github/kubelogin
1
0
Fork 0
mirror of https://github.com/int128/kubelogin.git synced 2026-03-02 17:00:20 +00:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: github:v1.35.0
Branches Tags
github:master github:renovate/kubernetes-go github:int128/Fix-lint-error-and-refactor github:int128/Add----oidc-access-type- github:seq
github:v1.36.0 github:v1.35.2 github:v1.35.0 github:v1.34.2 github:v1.34.1 github:v1.34.0 github:v1.33.0 github:v1.32.4 github:v1.32.3 github:v1.32.2 github:v1.32.1 github:v1.32.0 github:v1.31.1 github:v1.31.0 github:v1.30.1 github:v1.30.0 github:v1.29.0 github:v1.28.2 github:v1.28.1 github:v1.28.0 github:v1.27.0 github:v1.26.0 github:v1.25.4 github:v1.25.3 github:v1.25.2 github:v1.25.1 github:v1.25.0 github:v1.24.0 github:v1.23.3 github:v1.23.2 github:v1.23.1 github:v1.23.0 github:v1.22.1 github:v1.22.0 github:v1.21.0 github:v1.20.1 github:v1.20.0 github:v1.19.4 github:v1.19.3 github:v1.19.2 github:v1.19.2-beta.1 github:v1.19.1 github:v1.19.0 github:v1.18.0 github:v1.17.1 github:v1.17.0 github:v1.16.0 github:v1.15.2 github:v1.15.1 github:v1.15.0 github:v1.14.5 github:v1.14.4 github:v1.14.3 github:v1.14.2 github:v1.14.1 github:v1.14.0 github:v1.13.0 github:v1.12.0 github:v1.11.0 github:v1.10.1 github:v1.10.0 github:v1.9.1 github:v1.9.0 github:1.8.2 github:1.8.1 github:1.8 github:1.7 github:1.6 github:1.5 github:1.4.1 github:1.4 github:1.3 github:1.2 github:1.1 github:1.0
..
compare: github:v1.19.2-beta.1
Branches Tags
github:renovate/kubernetes-go github:master github:int128/Fix-lint-error-and-refactor github:int128/Add----oidc-access-type- github:seq
github:v1.36.0 github:v1.35.2 github:v1.35.0 github:v1.34.2 github:v1.34.1 github:v1.34.0 github:v1.33.0 github:v1.32.4 github:v1.32.3 github:v1.32.2 github:v1.32.1 github:v1.32.0 github:v1.31.1 github:v1.31.0 github:v1.30.1 github:v1.30.0 github:v1.29.0 github:v1.28.2 github:v1.28.1 github:v1.28.0 github:v1.27.0 github:v1.26.0 github:v1.25.4 github:v1.25.3 github:v1.25.2 github:v1.25.1 github:v1.25.0 github:v1.24.0 github:v1.23.3 github:v1.23.2 github:v1.23.1 github:v1.23.0 github:v1.22.1 github:v1.22.0 github:v1.21.0 github:v1.20.1 github:v1.20.0 github:v1.19.4 github:v1.19.3 github:v1.19.2 github:v1.19.2-beta.1 github:v1.19.1 github:v1.19.0 github:v1.18.0 github:v1.17.1 github:v1.17.0 github:v1.16.0 github:v1.15.2 github:v1.15.1 github:v1.15.0 github:v1.14.5 github:v1.14.4 github:v1.14.3 github:v1.14.2 github:v1.14.1 github:v1.14.0 github:v1.13.0 github:v1.12.0 github:v1.11.0 github:v1.10.1 github:v1.10.0 github:v1.9.1 github:v1.9.0 github:1.8.2 github:1.8.1 github:1.8 github:1.7 github:1.6 github:1.5 github:1.4.1 github:1.4 github:1.3 github:1.2 github:1.1 github:1.0

1 Commits
v1.35.0 ... v1.19.2-be

Author SHA1 Message Date
Hidetake Iwata
d7554b6d90 Move to CircleCI macOS build 2020-06-12 14:08:51 +09:00
195 changed files with 5629 additions and 12103 deletions
Expand all files Collapse all files

60
.circleci/config.yml Normal file
View File

@@ -0,0 +1,60 @@
version: 2.1
jobs:
test:
docker:
- image: cimg/go:1.14.4
steps:
- run: curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v1.24.0
- checkout
- restore_cache:
keys:
- go-sum-{{ checksum "go.sum" }}
- run: make check
- run: bash <(curl -s https://codecov.io/bash)
- save_cache:
key: go-sum-{{ checksum "go.sum" }}
paths:
- ~/go/pkg
- store_artifacts:
path: gotest.log
crossbuild:
macos:
xcode: 11.5.0
steps:
- run: |
curl -sSfL https://dl.google.com/go/go1.14.4.darwin-amd64.tar.gz | tar -C /tmp -xz
echo 'export PATH="$PATH:/tmp/go/bin:$HOME/go/bin"' >> $BASH_ENV
- checkout
- restore_cache:
keys:
- go-macos-{{ checksum "go.sum" }}
- run:
command: go get -v github.com/int128/goxzst github.com/int128/ghcp
working_directory: .circleci
- run: make dist
- run: |
if [ "$CIRCLE_TAG" ]; then
make release
fi
- save_cache:
key: go-macos-{{ checksum "go.sum" }}
paths:
- ~/go/pkg
workflows:
version: 2
build:
jobs:
- test:
filters:
tags:
only: /.*/
- crossbuild:
context: open-source
requires:
- test
filters:
tags:
only: /.*/

3
.circleci/go.mod Normal file
View File

@@ -0,0 +1,3 @@
module github.com/int128/kubelogin/.circleci
go 1.13

20
.github/ISSUE_TEMPLATE/bug_report.md vendored
View File

@@ -1,20 +0,0 @@
---
name: Bug report
about: Create a report to help us improve
title: ''
labels: bug
assignees: ''
---
## Describe the issue
A clear and concise description of what the issue is.
## To reproduce
A console log or steps to reproduce the issue.
## Your environment
- OS: e.g. macOS
- kubelogin version: e.g. v1.19
- kubectl version: e.g. v1.19
- OpenID Connect provider: e.g. Google

15
.github/ISSUE_TEMPLATE/feature_request.md vendored
View File

@@ -1,15 +0,0 @@
---
name: Feature request
about: Suggest an idea for this project
title: ''
labels: enhancement
assignees: ''
---
## Purpose of the feature (why)
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
A clear and concise description of what you want to happen.
## Your idea (how)
A clear and concise description of any alternative solutions or features you've considered.

20
.github/ISSUE_TEMPLATE/question.md vendored
View File

@@ -1,20 +0,0 @@
---
name: Question
about: Feel free to ask a question
title: ''
labels: question
assignees: ''
---
## Describe the question
A clear and concise description of what the issue is.
## To reproduce
A console log or steps to reproduce the issue.
## Your environment
- OS: e.g. macOS
- kubelogin version: e.g. v1.19
- kubectl version: e.g. v1.19
- OpenID Connect provider: e.g. Google

16
.github/release.yml vendored
View File

@@ -1,16 +0,0 @@
# https://docs.github.com/en/repositories/releasing-projects-on-github/automatically-generated-release-notes
changelog:
categories:
- title: Features
labels:
- '*'
exclude:
labels:
- renovate
- refactoring
- title: Refactoring
labels:
- refactoring
- title: Dependencies
labels:
- renovate

11
.github/renovate.json vendored
View File

@@ -1,11 +0,0 @@
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": [
"github>int128/renovate-base",
"github>int128/go-renovate-config#v1.9.0",
"github>int128/go-renovate-config:go-version-with-dockerfile#v1.9.0",
"github>int128/go-renovate-config:kubernetes#v1.9.0",
"github>int128/go-renovate-config:github-releases#v1.9.0(**/kustomization.yaml)",
"helpers:pinGitHubActionDigests"
]
}

56
.github/workflows/acceptance-test.yaml vendored
View File

@@ -1,34 +1,30 @@
name: acceptance-test
on:
pull_request:
branches:
- master
paths:
- .github/workflows/acceptance-test.yaml
- acceptance_test/**
push:
branches:
- master
paths:
- .github/workflows/acceptance-test.yaml
- acceptance_test/**
on: [push]
jobs:
test-makefile:
runs-on: ubuntu-latest
timeout-minutes: 10
build:
name: test
# https://help.github.com/en/actions/automating-your-workflow-with-github-actions/software-installed-on-github-hosted-runners#ubuntu-1804-lts
runs-on: ubuntu-18.04
steps:
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
- uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
- uses: actions/setup-go@v1
with:
go-version-file: go.mod
cache-dependency-path: go.sum
- run: make -C acceptance_test check
- run: make -C acceptance_test
env:
OIDC_ISSUER_URL: https://accounts.google.com
OIDC_CLIENT_ID: REDACTED.apps.googleusercontent.com
YOUR_EMAIL: REDACTED@gmail.com
- run: make -C acceptance_test delete-cluster
- run: make -C acceptance_test clean
go-version: 1.14.1
id: go
- uses: actions/checkout@v1
- uses: actions/cache@v1
with:
path: ~/go/pkg/mod
key: go-${{ hashFiles('**/go.sum') }}
restore-keys: |
go-
# https://kind.sigs.k8s.io/docs/user/quick-start/
- run: |
wget -q -O ./kind "https://github.com/kubernetes-sigs/kind/releases/download/v0.8.1/kind-linux-amd64"
chmod +x ./kind
sudo mv ./kind /usr/local/bin/kind
kind version
# https://packages.ubuntu.com/xenial/libnss3-tools
- run: sudo apt install -y libnss3-tools
- run: echo '127.0.0.1 dex-server' | sudo tee -a /etc/hosts
- run: make -C acceptance_test -j3 setup
- run: make -C acceptance_test test

74
.github/workflows/docker.yaml vendored
View File

@@ -1,74 +0,0 @@
name: docker
on:
pull_request:
branches:
- master
paths:
- .github/workflows/docker.yaml
- pkg/**
- go.*
- Dockerfile
push:
branches:
- master
paths:
- .github/workflows/docker.yaml
- pkg/**
- go.*
- Dockerfile
tags:
- v*
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 10
permissions:
contents: read
packages: write
outputs:
image-uri: ${{ steps.build-metadata.outputs.image-uri }}
steps:
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
- uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
id: metadata
with:
images: ghcr.io/${{ github.repository }}
- uses: int128/docker-build-cache-config-action@fb186e80c08f14a2e56ed9105d4594562bff013f # v1.40.0
id: cache
with:
image: ghcr.io/${{ github.repository }}/cache
- uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
- uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
- uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
id: build
with:
push: ${{ github.event_name == 'push' }}
tags: ${{ steps.metadata.outputs.tags }}
labels: ${{ steps.metadata.outputs.labels }}
cache-from: ${{ steps.cache.outputs.cache-from }}
cache-to: ${{ steps.cache.outputs.cache-to }}
platforms: |
linux/amd64
linux/arm64
linux/ppc64le
- uses: int128/docker-build-metadata-action@f38781ddbaa410e9f8fa55a291dce7480798f1a0 # v1.2.0
id: build-metadata
with:
metadata: ${{ steps.build.outputs.metadata }}
test:
if: needs.build.outputs.image-uri != ''
needs: build
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
- run: docker run --rm "$IMAGE_URI" --help
env:
IMAGE_URI: ${{ needs.build.outputs.image-uri }}

79
.github/workflows/go.yaml vendored
View File

@@ -1,79 +0,0 @@
name: go
on:
push:
branches:
- master
paths:
- .github/workflows/go.yaml
- pkg/**
- integration_test/**
- mocks/**
- tools/**
- '**/go.*'
tags:
- v*
pull_request:
branches:
- master
paths:
- .github/workflows/go.yaml
- pkg/**
- integration_test/**
- mocks/**
- tools/**
- '**/go.*'
jobs:
test:
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
- uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
with:
go-version-file: go.mod
cache-dependency-path: go.sum
- run: make test
integration-test:
strategy:
fail-fast: false
matrix:
os:
- ubuntu-latest
- macos-latest
- windows-latest
runs-on: ${{ matrix.os }}
timeout-minutes: 10
steps:
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
- uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
with:
go-version-file: go.mod
cache-dependency-path: go.sum
- run: make integration-test
lint:
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
- uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
with:
go-version-file: go.mod
cache-dependency-path: go.sum
- run: make lint
generate:
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
- uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
with:
go-version-file: go.mod
cache-dependency-path: go.sum
- run: go mod tidy
- run: make generate
- uses: int128/update-generated-files-action@d9aac571db84cee6c16fa20190621e9deb2bc575 # v2.67.0

78
.github/workflows/release.yaml vendored
View File

@@ -1,78 +0,0 @@
name: release
on:
push:
branches:
- master
paths:
- .github/workflows/release.yaml
- pkg/**
- go.*
tags:
- v*
pull_request:
branches:
- master
paths:
- .github/workflows/release.yaml
- pkg/**
- go.*
jobs:
build:
strategy:
matrix:
platform:
- runs-on: ubuntu-latest
GOOS: linux
GOARCH: amd64
CGO_ENABLED: 0 # https://github.com/int128/kubelogin/issues/567
- runs-on: ubuntu-latest
GOOS: linux
GOARCH: arm64
- runs-on: ubuntu-latest
GOOS: linux
GOARCH: arm
- runs-on: ubuntu-latest
GOOS: linux
GOARCH: ppc64le
- runs-on: macos-latest
GOOS: darwin
GOARCH: amd64
CGO_ENABLED: 1 # https://github.com/int128/kubelogin/issues/249
- runs-on: macos-latest
GOOS: darwin
GOARCH: arm64
CGO_ENABLED: 1 # https://github.com/int128/kubelogin/issues/762
- runs-on: windows-latest
GOOS: windows
GOARCH: amd64
- runs-on: windows-latest
GOOS: windows
GOARCH: arm64
runs-on: ${{ matrix.platform.runs-on }}
env:
GOOS: ${{ matrix.platform.GOOS }}
GOARCH: ${{ matrix.platform.GOARCH }}
CGO_ENABLED: ${{ matrix.platform.CGO_ENABLED }}
timeout-minutes: 10
steps:
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
- uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
with:
go-version-file: go.mod
cache-dependency-path: go.sum
- run: go build -ldflags '-X main.version=${{ github.ref_name }}'
- uses: int128/go-release-action@2979cc5b15ceb7ae458e95b0a9467afc7ae25259 # v2.0.0
with:
binary: kubelogin
publish:
if: github.ref_type == 'tag'
needs:
- build
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
- uses: rajatjindal/krew-release-bot@3d9faef30a82761d610544f62afddca00993eef9 # v0.0.47

43
.github/workflows/system-test.yaml vendored
View File

@@ -1,43 +0,0 @@
name: system-test
on:
pull_request:
branches:
- master
paths:
- .github/workflows/system-test.yaml
- system_test/**
- pkg/**
- go.*
push:
branches:
- master
paths:
- .github/workflows/system-test.yaml
- system_test/**
- pkg/**
- go.*
jobs:
system-test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
- uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
with:
go-version-file: go.mod
cache-dependency-path: go.sum
- run: sudo apt-get update
# Install certutil.
# https://packages.ubuntu.com/xenial/libnss3-tools
# Install keyring related packages.
# https://github.com/zalando/go-keyring/issues/45
- run: sudo apt-get install --no-install-recommends -y libnss3-tools dbus-x11 gnome-keyring
- run: echo '127.0.0.1 dex-server' | sudo tee -a /etc/hosts
- run: make -C system_test -j3
- run: make -C system_test logs
if: always()

6
.gitignore vendored
View File

@@ -1,12 +1,10 @@
/.idea
/tools/bin
/acceptance_test/output/
/dist/output
/coverage.out
/gotest.log
/kubelogin
/kubectl-oidc_login
/kubelogin_*.zip
/kubelogin_*.zip.sha256

68
.krew.yaml
View File

@@ -1,68 +0,0 @@
apiVersion: krew.googlecontainertools.github.com/v1alpha2
kind: Plugin
metadata:
name: oidc-login
spec:
homepage: https://github.com/int128/kubelogin
shortDescription: Log in to the OpenID Connect provider
description: |
This is a kubectl plugin for Kubernetes OpenID Connect (OIDC) authentication.
## Credential plugin mode
kubectl executes oidc-login before calling the Kubernetes APIs.
oidc-login automatically opens the browser and you can log in to the provider.
After authentication, kubectl gets the token from oidc-login and you can access the cluster.
See https://github.com/int128/kubelogin#credential-plugin-mode for more.
## Standalone mode
Run `kubectl oidc-login`.
It automatically opens the browser and you can log in to the provider.
After authentication, it writes the token to the kubeconfig and you can access the cluster.
See https://github.com/int128/kubelogin#standalone-mode for more.
caveats: |
You need to setup the OIDC provider, Kubernetes API server, role binding and kubeconfig.
version: {{ .TagName }}
platforms:
- bin: kubelogin
{{ addURIAndSha "https://github.com/int128/kubelogin/releases/download/{{ .TagName }}/kubelogin_linux_amd64.zip" .TagName }}
selector:
matchLabels:
os: linux
arch: amd64
- bin: kubelogin
{{ addURIAndSha "https://github.com/int128/kubelogin/releases/download/{{ .TagName }}/kubelogin_linux_arm64.zip" .TagName }}
selector:
matchLabels:
os: linux
arch: arm64
- bin: kubelogin
{{ addURIAndSha "https://github.com/int128/kubelogin/releases/download/{{ .TagName }}/kubelogin_linux_arm.zip" .TagName }}
selector:
matchLabels:
os: linux
arch: arm
- bin: kubelogin
{{ addURIAndSha "https://github.com/int128/kubelogin/releases/download/{{ .TagName }}/kubelogin_darwin_amd64.zip" .TagName }}
selector:
matchLabels:
os: darwin
arch: amd64
- bin: kubelogin
{{ addURIAndSha "https://github.com/int128/kubelogin/releases/download/{{ .TagName }}/kubelogin_darwin_arm64.zip" .TagName }}
selector:
matchLabels:
os: darwin
arch: arm64
- bin: kubelogin.exe
{{ addURIAndSha "https://github.com/int128/kubelogin/releases/download/{{ .TagName }}/kubelogin_windows_amd64.zip" .TagName }}
selector:
matchLabels:
os: windows
arch: amd64
- bin: kubelogin.exe
{{ addURIAndSha "https://github.com/int128/kubelogin/releases/download/{{ .TagName }}/kubelogin_windows_arm64.zip" .TagName }}
selector:
matchLabels:
os: windows
arch: arm64

12
.mockery.yaml
View File

@@ -1,12 +0,0 @@
dir: mocks/{{.SrcPackagePath}}_mock
pkgname: '{{.SrcPackageName}}_mock'
filename: mocks.go
template: testify
packages:
github.com/int128/kubelogin:
config:
all: true
recursive: true
io:
interfaces:
Closer: {}

20
Dockerfile
View File

@@ -1,20 +0,0 @@
FROM --platform=$BUILDPLATFORM golang:1.25.3@sha256:6d4e5e74f47db00f7f24da5f53c1b4198ae46862a47395e30477365458347bf2 AS builder
WORKDIR /builder
# Copy the Go Modules manifests
COPY go.mod go.mod
COPY go.sum go.sum
RUN go mod download
# Copy the go source
COPY main.go .
COPY pkg pkg
ARG TARGETOS
ARG TARGETARCH
RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build
FROM gcr.io/distroless/base-debian12
COPY --from=builder /builder/kubelogin /
ENTRYPOINT ["/kubelogin"]

61
Makefile
View File

@@ -1,20 +1,49 @@
.PHONY: all
all:
# CircleCI specific variables
CIRCLE_TAG ?= latest
GITHUB_USERNAME := $(CIRCLE_PROJECT_USERNAME)
GITHUB_REPONAME := $(CIRCLE_PROJECT_REPONAME)
.PHONY: test
test:
go test -v -race ./pkg/...
TARGET := kubelogin
TARGET_OSARCH := linux_amd64 darwin_amd64 windows_amd64 linux_arm linux_arm64
VERSION ?= $(CIRCLE_TAG)
LDFLAGS := -X main.version=$(VERSION)
.PHONY: integration-test
integration-test:
go test -v -race ./integration_test/...
all: $(TARGET)
.PHONY: generate
generate:
go tool github.com/google/wire/cmd/wire ./pkg/di
rm -fr mocks/
go tool mockery
$(TARGET): $(wildcard **/*.go)
go build -o $@ -ldflags "$(LDFLAGS)"
.PHONY: lint
lint:
go tool golangci-lint run
.PHONY: check
check:
golangci-lint run
go test -v -race -cover -coverprofile=coverage.out ./... > gotest.log
.PHONY: dist
dist: dist/output
dist/output:
# make the zip files for GitHub Releases
VERSION=$(VERSION) goxzst -d dist/output -i "LICENSE" -o "$(TARGET)" -osarch "$(TARGET_OSARCH)" -t "dist/kubelogin.rb dist/oidc-login.yaml dist/Dockerfile" -- -ldflags "$(LDFLAGS)"
# test the zip file
zipinfo dist/output/kubelogin_linux_amd64.zip
# make the krew yaml structure
mkdir -p dist/output/plugins
mv dist/output/oidc-login.yaml dist/output/plugins/oidc-login.yaml
.PHONY: release
release: dist
# publish the binaries
ghcp release -u "$(GITHUB_USERNAME)" -r "$(GITHUB_REPONAME)" -t "$(VERSION)" dist/output/
# publish the Homebrew formula
ghcp commit -u "$(GITHUB_USERNAME)" -r "homebrew-$(GITHUB_REPONAME)" -b "bump-$(VERSION)" -m "Bump the version to $(VERSION)" -C dist/output/ kubelogin.rb
ghcp pull-request -u "$(GITHUB_USERNAME)" -r "homebrew-$(GITHUB_REPONAME)" -b "bump-$(VERSION)" --title "Bump the version to $(VERSION)"
# publish the Dockerfile
ghcp commit -u "$(GITHUB_USERNAME)" -r "$(GITHUB_REPONAME)-docker" -b "bump-$(VERSION)" -m "Bump the version to $(VERSION)" -C dist/output/ Dockerfile
ghcp pull-request -u "$(GITHUB_USERNAME)" -r "$(GITHUB_REPONAME)-docker" -b "bump-$(VERSION)" --title "Bump the version to $(VERSION)"
# publish the Krew manifest
ghcp fork-commit -u kubernetes-sigs -r krew-index -b "oidc-login-$(VERSION)" -m "Bump oidc-login to $(VERSION)" -C dist/output/ plugins/oidc-login.yaml
.PHONY: clean
clean:
-rm $(TARGET)
-rm -r dist/output/
-rm coverage.out gotest.log

