return fmt.Errorf("could not render json: %w", err)
 			}
 		case "refresh_token":
 			// 12.1. Refresh Request
 			// https://openid.net/specs/openid-connect-core-1_0.html#RefreshingAccessToken
 			refreshToken := r.Form.Get("refresh_token")
-			tokenResponse, err := h.service.Refresh(refreshToken)
+			tokenResponse, err := h.provider.Refresh(refreshToken)
 			if err != nil {
-				return xerrors.Errorf("token refresh error: %w", err)
+				return fmt.Errorf("token refresh error: %w", err)
 			}
 			w.Header().Add("Content-Type", "application/json")
 			e := json.NewEncoder(w)
 			if err := e.Encode(tokenResponse); err != nil {
-				return xerrors.Errorf("could not render json: %w", err)
+				return fmt.Errorf("could not render json: %w", err)
 			}
 		default:
 			// 5.2. Error Response

integration_test/oidcserver/handler/types.go

@@ -1,23 +1,19 @@
-package idp
-
-//go:generate mockgen -destination mock_idp/mock_service.go github.com/int128/kubelogin/e2e_test/idp Service
+package handler
 
 import (
-	"crypto/rsa"
-	"encoding/base64"
 	"fmt"
-	"math/big"
+	"net/url"
 )
 
-// Service provides discovery and authentication methods.
+// Provider provides discovery and authentication methods.
 // If an implemented method returns an ErrorResponse,
 // the handler will respond 400 and corresponding json of the ErrorResponse.
 // Otherwise, the handler will respond 500 and fail the current test.
-type Service interface {
+type Provider interface {
 	Discovery() *DiscoveryResponse
 	GetCertificates() *CertificatesResponse
-	AuthenticateCode(scope, nonce string) (code string, err error)
-	Exchange(code string) (*TokenResponse, error)
+	AuthenticateCode(req AuthenticationRequest) (code string, err error)
+	Exchange(req TokenRequest) (*TokenResponse, error)
 	AuthenticatePassword(username, password, scope string) (*TokenResponse, error)
 	Refresh(refreshToken string) (*TokenResponse, error)
 }
@@ -38,26 +34,6 @@ type DiscoveryResponse struct {
 	CodeChallengeMethodsSupported     []string `json:"code_challenge_methods_supported"`
 }
 
-// NewDiscoveryResponse returns a DiscoveryResponse for the local server.
-// This is based on https://accounts.google.com/.well-known/openid-configuration.
-func NewDiscoveryResponse(issuer string) *DiscoveryResponse {
-	return &DiscoveryResponse{
-		Issuer:                            issuer,
-		AuthorizationEndpoint:             issuer + "/auth",
-		TokenEndpoint:                     issuer + "/token",
-		JwksURI:                           issuer + "/certs",
-		UserinfoEndpoint:                  issuer + "/userinfo",
-		RevocationEndpoint:                issuer + "/revoke",
-		ResponseTypesSupported:            []string{"code id_token"},
-		SubjectTypesSupported:             []string{"public"},
-		IDTokenSigningAlgValuesSupported:  []string{"RS256"},
-		ScopesSupported:                   []string{"openid", "email", "profile"},
-		TokenEndpointAuthMethodsSupported: []string{"client_secret_post", "client_secret_basic"},
-		CodeChallengeMethodsSupported:     []string{"plain", "S256"},
-		ClaimsSupported:                   []string{"aud", "email", "exp", "iat", "iss", "name", "sub"},
-	}
-}
-
 type CertificatesResponse struct {
 	Keys []*CertificatesResponseKey `json:"keys"`
 }
@@ -71,21 +47,23 @@ type CertificatesResponseKey struct {
 	E   string `json:"e"`
 }
 
-// NewCertificatesResponse returns a CertificatesResponse using the key pair.
-// This is used for verifying a signature of ID token.
-func NewCertificatesResponse(idTokenKeyPair *rsa.PrivateKey) *CertificatesResponse {
-	return &CertificatesResponse{
-		Keys: []*CertificatesResponseKey{
-			{
-				Kty: "RSA",
-				Alg: "RS256",
-				Use: "sig",
-				Kid: "dummy",
-				E:   base64.RawURLEncoding.EncodeToString(big.NewInt(int64(idTokenKeyPair.E)).Bytes()),
-				N:   base64.RawURLEncoding.EncodeToString(idTokenKeyPair.N.Bytes()),
-			},
-		},
-	}
+// AuthenticationRequest represents a type of:
+// https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
+type AuthenticationRequest struct {
+	RedirectURI         string
+	State               string
+	Scope               string // space separated string
+	Nonce               string
+	CodeChallenge       string
+	CodeChallengeMethod string
+	RawQuery            url.Values
+}
+
+// TokenRequest represents a type of:
+// https://openid.net/specs/openid-connect-core-1_0.html#TokenRequest
+type TokenRequest struct {
+	Code         string
+	CodeVerifier string
 }
 
 type TokenResponse struct {
@@ -96,17 +74,6 @@ type TokenResponse struct {
 	IDToken      string `json:"id_token"`
 }
 
-// NewTokenResponse returns a TokenResponse.
-func NewTokenResponse(idToken, refreshToken string) *TokenResponse {
-	return &TokenResponse{
-		TokenType:    "Bearer",
-		ExpiresIn:    3600,
-		AccessToken:  "YOUR_ACCESS_TOKEN",
-		IDToken:      idToken,
-		RefreshToken: refreshToken,
-	}
-}
-
 // ErrorResponse represents an error response described in the following section:
 // 5.2 Error Response
 // https://tools.ietf.org/html/rfc6749#section-5.2

integration_test/oidcserver/http/http.go

@@ -1,7 +1,5 @@
-// Package localserver provides a http server running on localhost.
-// This is only for testing.
-//
-package localserver
+// Package http provides a http server running on localhost for testing.
+package http
 
 import (
 	"context"
@@ -9,7 +7,7 @@ import (
 	"net/http"
 	"testing"
 
-	"github.com/int128/kubelogin/e2e_test/keys"
+	"github.com/int128/kubelogin/integration_test/keypair"
 )
 
 type Shutdowner interface {
@@ -17,28 +15,23 @@ type Shutdowner interface {
 }
 
 type shutdowner struct {
-	l net.Listener
 	s *http.Server
 }
 
 func (s *shutdowner) Shutdown(t *testing.T, ctx context.Context) {
-	// s.Shutdown() closes the lister as well,
-	// so we do not need to call l.Close() explicitly
 	if err := s.s.Shutdown(ctx); err != nil {
-		t.Errorf("Could not shutdown the server: %s", err)
+		t.Errorf("could not shutdown the server: %s", err)
 	}
 }
 
-// Start starts an authentication server.
-// If k is non-nil, it starts a TLS server.
-func Start(t *testing.T, h http.Handler, k keys.Keys) (string, Shutdowner) {
-	if k == keys.None {
+func Start(t *testing.T, h http.Handler, k keypair.KeyPair) (string, Shutdowner) {
+	if k == keypair.None {
 		return startNoTLS(t, h)
 	}
 	return startTLS(t, h, k)
 }
 
-func startNoTLS(t *testing.T, h http.Handler) (string, Shutdowner) {
+func startNoTLS(t *testing.T, h http.Handler) (string, *shutdowner) {
 	t.Helper()
 	l, port := newLocalhostListener(t)
 	url := "http://localhost:" + port
@@ -51,10 +44,10 @@ func startNoTLS(t *testing.T, h http.Handler) (string, Shutdowner) {
 			t.Error(err)
 		}
 	}()
-	return url, &shutdowner{l, s}
+	return url, &shutdowner{s}
 }
 
-func startTLS(t *testing.T, h http.Handler, k keys.Keys) (string, Shutdowner) {
+func startTLS(t *testing.T, h http.Handler, k keypair.KeyPair) (string, *shutdowner) {
 	t.Helper()
 	l, port := newLocalhostListener(t)
 	url := "https://localhost:" + port
@@ -67,7 +60,7 @@ func startTLS(t *testing.T, h http.Handler, k keys.Keys) (string, Shutdowner) {
 			t.Error(err)
 		}
 	}()
-	return url, &shutdowner{l, s}
+	return url, &shutdowner{s}
 }
 
 func newLocalhostListener(t *testing.T) (net.Listener, string) {

integration_test/oidcserver/server.go

@@ -0,0 +1,217 @@
+// Package oidcserver provides a stub of OpenID Connect provider.
+package oidcserver
+
+import (
+	"crypto/sha256"
+	"encoding/base64"
+	"fmt"
+	"math/big"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/int128/kubelogin/integration_test/keypair"
+	"github.com/int128/kubelogin/integration_test/oidcserver/handler"
+	"github.com/int128/kubelogin/integration_test/oidcserver/http"
+	"github.com/int128/kubelogin/pkg/testing/jwt"
+)
+
+type Server interface {
+	http.Shutdowner
+	IssuerURL() string
+	SetConfig(Config)
+	LastTokenResponse() *handler.TokenResponse
+}
+
+// Want represents a set of expected values.
+type Want struct {
+	Scope               string
+	RedirectURIPrefix   string
+	CodeChallengeMethod string            // optional
+	ExtraParams         map[string]string // optional
+	Username            string            // optional
+	Password            string            // optional
+	RefreshToken        string            // optional
+}
+
+// Response represents a set of response values.
+type Response struct {
+	IDTokenExpiry                 time.Time
+	RefreshToken                  string
+	RefreshError                  string   // if set, Refresh() will return the error
+	CodeChallengeMethodsSupported []string // optional
+}
+
+// Config represents a configuration of the OpenID Connect provider.
+type Config struct {
+	Want     Want
+	Response Response
+}
+
+// New starts a HTTP server for the OpenID Connect provider.
+func New(t *testing.T, k keypair.KeyPair, c Config) Server {
+	sv := server{Config: c, t: t}
+	sv.issuerURL, sv.Shutdowner = http.Start(t, handler.New(t, &sv), k)
+	return &sv
+}
+
+type server struct {
+	Config
+	http.Shutdowner
+	t                         *testing.T
+	issuerURL                 string
+	lastAuthenticationRequest *handler.AuthenticationRequest
+	lastTokenResponse         *handler.TokenResponse
+}
+
+func (sv *server) IssuerURL() string {
+	return sv.issuerURL
+}
+
+func (sv *server) SetConfig(cfg Config) {
+	sv.Config = cfg
+}
+
+func (sv *server) LastTokenResponse() *handler.TokenResponse {
+	return sv.lastTokenResponse
+}
+
+func (sv *server) Discovery() *handler.DiscoveryResponse {
+	// based on https://accounts.google.com/.well-known/openid-configuration
+	return &handler.DiscoveryResponse{
+		Issuer:                            sv.issuerURL,
+		AuthorizationEndpoint:             sv.issuerURL + "/auth",
+		TokenEndpoint:                     sv.issuerURL + "/token",
+		JwksURI:                           sv.issuerURL + "/certs",
+		UserinfoEndpoint:                  sv.issuerURL + "/userinfo",
+		RevocationEndpoint:                sv.issuerURL + "/revoke",
+		ResponseTypesSupported:            []string{"code id_token"},
+		SubjectTypesSupported:             []string{"public"},
+		IDTokenSigningAlgValuesSupported:  []string{"RS256"},
+		ScopesSupported:                   []string{"openid", "email", "profile"},
+		TokenEndpointAuthMethodsSupported: []string{"client_secret_post", "client_secret_basic"},
+		CodeChallengeMethodsSupported:     sv.Config.Response.CodeChallengeMethodsSupported,
+		ClaimsSupported:                   []string{"aud", "email", "exp", "iat", "iss", "name", "sub"},
+	}
+}
+
+func (sv *server) GetCertificates() *handler.CertificatesResponse {
+	idTokenKeyPair := jwt.PrivateKey
+	return &handler.CertificatesResponse{
+		Keys: []*handler.CertificatesResponseKey{
+			{
+				Kty: "RSA",
+				Alg: "RS256",
+				Use: "sig",
+				Kid: "dummy",
+				E:   base64.RawURLEncoding.EncodeToString(big.NewInt(int64(idTokenKeyPair.E)).Bytes()),
+				N:   base64.RawURLEncoding.EncodeToString(idTokenKeyPair.N.Bytes()),
+			},
+		},
+	}
+}
+
+func (sv *server) AuthenticateCode(req handler.AuthenticationRequest) (code string, err error) {
+	if req.Scope != sv.Want.Scope {
+		sv.t.Errorf("scope wants `%s` but was `%s`", sv.Want.Scope, req.Scope)
+	}
+	if !strings.HasPrefix(req.RedirectURI, sv.Want.RedirectURIPrefix) {
+		sv.t.Errorf("redirectURI wants prefix `%s` but was `%s`", sv.Want.RedirectURIPrefix, req.RedirectURI)
+	}
+	if req.CodeChallengeMethod != sv.Want.CodeChallengeMethod {
+		sv.t.Errorf("code_challenge_method wants `%s` but was `%s`", sv.Want.CodeChallengeMethod, req.CodeChallengeMethod)
+	}
+	for k, v := range sv.Want.ExtraParams {
+		got := req.RawQuery.Get(k)
+		if got != v {
+			sv.t.Errorf("parameter %s wants `%s` but was `%s`", k, v, got)
+		}
+	}
+	sv.lastAuthenticationRequest = &req
+	return "YOUR_AUTH_CODE", nil
+}
+
+func (sv *server) Exchange(req handler.TokenRequest) (*handler.TokenResponse, error) {
+	if req.Code != "YOUR_AUTH_CODE" {
+		return nil, fmt.Errorf("code wants %s but was %s", "YOUR_AUTH_CODE", req.Code)
+	}
+	if sv.lastAuthenticationRequest.CodeChallengeMethod == "S256" {
+		// https://tools.ietf.org/html/rfc7636#section-4.6
+		challenge := computeS256Challenge(req.CodeVerifier)
+		if challenge != sv.lastAuthenticationRequest.CodeChallenge {
+			sv.t.Errorf("pkce S256 challenge did not match (want %s but was %s)", sv.lastAuthenticationRequest.CodeChallenge, challenge)
+		}
+	}
+	resp := &handler.TokenResponse{
+		TokenType:    "Bearer",
+		ExpiresIn:    3600,
+		AccessToken:  "YOUR_ACCESS_TOKEN",
+		RefreshToken: sv.Response.RefreshToken,
+		IDToken: jwt.EncodeF(sv.t, func(claims *jwt.Claims) {
+			claims.Issuer = sv.issuerURL
+			claims.Subject = "SUBJECT"
+			claims.IssuedAt = sv.Response.IDTokenExpiry.Add(-time.Hour).Unix()
+			claims.ExpiresAt = sv.Response.IDTokenExpiry.Unix()
+			claims.Audience = []string{"kubernetes"}
+			claims.Nonce = sv.lastAuthenticationRequest.Nonce
+		}),
+	}
+	sv.lastTokenResponse = resp
+	return resp, nil
+}
+
+func computeS256Challenge(verifier string) string {
+	c := sha256.Sum256([]byte(verifier))
+	return base64.URLEncoding.WithPadding(base64.NoPadding).EncodeToString(c[:])
+}
+
+func (sv *server) AuthenticatePassword(username, password, scope string) (*handler.TokenResponse, error) {
+	if scope != sv.Want.Scope {
+		sv.t.Errorf("scope wants `%s` but was `%s`", sv.Want.Scope, scope)
+	}
+	if username != sv.Want.Username {
+		sv.t.Errorf("username wants `%s` but was `%s`", sv.Want.Username, username)
+	}
+	if password != sv.Want.Password {
+		sv.t.Errorf("password wants `%s` but was `%s`", sv.Want.Password, password)
+	}
+	resp := &handler.TokenResponse{
+		TokenType:    "Bearer",
+		ExpiresIn:    3600,
+		AccessToken:  "YOUR_ACCESS_TOKEN",
+		RefreshToken: sv.Response.RefreshToken,
+		IDToken: jwt.EncodeF(sv.t, func(claims *jwt.Claims) {
+			claims.Issuer = sv.issuerURL
+			claims.Subject = "SUBJECT"
+			claims.IssuedAt = sv.Response.IDTokenExpiry.Add(-time.Hour).Unix()
+			claims.ExpiresAt = sv.Response.IDTokenExpiry.Unix()
+			claims.Audience = []string{"kubernetes"}
+		}),
+	}
+	sv.lastTokenResponse = resp
+	return resp, nil
+}
+
+func (sv *server) Refresh(refreshToken string) (*handler.TokenResponse, error) {
+	if refreshToken != sv.Want.RefreshToken {
+		sv.t.Errorf("refreshToken wants %s but was %s", sv.Want.RefreshToken, refreshToken)
+	}
+	if sv.Response.RefreshError != "" {
+		return nil, &handler.ErrorResponse{Code: "invalid_request", Description: sv.Response.RefreshError}
+	}
+	resp := &handler.TokenResponse{
+		TokenType:    "Bearer",
+		ExpiresIn:    3600,
+		AccessToken:  "YOUR_ACCESS_TOKEN",
+		RefreshToken: sv.Response.RefreshToken,
+		IDToken: jwt.EncodeF(sv.t, func(claims *jwt.Claims) {
+			claims.Issuer = sv.issuerURL
+			claims.Subject = "SUBJECT"
+			claims.IssuedAt = sv.Response.IDTokenExpiry.Add(-time.Hour).Unix()
+			claims.ExpiresAt = sv.Response.IDTokenExpiry.Unix()
+			claims.Audience = []string{"kubernetes"}
+		}),
+	}
+	sv.lastTokenResponse = resp
+	return resp, nil
+}