326
README.md
View File

@@ -1,10 +1,10 @@
# kubelogin [![go](https://github.com/int128/kubelogin/actions/workflows/go.yaml/badge.svg)](https://github.com/int128/kubelogin/actions/workflows/go.yaml) [![Go Report Card](https://goreportcard.com/badge/github.com/int128/kubelogin)](https://goreportcard.com/report/github.com/int128/kubelogin)
# kubelogin [![CircleCI](https://circleci.com/gh/int128/kubelogin.svg?style=shield)](https://circleci.com/gh/int128/kubelogin) ![acceptance-test](https://github.com/int128/kubelogin/workflows/acceptance-test/badge.svg) [![Go Report Card](https://goreportcard.com/badge/github.com/int128/kubelogin)](https://goreportcard.com/report/github.com/int128/kubelogin)
This is a kubectl plugin for [Kubernetes OpenID Connect (OIDC) authentication](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens), also known as `kubectl oidc-login`.
Here is an example of Kubernetes authentication with the Google Identity Platform:
<img alt="screencast" src="https://user-images.githubusercontent.com/321266/85427290-86e43700-b5b6-11ea-9e97-ffefd736c9b7.gif" width="572" height="391">
<img alt="screencast" src="https://user-images.githubusercontent.com/321266/70971501-7bcebc80-20e4-11ea-8afc-539dcaea0aa8.gif" width="652" height="455">
Kubelogin is designed to run as a [client-go credential plugin](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins).
When you run kubectl, kubelogin opens the browser and you can log in to the provider.
@@ -13,45 +13,41 @@ Take a look at the diagram:
![Diagram of the credential plugin](docs/credential-plugin-diagram.svg)
## Getting Started
### Setup
Install the latest release from [Homebrew](https://brew.sh/), [Krew](https://github.com/kubernetes-sigs/krew), [Chocolatey](https://chocolatey.org/packages/kubelogin) or [GitHub Releases](https://github.com/int128/kubelogin/releases).
Install the latest release from [Homebrew](https://brew.sh/), [Krew](https://github.com/kubernetes-sigs/krew) or [GitHub Releases](https://github.com/int128/kubelogin/releases).
```sh
# Homebrew (macOS and Linux)
brew install kubelogin
brew install int128/kubelogin/kubelogin
# Krew (macOS, Linux, Windows and ARM)
kubectl krew install oidc-login
# Chocolatey (Windows)
choco install kubelogin
```
If you install via GitHub releases, save the binary as the name `kubectl-oidc_login` on your path.
When you invoke `kubectl oidc-login`, kubectl finds it by the [naming convention of kubectl plugins](https://kubernetes.io/docs/tasks/extend-kubectl/kubectl-plugins/).
The other install methods do this for you.
You need to set up the OIDC provider, cluster role binding, Kubernetes API server and kubeconfig.
Your kubeconfig looks like this:
The kubeconfig looks like:
```yaml
users:
- name: oidc
user:
exec:
apiVersion: client.authentication.k8s.io/v1
command: kubectl
args:
- oidc-login
- get-token
- --oidc-issuer-url=ISSUER_URL
- --oidc-client-id=YOUR_CLIENT_ID
- name: oidc
user:
exec:
apiVersion: client.authentication.k8s.io/v1beta1
command: kubectl
args:
- oidc-login
- get-token
- --oidc-issuer-url=ISSUER_URL
- --oidc-client-id=YOUR_CLIENT_ID
- --oidc-client-secret=YOUR_CLIENT_SECRET
```
See the [setup guide](docs/setup.md) for more.
See [the setup guide](docs/setup.md) for more.
### Run
@@ -62,85 +58,269 @@ kubectl get pods
```
Kubectl executes kubelogin before calling the Kubernetes APIs.
Kubelogin automatically opens the browser, and you can log in to the provider.
Kubelogin automatically opens the browser and you can log in to the provider.
After the authentication, kubelogin returns the credentials to kubectl.
Kubectl then calls the Kubernetes APIs with the credentials.
<img src="docs/keycloak-login.png" alt="keycloak-login" width="455" height="329">
```console
After authentication, kubelogin returns the credentials to kubectl and finally kubectl calls the Kubernetes APIs with the credential.
```
% kubectl get pods
Open http://localhost:8000 for authentication
NAME READY STATUS RESTARTS AGE
echoserver-86c78fdccd-nzmd5 1/1 Running 0 26d
```
Kubelogin stores the ID token and refresh token to the cache.
If the ID token is valid, it just returns it.
If the ID token has expired, it will refresh the token using the refresh token.
If the refresh token has expired, it will perform re-authentication.
Kubelogin writes the ID token and refresh token to the token cache file.
## Troubleshooting
If the cached ID token is valid, kubelogin just returns it.
If the cached ID token has expired, kubelogin will refresh the token using the refresh token.
If the refresh token has expired, kubelogin will perform reauthentication.
### Token cache
Kubelogin stores the token cache to the file system by default.
For enhanced security, it is recommended to store it to the keyring.
See the [token cache](docs/usage.md#token-cache) for details.
### Troubleshoot
You can log out by deleting the token cache.
You can log out by removing the token cache directory (default `~/.kube/cache/oidc-login`).
Kubelogin will perform authentication if the token cache file does not exist.
You can dump the claims of token by passing `-v1` option.
```console
% kubectl oidc-login clean
Deleted the token cache at /home/user/.kube/cache/oidc-login
Deleted the token cache from the keyring
```
Kubelogin will ask you to log in via the browser again.
If the browser has a cookie for the provider, you need to log out from the provider or clear the cookie.
### ID token claims
You can run `setup` command to dump the claims of an ID token from the provider.
```console
% kubectl oidc-login setup --oidc-issuer-url=ISSUER_URL --oidc-client-id=REDACTED
...
You got a token with the following claims:
{
I0221 21:54:08.151850 28231 get_token.go:104] you got a token: {
"sub": "********",
"iss": "https://accounts.google.com",
"aud": "********",
...
"iat": 1582289639,
"exp": 1582293239,
"jti": "********",
"nonce": "********",
"at_hash": "********"
}
```
You can set `-v1` option to increase the log level.
## Usage
This document is for the development version.
If you are looking for a specific version, see [the release tags](https://github.com/int128/kubelogin/tags).
Kubelogin supports the following options:
```
Usage:
kubelogin get-token [flags]
Flags:
--oidc-issuer-url string Issuer URL of the provider (mandatory)
--oidc-client-id string Client ID of the provider (mandatory)
--oidc-client-secret string Client secret of the provider
--oidc-extra-scope strings Scopes to request to the provider
--certificate-authority string Path to a cert file for the certificate authority
--certificate-authority-data string Base64 encoded data for the certificate authority
--insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
--token-cache-dir string Path to a directory for caching tokens (default "~/.kube/cache/oidc-login")
--grant-type string The authorization grant type to use. One of (auto|authcode|authcode-keyboard|password) (default "auto")
--listen-address strings Address to bind to the local server. If multiple addresses are given, it will try binding in order (default [127.0.0.1:8000,127.0.0.1:18000])
--listen-port ints (Deprecated: use --listen-address)
--skip-open-browser If true, it does not open the browser on authentication
--oidc-redirect-url-hostname string Hostname of the redirect URL (default "localhost")
--oidc-auth-request-extra-params stringToString Extra query parameters to send with an authentication request (default [])
--username string If set, perform the resource owner password credentials grant
--password string If set, use the password instead of asking it
-h, --help help for get-token
Global Flags:
--add_dir_header If true, adds the file directory to the header
--alsologtostderr log to standard error as well as files
--log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0)
--log_dir string If non-empty, write log files in this directory
--log_file string If non-empty, use this log file
--log_file_max_size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
--logtostderr log to standard error instead of files (default true)
--skip_headers If true, avoid header prefixes in the log messages
--skip_log_headers If true, avoid headers when opening log files
--stderrthreshold severity logs at or above this threshold go to stderr (default 2)
-v, --v Level number for the log level verbosity
--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging
```
See also the options of [standalone mode](docs/standalone-mode.md).
### Extra scopes
You can set the extra scopes to request to the provider by `--oidc-extra-scope`.
```yaml
- --oidc-extra-scope=email
- --oidc-extra-scope=profile
```
### CA Certificate
You can use your self-signed certificate for the provider.
```yaml
- --certificate-authority=/home/user/.kube/keycloak-ca.pem
- --certificate-authority-data=LS0t...
```
### HTTP Proxy
You can set the following environment variables if you are behind a proxy: `HTTP_PROXY`, `HTTPS_PROXY` and `NO_PROXY`.
See also [net/http#ProxyFromEnvironment](https://golang.org/pkg/net/http/#ProxyFromEnvironment).
### Authentication flows
#### Authorization code flow
Kubelogin performs the authorization code flow by default.
It starts the local server at port 8000 or 18000 by default.
You need to register the following redirect URIs to the provider:
- `http://localhost:8000`
- `http://localhost:18000` (used if port 8000 is already in use)
You can change the listening address.
```yaml
- --listen-address=127.0.0.1:12345
- --listen-address=127.0.0.1:23456
```
You can change the hostname of redirect URI from the default value `localhost`.
```yaml
- --oidc-redirect-url-hostname=127.0.0.1
```
You can add extra parameters to the authentication request.
```yaml
- --oidc-auth-request-extra-params=ttl=86400
```
#### Authorization code flow with keyboard interactive
If you cannot access the browser, instead use the authorization code flow with keyboard interactive.
```yaml
- --grant-type=authcode-keyboard
```
Kubelogin will show the URL and prompt.
Open the URL in the browser and then copy the code shown.
```
% kubectl get pods
Open https://accounts.google.com/o/oauth2/v2/auth?access_type=offline&client_id=...
Enter code: YOUR_CODE
```
Note that this flow uses the redirect URI `urn:ietf:wg:oauth:2.0:oob` and
some OIDC providers do not support it.
You can add extra parameters to the authentication request.
```yaml
- --oidc-auth-request-extra-params=ttl=86400
```
#### Resource owner password credentials grant flow
Kubelogin performs the resource owner password credentials grant flow
when `--grant-type=password` or `--username` is set.
Note that most OIDC providers do not support this flow.
Keycloak supports this flow but you need to explicitly enable the "Direct Access Grants" feature in the client settings.
You can set the username and password.
```yaml
- --username=USERNAME
- --password=PASSWORD
```
If the password is not set, kubelogin will show the prompt for the password.
```yaml
- --username=USERNAME
```
```
% kubectl get pods
Password:
```
If the username is not set, kubelogin will show the prompt for the username and password.
```yaml
- --grant-type=password
```
```
% kubectl get pods
Username: foo
Password:
```
### Docker
You can run [the Docker image](https://quay.io/repository/int128/kubelogin) instead of the binary.
The kubeconfig looks like:
```yaml
users:
- name: oidc
user:
exec:
apiVersion: client.authentication.k8s.io/v1
command: kubectl
args:
- oidc-login
- get-token
- -v1
- name: oidc
user:
exec:
apiVersion: client.authentication.k8s.io/v1beta1
command: docker
args:
- run
- --rm
- -v
- /tmp/.token-cache:/.token-cache
- -p
- 8000:8000
- quay.io/int128/kubelogin
- get-token
- --token-cache-dir=/.token-cache
- --listen-address=0.0.0.0:8000
- --oidc-issuer-url=ISSUER_URL
- --oidc-client-id=YOUR_CLIENT_ID
- --oidc-client-secret=YOUR_CLIENT_SECRET
```
You can run the [acceptance test](acceptance_test) to verify if kubelogin works with your provider.
Known limitations:
## Docs
- It cannot open the browser automatically.
- The container port and listen port must be equal for consistency of the redirect URI.
## Related works
### Kubernetes Dashboard
You can access the Kubernetes Dashboard using kubelogin and [kauthproxy](https://github.com/int128/kauthproxy).
- [Setup guide](docs/setup.md)
- [Usage and options](docs/usage.md)
- [Standalone mode](docs/standalone-mode.md)
- [System test](system_test)
- [Acceptance_test for identity providers](acceptance_test)
## Contributions
This is an open source software licensed under Apache License 2.0.
Feel free to open issues and pull requests for improving code and documents.
### Development
Go 1.13 or later is required.
```sh
# Run lint and tests
make check
# Compile and run the command
make
./kubelogin
```
See also [the acceptance test](acceptance_test).

120
acceptance_test/Makefile
View File

@@ -1,47 +1,109 @@
CLUSTER_NAME := kubelogin-acceptance-test
OUTPUT_DIR := $(CURDIR)/output
PATH := $(PATH):$(OUTPUT_DIR)/bin
export PATH
KUBECONFIG := $(OUTPUT_DIR)/kubeconfig.yaml
export KUBECONFIG
.PHONY: cluster
cluster:
# Create a cluster.
mkdir -p $(OUTPUT_DIR)
sed -e "s|OIDC_ISSUER_URL|$(OIDC_ISSUER_URL)|" -e "s|OIDC_CLIENT_ID|$(OIDC_CLIENT_ID)|" cluster.yaml > $(OUTPUT_DIR)/cluster.yaml
kind create cluster --name $(CLUSTER_NAME) --config $(OUTPUT_DIR)/cluster.yaml
# run the login script instead of opening chrome
BROWSER := $(OUTPUT_DIR)/bin/chromelogin
export BROWSER
# Set up the access control.
kubectl create clusterrole cluster-readonly --verb=get,watch,list --resource='*.*'
kubectl create clusterrolebinding cluster-readonly --clusterrole=cluster-readonly --user=$(YOUR_EMAIL)
# Set up kubectl.
.PHONY: test
test: build
# see the setup instruction
kubectl oidc-login setup \
--oidc-issuer-url=https://dex-server:10443/dex \
--oidc-client-id=YOUR_CLIENT_ID \
--oidc-client-secret=YOUR_CLIENT_SECRET \
--oidc-extra-scope=email \
--certificate-authority=$(OUTPUT_DIR)/ca.crt
# set up the kubeconfig
kubectl config set-credentials oidc \
--exec-api-version=client.authentication.k8s.io/v1 \
--exec-interactive-mode=Never \
--exec-command=$(CURDIR)/../kubelogin \
--exec-api-version=client.authentication.k8s.io/v1beta1 \
--exec-command=kubectl \
--exec-arg=oidc-login \
--exec-arg=get-token \
--exec-arg=--token-cache-dir=$(OUTPUT_DIR)/token-cache \
--exec-arg=--oidc-issuer-url=$(OIDC_ISSUER_URL) \
--exec-arg=--oidc-client-id=$(OIDC_CLIENT_ID) \
--exec-arg=--oidc-extra-scope=email
# Switch the default user.
--exec-arg=--oidc-issuer-url=https://dex-server:10443/dex \
--exec-arg=--oidc-client-id=YOUR_CLIENT_ID \
--exec-arg=--oidc-client-secret=YOUR_CLIENT_SECRET \
--exec-arg=--oidc-extra-scope=email \
--exec-arg=--certificate-authority=$(OUTPUT_DIR)/ca.crt
# make sure we can access the cluster
kubectl --user=oidc cluster-info
# switch the current context
kubectl config set-context --current --user=oidc
# make sure we can access the cluster
kubectl cluster-info
# Show the kubeconfig.
kubectl config view
.PHONY: setup
setup: build dex cluster setup-chrome
.PHONY: setup-chrome
setup-chrome: $(OUTPUT_DIR)/ca.crt
# add the dex server certificate to the trust store
mkdir -p ~/.pki/nssdb
cd ~/.pki/nssdb && certutil -A -d sql:. -n dex -i $(OUTPUT_DIR)/ca.crt -t "TC,,"
# build binaries
.PHONY: build
build: $(OUTPUT_DIR)/bin/kubectl-oidc_login $(OUTPUT_DIR)/bin/chromelogin
$(OUTPUT_DIR)/bin/kubectl-oidc_login:
go build -o $@ ..
$(OUTPUT_DIR)/bin/chromelogin: chromelogin/main.go
go build -o $@ ./chromelogin
# create a Dex server
.PHONY: dex
dex: $(OUTPUT_DIR)/server.crt $(OUTPUT_DIR)/server.key
docker create --name dex-server -p 10443:10443 --network kind quay.io/dexidp/dex:v2.21.0 serve /dex.yaml
docker cp $(OUTPUT_DIR)/server.crt dex-server:/
docker cp $(OUTPUT_DIR)/server.key dex-server:/
docker cp dex.yaml dex-server:/
docker start dex-server
docker logs dex-server
$(OUTPUT_DIR)/ca.key:
mkdir -p $(OUTPUT_DIR)
openssl genrsa -out $@ 2048
$(OUTPUT_DIR)/ca.csr: $(OUTPUT_DIR)/ca.key
openssl req -new -key $(OUTPUT_DIR)/ca.key -out $@ -subj "/CN=dex-ca" -config openssl.cnf
$(OUTPUT_DIR)/ca.crt: $(OUTPUT_DIR)/ca.key $(OUTPUT_DIR)/ca.csr
openssl x509 -req -in $(OUTPUT_DIR)/ca.csr -signkey $(OUTPUT_DIR)/ca.key -out $@ -days 10
$(OUTPUT_DIR)/server.key:
mkdir -p $(OUTPUT_DIR)
openssl genrsa -out $@ 2048
$(OUTPUT_DIR)/server.csr: openssl.cnf $(OUTPUT_DIR)/server.key
openssl req -new -key $(OUTPUT_DIR)/server.key -out $@ -subj "/CN=dex-server" -config openssl.cnf
$(OUTPUT_DIR)/server.crt: openssl.cnf $(OUTPUT_DIR)/server.csr $(OUTPUT_DIR)/ca.crt $(OUTPUT_DIR)/ca.key
openssl x509 -req -in $(OUTPUT_DIR)/server.csr -CA $(OUTPUT_DIR)/ca.crt -CAkey $(OUTPUT_DIR)/ca.key -CAcreateserial -out $@ -sha256 -days 10 -extensions v3_req -extfile openssl.cnf
# create a Kubernetes cluster
.PHONY: cluster
cluster: dex create-cluster
# add the Dex container IP to /etc/hosts of kube-apiserver
docker inspect -f '{{.NetworkSettings.IPAddress}}' dex-server | sed -e 's,$$, dex-server,' | \
kubectl -n kube-system exec -i kube-apiserver-$(CLUSTER_NAME)-control-plane -- tee -a /etc/hosts
# wait for kube-apiserver oidc initialization
# (oidc authenticator will retry oidc discovery every 10s)
sleep 10
.PHONY: create-cluster
create-cluster: $(OUTPUT_DIR)/ca.crt
cp $(OUTPUT_DIR)/ca.crt /tmp/kubelogin-acceptance-test-dex-ca.crt
kind create cluster --name $(CLUSTER_NAME) --config cluster.yaml
kubectl create clusterrole cluster-readonly --verb=get,watch,list --resource='*.*'
kubectl create clusterrolebinding cluster-readonly --clusterrole=cluster-readonly --user=admin@example.com
# clean up the resources
.PHONY: clean
clean:
-rm -r $(OUTPUT_DIR)
.PHONY: delete-cluster
delete-cluster:
kind delete cluster --name $(CLUSTER_NAME)
.PHONY: check
check:
docker version
kind version
kubectl version --client
.PHONY: delete-dex
delete-dex:
docker stop dex-server
docker rm dex-server

137
acceptance_test/README.md
View File

@@ -1,72 +1,109 @@
# kubelogin/acceptance_test
This is a manual test to verify if the Kubernetes OIDC authentication works with your OIDC provider.
This is an acceptance test for walkthrough of the OIDC initial setup and plugin behavior using a real Kubernetes cluster and OpenID Connect provider, running on [GitHub Actions](https://github.com/int128/kubelogin/actions?query=workflow%3Aacceptance-test).
## Purpose
It is intended to verify the following points:
This test checks the following points:
- User can set up Kubernetes OIDC authentication and this plugin.
- User can access a cluster after login.
1. You can set up your OIDC provider using the [setup guide](../docs/setup.md).
1. The plugin works with your OIDC provider.
It performs the test using the following components:
## Getting Started
- Kubernetes cluster (Kind)
- OIDC provider (Dex)
- Browser (Chrome)
- kubectl command
### Prerequisite
You need to build the plugin into the parent directory.
## How it works
```sh
make -C ..
```
Let's take a look at the diagram.
You need to set up your provider.
See the [setup guide](../docs/setup.md) for more.
![diagram](../docs/acceptance-test-diagram.svg)
You need to install the following tools:
It prepares the following resources:
1. Generate a pair of CA certificate and TLS server certificate for Dex.
1. Run Dex on a container.
1. Create a Kubernetes cluster using Kind.
1. Mutate `/etc/hosts` of the CI machine to access Dex.
1. Mutate `/etc/hosts` of the kube-apiserver pod to access Dex.
It performs the test by the following steps:
1. Run kubectl.
1. kubectl automatically runs kubelogin.
1. kubelogin automatically runs [chromelogin](chromelogin).
1. chromelogin opens the browser, navigates to `http://localhost:8000` and enter the username and password.
1. kubelogin gets an authorization code from the browser.
1. kubelogin gets a token.
1. kubectl accesses an API with the token.
1. kube-apiserver verifies the token by Dex.
1. Check if kubectl exited with code 0.
## Run locally
You need to set up the following components:
- Docker
- Kind
- kubectl
- Chrome or Chromium
You can check if the tools are available.
You need to add the following line to `/etc/hosts` so that the browser can access the Dex.
```sh
make check
```
127.0.0.1 dex-server
```
### 1. Create a cluster
Run the test.
Create a cluster.
For example, you can create a cluster with Google account authentication.
```shell script
# run the test
make
```sh
make OIDC_ISSUER_URL=https://accounts.google.com \
OIDC_CLIENT_ID=REDACTED.apps.googleusercontent.com \
YOUR_EMAIL=REDACTED@gmail.com
```
It will do the following steps:
1. Create a cluster.
1. Set up access control. It allows read-only access from your email address.
1. Set up kubectl to enable the plugin.
You can change kubectl configuration in generated `output/kubeconfig.yaml`.
### 2. Run kubectl
Make sure you can log in to the provider and access the cluster.
```console
% export KUBECONFIG=$PWD/output/kubeconfig.yaml
% kubectl get pods -A
```
### Clean up
To delete the cluster and generated files:
```sh
# clean up
make delete-cluster
make clean
make delete-dex
```
## Technical consideration
### Network and DNS
Consider the following issues:
- kube-apiserver runs on the host network of the kind container.
- kube-apiserver cannot resolve a service name by kube-dns.
- kube-apiserver cannot access a cluster IP.
- kube-apiserver can access another container via the Docker network.
- Chrome requires exactly match of domain name between Dex URL and a server certificate.
Consequently,
- kube-apiserver accesses Dex by resolving `/etc/hosts` and via the Docker network.
- kubelogin and Chrome accesses Dex by resolving `/etc/hosts` and via the Docker network.
### TLS server certificate
Consider the following issues:
- kube-apiserver requires `--oidc-issuer` is HTTPS URL.
- kube-apiserver requires a CA certificate at startup, if `--oidc-ca-file` is given.
- kube-apiserver mounts `/usr/local/share/ca-certificates` from the kind container.
- It is possible to mount a file from the CI machine.
- It is not possible to issue a certificate using Let's Encrypt in runtime.
- Chrome requires a valid certificate in `~/.pki/nssdb`.
As a result,
- kube-apiserver uses the CA certificate of `/usr/local/share/ca-certificates/dex-ca.crt`. See the `extraMounts` section of [`cluster.yaml`](cluster.yaml).
- kubelogin uses the CA certificate in `output/ca.crt`.
- Chrome uses the CA certificate in `~/.pki/nssdb`.
### Test environment
- Set the issuer URL to kubectl. See [`kubeconfig_oidc.yaml`](kubeconfig_oidc.yaml).
- Set the issuer URL to kube-apiserver. See [`cluster.yaml`](cluster.yaml).
- Set `BROWSER` environment variable to run [`chromelogin`](chromelogin) by `xdg-open`.

41
system_test/login/chromelogin/main.go → acceptance_test/chromelogin/main.go
View File

@@ -28,29 +28,20 @@ func main() {
func runBrowser(ctx context.Context, url string) error {
execOpts := chromedp.DefaultExecAllocatorOptions[:]
execOpts = append(execOpts,
chromedp.NoSandbox,
chromedp.WSURLReadTimeout(30*time.Second),
)
ctx, cancelExec := chromedp.NewExecAllocator(ctx, execOpts...)
defer cancelExec()
ctx, cancelCtx := chromedp.NewContext(ctx, chromedp.WithLogf(log.Printf))
defer cancelCtx()
log.Printf("Opening a new browser and navigating to %s", url)
if err := openBrowser(ctx, url); err != nil {
return fmt.Errorf("could not open a new browser: %w", err)
}
ctx, cancelTimeout := context.WithTimeout(ctx, 30*time.Second)
defer cancelTimeout()
log.Printf("Logging in to Dex")
if err := logInToDex(ctx); err != nil {
execOpts = append(execOpts, chromedp.NoSandbox)
ctx, cancel := chromedp.NewExecAllocator(ctx, execOpts...)
defer cancel()
ctx, cancel = chromedp.NewContext(ctx, chromedp.WithLogf(log.Printf))
defer cancel()
ctx, cancel = context.WithTimeout(ctx, 30*time.Second)
defer cancel()
if err := logInToDex(ctx, url); err != nil {
return fmt.Errorf("could not run the browser: %w", err)
}
return nil
}
func openBrowser(ctx context.Context, url string) error {
func logInToDex(ctx context.Context, url string) error {
for {
var location string
err := chromedp.Run(ctx,
@@ -60,16 +51,14 @@ func openBrowser(ctx context.Context, url string) error {
if err != nil {
return err
}
log.Printf("Location: %s", location)
log.Printf("location: %s", location)
if strings.HasPrefix(location, `http://`) || strings.HasPrefix(location, `https://`) {
return nil
break
}
time.Sleep(1 * time.Second)
}
}
func logInToDex(ctx context.Context) error {
return chromedp.Run(ctx,
err := chromedp.Run(ctx,
// https://dex-server:10443/dex/auth/local
chromedp.WaitVisible(`#login`),
logPageMetadata(),
@@ -84,6 +73,10 @@ func logInToDex(ctx context.Context) error {
chromedp.WaitReady(`body`),
logPageMetadata(),
)
if err != nil {
return err
}
return nil
}
func logPageMetadata() chromedp.Action {
@@ -93,7 +86,7 @@ func logPageMetadata() chromedp.Action {
chromedp.Location(&location),
chromedp.Title(&title),
chromedp.ActionFunc(func(ctx context.Context) error {
log.Printf("Location: %s, Title: %s", location, title)
log.Printf("location: %s [%s]", location, title)
return nil
}),
}

11
acceptance_test/cluster.yaml
View File

@@ -1,5 +1,6 @@
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
# https://github.com/dexidp/dex/blob/master/Documentation/kubernetes.md
kubeadmConfigPatches:
- |
apiVersion: kubeadm.k8s.io/v1beta2
@@ -8,6 +9,12 @@ kubeadmConfigPatches:
name: config
apiServer:
extraArgs:
oidc-issuer-url: OIDC_ISSUER_URL
oidc-client-id: OIDC_CLIENT_ID
oidc-issuer-url: https://dex-server:10443/dex
oidc-client-id: YOUR_CLIENT_ID
oidc-username-claim: email
oidc-ca-file: /usr/local/share/ca-certificates/dex-ca.crt
nodes:
- role: control-plane
extraMounts:
- hostPath: /tmp/kubelogin-acceptance-test-dex-ca.crt
containerPath: /usr/local/share/ca-certificates/dex-ca.crt

0
system_test/dex/dex.yaml → acceptance_test/dex.yaml
View File

0
system_test/cert/openssl.cnf → acceptance_test/openssl.cnf
View File

13
dist/Dockerfile vendored Normal file
View File

@@ -0,0 +1,13 @@
FROM alpine:3.11
ARG KUBELOGIN_VERSION="{{ env "VERSION" }}"
ARG KUBELOGIN_SHA256="{{ sha256 .linux_amd64_archive }}"
# Download the release and test the checksum
RUN wget -O /kubelogin.zip "https://github.com/int128/kubelogin/releases/download/$KUBELOGIN_VERSION/kubelogin_linux_amd64.zip" && \
echo "$KUBELOGIN_SHA256 /kubelogin.zip" | sha256sum -c - && \
unzip /kubelogin.zip && \
rm /kubelogin.zip
USER daemon
ENTRYPOINT ["/kubelogin"]

27
dist/kubelogin.rb vendored Normal file
View File

@@ -0,0 +1,27 @@
class Kubelogin < Formula
desc "A kubectl plugin for Kubernetes OpenID Connect authentication"
homepage "https://github.com/int128/kubelogin"
baseurl = "https://github.com/int128/kubelogin/releases/download"
version "{{ env "VERSION" }}"
if OS.mac?
kernel = "darwin"
sha256 "{{ sha256 .darwin_amd64_archive }}"
elsif OS.linux?
kernel = "linux"
sha256 "{{ sha256 .linux_amd64_archive }}"
end
url baseurl + "/#{version}/kubelogin_#{kernel}_amd64.zip"
def install
bin.install "kubelogin" => "kubelogin"
ln_s bin/"kubelogin", bin/"kubectl-oidc_login"
end
test do
system "#{bin}/kubelogin -h"
system "#{bin}/kubectl-oidc_login -h"
end
end

88
dist/oidc-login.yaml vendored Normal file
View File

@@ -0,0 +1,88 @@
apiVersion: krew.googlecontainertools.github.com/v1alpha2
kind: Plugin
metadata:
name: oidc-login
spec:
homepage: https://github.com/int128/kubelogin
shortDescription: Log in to the OpenID Connect provider
description: |
This is a kubectl plugin for Kubernetes OpenID Connect (OIDC) authentication.
## Credential plugin mode
kubectl executes oidc-login before calling the Kubernetes APIs.
oidc-login automatically opens the browser and you can log in to the provider.
After authentication, kubectl gets the token from oidc-login and you can access the cluster.
See https://github.com/int128/kubelogin#credential-plugin-mode for more.
## Standalone mode
Run `kubectl oidc-login`.
It automatically opens the browser and you can log in to the provider.
After authentication, it writes the token to the kubeconfig and you can access the cluster.
See https://github.com/int128/kubelogin#standalone-mode for more.
caveats: |
You need to setup the OIDC provider, Kubernetes API server, role binding and kubeconfig.
See https://github.com/int128/kubelogin for more.
version: {{ env "VERSION" }}
platforms:
- uri: https://github.com/int128/kubelogin/releases/download/{{ env "VERSION" }}/kubelogin_linux_amd64.zip
sha256: "{{ sha256 .linux_amd64_archive }}"
bin: kubelogin
files:
- from: kubelogin
to: .
- from: LICENSE
to: .
selector:
matchLabels:
os: linux
arch: amd64
- uri: https://github.com/int128/kubelogin/releases/download/{{ env "VERSION" }}/kubelogin_darwin_amd64.zip
sha256: "{{ sha256 .darwin_amd64_archive }}"
bin: kubelogin
files:
- from: kubelogin
to: .
- from: LICENSE
to: .
selector:
matchLabels:
os: darwin
arch: amd64
- uri: https://github.com/int128/kubelogin/releases/download/{{ env "VERSION" }}/kubelogin_windows_amd64.zip
sha256: "{{ sha256 .windows_amd64_archive }}"
bin: kubelogin.exe
files:
- from: kubelogin.exe
to: .
- from: LICENSE
to: .
selector:
matchLabels:
os: windows
arch: amd64
- uri: https://github.com/int128/kubelogin/releases/download/{{ env "VERSION" }}/kubelogin_linux_arm.zip
sha256: "{{ sha256 .linux_arm_archive }}"
bin: kubelogin
files:
- from: kubelogin
to: .
- from: LICENSE
to: .
selector:
matchLabels:
os: linux
arch: arm
- uri: https://github.com/int128/kubelogin/releases/download/{{ env "VERSION" }}/kubelogin_linux_arm64.zip
sha256: "{{ sha256 .linux_arm64_archive }}"
bin: kubelogin
files:
- from: kubelogin
to: .
- from: LICENSE
to: .
selector:
matchLabels:
os: linux
arch: arm64

0
docs/system-test-diagram.svg → docs/acceptance-test-diagram.svg
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 28 KiB

After

Width:  |  Height:  |  Size: 28 KiB

BIN
docs/keycloak-login.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 278 KiB