integration_test/standalone_test.go

@@ -0,0 +1,334 @@
+package integration_test
+
+import (
+	"context"
+	"os"
+	"testing"
+	"time"
+
+	"github.com/int128/kubelogin/integration_test/httpdriver"
+	"github.com/int128/kubelogin/integration_test/keypair"
+	"github.com/int128/kubelogin/integration_test/kubeconfig"
+	"github.com/int128/kubelogin/integration_test/oidcserver"
+	"github.com/int128/kubelogin/pkg/di"
+	"github.com/int128/kubelogin/pkg/infrastructure/browser"
+	"github.com/int128/kubelogin/pkg/testing/clock"
+	"github.com/int128/kubelogin/pkg/testing/logger"
+)
+
+// Run the integration tests of the Login use-case.
+//
+// 1. Start the auth server.
+// 2. Run the Cmd.
+// 3. Open a request for the local server.
+// 4. Verify the kubeconfig.
+//
+func TestStandalone(t *testing.T) {
+	timeout := 3 * time.Second
+	now := time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC)
+
+	for name, tc := range map[string]struct {
+		keyPair keypair.KeyPair
+		args    []string
+	}{
+		"NoTLS": {},
+		"TLS": {
+			keyPair: keypair.Server,
+		},
+	} {
+		httpDriverOption := httpdriver.Option{
+			TLSConfig:    tc.keyPair.TLSConfig,
+			BodyContains: "Authenticated",
+		}
+
+		t.Run(name, func(t *testing.T) {
+			t.Run("AuthCode", func(t *testing.T) {
+				t.Parallel()
+				ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+				defer cancel()
+				sv := oidcserver.New(t, tc.keyPair, oidcserver.Config{
+					Want: oidcserver.Want{
+						Scope:             "openid",
+						RedirectURIPrefix: "http://localhost:",
+					},
+					Response: oidcserver.Response{
+						IDTokenExpiry: now.Add(time.Hour),
+					},
+				})
+				defer sv.Shutdown(t, ctx)
+				kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
+					Issuer:                  sv.IssuerURL(),
+					IDPCertificateAuthority: tc.keyPair.CACertPath,
+				})
+				defer os.Remove(kubeConfigFilename)
+				runStandalone(t, ctx, standaloneConfig{
+					issuerURL:          sv.IssuerURL(),
+					kubeConfigFilename: kubeConfigFilename,
+					httpDriver:         httpdriver.New(ctx, t, httpDriverOption),
+					now:                now,
+				})
+				kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
+					IDToken:      sv.LastTokenResponse().IDToken,
+					RefreshToken: sv.LastTokenResponse().RefreshToken,
+				})
+			})
+
+			t.Run("ROPC", func(t *testing.T) {
+				t.Parallel()
+				ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+				defer cancel()
+				sv := oidcserver.New(t, tc.keyPair, oidcserver.Config{
+					Want: oidcserver.Want{
+						Scope:             "openid",
+						RedirectURIPrefix: "http://localhost:",
+						Username:          "USER1",
+						Password:          "PASS1",
+					},
+					Response: oidcserver.Response{
+						IDTokenExpiry: now.Add(time.Hour),
+					},
+				})
+				defer sv.Shutdown(t, ctx)
+				kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
+					Issuer:                  sv.IssuerURL(),
+					IDPCertificateAuthority: tc.keyPair.CACertPath,
+				})
+				defer os.Remove(kubeConfigFilename)
+				runStandalone(t, ctx, standaloneConfig{
+					issuerURL:          sv.IssuerURL(),
+					kubeConfigFilename: kubeConfigFilename,
+					httpDriver:         httpdriver.Zero(t),
+					now:                now,
+					args: []string{
+						"--username", "USER1",
+						"--password", "PASS1",
+					},
+				})
+				kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
+					IDToken:      sv.LastTokenResponse().IDToken,
+					RefreshToken: sv.LastTokenResponse().RefreshToken,
+				})
+			})
+
+			t.Run("TokenLifecycle", func(t *testing.T) {
+				t.Parallel()
+				ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+				defer cancel()
+				sv := oidcserver.New(t, tc.keyPair, oidcserver.Config{})
+				defer sv.Shutdown(t, ctx)
+				kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
+					Issuer:                  sv.IssuerURL(),
+					IDPCertificateAuthority: tc.keyPair.CACertPath,
+				})
+				defer os.Remove(kubeConfigFilename)
+
+				t.Run("NoToken", func(t *testing.T) {
+					sv.SetConfig(oidcserver.Config{
+						Want: oidcserver.Want{
+							Scope:             "openid",
+							RedirectURIPrefix: "http://localhost:",
+						},
+						Response: oidcserver.Response{
+							IDTokenExpiry: now.Add(time.Hour),
+							RefreshToken:  "REFRESH_TOKEN_1",
+						},
+					})
+					runStandalone(t, ctx, standaloneConfig{
+						issuerURL:          sv.IssuerURL(),
+						kubeConfigFilename: kubeConfigFilename,
+						httpDriver:         httpdriver.New(ctx, t, httpDriverOption),
+						now:                now,
+					})
+					kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
+						IDToken:      sv.LastTokenResponse().IDToken,
+						RefreshToken: "REFRESH_TOKEN_1",
+					})
+				})
+				t.Run("Valid", func(t *testing.T) {
+					sv.SetConfig(oidcserver.Config{})
+					runStandalone(t, ctx, standaloneConfig{
+						issuerURL:          sv.IssuerURL(),
+						kubeConfigFilename: kubeConfigFilename,
+						httpDriver:         httpdriver.Zero(t),
+						now:                now,
+					})
+					kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
+						IDToken:      sv.LastTokenResponse().IDToken,
+						RefreshToken: "REFRESH_TOKEN_1",
+					})
+				})
+				t.Run("Refresh", func(t *testing.T) {
+					sv.SetConfig(oidcserver.Config{
+						Want: oidcserver.Want{
+							Scope:             "openid",
+							RedirectURIPrefix: "http://localhost:",
+							RefreshToken:      "REFRESH_TOKEN_1",
+						},
+						Response: oidcserver.Response{
+							IDTokenExpiry: now.Add(3 * time.Hour),
+							RefreshToken:  "REFRESH_TOKEN_2",
+						},
+					})
+					runStandalone(t, ctx, standaloneConfig{
+						issuerURL:          sv.IssuerURL(),
+						kubeConfigFilename: kubeConfigFilename,
+						httpDriver:         httpdriver.New(ctx, t, httpDriverOption),
+						now:                now.Add(2 * time.Hour),
+					})
+					kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
+						IDToken:      sv.LastTokenResponse().IDToken,
+						RefreshToken: "REFRESH_TOKEN_2",
+					})
+				})
+				t.Run("RefreshAgain", func(t *testing.T) {
+					sv.SetConfig(oidcserver.Config{
+						Want: oidcserver.Want{
+							Scope:             "openid",
+							RedirectURIPrefix: "http://localhost:",
+							RefreshToken:      "REFRESH_TOKEN_2",
+						},
+						Response: oidcserver.Response{
+							IDTokenExpiry: now.Add(5 * time.Hour),
+						},
+					})
+					runStandalone(t, ctx, standaloneConfig{
+						issuerURL:          sv.IssuerURL(),
+						kubeConfigFilename: kubeConfigFilename,
+						httpDriver:         httpdriver.New(ctx, t, httpDriverOption),
+						now:                now.Add(4 * time.Hour),
+					})
+					kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
+						IDToken:      sv.LastTokenResponse().IDToken,
+						RefreshToken: "REFRESH_TOKEN_2",
+					})
+				})
+			})
+		})
+	}
+
+	t.Run("TLSData", func(t *testing.T) {
+		t.Parallel()
+		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+		defer cancel()
+		sv := oidcserver.New(t, keypair.Server, oidcserver.Config{
+			Want: oidcserver.Want{
+				Scope:             "openid",
+				RedirectURIPrefix: "http://localhost:",
+			},
+			Response: oidcserver.Response{
+				IDTokenExpiry: now.Add(time.Hour),
+			},
+		})
+		defer sv.Shutdown(t, ctx)
+		kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
+			Issuer:                      sv.IssuerURL(),
+			IDPCertificateAuthorityData: keypair.Server.CACertBase64,
+		})
+		defer os.Remove(kubeConfigFilename)
+		runStandalone(t, ctx, standaloneConfig{
+			issuerURL:          sv.IssuerURL(),
+			kubeConfigFilename: kubeConfigFilename,
+			httpDriver:         httpdriver.New(ctx, t, httpdriver.Option{TLSConfig: keypair.Server.TLSConfig}),
+			now:                now,
+		})
+		kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
+			IDToken:      sv.LastTokenResponse().IDToken,
+			RefreshToken: sv.LastTokenResponse().RefreshToken,
+		})
+	})
+
+	t.Run("env_KUBECONFIG", func(t *testing.T) {
+		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+		defer cancel()
+		sv := oidcserver.New(t, keypair.None, oidcserver.Config{
+			Want: oidcserver.Want{
+				Scope:             "openid",
+				RedirectURIPrefix: "http://localhost:",
+			},
+			Response: oidcserver.Response{
+				IDTokenExpiry: now.Add(time.Hour),
+			},
+		})
+		defer sv.Shutdown(t, ctx)
+		kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
+			Issuer: sv.IssuerURL(),
+		})
+		defer os.Remove(kubeConfigFilename)
+		setenv(t, "KUBECONFIG", kubeConfigFilename+string(os.PathListSeparator)+"kubeconfig/testdata/dummy.yaml")
+		defer unsetenv(t, "KUBECONFIG")
+		runStandalone(t, ctx, standaloneConfig{
+			issuerURL:  sv.IssuerURL(),
+			httpDriver: httpdriver.New(ctx, t, httpdriver.Option{}),
+			now:        now,
+		})
+		kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
+			IDToken:      sv.LastTokenResponse().IDToken,
+			RefreshToken: sv.LastTokenResponse().RefreshToken,
+		})
+	})
+
+	t.Run("ExtraScopes", func(t *testing.T) {
+		t.Parallel()
+		ctx, cancel := context.WithTimeout(context.TODO(), timeout)
+		defer cancel()
+		sv := oidcserver.New(t, keypair.None, oidcserver.Config{
+			Want: oidcserver.Want{
+				Scope:             "profile groups openid",
+				RedirectURIPrefix: "http://localhost:",
+			},
+			Response: oidcserver.Response{
+				IDTokenExpiry: now.Add(time.Hour),
+			},
+		})
+		defer sv.Shutdown(t, ctx)
+		kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
+			Issuer:      sv.IssuerURL(),
+			ExtraScopes: "profile,groups",
+		})
+		defer os.Remove(kubeConfigFilename)
+		runStandalone(t, ctx, standaloneConfig{
+			issuerURL:          sv.IssuerURL(),
+			kubeConfigFilename: kubeConfigFilename,
+			httpDriver:         httpdriver.New(ctx, t, httpdriver.Option{}),
+			now:                now,
+		})
+		kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
+			IDToken:      sv.LastTokenResponse().IDToken,
+			RefreshToken: sv.LastTokenResponse().RefreshToken,
+		})
+	})
+}
+
+type standaloneConfig struct {
+	issuerURL          string
+	kubeConfigFilename string
+	httpDriver         browser.Interface
+	now                time.Time
+	args               []string
+}
+
+func runStandalone(t *testing.T, ctx context.Context, cfg standaloneConfig) {
+	cmd := di.NewCmdForHeadless(clock.Fake(cfg.now), os.Stdin, os.Stdout, logger.New(t), cfg.httpDriver)
+	exitCode := cmd.Run(ctx, append([]string{
+		"kubelogin",
+		"--kubeconfig", cfg.kubeConfigFilename,
+		"--listen-address", "127.0.0.1:0",
+	}, cfg.args...), "HEAD")
+	if exitCode != 0 {
+		t.Errorf("exit status wants 0 but %d", exitCode)
+	}
+}
+
+func setenv(t *testing.T, key, value string) {
+	t.Helper()
+	if err := os.Setenv(key, value); err != nil {
+		t.Fatalf("Could not set the env var %s=%s: %s", key, value, err)
+	}
+}
+
+func unsetenv(t *testing.T, key string) {
+	t.Helper()
+	if err := os.Unsetenv(key); err != nil {
+		t.Fatalf("Could not unset the env var %s: %s", key, err)
+	}
+}

kubelogin.rb

@@ -1,15 +0,0 @@
-class Kubelogin < Formula
-  desc "A kubectl plugin for Kubernetes OpenID Connect authentication"
-  homepage "https://github.com/int128/kubelogin"
-  url "https://github.com/int128/kubelogin/releases/download/{{ env "VERSION" }}/kubelogin_darwin_amd64.zip"
-  version "{{ env "VERSION" }}"
-  sha256 "{{ sha256 .darwin_amd64_archive }}"
-  def install
-    bin.install "kubelogin" => "kubelogin"
-    ln_s bin/"kubelogin", bin/"kubectl-oidc_login"
-  end
-  test do
-    system "#{bin}/kubelogin -h"
-    system "#{bin}/kubectl-oidc_login -h"
-  end
-end

oidc-login.yaml

@@ -1,64 +0,0 @@
-apiVersion: krew.googlecontainertools.github.com/v1alpha2
-kind: Plugin
-metadata:
-  name: oidc-login
-spec:
-  homepage: https://github.com/int128/kubelogin
-  shortDescription: Log in to the OpenID Connect provider
-  description: |
-    This is a kubectl plugin for Kubernetes OpenID Connect (OIDC) authentication.
-
-    ## Credential plugin mode
-    kubectl executes oidc-login before calling the Kubernetes APIs.
-    oidc-login automatically opens the browser and you can log in to the provider.
-    After authentication, kubectl gets the token from oidc-login and you can access the cluster.
-    See https://github.com/int128/kubelogin#credential-plugin-mode for more.
-
-    ## Standalone mode
-    Run `kubectl oidc-login`.
-    It automatically opens the browser and you can log in to the provider.
-    After authentication, it writes the token to the kubeconfig and you can access the cluster.
-    See https://github.com/int128/kubelogin#standalone-mode for more.
-
-  caveats: |
-    You need to setup the OIDC provider, Kubernetes API server, role binding and kubeconfig.
-    See https://github.com/int128/kubelogin for more.
-
-  version: {{ env "VERSION" }}
-  platforms:
-    - uri: https://github.com/int128/kubelogin/releases/download/{{ env "VERSION" }}/kubelogin_linux_amd64.zip
-      sha256: "{{ sha256 .linux_amd64_archive }}"
-      bin: kubelogin
-      files:
-        - from: kubelogin
-          to: .
-        - from: LICENSE
-          to: .
-      selector:
-        matchLabels:
-          os: linux
-          arch: amd64
-    - uri: https://github.com/int128/kubelogin/releases/download/{{ env "VERSION" }}/kubelogin_darwin_amd64.zip
-      sha256: "{{ sha256 .darwin_amd64_archive }}"
-      bin: kubelogin
-      files:
-        - from: kubelogin
-          to: .
-        - from: LICENSE
-          to: .
-      selector:
-        matchLabels:
-          os: darwin
-          arch: amd64
-    - uri: https://github.com/int128/kubelogin/releases/download/{{ env "VERSION" }}/kubelogin_windows_amd64.zip
-      sha256: "{{ sha256 .windows_amd64_archive }}"
-      bin: kubelogin.exe
-      files:
-        - from: kubelogin.exe
-          to: .
-        - from: LICENSE
-          to: .
-      selector:
-        matchLabels:
-          os: windows
-          arch: amd64

pkg/adaptors/certpool/cert.go

@@ -1,76 +0,0 @@
-// Package certpool provides loading certificates from files or base64 encoded string.
-package certpool
-
-import (
-	"crypto/tls"
-	"crypto/x509"
-	"encoding/base64"
-	"io/ioutil"
-
-	"github.com/google/wire"
-	"golang.org/x/xerrors"
-)
-
-//go:generate mockgen -destination mock_certpool/mock_certpool.go github.com/int128/kubelogin/pkg/adaptors/certpool FactoryInterface,Interface
-
-// Set provides an implementation and interface.
-var Set = wire.NewSet(
-	wire.Struct(new(Factory), "*"),
-	wire.Bind(new(FactoryInterface), new(*Factory)),
-	wire.Struct(new(CertPool), "*"),
-	wire.Bind(new(Interface), new(*CertPool)),
-)
-
-type FactoryInterface interface {
-	New() Interface
-}
-
-type Factory struct{}
-
-// New returns an instance which implements the Interface.
-func (f *Factory) New() Interface {
-	return &CertPool{pool: x509.NewCertPool()}
-}
-
-type Interface interface {
-	AddFile(filename string) error
-	AddBase64Encoded(s string) error
-	SetRootCAs(cfg *tls.Config)
-}
-
-// CertPool represents a pool of certificates.
-type CertPool struct {
-	pool *x509.CertPool
-}
-
-// SetRootCAs sets cfg.RootCAs if it has any certificate.
-// Otherwise do nothing.
-func (p *CertPool) SetRootCAs(cfg *tls.Config) {
-	if len(p.pool.Subjects()) > 0 {
-		cfg.RootCAs = p.pool
-	}
-}
-
-// AddFile loads the certificate from the file.
-func (p *CertPool) AddFile(filename string) error {
-	b, err := ioutil.ReadFile(filename)
-	if err != nil {
-		return xerrors.Errorf("could not read %s: %w", filename, err)
-	}
-	if !p.pool.AppendCertsFromPEM(b) {
-		return xerrors.Errorf("could not append certificate from %s", filename)
-	}
-	return nil
-}
-
-// AddBase64Encoded loads the certificate from the base64 encoded string.
-func (p *CertPool) AddBase64Encoded(s string) error {
-	b, err := base64.StdEncoding.DecodeString(s)
-	if err != nil {
-		return xerrors.Errorf("could not decode base64: %w", err)
-	}
-	if !p.pool.AppendCertsFromPEM(b) {
-		return xerrors.Errorf("could not append certificate")
-	}
-	return nil
-}

pkg/adaptors/certpool/cert_test.go

@@ -1,62 +0,0 @@
-package certpool
-
-import (
-	"crypto/tls"
-	"io/ioutil"
-	"testing"
-)
-
-func TestCertPool_AddFile(t *testing.T) {
-	t.Run("Valid", func(t *testing.T) {
-		var f Factory
-		p := f.New()
-		if err := p.AddFile("testdata/ca1.crt"); err != nil {
-			t.Errorf("AddFile error: %s", err)
-		}
-		var cfg tls.Config
-		p.SetRootCAs(&cfg)
-		if n := len(cfg.RootCAs.Subjects()); n != 1 {
-			t.Errorf("n wants 1 but was %d", n)
-		}
-	})
-	t.Run("Invalid", func(t *testing.T) {
-		var f Factory
-		p := f.New()
-		err := p.AddFile("testdata/Makefile")
-		if err == nil {
-			t.Errorf("AddFile wants an error but was nil")
-		}
-	})
-}
-
-func TestCertPool_AddBase64Encoded(t *testing.T) {
-	var f Factory
-	p := f.New()
-	if err := p.AddBase64Encoded(readFile(t, "testdata/ca2.crt.base64")); err != nil {
-		t.Errorf("AddBase64Encoded error: %s", err)
-	}
-	var cfg tls.Config
-	p.SetRootCAs(&cfg)
-	if n := len(cfg.RootCAs.Subjects()); n != 1 {
-		t.Errorf("n wants 1 but was %d", n)
-	}
-}
-
-func TestCertPool_SetRootCAs(t *testing.T) {
-	var f Factory
-	p := f.New()
-	var cfg tls.Config
-	p.SetRootCAs(&cfg)
-	if cfg.RootCAs != nil {
-		t.Errorf("cfg.RootCAs wants nil but was %+v", cfg.RootCAs)
-	}
-}
-
-func readFile(t *testing.T, filename string) string {
-	t.Helper()
-	b, err := ioutil.ReadFile(filename)
-	if err != nil {
-		t.Fatalf("ReadFile error: %s", err)
-	}
-	return string(b)
-}

pkg/adaptors/certpool/mock_certpool/mock_certpool.go

@@ -1,112 +0,0 @@
-// Code generated by MockGen. DO NOT EDIT.
-// Source: github.com/int128/kubelogin/pkg/adaptors/certpool (interfaces: FactoryInterface,Interface)
-
-// Package mock_certpool is a generated GoMock package.
-package mock_certpool
-
-import (
-	tls "crypto/tls"
-	gomock "github.com/golang/mock/gomock"
-	certpool "github.com/int128/kubelogin/pkg/adaptors/certpool"
-	reflect "reflect"
-)
-
-// MockFactoryInterface is a mock of FactoryInterface interface
-type MockFactoryInterface struct {
-	ctrl     *gomock.Controller
-	recorder *MockFactoryInterfaceMockRecorder
-}
-
-// MockFactoryInterfaceMockRecorder is the mock recorder for MockFactoryInterface
-type MockFactoryInterfaceMockRecorder struct {
-	mock *MockFactoryInterface
-}
-
-// NewMockFactoryInterface creates a new mock instance
-func NewMockFactoryInterface(ctrl *gomock.Controller) *MockFactoryInterface {
-	mock := &MockFactoryInterface{ctrl: ctrl}
-	mock.recorder = &MockFactoryInterfaceMockRecorder{mock}
-	return mock
-}
-
-// EXPECT returns an object that allows the caller to indicate expected use
-func (m *MockFactoryInterface) EXPECT() *MockFactoryInterfaceMockRecorder {
-	return m.recorder
-}
-
-// New mocks base method
-func (m *MockFactoryInterface) New() certpool.Interface {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "New")
-	ret0, _ := ret[0].(certpool.Interface)
-	return ret0
-}
-
-// New indicates an expected call of New
-func (mr *MockFactoryInterfaceMockRecorder) New() *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "New", reflect.TypeOf((*MockFactoryInterface)(nil).New))
-}
-
-// MockInterface is a mock of Interface interface
-type MockInterface struct {
-	ctrl     *gomock.Controller
-	recorder *MockInterfaceMockRecorder
-}
-
-// MockInterfaceMockRecorder is the mock recorder for MockInterface
-type MockInterfaceMockRecorder struct {
-	mock *MockInterface
-}
-
-// NewMockInterface creates a new mock instance
-func NewMockInterface(ctrl *gomock.Controller) *MockInterface {
-	mock := &MockInterface{ctrl: ctrl}
-	mock.recorder = &MockInterfaceMockRecorder{mock}
-	return mock
-}
-
-// EXPECT returns an object that allows the caller to indicate expected use
-func (m *MockInterface) EXPECT() *MockInterfaceMockRecorder {
-	return m.recorder
-}
-
-// AddBase64Encoded mocks base method
-func (m *MockInterface) AddBase64Encoded(arg0 string) error {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "AddBase64Encoded", arg0)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// AddBase64Encoded indicates an expected call of AddBase64Encoded
-func (mr *MockInterfaceMockRecorder) AddBase64Encoded(arg0 interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AddBase64Encoded", reflect.TypeOf((*MockInterface)(nil).AddBase64Encoded), arg0)
-}
-
-// AddFile mocks base method
-func (m *MockInterface) AddFile(arg0 string) error {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "AddFile", arg0)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// AddFile indicates an expected call of AddFile
-func (mr *MockInterfaceMockRecorder) AddFile(arg0 interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AddFile", reflect.TypeOf((*MockInterface)(nil).AddFile), arg0)
-}
-
-// SetRootCAs mocks base method
-func (m *MockInterface) SetRootCAs(arg0 *tls.Config) {
-	m.ctrl.T.Helper()
-	m.ctrl.Call(m, "SetRootCAs", arg0)
-}
-
-// SetRootCAs indicates an expected call of SetRootCAs
-func (mr *MockInterfaceMockRecorder) SetRootCAs(arg0 interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetRootCAs", reflect.TypeOf((*MockInterface)(nil).SetRootCAs), arg0)
-}