174
docs/setup.md
View File

@@ -10,47 +10,156 @@ Let's see the following steps:
1. Set up the kubeconfig
1. Verify cluster access
## 1. Set up the OIDC provider
Kubelogin supports the authentication flows such as Device Authorization Grant or Authorization Code Flow.
For the details of flows supported in Kubelogin, see the [usage](usage.md).
For the details of your provider, ask the administrator of your provider.
### Google Identity Platform
## 2. Authenticate with the OpenID Connect Provider
You can log in with a Google account.
Run the following command to show the instruction to set up the configuration:
Open [Google APIs Console](https://console.developers.google.com/apis/credentials) and create an OAuth client with the following setting:
```sh
kubectl oidc-login setup --oidc-issuer-url=ISSUER_URL --oidc-client-id=YOUR_CLIENT_ID
- Application Type: Other
Check the client ID and secret.
Replace the following variables in the later sections.
Variable | Value
------------------------|------
`ISSUER_URL` | `https://accounts.google.com`
`YOUR_CLIENT_ID` | `xxx.apps.googleusercontent.com`
`YOUR_CLIENT_SECRET` | random string
### Keycloak
You can log in with a user of Keycloak.
Make sure you have an administrator role of the Keycloak realm.
Open Keycloak and create an OIDC client as follows:
- Client ID: `YOUR_CLIENT_ID`
- Valid Redirect URLs:
- `http://localhost:8000`
- `http://localhost:18000` (used if the port 8000 is already in use)
- Issuer URL: `https://keycloak.example.com/auth/realms/YOUR_REALM`
You can associate client roles by adding the following mapper:
- Name: `groups`
- Mapper Type: `User Client Role`
- Client ID: `YOUR_CLIENT_ID`
- Client Role prefix: `kubernetes:`
- Token Claim Name: `groups`
- Add to ID token: on
For example, if you have `admin` role of the client, you will get a JWT with the claim `{"groups": ["kubernetes:admin"]}`.
Replace the following variables in the later sections.
Variable | Value
------------------------|------
`ISSUER_URL` | `https://keycloak.example.com/auth/realms/YOUR_REALM`
`YOUR_CLIENT_ID` | `YOUR_CLIENT_ID`
`YOUR_CLIENT_SECRET` | random string
### Dex with GitHub
You can log in with a GitHub account.
Open [GitHub OAuth Apps](https://github.com/settings/developers) and create an application with the following setting:
- Application name: (any)
- Homepage URL: `https://dex.example.com`
- Authorization callback URL: `https://dex.example.com/callback`
Deploy [Dex](https://github.com/dexidp/dex) with the following config:
```yaml
issuer: https://dex.example.com
connectors:
- type: github
id: github
name: GitHub
config:
clientID: YOUR_GITHUB_CLIENT_ID
clientSecret: YOUR_GITHUB_CLIENT_SECRET
redirectURI: https://dex.example.com/callback
staticClients:
- id: YOUR_CLIENT_ID
name: Kubernetes
redirectURIs:
- http://localhost:8000
- http://localhost:18000
secret: YOUR_DEX_CLIENT_SECRET
```
Set the following flags:
Replace the following variables in the later sections.
- Set the issuer URL of your OpenID Connect provider to `--oidc-issuer-url`.
- Set the client ID for your OpenID Connect provider to `--oidc-client-id`.
- If your provider requires a client secret, set `--oidc-client-secret`.
Variable | Value
------------------------|------
`ISSUER_URL` | `https://dex.example.com`
`YOUR_CLIENT_ID` | `YOUR_CLIENT_ID`
`YOUR_CLIENT_SECRET` | `YOUR_DEX_CLIENT_SECRET`
If your provider supports the Device Authorization Grant, set `--grant-type=device-code`.
It launches the browser and navigates to the authentication page of your provider.
### Okta
If your provider supports the Authorization Code Flow, set `--grant-type=authcode`.
It starts a local server for the authentication.
It launches the browser and navigates to the authentication page of your provider.
You can log in with an Okta user.
Okta supports [the authorization code flow with PKCE](https://developer.okta.com/docs/guides/implement-auth-code-pkce/overview/)
and this section explains how to set up it.
You can see the full options:
Open your Okta organization and create an application with the following options:
- Application type: Native
- Initiate login URI: `http://localhost:8000`
- Login redirect URIs:
- `http://localhost:8000`
- `http://localhost:18000` (used if the port 8000 is already in use)
- Allowed grant types: Authorization Code
- Client authentication: Use PKCE (for public clients)
Replace the following variables in the later sections.
Variable | Value
------------------------|------
`ISSUER_URL` | `https://YOUR_ORGANIZATION.okta.com`
`YOUR_CLIENT_ID` | random string
You do not need to set `YOUR_CLIENT_SECRET`.
## 2. Verify authentication
Run the following command:
```sh
kubectl oidc-login setup \
--oidc-issuer-url=ISSUER_URL \
--oidc-client-id=YOUR_CLIENT_ID \
--oidc-client-secret=YOUR_CLIENT_SECRET
```
It launches the browser and navigates to `http://localhost:8000`.
Please log in to the provider.
You can set extra options, for example, extra scope or CA certificate.
See also the full options.
```sh
kubectl oidc-login setup --help
```
## 3. Bind a cluster role
You can run the following command to bind `cluster-admin` role to you:
Here bind `cluster-admin` role to you.
```sh
kubectl create clusterrolebinding oidc-cluster-admin --clusterrole=cluster-admin --user='ISSUER_URL#YOUR_SUBJECT'
```
As well as you can create a custom cluster role and bind it.
## 4. Set up the Kubernetes API server
Add the following flags to kube-apiserver:
@@ -62,25 +171,40 @@ Add the following flags to kube-apiserver:
See [Kubernetes Authenticating: OpenID Connect Tokens](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens) for the all flags.
If you are using [kops](https://github.com/kubernetes/kops), run `kops edit cluster` and append the following settings:
```yaml
spec:
kubeAPIServer:
oidcIssuerURL: ISSUER_URL
oidcClientID: YOUR_CLIENT_ID
```
If you are using [kube-aws](https://github.com/kubernetes-incubator/kube-aws), append the following settings to the `cluster.yaml`:
```yaml
oidc:
enabled: true
issuerUrl: ISSUER_URL
clientId: YOUR_CLIENT_ID
```
## 5. Set up the kubeconfig
Add `oidc` user to the kubeconfig.
```sh
kubectl config set-credentials oidc \
--exec-interactive-mode=Never \
--exec-api-version=client.authentication.k8s.io/v1 \
--exec-api-version=client.authentication.k8s.io/v1beta1 \
--exec-command=kubectl \
--exec-arg=oidc-login \
--exec-arg=get-token \
--exec-arg=--oidc-issuer-url=ISSUER_URL \
--exec-arg=--oidc-client-id=YOUR_CLIENT_ID
--exec-arg=--oidc-client-id=YOUR_CLIENT_ID \
--exec-arg=--oidc-client-secret=YOUR_CLIENT_SECRET
```
If your provider requires a client secret, add `--oidc-client-secret=YOUR_CLIENT_SECRET`.
For security, it is recommended to add `--token-cache-storage=keyring` to store the token cache to the keyring instead of the file system.
If you encounter an error, see the [token cache](usage.md#token-cache) for details.
## 6. Verify cluster access

134
docs/standalone-mode.md
View File

@@ -1,11 +1,9 @@
# Standalone mode
Kubelogin supports the standalone mode as well.
It writes the token to the kubeconfig (typically `~/.kube/config`) after authentication.
You can run kubelogin as a standalone command.
In this mode, you need to manually run the command before running kubectl.
## Getting started
Configure your kubeconfig like:
Configure the kubeconfig like:
```yaml
- name: keycloak
@@ -33,7 +31,7 @@ It automatically opens the browser and you can log in to the provider.
After authentication, kubelogin writes the ID token and refresh token to the kubeconfig.
```console
```
% kubelogin
Open http://localhost:8000 for authentication
You got a valid token until 2019-05-18 10:28:51 +0900 JST
@@ -42,7 +40,7 @@ Updated ~/.kubeconfig
Now you can access the cluster.
```console
```
% kubectl get pods
NAME READY STATUS RESTARTS AGE
echoserver-86c78fdccd-nzmd5 1/1 Running 0 26d
@@ -52,21 +50,21 @@ Your kubeconfig looks like:
```yaml
users:
- name: keycloak
user:
auth-provider:
config:
client-id: YOUR_CLIENT_ID
client-secret: YOUR_CLIENT_SECRET
idp-issuer-url: https://issuer.example.com
id-token: ey... # kubelogin will add or update the ID token here
refresh-token: ey... # kubelogin will add or update the refresh token here
name: oidc
- name: keycloak
user:
auth-provider:
config:
client-id: YOUR_CLIENT_ID
client-secret: YOUR_CLIENT_SECRET
idp-issuer-url: https://issuer.example.com
id-token: ey... # kubelogin will add or update the ID token here
refresh-token: ey... # kubelogin will add or update the refresh token here
name: oidc
```
If the ID token is valid, kubelogin does nothing.
```console
```
% kubelogin
You already have a valid token until 2019-05-18 10:28:51 +0900 JST
```
@@ -74,8 +72,64 @@ You already have a valid token until 2019-05-18 10:28:51 +0900 JST
If the ID token has expired, kubelogin will refresh the token using the refresh token in the kubeconfig.
If the refresh token has expired, kubelogin will proceed the authentication.
## Usage
Kubelogin supports the following options:
```
% kubectl oidc-login -h
Login to the OpenID Connect provider.
You need to set up the OIDC provider, role binding, Kubernetes API server and kubeconfig.
Run the following command to show the setup instruction:
kubectl oidc-login setup
See https://github.com/int128/kubelogin for more.
Usage:
main [flags]
main [command]
Available Commands:
get-token Run as a kubectl credential plugin
help Help about any command
setup Show the setup instruction
version Print the version information
Flags:
--kubeconfig string Path to the kubeconfig file
--context string The name of the kubeconfig context to use
--user string The name of the kubeconfig user to use. Prior to --context
--certificate-authority string Path to a cert file for the certificate authority
--insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
--grant-type string The authorization grant type to use. One of (auto|authcode|authcode-keyboard|password) (default "auto")
--listen-address strings Address to bind to the local server. If multiple addresses are given, it will try binding in order (default [127.0.0.1:8000,127.0.0.1:18000])
--listen-port ints (Deprecated: use --listen-address)
--skip-open-browser If true, it does not open the browser on authentication
--oidc-redirect-url-hostname string Hostname of the redirect URL (default "localhost")
--oidc-auth-request-extra-params stringToString Extra query parameters to send with an authentication request (default [])
--username string If set, perform the resource owner password credentials grant
--password string If set, use the password instead of asking it
--add_dir_header If true, adds the file directory to the header
--alsologtostderr log to standard error as well as files
--log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0)
--log_dir string If non-empty, write log files in this directory
--log_file string If non-empty, use this log file
--log_file_max_size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
--logtostderr log to standard error instead of files (default true)
--skip_headers If true, avoid header prefixes in the log messages
--skip_log_headers If true, avoid headers when opening log files
--stderrthreshold severity logs at or above this threshold go to stderr (default 2)
-v, --v Level number for the log level verbosity
--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging
-h, --help help for kubelogin
--version version for kubelogin
```
### Kubeconfig
You can set path to the kubeconfig file by the option or the environment variable just like kubectl.
It defaults to `~/.kube/config`.
@@ -92,15 +146,37 @@ If you set multiple files, kubelogin will find the file which has the current au
Kubelogin supports the following keys of `auth-provider` in a kubeconfig.
See [kubectl authentication](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#using-kubectl) for more.
| Key | Direction | Value |
| -------------------------------- | ---------------- | ---------------------------------------------------- |
| `idp-issuer-url` | Read (Mandatory) | Issuer URL of the provider. |
| `client-id` | Read (Mandatory) | Client ID of the provider. |
| `client-secret` | Read (Mandatory) | Client Secret of the provider. |
| `idp-certificate-authority` | Read | CA certificate path of the provider. |
| `idp-certificate-authority-data` | Read | Base64 encoded CA certificate of the provider. |
| `extra-scopes` | Read | Scopes to request to the provider (comma separated). |
| `id-token` | Write | ID token got from the provider. |
| `refresh-token` | Write | Refresh token got from the provider. |
Key | Direction | Value
----|-----------|------
`idp-issuer-url` | Read (Mandatory) | Issuer URL of the provider.
`client-id` | Read (Mandatory) | Client ID of the provider.
`client-secret` | Read (Mandatory) | Client Secret of the provider.
`idp-certificate-authority` | Read | CA certificate path of the provider.
`idp-certificate-authority-data` | Read | Base64 encoded CA certificate of the provider.
`extra-scopes` | Read | Scopes to request to the provider (comma separated).
`id-token` | Write | ID token got from the provider.
`refresh-token` | Write | Refresh token got from the provider.
See also [usage.md](usage.md).
### Extra scopes
You can set the extra scopes to request to the provider by `extra-scopes` in the kubeconfig.
```sh
kubectl config set-credentials keycloak --auth-provider-arg extra-scopes=email
```
Currently kubectl does not accept multiple scopes, so you need to edit the kubeconfig as like:
```sh
kubectl config set-credentials keycloak --auth-provider-arg extra-scopes=SCOPES
sed -i '' -e s/SCOPES/email,profile/ $KUBECONFIG
```
### CA Certificates
You can use your self-signed certificates for the provider.
```sh
kubectl config set-credentials keycloak \
--auth-provider-arg idp-certificate-authority=$HOME/.kube/keycloak-ca.pem
```

340
docs/usage.md
View File

@@ -1,340 +0,0 @@
# Usage
Kubelogin supports the following options:
```
Usage:
kubelogin get-token [flags]
Flags:
--oidc-issuer-url string Issuer URL of the provider (mandatory)
--oidc-client-id string Client ID of the provider (mandatory)
--oidc-client-secret string Client secret of the provider
--oidc-redirect-url string [authcode, authcode-keyboard] Redirect URL
--oidc-extra-scope strings Scopes to request to the provider
--oidc-use-access-token Instead of using the id_token, use the access_token to authenticate to Kubernetes
--oidc-request-header stringToString HTTP headers to send with an authentication request (default [])
--force-refresh If set, refresh the ID token regardless of its expiration time
--token-cache-dir string Path to a directory of the token cache (default "~/.kube/cache/oidc-login")
--token-cache-storage string Storage for the token cache. One of (disk|keyring|none) (default "disk")
--certificate-authority stringArray Path to a cert file for the certificate authority
--certificate-authority-data stringArray Base64 encoded cert for the certificate authority
--insecure-skip-tls-verify [SECURITY RISK] If set, the server's certificate will not be checked for validity
--tls-renegotiation-once If set, allow a remote server to request renegotiation once per connection
--tls-renegotiation-freely If set, allow a remote server to repeatedly request renegotiation
--oidc-pkce-method string PKCE code challenge method. Automatically determined by default. One of (auto|no|S256) (default "auto")
--grant-type string Authorization grant type to use. One of (auto|authcode|authcode-keyboard|password|device-code|client-credentials) (default "auto")
--listen-address strings [authcode] Address to bind to the local server. If multiple addresses are set, it will try binding in order (default [127.0.0.1:8000,127.0.0.1:18000])
--skip-open-browser [authcode] Do not open the browser automatically
--browser-command string [authcode] Command to open the browser
--authentication-timeout-sec int [authcode] Timeout of authentication in seconds (default 180)
--local-server-cert string [authcode] Certificate path for the local server
--local-server-key string [authcode] Certificate key path for the local server
--open-url-after-authentication string [authcode] If set, open the URL in the browser after authentication
--oidc-auth-request-extra-params stringToString [authcode, authcode-keyboard, client-credentials] Extra query parameters to send with an authentication request (default [])
--username string [password] Username for resource owner password credentials grant
--password string [password] Password for resource owner password credentials grant
-h, --help help for get-token
Global Flags:
--add_dir_header If true, adds the file directory to the header of the log messages
--alsologtostderr log to standard error as well as files (no effect when -logtostderr=true)
--log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0)
--log_dir string If non-empty, write log files in this directory (no effect when -logtostderr=true)
--log_file string If non-empty, use this log file (no effect when -logtostderr=true)
--log_file_max_size uint Defines the maximum size a log file can grow to (no effect when -logtostderr=true). Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
--logtostderr log to standard error instead of files (default true)
--one_output If true, only write logs to their native severity level (vs also writing to each lower severity level; no effect when -logtostderr=true)
--skip_headers If true, avoid header prefixes in the log messages
--skip_log_headers If true, avoid headers when opening log files (no effect when -logtostderr=true)
--stderrthreshold severity logs at or above this threshold go to stderr when writing to files and stderr (no effect when -logtostderr=true or -alsologtostderr=true) (default 2)
-v, --v Level number for the log level verbosity
--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging
```
## Options
### Authentication timeout
By default, you need to log in to your provider in the browser within 3 minutes.
This prevents a process from remaining forever.
You can change the timeout by the following flag:
```yaml
- --authentication-timeout-sec=60
```
For now this timeout works only for the authorization code flow.
### Extra scopes
You can set the extra scopes to request to the provider by `--oidc-extra-scope`.
```yaml
- --oidc-extra-scope=email
- --oidc-extra-scope=profile
```
### PKCE
Kubelogin automatically uses the PKCE if the provider supports it.
It determines the code challenge method by the `code_challenge_methods_supported` claim of the OpenID Connect Discovery document.
If your provider does not return a valid `code_challenge_methods_supported` claim,
you can enforce the code challenge method by `--oidc-pkce-method`.
```yaml
- --oidc-pkce-method=S256
```
For the most providers, you don't need to set this option explicitly.
### HTTP headers
If your provider requires extra HTTP headers, you can set them by `--oidc-request-header`.
For Azure AD Single Page Application with PKCE, you can set `Origin` header as follows:
```yaml
- --oidc-request-header=Origin=localhost
```
### CA certificate
You can use your self-signed certificate for the provider.
```yaml
- --certificate-authority=/home/user/.kube/keycloak-ca.pem
- --certificate-authority-data=LS0t...
```
### HTTP proxy
You can set the following environment variables if you are behind a proxy: `HTTP_PROXY`, `HTTPS_PROXY` and `NO_PROXY`.
See also [net/http#ProxyFromEnvironment](https://golang.org/pkg/net/http/#ProxyFromEnvironment).
### Token cache
Kubelogin stores the token cache to the file system by default.
You can store the token cache to the OS keyring for enhanced security.
It depends on [zalando/go-keyring](https://github.com/zalando/go-keyring).
```yaml
- --token-cache-storage=keyring
```
You can delete the token cache by the clean command.
```console
% kubectl oidc-login clean
Deleted the token cache at /home/user/.kube/cache/oidc-login
Deleted the token cache from the keyring
```
For systems with immutable storage and no keyring, a cache type of none is available.
### Home directory expansion
If a value in the following options begins with a tilde character `~`, it is expanded to the home directory.
- `--certificate-authority`
- `--local-server-cert`
- `--local-server-key`
- `--token-cache-dir`
## Authentication flows
Kubelogin support the following flows:
- [Device Authorization Grant](#device-authorization-grant)
- [Authorization Code Flow](#authorization-code-flow)
- [Authorization Code Flow with a Keyboard](#authorization-code-flow-with-a-keyboard)
- [Resource Owner Password Credentials Grant](#resource-owner-password-credentials-grant)
- [Client Credentials Flow](#client-credentials-flow)
### Device Authorization Grant
It performs the [Device Authorization Grant (RFC 8628)](https://tools.ietf.org/html/rfc8628) when `--grant-type=device-code` is set.
```yaml
- --grant-type=device-code
```
It automatically opens the browser.
If the provider returns the `verification_uri_complete` parameter, you don't need to enter the code.
Otherwise, you need to enter the code shown.
If you encounter a problem with the browser, you can change the browser command or skip opening the browser.
```yaml
# Change the browser command
- --browser-command=google-chrome
# Do not open the browser
- --skip-open-browser
```
### Authorization Code Flow
It performs the [Authorization Code Flow](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth) when `--grant-type=authcode` is set or the flag is not given.
It starts the local server at port 8000 or 18000 by default.
You need to register the following redirect URIs to the provider:
- `http://localhost:8000`
- `http://localhost:18000` (used if port 8000 is already in use)
You can change the listening address.
```yaml
- --listen-address=127.0.0.1:12345
- --listen-address=127.0.0.1:23456
```
The redirect URL defaults to `http://localhost` with the listening port.
You can override the redirect URL.
```yaml
- --oidc-redirect-url=http://127.0.0.1:8000/
- --oidc-redirect-url=http://your-local-hostname:8000/
```
You can specify a certificate for the local webserver if HTTPS is required by your identity provider.
```yaml
- --local-server-cert=localhost.crt
- --local-server-key=localhost.key
```
You can add extra parameters to the authentication request.
```yaml
- --oidc-auth-request-extra-params=ttl=86400
```
When authentication completed, kubelogin shows a message to close the browser.
You can change the URL to show after authentication.
```yaml
- --open-url-after-authentication=https://example.com/success.html
```
If you encounter a problem with the browser, you can change the browser command or skip opening the browser.
```yaml
# Change the browser command
- --browser-command=google-chrome
# Do not open the browser
- --skip-open-browser
```
### Authorization Code Flow with a keyboard
If you cannot access the browser, instead use the authorization code flow with a keyboard.
```yaml
- --grant-type=authcode-keyboard
```
You need to explicitly set the redirect URL.
```yaml
- --oidc-redirect-url=urn:ietf:wg:oauth:2.0:oob
- --oidc-redirect-url=http://localhost
```
Kubelogin will show the URL and prompt.
Open the URL in the browser and then copy the code shown.
```
% kubectl get pods
Open https://accounts.google.com/o/oauth2/v2/auth?access_type=offline&client_id=...
Enter code: YOUR_CODE
```
You can add extra parameters to the authentication request.
```yaml
- --oidc-auth-request-extra-params=ttl=86400
```
### Resource Owner Password Credentials Grant
It performs the [Resource Owner Password Credentials Grant](https://datatracker.ietf.org/doc/html/rfc6749#section-4.3)
when `--grant-type=password` or `--username` is set.
Note that most OIDC providers do not support this grant.
Keycloak supports this grant but you need to explicitly enable the "Direct Access Grants" feature in the client settings.
You can set the username and password.
```yaml
- --username=USERNAME
- --password=PASSWORD
```
If the password is not set, kubelogin will show the prompt for the password.
```yaml
- --username=USERNAME
```
```
% kubectl get pods
Password:
```
If the username is not set, kubelogin will show the prompt for the username and password.
```yaml
- --grant-type=password
```
```
% kubectl get pods
Username: foo
Password:
```
### Client Credentials Flow
It performs the [OAuth 2.0 Client Credentials Flow](https://datatracker.ietf.org/doc/html/rfc6749#section-1.3.4) when `--grant-type=client-credentials` is set.
```yaml
- --grant-type=client-credentials
```
Per specification, this flow only returns authorization tokens.
## Run in Docker
You can run [the Docker image](https://ghcr.io/int128/kubelogin) instead of the binary.
The kubeconfig looks like:
```yaml
users:
- name: oidc
user:
exec:
apiVersion: client.authentication.k8s.io/v1
command: docker
args:
- run
- --rm
- -v
- /tmp/.token-cache:/.token-cache
- -p
- 8000:8000
- ghcr.io/int128/kubelogin
- get-token
- --token-cache-dir=/.token-cache
- --listen-address=0.0.0.0:8000
- --oidc-issuer-url=ISSUER_URL
- --oidc-client-id=YOUR_CLIENT_ID
- --oidc-client-secret=YOUR_CLIENT_SECRET
```
Known limitations:
- It cannot open the browser automatically.
- The container port and listen port must be equal for consistency of the redirect URI.

293
go.mod
View File

@@ -1,277 +1,26 @@
module github.com/int128/kubelogin
go 1.25.3
go 1.12
require (
github.com/chromedp/chromedp v0.14.2
github.com/coreos/go-oidc/v3 v3.17.0
github.com/gofrs/flock v0.13.0
github.com/golang-jwt/jwt/v5 v5.3.0
github.com/google/go-cmp v0.7.0
github.com/google/wire v0.7.0
github.com/int128/oauth2cli v1.18.0
github.com/int128/oauth2dev v1.1.0
github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c
github.com/spf13/cobra v1.10.1
github.com/spf13/pflag v1.0.10
github.com/stretchr/testify v1.11.1
github.com/zalando/go-keyring v0.2.6
golang.org/x/oauth2 v0.33.0
golang.org/x/sync v0.18.0
golang.org/x/term v0.37.0
gopkg.in/yaml.v3 v3.0.1
k8s.io/apimachinery v0.33.4
k8s.io/client-go v0.33.4
k8s.io/klog/v2 v2.130.1
)
require (
4d63.com/gocheckcompilerdirectives v1.3.0 // indirect
4d63.com/gochecknoglobals v0.2.2 // indirect
al.essio.dev/pkg/shellescape v1.5.1 // indirect
codeberg.org/chavacava/garif v0.2.0 // indirect
dev.gaijin.team/go/exhaustruct/v4 v4.0.0 // indirect
dev.gaijin.team/go/golib v0.6.0 // indirect
github.com/4meepo/tagalign v1.4.3 // indirect
github.com/Abirdcfly/dupword v0.1.6 // indirect
github.com/AdminBenni/iota-mixing v1.0.0 // indirect
github.com/AlwxSin/noinlineerr v1.0.5 // indirect
github.com/Antonboom/errname v1.1.1 // indirect
github.com/Antonboom/nilnil v1.1.1 // indirect
github.com/Antonboom/testifylint v1.6.4 // indirect
github.com/BurntSushi/toml v1.5.0 // indirect
github.com/Djarvur/go-err113 v0.1.1 // indirect
github.com/Masterminds/semver/v3 v3.3.1 // indirect
github.com/MirrexOne/unqueryvet v1.2.1 // indirect
github.com/OpenPeeDeeP/depguard/v2 v2.2.1 // indirect
github.com/alecthomas/chroma/v2 v2.20.0 // indirect
github.com/alecthomas/go-check-sumtype v0.3.1 // indirect
github.com/alexkohler/nakedret/v2 v2.0.6 // indirect
github.com/alexkohler/prealloc v1.0.0 // indirect
github.com/alfatraining/structtag v1.0.0 // indirect
github.com/alingse/asasalint v0.0.11 // indirect
github.com/alingse/nilnesserr v0.2.0 // indirect
github.com/ashanbrown/forbidigo/v2 v2.1.0 // indirect
github.com/ashanbrown/makezero/v2 v2.0.1 // indirect
github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
github.com/beorn7/perks v1.0.1 // indirect
github.com/bkielbasa/cyclop v1.2.3 // indirect
github.com/blizzy78/varnamelen v0.8.0 // indirect
github.com/bombsimon/wsl/v4 v4.7.0 // indirect
github.com/bombsimon/wsl/v5 v5.2.0 // indirect
github.com/breml/bidichk v0.3.3 // indirect
github.com/breml/errchkjson v0.4.1 // indirect
github.com/brunoga/deep v1.2.4 // indirect
github.com/butuzov/ireturn v0.4.0 // indirect
github.com/butuzov/mirror v1.3.0 // indirect
github.com/catenacyber/perfsprint v0.9.1 // indirect
github.com/ccojocar/zxcvbn-go v1.0.4 // indirect
github.com/cespare/xxhash/v2 v2.3.0 // indirect
github.com/charithe/durationcheck v0.0.10 // indirect
github.com/charmbracelet/colorprofile v0.2.3-0.20250311203215-f60798e515dc // indirect
github.com/charmbracelet/lipgloss v1.1.0 // indirect
github.com/charmbracelet/x/ansi v0.8.0 // indirect
github.com/charmbracelet/x/cellbuf v0.0.13-0.20250311204145-2c3ea96c31dd // indirect
github.com/charmbracelet/x/term v0.2.1 // indirect
github.com/chromedp/cdproto v0.0.0-20250724212937-08a3db8b4327 // indirect
github.com/chromedp/sysutil v1.1.0 // indirect
github.com/ckaznocha/intrange v0.3.1 // indirect
github.com/curioswitch/go-reassign v0.3.0 // indirect
github.com/daixiang0/gci v0.13.7 // indirect
github.com/danieljoos/wincred v1.2.2 // indirect
github.com/dave/dst v0.27.3 // indirect
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
github.com/denis-tingaikin/go-header v0.5.0 // indirect
github.com/dlclark/regexp2 v1.11.5 // indirect
github.com/ettle/strcase v0.2.0 // indirect
github.com/fatih/color v1.18.0 // indirect
github.com/fatih/structs v1.1.0 // indirect
github.com/fatih/structtag v1.2.0 // indirect
github.com/firefart/nonamedreturns v1.0.6 // indirect
github.com/fsnotify/fsnotify v1.8.0 // indirect
github.com/fxamacker/cbor/v2 v2.7.0 // indirect
github.com/fzipp/gocyclo v0.6.0 // indirect
github.com/ghostiam/protogetter v0.3.16 // indirect
github.com/go-critic/go-critic v0.13.0 // indirect
github.com/go-jose/go-jose/v4 v4.1.3 // indirect
github.com/go-json-experiment/json v0.0.0-20250725192818-e39067aee2d2 // indirect
github.com/go-logr/logr v1.4.3 // indirect
github.com/go-toolsmith/astcast v1.1.0 // indirect
github.com/go-toolsmith/astcopy v1.1.0 // indirect
github.com/go-toolsmith/astequal v1.2.0 // indirect
github.com/go-toolsmith/astfmt v1.1.0 // indirect
github.com/go-toolsmith/astp v1.1.0 // indirect
github.com/go-toolsmith/strparse v1.1.0 // indirect
github.com/go-toolsmith/typep v1.1.0 // indirect
github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
github.com/go-xmlfmt/xmlfmt v1.1.3 // indirect
github.com/gobwas/glob v0.2.3 // indirect
github.com/gobwas/httphead v0.1.0 // indirect
github.com/gobwas/pool v0.2.1 // indirect
github.com/gobwas/ws v1.4.0 // indirect
github.com/godbus/dbus/v5 v5.1.0 // indirect
github.com/godoc-lint/godoc-lint v0.10.0 // indirect
github.com/gogo/protobuf v1.3.2 // indirect
github.com/golang/protobuf v1.5.4 // indirect
github.com/golangci/asciicheck v0.5.0 // indirect
github.com/golangci/dupl v0.0.0-20250308024227-f665c8d69b32 // indirect
github.com/golangci/go-printf-func-name v0.1.1 // indirect
github.com/golangci/gofmt v0.0.0-20250106114630-d62b90e6713d // indirect
github.com/golangci/golangci-lint/v2 v2.5.0 // indirect
github.com/golangci/golines v0.0.0-20250217134842-442fd0091d95 // indirect
github.com/golangci/misspell v0.7.0 // indirect
github.com/golangci/nilerr v0.0.0-20250918000102-015671e622fe // indirect
github.com/golangci/plugin-module-register v0.1.2 // indirect
github.com/golangci/revgrep v0.8.0 // indirect
github.com/golangci/swaggoswag v0.0.0-20250504205917-77f2aca3143e // indirect
github.com/golangci/unconvert v0.0.0-20250410112200-a129a6e6413e // indirect
github.com/google/subcommands v1.2.0 // indirect
github.com/gordonklaus/ineffassign v0.2.0 // indirect
github.com/gostaticanalysis/analysisutil v0.7.1 // indirect
github.com/gostaticanalysis/comment v1.5.0 // indirect
github.com/gostaticanalysis/forcetypeassert v0.2.0 // indirect
github.com/hashicorp/go-immutable-radix/v2 v2.1.0 // indirect
github.com/hashicorp/go-version v1.7.0 // indirect
github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
github.com/hexops/gotextdiff v1.0.3 // indirect
github.com/huandu/xstrings v1.5.0 // indirect
github.com/inconshreveable/mousetrap v1.1.0 // indirect
github.com/int128/listener v1.3.0 // indirect
github.com/jedib0t/go-pretty/v6 v6.6.7 // indirect
github.com/jgautheron/goconst v1.8.2 // indirect
github.com/jingyugao/rowserrcheck v1.1.1 // indirect
github.com/jjti/go-spancheck v0.6.5 // indirect
github.com/json-iterator/go v1.1.12 // indirect
github.com/julz/importas v0.2.0 // indirect
github.com/karamaru-alpha/copyloopvar v1.2.1 // indirect
github.com/kisielk/errcheck v1.9.0 // indirect
github.com/kkHAIKE/contextcheck v1.1.6 // indirect
github.com/knadh/koanf/maps v0.1.2 // indirect
github.com/knadh/koanf/parsers/yaml v0.1.0 // indirect
github.com/knadh/koanf/providers/env v1.0.0 // indirect
github.com/knadh/koanf/providers/file v1.1.2 // indirect
github.com/knadh/koanf/providers/posflag v0.1.0 // indirect
github.com/knadh/koanf/providers/structs v0.1.0 // indirect
github.com/knadh/koanf/v2 v2.3.0 // indirect
github.com/kulti/thelper v0.7.1 // indirect
github.com/kunwardeep/paralleltest v1.0.14 // indirect
github.com/lasiar/canonicalheader v1.1.2 // indirect
github.com/ldez/exptostd v0.4.4 // indirect
github.com/ldez/gomoddirectives v0.7.0 // indirect
github.com/ldez/grignotin v0.10.1 // indirect
github.com/ldez/tagliatelle v0.7.2 // indirect
github.com/ldez/usetesting v0.5.0 // indirect
github.com/leonklingele/grouper v1.1.2 // indirect
github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
github.com/macabu/inamedparam v0.2.0 // indirect
github.com/mailru/easyjson v0.9.0 // indirect
github.com/manuelarte/embeddedstructfieldcheck v0.4.0 // indirect
github.com/manuelarte/funcorder v0.5.0 // indirect
github.com/maratori/testableexamples v1.0.0 // indirect
github.com/maratori/testpackage v1.1.1 // indirect
github.com/matoous/godox v1.1.0 // indirect
github.com/mattn/go-colorable v0.1.14 // indirect
github.com/mattn/go-isatty v0.0.20 // indirect
github.com/mattn/go-runewidth v0.0.16 // indirect
github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect
github.com/mgechev/revive v1.12.0 // indirect
github.com/mitchellh/copystructure v1.2.0 // indirect
github.com/mitchellh/go-homedir v1.1.0 // indirect
github.com/mitchellh/reflectwalk v1.0.2 // indirect
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
github.com/modern-go/reflect2 v1.0.2 // indirect
github.com/moricho/tparallel v0.3.2 // indirect
github.com/muesli/termenv v0.16.0 // indirect
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
github.com/nakabonne/nestif v0.3.1 // indirect
github.com/nishanths/exhaustive v0.12.0 // indirect
github.com/nishanths/predeclared v0.2.2 // indirect
github.com/nunnatsa/ginkgolinter v0.21.0 // indirect
github.com/pelletier/go-toml/v2 v2.2.4 // indirect
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
github.com/polyfloyd/go-errorlint v1.8.0 // indirect
github.com/prometheus/client_golang v1.12.1 // indirect
github.com/prometheus/client_model v0.2.0 // indirect
github.com/prometheus/common v0.32.1 // indirect
github.com/prometheus/procfs v0.7.3 // indirect
github.com/quasilyte/go-ruleguard v0.4.4 // indirect
github.com/quasilyte/go-ruleguard/dsl v0.3.22 // indirect
github.com/quasilyte/gogrep v0.5.0 // indirect
github.com/quasilyte/regex/syntax v0.0.0-20210819130434-b3f0c404a727 // indirect
github.com/quasilyte/stdinfo v0.0.0-20220114132959-f7386bf02567 // indirect
github.com/raeperd/recvcheck v0.2.0 // indirect
github.com/rivo/uniseg v0.4.7 // indirect
github.com/rogpeppe/go-internal v1.14.1 // indirect
github.com/rs/zerolog v1.33.0 // indirect
github.com/ryancurrah/gomodguard v1.4.1 // indirect
github.com/ryanrolds/sqlclosecheck v0.5.1 // indirect
github.com/sagikazarmark/locafero v0.7.0 // indirect
github.com/sanposhiho/wastedassign/v2 v2.1.0 // indirect
github.com/santhosh-tekuri/jsonschema/v6 v6.0.2 // indirect
github.com/sashamelentyev/interfacebloat v1.1.0 // indirect
github.com/sashamelentyev/usestdlibvars v1.29.0 // indirect
github.com/securego/gosec/v2 v2.22.8 // indirect
github.com/sirupsen/logrus v1.9.3 // indirect
github.com/sivchari/containedctx v1.0.3 // indirect
github.com/sonatard/noctx v0.4.0 // indirect
github.com/sourcegraph/conc v0.3.0 // indirect
github.com/sourcegraph/go-diff v0.7.0 // indirect
github.com/spf13/afero v1.14.0 // indirect
github.com/spf13/cast v1.7.1 // indirect
github.com/spf13/viper v1.20.0 // indirect
github.com/ssgreg/nlreturn/v2 v2.2.1 // indirect
github.com/stbenjam/no-sprintf-host-port v0.2.0 // indirect
github.com/stretchr/objx v0.5.2 // indirect
github.com/subosito/gotenv v1.6.0 // indirect
github.com/tetafro/godot v1.5.4 // indirect
github.com/timakin/bodyclose v0.0.0-20241222091800-1db5c5ca4d67 // indirect
github.com/timonwong/loggercheck v0.11.0 // indirect
github.com/tomarrell/wrapcheck/v2 v2.11.0 // indirect
github.com/tommy-muehle/go-mnd/v2 v2.5.1 // indirect
github.com/ultraware/funlen v0.2.0 // indirect
github.com/ultraware/whitespace v0.2.0 // indirect
github.com/uudashr/gocognit v1.2.0 // indirect
github.com/uudashr/iface v1.4.1 // indirect
github.com/vektra/mockery/v3 v3.6.1 // indirect
github.com/x448/float16 v0.8.4 // indirect
github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f // indirect
github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
github.com/xeipuuv/gojsonschema v1.2.0 // indirect
github.com/xen0n/gosmopolitan v1.3.0 // indirect
github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
github.com/yagipy/maintidx v1.0.0 // indirect
github.com/yeya24/promlinter v0.3.0 // indirect
github.com/ykadowak/zerologlint v0.1.5 // indirect
gitlab.com/bosi/decorder v0.4.2 // indirect
go-simpler.org/musttag v0.14.0 // indirect
go-simpler.org/sloglint v0.11.1 // indirect
go.augendre.info/arangolint v0.2.0 // indirect
go.augendre.info/fatcontext v0.8.1 // indirect
go.uber.org/automaxprocs v1.6.0 // indirect
go.uber.org/multierr v1.11.0 // indirect
go.uber.org/zap v1.27.0 // indirect
golang.org/x/exp v0.0.0-20250210185358-939b2ce775ac // indirect
golang.org/x/exp/typeparams v0.0.0-20250911091902-df9299821621 // indirect
golang.org/x/mod v0.28.0 // indirect
golang.org/x/net v0.44.0 // indirect
golang.org/x/sys v0.38.0 // indirect
golang.org/x/text v0.29.0 // indirect
golang.org/x/time v0.12.0 // indirect
golang.org/x/tools v0.37.0 // indirect
google.golang.org/protobuf v1.36.6 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
honnef.co/go/tools v0.6.1 // indirect
k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 // indirect
mvdan.cc/gofumpt v0.9.1 // indirect
mvdan.cc/unparam v0.0.0-20250301125049-0df0534333a4 // indirect
sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect
sigs.k8s.io/randfill v1.0.0 // indirect
sigs.k8s.io/structured-merge-diff/v4 v4.6.0 // indirect
sigs.k8s.io/yaml v1.4.0 // indirect
)
tool (
github.com/golangci/golangci-lint/v2/cmd/golangci-lint
github.com/google/wire/cmd/wire
github.com/vektra/mockery/v3
github.com/chromedp/chromedp v0.5.3
github.com/coreos/go-oidc v2.2.1+incompatible
github.com/dgrijalva/jwt-go v3.2.0+incompatible
github.com/golang/mock v1.4.3
github.com/google/go-cmp v0.4.1
github.com/google/wire v0.4.0
github.com/int128/oauth2cli v1.11.0
github.com/pkg/browser v0.0.0-20180916011732-0a3d74bf9ce4
github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35 // indirect
github.com/spf13/cobra v0.0.7
github.com/spf13/pflag v1.0.5
golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975
golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d
golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543
gopkg.in/square/go-jose.v2 v2.3.1 // indirect
gopkg.in/yaml.v2 v2.3.0
k8s.io/apimachinery v0.18.3
k8s.io/client-go v0.18.3
k8s.io/klog v1.0.0
)

1228
go.sum
View File

File diff suppressed because it is too large Load Diff

27
integration_test/clean_test.go
View File

@@ -1,27 +0,0 @@
package integration_test
import (
"context"
"os"
"testing"
"time"
"github.com/int128/kubelogin/integration_test/httpdriver"
"github.com/int128/kubelogin/pkg/di"
"github.com/int128/kubelogin/pkg/testing/clock"
"github.com/int128/kubelogin/pkg/testing/logger"
)
func TestClean(t *testing.T) {
tokenCacheDir := t.TempDir()
cmd := di.NewCmdForHeadless(clock.Fake(time.Now()), os.Stdin, os.Stdout, logger.New(t), httpdriver.Zero(t))
exitCode := cmd.Run(context.TODO(), []string{
"kubelogin",
"clean",
"--token-cache-dir", tokenCacheDir,
}, "HEAD")
if exitCode != 0 {
t.Errorf("exit status wants 0 but %d", exitCode)
}
}

333
integration_test/credetial_plugin_test.go
View File

@@ -5,6 +5,7 @@ import (
"context"
"encoding/json"
"io"
"io/ioutil"
"os"
"testing"
"time"
@@ -13,13 +14,12 @@ import (
"github.com/int128/kubelogin/integration_test/httpdriver"
"github.com/int128/kubelogin/integration_test/keypair"
"github.com/int128/kubelogin/integration_test/oidcserver"
"github.com/int128/kubelogin/integration_test/oidcserver/testconfig"
"github.com/int128/kubelogin/pkg/adaptors/browser"
"github.com/int128/kubelogin/pkg/di"
"github.com/int128/kubelogin/pkg/infrastructure/browser"
"github.com/int128/kubelogin/pkg/testing/clock"
"github.com/int128/kubelogin/pkg/testing/logger"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
clientauthenticationv1 "k8s.io/client-go/pkg/apis/clientauthentication/v1"
clientauthenticationv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
)
// Run the integration tests of the credential plugin use-case.
@@ -28,10 +28,19 @@ import (
// 2. Run the Cmd.
// 3. Open a request for the local server.
// 4. Verify the output.
//
func TestCredentialPlugin(t *testing.T) {
timeout := 10 * time.Second
timeout := 3 * time.Second
now := time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC)
tokenCacheDir := t.TempDir()
tokenCacheDir, err := ioutil.TempDir("", "kube")
if err != nil {
t.Fatalf("could not create a cache dir: %s", err)
}
defer func() {
if err := os.RemoveAll(tokenCacheDir); err != nil {
t.Errorf("could not clean up the cache dir: %s", err)
}
}()
for name, tc := range map[string]struct {
keyPair keypair.KeyPair
@@ -43,57 +52,53 @@ func TestCredentialPlugin(t *testing.T) {
args: []string{"--certificate-authority", keypair.Server.CACertPath},
},
} {
httpDriverConfig := httpdriver.Config{
TLSConfig: tc.keyPair.TLSConfig,
BodyContains: "Authenticated",
}
t.Run(name, func(t *testing.T) {
t.Run("AuthCode", func(t *testing.T) {
t.Parallel()
ctx, cancel := context.WithTimeout(context.TODO(), timeout)
defer cancel()
svc := oidcserver.New(t, tc.keyPair, testconfig.Config{
Want: testconfig.Want{
Scope: "openid",
RedirectURIPrefix: "http://localhost:",
CodeChallengeMethod: "S256",
sv := oidcserver.New(t, tc.keyPair, oidcserver.Config{
Want: oidcserver.Want{
Scope: "openid",
RedirectURIPrefix: "http://localhost:",
},
Response: testconfig.Response{
IDTokenExpiry: now.Add(time.Hour),
CodeChallengeMethodsSupported: []string{"plain", "S256"},
Response: oidcserver.Response{
IDTokenExpiry: now.Add(time.Hour),
},
})
defer sv.Shutdown(t, ctx)
var stdout bytes.Buffer
runGetToken(t, ctx, getTokenConfig{
tokenCacheDir: tokenCacheDir,
issuerURL: svc.IssuerURL(),
httpDriver: httpdriver.New(ctx, t, httpDriverConfig),
issuerURL: sv.IssuerURL(),
httpDriver: httpdriver.New(ctx, t, tc.keyPair.TLSConfig),
now: now,
stdout: &stdout,
args: tc.args,
})
assertCredentialPluginStdout(t, &stdout, svc.LastTokenResponse().IDToken, now.Add(time.Hour))
assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(time.Hour))
})
t.Run("ROPC", func(t *testing.T) {
t.Parallel()
ctx, cancel := context.WithTimeout(context.TODO(), timeout)
defer cancel()
svc := oidcserver.New(t, tc.keyPair, testconfig.Config{
Want: testconfig.Want{
sv := oidcserver.New(t, tc.keyPair, oidcserver.Config{
Want: oidcserver.Want{
Scope: "openid",
RedirectURIPrefix: "http://localhost:",
Username: "USER1",
Password: "PASS1",
},
Response: testconfig.Response{
IDTokenExpiry: now.Add(time.Hour),
CodeChallengeMethodsSupported: []string{"plain", "S256"},
Response: oidcserver.Response{
IDTokenExpiry: now.Add(time.Hour),
},
})
defer sv.Shutdown(t, ctx)
var stdout bytes.Buffer
runGetToken(t, ctx, getTokenConfig{
tokenCacheDir: tokenCacheDir,
issuerURL: svc.IssuerURL(),
issuerURL: sv.IssuerURL(),
httpDriver: httpdriver.Zero(t),
now: now,
stdout: &stdout,
@@ -102,200 +107,172 @@ func TestCredentialPlugin(t *testing.T) {
"--password", "PASS1",
}, tc.args...),
})
assertCredentialPluginStdout(t, &stdout, svc.LastTokenResponse().IDToken, now.Add(time.Hour))
assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(time.Hour))
})
t.Run("TokenCacheLifecycle", func(t *testing.T) {
t.Parallel()
ctx, cancel := context.WithTimeout(context.TODO(), timeout)
defer cancel()
svc := oidcserver.New(t, tc.keyPair, testconfig.Config{})
sv := oidcserver.New(t, tc.keyPair, oidcserver.Config{})
defer sv.Shutdown(t, ctx)
t.Run("NoCache", func(t *testing.T) {
svc.SetConfig(testconfig.Config{
Want: testconfig.Want{
Scope: "openid",
RedirectURIPrefix: "http://localhost:",
CodeChallengeMethod: "S256",
sv.SetConfig(oidcserver.Config{
Want: oidcserver.Want{
Scope: "openid",
RedirectURIPrefix: "http://localhost:",
},
Response: testconfig.Response{
IDTokenExpiry: now.Add(time.Hour),
RefreshToken: "REFRESH_TOKEN_1",
CodeChallengeMethodsSupported: []string{"plain", "S256"},
Response: oidcserver.Response{
IDTokenExpiry: now.Add(time.Hour),
RefreshToken: "REFRESH_TOKEN_1",
},
})
var stdout bytes.Buffer
runGetToken(t, ctx, getTokenConfig{
tokenCacheDir: tokenCacheDir,
issuerURL: svc.IssuerURL(),
httpDriver: httpdriver.New(ctx, t, httpDriverConfig),
issuerURL: sv.IssuerURL(),
httpDriver: httpdriver.New(ctx, t, tc.keyPair.TLSConfig),
now: now,
stdout: &stdout,
args: tc.args,
})
assertCredentialPluginStdout(t, &stdout, svc.LastTokenResponse().IDToken, now.Add(time.Hour))
assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(time.Hour))
})
t.Run("Valid", func(t *testing.T) {
svc.SetConfig(testconfig.Config{})
sv.SetConfig(oidcserver.Config{})
var stdout bytes.Buffer
runGetToken(t, ctx, getTokenConfig{
tokenCacheDir: tokenCacheDir,
issuerURL: svc.IssuerURL(),
issuerURL: sv.IssuerURL(),
httpDriver: httpdriver.Zero(t),
now: now,
stdout: &stdout,
args: tc.args,
})
assertCredentialPluginStdout(t, &stdout, svc.LastTokenResponse().IDToken, now.Add(time.Hour))
assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(time.Hour))
})
t.Run("Refresh", func(t *testing.T) {
svc.SetConfig(testconfig.Config{
Want: testconfig.Want{
sv.SetConfig(oidcserver.Config{
Want: oidcserver.Want{
Scope: "openid",
RedirectURIPrefix: "http://localhost:",
RefreshToken: "REFRESH_TOKEN_1",
},
Response: testconfig.Response{
IDTokenExpiry: now.Add(3 * time.Hour),
RefreshToken: "REFRESH_TOKEN_2",
CodeChallengeMethodsSupported: []string{"plain", "S256"},
Response: oidcserver.Response{
IDTokenExpiry: now.Add(3 * time.Hour),
RefreshToken: "REFRESH_TOKEN_2",
},
})
var stdout bytes.Buffer
runGetToken(t, ctx, getTokenConfig{
tokenCacheDir: tokenCacheDir,
issuerURL: svc.IssuerURL(),
httpDriver: httpdriver.New(ctx, t, httpDriverConfig),
issuerURL: sv.IssuerURL(),
httpDriver: httpdriver.New(ctx, t, tc.keyPair.TLSConfig),
now: now.Add(2 * time.Hour),
stdout: &stdout,
args: tc.args,
})
assertCredentialPluginStdout(t, &stdout, svc.LastTokenResponse().IDToken, now.Add(3*time.Hour))
assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(3*time.Hour))
})
t.Run("RefreshAgain", func(t *testing.T) {
svc.SetConfig(testconfig.Config{
Want: testconfig.Want{
sv.SetConfig(oidcserver.Config{
Want: oidcserver.Want{
Scope: "openid",
RedirectURIPrefix: "http://localhost:",
RefreshToken: "REFRESH_TOKEN_2",
},
Response: testconfig.Response{
IDTokenExpiry: now.Add(5 * time.Hour),
CodeChallengeMethodsSupported: []string{"plain", "S256"},
Response: oidcserver.Response{