pkg/adaptors/cmd/cmd_test.go

@@ -1,330 +0,0 @@
-package cmd
-
-import (
-	"context"
-	"testing"
-
-	"github.com/golang/mock/gomock"
-	"github.com/int128/kubelogin/pkg/adaptors/logger/mock_logger"
-	"github.com/int128/kubelogin/pkg/usecases/authentication"
-	"github.com/int128/kubelogin/pkg/usecases/credentialplugin"
-	"github.com/int128/kubelogin/pkg/usecases/credentialplugin/mock_credentialplugin"
-	"github.com/int128/kubelogin/pkg/usecases/standalone"
-	"github.com/int128/kubelogin/pkg/usecases/standalone/mock_standalone"
-)
-
-func TestCmd_Run(t *testing.T) {
-	const executable = "kubelogin"
-	const version = "HEAD"
-
-	t.Run("root", func(t *testing.T) {
-		tests := map[string]struct {
-			args []string
-			in   standalone.Input
-		}{
-			"Defaults": {
-				args: []string{executable},
-				in: standalone.Input{
-					GrantOptionSet: authentication.GrantOptionSet{
-						AuthCodeOption: &authentication.AuthCodeOption{
-							BindAddress: []string{"127.0.0.1:8000", "127.0.0.1:18000"},
-						},
-					},
-				},
-			},
-			"FullOptions": {
-				args: []string{executable,
-					"--kubeconfig", "/path/to/kubeconfig",
-					"--context", "hello.k8s.local",
-					"--user", "google",
-					"--certificate-authority", "/path/to/cacert",
-					"--insecure-skip-tls-verify",
-					"-v1",
-					"--grant-type", "authcode",
-					"--listen-port", "10080",
-					"--listen-port", "20080",
-					"--skip-open-browser",
-					"--username", "USER",
-					"--password", "PASS",
-				},
-				in: standalone.Input{
-					KubeconfigFilename: "/path/to/kubeconfig",
-					KubeconfigContext:  "hello.k8s.local",
-					KubeconfigUser:     "google",
-					CACertFilename:     "/path/to/cacert",
-					SkipTLSVerify:      true,
-					GrantOptionSet: authentication.GrantOptionSet{
-						AuthCodeOption: &authentication.AuthCodeOption{
-							BindAddress:     []string{"127.0.0.1:10080", "127.0.0.1:20080"},
-							SkipOpenBrowser: true,
-						},
-					},
-				},
-			},
-			"GrantType=authcode-keyboard": {
-				args: []string{executable,
-					"--grant-type", "authcode-keyboard",
-				},
-				in: standalone.Input{
-					GrantOptionSet: authentication.GrantOptionSet{
-						AuthCodeKeyboardOption: &authentication.AuthCodeKeyboardOption{},
-					},
-				},
-			},
-			"GrantType=password": {
-				args: []string{executable,
-					"--grant-type", "password",
-					"--listen-port", "10080",
-					"--listen-port", "20080",
-					"--username", "USER",
-					"--password", "PASS",
-				},
-				in: standalone.Input{
-					GrantOptionSet: authentication.GrantOptionSet{
-						ROPCOption: &authentication.ROPCOption{
-							Username: "USER",
-							Password: "PASS",
-						},
-					},
-				},
-			},
-			"GrantType=auto": {
-				args: []string{executable,
-					"--listen-port", "10080",
-					"--listen-port", "20080",
-					"--username", "USER",
-					"--password", "PASS",
-				},
-				in: standalone.Input{
-					GrantOptionSet: authentication.GrantOptionSet{
-						ROPCOption: &authentication.ROPCOption{
-							Username: "USER",
-							Password: "PASS",
-						},
-					},
-				},
-			},
-		}
-		for name, c := range tests {
-			t.Run(name, func(t *testing.T) {
-				ctrl := gomock.NewController(t)
-				defer ctrl.Finish()
-				ctx := context.TODO()
-				mockStandalone := mock_standalone.NewMockInterface(ctrl)
-				mockStandalone.EXPECT().
-					Do(ctx, c.in)
-				cmd := Cmd{
-					Root: &Root{
-						Standalone: mockStandalone,
-						Logger:     mock_logger.New(t),
-					},
-					Logger: mock_logger.New(t),
-				}
-				exitCode := cmd.Run(ctx, c.args, version)
-				if exitCode != 0 {
-					t.Errorf("exitCode wants 0 but %d", exitCode)
-				}
-			})
-		}
-
-		t.Run("TooManyArgs", func(t *testing.T) {
-			ctrl := gomock.NewController(t)
-			defer ctrl.Finish()
-			cmd := Cmd{
-				Root: &Root{
-					Standalone: mock_standalone.NewMockInterface(ctrl),
-					Logger:     mock_logger.New(t),
-				},
-				Logger: mock_logger.New(t),
-			}
-			exitCode := cmd.Run(context.TODO(), []string{executable, "some"}, version)
-			if exitCode != 1 {
-				t.Errorf("exitCode wants 1 but %d", exitCode)
-			}
-		})
-	})
-
-	t.Run("get-token", func(t *testing.T) {
-		tests := map[string]struct {
-			args []string
-			in   credentialplugin.Input
-		}{
-			"Defaults": {
-				args: []string{executable,
-					"get-token",
-					"--oidc-issuer-url", "https://issuer.example.com",
-					"--oidc-client-id", "YOUR_CLIENT_ID",
-				},
-				in: credentialplugin.Input{
-					TokenCacheDir: defaultTokenCacheDir,
-					IssuerURL:     "https://issuer.example.com",
-					ClientID:      "YOUR_CLIENT_ID",
-					GrantOptionSet: authentication.GrantOptionSet{
-						AuthCodeOption: &authentication.AuthCodeOption{
-							BindAddress: []string{"127.0.0.1:8000", "127.0.0.1:18000"},
-						},
-					},
-				},
-			},
-			"FullOptions": {
-				args: []string{executable,
-					"get-token",
-					"--oidc-issuer-url", "https://issuer.example.com",
-					"--oidc-client-id", "YOUR_CLIENT_ID",
-					"--oidc-client-secret", "YOUR_CLIENT_SECRET",
-					"--oidc-extra-scope", "email",
-					"--oidc-extra-scope", "profile",
-					"--certificate-authority", "/path/to/cacert",
-					"--insecure-skip-tls-verify",
-					"-v1",
-					"--grant-type", "authcode",
-					"--listen-port", "10080",
-					"--listen-port", "20080",
-					"--skip-open-browser",
-					"--username", "USER",
-					"--password", "PASS",
-				},
-				in: credentialplugin.Input{
-					TokenCacheDir:  defaultTokenCacheDir,
-					IssuerURL:      "https://issuer.example.com",
-					ClientID:       "YOUR_CLIENT_ID",
-					ClientSecret:   "YOUR_CLIENT_SECRET",
-					ExtraScopes:    []string{"email", "profile"},
-					CACertFilename: "/path/to/cacert",
-					SkipTLSVerify:  true,
-					GrantOptionSet: authentication.GrantOptionSet{
-						AuthCodeOption: &authentication.AuthCodeOption{
-							BindAddress:     []string{"127.0.0.1:10080", "127.0.0.1:20080"},
-							SkipOpenBrowser: true,
-						},
-					},
-				},
-			},
-			"GrantType=authcode-keyboard": {
-				args: []string{executable,
-					"get-token",
-					"--oidc-issuer-url", "https://issuer.example.com",
-					"--oidc-client-id", "YOUR_CLIENT_ID",
-					"--grant-type", "authcode-keyboard",
-				},
-				in: credentialplugin.Input{
-					TokenCacheDir: defaultTokenCacheDir,
-					IssuerURL:     "https://issuer.example.com",
-					ClientID:      "YOUR_CLIENT_ID",
-					GrantOptionSet: authentication.GrantOptionSet{
-						AuthCodeKeyboardOption: &authentication.AuthCodeKeyboardOption{},
-					},
-				},
-			},
-			"GrantType=password": {
-				args: []string{executable,
-					"get-token",
-					"--oidc-issuer-url", "https://issuer.example.com",
-					"--oidc-client-id", "YOUR_CLIENT_ID",
-					"--grant-type", "password",
-					"--listen-port", "10080",
-					"--listen-port", "20080",
-					"--username", "USER",
-					"--password", "PASS",
-				},
-				in: credentialplugin.Input{
-					TokenCacheDir: defaultTokenCacheDir,
-					IssuerURL:     "https://issuer.example.com",
-					ClientID:      "YOUR_CLIENT_ID",
-					GrantOptionSet: authentication.GrantOptionSet{
-						ROPCOption: &authentication.ROPCOption{
-							Username: "USER",
-							Password: "PASS",
-						},
-					},
-				},
-			},
-			"GrantType=auto": {
-				args: []string{executable,
-					"get-token",
-					"--oidc-issuer-url", "https://issuer.example.com",
-					"--oidc-client-id", "YOUR_CLIENT_ID",
-					"--listen-port", "10080",
-					"--listen-port", "20080",
-					"--username", "USER",
-					"--password", "PASS",
-				},
-				in: credentialplugin.Input{
-					TokenCacheDir: defaultTokenCacheDir,
-					IssuerURL:     "https://issuer.example.com",
-					ClientID:      "YOUR_CLIENT_ID",
-					GrantOptionSet: authentication.GrantOptionSet{
-						ROPCOption: &authentication.ROPCOption{
-							Username: "USER",
-							Password: "PASS",
-						},
-					},
-				},
-			},
-		}
-		for name, c := range tests {
-			t.Run(name, func(t *testing.T) {
-				ctrl := gomock.NewController(t)
-				defer ctrl.Finish()
-				ctx := context.TODO()
-				getToken := mock_credentialplugin.NewMockInterface(ctrl)
-				getToken.EXPECT().
-					Do(ctx, c.in)
-				cmd := Cmd{
-					Root: &Root{
-						Logger: mock_logger.New(t),
-					},
-					GetToken: &GetToken{
-						GetToken: getToken,
-						Logger:   mock_logger.New(t),
-					},
-					Logger: mock_logger.New(t),
-				}
-				exitCode := cmd.Run(ctx, c.args, version)
-				if exitCode != 0 {
-					t.Errorf("exitCode wants 0 but %d", exitCode)
-				}
-			})
-		}
-
-		t.Run("MissingMandatoryOptions", func(t *testing.T) {
-			ctrl := gomock.NewController(t)
-			defer ctrl.Finish()
-			ctx := context.TODO()
-			cmd := Cmd{
-				Root: &Root{
-					Logger: mock_logger.New(t),
-				},
-				GetToken: &GetToken{
-					GetToken: mock_credentialplugin.NewMockInterface(ctrl),
-					Logger:   mock_logger.New(t),
-				},
-				Logger: mock_logger.New(t),
-			}
-			exitCode := cmd.Run(ctx, []string{executable, "get-token"}, version)
-			if exitCode != 1 {
-				t.Errorf("exitCode wants 1 but %d", exitCode)
-			}
-		})
-
-		t.Run("TooManyArgs", func(t *testing.T) {
-			ctrl := gomock.NewController(t)
-			defer ctrl.Finish()
-			ctx := context.TODO()
-			cmd := Cmd{
-				Root: &Root{
-					Logger: mock_logger.New(t),
-				},
-				GetToken: &GetToken{
-					GetToken: mock_credentialplugin.NewMockInterface(ctrl),
-					Logger:   mock_logger.New(t),
-				},
-				Logger: mock_logger.New(t),
-			}
-			exitCode := cmd.Run(ctx, []string{executable, "get-token", "foo"}, version)
-			if exitCode != 1 {
-				t.Errorf("exitCode wants 1 but %d", exitCode)
-			}
-		})
-	})
-}

pkg/adaptors/cmd/root.go

@@ -1,124 +0,0 @@
-package cmd
-
-import (
-	"context"
-	"fmt"
-	"strings"
-
-	"github.com/int128/kubelogin/pkg/adaptors/kubeconfig"
-	"github.com/int128/kubelogin/pkg/adaptors/logger"
-	"github.com/int128/kubelogin/pkg/usecases/authentication"
-	"github.com/int128/kubelogin/pkg/usecases/standalone"
-	"github.com/spf13/cobra"
-	"github.com/spf13/pflag"
-	"golang.org/x/xerrors"
-)
-
-const longDescription = `Login to the OpenID Connect provider.
-
-You need to set up the OIDC provider, role binding, Kubernetes API server and kubeconfig.
-Run the following command to show the setup instruction:
-
-	kubectl oidc-login setup
-
-See https://github.com/int128/kubelogin for more.
-`
-
-// rootOptions represents the options for the root command.
-type rootOptions struct {
-	Kubeconfig            string
-	Context               string
-	User                  string
-	CertificateAuthority  string
-	SkipTLSVerify         bool
-	authenticationOptions authenticationOptions
-}
-
-func (o *rootOptions) register(f *pflag.FlagSet) {
-	f.SortFlags = false
-	f.StringVar(&o.Kubeconfig, "kubeconfig", "", "Path to the kubeconfig file")
-	f.StringVar(&o.Context, "context", "", "The name of the kubeconfig context to use")
-	f.StringVar(&o.User, "user", "", "The name of the kubeconfig user to use. Prior to --context")
-	f.StringVar(&o.CertificateAuthority, "certificate-authority", "", "Path to a cert file for the certificate authority")
-	f.BoolVar(&o.SkipTLSVerify, "insecure-skip-tls-verify", false, "If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure")
-	o.authenticationOptions.register(f)
-}
-
-type authenticationOptions struct {
-	GrantType       string
-	ListenPort      []int
-	SkipOpenBrowser bool
-	Username        string
-	Password        string
-}
-
-var allGrantType = strings.Join([]string{
-	"auto",
-	"authcode",
-	"authcode-keyboard",
-	"password",
-}, "|")
-
-func (o *authenticationOptions) register(f *pflag.FlagSet) {
-	f.StringVar(&o.GrantType, "grant-type", "auto", fmt.Sprintf("The authorization grant type to use. One of (%s)", allGrantType))
-	f.IntSliceVar(&o.ListenPort, "listen-port", defaultListenPort, "Port to bind to the local server. If multiple ports are given, it will try the ports in order")
-	f.BoolVar(&o.SkipOpenBrowser, "skip-open-browser", false, "If true, it does not open the browser on authentication")
-	f.StringVar(&o.Username, "username", "", "If set, perform the resource owner password credentials grant")
-	f.StringVar(&o.Password, "password", "", "If set, use the password instead of asking it")
-}
-
-func (o *authenticationOptions) grantOptionSet() (s authentication.GrantOptionSet, err error) {
-	switch {
-	case o.GrantType == "authcode" || (o.GrantType == "auto" && o.Username == ""):
-		s.AuthCodeOption = &authentication.AuthCodeOption{
-			BindAddress:     translateListenPortToBindAddress(o.ListenPort),
-			SkipOpenBrowser: o.SkipOpenBrowser,
-		}
-	case o.GrantType == "authcode-keyboard":
-		s.AuthCodeKeyboardOption = &authentication.AuthCodeKeyboardOption{}
-	case o.GrantType == "password" || (o.GrantType == "auto" && o.Username != ""):
-		s.ROPCOption = &authentication.ROPCOption{
-			Username: o.Username,
-			Password: o.Password,
-		}
-	default:
-		err = xerrors.Errorf("grant-type must be one of (%s)", allGrantType)
-	}
-	return
-}
-
-type Root struct {
-	Standalone standalone.Interface
-	Logger     logger.Interface
-}
-
-func (cmd *Root) New(ctx context.Context, executable string) *cobra.Command {
-	var o rootOptions
-	rootCmd := &cobra.Command{
-		Use:   executable,
-		Short: "Login to the OpenID Connect provider",
-		Long:  longDescription,
-		Args:  cobra.NoArgs,
-		RunE: func(*cobra.Command, []string) error {
-			grantOptionSet, err := o.authenticationOptions.grantOptionSet()
-			if err != nil {
-				return xerrors.Errorf("invalid option: %w", err)
-			}
-			in := standalone.Input{
-				KubeconfigFilename: o.Kubeconfig,
-				KubeconfigContext:  kubeconfig.ContextName(o.Context),
-				KubeconfigUser:     kubeconfig.UserName(o.User),
-				CACertFilename:     o.CertificateAuthority,
-				SkipTLSVerify:      o.SkipTLSVerify,
-				GrantOptionSet:     grantOptionSet,
-			}
-			if err := cmd.Standalone.Do(ctx, in); err != nil {
-				return xerrors.Errorf("error: %w", err)
-			}
-			return nil
-		},
-	}
-	o.register(rootCmd.Flags())
-	cmd.Logger.AddFlags(rootCmd.PersistentFlags())
-	return rootCmd
-}

pkg/adaptors/credentialplugin/credential_plugin.go

@@ -1,51 +0,0 @@
-// Package credentialplugin provides interaction with kubectl for a credential plugin.
-package credentialplugin
-
-import (
-	"encoding/json"
-	"os"
-	"time"
-
-	"github.com/google/wire"
-	"golang.org/x/xerrors"
-	"k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
-)
-
-//go:generate mockgen -destination mock_credentialplugin/mock_credentialplugin.go github.com/int128/kubelogin/pkg/adaptors/credentialplugin Interface
-
-var Set = wire.NewSet(
-	wire.Struct(new(Interaction), "*"),
-	wire.Bind(new(Interface), new(*Interaction)),
-)
-
-type Interface interface {
-	Write(out Output) error
-}
-
-// Output represents an output object of the credential plugin.
-type Output struct {
-	Token  string
-	Expiry time.Time
-}
-
-type Interaction struct{}
-
-// Write writes the ExecCredential to standard output for kubectl.
-func (*Interaction) Write(out Output) error {
-	ec := &v1beta1.ExecCredential{
-		TypeMeta: v1.TypeMeta{
-			APIVersion: "client.authentication.k8s.io/v1beta1",
-			Kind:       "ExecCredential",
-		},
-		Status: &v1beta1.ExecCredentialStatus{
-			Token:               out.Token,
-			ExpirationTimestamp: &v1.Time{Time: out.Expiry},
-		},
-	}
-	e := json.NewEncoder(os.Stdout)
-	if err := e.Encode(ec); err != nil {
-		return xerrors.Errorf("could not write the ExecCredential: %w", err)
-	}
-	return nil
-}

pkg/adaptors/env/env.go

@@ -1,76 +0,0 @@
-// Package env provides environment dependent facilities.
-package env
-
-import (
-	"bufio"
-	"fmt"
-	"os"
-	"strings"
-	"syscall"
-
-	"github.com/google/wire"
-	"github.com/pkg/browser"
-	"golang.org/x/crypto/ssh/terminal"
-	"golang.org/x/xerrors"
-)
-
-//go:generate mockgen -destination mock_env/mock_env.go github.com/int128/kubelogin/pkg/adaptors/env Interface
-
-func init() {
-	// In credential plugin mode, some browser launcher writes a message to stdout
-	// and it may break the credential json for client-go.
-	// This prevents the browser launcher from breaking the credential json.
-	browser.Stdout = os.Stderr
-}
-
-// Set provides an implementation and interface for Env.
-var Set = wire.NewSet(
-	wire.Struct(new(Env), "*"),
-	wire.Bind(new(Interface), new(*Env)),
-)
-
-type Interface interface {
-	ReadString(prompt string) (string, error)
-	ReadPassword(prompt string) (string, error)
-	OpenBrowser(url string) error
-}
-
-// Env provides environment specific facilities.
-type Env struct{}
-
-// ReadString reads a string from the stdin.
-func (*Env) ReadString(prompt string) (string, error) {
-	if _, err := fmt.Fprint(os.Stderr, prompt); err != nil {
-		return "", xerrors.Errorf("could not write the prompt: %w", err)
-	}
-	r := bufio.NewReader(os.Stdin)
-	s, err := r.ReadString('\n')
-	if err != nil {
-		return "", xerrors.Errorf("could not read from stdin: %w", err)
-	}
-	s = strings.TrimRight(s, "\r\n")
-	return s, nil
-}
-
-// ReadPassword reads a password from the stdin without echo back.
-func (*Env) ReadPassword(prompt string) (string, error) {
-	if _, err := fmt.Fprint(os.Stderr, prompt); err != nil {
-		return "", xerrors.Errorf("could not write the prompt: %w", err)
-	}
-	b, err := terminal.ReadPassword(int(syscall.Stdin))
-	if err != nil {
-		return "", xerrors.Errorf("could not read from stdin: %w", err)
-	}
-	if _, err := fmt.Fprintln(os.Stderr); err != nil {
-		return "", xerrors.Errorf("could not write a new line: %w", err)
-	}
-	return string(b), nil
-}
-
-// OpenBrowser opens the default browser.
-func (env *Env) OpenBrowser(url string) error {
-	if err := browser.OpenURL(url); err != nil {
-		return xerrors.Errorf("could not open the browser: %w", err)
-	}
-	return nil
-}

pkg/adaptors/jwtdecoder/decoder.go

@@ -1,74 +0,0 @@
-// Package jwtdecoder provides decoding a JWT.
-package jwtdecoder
-
-import (
-	"bytes"
-	"encoding/json"
-	"fmt"
-	"strings"
-	"time"
-
-	"github.com/dgrijalva/jwt-go"
-	"github.com/google/wire"
-	"golang.org/x/xerrors"
-)
-
-//go:generate mockgen -destination mock_jwtdecoder/mock_jwtdecoder.go github.com/int128/kubelogin/pkg/adaptors/jwtdecoder Interface
-
-// Set provides an implementation and interface.
-var Set = wire.NewSet(
-	wire.Struct(new(Decoder), "*"),
-	wire.Bind(new(Interface), new(*Decoder)),
-)
-
-type Interface interface {
-	Decode(s string) (*Claims, error)
-}
-
-// Claims represents claims of a token.
-type Claims struct {
-	Subject string
-	Expiry  time.Time
-	Pretty  map[string]string // string representation for debug and logging
-}
-
-type Decoder struct{}
-
-// Decode returns the claims of the JWT.
-// Note that this method does not verify the signature and always trust it.
-func (d *Decoder) Decode(s string) (*Claims, error) {
-	parts := strings.Split(s, ".")
-	if len(parts) != 3 {
-		return nil, xerrors.Errorf("token contains an invalid number of segments")
-	}
-	b, err := jwt.DecodeSegment(parts[1])
-	if err != nil {
-		return nil, xerrors.Errorf("could not decode the token: %w", err)
-	}
-	var claims jwt.StandardClaims
-	if err := json.NewDecoder(bytes.NewBuffer(b)).Decode(&claims); err != nil {
-		return nil, xerrors.Errorf("could not decode the json of token: %w", err)
-	}
-	var rawClaims map[string]interface{}
-	if err := json.NewDecoder(bytes.NewBuffer(b)).Decode(&rawClaims); err != nil {
-		return nil, xerrors.Errorf("could not decode the json of token: %w", err)
-	}
-	return &Claims{
-		Subject: claims.Subject,
-		Expiry:  time.Unix(claims.ExpiresAt, 0),
-		Pretty:  dumpRawClaims(rawClaims),
-	}, nil
-}
-
-func dumpRawClaims(rawClaims map[string]interface{}) map[string]string {
-	claims := make(map[string]string)
-	for k, v := range rawClaims {
-		switch v := v.(type) {
-		case float64:
-			claims[k] = fmt.Sprintf("%.f", v)
-		default:
-			claims[k] = fmt.Sprintf("%v", v)
-		}
-	}
-	return claims
-}

pkg/adaptors/jwtdecoder/decoder_test.go

@@ -1,87 +0,0 @@
-package jwtdecoder
-
-import (
-	"crypto/rsa"
-	"crypto/x509"
-	"encoding/pem"
-	"io/ioutil"
-	"testing"
-	"time"
-
-	"github.com/dgrijalva/jwt-go"
-)
-
-func TestDecoder_Decode(t *testing.T) {
-	var decoder Decoder
-
-	t.Run("ValidToken", func(t *testing.T) {
-		expiry := time.Now().Round(time.Second)
-		idToken := newIDToken(t, "https://issuer.example.com", expiry)
-		decodedToken, err := decoder.Decode(idToken)
-		if err != nil {
-			t.Fatalf("Decode error: %s", err)
-		}
-		if decodedToken.Expiry != expiry {
-			t.Errorf("Expiry wants %s but %s", expiry, decodedToken.Expiry)
-		}
-		t.Logf("Pretty=%+v", decodedToken.Pretty)
-	})
-	t.Run("InvalidToken", func(t *testing.T) {
-		decodedToken, err := decoder.Decode("HEADER.INVALID_TOKEN.SIGNATURE")
-		if err == nil {
-			t.Errorf("error wants non-nil but nil")
-		} else {
-			t.Logf("expected error: %+v", err)
-		}
-		if decodedToken != nil {
-			t.Errorf("decodedToken wants nil but %+v", decodedToken)
-		}
-	})
-}
-
-func newIDToken(t *testing.T, issuer string, expiry time.Time) string {
-	t.Helper()
-	claims := struct {
-		jwt.StandardClaims
-		Nonce         string   `json:"nonce"`
-		Groups        []string `json:"groups"`
-		EmailVerified bool     `json:"email_verified"`
-	}{
-		StandardClaims: jwt.StandardClaims{
-			Issuer:    issuer,
-			Audience:  "kubernetes",
-			Subject:   "SUBJECT",
-			IssuedAt:  time.Now().Unix(),
-			ExpiresAt: expiry.Unix(),
-		},
-		Nonce:         "NONCE",
-		Groups:        []string{"admin", "users"},
-		EmailVerified: false,
-	}
-	token := jwt.NewWithClaims(jwt.SigningMethodRS256, claims)
-	s, err := token.SignedString(readPrivateKey(t, "testdata/jws.key"))
-	if err != nil {
-		t.Fatalf("Could not sign the claims: %s", err)
-	}
-	return s
-}
-
-func readPrivateKey(t *testing.T, name string) *rsa.PrivateKey {
-	t.Helper()
-	b, err := ioutil.ReadFile(name)
-	if err != nil {
-		t.Fatalf("could not read the file: %s", err)
-	}
-	block, rest := pem.Decode(b)
-	if block == nil {
-		t.Fatalf("could not decode PEM")
-	}
-	if len(rest) > 0 {
-		t.Fatalf("PEM should contain single key but multiple keys")
-	}
-	k, err := x509.ParsePKCS1PrivateKey(block.Bytes)
-	if err != nil {
-		t.Fatalf("could not parse the key: %s", err)
-	}
-	return k
-}

pkg/adaptors/jwtdecoder/testdata/Makefile

@@ -1,8 +0,0 @@
-all: jws.key
-
-jws.key:
-	openssl genrsa -out $@ 1024
-
-.PHONY: clean
-clean:
-	-rm -v jws.key

pkg/adaptors/jwtdecoder/testdata/jws.key

@@ -1,15 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIICXAIBAAKBgQCrH34yA/f/sBOUlkYnRtd2jgDZ3WivhidqvoQaa73xqTazbkn6
-GZ9r7jx0CGLRV2bmErj2WoyT54yrhezrKh0YXAHlrwLdsmV4dwiV0lOfUJd9P/vF
-e2hiAWv4CcO9ZuNkTsrxM5W8Wdj2tjqOvsIn4We+HWPkpknT7VtT5RrumwIDAQAB
-AoGAFqy5oA7+kZbXQV0YNqQgcMkoO7Ym5Ps1xeMwxf94z8jIQsZebxFuGnMa95UU
-4wBd1ias85fUANUxwpigaBjQee5Hk+dnfUe1snUWYNm9H6tKrXEF8ajer3a2knEv
-GfK0CSEumFougfW2xG88ChGTS60wc+MIRfXERCvWpGm/5EECQQDdv5IBSi89g/R1
-5AGZKFCoqr6Zw5bWEKPzCCYJZzncR1ER9vP2AnMExM8Io/87WYvmpZIUrXJvQYm8
-hkfVOcBZAkEAxY4VcqmRWru3zmnbj21MwcwtgESaONkWsHeYs1C/Y/3zt7TuelYz
-ZJ9aUuUsaiJLEs9Y26nMt0L0snWGr2noEwJBANaDp1PWFyMUTt3pB17JcFXqb15C
-pt1I1cGapWk9Uez1lMijNNhNAEWhuoKqW5Nnif5DN7EHJYfZR8x3vm/YYWkCQHAA
-0iAkCwjKDLe2RIjYiwAE5ncmbdl1GuwJokVnrlrei+LHbb1mSdTuk6MT006JCs8r
-R1GivzHXgCv9fdLN1IkCQHxRvv9RPND80eEkdMv4qu0s22OLRhLQ/pb+YeT5Cjjv
-pJYWKrvXdRZcuNde9JiiTgK2UW1wM8KeD/EGvK2yF6M=
------END RSA PRIVATE KEY-----

pkg/adaptors/logger/mock_logger/logger.go

@@ -1,46 +0,0 @@
-package mock_logger
-
-import (
-	"fmt"
-
-	"github.com/int128/kubelogin/pkg/adaptors/logger"
-	"github.com/spf13/pflag"
-)
-
-func New(t testingLogger) *Logger {
-	return &Logger{t}
-}
-
-type testingLogger interface {
-	Logf(format string, v ...interface{})
-}
-
-// Logger provides logging facility using testing.T.
-type Logger struct {
-	t testingLogger
-}
-
-func (*Logger) AddFlags(f *pflag.FlagSet) {
-	f.IntP("v", "v", 0, "dummy flag used in the tests")
-}
-
-func (l *Logger) Printf(format string, args ...interface{}) {
-	l.t.Logf(format, args...)
-}
-
-type Verbose struct {
-	t     testingLogger
-	level int
-}
-
-func (v *Verbose) Infof(format string, args ...interface{}) {
-	v.t.Logf(fmt.Sprintf("I%d] ", v.level)+format, args...)
-}
-
-func (l *Logger) V(level int) logger.Verbose {
-	return &Verbose{l.t, level}
-}
-
-func (*Logger) IsEnabled(level int) bool {
-	return true
-}

pkg/adaptors/oidcclient/factory.go

@@ -1,68 +0,0 @@
-// Package oidcclient provides a client of OpenID Connect.
-package oidcclient
-
-import (
-	"context"
-	"crypto/tls"
-	"net/http"
-
-	"github.com/coreos/go-oidc"
-	"github.com/int128/kubelogin/pkg/adaptors/certpool"
-	"github.com/int128/kubelogin/pkg/adaptors/logger"
-	"github.com/int128/kubelogin/pkg/adaptors/oidcclient/logging"
-	"golang.org/x/oauth2"
-	"golang.org/x/xerrors"
-)
-
-type FactoryInterface interface {
-	New(ctx context.Context, config Config) (Interface, error)
-}
-
-// Config represents a configuration of OpenID Connect client.
-type Config struct {
-	IssuerURL     string
-	ClientID      string
-	ClientSecret  string
-	ExtraScopes   []string // optional
-	CertPool      certpool.Interface
-	SkipTLSVerify bool
-}
-
-type Factory struct {
-	Logger logger.Interface
-}
-
-// New returns an instance of adaptors.Interface with the given configuration.
-func (f *Factory) New(ctx context.Context, config Config) (Interface, error) {
-	var tlsConfig tls.Config
-	tlsConfig.InsecureSkipVerify = config.SkipTLSVerify
-	config.CertPool.SetRootCAs(&tlsConfig)
-	baseTransport := &http.Transport{
-		TLSClientConfig: &tlsConfig,
-		Proxy:           http.ProxyFromEnvironment,
-	}
-	loggingTransport := &logging.Transport{
-		Base:   baseTransport,
-		Logger: f.Logger,
-	}
-	httpClient := &http.Client{
-		Transport: loggingTransport,
-	}
-
-	ctx = context.WithValue(ctx, oauth2.HTTPClient, httpClient)
-	provider, err := oidc.NewProvider(ctx, config.IssuerURL)
-	if err != nil {
-		return nil, xerrors.Errorf("could not discovery the OIDCClientFactory issuer: %w", err)
-	}
-	return &client{
-		httpClient: httpClient,
-		provider:   provider,
-		oauth2Config: oauth2.Config{
-			Endpoint:     provider.Endpoint(),
-			ClientID:     config.ClientID,
-			ClientSecret: config.ClientSecret,
-			Scopes:       append(config.ExtraScopes, oidc.ScopeOpenID),
-		},
-		logger: f.Logger,
-	}, nil
-}

pkg/adaptors/oidcclient/oidcclient.go

@@ -1,197 +0,0 @@
-package oidcclient
-
-import (
-	"context"
-	"fmt"
-	"net/http"
-	"time"
-
-	"github.com/coreos/go-oidc"
-	"github.com/google/wire"
-	"github.com/int128/kubelogin/pkg/adaptors/logger"
-	"github.com/int128/oauth2cli"
-	"golang.org/x/oauth2"
-	"golang.org/x/xerrors"
-)
-
-//go:generate mockgen -destination mock_oidcclient/mock_oidcclient.go github.com/int128/kubelogin/pkg/adaptors/oidcclient FactoryInterface,Interface
-
-// Set provides an implementation and interface for OIDC.
-var Set = wire.NewSet(
-	wire.Struct(new(Factory), "*"),
-	wire.Bind(new(FactoryInterface), new(*Factory)),
-)
-
-type Interface interface {
-	GetAuthCodeURL(in AuthCodeURLInput) string
-	ExchangeAuthCode(ctx context.Context, in ExchangeAuthCodeInput) (*TokenSet, error)
-	GetTokenByAuthCode(ctx context.Context, in GetTokenByAuthCodeInput, localServerReadyChan chan<- string) (*TokenSet, error)
-	GetTokenByROPC(ctx context.Context, username, password string) (*TokenSet, error)
-	Refresh(ctx context.Context, refreshToken string) (*TokenSet, error)
-}
-
-type AuthCodeURLInput struct {
-	State               string
-	Nonce               string
-	CodeChallenge       string
-	CodeChallengeMethod string
-	RedirectURI         string
-}
-
-type ExchangeAuthCodeInput struct {
-	Code         string
-	CodeVerifier string
-	Nonce        string
-	RedirectURI  string
-}
-
-type GetTokenByAuthCodeInput struct {
-	BindAddress         []string
-	Nonce               string
-	CodeChallenge       string
-	CodeChallengeMethod string
-	CodeVerifier        string
-}
-
-// TokenSet represents an output DTO of
-// Interface.GetTokenByAuthCode, Interface.GetTokenByROPC and Interface.Refresh.
-type TokenSet struct {
-	IDToken        string
-	RefreshToken   string
-	IDTokenSubject string
-	IDTokenExpiry  time.Time
-	IDTokenClaims  map[string]string // string representation of claims for logging
-}
-
-type client struct {
-	httpClient   *http.Client
-	provider     *oidc.Provider
-	oauth2Config oauth2.Config
-	logger       logger.Interface
-}
-
-func (c *client) wrapContext(ctx context.Context) context.Context {
-	if c.httpClient != nil {
-		ctx = context.WithValue(ctx, oauth2.HTTPClient, c.httpClient)
-	}
-	return ctx
-}
-
-// GetTokenByAuthCode performs the authorization code flow.
-func (c *client) GetTokenByAuthCode(ctx context.Context, in GetTokenByAuthCodeInput, localServerReadyChan chan<- string) (*TokenSet, error) {
-	ctx = c.wrapContext(ctx)
-	config := oauth2cli.Config{
-		OAuth2Config: c.oauth2Config,
-		AuthCodeOptions: []oauth2.AuthCodeOption{
-			oauth2.AccessTypeOffline,
-			oidc.Nonce(in.Nonce),
-			oauth2.SetAuthURLParam("code_challenge", in.CodeChallenge),
-			oauth2.SetAuthURLParam("code_challenge_method", in.CodeChallengeMethod),
-		},
-		TokenRequestOptions: []oauth2.AuthCodeOption{
-			oauth2.SetAuthURLParam("code_verifier", in.CodeVerifier),
-		},
-		LocalServerBindAddress: in.BindAddress,
-		LocalServerReadyChan:   localServerReadyChan,
-	}
-	token, err := oauth2cli.GetToken(ctx, config)
-	if err != nil {
-		return nil, xerrors.Errorf("could not get a token: %w", err)
-	}
-	return c.verifyToken(ctx, token, in.Nonce)
-}
-
-// GetAuthCodeURL returns the URL of authentication request for the authorization code flow.
-func (c *client) GetAuthCodeURL(in AuthCodeURLInput) string {
-	cfg := c.oauth2Config
-	cfg.RedirectURL = in.RedirectURI
-	return cfg.AuthCodeURL(in.State,
-		oauth2.AccessTypeOffline,
-		oidc.Nonce(in.Nonce),
-		oauth2.SetAuthURLParam("code_challenge", in.CodeChallenge),
-		oauth2.SetAuthURLParam("code_challenge_method", in.CodeChallengeMethod),
-	)
-}
-
-// ExchangeAuthCode exchanges the authorization code and token.
-func (c *client) ExchangeAuthCode(ctx context.Context, in ExchangeAuthCodeInput) (*TokenSet, error) {
-	ctx = c.wrapContext(ctx)
-	cfg := c.oauth2Config
-	cfg.RedirectURL = in.RedirectURI
-	token, err := cfg.Exchange(ctx, in.Code, oauth2.SetAuthURLParam("code_verifier", in.CodeVerifier))
-	if err != nil {
-		return nil, xerrors.Errorf("could not exchange the authorization code: %w", err)
-	}
-	return c.verifyToken(ctx, token, in.Nonce)
-}
-
-// GetTokenByROPC performs the resource owner password credentials flow.
-func (c *client) GetTokenByROPC(ctx context.Context, username, password string) (*TokenSet, error) {
-	ctx = c.wrapContext(ctx)
-	token, err := c.oauth2Config.PasswordCredentialsToken(ctx, username, password)
-	if err != nil {
-		return nil, xerrors.Errorf("could not get a token: %w", err)
-	}
-	return c.verifyToken(ctx, token, "")
-}
-
-// Refresh sends a refresh token request and returns a token set.
-func (c *client) Refresh(ctx context.Context, refreshToken string) (*TokenSet, error) {
-	ctx = c.wrapContext(ctx)
-	currentToken := &oauth2.Token{
-		Expiry:       time.Now(),
-		RefreshToken: refreshToken,
-	}
-	source := c.oauth2Config.TokenSource(ctx, currentToken)
-	token, err := source.Token()
-	if err != nil {
-		return nil, xerrors.Errorf("could not refresh the token: %w", err)
-	}
-	return c.verifyToken(ctx, token, "")
-}
-
-// verifyToken verifies the token with the certificates of the provider and the nonce.
-// If the nonce is an empty string, it does not verify the nonce.
-func (c *client) verifyToken(ctx context.Context, token *oauth2.Token, nonce string) (*TokenSet, error) {
-	idTokenString, ok := token.Extra("id_token").(string)
-	if !ok {
-		return nil, xerrors.Errorf("id_token is missing in the token response: %s", token)
-	}
-	verifier := c.provider.Verifier(&oidc.Config{ClientID: c.oauth2Config.ClientID})
-	idToken, err := verifier.Verify(ctx, idTokenString)
-	if err != nil {
-		return nil, xerrors.Errorf("could not verify the ID token: %w", err)
-	}
-	if nonce != "" && nonce != idToken.Nonce {
-		return nil, xerrors.Errorf("nonce did not match (wants %s but was %s)", nonce, idToken.Nonce)
-	}
-	claims, err := dumpClaims(idToken)
-	if err != nil {
-		c.logger.V(1).Infof("incomplete claims of the ID token: %w", err)
-	}
-	return &TokenSet{
-		IDToken:       idTokenString,
-		RefreshToken:  token.RefreshToken,
-		IDTokenExpiry: idToken.Expiry,
-		IDTokenClaims: claims,
-	}, nil
-}
-
-func dumpClaims(token *oidc.IDToken) (map[string]string, error) {
-	var rawClaims map[string]interface{}
-	err := token.Claims(&rawClaims)
-	return dumpRawClaims(rawClaims), err
-}
-
-func dumpRawClaims(rawClaims map[string]interface{}) map[string]string {
-	claims := make(map[string]string)
-	for k, v := range rawClaims {
-		switch v := v.(type) {
-		case float64:
-			claims[k] = fmt.Sprintf("%.f", v)
-		default:
-			claims[k] = fmt.Sprintf("%v", v)
-		}
-	}
-	return claims
-}