IDTokenExpiry: now.Add(5 * time.Hour),
},
})
var stdout bytes.Buffer
runGetToken(t, ctx, getTokenConfig{
tokenCacheDir: tokenCacheDir,
issuerURL: svc.IssuerURL(),
httpDriver: httpdriver.New(ctx, t, httpDriverConfig),
issuerURL: sv.IssuerURL(),
httpDriver: httpdriver.New(ctx, t, tc.keyPair.TLSConfig),
now: now.Add(4 * time.Hour),
stdout: &stdout,
args: tc.args,
})
assertCredentialPluginStdout(t, &stdout, svc.LastTokenResponse().IDToken, now.Add(5*time.Hour))
assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(5*time.Hour))
})
})
})
}
t.Run("PKCE", func(t *testing.T) {
t.Run("Not supported by provider", func(t *testing.T) {
ctx, cancel := context.WithTimeout(context.TODO(), timeout)
defer cancel()
svc := oidcserver.New(t, keypair.None, testconfig.Config{
Want: testconfig.Want{
Scope: "openid",
RedirectURIPrefix: "http://localhost:",
CodeChallengeMethod: "",
},
Response: testconfig.Response{
IDTokenExpiry: now.Add(time.Hour),
CodeChallengeMethodsSupported: nil,
},
})
var stdout bytes.Buffer
runGetToken(t, ctx, getTokenConfig{
tokenCacheDir: tokenCacheDir,
issuerURL: svc.IssuerURL(),
httpDriver: httpdriver.New(ctx, t, httpdriver.Config{BodyContains: "Authenticated"}),
now: now,
stdout: &stdout,
})
assertCredentialPluginStdout(t, &stdout, svc.LastTokenResponse().IDToken, now.Add(time.Hour))
})
t.Run("Enforce", func(t *testing.T) {
ctx, cancel := context.WithTimeout(context.TODO(), timeout)
defer cancel()
svc := oidcserver.New(t, keypair.None, testconfig.Config{
Want: testconfig.Want{
Scope: "openid",
RedirectURIPrefix: "http://localhost:",
CodeChallengeMethod: "S256",
},
Response: testconfig.Response{
IDTokenExpiry: now.Add(time.Hour),
CodeChallengeMethodsSupported: nil,
},
})
var stdout bytes.Buffer
runGetToken(t, ctx, getTokenConfig{
tokenCacheDir: tokenCacheDir,
issuerURL: svc.IssuerURL(),
httpDriver: httpdriver.New(ctx, t, httpdriver.Config{BodyContains: "Authenticated"}),
now: now,
stdout: &stdout,
args: []string{"--oidc-use-pkce"},
})
assertCredentialPluginStdout(t, &stdout, svc.LastTokenResponse().IDToken, now.Add(time.Hour))
})
})
t.Run("TLSData", func(t *testing.T) {
t.Parallel()
ctx, cancel := context.WithTimeout(context.TODO(), timeout)
defer cancel()
svc := oidcserver.New(t, keypair.Server, testconfig.Config{
Want: testconfig.Want{
sv := oidcserver.New(t, keypair.None, oidcserver.Config{
Want: oidcserver.Want{
Scope: "openid",
RedirectURIPrefix: "http://localhost:",
CodeChallengeMethod: "S256",
},
Response: testconfig.Response{
Response: oidcserver.Response{
IDTokenExpiry: now.Add(time.Hour),
CodeChallengeMethodsSupported: []string{"plain", "S256"},
},
})
defer sv.Shutdown(t, ctx)
var stdout bytes.Buffer
runGetToken(t, ctx, getTokenConfig{
tokenCacheDir: tokenCacheDir,
issuerURL: svc.IssuerURL(),
httpDriver: httpdriver.New(ctx, t, httpdriver.Config{TLSConfig: keypair.Server.TLSConfig, BodyContains: "Authenticated"}),
issuerURL: sv.IssuerURL(),
httpDriver: httpdriver.New(ctx, t, nil),
now: now,
stdout: &stdout,
})
assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(time.Hour))
})
t.Run("TLSData", func(t *testing.T) {
t.Parallel()
ctx, cancel := context.WithTimeout(context.TODO(), timeout)
defer cancel()
sv := oidcserver.New(t, keypair.Server, oidcserver.Config{
Want: oidcserver.Want{
Scope: "openid",
RedirectURIPrefix: "http://localhost:",
},
Response: oidcserver.Response{
IDTokenExpiry: now.Add(time.Hour),
},
})
defer sv.Shutdown(t, ctx)
var stdout bytes.Buffer
runGetToken(t, ctx, getTokenConfig{
tokenCacheDir: tokenCacheDir,
issuerURL: sv.IssuerURL(),
httpDriver: httpdriver.New(ctx, t, keypair.Server.TLSConfig),
now: now,
stdout: &stdout,
args: []string{"--certificate-authority-data", keypair.Server.CACertBase64},
})
assertCredentialPluginStdout(t, &stdout, svc.LastTokenResponse().IDToken, now.Add(time.Hour))
assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(time.Hour))
})
t.Run("ExtraScopes", func(t *testing.T) {
t.Parallel()
ctx, cancel := context.WithTimeout(context.TODO(), timeout)
defer cancel()
svc := oidcserver.New(t, keypair.None, testconfig.Config{
Want: testconfig.Want{
Scope: "email profile openid",
RedirectURIPrefix: "http://localhost:",
CodeChallengeMethod: "S256",
sv := oidcserver.New(t, keypair.None, oidcserver.Config{
Want: oidcserver.Want{
Scope: "email profile openid",
RedirectURIPrefix: "http://localhost:",
},
Response: testconfig.Response{
IDTokenExpiry: now.Add(time.Hour),
CodeChallengeMethodsSupported: []string{"plain", "S256"},
Response: oidcserver.Response{
IDTokenExpiry: now.Add(time.Hour),
},
})
defer sv.Shutdown(t, ctx)
var stdout bytes.Buffer
runGetToken(t, ctx, getTokenConfig{
tokenCacheDir: tokenCacheDir,
issuerURL: svc.IssuerURL(),
httpDriver: httpdriver.New(ctx, t, httpdriver.Config{BodyContains: "Authenticated"}),
issuerURL: sv.IssuerURL(),
httpDriver: httpdriver.New(ctx, t, nil),
now: now,
stdout: &stdout,
args: []string{
@@ -303,90 +280,58 @@ func TestCredentialPlugin(t *testing.T) {
"--oidc-extra-scope", "profile",
},
})
assertCredentialPluginStdout(t, &stdout, svc.LastTokenResponse().IDToken, now.Add(time.Hour))
assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(time.Hour))
})
t.Run("OpenURLAfterAuthentication", func(t *testing.T) {
t.Run("RedirectURLHostname", func(t *testing.T) {
t.Parallel()
ctx, cancel := context.WithTimeout(context.TODO(), timeout)
defer cancel()
svc := oidcserver.New(t, keypair.None, testconfig.Config{
Want: testconfig.Want{
Scope: "openid",
RedirectURIPrefix: "http://localhost:",
CodeChallengeMethod: "S256",
sv := oidcserver.New(t, keypair.None, oidcserver.Config{
Want: oidcserver.Want{
Scope: "openid",
RedirectURIPrefix: "http://127.0.0.1:",
},
Response: testconfig.Response{
IDTokenExpiry: now.Add(time.Hour),
CodeChallengeMethodsSupported: []string{"plain", "S256"},
Response: oidcserver.Response{
IDTokenExpiry: now.Add(time.Hour),
},
})
defer sv.Shutdown(t, ctx)
var stdout bytes.Buffer
runGetToken(t, ctx, getTokenConfig{
tokenCacheDir: tokenCacheDir,
issuerURL: svc.IssuerURL(),
httpDriver: httpdriver.New(ctx, t, httpdriver.Config{BodyContains: "URL=https://example.com/success"}),
issuerURL: sv.IssuerURL(),
httpDriver: httpdriver.New(ctx, t, nil),
now: now,
stdout: &stdout,
args: []string{"--open-url-after-authentication", "https://example.com/success"},
args: []string{"--oidc-redirect-url-hostname", "127.0.0.1"},
})
assertCredentialPluginStdout(t, &stdout, svc.LastTokenResponse().IDToken, now.Add(time.Hour))
})
t.Run("RedirectURLHTTPS", func(t *testing.T) {
ctx, cancel := context.WithTimeout(context.TODO(), timeout)
defer cancel()
svc := oidcserver.New(t, keypair.None, testconfig.Config{
Want: testconfig.Want{
Scope: "openid",
RedirectURIPrefix: "https://localhost:",
CodeChallengeMethod: "S256",
},
Response: testconfig.Response{
IDTokenExpiry: now.Add(time.Hour),
CodeChallengeMethodsSupported: []string{"plain", "S256"},
},
})
var stdout bytes.Buffer
runGetToken(t, ctx, getTokenConfig{
tokenCacheDir: tokenCacheDir,
issuerURL: svc.IssuerURL(),
httpDriver: httpdriver.New(ctx, t, httpdriver.Config{
TLSConfig: keypair.Server.TLSConfig,
BodyContains: "Authenticated",
}),
now: now,
stdout: &stdout,
args: []string{
"--local-server-cert", keypair.Server.CertPath,
"--local-server-key", keypair.Server.KeyPath,
},
})
assertCredentialPluginStdout(t, &stdout, svc.LastTokenResponse().IDToken, now.Add(time.Hour))
assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(time.Hour))
})
t.Run("ExtraParams", func(t *testing.T) {
t.Parallel()
ctx, cancel := context.WithTimeout(context.TODO(), timeout)
defer cancel()
svc := oidcserver.New(t, keypair.None, testconfig.Config{
Want: testconfig.Want{
Scope: "openid",
RedirectURIPrefix: "http://localhost:",
CodeChallengeMethod: "S256",
sv := oidcserver.New(t, keypair.None, oidcserver.Config{
Want: oidcserver.Want{
Scope: "openid",
RedirectURIPrefix: "http://localhost:",
ExtraParams: map[string]string{
"ttl": "86400",
"reauth": "false",
},
},
Response: testconfig.Response{
IDTokenExpiry: now.Add(time.Hour),
CodeChallengeMethodsSupported: []string{"plain", "S256"},
Response: oidcserver.Response{
IDTokenExpiry: now.Add(time.Hour),
},
})
defer sv.Shutdown(t, ctx)
var stdout bytes.Buffer
runGetToken(t, ctx, getTokenConfig{
tokenCacheDir: tokenCacheDir,
issuerURL: svc.IssuerURL(),
httpDriver: httpdriver.New(ctx, t, httpdriver.Config{BodyContains: "Authenticated"}),
issuerURL: sv.IssuerURL(),
httpDriver: httpdriver.New(ctx, t, nil),
now: now,
stdout: &stdout,
args: []string{
@@ -394,7 +339,7 @@ func TestCredentialPlugin(t *testing.T) {
"--oidc-auth-request-extra-params", "reauth=false",
},
})
assertCredentialPluginStdout(t, &stdout, svc.LastTokenResponse().IDToken, now.Add(time.Hour))
assertCredentialPluginStdout(t, &stdout, sv.LastTokenResponse().IDToken, now.Add(time.Hour))
})
}
@@ -409,10 +354,6 @@ type getTokenConfig struct {
func runGetToken(t *testing.T, ctx context.Context, cfg getTokenConfig) {
cmd := di.NewCmdForHeadless(clock.Fake(cfg.now), os.Stdin, cfg.stdout, logger.New(t), cfg.httpDriver)
t.Setenv(
"KUBERNETES_EXEC_INFO",
`{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1","spec":{"interactive":true}}`,
)
exitCode := cmd.Run(ctx, append([]string{
"kubelogin",
"get-token",
@@ -427,22 +368,22 @@ func runGetToken(t *testing.T, ctx context.Context, cfg getTokenConfig) {
}
func assertCredentialPluginStdout(t *testing.T, stdout io.Reader, token string, expiry time.Time) {
var got clientauthenticationv1.ExecCredential
var got clientauthenticationv1beta1.ExecCredential
if err := json.NewDecoder(stdout).Decode(&got); err != nil {
t.Errorf("could not decode json of the credential plugin: %s", err)
return
}
want := clientauthenticationv1.ExecCredential{
want := clientauthenticationv1beta1.ExecCredential{
TypeMeta: metav1.TypeMeta{
APIVersion: "client.authentication.k8s.io/v1",
APIVersion: "client.authentication.k8s.io/v1beta1",
Kind: "ExecCredential",
},
Status: &clientauthenticationv1.ExecCredentialStatus{
Status: &clientauthenticationv1beta1.ExecCredentialStatus{
Token: token,
ExpirationTimestamp: &metav1.Time{Time: expiry},
},
}
if diff := cmp.Diff(want, got); diff != "" {
t.Errorf("stdout mismatch (-want +got):\n%s", diff)
t.Errorf("kubeconfig mismatch (-want +got):\n%s", diff)
}
}

42
integration_test/httpdriver/http_driver.go
View File

@@ -4,20 +4,13 @@ package httpdriver
import (
"context"
"crypto/tls"
"io"
"net/http"
"strings"
"testing"
)
type Config struct {
TLSConfig *tls.Config
BodyContains string
}
// New returns a client to simulate browser access.
func New(ctx context.Context, t *testing.T, config Config) *client {
return &client{ctx, t, config}
func New(ctx context.Context, t *testing.T, tlsConfig *tls.Config) *client {
return &client{ctx, t, tlsConfig}
}
// Zero returns a client which call is not expected.
@@ -26,13 +19,13 @@ func Zero(t *testing.T) *zeroClient {
}
type client struct {
ctx context.Context
t *testing.T
config Config
ctx context.Context
t *testing.T
tlsConfig *tls.Config
}
func (c *client) Open(url string) error {
client := http.Client{Transport: &http.Transport{TLSClientConfig: c.config.TLSConfig}}
client := http.Client{Transport: &http.Transport{TLSClientConfig: c.tlsConfig}}
req, err := http.NewRequest("GET", url, nil)
if err != nil {
c.t.Errorf("could not create a request: %s", err)
@@ -44,30 +37,13 @@ func (c *client) Open(url string) error {
c.t.Errorf("could not send a request: %s", err)
return nil
}
defer func() {
if err := resp.Body.Close(); err != nil {
c.t.Errorf("could not close response body: %s", err)
}
}()
defer resp.Body.Close()
if resp.StatusCode != 200 {
c.t.Errorf("StatusCode wants 200 but %d", resp.StatusCode)
}
b, err := io.ReadAll(resp.Body)
if err != nil {
c.t.Errorf("could not read body: %s", err)
return nil
}
body := string(b)
if !strings.Contains(body, c.config.BodyContains) {
c.t.Errorf("body should contain %s but was %s", c.config.BodyContains, body)
}
return nil
}
func (c *client) OpenCommand(_ context.Context, url, _ string) error {
return c.Open(url)
}
type zeroClient struct {
t *testing.T
}
@@ -76,7 +52,3 @@ func (c *zeroClient) Open(url string) error {
c.t.Errorf("unexpected function call Open(%s)", url)
return nil
}
func (c *zeroClient) OpenCommand(_ context.Context, url, _ string) error {
return c.Open(url)
}

9
integration_test/keypair/keypair.go
View File

@@ -5,6 +5,7 @@ import (
"crypto/x509"
"encoding/base64"
"io"
"io/ioutil"
"os"
"strings"
)
@@ -36,11 +37,7 @@ func readAsBase64(name string) string {
if err != nil {
panic(err)
}
defer func() {
if err := f.Close(); err != nil {
panic(err)
}
}()
defer f.Close()
var s strings.Builder
e := base64.NewEncoder(base64.StdEncoding, &s)
if _, err := io.Copy(e, f); err != nil {
@@ -53,7 +50,7 @@ func readAsBase64(name string) string {
}
func newTLSConfig(name string) *tls.Config {
b, err := os.ReadFile(name)
b, err := ioutil.ReadFile(name)
if err != nil {
panic(err)
}

21
integration_test/kubeconfig/kubeconfig.go
View File

@@ -2,11 +2,11 @@ package kubeconfig
import (
"html/template"
"io/ioutil"
"os"
"path/filepath"
"testing"
"gopkg.in/yaml.v3"
"gopkg.in/yaml.v2"
)
// Values represents values in .kubeconfig template.
@@ -22,16 +22,11 @@ type Values struct {
// Create creates a kubeconfig file and returns path to it.
func Create(t *testing.T, v *Values) string {
t.Helper()
name := filepath.Join(t.TempDir(), "kubeconfig")
f, err := os.Create(name)
f, err := ioutil.TempFile("", "kubeconfig")
if err != nil {
t.Fatal(err)
}
defer func() {
if err := f.Close(); err != nil {
t.Fatal(err)
}
}()
defer f.Close()
tpl, err := template.ParseFiles("kubeconfig/testdata/kubeconfig.yaml")
if err != nil {
t.Fatal(err)
@@ -39,7 +34,7 @@ func Create(t *testing.T, v *Values) string {
if err := tpl.Execute(f, v); err != nil {
t.Fatal(err)
}
return name
return f.Name()
}
type AuthProviderConfig struct {
@@ -55,11 +50,7 @@ func Verify(t *testing.T, kubeconfig string, want AuthProviderConfig) {
t.Errorf("could not open kubeconfig: %s", err)
return
}
defer func() {
if err := f.Close(); err != nil {
t.Errorf("could not close kubeconfig: %s", err)
}
}()
defer f.Close()
var y struct {
Users []struct {

106
integration_test/oidcserver/handler/handler.go
View File

@@ -1,39 +1,35 @@
// Package handler provides HTTP handlers for the OpenID Connect Provider.
// Package handler provides a HTTP handler for the OpenID Connect Provider.
package handler
import (
"encoding/json"
"errors"
"fmt"
"net/http"
"net/url"
"testing"
"github.com/int128/kubelogin/integration_test/oidcserver/service"
"golang.org/x/xerrors"
)
func Register(t *testing.T, mux *http.ServeMux, provider service.Provider) {
h := &Handlers{t, provider}
mux.HandleFunc("GET /.well-known/openid-configuration", h.Discovery)
mux.HandleFunc("GET /certs", h.GetCertificates)
mux.HandleFunc("GET /auth", h.AuthenticateCode)
mux.HandleFunc("POST /token", h.Exchange)
func New(t *testing.T, provider Provider) *Handler {
return &Handler{t, provider}
}
// Handlers provides HTTP handlers for the OpenID Connect Provider.
// Handler provides a HTTP handler for the OpenID Connect Provider.
// You need to implement the Provider interface.
// Note that this skips some security checks and is only for testing.
type Handlers struct {
type Handler struct {
t *testing.T
provider service.Provider
provider Provider
}
func (h *Handlers) handleError(w http.ResponseWriter, r *http.Request, f func() error) {
err := f()
func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
wr := &responseWriterRecorder{w, 200}
err := h.serveHTTP(wr, r)
if err == nil {
h.t.Logf("%d %s %s", wr.statusCode, r.Method, r.RequestURI)
return
}
if errResp := new(service.ErrorResponse); errors.As(err, &errResp) {
if errResp := new(ErrorResponse); xerrors.As(err, &errResp) {
h.t.Logf("400 %s %s: %s", r.Method, r.RequestURI, err)
w.Header().Add("Content-Type", "application/json")
w.WriteHeader(400)
@@ -47,35 +43,38 @@ func (h *Handlers) handleError(w http.ResponseWriter, r *http.Request, f func()
http.Error(w, err.Error(), 500)
}
func (h *Handlers) Discovery(w http.ResponseWriter, r *http.Request) {
h.handleError(w, r, func() error {
type responseWriterRecorder struct {
http.ResponseWriter
statusCode int
}
func (w *responseWriterRecorder) WriteHeader(statusCode int) {
w.ResponseWriter.WriteHeader(statusCode)
w.statusCode = statusCode
}
func (h *Handler) serveHTTP(w http.ResponseWriter, r *http.Request) error {
m := r.Method
p := r.URL.Path
switch {
case m == "GET" && p == "/.well-known/openid-configuration":
discoveryResponse := h.provider.Discovery()
w.Header().Add("Content-Type", "application/json")
e := json.NewEncoder(w)
if err := e.Encode(discoveryResponse); err != nil {
return fmt.Errorf("could not render json: %w", err)
return xerrors.Errorf("could not render json: %w", err)
}
return nil
})
}
func (h *Handlers) GetCertificates(w http.ResponseWriter, r *http.Request) {
h.handleError(w, r, func() error {
case m == "GET" && p == "/certs":
certificatesResponse := h.provider.GetCertificates()
w.Header().Add("Content-Type", "application/json")
e := json.NewEncoder(w)
if err := e.Encode(certificatesResponse); err != nil {
return fmt.Errorf("could not render json: %w", err)
return xerrors.Errorf("could not render json: %w", err)
}
return nil
})
}
func (h *Handlers) AuthenticateCode(w http.ResponseWriter, r *http.Request) {
h.handleError(w, r, func() error {
case m == "GET" && p == "/auth":
q := r.URL.Query()
redirectURI, state := q.Get("redirect_uri"), q.Get("state")
code, err := h.provider.AuthenticateCode(service.AuthenticationRequest{
code, err := h.provider.AuthenticateCode(AuthenticationRequest{
RedirectURI: redirectURI,
State: state,
Scope: q.Get("scope"),
@@ -85,37 +84,28 @@ func (h *Handlers) AuthenticateCode(w http.ResponseWriter, r *http.Request) {
RawQuery: q,
})
if err != nil {
return fmt.Errorf("authentication error: %w", err)
return xerrors.Errorf("authentication error: %w", err)
}
redirectTo, err := url.Parse(redirectURI)
if err != nil {
return fmt.Errorf("invalid redirect_uri: %w", err)
}
redirectTo.RawQuery = url.Values{"state": {state}, "code": {code}}.Encode()
http.Redirect(w, r, redirectTo.String(), http.StatusFound)
return nil
})
}
func (h *Handlers) Exchange(w http.ResponseWriter, r *http.Request) {
h.handleError(w, r, func() error {
to := fmt.Sprintf("%s?state=%s&code=%s", redirectURI, state, code)
http.Redirect(w, r, to, 302)
case m == "POST" && p == "/token":
if err := r.ParseForm(); err != nil {
return fmt.Errorf("could not parse the form: %w", err)
return xerrors.Errorf("could not parse the form: %w", err)
}
grantType := r.Form.Get("grant_type")
switch grantType {
case "authorization_code":
tokenResponse, err := h.provider.Exchange(service.TokenRequest{
tokenResponse, err := h.provider.Exchange(TokenRequest{
Code: r.Form.Get("code"),
CodeVerifier: r.Form.Get("code_verifier"),
})
if err != nil {
return fmt.Errorf("token request error: %w", err)
return xerrors.Errorf("token request error: %w", err)
}
w.Header().Add("Content-Type", "application/json")
e := json.NewEncoder(w)
if err := e.Encode(tokenResponse); err != nil {
return fmt.Errorf("could not render json: %w", err)
return xerrors.Errorf("could not render json: %w", err)
}
case "password":
// 4.3. Resource Owner Password Credentials Grant
@@ -123,12 +113,12 @@ func (h *Handlers) Exchange(w http.ResponseWriter, r *http.Request) {
username, password, scope := r.Form.Get("username"), r.Form.Get("password"), r.Form.Get("scope")
tokenResponse, err := h.provider.AuthenticatePassword(username, password, scope)
if err != nil {
return fmt.Errorf("authentication error: %w", err)
return xerrors.Errorf("authentication error: %w", err)
}
w.Header().Add("Content-Type", "application/json")
e := json.NewEncoder(w)
if err := e.Encode(tokenResponse); err != nil {
return fmt.Errorf("could not render json: %w", err)
return xerrors.Errorf("could not render json: %w", err)
}
case "refresh_token":
// 12.1. Refresh Request
@@ -136,21 +126,23 @@ func (h *Handlers) Exchange(w http.ResponseWriter, r *http.Request) {
refreshToken := r.Form.Get("refresh_token")
tokenResponse, err := h.provider.Refresh(refreshToken)
if err != nil {
return fmt.Errorf("token refresh error: %w", err)
return xerrors.Errorf("token refresh error: %w", err)
}
w.Header().Add("Content-Type", "application/json")
e := json.NewEncoder(w)
if err := e.Encode(tokenResponse); err != nil {
return fmt.Errorf("could not render json: %w", err)
return xerrors.Errorf("could not render json: %w", err)
}
default:
// 5.2. Error Response
// https://tools.ietf.org/html/rfc6749#section-5.2
return &service.ErrorResponse{
return &ErrorResponse{
Code: "invalid_grant",
Description: fmt.Sprintf("unknown grant_type %s", grantType),
}
}
return nil
})
default:
http.NotFound(w, r)
}
return nil
}

31
integration_test/oidcserver/service/types.go → integration_test/oidcserver/handler/types.go
View File

@@ -1,24 +1,11 @@
package service
package handler
import (
"fmt"
"net/url"
"github.com/int128/kubelogin/integration_test/oidcserver/testconfig"
)
// Service represents the test service of OpenID Connect Provider.
// It provides the feature of Provider and additional methods for testing.
type Service interface {
Provider
IssuerURL() string
SetConfig(config testconfig.Config)
LastTokenResponse() *TokenResponse
}
// Provider represents an OpenID Connect Provider.
//
// Provider provides discovery and authentication methods.
// If an implemented method returns an ErrorResponse,
// the handler will respond 400 and corresponding json of the ErrorResponse.
// Otherwise, the handler will respond 500 and fail the current test.
@@ -31,8 +18,6 @@ type Provider interface {
Refresh(refreshToken string) (*TokenResponse, error)
}
// DiscoveryResponse represents the type of:
// https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse
type DiscoveryResponse struct {
Issuer string `json:"issuer"`
AuthorizationEndpoint string `json:"authorization_endpoint"`
@@ -49,14 +34,10 @@ type DiscoveryResponse struct {
CodeChallengeMethodsSupported []string `json:"code_challenge_methods_supported"`
}
// CertificatesResponse represents the type of:
// https://datatracker.ietf.org/doc/html/rfc7517#section-5
type CertificatesResponse struct {
Keys []*CertificatesResponseKey `json:"keys"`
}
// CertificatesResponseKey represents the type of:
// https://datatracker.ietf.org/doc/html/rfc7517#section-4
type CertificatesResponseKey struct {
Kty string `json:"kty"`
Alg string `json:"alg"`
@@ -66,7 +47,7 @@ type CertificatesResponseKey struct {
E string `json:"e"`
}
// AuthenticationRequest represents the type of:
// AuthenticationRequest represents a type of:
// https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
type AuthenticationRequest struct {
RedirectURI string
@@ -78,15 +59,13 @@ type AuthenticationRequest struct {
RawQuery url.Values
}
// TokenRequest represents the type of:
// TokenRequest represents a type of:
// https://openid.net/specs/openid-connect-core-1_0.html#TokenRequest
type TokenRequest struct {
Code string
CodeVerifier string
}
// TokenResponse represents the type of:
// https://openid.net/specs/openid-connect-core-1_0.html#TokenResponse
type TokenResponse struct {
AccessToken string `json:"access_token"`
TokenType string `json:"token_type"`
@@ -95,7 +74,7 @@ type TokenResponse struct {
IDToken string `json:"id_token"`
}
// ErrorResponse represents the error response described in the following section:
// ErrorResponse represents an error response described in the following section:
// 5.2 Error Response
// https://tools.ietf.org/html/rfc6749#section-5.2
type ErrorResponse struct {

78
integration_test/oidcserver/http/http.go Normal file
View File

@@ -0,0 +1,78 @@
// Package http provides a http server running on localhost for testing.