pkg/adaptors/tokencache/tokencache.go

@@ -1,81 +0,0 @@
-package tokencache
-
-import (
-	"crypto/sha256"
-	"encoding/hex"
-	"encoding/json"
-	"os"
-	"path/filepath"
-
-	"github.com/google/wire"
-	"golang.org/x/xerrors"
-)
-
-//go:generate mockgen -destination mock_tokencache/mock_tokencache.go github.com/int128/kubelogin/pkg/adaptors/tokencache Interface
-
-// Set provides an implementation and interface for Kubeconfig.
-var Set = wire.NewSet(
-	wire.Struct(new(Repository), "*"),
-	wire.Bind(new(Interface), new(*Repository)),
-)
-
-type Interface interface {
-	FindByKey(dir string, key Key) (*TokenCache, error)
-	Save(dir string, key Key, cache TokenCache) error
-}
-
-// Key represents a key of a token cache.
-type Key struct {
-	IssuerURL string
-	ClientID  string
-}
-
-// TokenCache represents a token cache.
-type TokenCache struct {
-	IDToken      string `json:"id_token,omitempty"`
-	RefreshToken string `json:"refresh_token,omitempty"`
-}
-
-// Repository provides access to the token cache on the local filesystem.
-// Filename of a token cache is sha256 digest of the issuer, zero-character and client ID.
-type Repository struct{}
-
-func (r *Repository) FindByKey(dir string, key Key) (*TokenCache, error) {
-	filename := filepath.Join(dir, computeFilename(key))
-	f, err := os.Open(filename)
-	if err != nil {
-		return nil, xerrors.Errorf("could not open file %s: %w", filename, err)
-	}
-	defer f.Close()
-	d := json.NewDecoder(f)
-	var c TokenCache
-	if err := d.Decode(&c); err != nil {
-		return nil, xerrors.Errorf("could not decode json file %s: %w", filename, err)
-	}
-	return &c, nil
-}
-
-func (r *Repository) Save(dir string, key Key, cache TokenCache) error {
-	if err := os.MkdirAll(dir, 0700); err != nil {
-		return xerrors.Errorf("could not create directory %s: %w", dir, err)
-	}
-	filename := filepath.Join(dir, computeFilename(key))
-	f, err := os.OpenFile(filename, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0600)
-	if err != nil {
-		return xerrors.Errorf("could not create file %s: %w", filename, err)
-	}
-	defer f.Close()
-	e := json.NewEncoder(f)
-	if err := e.Encode(&cache); err != nil {
-		return xerrors.Errorf("could not encode json to file %s: %w", filename, err)
-	}
-	return nil
-}
-
-func computeFilename(key Key) string {
-	s := sha256.New()
-	_, _ = s.Write([]byte(key.IssuerURL))
-	_, _ = s.Write([]byte{0x00})
-	_, _ = s.Write([]byte(key.ClientID))
-	return hex.EncodeToString(s.Sum(nil))
-}

pkg/adaptors/tokencache/tokencache_test.go

@@ -1,80 +0,0 @@
-package tokencache
-
-import (
-	"io/ioutil"
-	"os"
-	"path/filepath"
-	"testing"
-
-	"github.com/go-test/deep"
-)
-
-func TestRepository_FindByKey(t *testing.T) {
-	var r Repository
-
-	t.Run("Success", func(t *testing.T) {
-		dir, err := ioutil.TempDir("", "kube")
-		if err != nil {
-			t.Fatalf("could not create a temp dir: %s", err)
-		}
-		defer func() {
-			if err := os.RemoveAll(dir); err != nil {
-				t.Errorf("could not clean up the temp dir: %s", err)
-			}
-		}()
-		key := Key{
-			IssuerURL: "YOUR_ISSUER",
-			ClientID:  "YOUR_CLIENT_ID",
-		}
-		json := `{"id_token":"YOUR_ID_TOKEN","refresh_token":"YOUR_REFRESH_TOKEN"}`
-		filename := filepath.Join(dir, computeFilename(key))
-		if err := ioutil.WriteFile(filename, []byte(json), 0600); err != nil {
-			t.Fatalf("could not write to the temp file: %s", err)
-		}
-
-		tokenCache, err := r.FindByKey(dir, key)
-		if err != nil {
-			t.Errorf("err wants nil but %+v", err)
-		}
-		want := &TokenCache{IDToken: "YOUR_ID_TOKEN", RefreshToken: "YOUR_REFRESH_TOKEN"}
-		if diff := deep.Equal(tokenCache, want); diff != nil {
-			t.Error(diff)
-		}
-	})
-}
-
-func TestRepository_Save(t *testing.T) {
-	var r Repository
-
-	t.Run("Success", func(t *testing.T) {
-		dir, err := ioutil.TempDir("", "kube")
-		if err != nil {
-			t.Fatalf("could not create a temp dir: %s", err)
-		}
-		defer func() {
-			if err := os.RemoveAll(dir); err != nil {
-				t.Errorf("could not clean up the temp dir: %s", err)
-			}
-		}()
-
-		key := Key{
-			IssuerURL: "YOUR_ISSUER",
-			ClientID:  "YOUR_CLIENT_ID",
-		}
-		tokenCache := TokenCache{IDToken: "YOUR_ID_TOKEN", RefreshToken: "YOUR_REFRESH_TOKEN"}
-		if err := r.Save(dir, key, tokenCache); err != nil {
-			t.Errorf("err wants nil but %+v", err)
-		}
-
-		filename := filepath.Join(dir, computeFilename(key))
-		b, err := ioutil.ReadFile(filename)
-		if err != nil {
-			t.Fatalf("could not read the token cache file: %s", err)
-		}
-		want := `{"id_token":"YOUR_ID_TOKEN","refresh_token":"YOUR_REFRESH_TOKEN"}
-`
-		if diff := deep.Equal(string(b), want); diff != nil {
-			t.Error(diff)
-		}
-	})
-}

pkg/cmd/authentication.go

@@ -0,0 +1,104 @@
+package cmd
+
+import (
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/int128/kubelogin/pkg/usecases/authentication"
+	"github.com/int128/kubelogin/pkg/usecases/authentication/authcode"
+	"github.com/int128/kubelogin/pkg/usecases/authentication/ropc"
+	"github.com/spf13/pflag"
+)
+
+type authenticationOptions struct {
+	GrantType                  string
+	ListenAddress              []string
+	ListenPort                 []int // deprecated
+	AuthenticationTimeoutSec   int
+	SkipOpenBrowser            bool
+	BrowserCommand             string
+	LocalServerCertFile        string
+	LocalServerKeyFile         string
+	OpenURLAfterAuthentication string
+	RedirectURLHostname        string
+	AuthRequestExtraParams     map[string]string
+	Username                   string
+	Password                   string
+}
+
+// determineListenAddress returns the addresses from the flags.
+// Note that --listen-address is always given due to the default value.
+// If --listen-port is not set, it returns --listen-address.
+// If --listen-port is set, it returns the strings of --listen-port.
+func (o *authenticationOptions) determineListenAddress() []string {
+	if len(o.ListenPort) == 0 {
+		return o.ListenAddress
+	}
+	var a []string
+	for _, p := range o.ListenPort {
+		a = append(a, fmt.Sprintf("127.0.0.1:%d", p))
+	}
+	return a
+}
+
+var allGrantType = strings.Join([]string{
+	"auto",
+	"authcode",
+	"authcode-keyboard",
+	"password",
+}, "|")
+
+func (o *authenticationOptions) addFlags(f *pflag.FlagSet) {
+	f.StringVar(&o.GrantType, "grant-type", "auto", fmt.Sprintf("Authorization grant type to use. One of (%s)", allGrantType))
+	f.StringSliceVar(&o.ListenAddress, "listen-address", defaultListenAddress, "[authcode] Address to bind to the local server. If multiple addresses are set, it will try binding in order")
+	//TODO: remove the deprecated flag
+	f.IntSliceVar(&o.ListenPort, "listen-port", nil, "[authcode] deprecated: port to bind to the local server")
+	if err := f.MarkDeprecated("listen-port", "use --listen-address instead"); err != nil {
+		panic(err)
+	}
+	f.BoolVar(&o.SkipOpenBrowser, "skip-open-browser", false, "[authcode] Do not open the browser automatically")
+	f.StringVar(&o.BrowserCommand, "browser-command", "", "[authcode] Command to open the browser")
+	f.IntVar(&o.AuthenticationTimeoutSec, "authentication-timeout-sec", defaultAuthenticationTimeoutSec, "[authcode] Timeout of authentication in seconds")
+	f.StringVar(&o.LocalServerCertFile, "local-server-cert", "", "[authcode] Certificate path for the local server")
+	f.StringVar(&o.LocalServerKeyFile, "local-server-key", "", "[authcode] Certificate key path for the local server")
+	f.StringVar(&o.OpenURLAfterAuthentication, "open-url-after-authentication", "", "[authcode] If set, open the URL in the browser after authentication")
+	f.StringVar(&o.RedirectURLHostname, "oidc-redirect-url-hostname", "localhost", "[authcode] Hostname of the redirect URL")
+	f.StringToStringVar(&o.AuthRequestExtraParams, "oidc-auth-request-extra-params", nil, "[authcode, authcode-keyboard] Extra query parameters to send with an authentication request")
+	f.StringVar(&o.Username, "username", "", "[password] Username for resource owner password credentials grant")
+	f.StringVar(&o.Password, "password", "", "[password] Password for resource owner password credentials grant")
+}
+
+func (o *authenticationOptions) expandHomedir() {
+	o.LocalServerCertFile = expandHomedir(o.LocalServerCertFile)
+	o.LocalServerKeyFile = expandHomedir(o.LocalServerKeyFile)
+}
+
+func (o *authenticationOptions) grantOptionSet() (s authentication.GrantOptionSet, err error) {
+	switch {
+	case o.GrantType == "authcode" || (o.GrantType == "auto" && o.Username == ""):
+		s.AuthCodeBrowserOption = &authcode.BrowserOption{
+			BindAddress:                o.determineListenAddress(),
+			SkipOpenBrowser:            o.SkipOpenBrowser,
+			BrowserCommand:             o.BrowserCommand,
+			AuthenticationTimeout:      time.Duration(o.AuthenticationTimeoutSec) * time.Second,
+			LocalServerCertFile:        o.LocalServerCertFile,
+			LocalServerKeyFile:         o.LocalServerKeyFile,
+			OpenURLAfterAuthentication: o.OpenURLAfterAuthentication,
+			RedirectURLHostname:        o.RedirectURLHostname,
+			AuthRequestExtraParams:     o.AuthRequestExtraParams,
+		}
+	case o.GrantType == "authcode-keyboard":
+		s.AuthCodeKeyboardOption = &authcode.KeyboardOption{
+			AuthRequestExtraParams: o.AuthRequestExtraParams,
+		}
+	case o.GrantType == "password" || (o.GrantType == "auto" && o.Username != ""):
+		s.ROPCOption = &ropc.Option{
+			Username: o.Username,
+			Password: o.Password,
+		}
+	default:
+		err = fmt.Errorf("grant-type must be one of (%s)", allGrantType)
+	}
+	return
+}

pkg/cmd/authentication_test.go

@@ -0,0 +1,143 @@
+package cmd
+
+import (
+	"testing"
+	"time"
+
+	"github.com/google/go-cmp/cmp"
+	"github.com/int128/kubelogin/pkg/usecases/authentication"
+	"github.com/int128/kubelogin/pkg/usecases/authentication/authcode"
+	"github.com/int128/kubelogin/pkg/usecases/authentication/ropc"
+	"github.com/spf13/pflag"
+)
+
+func Test_authenticationOptions_grantOptionSet(t *testing.T) {
+	tests := map[string]struct {
+		args []string
+		want authentication.GrantOptionSet
+	}{
+		"NoFlag": {
+			want: authentication.GrantOptionSet{
+				AuthCodeBrowserOption: &authcode.BrowserOption{
+					BindAddress:           defaultListenAddress,
+					AuthenticationTimeout: defaultAuthenticationTimeoutSec * time.Second,
+					RedirectURLHostname:   "localhost",
+				},
+			},
+		},
+		"FullOptions": {
+			args: []string{
+				"--grant-type", "authcode",
+				"--listen-address", "127.0.0.1:10080",
+				"--listen-address", "127.0.0.1:20080",
+				"--skip-open-browser",
+				"--browser-command", "firefox",
+				"--authentication-timeout-sec", "10",
+				"--local-server-cert", "/path/to/local-server-cert",
+				"--local-server-key", "/path/to/local-server-key",
+				"--open-url-after-authentication", "https://example.com/success.html",
+				"--oidc-redirect-url-hostname", "example",
+				"--oidc-auth-request-extra-params", "ttl=86400",
+				"--oidc-auth-request-extra-params", "reauth=true",
+				"--username", "USER",
+				"--password", "PASS",
+			},
+			want: authentication.GrantOptionSet{
+				AuthCodeBrowserOption: &authcode.BrowserOption{
+					BindAddress:                []string{"127.0.0.1:10080", "127.0.0.1:20080"},
+					SkipOpenBrowser:            true,
+					BrowserCommand:             "firefox",
+					AuthenticationTimeout:      10 * time.Second,
+					LocalServerCertFile:        "/path/to/local-server-cert",
+					LocalServerKeyFile:         "/path/to/local-server-key",
+					OpenURLAfterAuthentication: "https://example.com/success.html",
+					RedirectURLHostname:        "example",
+					AuthRequestExtraParams:     map[string]string{"ttl": "86400", "reauth": "true"},
+				},
+			},
+		},
+		"when --listen-port is set, it should convert the port to address": {
+			args: []string{
+				"--listen-port", "10080",
+				"--listen-port", "20080",
+			},
+			want: authentication.GrantOptionSet{
+				AuthCodeBrowserOption: &authcode.BrowserOption{
+					BindAddress:           []string{"127.0.0.1:10080", "127.0.0.1:20080"},
+					AuthenticationTimeout: defaultAuthenticationTimeoutSec * time.Second,
+					RedirectURLHostname:   "localhost",
+				},
+			},
+		},
+		"when --listen-port is set, it should ignore --listen-address flags": {
+			args: []string{
+				"--listen-port", "10080",
+				"--listen-port", "20080",
+				"--listen-address", "127.0.0.1:30080",
+				"--listen-address", "127.0.0.1:40080",
+			},
+			want: authentication.GrantOptionSet{
+				AuthCodeBrowserOption: &authcode.BrowserOption{
+					BindAddress:           []string{"127.0.0.1:10080", "127.0.0.1:20080"},
+					AuthenticationTimeout: defaultAuthenticationTimeoutSec * time.Second,
+					RedirectURLHostname:   "localhost",
+				},
+			},
+		},
+		"GrantType=authcode-keyboard": {
+			args: []string{
+				"--grant-type", "authcode-keyboard",
+			},
+			want: authentication.GrantOptionSet{
+				AuthCodeKeyboardOption: &authcode.KeyboardOption{},
+			},
+		},
+		"GrantType=password": {
+			args: []string{
+				"--grant-type", "password",
+				"--listen-address", "127.0.0.1:10080",
+				"--listen-address", "127.0.0.1:20080",
+				"--username", "USER",
+				"--password", "PASS",
+			},
+			want: authentication.GrantOptionSet{
+				ROPCOption: &ropc.Option{
+					Username: "USER",
+					Password: "PASS",
+				},
+			},
+		},
+		"GrantType=auto": {
+			args: []string{
+				"--listen-address", "127.0.0.1:10080",
+				"--listen-address", "127.0.0.1:20080",
+				"--username", "USER",
+				"--password", "PASS",
+			},
+			want: authentication.GrantOptionSet{
+				ROPCOption: &ropc.Option{
+					Username: "USER",
+					Password: "PASS",
+				},
+			},
+		},
+	}
+
+	for name, c := range tests {
+		t.Run(name, func(t *testing.T) {
+			var o authenticationOptions
+			f := pflag.NewFlagSet("", pflag.ContinueOnError)
+			o.addFlags(f)
+			if err := f.Parse(c.args); err != nil {
+				t.Fatalf("Parse error: %s", err)
+			}
+			got, err := o.grantOptionSet()
+			if err != nil {
+				t.Fatalf("grantOptionSet error: %s", err)
+			}
+			if diff := cmp.Diff(c.want, got); diff != "" {
+				t.Errorf("mismatch (-want +got):\n%s", diff)
+			}
+		})
+	}
+}

pkg/cmd/cmd.go

@@ -2,13 +2,12 @@ package cmd
 
 import (
 	"context"
-	"fmt"
 	"path/filepath"
+	"runtime"
 
 	"github.com/google/wire"
-	"github.com/int128/kubelogin/pkg/adaptors/logger"
+	"github.com/int128/kubelogin/pkg/infrastructure/logger"
 	"github.com/spf13/cobra"
-	"k8s.io/client-go/util/homedir"
 )
 
 // Set provides an implementation and interface for Cmd.
@@ -24,15 +23,10 @@ type Interface interface {
 	Run(ctx context.Context, args []string, version string) int
 }
 
-var defaultListenPort = []int{8000, 18000}
-var defaultTokenCacheDir = homedir.HomeDir() + "/.kube/cache/oidc-login"
+var defaultListenAddress = []string{"127.0.0.1:8000", "127.0.0.1:18000"}
+var defaultTokenCacheDir = filepath.Join("~", ".kube", "cache", "oidc-login")
 
-func translateListenPortToBindAddress(ports []int) (address []string) {
-	for _, p := range ports {
-		address = append(address, fmt.Sprintf("127.0.0.1:%d", p))
-	}
-	return
-}
+const defaultAuthenticationTimeoutSec = 180
 
 // Cmd provides interaction with command line interface (CLI).
 type Cmd struct {
@@ -45,17 +39,15 @@ type Cmd struct {
 // Run parses the command line arguments and executes the specified use-case.
 // It returns an exit code, that is 0 on success or 1 on error.
 func (cmd *Cmd) Run(ctx context.Context, args []string, version string) int {
-	executable := filepath.Base(args[0])
-
-	rootCmd := cmd.Root.New(ctx, executable)
+	rootCmd := cmd.Root.New()
 	rootCmd.Version = version
 	rootCmd.SilenceUsage = true
 	rootCmd.SilenceErrors = true
 
-	getTokenCmd := cmd.GetToken.New(ctx)
+	getTokenCmd := cmd.GetToken.New()
 	rootCmd.AddCommand(getTokenCmd)
 
-	setupCmd := cmd.Setup.New(ctx)
+	setupCmd := cmd.Setup.New()
 	rootCmd.AddCommand(setupCmd)
 
 	versionCmd := &cobra.Command{
@@ -63,13 +55,13 @@ func (cmd *Cmd) Run(ctx context.Context, args []string, version string) int {
 		Short: "Print the version information",
 		Args:  cobra.NoArgs,
 		Run: func(*cobra.Command, []string) {
-			cmd.Logger.Printf("%s version %s", executable, version)
+			cmd.Logger.Printf("kubelogin version %s (%s %s_%s)", version, runtime.Version(), runtime.GOOS, runtime.GOARCH)
 		},
 	}
 	rootCmd.AddCommand(versionCmd)
 
 	rootCmd.SetArgs(args[1:])
-	if err := rootCmd.Execute(); err != nil {
+	if err := rootCmd.ExecuteContext(ctx); err != nil {
 		cmd.Logger.Printf("error: %s", err)
 		cmd.Logger.V(1).Infof("stacktrace: %+v", err)
 		return 1

pkg/cmd/cmd_test.go

@@ -0,0 +1,257 @@
+package cmd
+
+import (
+	"context"
+	"os"
+	"path/filepath"
+	"testing"
+	"time"
+
+	"github.com/golang/mock/gomock"
+	"github.com/int128/kubelogin/pkg/oidc"
+	"github.com/int128/kubelogin/pkg/testing/logger"
+	"github.com/int128/kubelogin/pkg/tlsclientconfig"
+	"github.com/int128/kubelogin/pkg/usecases/authentication"
+	"github.com/int128/kubelogin/pkg/usecases/authentication/authcode"
+	"github.com/int128/kubelogin/pkg/usecases/credentialplugin"
+	"github.com/int128/kubelogin/pkg/usecases/credentialplugin/mock_credentialplugin"
+	"github.com/int128/kubelogin/pkg/usecases/standalone"
+	"github.com/int128/kubelogin/pkg/usecases/standalone/mock_standalone"
+)
+
+func TestCmd_Run(t *testing.T) {
+	const executable = "kubelogin"
+	const version = "HEAD"
+
+	t.Run("root", func(t *testing.T) {
+		tests := map[string]struct {
+			args []string
+			in   standalone.Input
+		}{
+			"Defaults": {
+				args: []string{executable},
+				in: standalone.Input{
+					GrantOptionSet: authentication.GrantOptionSet{
+						AuthCodeBrowserOption: &authcode.BrowserOption{
+							BindAddress:           defaultListenAddress,
+							AuthenticationTimeout: defaultAuthenticationTimeoutSec * time.Second,
+							RedirectURLHostname:   "localhost",
+						},
+					},
+				},
+			},
+			"FullOptions": {
+				args: []string{executable,
+					"--kubeconfig", "/path/to/kubeconfig",
+					"--context", "hello.k8s.local",
+					"--user", "google",
+					"-v1",
+				},
+				in: standalone.Input{
+					KubeconfigFilename: "/path/to/kubeconfig",
+					KubeconfigContext:  "hello.k8s.local",
+					KubeconfigUser:     "google",
+					GrantOptionSet: authentication.GrantOptionSet{
+						AuthCodeBrowserOption: &authcode.BrowserOption{
+							BindAddress:           defaultListenAddress,
+							AuthenticationTimeout: defaultAuthenticationTimeoutSec * time.Second,
+							RedirectURLHostname:   "localhost",
+						},
+					},
+				},
+			},
+		}
+		for name, c := range tests {
+			t.Run(name, func(t *testing.T) {
+				ctrl := gomock.NewController(t)
+				defer ctrl.Finish()
+				ctx := context.TODO()
+				mockStandalone := mock_standalone.NewMockInterface(ctrl)
+				mockStandalone.EXPECT().
+					Do(ctx, c.in)
+				cmd := Cmd{
+					Root: &Root{
+						Standalone: mockStandalone,
+						Logger:     logger.New(t),
+					},
+					Logger: logger.New(t),
+				}
+				exitCode := cmd.Run(ctx, c.args, version)
+				if exitCode != 0 {
+					t.Errorf("exitCode wants 0 but %d", exitCode)
+				}
+			})
+		}
+
+		t.Run("TooManyArgs", func(t *testing.T) {
+			ctrl := gomock.NewController(t)
+			defer ctrl.Finish()
+			cmd := Cmd{
+				Root: &Root{
+					Standalone: mock_standalone.NewMockInterface(ctrl),
+					Logger:     logger.New(t),
+				},
+				Logger: logger.New(t),
+			}
+			exitCode := cmd.Run(context.TODO(), []string{executable, "some"}, version)
+			if exitCode != 1 {
+				t.Errorf("exitCode wants 1 but %d", exitCode)
+			}
+		})
+	})
+
+	t.Run("get-token", func(t *testing.T) {
+		userHomeDir, err := os.UserHomeDir()
+		if err != nil {
+			t.Fatalf("os.UserHomeDir error: %s", err)
+		}
+
+		tests := map[string]struct {
+			args []string
+			in   credentialplugin.Input
+		}{
+			"Defaults": {
+				args: []string{executable,
+					"get-token",
+					"--oidc-issuer-url", "https://issuer.example.com",
+					"--oidc-client-id", "YOUR_CLIENT_ID",
+				},
+				in: credentialplugin.Input{
+					TokenCacheDir: filepath.Join(userHomeDir, ".kube/cache/oidc-login"),
+					Provider: oidc.Provider{
+						IssuerURL: "https://issuer.example.com",
+						ClientID:  "YOUR_CLIENT_ID",
+					},
+					GrantOptionSet: authentication.GrantOptionSet{
+						AuthCodeBrowserOption: &authcode.BrowserOption{
+							BindAddress:           defaultListenAddress,
+							AuthenticationTimeout: defaultAuthenticationTimeoutSec * time.Second,
+							RedirectURLHostname:   "localhost",
+						},
+					},
+				},
+			},
+			"FullOptions": {
+				args: []string{executable,
+					"get-token",
+					"--oidc-issuer-url", "https://issuer.example.com",
+					"--oidc-client-id", "YOUR_CLIENT_ID",
+					"--oidc-client-secret", "YOUR_CLIENT_SECRET",
+					"--oidc-extra-scope", "email",
+					"--oidc-extra-scope", "profile",
+					"-v1",
+				},
+				in: credentialplugin.Input{
+					TokenCacheDir: filepath.Join(userHomeDir, ".kube/cache/oidc-login"),
+					Provider: oidc.Provider{
+						IssuerURL:    "https://issuer.example.com",
+						ClientID:     "YOUR_CLIENT_ID",
+						ClientSecret: "YOUR_CLIENT_SECRET",
+						ExtraScopes:  []string{"email", "profile"},
+					},
+					GrantOptionSet: authentication.GrantOptionSet{
+						AuthCodeBrowserOption: &authcode.BrowserOption{
+							BindAddress:           defaultListenAddress,
+							AuthenticationTimeout: defaultAuthenticationTimeoutSec * time.Second,
+							RedirectURLHostname:   "localhost",
+						},
+					},
+				},
+			},
+			"HomedirExpansion": {
+				args: []string{executable,
+					"get-token",
+					"--oidc-issuer-url", "https://issuer.example.com",
+					"--oidc-client-id", "YOUR_CLIENT_ID",
+					"--certificate-authority", "~/.kube/ca.crt",
+					"--local-server-cert", "~/.kube/oidc-server.crt",
+					"--local-server-key", "~/.kube/oidc-server.key",
+					"--token-cache-dir", "~/.kube/oidc-cache",
+				},
+				in: credentialplugin.Input{
+					TokenCacheDir: filepath.Join(userHomeDir, ".kube/oidc-cache"),
+					Provider: oidc.Provider{
+						IssuerURL: "https://issuer.example.com",
+						ClientID:  "YOUR_CLIENT_ID",
+					},
+					GrantOptionSet: authentication.GrantOptionSet{
+						AuthCodeBrowserOption: &authcode.BrowserOption{
+							BindAddress:           defaultListenAddress,
+							AuthenticationTimeout: defaultAuthenticationTimeoutSec * time.Second,
+							RedirectURLHostname:   "localhost",
+							LocalServerCertFile:   filepath.Join(userHomeDir, ".kube/oidc-server.crt"),
+							LocalServerKeyFile:    filepath.Join(userHomeDir, ".kube/oidc-server.key"),
+						},
+					},
+					TLSClientConfig: tlsclientconfig.Config{
+						CACertFilename: []string{filepath.Join(userHomeDir, ".kube/ca.crt")},
+					},
+				},
+			},
+		}
+		for name, c := range tests {
+			t.Run(name, func(t *testing.T) {
+				ctrl := gomock.NewController(t)
+				defer ctrl.Finish()
+				ctx := context.TODO()
+				getToken := mock_credentialplugin.NewMockInterface(ctrl)
+				getToken.EXPECT().
+					Do(ctx, c.in)
+				cmd := Cmd{
+					Root: &Root{
+						Logger: logger.New(t),
+					},
+					GetToken: &GetToken{
+						GetToken: getToken,
+						Logger:   logger.New(t),
+					},
+					Logger: logger.New(t),
+				}
+				exitCode := cmd.Run(ctx, c.args, version)
+				if exitCode != 0 {
+					t.Errorf("exitCode wants 0 but %d", exitCode)
+				}
+			})
+		}
+
+		t.Run("MissingMandatoryOptions", func(t *testing.T) {
+			ctrl := gomock.NewController(t)
+			defer ctrl.Finish()
+			ctx := context.TODO()
+			cmd := Cmd{
+				Root: &Root{
+					Logger: logger.New(t),
+				},
+				GetToken: &GetToken{
+					GetToken: mock_credentialplugin.NewMockInterface(ctrl),
+					Logger:   logger.New(t),
+				},
+				Logger: logger.New(t),
+			}
+			exitCode := cmd.Run(ctx, []string{executable, "get-token"}, version)
+			if exitCode != 1 {
+				t.Errorf("exitCode wants 1 but %d", exitCode)
+			}
+		})
+
+		t.Run("TooManyArgs", func(t *testing.T) {
+			ctrl := gomock.NewController(t)
+			defer ctrl.Finish()
+			ctx := context.TODO()
+			cmd := Cmd{
+				Root: &Root{
+					Logger: logger.New(t),
+				},
+				GetToken: &GetToken{
+					GetToken: mock_credentialplugin.NewMockInterface(ctrl),
+					Logger:   logger.New(t),
+				},
+				Logger: logger.New(t),
+			}
+			exitCode := cmd.Run(ctx, []string{executable, "get-token", "foo"}, version)
+			if exitCode != 1 {
+				t.Errorf("exitCode wants 1 but %d", exitCode)
+			}
+		})
+	})
+}

pkg/cmd/get_token.go

@@ -1,13 +1,14 @@
 package cmd
 
 import (
-	"context"
+	"errors"
+	"fmt"
 
-	"github.com/int128/kubelogin/pkg/adaptors/logger"
+	"github.com/int128/kubelogin/pkg/infrastructure/logger"
+	"github.com/int128/kubelogin/pkg/oidc"
 	"github.com/int128/kubelogin/pkg/usecases/credentialplugin"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
-	"golang.org/x/xerrors"
 )
 
 // getTokenOptions represents the options for get-token command.
@@ -16,22 +17,28 @@ type getTokenOptions struct {
 	ClientID              string
 	ClientSecret          string
 	ExtraScopes           []string
-	CertificateAuthority  string
-	SkipTLSVerify         bool
+	UsePKCE               bool
 	TokenCacheDir         string
+	tlsOptions            tlsOptions
 	authenticationOptions authenticationOptions
 }
 
-func (o *getTokenOptions) register(f *pflag.FlagSet) {
-	f.SortFlags = false
+func (o *getTokenOptions) addFlags(f *pflag.FlagSet) {
 	f.StringVar(&o.IssuerURL, "oidc-issuer-url", "", "Issuer URL of the provider (mandatory)")
 	f.StringVar(&o.ClientID, "oidc-client-id", "", "Client ID of the provider (mandatory)")
 	f.StringVar(&o.ClientSecret, "oidc-client-secret", "", "Client secret of the provider")
 	f.StringSliceVar(&o.ExtraScopes, "oidc-extra-scope", nil, "Scopes to request to the provider")
-	f.StringVar(&o.CertificateAuthority, "certificate-authority", "", "Path to a cert file for the certificate authority")
-	f.BoolVar(&o.SkipTLSVerify, "insecure-skip-tls-verify", false, "If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure")
-	f.StringVar(&o.TokenCacheDir, "token-cache-dir", defaultTokenCacheDir, "Path to a directory for caching tokens")
-	o.authenticationOptions.register(f)
+	f.BoolVar(&o.UsePKCE, "oidc-use-pkce", false, "Force PKCE usage")
+	f.StringVar(&o.TokenCacheDir, "token-cache-dir", defaultTokenCacheDir, "Path to a directory for token cache")
+	o.tlsOptions.addFlags(f)
+	o.authenticationOptions.addFlags(f)
+}
+
+func (o *getTokenOptions) expandHomedir() error {
+	o.TokenCacheDir = expandHomedir(o.TokenCacheDir)
+	o.authenticationOptions.expandHomedir()
+	o.tlsOptions.expandHomedir()
+	return nil
 }
 
 type GetToken struct {
@@ -39,7 +46,7 @@ type GetToken struct {
 	Logger   logger.Interface
 }
 
-func (cmd *GetToken) New(ctx context.Context) *cobra.Command {
+func (cmd *GetToken) New() *cobra.Command {
 	var o getTokenOptions
 	c := &cobra.Command{
 		Use:   "get-token [flags]",
@@ -49,34 +56,40 @@ func (cmd *GetToken) New(ctx context.Context) *cobra.Command {
 				return err
 			}
 			if o.IssuerURL == "" {
-				return xerrors.New("--oidc-issuer-url is missing")
+				return errors.New("--oidc-issuer-url is missing")
 			}
 			if o.ClientID == "" {
-				return xerrors.New("--oidc-client-id is missing")
+				return errors.New("--oidc-client-id is missing")
 			}
 			return nil
 		},
-		RunE: func(*cobra.Command, []string) error {
+		RunE: func(c *cobra.Command, _ []string) error {
+			if err := o.expandHomedir(); err != nil {
+				return err
+			}
 			grantOptionSet, err := o.authenticationOptions.grantOptionSet()
 			if err != nil {
-				return xerrors.Errorf("error: %w", err)
+				return fmt.Errorf("get-token: %w", err)
 			}
 			in := credentialplugin.Input{
-				IssuerURL:      o.IssuerURL,
-				ClientID:       o.ClientID,
-				ClientSecret:   o.ClientSecret,
-				ExtraScopes:    o.ExtraScopes,
-				CACertFilename: o.CertificateAuthority,
-				SkipTLSVerify:  o.SkipTLSVerify,
-				TokenCacheDir:  o.TokenCacheDir,
-				GrantOptionSet: grantOptionSet,
+				Provider: oidc.Provider{
+					IssuerURL:    o.IssuerURL,
+					ClientID:     o.ClientID,
+					ClientSecret: o.ClientSecret,
+					UsePKCE:      o.UsePKCE,
+					ExtraScopes:  o.ExtraScopes,
+				},
+				TokenCacheDir:   o.TokenCacheDir,
+				GrantOptionSet:  grantOptionSet,
+				TLSClientConfig: o.tlsOptions.tlsClientConfig(),
 			}
-			if err := cmd.GetToken.Do(ctx, in); err != nil {
-				return xerrors.Errorf("error: %w", err)
+			if err := cmd.GetToken.Do(c.Context(), in); err != nil {
+				return fmt.Errorf("get-token: %w", err)
 			}
 			return nil
 		},
 	}
-	o.register(c.Flags())
+	c.Flags().SortFlags = false
+	o.addFlags(c.Flags())
 	return c
 }

pkg/cmd/homedir.go

@@ -0,0 +1,15 @@
+package cmd
+
+import (
+	"path/filepath"
+	"strings"
+
+	"k8s.io/client-go/util/homedir"
+)
+
+func expandHomedir(s string) string {
+	if !strings.HasPrefix(s, "~") {
+		return s
+	}
+	return filepath.Join(homedir.HomeDir(), strings.TrimPrefix(s, "~"))
+}

pkg/cmd/root.go

@@ -0,0 +1,73 @@
+package cmd
+
+import (
+	"fmt"
+	"github.com/int128/kubelogin/pkg/infrastructure/logger"
+	"github.com/int128/kubelogin/pkg/kubeconfig"
+	"github.com/int128/kubelogin/pkg/usecases/standalone"
+	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
+)
+
+const rootDescription = `Log in to the OpenID Connect provider.
+
+You need to set up the OIDC provider, role binding, Kubernetes API server and kubeconfig.
+To show the setup instruction:
+
+	kubectl oidc-login setup
+
+See https://github.com/int128/kubelogin for more.
+`
+
+// rootOptions represents the options for the root command.
+type rootOptions struct {
+	Kubeconfig            string
+	Context               string
+	User                  string
+	tlsOptions            tlsOptions
+	authenticationOptions authenticationOptions
+}
+
+func (o *rootOptions) addFlags(f *pflag.FlagSet) {
+	f.StringVar(&o.Kubeconfig, "kubeconfig", "", "Path to the kubeconfig file")
+	f.StringVar(&o.Context, "context", "", "Name of the kubeconfig context to use")
+	f.StringVar(&o.User, "user", "", "Name of the kubeconfig user to use. Prior to --context")
+	o.tlsOptions.addFlags(f)
+	o.authenticationOptions.addFlags(f)
+}
+
+type Root struct {
+	Standalone standalone.Interface
+	Logger     logger.Interface
+}
+
+func (cmd *Root) New() *cobra.Command {
+	var o rootOptions
+	c := &cobra.Command{
+		Use:   "kubelogin",
+		Short: "Log in to the OpenID Connect provider",
+		Long:  rootDescription,
+		Args:  cobra.NoArgs,
+		RunE: func(c *cobra.Command, _ []string) error {
+			grantOptionSet, err := o.authenticationOptions.grantOptionSet()
+			if err != nil {
+				return fmt.Errorf("invalid option: %w", err)
+			}
+			in := standalone.Input{
+				KubeconfigFilename: o.Kubeconfig,
+				KubeconfigContext:  kubeconfig.ContextName(o.Context),
+				KubeconfigUser:     kubeconfig.UserName(o.User),
+				GrantOptionSet:     grantOptionSet,
+				TLSClientConfig:    o.tlsOptions.tlsClientConfig(),
+			}
+			if err := cmd.Standalone.Do(c.Context(), in); err != nil {
+				return fmt.Errorf("login: %w", err)
+			}
+			return nil
+		},
+	}
+	c.Flags().SortFlags = false
+	o.addFlags(c.Flags())
+	cmd.Logger.AddFlags(c.PersistentFlags())
+	return c
+}

pkg/cmd/setup.go

@@ -1,12 +1,11 @@
 package cmd
 
 import (
-	"context"
+	"fmt"
 
 	"github.com/int128/kubelogin/pkg/usecases/setup"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
-	"golang.org/x/xerrors"
 )
 
 // setupOptions represents the options for setup command.
@@ -15,27 +14,26 @@ type setupOptions struct {
 	ClientID              string
 	ClientSecret          string
 	ExtraScopes           []string
-	CertificateAuthority  string
-	SkipTLSVerify         bool
+	UsePKCE               bool
+	tlsOptions            tlsOptions
 	authenticationOptions authenticationOptions
 }
 