package http
import (
"context"
"net"
"net/http"
"testing"
"github.com/int128/kubelogin/integration_test/keypair"
)
type Shutdowner interface {
Shutdown(t *testing.T, ctx context.Context)
}
type shutdowner struct {
s *http.Server
}
func (s *shutdowner) Shutdown(t *testing.T, ctx context.Context) {
if err := s.s.Shutdown(ctx); err != nil {
t.Errorf("could not shutdown the server: %s", err)
}
}
func Start(t *testing.T, h http.Handler, k keypair.KeyPair) (string, Shutdowner) {
if k == keypair.None {
return startNoTLS(t, h)
}
return startTLS(t, h, k)
}
func startNoTLS(t *testing.T, h http.Handler) (string, *shutdowner) {
t.Helper()
l, port := newLocalhostListener(t)
url := "http://localhost:" + port
s := &http.Server{
Handler: h,
}
go func() {
err := s.Serve(l)
if err != nil && err != http.ErrServerClosed {
t.Error(err)
}
}()
return url, &shutdowner{s}
}
func startTLS(t *testing.T, h http.Handler, k keypair.KeyPair) (string, *shutdowner) {
t.Helper()
l, port := newLocalhostListener(t)
url := "https://localhost:" + port
s := &http.Server{
Handler: h,
}
go func() {
err := s.ServeTLS(l, k.CertPath, k.KeyPath)
if err != nil && err != http.ErrServerClosed {
t.Error(err)
}
}()
return url, &shutdowner{s}
}
func newLocalhostListener(t *testing.T) (net.Listener, string) {
t.Helper()
l, err := net.Listen("tcp", "localhost:0")
if err != nil {
t.Fatalf("Could not create a listener: %s", err)
}
addr := l.Addr().String()
_, port, err := net.SplitHostPort(addr)
if err != nil {
t.Fatalf("Could not parse the address %s: %s", addr, err)
}
return l, port
}

54
integration_test/oidcserver/oidcserver.go
View File

@@ -1,54 +0,0 @@
// Package oidcserver provides a stub of OpenID Connect provider.
package oidcserver
import (
"context"
"errors"
"fmt"
"net"
"net/http"
"net/http/httptest"
"testing"
"github.com/int128/kubelogin/integration_test/keypair"
"github.com/int128/kubelogin/integration_test/oidcserver/handler"
"github.com/int128/kubelogin/integration_test/oidcserver/service"
"github.com/int128/kubelogin/integration_test/oidcserver/testconfig"
)
// New starts a server for the OpenID Connect provider.
func New(t *testing.T, kp keypair.KeyPair, config testconfig.Config) service.Service {
mux := http.NewServeMux()
serverURL := startServer(t, mux, kp)
svc := service.New(t, serverURL, config)
handler.Register(t, mux, svc)
return svc
}
func startServer(t *testing.T, h http.Handler, kp keypair.KeyPair) string {
if kp == keypair.None {
srv := httptest.NewServer(h)
t.Cleanup(srv.Close)
return srv.URL
}
// Unfortunately, httptest package did not work with keypair.KeyPair.
// We use httptest package only for allocating a new port.
portAllocator := httptest.NewUnstartedServer(h)
t.Cleanup(portAllocator.Close)
serverURL := fmt.Sprintf("https://localhost:%d", portAllocator.Listener.Addr().(*net.TCPAddr).Port)
srv := &http.Server{Handler: h}
go func() {
err := srv.ServeTLS(portAllocator.Listener, kp.CertPath, kp.KeyPath)
if err != nil && !errors.Is(err, http.ErrServerClosed) {
t.Error(err)
}
}()
t.Cleanup(func() {
if err := srv.Shutdown(context.TODO()); err != nil {
t.Errorf("could not shutdown the server: %s", err)
}
})
return serverURL
}

217
integration_test/oidcserver/server.go Normal file
View File

@@ -0,0 +1,217 @@
// Package oidcserver provides a stub of OpenID Connect provider.
package oidcserver
import (
"crypto/sha256"
"encoding/base64"
"math/big"
"strings"
"testing"
"time"
"github.com/int128/kubelogin/integration_test/keypair"
"github.com/int128/kubelogin/integration_test/oidcserver/handler"
"github.com/int128/kubelogin/integration_test/oidcserver/http"
"github.com/int128/kubelogin/pkg/testing/jwt"
"golang.org/x/xerrors"
)
type Server interface {
http.Shutdowner
IssuerURL() string
SetConfig(Config)
LastTokenResponse() *handler.TokenResponse
}
// Want represents a set of expected values.
type Want struct {
Scope string
RedirectURIPrefix string
CodeChallengeMethod string // optional
ExtraParams map[string]string // optional
Username string // optional
Password string // optional
RefreshToken string // optional
}
// Response represents a set of response values.
type Response struct {
IDTokenExpiry time.Time
RefreshToken string
RefreshError string // if set, Refresh() will return the error
CodeChallengeMethodsSupported []string // optional
}
// Config represents a configuration of the OpenID Connect provider.
type Config struct {
Want Want
Response Response
}
// New starts a HTTP server for the OpenID Connect provider.
func New(t *testing.T, k keypair.KeyPair, c Config) Server {
sv := server{Config: c, t: t}
sv.issuerURL, sv.Shutdowner = http.Start(t, handler.New(t, &sv), k)
return &sv
}
type server struct {
Config
http.Shutdowner
t *testing.T
issuerURL string
lastAuthenticationRequest *handler.AuthenticationRequest
lastTokenResponse *handler.TokenResponse
}
func (sv *server) IssuerURL() string {
return sv.issuerURL
}
func (sv *server) SetConfig(cfg Config) {
sv.Config = cfg
}
func (sv *server) LastTokenResponse() *handler.TokenResponse {
return sv.lastTokenResponse
}
func (sv *server) Discovery() *handler.DiscoveryResponse {
// based on https://accounts.google.com/.well-known/openid-configuration
return &handler.DiscoveryResponse{
Issuer: sv.issuerURL,
AuthorizationEndpoint: sv.issuerURL + "/auth",
TokenEndpoint: sv.issuerURL + "/token",
JwksURI: sv.issuerURL + "/certs",
UserinfoEndpoint: sv.issuerURL + "/userinfo",
RevocationEndpoint: sv.issuerURL + "/revoke",
ResponseTypesSupported: []string{"code id_token"},
SubjectTypesSupported: []string{"public"},
IDTokenSigningAlgValuesSupported: []string{"RS256"},
ScopesSupported: []string{"openid", "email", "profile"},
TokenEndpointAuthMethodsSupported: []string{"client_secret_post", "client_secret_basic"},
CodeChallengeMethodsSupported: sv.Config.Response.CodeChallengeMethodsSupported,
ClaimsSupported: []string{"aud", "email", "exp", "iat", "iss", "name", "sub"},
}
}
func (sv *server) GetCertificates() *handler.CertificatesResponse {
idTokenKeyPair := jwt.PrivateKey
return &handler.CertificatesResponse{
Keys: []*handler.CertificatesResponseKey{
{
Kty: "RSA",
Alg: "RS256",
Use: "sig",
Kid: "dummy",
E: base64.RawURLEncoding.EncodeToString(big.NewInt(int64(idTokenKeyPair.E)).Bytes()),
N: base64.RawURLEncoding.EncodeToString(idTokenKeyPair.N.Bytes()),
},
},
}
}
func (sv *server) AuthenticateCode(req handler.AuthenticationRequest) (code string, err error) {
if req.Scope != sv.Want.Scope {
sv.t.Errorf("scope wants `%s` but was `%s`", sv.Want.Scope, req.Scope)
}
if !strings.HasPrefix(req.RedirectURI, sv.Want.RedirectURIPrefix) {
sv.t.Errorf("redirectURI wants prefix `%s` but was `%s`", sv.Want.RedirectURIPrefix, req.RedirectURI)
}
if req.CodeChallengeMethod != sv.Want.CodeChallengeMethod {
sv.t.Errorf("code_challenge_method wants `%s` but was `%s`", sv.Want.CodeChallengeMethod, req.CodeChallengeMethod)
}
for k, v := range sv.Want.ExtraParams {
got := req.RawQuery.Get(k)
if got != v {
sv.t.Errorf("parameter %s wants `%s` but was `%s`", k, v, got)
}
}
sv.lastAuthenticationRequest = &req
return "YOUR_AUTH_CODE", nil
}
func (sv *server) Exchange(req handler.TokenRequest) (*handler.TokenResponse, error) {
if req.Code != "YOUR_AUTH_CODE" {
return nil, xerrors.Errorf("code wants %s but was %s", "YOUR_AUTH_CODE", req.Code)
}
if sv.lastAuthenticationRequest.CodeChallengeMethod == "S256" {
// https://tools.ietf.org/html/rfc7636#section-4.6
challenge := computeS256Challenge(req.CodeVerifier)
if challenge != sv.lastAuthenticationRequest.CodeChallenge {
sv.t.Errorf("pkce S256 challenge did not match (want %s but was %s)", sv.lastAuthenticationRequest.CodeChallenge, challenge)
}
}
resp := &handler.TokenResponse{
TokenType: "Bearer",
ExpiresIn: 3600,
AccessToken: "YOUR_ACCESS_TOKEN",
RefreshToken: sv.Response.RefreshToken,
IDToken: jwt.EncodeF(sv.t, func(claims *jwt.Claims) {
claims.Issuer = sv.issuerURL
claims.Subject = "SUBJECT"
claims.IssuedAt = sv.Response.IDTokenExpiry.Add(-time.Hour).Unix()
claims.ExpiresAt = sv.Response.IDTokenExpiry.Unix()
claims.Audience = []string{"kubernetes"}
claims.Nonce = sv.lastAuthenticationRequest.Nonce
}),
}
sv.lastTokenResponse = resp
return resp, nil
}
func computeS256Challenge(verifier string) string {
c := sha256.Sum256([]byte(verifier))
return base64.URLEncoding.WithPadding(base64.NoPadding).EncodeToString(c[:])
}
func (sv *server) AuthenticatePassword(username, password, scope string) (*handler.TokenResponse, error) {
if scope != sv.Want.Scope {
sv.t.Errorf("scope wants `%s` but was `%s`", sv.Want.Scope, scope)
}
if username != sv.Want.Username {
sv.t.Errorf("username wants `%s` but was `%s`", sv.Want.Username, username)
}
if password != sv.Want.Password {
sv.t.Errorf("password wants `%s` but was `%s`", sv.Want.Password, password)
}
resp := &handler.TokenResponse{
TokenType: "Bearer",
ExpiresIn: 3600,
AccessToken: "YOUR_ACCESS_TOKEN",
RefreshToken: sv.Response.RefreshToken,
IDToken: jwt.EncodeF(sv.t, func(claims *jwt.Claims) {
claims.Issuer = sv.issuerURL
claims.Subject = "SUBJECT"
claims.IssuedAt = sv.Response.IDTokenExpiry.Add(-time.Hour).Unix()
claims.ExpiresAt = sv.Response.IDTokenExpiry.Unix()
claims.Audience = []string{"kubernetes"}
}),
}
sv.lastTokenResponse = resp
return resp, nil
}
func (sv *server) Refresh(refreshToken string) (*handler.TokenResponse, error) {
if refreshToken != sv.Want.RefreshToken {
sv.t.Errorf("refreshToken wants %s but was %s", sv.Want.RefreshToken, refreshToken)
}
if sv.Response.RefreshError != "" {
return nil, &handler.ErrorResponse{Code: "invalid_request", Description: sv.Response.RefreshError}
}
resp := &handler.TokenResponse{
TokenType: "Bearer",
ExpiresIn: 3600,
AccessToken: "YOUR_ACCESS_TOKEN",
RefreshToken: sv.Response.RefreshToken,
IDToken: jwt.EncodeF(sv.t, func(claims *jwt.Claims) {
claims.Issuer = sv.issuerURL
claims.Subject = "SUBJECT"
claims.IssuedAt = sv.Response.IDTokenExpiry.Add(-time.Hour).Unix()
claims.ExpiresAt = sv.Response.IDTokenExpiry.Unix()
claims.Audience = []string{"kubernetes"}
}),
}
sv.lastTokenResponse = resp
return resp, nil
}

184
integration_test/oidcserver/service/service.go
View File

@@ -1,184 +0,0 @@
package service
import (
"crypto/sha256"
"encoding/base64"
"fmt"
"math/big"
"strings"
"testing"
"time"
"github.com/golang-jwt/jwt/v5"
"github.com/google/go-cmp/cmp"
"github.com/int128/kubelogin/integration_test/oidcserver/testconfig"
testingJWT "github.com/int128/kubelogin/pkg/testing/jwt"
)
func New(t *testing.T, issuerURL string, config testconfig.Config) Service {
return &service{
config: config,
t: t,
issuerURL: issuerURL,
}
}
type service struct {
config testconfig.Config
t *testing.T
issuerURL string
lastAuthenticationRequest *AuthenticationRequest
lastTokenResponse *TokenResponse
}
func (svc *service) IssuerURL() string {
return svc.issuerURL
}
func (svc *service) SetConfig(cfg testconfig.Config) {
svc.config = cfg
}
func (svc *service) LastTokenResponse() *TokenResponse {
return svc.lastTokenResponse
}
func (svc *service) Discovery() *DiscoveryResponse {
// based on https://accounts.google.com/.well-known/openid-configuration
return &DiscoveryResponse{
Issuer: svc.issuerURL,
AuthorizationEndpoint: svc.issuerURL + "/auth",
TokenEndpoint: svc.issuerURL + "/token",
JwksURI: svc.issuerURL + "/certs",
UserinfoEndpoint: svc.issuerURL + "/userinfo",
RevocationEndpoint: svc.issuerURL + "/revoke",
ResponseTypesSupported: []string{"code id_token"},
SubjectTypesSupported: []string{"public"},
IDTokenSigningAlgValuesSupported: []string{"RS256"},
ScopesSupported: []string{"openid", "email", "profile"},
TokenEndpointAuthMethodsSupported: []string{"client_secret_post", "client_secret_basic"},
CodeChallengeMethodsSupported: svc.config.Response.CodeChallengeMethodsSupported,
ClaimsSupported: []string{"aud", "email", "exp", "iat", "iss", "name", "sub"},
}
}
func (svc *service) GetCertificates() *CertificatesResponse {
idTokenKeyPair := testingJWT.PrivateKey
return &CertificatesResponse{
Keys: []*CertificatesResponseKey{
{
Kty: "RSA",
Alg: "RS256",
Use: "sig",
Kid: "dummy",
E: base64.RawURLEncoding.EncodeToString(big.NewInt(int64(idTokenKeyPair.E)).Bytes()),
N: base64.RawURLEncoding.EncodeToString(idTokenKeyPair.N.Bytes()),
},
},
}
}
func (svc *service) AuthenticateCode(req AuthenticationRequest) (code string, err error) {
if req.Scope != svc.config.Want.Scope {
svc.t.Errorf("scope wants `%s` but was `%s`", svc.config.Want.Scope, req.Scope)
}
if !strings.HasPrefix(req.RedirectURI, svc.config.Want.RedirectURIPrefix) {
svc.t.Errorf("redirectURI wants prefix `%s` but was `%s`", svc.config.Want.RedirectURIPrefix, req.RedirectURI)
}
if diff := cmp.Diff(svc.config.Want.CodeChallengeMethod, req.CodeChallengeMethod); diff != "" {
svc.t.Errorf("code_challenge_method mismatch (-want +got):\n%s", diff)
}
for k, v := range svc.config.Want.ExtraParams {
got := req.RawQuery.Get(k)
if got != v {
svc.t.Errorf("parameter %s wants `%s` but was `%s`", k, v, got)
}
}
svc.lastAuthenticationRequest = &req
return "YOUR_AUTH_CODE", nil
}
func (svc *service) Exchange(req TokenRequest) (*TokenResponse, error) {
if req.Code != "YOUR_AUTH_CODE" {
return nil, fmt.Errorf("code wants %s but was %s", "YOUR_AUTH_CODE", req.Code)
}
if svc.lastAuthenticationRequest.CodeChallengeMethod == "S256" {
// https://tools.ietf.org/html/rfc7636#section-4.6
challenge := computeS256Challenge(req.CodeVerifier)
if challenge != svc.lastAuthenticationRequest.CodeChallenge {
svc.t.Errorf("pkce S256 challenge did not match (want %s but was %s)", svc.lastAuthenticationRequest.CodeChallenge, challenge)
}
}
resp := &TokenResponse{
TokenType: "Bearer",
ExpiresIn: 3600,
AccessToken: "YOUR_ACCESS_TOKEN",
RefreshToken: svc.config.Response.RefreshToken,
IDToken: testingJWT.EncodeF(svc.t, func(claims *testingJWT.Claims) {
claims.Issuer = svc.issuerURL
claims.Subject = "SUBJECT"
claims.IssuedAt = jwt.NewNumericDate(svc.config.Response.IDTokenExpiry.Add(-time.Hour))
claims.ExpiresAt = jwt.NewNumericDate(svc.config.Response.IDTokenExpiry)
claims.Audience = []string{"kubernetes"}
claims.Nonce = svc.lastAuthenticationRequest.Nonce
}),
}
svc.lastTokenResponse = resp
return resp, nil
}
func computeS256Challenge(verifier string) string {
c := sha256.Sum256([]byte(verifier))
return base64.URLEncoding.WithPadding(base64.NoPadding).EncodeToString(c[:])
}
func (svc *service) AuthenticatePassword(username, password, scope string) (*TokenResponse, error) {
if scope != svc.config.Want.Scope {
svc.t.Errorf("scope wants `%s` but was `%s`", svc.config.Want.Scope, scope)
}
if username != svc.config.Want.Username {
svc.t.Errorf("username wants `%s` but was `%s`", svc.config.Want.Username, username)
}
if password != svc.config.Want.Password {
svc.t.Errorf("password wants `%s` but was `%s`", svc.config.Want.Password, password)
}
resp := &TokenResponse{
TokenType: "Bearer",
ExpiresIn: 3600,
AccessToken: "YOUR_ACCESS_TOKEN",
RefreshToken: svc.config.Response.RefreshToken,
IDToken: testingJWT.EncodeF(svc.t, func(claims *testingJWT.Claims) {
claims.Issuer = svc.issuerURL
claims.Subject = "SUBJECT"
claims.IssuedAt = jwt.NewNumericDate(svc.config.Response.IDTokenExpiry.Add(-time.Hour))
claims.ExpiresAt = jwt.NewNumericDate(svc.config.Response.IDTokenExpiry)
claims.Audience = []string{"kubernetes"}
}),
}
svc.lastTokenResponse = resp
return resp, nil
}
func (svc *service) Refresh(refreshToken string) (*TokenResponse, error) {
if refreshToken != svc.config.Want.RefreshToken {
svc.t.Errorf("refreshToken wants %s but was %s", svc.config.Want.RefreshToken, refreshToken)
}
if svc.config.Response.RefreshError != "" {
return nil, &ErrorResponse{Code: "invalid_request", Description: svc.config.Response.RefreshError}
}
resp := &TokenResponse{
TokenType: "Bearer",
ExpiresIn: 3600,
AccessToken: "YOUR_ACCESS_TOKEN",
RefreshToken: svc.config.Response.RefreshToken,
IDToken: testingJWT.EncodeF(svc.t, func(claims *testingJWT.Claims) {
claims.Issuer = svc.issuerURL
claims.Subject = "SUBJECT"
claims.IssuedAt = jwt.NewNumericDate(svc.config.Response.IDTokenExpiry.Add(-time.Hour))
claims.ExpiresAt = jwt.NewNumericDate(svc.config.Response.IDTokenExpiry)
claims.Audience = []string{"kubernetes"}
}),
}
svc.lastTokenResponse = resp
return resp, nil
}

28
integration_test/oidcserver/testconfig/types.go
View File

@@ -1,28 +0,0 @@
package testconfig
import "time"
// Want represents a set of expected values.
type Want struct {
Scope string
RedirectURIPrefix string
CodeChallengeMethod string
ExtraParams map[string]string // optional
Username string // optional
Password string // optional
RefreshToken string // optional
}
// Response represents a set of response values.
type Response struct {
IDTokenExpiry time.Time
RefreshToken string
RefreshError string // if set, Refresh() will return the error
CodeChallengeMethodsSupported []string
}
// Config represents a configuration of the OpenID Connect provider.
type Config struct {
Want Want
Response Response
}

104
integration_test/standalone_test.go
View File

@@ -10,9 +10,8 @@ import (
"github.com/int128/kubelogin/integration_test/keypair"
"github.com/int128/kubelogin/integration_test/kubeconfig"
"github.com/int128/kubelogin/integration_test/oidcserver"
"github.com/int128/kubelogin/integration_test/oidcserver/testconfig"
"github.com/int128/kubelogin/pkg/adaptors/browser"
"github.com/int128/kubelogin/pkg/di"
"github.com/int128/kubelogin/pkg/infrastructure/browser"
"github.com/int128/kubelogin/pkg/testing/clock"
"github.com/int128/kubelogin/pkg/testing/logger"
)
@@ -23,6 +22,7 @@ import (
// 2. Run the Cmd.
// 3. Open a request for the local server.
// 4. Verify the kubeconfig.
//
func TestStandalone(t *testing.T) {
timeout := 3 * time.Second
now := time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC)
@@ -36,33 +36,30 @@ func TestStandalone(t *testing.T) {
keyPair: keypair.Server,
},
} {
httpDriverOption := httpdriver.Config{
TLSConfig: tc.keyPair.TLSConfig,
BodyContains: "Authenticated",
}
t.Run(name, func(t *testing.T) {
t.Run("AuthCode", func(t *testing.T) {
t.Parallel()
ctx, cancel := context.WithTimeout(context.TODO(), timeout)
defer cancel()
sv := oidcserver.New(t, tc.keyPair, testconfig.Config{
Want: testconfig.Want{
sv := oidcserver.New(t, tc.keyPair, oidcserver.Config{
Want: oidcserver.Want{
Scope: "openid",
RedirectURIPrefix: "http://localhost:",
},
Response: testconfig.Response{
Response: oidcserver.Response{
IDTokenExpiry: now.Add(time.Hour),
},
})
defer sv.Shutdown(t, ctx)
kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
Issuer: sv.IssuerURL(),
IDPCertificateAuthority: tc.keyPair.CACertPath,
})
defer os.Remove(kubeConfigFilename)
runStandalone(t, ctx, standaloneConfig{
issuerURL: sv.IssuerURL(),
kubeConfigFilename: kubeConfigFilename,
httpDriver: httpdriver.New(ctx, t, httpDriverOption),
httpDriver: httpdriver.New(ctx, t, tc.keyPair.TLSConfig),
now: now,
})
kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
@@ -75,21 +72,23 @@ func TestStandalone(t *testing.T) {
t.Parallel()
ctx, cancel := context.WithTimeout(context.TODO(), timeout)
defer cancel()
sv := oidcserver.New(t, tc.keyPair, testconfig.Config{
Want: testconfig.Want{
sv := oidcserver.New(t, tc.keyPair, oidcserver.Config{
Want: oidcserver.Want{
Scope: "openid",
RedirectURIPrefix: "http://localhost:",
Username: "USER1",
Password: "PASS1",
},
Response: testconfig.Response{
Response: oidcserver.Response{
IDTokenExpiry: now.Add(time.Hour),
},
})
defer sv.Shutdown(t, ctx)
kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
Issuer: sv.IssuerURL(),
IDPCertificateAuthority: tc.keyPair.CACertPath,
})
defer os.Remove(kubeConfigFilename)
runStandalone(t, ctx, standaloneConfig{
issuerURL: sv.IssuerURL(),
kubeConfigFilename: kubeConfigFilename,
@@ -110,19 +109,21 @@ func TestStandalone(t *testing.T) {
t.Parallel()
ctx, cancel := context.WithTimeout(context.TODO(), timeout)
defer cancel()
sv := oidcserver.New(t, tc.keyPair, testconfig.Config{})
sv := oidcserver.New(t, tc.keyPair, oidcserver.Config{})
defer sv.Shutdown(t, ctx)
kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
Issuer: sv.IssuerURL(),
IDPCertificateAuthority: tc.keyPair.CACertPath,
})
defer os.Remove(kubeConfigFilename)
t.Run("NoToken", func(t *testing.T) {
sv.SetConfig(testconfig.Config{
Want: testconfig.Want{
sv.SetConfig(oidcserver.Config{
Want: oidcserver.Want{
Scope: "openid",
RedirectURIPrefix: "http://localhost:",
},
Response: testconfig.Response{
Response: oidcserver.Response{
IDTokenExpiry: now.Add(time.Hour),
RefreshToken: "REFRESH_TOKEN_1",
},
@@ -130,7 +131,7 @@ func TestStandalone(t *testing.T) {
runStandalone(t, ctx, standaloneConfig{
issuerURL: sv.IssuerURL(),
kubeConfigFilename: kubeConfigFilename,
httpDriver: httpdriver.New(ctx, t, httpDriverOption),
httpDriver: httpdriver.New(ctx, t, tc.keyPair.TLSConfig),
now: now,
})
kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
@@ -139,7 +140,7 @@ func TestStandalone(t *testing.T) {
})
})
t.Run("Valid", func(t *testing.T) {
sv.SetConfig(testconfig.Config{})
sv.SetConfig(oidcserver.Config{})
runStandalone(t, ctx, standaloneConfig{
issuerURL: sv.IssuerURL(),
kubeConfigFilename: kubeConfigFilename,
@@ -152,13 +153,13 @@ func TestStandalone(t *testing.T) {
})
})
t.Run("Refresh", func(t *testing.T) {
sv.SetConfig(testconfig.Config{
Want: testconfig.Want{
sv.SetConfig(oidcserver.Config{
Want: oidcserver.Want{
Scope: "openid",
RedirectURIPrefix: "http://localhost:",
RefreshToken: "REFRESH_TOKEN_1",
},
Response: testconfig.Response{
Response: oidcserver.Response{
IDTokenExpiry: now.Add(3 * time.Hour),
RefreshToken: "REFRESH_TOKEN_2",
},
@@ -166,7 +167,7 @@ func TestStandalone(t *testing.T) {
runStandalone(t, ctx, standaloneConfig{
issuerURL: sv.IssuerURL(),
kubeConfigFilename: kubeConfigFilename,
httpDriver: httpdriver.New(ctx, t, httpDriverOption),
httpDriver: httpdriver.New(ctx, t, tc.keyPair.TLSConfig),
now: now.Add(2 * time.Hour),
})
kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
@@ -175,20 +176,20 @@ func TestStandalone(t *testing.T) {
})
})
t.Run("RefreshAgain", func(t *testing.T) {
sv.SetConfig(testconfig.Config{
Want: testconfig.Want{
sv.SetConfig(oidcserver.Config{
Want: oidcserver.Want{
Scope: "openid",
RedirectURIPrefix: "http://localhost:",
RefreshToken: "REFRESH_TOKEN_2",
},
Response: testconfig.Response{
Response: oidcserver.Response{
IDTokenExpiry: now.Add(5 * time.Hour),
},
})
runStandalone(t, ctx, standaloneConfig{
issuerURL: sv.IssuerURL(),
kubeConfigFilename: kubeConfigFilename,
httpDriver: httpdriver.New(ctx, t, httpDriverOption),
httpDriver: httpdriver.New(ctx, t, tc.keyPair.TLSConfig),
now: now.Add(4 * time.Hour),
})
kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
@@ -204,23 +205,25 @@ func TestStandalone(t *testing.T) {
t.Parallel()
ctx, cancel := context.WithTimeout(context.TODO(), timeout)
defer cancel()
sv := oidcserver.New(t, keypair.Server, testconfig.Config{
Want: testconfig.Want{
sv := oidcserver.New(t, keypair.Server, oidcserver.Config{
Want: oidcserver.Want{
Scope: "openid",
RedirectURIPrefix: "http://localhost:",
},
Response: testconfig.Response{
Response: oidcserver.Response{
IDTokenExpiry: now.Add(time.Hour),
},
})
defer sv.Shutdown(t, ctx)
kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
Issuer: sv.IssuerURL(),
IDPCertificateAuthorityData: keypair.Server.CACertBase64,
})
defer os.Remove(kubeConfigFilename)
runStandalone(t, ctx, standaloneConfig{
issuerURL: sv.IssuerURL(),
kubeConfigFilename: kubeConfigFilename,
httpDriver: httpdriver.New(ctx, t, httpdriver.Config{TLSConfig: keypair.Server.TLSConfig}),
httpDriver: httpdriver.New(ctx, t, keypair.Server.TLSConfig),
now: now,
})
kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
@@ -232,22 +235,25 @@ func TestStandalone(t *testing.T) {