-func (o *setupOptions) register(f *pflag.FlagSet) {
-	f.SortFlags = false
+func (o *setupOptions) addFlags(f *pflag.FlagSet) {
 	f.StringVar(&o.IssuerURL, "oidc-issuer-url", "", "Issuer URL of the provider")
 	f.StringVar(&o.ClientID, "oidc-client-id", "", "Client ID of the provider")
 	f.StringVar(&o.ClientSecret, "oidc-client-secret", "", "Client secret of the provider")
 	f.StringSliceVar(&o.ExtraScopes, "oidc-extra-scope", nil, "Scopes to request to the provider")
-	f.StringVar(&o.CertificateAuthority, "certificate-authority", "", "Path to a cert file for the certificate authority")
-	f.BoolVar(&o.SkipTLSVerify, "insecure-skip-tls-verify", false, "If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure")
-	o.authenticationOptions.register(f)
+	f.BoolVar(&o.UsePKCE, "oidc-use-pkce", false, "Force PKCE usage")
+	o.tlsOptions.addFlags(f)
+	o.authenticationOptions.addFlags(f)
 }
 
 type Setup struct {
 	Setup setup.Interface
 }
 
-func (cmd *Setup) New(ctx context.Context) *cobra.Command {
+func (cmd *Setup) New() *cobra.Command {
 	var o setupOptions
 	c := &cobra.Command{
 		Use:   "setup",
@@ -44,30 +42,31 @@ func (cmd *Setup) New(ctx context.Context) *cobra.Command {
 		RunE: func(c *cobra.Command, _ []string) error {
 			grantOptionSet, err := o.authenticationOptions.grantOptionSet()
 			if err != nil {
-				return xerrors.Errorf("error: %w", err)
+				return fmt.Errorf("setup: %w", err)
 			}
 			in := setup.Stage2Input{
-				IssuerURL:      o.IssuerURL,
-				ClientID:       o.ClientID,
-				ClientSecret:   o.ClientSecret,
-				ExtraScopes:    o.ExtraScopes,
-				CACertFilename: o.CertificateAuthority,
-				SkipTLSVerify:  o.SkipTLSVerify,
-				GrantOptionSet: grantOptionSet,
+				IssuerURL:       o.IssuerURL,
+				ClientID:        o.ClientID,
+				ClientSecret:    o.ClientSecret,
+				ExtraScopes:     o.ExtraScopes,
+				UsePKCE:         o.UsePKCE,
+				GrantOptionSet:  grantOptionSet,
+				TLSClientConfig: o.tlsOptions.tlsClientConfig(),
 			}
-			if c.Flags().Lookup("listen-port").Changed {
-				in.ListenPortArgs = o.authenticationOptions.ListenPort
+			if c.Flags().Lookup("listen-address").Changed {
+				in.ListenAddressArgs = o.authenticationOptions.ListenAddress
 			}
 			if in.IssuerURL == "" || in.ClientID == "" {
 				cmd.Setup.DoStage1()
 				return nil
 			}
-			if err := cmd.Setup.DoStage2(ctx, in); err != nil {
-				return xerrors.Errorf("error: %w", err)
+			if err := cmd.Setup.DoStage2(c.Context(), in); err != nil {
+				return fmt.Errorf("setup: %w", err)
 			}
 			return nil
 		},
 	}
-	o.register(c.Flags())
+	c.Flags().SortFlags = false
+	o.addFlags(c.Flags())
 	return c
 }

pkg/cmd/tls.go

@@ -0,0 +1,52 @@
+package cmd
+
+import (
+	"crypto/tls"
+
+	"github.com/int128/kubelogin/pkg/tlsclientconfig"
+	"github.com/spf13/pflag"
+)
+
+type tlsOptions struct {
+	CACertFilename            []string
+	CACertData                []string
+	SkipTLSVerify             bool
+	RenegotiateOnceAsClient   bool
+	RenegotiateFreelyAsClient bool
+}
+
+func (o *tlsOptions) addFlags(f *pflag.FlagSet) {
+	f.StringArrayVar(&o.CACertFilename, "certificate-authority", nil, "Path to a cert file for the certificate authority")
+	f.StringArrayVar(&o.CACertData, "certificate-authority-data", nil, "Base64 encoded cert for the certificate authority")
+	f.BoolVar(&o.SkipTLSVerify, "insecure-skip-tls-verify", false, "If set, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure")
+	f.BoolVar(&o.RenegotiateOnceAsClient, "tls-renegotiation-once", false, "If set, allow a remote server to request renegotiation once per connection")
+	f.BoolVar(&o.RenegotiateFreelyAsClient, "tls-renegotiation-freely", false, "If set, allow a remote server to repeatedly request renegotiation")
+}
+
+func (o *tlsOptions) expandHomedir() {
+	var caCertFilenames []string
+	for _, caCertFilename := range o.CACertFilename {
+		expanded := expandHomedir(caCertFilename)
+		caCertFilenames = append(caCertFilenames, expanded)
+	}
+	o.CACertFilename = caCertFilenames
+}
+
+func (o tlsOptions) tlsClientConfig() tlsclientconfig.Config {
+	return tlsclientconfig.Config{
+		CACertFilename: o.CACertFilename,
+		CACertData:     o.CACertData,
+		SkipTLSVerify:  o.SkipTLSVerify,
+		Renegotiation:  o.renegotiationSupport(),
+	}
+}
+
+func (o tlsOptions) renegotiationSupport() tls.RenegotiationSupport {
+	if o.RenegotiateOnceAsClient {
+		return tls.RenegotiateOnceAsClient
+	}
+	if o.RenegotiateFreelyAsClient {
+		return tls.RenegotiateFreelyAsClient
+	}
+	return tls.RenegotiateNever
+}

pkg/cmd/tls_test.go

@@ -0,0 +1,92 @@
+package cmd
+
+import (
+	"crypto/tls"
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+	"github.com/int128/kubelogin/pkg/tlsclientconfig"
+	"github.com/spf13/pflag"
+)
+
+func Test_tlsOptions_tlsClientConfig(t *testing.T) {
+	tests := map[string]struct {
+		args []string
+		want tlsclientconfig.Config
+	}{
+		"NoFlag": {},
+		"SkipTLSVerify": {
+			args: []string{
+				"--insecure-skip-tls-verify",
+			},
+			want: tlsclientconfig.Config{
+				SkipTLSVerify: true,
+			},
+		},
+		"CACertFilename1": {
+			args: []string{
+				"--certificate-authority", "/path/to/cert1",
+			},
+			want: tlsclientconfig.Config{
+				CACertFilename: []string{"/path/to/cert1"},
+			},
+		},
+		"CACertFilename2": {
+			args: []string{
+				"--certificate-authority", "/path/to/cert1",
+				"--certificate-authority", "/path/to/cert2",
+			},
+			want: tlsclientconfig.Config{
+				CACertFilename: []string{"/path/to/cert1", "/path/to/cert2"},
+			},
+		},
+		"CACertData1": {
+			args: []string{
+				"--certificate-authority-data", "base64encoded1",
+			},
+			want: tlsclientconfig.Config{
+				CACertData: []string{"base64encoded1"},
+			},
+		},
+		"CACertData2": {
+			args: []string{
+				"--certificate-authority-data", "base64encoded1",
+				"--certificate-authority-data", "base64encoded2",
+			},
+			want: tlsclientconfig.Config{
+				CACertData: []string{"base64encoded1", "base64encoded2"},
+			},
+		},
+		"RenegotiateOnceAsClient": {
+			args: []string{
+				"--tls-renegotiation-once",
+			},
+			want: tlsclientconfig.Config{
+				Renegotiation: tls.RenegotiateOnceAsClient,
+			},
+		},
+		"RenegotiateFreelyAsClient": {
+			args: []string{
+				"--tls-renegotiation-freely",
+			},
+			want: tlsclientconfig.Config{
+				Renegotiation: tls.RenegotiateFreelyAsClient,
+			},
+		},
+	}
+
+	for name, c := range tests {
+		t.Run(name, func(t *testing.T) {
+			var o tlsOptions
+			f := pflag.NewFlagSet("", pflag.ContinueOnError)
+			o.addFlags(f)
+			if err := f.Parse(c.args); err != nil {
+				t.Fatalf("Parse error: %s", err)
+			}
+			got := o.tlsClientConfig()
+			if diff := cmp.Diff(c.want, got); diff != "" {
+				t.Errorf("mismatch (-want +got):\n%s", diff)
+			}
+		})
+	}
+}

pkg/credentialplugin/types.go

@@ -0,0 +1,10 @@
+// Package credentialplugin provides the types for client-go credential plugins.
+package credentialplugin
+
+import "time"
+
+// Output represents an output object of the credential plugin.
+type Output struct {
+	Token  string
+	Expiry time.Time
+}

pkg/credentialplugin/writer/credential_plugin.go

@@ -0,0 +1,47 @@
+// Package writer provides a writer for a credential plugin.
+package writer
+
+import (
+	"encoding/json"
+	"fmt"
+
+	"github.com/google/wire"
+	"github.com/int128/kubelogin/pkg/credentialplugin"
+	"github.com/int128/kubelogin/pkg/infrastructure/stdio"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	clientauthenticationv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
+)
+
+//go:generate mockgen -destination mock_writer/mock_writer.go github.com/int128/kubelogin/pkg/credentialplugin/writer Interface
+
+var Set = wire.NewSet(
+	wire.Struct(new(Writer), "*"),
+	wire.Bind(new(Interface), new(*Writer)),
+)
+
+type Interface interface {
+	Write(out credentialplugin.Output) error
+}
+
+type Writer struct {
+	Stdout stdio.Stdout
+}
+
+// Write writes the ExecCredential to standard output for kubectl.
+func (w *Writer) Write(out credentialplugin.Output) error {
+	ec := &clientauthenticationv1beta1.ExecCredential{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: "client.authentication.k8s.io/v1beta1",
+			Kind:       "ExecCredential",
+		},
+		Status: &clientauthenticationv1beta1.ExecCredentialStatus{
+			Token:               out.Token,
+			ExpirationTimestamp: &metav1.Time{Time: out.Expiry},
+		},
+	}
+	e := json.NewEncoder(w.Stdout)
+	if err := e.Encode(ec); err != nil {
+		return fmt.Errorf("could not write the ExecCredential: %w", err)
+	}
+	return nil
+}

pkg/credentialplugin/writer/mock_writer/mock_writer.go

@@ -1,12 +1,12 @@
 // Code generated by MockGen. DO NOT EDIT.
-// Source: github.com/int128/kubelogin/pkg/adaptors/credentialplugin (interfaces: Interface)
+// Source: github.com/int128/kubelogin/pkg/credentialplugin/writer (interfaces: Interface)
 
-// Package mock_credentialplugin is a generated GoMock package.
-package mock_credentialplugin
+// Package mock_writer is a generated GoMock package.
+package mock_writer
 
 import (
 	gomock "github.com/golang/mock/gomock"
-	credentialplugin "github.com/int128/kubelogin/pkg/adaptors/credentialplugin"
+	credentialplugin "github.com/int128/kubelogin/pkg/credentialplugin"
 	reflect "reflect"
 )
 

pkg/di/di.go

@@ -5,60 +5,58 @@ package di
 
 import (
 	"github.com/google/wire"
-	"github.com/int128/kubelogin/pkg/adaptors/certpool"
-	"github.com/int128/kubelogin/pkg/adaptors/cmd"
-	credentialPluginAdaptor "github.com/int128/kubelogin/pkg/adaptors/credentialplugin"
-	"github.com/int128/kubelogin/pkg/adaptors/env"
-	"github.com/int128/kubelogin/pkg/adaptors/jwtdecoder"
-	"github.com/int128/kubelogin/pkg/adaptors/kubeconfig"
-	"github.com/int128/kubelogin/pkg/adaptors/logger"
-	"github.com/int128/kubelogin/pkg/adaptors/oidcclient"
-	"github.com/int128/kubelogin/pkg/adaptors/tokencache"
+	"github.com/int128/kubelogin/pkg/cmd"
+	"github.com/int128/kubelogin/pkg/credentialplugin/writer"
+	"github.com/int128/kubelogin/pkg/infrastructure/browser"
+	"github.com/int128/kubelogin/pkg/infrastructure/clock"
+	"github.com/int128/kubelogin/pkg/infrastructure/logger"
+	"github.com/int128/kubelogin/pkg/infrastructure/mutex"
+	"github.com/int128/kubelogin/pkg/infrastructure/reader"
+	"github.com/int128/kubelogin/pkg/infrastructure/stdio"
+	kubeconfigLoader "github.com/int128/kubelogin/pkg/kubeconfig/loader"
+	kubeconfigWriter "github.com/int128/kubelogin/pkg/kubeconfig/writer"
+	"github.com/int128/kubelogin/pkg/oidc/client"
+	"github.com/int128/kubelogin/pkg/tlsclientconfig/loader"
+	"github.com/int128/kubelogin/pkg/tokencache/repository"
 	"github.com/int128/kubelogin/pkg/usecases/authentication"
-	credentialPluginUseCase "github.com/int128/kubelogin/pkg/usecases/credentialplugin"
+	"github.com/int128/kubelogin/pkg/usecases/credentialplugin"
 	"github.com/int128/kubelogin/pkg/usecases/setup"
 	"github.com/int128/kubelogin/pkg/usecases/standalone"
 )
 
-// NewCmd returns an instance of adaptors.Cmd.
+// NewCmd returns an instance of infrastructure.Cmd.
 func NewCmd() cmd.Interface {
+	wire.Build(
+		NewCmdForHeadless,
+
+		// dependencies for production
+		clock.Set,
+		stdio.Set,
+		logger.Set,
+		browser.Set,
+	)
+	return nil
+}
+
+// NewCmdForHeadless returns an instance of infrastructure.Cmd for headless testing.
+func NewCmdForHeadless(clock.Interface, stdio.Stdin, stdio.Stdout, logger.Interface, browser.Interface) cmd.Interface {
 	wire.Build(
 		// use-cases
 		authentication.Set,
-		wire.Value(authentication.DefaultLocalServerReadyFunc),
 		standalone.Set,
-		credentialPluginUseCase.Set,
+		credentialplugin.Set,
 		setup.Set,
 
-		// adaptors
+		// infrastructure
 		cmd.Set,
-		env.Set,
-		kubeconfig.Set,
-		tokencache.Set,
-		credentialPluginAdaptor.Set,
-		oidcclient.Set,
-		jwtdecoder.Set,
-		certpool.Set,
-		logger.Set,
-	)
-	return nil
-}
-
-// NewCmdForHeadless returns an instance of adaptors.Cmd for headless testing.
-func NewCmdForHeadless(logger.Interface, authentication.LocalServerReadyFunc, credentialPluginAdaptor.Interface) cmd.Interface {
-	wire.Build(
-		authentication.Set,
-		standalone.Set,
-		credentialPluginUseCase.Set,
-		setup.Set,
-
-		cmd.Set,
-		env.Set,
-		kubeconfig.Set,
-		tokencache.Set,
-		oidcclient.Set,
-		jwtdecoder.Set,
-		certpool.Set,
+		reader.Set,
+		kubeconfigLoader.Set,
+		kubeconfigWriter.Set,
+		repository.Set,
+		client.Set,
+		loader.Set,
+		writer.Set,
+		mutex.Set,
 	)
 	return nil
 }

pkg/di/wire_gen.go

@@ -6,147 +6,99 @@
 package di
 
 import (
-	"github.com/int128/kubelogin/pkg/adaptors/certpool"
-	"github.com/int128/kubelogin/pkg/adaptors/cmd"
-	"github.com/int128/kubelogin/pkg/adaptors/credentialplugin"
-	"github.com/int128/kubelogin/pkg/adaptors/env"
-	"github.com/int128/kubelogin/pkg/adaptors/jwtdecoder"
-	"github.com/int128/kubelogin/pkg/adaptors/kubeconfig"
-	"github.com/int128/kubelogin/pkg/adaptors/logger"
-	"github.com/int128/kubelogin/pkg/adaptors/oidcclient"
-	"github.com/int128/kubelogin/pkg/adaptors/tokencache"
+	"github.com/int128/kubelogin/pkg/cmd"
+	writer2 "github.com/int128/kubelogin/pkg/credentialplugin/writer"
+	"github.com/int128/kubelogin/pkg/infrastructure/browser"
+	"github.com/int128/kubelogin/pkg/infrastructure/clock"
+	"github.com/int128/kubelogin/pkg/infrastructure/logger"
+	"github.com/int128/kubelogin/pkg/infrastructure/mutex"
+	"github.com/int128/kubelogin/pkg/infrastructure/reader"
+	"github.com/int128/kubelogin/pkg/infrastructure/stdio"
+	loader2 "github.com/int128/kubelogin/pkg/kubeconfig/loader"
+	"github.com/int128/kubelogin/pkg/kubeconfig/writer"
+	"github.com/int128/kubelogin/pkg/oidc/client"
+	"github.com/int128/kubelogin/pkg/tlsclientconfig/loader"
+	"github.com/int128/kubelogin/pkg/tokencache/repository"
 	"github.com/int128/kubelogin/pkg/usecases/authentication"
-	credentialplugin2 "github.com/int128/kubelogin/pkg/usecases/credentialplugin"
+	"github.com/int128/kubelogin/pkg/usecases/authentication/authcode"
+	"github.com/int128/kubelogin/pkg/usecases/authentication/ropc"
+	"github.com/int128/kubelogin/pkg/usecases/credentialplugin"
 	"github.com/int128/kubelogin/pkg/usecases/setup"
 	"github.com/int128/kubelogin/pkg/usecases/standalone"
+	"os"
 )
 
 // Injectors from di.go:
 
 func NewCmd() cmd.Interface {
+	clockReal := &clock.Real{}
+	stdin := _wireFileValue
+	stdout := _wireOsFileValue
 	loggerInterface := logger.New()
-	factory := &oidcclient.Factory{
-		Logger: loggerInterface,
-	}
-	decoder := &jwtdecoder.Decoder{}
-	envEnv := &env.Env{}
-	localServerReadyFunc := _wireLocalServerReadyFuncValue
-	authCode := &authentication.AuthCode{
-		Env:                  envEnv,
-		Logger:               loggerInterface,
-		LocalServerReadyFunc: localServerReadyFunc,
-	}
-	authCodeKeyboard := &authentication.AuthCodeKeyboard{
-		Env:    envEnv,
-		Logger: loggerInterface,
-	}
-	ropc := &authentication.ROPC{
-		Env:    envEnv,
-		Logger: loggerInterface,
-	}
-	authenticationAuthentication := &authentication.Authentication{
-		OIDCClientFactory: factory,
-		JWTDecoder:        decoder,
-		Logger:            loggerInterface,
-		AuthCode:          authCode,
-		AuthCodeKeyboard:  authCodeKeyboard,
-		ROPC:              ropc,
-	}
-	kubeconfigKubeconfig := &kubeconfig.Kubeconfig{
-		Logger: loggerInterface,
-	}
-	certpoolFactory := &certpool.Factory{}
-	standaloneStandalone := &standalone.Standalone{
-		Authentication:  authenticationAuthentication,
-		Kubeconfig:      kubeconfigKubeconfig,
-		CertPoolFactory: certpoolFactory,
-		Logger:          loggerInterface,
-	}
-	root := &cmd.Root{
-		Standalone: standaloneStandalone,
-		Logger:     loggerInterface,
-	}
-	repository := &tokencache.Repository{}
-	interaction := &credentialplugin.Interaction{}
-	getToken := &credentialplugin2.GetToken{
-		Authentication:       authenticationAuthentication,
-		TokenCacheRepository: repository,
-		CertPoolFactory:      certpoolFactory,
-		Interaction:          interaction,
-		Logger:               loggerInterface,
-	}
-	cmdGetToken := &cmd.GetToken{
-		GetToken: getToken,
-		Logger:   loggerInterface,
-	}
-	setupSetup := &setup.Setup{
-		Authentication:  authenticationAuthentication,
-		CertPoolFactory: certpoolFactory,
-		Logger:          loggerInterface,
-	}
-	cmdSetup := &cmd.Setup{
-		Setup: setupSetup,
-	}
-	cmdCmd := &cmd.Cmd{
-		Root:     root,
-		GetToken: cmdGetToken,
-		Setup:    cmdSetup,
-		Logger:   loggerInterface,
-	}
-	return cmdCmd
+	browserBrowser := &browser.Browser{}
+	cmdInterface := NewCmdForHeadless(clockReal, stdin, stdout, loggerInterface, browserBrowser)
+	return cmdInterface
 }
 
 var (
-	_wireLocalServerReadyFuncValue = authentication.DefaultLocalServerReadyFunc
+	_wireFileValue   = os.Stdin
+	_wireOsFileValue = os.Stdout
 )
 
-func NewCmdForHeadless(loggerInterface logger.Interface, localServerReadyFunc authentication.LocalServerReadyFunc, credentialpluginInterface credentialplugin.Interface) cmd.Interface {
-	factory := &oidcclient.Factory{
+func NewCmdForHeadless(clockInterface clock.Interface, stdin stdio.Stdin, stdout stdio.Stdout, loggerInterface logger.Interface, browserInterface browser.Interface) cmd.Interface {
+	loaderLoader := loader.Loader{}
+	factory := &client.Factory{
+		Loader: loaderLoader,
+		Clock:  clockInterface,
 		Logger: loggerInterface,
 	}
-	decoder := &jwtdecoder.Decoder{}
-	envEnv := &env.Env{}
-	authCode := &authentication.AuthCode{
-		Env:                  envEnv,
-		Logger:               loggerInterface,
-		LocalServerReadyFunc: localServerReadyFunc,
+	authcodeBrowser := &authcode.Browser{
+		Browser: browserInterface,
+		Logger:  loggerInterface,
 	}
-	authCodeKeyboard := &authentication.AuthCodeKeyboard{
-		Env:    envEnv,
+	readerReader := &reader.Reader{
+		Stdin: stdin,
+	}
+	keyboard := &authcode.Keyboard{
+		Reader: readerReader,
 		Logger: loggerInterface,
 	}
-	ropc := &authentication.ROPC{
-		Env:    envEnv,
+	ropcROPC := &ropc.ROPC{
+		Reader: readerReader,
 		Logger: loggerInterface,
 	}
 	authenticationAuthentication := &authentication.Authentication{
-		OIDCClientFactory: factory,
-		JWTDecoder:        decoder,
-		Logger:            loggerInterface,
-		AuthCode:          authCode,
-		AuthCodeKeyboard:  authCodeKeyboard,
-		ROPC:              ropc,
+		ClientFactory:    factory,
+		Logger:           loggerInterface,
+		Clock:            clockInterface,
+		AuthCodeBrowser:  authcodeBrowser,
+		AuthCodeKeyboard: keyboard,
+		ROPC:             ropcROPC,
 	}
-	kubeconfigKubeconfig := &kubeconfig.Kubeconfig{
-		Logger: loggerInterface,
-	}
-	certpoolFactory := &certpool.Factory{}
+	loader3 := &loader2.Loader{}
+	writerWriter := &writer.Writer{}
 	standaloneStandalone := &standalone.Standalone{
-		Authentication:  authenticationAuthentication,
-		Kubeconfig:      kubeconfigKubeconfig,
-		CertPoolFactory: certpoolFactory,
-		Logger:          loggerInterface,
+		Authentication:   authenticationAuthentication,
+		KubeconfigLoader: loader3,
+		KubeconfigWriter: writerWriter,
+		Logger:           loggerInterface,
 	}
 	root := &cmd.Root{
 		Standalone: standaloneStandalone,
 		Logger:     loggerInterface,
 	}
-	repository := &tokencache.Repository{}
-	getToken := &credentialplugin2.GetToken{
+	repositoryRepository := &repository.Repository{}
+	writer3 := &writer2.Writer{
+		Stdout: stdout,
+	}
+	mutexMutex := &mutex.Mutex{
+		Logger: loggerInterface,
+	}
+	getToken := &credentialplugin.GetToken{
 		Authentication:       authenticationAuthentication,
-		TokenCacheRepository: repository,
-		CertPoolFactory:      certpoolFactory,
-		Interaction:          credentialpluginInterface,
+		TokenCacheRepository: repositoryRepository,
+		Writer:               writer3,
+		Mutex:                mutexMutex,
 		Logger:               loggerInterface,
 	}
 	cmdGetToken := &cmd.GetToken{
@@ -154,9 +106,8 @@ func NewCmdForHeadless(loggerInterface logger.Interface, localServerReadyFunc au
 		Logger:   loggerInterface,
 	}
 	setupSetup := &setup.Setup{
-		Authentication:  authenticationAuthentication,
-		CertPoolFactory: certpoolFactory,
-		Logger:          loggerInterface,
+		Authentication: authenticationAuthentication,
+		Logger:         loggerInterface,
 	}
 	cmdSetup := &cmd.Setup{
 		Setup: setupSetup,

pkg/domain/oidc/oidc.go

@@ -1,65 +0,0 @@
-package oidc
-
-import (
-	"crypto/rand"
-	"crypto/sha256"
-	"encoding/base64"
-	"encoding/binary"
-	"strings"
-
-	"golang.org/x/xerrors"
-)
-
-func NewState() (string, error) {
-	b, err := random32()
-	if err != nil {
-		return "", xerrors.Errorf("could not generate a random: %w", err)
-	}
-	return base64URLEncode(b), nil
-}
-
-func NewNonce() (string, error) {
-	b, err := random32()
-	if err != nil {
-		return "", xerrors.Errorf("could not generate a random: %w", err)
-	}
-	return base64URLEncode(b), nil
-}
-
-type PKCEParams struct {
-	CodeChallenge       string
-	CodeChallengeMethod string
-	CodeVerifier        string
-}
-
-func NewPKCEParams() (*PKCEParams, error) {
-	b, err := random32()
-	if err != nil {
-		return nil, xerrors.Errorf("could not generate a random: %w", err)
-	}
-	s := computeS256(b)
-	return &s, nil
-}
-
-func random32() ([]byte, error) {
-	b := make([]byte, 32)
-	if err := binary.Read(rand.Reader, binary.LittleEndian, b); err != nil {
-		return nil, xerrors.Errorf("could not read: %w", err)
-	}
-	return b, nil
-}
-
-func computeS256(b []byte) PKCEParams {
-	v := base64URLEncode(b)
-	s := sha256.New()
-	_, _ = s.Write([]byte(v))
-	return PKCEParams{
-		CodeChallenge:       base64URLEncode(s.Sum(nil)),
-		CodeChallengeMethod: "S256",
-		CodeVerifier:        v,
-	}
-}
-
-func base64URLEncode(b []byte) string {
-	return strings.TrimRight(base64.URLEncoding.EncodeToString(b), "=")
-}

pkg/domain/oidc/oidc_test.go

@@ -1,25 +0,0 @@
-package oidc
-
-import (
-	"testing"
-)
-
-func Test_computeS256(t *testing.T) {
-	// Testdata described at:
-	// https://tools.ietf.org/html/rfc7636#appendix-B
-	b := []byte{
-		116, 24, 223, 180, 151, 153, 224, 37, 79, 250, 96, 125, 216, 173,
-		187, 186, 22, 212, 37, 77, 105, 214, 191, 240, 91, 88, 5, 88, 83,
-		132, 141, 121,
-	}
-	p := computeS256(b)
-	if want := "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"; want != p.CodeVerifier {
-		t.Errorf("CodeVerifier wants %s but was %s", want, p.CodeVerifier)
-	}
-	if want := "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"; want != p.CodeChallenge {
-		t.Errorf("CodeChallenge wants %s but was %s", want, p.CodeChallenge)
-	}
-	if p.CodeChallengeMethod != "S256" {
-		t.Errorf("CodeChallengeMethod wants S256 but was %s", p.CodeChallengeMethod)
-	}
-}

pkg/infrastructure/browser/browser.go

@@ -0,0 +1,44 @@
+package browser
+
+import (
+	"context"
+	"os"
+	"os/exec"
+
+	"github.com/google/wire"
+	"github.com/pkg/browser"
+)
+
+//go:generate mockgen -destination mock_browser/mock_browser.go github.com/int128/kubelogin/pkg/infrastructure/browser Interface
+
+func init() {
+	// In credential plugin mode, some browser launcher writes a message to stdout
+	// and it may break the credential json for client-go.
+	// This prevents the browser launcher from breaking the credential json.
+	browser.Stdout = os.Stderr
+}
+
+var Set = wire.NewSet(
+	wire.Struct(new(Browser)),
+	wire.Bind(new(Interface), new(*Browser)),
+)
+
+type Interface interface {
+	Open(url string) error
+	OpenCommand(ctx context.Context, url, command string) error
+}
+
+type Browser struct{}
+
+// Open opens the default browser.
+func (*Browser) Open(url string) error {
+	return browser.OpenURL(url)
+}
+
+// OpenCommand opens the browser using the command.
+func (*Browser) OpenCommand(ctx context.Context, url, command string) error {
+	c := exec.CommandContext(ctx, command, url)
+	c.Stdout = os.Stderr // see above
+	c.Stderr = os.Stderr
+	return c.Run()
+}

pkg/infrastructure/browser/mock_browser/mock_browser.go

@@ -0,0 +1,62 @@
+// Code generated by MockGen. DO NOT EDIT.
+// Source: github.com/int128/kubelogin/pkg/infrastructure/browser (interfaces: Interface)
+
+// Package mock_browser is a generated GoMock package.
+package mock_browser
+
+import (
+	context "context"
+	gomock "github.com/golang/mock/gomock"
+	reflect "reflect"
+)
+
+// MockInterface is a mock of Interface interface
+type MockInterface struct {
+	ctrl     *gomock.Controller
+	recorder *MockInterfaceMockRecorder
+}
+
+// MockInterfaceMockRecorder is the mock recorder for MockInterface
+type MockInterfaceMockRecorder struct {
+	mock *MockInterface
+}
+
+// NewMockInterface creates a new mock instance
+func NewMockInterface(ctrl *gomock.Controller) *MockInterface {
+	mock := &MockInterface{ctrl: ctrl}
+	mock.recorder = &MockInterfaceMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use
+func (m *MockInterface) EXPECT() *MockInterfaceMockRecorder {
+	return m.recorder
+}
+
+// Open mocks base method
+func (m *MockInterface) Open(arg0 string) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "Open", arg0)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// Open indicates an expected call of Open
+func (mr *MockInterfaceMockRecorder) Open(arg0 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Open", reflect.TypeOf((*MockInterface)(nil).Open), arg0)
+}
+
+// OpenCommand mocks base method
+func (m *MockInterface) OpenCommand(arg0 context.Context, arg1, arg2 string) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "OpenCommand", arg0, arg1, arg2)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// OpenCommand indicates an expected call of OpenCommand
+func (mr *MockInterfaceMockRecorder) OpenCommand(arg0, arg1, arg2 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "OpenCommand", reflect.TypeOf((*MockInterface)(nil).OpenCommand), arg0, arg1, arg2)
+}

pkg/infrastructure/clock/clock.go

@@ -0,0 +1,24 @@
+// Package clock provides the system clock.
+package clock
+
+import (
+	"time"
+
+	"github.com/google/wire"
+)
+
+var Set = wire.NewSet(
+	wire.Struct(new(Real), "*"),
+	wire.Bind(new(Interface), new(*Real)),
+)
+
+type Interface interface {
+	Now() time.Time
+}
+
+type Real struct{}
+
+// Now returns the current time.
+func (c *Real) Now() time.Time {
+	return time.Now()
+}

pkg/infrastructure/logger/logger.go

@@ -7,7 +7,7 @@ import (
 
 	"github.com/google/wire"
 	"github.com/spf13/pflag"
-	"k8s.io/klog"
+	"k8s.io/klog/v2"
 )
 
 // Set provides an implementation and interface for Logger.
@@ -56,5 +56,5 @@ func (*Logger) V(level int) Verbose {
 
 // IsEnabled returns true if the level is enabled.
 func (*Logger) IsEnabled(level int) bool {
-	return bool(klog.V(klog.Level(level)))
+	return klog.V(klog.Level(level)).Enabled()
 }

pkg/infrastructure/mutex/mock_mutex/mock_mutex.go

@@ -0,0 +1,64 @@
+// Code generated by MockGen. DO NOT EDIT.
+// Source: github.com/int128/kubelogin/pkg/infrastructure/mutex (interfaces: Interface)
+
+// Package mock_mutex is a generated GoMock package.
+package mock_mutex
+
+import (
+	context "context"
+	gomock "github.com/golang/mock/gomock"
+	mutex "github.com/int128/kubelogin/pkg/infrastructure/mutex"
+	reflect "reflect"
+)
+
+// MockInterface is a mock of Interface interface
+type MockInterface struct {
+	ctrl     *gomock.Controller
+	recorder *MockInterfaceMockRecorder
+}
+
+// MockInterfaceMockRecorder is the mock recorder for MockInterface
+type MockInterfaceMockRecorder struct {
+	mock *MockInterface
+}
+
+// NewMockInterface creates a new mock instance
+func NewMockInterface(ctrl *gomock.Controller) *MockInterface {
+	mock := &MockInterface{ctrl: ctrl}
+	mock.recorder = &MockInterfaceMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use
+func (m *MockInterface) EXPECT() *MockInterfaceMockRecorder {
+	return m.recorder
+}
+
+// Acquire mocks base method
+func (m *MockInterface) Acquire(arg0 context.Context, arg1 string) (*mutex.Lock, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "Acquire", arg0, arg1)
+	ret0, _ := ret[0].(*mutex.Lock)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// Acquire indicates an expected call of Acquire
+func (mr *MockInterfaceMockRecorder) Acquire(arg0, arg1 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Acquire", reflect.TypeOf((*MockInterface)(nil).Acquire), arg0, arg1)
+}
+
+// Release mocks base method
+func (m *MockInterface) Release(arg0 *mutex.Lock) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "Release", arg0)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// Release indicates an expected call of Release
+func (mr *MockInterfaceMockRecorder) Release(arg0 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Release", reflect.TypeOf((*MockInterface)(nil).Release), arg0)
+}

pkg/infrastructure/mutex/mutex.go

@@ -0,0 +1,88 @@
+package mutex
+
+import (
+	"context"
+	"fmt"
+	"github.com/alexflint/go-filemutex"
+	"github.com/google/wire"
+	"github.com/int128/kubelogin/pkg/infrastructure/logger"
+	"os"
+	"path"
+)
+
+//go:generate mockgen -destination mock_mutex/mock_mutex.go github.com/int128/kubelogin/pkg/infrastructure/mutex Interface
+
+var Set = wire.NewSet(
+	wire.Struct(new(Mutex), "*"),
+	wire.Bind(new(Interface), new(*Mutex)),
+)
+
+type Interface interface {
+	Acquire(ctx context.Context, name string) (*Lock, error)
+	Release(lock *Lock) error
+}
+
+// Lock holds the lock data.
+type Lock struct {
+	Data interface{}
+	Name string
+}
+
+type Mutex struct {
+	Logger logger.Interface
+}
+
+// internalAcquire wait for acquisition of the lock
+func internalAcquire(fm *filemutex.FileMutex) chan error {
+	result := make(chan error)
+	go func() {
+		if err := fm.Lock(); err != nil {
+			result <- err
+		}
+		close(result)
+	}()
+	return result
+}
+
+// internalRelease disposes of resources associated with a lock
+func internalRelease(fm *filemutex.FileMutex, lfn string, log logger.Interface) error {
+	err := fm.Close()
+	if err != nil {
+		log.V(1).Infof("Error closing lock file %s: %s", lfn, err)
+	}
+	return err
+}
+
+// LockFileName get the lock file name from the lock name.
+func LockFileName(name string) string {
+	return path.Join(os.TempDir(), fmt.Sprintf(".kubelogin.%s.lock", name))
+}
+
+// Acquire acquire a lock for the specified name. The context could be used to set a timeout.
+func (m *Mutex) Acquire(ctx context.Context, name string) (*Lock, error) {
+	lfn := LockFileName(name)
+	fm, err := filemutex.New(lfn)
+	if err != nil {
+		return nil, fmt.Errorf("error creating mutex file %s: %w", lfn, err)
+	}
+
+	lockChan := internalAcquire(fm)
+	select {
+	case <-ctx.Done():
+		_ = internalRelease(fm, lfn, m.Logger)
+		return nil, ctx.Err()
+	case err := <-lockChan:
+		if err != nil {
+			_ = internalRelease(fm, lfn, m.Logger)
+			return nil, fmt.Errorf("error acquiring lock on file %s: %w", lfn, err)
+		}
+		return &Lock{Data: fm, Name: name}, nil
+	}
+}
+
+// Release release the specified lock
+func (m *Mutex) Release(lock *Lock) error {
+	fm := lock.Data.(*filemutex.FileMutex)
+	lfn := LockFileName(lock.Name)
+	return internalRelease(fm, lfn, m.Logger)
+}

pkg/infrastructure/mutex/mutex_test.go

@@ -0,0 +1,64 @@
+package mutex
+
+import (
+	"fmt"
+	"github.com/int128/kubelogin/pkg/infrastructure/logger"
+	"golang.org/x/net/context"
+	"math/rand"
+	"sync"
+	"testing"
+	"time"
+)
+
+func TestMutex(t *testing.T) {
+
+	t.Run("Test successful parallel acquisition with no reentry allowed", func(t *testing.T) {
+
+		ctx, cancel := context.WithCancel(context.Background())
+		defer cancel()
+
+		nbConcurrency := 20
+		wg := sync.WaitGroup{}
+		events := make(chan int, nbConcurrency*2)
+		errors := make(chan error, nbConcurrency)
+		doLockUnlock := func() {
+			defer wg.Done()
+
+			m := Mutex{
+				Logger: logger.New(),
+			}
+			if mutex, err := m.Acquire(ctx, "test"); err == nil {
+				events <- 1
+				var dur = time.Duration(rand.Intn(5000))
+				time.Sleep(dur * time.Microsecond)
+				events <- -1
+				if err := m.Release(mutex); err != nil {
+					errors <- fmt.Errorf("Release error: %w", err)
+				}
+			} else {
+				errors <- fmt.Errorf("Acquire error: %w", err)
+			}
+		}
+
+		for i := 0; i < nbConcurrency; i++ {
+			wg.Add(1)
+			go doLockUnlock()
+		}
+
+		wg.Wait()
+		close(events)
+		close(errors)
+
+		countConcurrent := 0
+		for delta := range events {
+			countConcurrent += delta
+			if countConcurrent > 1 {
+				t.Errorf("The mutex did not prevented reentry: %d", countConcurrent)
+			}
+		}
+
+		for anError := range errors {
+			t.Errorf("The gorouting returned an error: %s", anError)
+		}
+	})
+}

pkg/infrastructure/reader/mock_reader/mock_reader.go

@@ -1,8 +1,8 @@
 // Code generated by MockGen. DO NOT EDIT.
-// Source: github.com/int128/kubelogin/pkg/adaptors/env (interfaces: Interface)
+// Source: github.com/int128/kubelogin/pkg/infrastructure/reader (interfaces: Interface)
 
-// Package mock_env is a generated GoMock package.
-package mock_env
+// Package mock_reader is a generated GoMock package.
+package mock_reader
 
 import (
 	gomock "github.com/golang/mock/gomock"
@@ -32,20 +32,6 @@ func (m *MockInterface) EXPECT() *MockInterfaceMockRecorder {
 	return m.recorder
 }
 
-// OpenBrowser mocks base method
-func (m *MockInterface) OpenBrowser(arg0 string) error {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "OpenBrowser", arg0)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// OpenBrowser indicates an expected call of OpenBrowser
-func (mr *MockInterfaceMockRecorder) OpenBrowser(arg0 interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "OpenBrowser", reflect.TypeOf((*MockInterface)(nil).OpenBrowser), arg0)
-}
-
 // ReadPassword mocks base method
 func (m *MockInterface) ReadPassword(arg0 string) (string, error) {
 	m.ctrl.T.Helper()

pkg/infrastructure/reader/reader.go

@@ -0,0 +1,60 @@
+// Package reader provides the reader of standard input.
+package reader
+
+import (
+	"bufio"
+	"fmt"
+	"os"
+	"strings"
+	"syscall"
+
+	"github.com/google/wire"
+	"github.com/int128/kubelogin/pkg/infrastructure/stdio"
+	"golang.org/x/term"
+)
+
+//go:generate mockgen -destination mock_reader/mock_reader.go github.com/int128/kubelogin/pkg/infrastructure/reader Interface
+
+// Set provides an implementation and interface for Reader.
+var Set = wire.NewSet(
+	wire.Struct(new(Reader), "*"),
+	wire.Bind(new(Interface), new(*Reader)),
+)
+
+type Interface interface {
+	ReadString(prompt string) (string, error)
+	ReadPassword(prompt string) (string, error)
+}
+
+type Reader struct {
+	Stdin stdio.Stdin
+}
+
+// ReadString reads a string from the stdin.
+func (x *Reader) ReadString(prompt string) (string, error) {
+	if _, err := fmt.Fprint(os.Stderr, prompt); err != nil {
+		return "", fmt.Errorf("write error: %w", err)
+	}
+	r := bufio.NewReader(x.Stdin)
+	s, err := r.ReadString('\n')
+	if err != nil {
+		return "", fmt.Errorf("read error: %w", err)
+	}
+	s = strings.TrimRight(s, "\r\n")
+	return s, nil
+}
+
+// ReadPassword reads a password from the stdin without echo back.
+func (*Reader) ReadPassword(prompt string) (string, error) {
+	if _, err := fmt.Fprint(os.Stderr, prompt); err != nil {
+		return "", fmt.Errorf("write error: %w", err)
+	}
+	b, err := term.ReadPassword(int(syscall.Stdin))
+	if err != nil {
+		return "", fmt.Errorf("read error: %w", err)
+	}
+	if _, err := fmt.Fprintln(os.Stderr); err != nil {
+		return "", fmt.Errorf("write error: %w", err)
+	}
+	return string(b), nil
+}