t.Run("env_KUBECONFIG", func(t *testing.T) {
ctx, cancel := context.WithTimeout(context.TODO(), timeout)
defer cancel()
sv := oidcserver.New(t, keypair.None, testconfig.Config{
Want: testconfig.Want{
sv := oidcserver.New(t, keypair.None, oidcserver.Config{
Want: oidcserver.Want{
Scope: "openid",
RedirectURIPrefix: "http://localhost:",
},
Response: testconfig.Response{
Response: oidcserver.Response{
IDTokenExpiry: now.Add(time.Hour),
},
})
defer sv.Shutdown(t, ctx)
kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
Issuer: sv.IssuerURL(),
})
t.Setenv("KUBECONFIG", kubeConfigFilename+string(os.PathListSeparator)+"kubeconfig/testdata/dummy.yaml")
defer os.Remove(kubeConfigFilename)
setenv(t, "KUBECONFIG", kubeConfigFilename+string(os.PathListSeparator)+"kubeconfig/testdata/dummy.yaml")
defer unsetenv(t, "KUBECONFIG")
runStandalone(t, ctx, standaloneConfig{
issuerURL: sv.IssuerURL(),
httpDriver: httpdriver.New(ctx, t, httpdriver.Config{}),
httpDriver: httpdriver.New(ctx, t, nil),
now: now,
})
kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
@@ -260,23 +266,25 @@ func TestStandalone(t *testing.T) {
t.Parallel()
ctx, cancel := context.WithTimeout(context.TODO(), timeout)
defer cancel()
sv := oidcserver.New(t, keypair.None, testconfig.Config{
Want: testconfig.Want{
sv := oidcserver.New(t, keypair.None, oidcserver.Config{
Want: oidcserver.Want{
Scope: "profile groups openid",
RedirectURIPrefix: "http://localhost:",
},
Response: testconfig.Response{
Response: oidcserver.Response{
IDTokenExpiry: now.Add(time.Hour),
},
})
defer sv.Shutdown(t, ctx)
kubeConfigFilename := kubeconfig.Create(t, &kubeconfig.Values{
Issuer: sv.IssuerURL(),
ExtraScopes: "profile,groups",
})
defer os.Remove(kubeConfigFilename)
runStandalone(t, ctx, standaloneConfig{
issuerURL: sv.IssuerURL(),
kubeConfigFilename: kubeConfigFilename,
httpDriver: httpdriver.New(ctx, t, httpdriver.Config{}),
httpDriver: httpdriver.New(ctx, t, nil),
now: now,
})
kubeconfig.Verify(t, kubeConfigFilename, kubeconfig.AuthProviderConfig{
@@ -305,3 +313,17 @@ func runStandalone(t *testing.T, ctx context.Context, cfg standaloneConfig) {
t.Errorf("exit status wants 0 but %d", exitCode)
}
}
func setenv(t *testing.T, key, value string) {
t.Helper()
if err := os.Setenv(key, value); err != nil {
t.Fatalf("Could not set the env var %s=%s: %s", key, value, err)
}
}
func unsetenv(t *testing.T, key string) {
t.Helper()
if err := os.Unsetenv(key); err != nil {
t.Fatalf("Could not unset the env var %s: %s", key, err)
}
}

7
main.go
View File

@@ -3,8 +3,6 @@ package main
import (
"context"
"os"
"os/signal"
"syscall"
"github.com/int128/kubelogin/pkg/di"
)
@@ -12,8 +10,5 @@ import (
var version = "HEAD"
func main() {
ctx := context.Background()
ctx, stop := signal.NotifyContext(ctx, os.Interrupt, syscall.SIGTERM)
defer stop()
os.Exit(di.NewCmd().Run(ctx, os.Args, version))
os.Exit(di.NewCmd().Run(context.Background(), os.Args, version))
}

895
mocks/github.com/int128/kubelogin/integration_test/oidcserver/service_mock/mocks.go
View File

@@ -1,895 +0,0 @@
// Code generated by mockery; DO NOT EDIT.
// github.com/vektra/mockery
// template: testify
package service_mock
import (
"github.com/int128/kubelogin/integration_test/oidcserver/service"
"github.com/int128/kubelogin/integration_test/oidcserver/testconfig"
mock "github.com/stretchr/testify/mock"
)
// NewMockService creates a new instance of MockService. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
// The first argument is typically a *testing.T value.
func NewMockService(t interface {
mock.TestingT
Cleanup(func())
}) *MockService {
mock := &MockService{}
mock.Mock.Test(t)
t.Cleanup(func() { mock.AssertExpectations(t) })
return mock
}
// MockService is an autogenerated mock type for the Service type
type MockService struct {
mock.Mock
}
type MockService_Expecter struct {
mock *mock.Mock
}
func (_m *MockService) EXPECT() *MockService_Expecter {
return &MockService_Expecter{mock: &_m.Mock}
}
// AuthenticateCode provides a mock function for the type MockService
func (_mock *MockService) AuthenticateCode(req service.AuthenticationRequest) (string, error) {
ret := _mock.Called(req)
if len(ret) == 0 {
panic("no return value specified for AuthenticateCode")
}
var r0 string
var r1 error
if returnFunc, ok := ret.Get(0).(func(service.AuthenticationRequest) (string, error)); ok {
return returnFunc(req)
}
if returnFunc, ok := ret.Get(0).(func(service.AuthenticationRequest) string); ok {
r0 = returnFunc(req)
} else {
r0 = ret.Get(0).(string)
}
if returnFunc, ok := ret.Get(1).(func(service.AuthenticationRequest) error); ok {
r1 = returnFunc(req)
} else {
r1 = ret.Error(1)
}
return r0, r1
}
// MockService_AuthenticateCode_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'AuthenticateCode'
type MockService_AuthenticateCode_Call struct {
*mock.Call
}
// AuthenticateCode is a helper method to define mock.On call
// - req service.AuthenticationRequest
func (_e *MockService_Expecter) AuthenticateCode(req interface{}) *MockService_AuthenticateCode_Call {
return &MockService_AuthenticateCode_Call{Call: _e.mock.On("AuthenticateCode", req)}
}
func (_c *MockService_AuthenticateCode_Call) Run(run func(req service.AuthenticationRequest)) *MockService_AuthenticateCode_Call {
_c.Call.Run(func(args mock.Arguments) {
var arg0 service.AuthenticationRequest
if args[0] != nil {
arg0 = args[0].(service.AuthenticationRequest)
}
run(
arg0,
)
})
return _c
}
func (_c *MockService_AuthenticateCode_Call) Return(code string, err error) *MockService_AuthenticateCode_Call {
_c.Call.Return(code, err)
return _c
}
func (_c *MockService_AuthenticateCode_Call) RunAndReturn(run func(req service.AuthenticationRequest) (string, error)) *MockService_AuthenticateCode_Call {
_c.Call.Return(run)
return _c
}
// AuthenticatePassword provides a mock function for the type MockService
func (_mock *MockService) AuthenticatePassword(username string, password string, scope string) (*service.TokenResponse, error) {
ret := _mock.Called(username, password, scope)
if len(ret) == 0 {
panic("no return value specified for AuthenticatePassword")
}
var r0 *service.TokenResponse
var r1 error
if returnFunc, ok := ret.Get(0).(func(string, string, string) (*service.TokenResponse, error)); ok {
return returnFunc(username, password, scope)
}
if returnFunc, ok := ret.Get(0).(func(string, string, string) *service.TokenResponse); ok {
r0 = returnFunc(username, password, scope)
} else {
if ret.Get(0) != nil {
r0 = ret.Get(0).(*service.TokenResponse)
}
}
if returnFunc, ok := ret.Get(1).(func(string, string, string) error); ok {
r1 = returnFunc(username, password, scope)
} else {
r1 = ret.Error(1)
}
return r0, r1
}
// MockService_AuthenticatePassword_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'AuthenticatePassword'
type MockService_AuthenticatePassword_Call struct {
*mock.Call
}
// AuthenticatePassword is a helper method to define mock.On call
// - username string
// - password string
// - scope string
func (_e *MockService_Expecter) AuthenticatePassword(username interface{}, password interface{}, scope interface{}) *MockService_AuthenticatePassword_Call {
return &MockService_AuthenticatePassword_Call{Call: _e.mock.On("AuthenticatePassword", username, password, scope)}
}
func (_c *MockService_AuthenticatePassword_Call) Run(run func(username string, password string, scope string)) *MockService_AuthenticatePassword_Call {
_c.Call.Run(func(args mock.Arguments) {
var arg0 string
if args[0] != nil {
arg0 = args[0].(string)
}
var arg1 string
if args[1] != nil {
arg1 = args[1].(string)
}
var arg2 string
if args[2] != nil {
arg2 = args[2].(string)
}
run(
arg0,
arg1,
arg2,
)
})
return _c
}
func (_c *MockService_AuthenticatePassword_Call) Return(tokenResponse *service.TokenResponse, err error) *MockService_AuthenticatePassword_Call {
_c.Call.Return(tokenResponse, err)
return _c
}
func (_c *MockService_AuthenticatePassword_Call) RunAndReturn(run func(username string, password string, scope string) (*service.TokenResponse, error)) *MockService_AuthenticatePassword_Call {
_c.Call.Return(run)
return _c
}
// Discovery provides a mock function for the type MockService
func (_mock *MockService) Discovery() *service.DiscoveryResponse {
ret := _mock.Called()
if len(ret) == 0 {
panic("no return value specified for Discovery")
}
var r0 *service.DiscoveryResponse
if returnFunc, ok := ret.Get(0).(func() *service.DiscoveryResponse); ok {
r0 = returnFunc()
} else {
if ret.Get(0) != nil {
r0 = ret.Get(0).(*service.DiscoveryResponse)
}
}
return r0
}
// MockService_Discovery_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Discovery'
type MockService_Discovery_Call struct {
*mock.Call
}
// Discovery is a helper method to define mock.On call
func (_e *MockService_Expecter) Discovery() *MockService_Discovery_Call {
return &MockService_Discovery_Call{Call: _e.mock.On("Discovery")}
}
func (_c *MockService_Discovery_Call) Run(run func()) *MockService_Discovery_Call {
_c.Call.Run(func(args mock.Arguments) {
run()
})
return _c
}
func (_c *MockService_Discovery_Call) Return(discoveryResponse *service.DiscoveryResponse) *MockService_Discovery_Call {
_c.Call.Return(discoveryResponse)
return _c
}
func (_c *MockService_Discovery_Call) RunAndReturn(run func() *service.DiscoveryResponse) *MockService_Discovery_Call {
_c.Call.Return(run)
return _c
}
// Exchange provides a mock function for the type MockService
func (_mock *MockService) Exchange(req service.TokenRequest) (*service.TokenResponse, error) {
ret := _mock.Called(req)
if len(ret) == 0 {
panic("no return value specified for Exchange")
}
var r0 *service.TokenResponse
var r1 error
if returnFunc, ok := ret.Get(0).(func(service.TokenRequest) (*service.TokenResponse, error)); ok {
return returnFunc(req)
}
if returnFunc, ok := ret.Get(0).(func(service.TokenRequest) *service.TokenResponse); ok {
r0 = returnFunc(req)
} else {
if ret.Get(0) != nil {
r0 = ret.Get(0).(*service.TokenResponse)
}
}
if returnFunc, ok := ret.Get(1).(func(service.TokenRequest) error); ok {
r1 = returnFunc(req)
} else {
r1 = ret.Error(1)
}
return r0, r1
}
// MockService_Exchange_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Exchange'
type MockService_Exchange_Call struct {
*mock.Call
}
// Exchange is a helper method to define mock.On call
// - req service.TokenRequest
func (_e *MockService_Expecter) Exchange(req interface{}) *MockService_Exchange_Call {
return &MockService_Exchange_Call{Call: _e.mock.On("Exchange", req)}
}
func (_c *MockService_Exchange_Call) Run(run func(req service.TokenRequest)) *MockService_Exchange_Call {
_c.Call.Run(func(args mock.Arguments) {
var arg0 service.TokenRequest
if args[0] != nil {
arg0 = args[0].(service.TokenRequest)
}
run(
arg0,
)
})
return _c
}
func (_c *MockService_Exchange_Call) Return(tokenResponse *service.TokenResponse, err error) *MockService_Exchange_Call {
_c.Call.Return(tokenResponse, err)
return _c
}
func (_c *MockService_Exchange_Call) RunAndReturn(run func(req service.TokenRequest) (*service.TokenResponse, error)) *MockService_Exchange_Call {
_c.Call.Return(run)
return _c
}
// GetCertificates provides a mock function for the type MockService
func (_mock *MockService) GetCertificates() *service.CertificatesResponse {
ret := _mock.Called()
if len(ret) == 0 {
panic("no return value specified for GetCertificates")
}
var r0 *service.CertificatesResponse
if returnFunc, ok := ret.Get(0).(func() *service.CertificatesResponse); ok {
r0 = returnFunc()
} else {
if ret.Get(0) != nil {
r0 = ret.Get(0).(*service.CertificatesResponse)
}
}
return r0
}
// MockService_GetCertificates_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetCertificates'
type MockService_GetCertificates_Call struct {
*mock.Call
}
// GetCertificates is a helper method to define mock.On call
func (_e *MockService_Expecter) GetCertificates() *MockService_GetCertificates_Call {
return &MockService_GetCertificates_Call{Call: _e.mock.On("GetCertificates")}
}
func (_c *MockService_GetCertificates_Call) Run(run func()) *MockService_GetCertificates_Call {
_c.Call.Run(func(args mock.Arguments) {
run()
})
return _c
}
func (_c *MockService_GetCertificates_Call) Return(certificatesResponse *service.CertificatesResponse) *MockService_GetCertificates_Call {
_c.Call.Return(certificatesResponse)
return _c
}
func (_c *MockService_GetCertificates_Call) RunAndReturn(run func() *service.CertificatesResponse) *MockService_GetCertificates_Call {
_c.Call.Return(run)
return _c
}
// IssuerURL provides a mock function for the type MockService
func (_mock *MockService) IssuerURL() string {
ret := _mock.Called()
if len(ret) == 0 {
panic("no return value specified for IssuerURL")
}
var r0 string
if returnFunc, ok := ret.Get(0).(func() string); ok {
r0 = returnFunc()
} else {
r0 = ret.Get(0).(string)
}
return r0
}
// MockService_IssuerURL_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'IssuerURL'
type MockService_IssuerURL_Call struct {
*mock.Call
}
// IssuerURL is a helper method to define mock.On call
func (_e *MockService_Expecter) IssuerURL() *MockService_IssuerURL_Call {
return &MockService_IssuerURL_Call{Call: _e.mock.On("IssuerURL")}
}
func (_c *MockService_IssuerURL_Call) Run(run func()) *MockService_IssuerURL_Call {
_c.Call.Run(func(args mock.Arguments) {
run()
})
return _c
}
func (_c *MockService_IssuerURL_Call) Return(s string) *MockService_IssuerURL_Call {
_c.Call.Return(s)
return _c
}
func (_c *MockService_IssuerURL_Call) RunAndReturn(run func() string) *MockService_IssuerURL_Call {
_c.Call.Return(run)
return _c
}
// LastTokenResponse provides a mock function for the type MockService
func (_mock *MockService) LastTokenResponse() *service.TokenResponse {
ret := _mock.Called()
if len(ret) == 0 {
panic("no return value specified for LastTokenResponse")
}
var r0 *service.TokenResponse
if returnFunc, ok := ret.Get(0).(func() *service.TokenResponse); ok {
r0 = returnFunc()
} else {
if ret.Get(0) != nil {
r0 = ret.Get(0).(*service.TokenResponse)
}
}
return r0
}
// MockService_LastTokenResponse_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'LastTokenResponse'
type MockService_LastTokenResponse_Call struct {
*mock.Call
}
// LastTokenResponse is a helper method to define mock.On call
func (_e *MockService_Expecter) LastTokenResponse() *MockService_LastTokenResponse_Call {
return &MockService_LastTokenResponse_Call{Call: _e.mock.On("LastTokenResponse")}
}
func (_c *MockService_LastTokenResponse_Call) Run(run func()) *MockService_LastTokenResponse_Call {
_c.Call.Run(func(args mock.Arguments) {
run()
})
return _c
}
func (_c *MockService_LastTokenResponse_Call) Return(tokenResponse *service.TokenResponse) *MockService_LastTokenResponse_Call {
_c.Call.Return(tokenResponse)
return _c
}
func (_c *MockService_LastTokenResponse_Call) RunAndReturn(run func() *service.TokenResponse) *MockService_LastTokenResponse_Call {
_c.Call.Return(run)
return _c
}
// Refresh provides a mock function for the type MockService
func (_mock *MockService) Refresh(refreshToken string) (*service.TokenResponse, error) {
ret := _mock.Called(refreshToken)
if len(ret) == 0 {
panic("no return value specified for Refresh")
}
var r0 *service.TokenResponse
var r1 error
if returnFunc, ok := ret.Get(0).(func(string) (*service.TokenResponse, error)); ok {
return returnFunc(refreshToken)
}
if returnFunc, ok := ret.Get(0).(func(string) *service.TokenResponse); ok {
r0 = returnFunc(refreshToken)
} else {
if ret.Get(0) != nil {
r0 = ret.Get(0).(*service.TokenResponse)
}
}
if returnFunc, ok := ret.Get(1).(func(string) error); ok {
r1 = returnFunc(refreshToken)
} else {
r1 = ret.Error(1)
}
return r0, r1
}
// MockService_Refresh_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Refresh'
type MockService_Refresh_Call struct {
*mock.Call
}
// Refresh is a helper method to define mock.On call
// - refreshToken string
func (_e *MockService_Expecter) Refresh(refreshToken interface{}) *MockService_Refresh_Call {
return &MockService_Refresh_Call{Call: _e.mock.On("Refresh", refreshToken)}
}
func (_c *MockService_Refresh_Call) Run(run func(refreshToken string)) *MockService_Refresh_Call {
_c.Call.Run(func(args mock.Arguments) {
var arg0 string
if args[0] != nil {
arg0 = args[0].(string)
}
run(
arg0,
)
})
return _c
}
func (_c *MockService_Refresh_Call) Return(tokenResponse *service.TokenResponse, err error) *MockService_Refresh_Call {
_c.Call.Return(tokenResponse, err)
return _c
}
func (_c *MockService_Refresh_Call) RunAndReturn(run func(refreshToken string) (*service.TokenResponse, error)) *MockService_Refresh_Call {
_c.Call.Return(run)
return _c
}
// SetConfig provides a mock function for the type MockService
func (_mock *MockService) SetConfig(config testconfig.Config) {
_mock.Called(config)
return
}
// MockService_SetConfig_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'SetConfig'
type MockService_SetConfig_Call struct {
*mock.Call
}
// SetConfig is a helper method to define mock.On call
// - config testconfig.Config
func (_e *MockService_Expecter) SetConfig(config interface{}) *MockService_SetConfig_Call {
return &MockService_SetConfig_Call{Call: _e.mock.On("SetConfig", config)}
}
func (_c *MockService_SetConfig_Call) Run(run func(config testconfig.Config)) *MockService_SetConfig_Call {
_c.Call.Run(func(args mock.Arguments) {
var arg0 testconfig.Config
if args[0] != nil {
arg0 = args[0].(testconfig.Config)
}
run(
arg0,
)
})
return _c
}
func (_c *MockService_SetConfig_Call) Return() *MockService_SetConfig_Call {
_c.Call.Return()
return _c
}
func (_c *MockService_SetConfig_Call) RunAndReturn(run func(config testconfig.Config)) *MockService_SetConfig_Call {
_c.Run(run)
return _c
}
// NewMockProvider creates a new instance of MockProvider. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
// The first argument is typically a *testing.T value.
func NewMockProvider(t interface {
mock.TestingT
Cleanup(func())
}) *MockProvider {
mock := &MockProvider{}
mock.Mock.Test(t)
t.Cleanup(func() { mock.AssertExpectations(t) })
return mock
}
// MockProvider is an autogenerated mock type for the Provider type
type MockProvider struct {
mock.Mock
}
type MockProvider_Expecter struct {
mock *mock.Mock
}
func (_m *MockProvider) EXPECT() *MockProvider_Expecter {
return &MockProvider_Expecter{mock: &_m.Mock}
}
// AuthenticateCode provides a mock function for the type MockProvider
func (_mock *MockProvider) AuthenticateCode(req service.AuthenticationRequest) (string, error) {
ret := _mock.Called(req)
if len(ret) == 0 {
panic("no return value specified for AuthenticateCode")
}
var r0 string
var r1 error
if returnFunc, ok := ret.Get(0).(func(service.AuthenticationRequest) (string, error)); ok {
return returnFunc(req)
}
if returnFunc, ok := ret.Get(0).(func(service.AuthenticationRequest) string); ok {
r0 = returnFunc(req)
} else {
r0 = ret.Get(0).(string)
}
if returnFunc, ok := ret.Get(1).(func(service.AuthenticationRequest) error); ok {
r1 = returnFunc(req)
} else {
r1 = ret.Error(1)
}
return r0, r1
}
// MockProvider_AuthenticateCode_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'AuthenticateCode'
type MockProvider_AuthenticateCode_Call struct {
*mock.Call
}
// AuthenticateCode is a helper method to define mock.On call
// - req service.AuthenticationRequest
func (_e *MockProvider_Expecter) AuthenticateCode(req interface{}) *MockProvider_AuthenticateCode_Call {
return &MockProvider_AuthenticateCode_Call{Call: _e.mock.On("AuthenticateCode", req)}
}
func (_c *MockProvider_AuthenticateCode_Call) Run(run func(req service.AuthenticationRequest)) *MockProvider_AuthenticateCode_Call {
_c.Call.Run(func(args mock.Arguments) {
var arg0 service.AuthenticationRequest
if args[0] != nil {
arg0 = args[0].(service.AuthenticationRequest)
}
run(
arg0,
)
})
return _c
}
func (_c *MockProvider_AuthenticateCode_Call) Return(code string, err error) *MockProvider_AuthenticateCode_Call {
_c.Call.Return(code, err)
return _c
}
func (_c *MockProvider_AuthenticateCode_Call) RunAndReturn(run func(req service.AuthenticationRequest) (string, error)) *MockProvider_AuthenticateCode_Call {
_c.Call.Return(run)
return _c
}
// AuthenticatePassword provides a mock function for the type MockProvider
func (_mock *MockProvider) AuthenticatePassword(username string, password string, scope string) (*service.TokenResponse, error) {
ret := _mock.Called(username, password, scope)
if len(ret) == 0 {
panic("no return value specified for AuthenticatePassword")
}
var r0 *service.TokenResponse
var r1 error
if returnFunc, ok := ret.Get(0).(func(string, string, string) (*service.TokenResponse, error)); ok {
return returnFunc(username, password, scope)
}
if returnFunc, ok := ret.Get(0).(func(string, string, string) *service.TokenResponse); ok {
r0 = returnFunc(username, password, scope)
} else {
if ret.Get(0) != nil {
r0 = ret.Get(0).(*service.TokenResponse)
}
}
if returnFunc, ok := ret.Get(1).(func(string, string, string) error); ok {
r1 = returnFunc(username, password, scope)
} else {
r1 = ret.Error(1)
}
return r0, r1
}
// MockProvider_AuthenticatePassword_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'AuthenticatePassword'
type MockProvider_AuthenticatePassword_Call struct {
*mock.Call
}
// AuthenticatePassword is a helper method to define mock.On call
// - username string
// - password string
// - scope string
func (_e *MockProvider_Expecter) AuthenticatePassword(username interface{}, password interface{}, scope interface{}) *MockProvider_AuthenticatePassword_Call {
return &MockProvider_AuthenticatePassword_Call{Call: _e.mock.On("AuthenticatePassword", username, password, scope)}
}
func (_c *MockProvider_AuthenticatePassword_Call) Run(run func(username string, password string, scope string)) *MockProvider_AuthenticatePassword_Call {
_c.Call.Run(func(args mock.Arguments) {
var arg0 string
if args[0] != nil {
arg0 = args[0].(string)
}
var arg1 string
if args[1] != nil {
arg1 = args[1].(string)
}
var arg2 string
if args[2] != nil {
arg2 = args[2].(string)
}
run(
arg0,
arg1,
arg2,
)
})
return _c
}
func (_c *MockProvider_AuthenticatePassword_Call) Return(tokenResponse *service.TokenResponse, err error) *MockProvider_AuthenticatePassword_Call {
_c.Call.Return(tokenResponse, err)
return _c
}
func (_c *MockProvider_AuthenticatePassword_Call) RunAndReturn(run func(username string, password string, scope string) (*service.TokenResponse, error)) *MockProvider_AuthenticatePassword_Call {
_c.Call.Return(run)
return _c
}
// Discovery provides a mock function for the type MockProvider
func (_mock *MockProvider) Discovery() *service.DiscoveryResponse {
ret := _mock.Called()
if len(ret) == 0 {
panic("no return value specified for Discovery")
}
var r0 *service.DiscoveryResponse
if returnFunc, ok := ret.Get(0).(func() *service.DiscoveryResponse); ok {
r0 = returnFunc()
} else {
if ret.Get(0) != nil {
r0 = ret.Get(0).(*service.DiscoveryResponse)
}
}
return r0
}
// MockProvider_Discovery_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Discovery'
type MockProvider_Discovery_Call struct {
*mock.Call
}
// Discovery is a helper method to define mock.On call
func (_e *MockProvider_Expecter) Discovery() *MockProvider_Discovery_Call {
return &MockProvider_Discovery_Call{Call: _e.mock.On("Discovery")}
}
func (_c *MockProvider_Discovery_Call) Run(run func()) *MockProvider_Discovery_Call {
_c.Call.Run(func(args mock.Arguments) {
run()
})
return _c
}
func (_c *MockProvider_Discovery_Call) Return(discoveryResponse *service.DiscoveryResponse) *MockProvider_Discovery_Call {
_c.Call.Return(discoveryResponse)
return _c
}
func (_c *MockProvider_Discovery_Call) RunAndReturn(run func() *service.DiscoveryResponse) *MockProvider_Discovery_Call {
_c.Call.Return(run)
return _c
}
// Exchange provides a mock function for the type MockProvider
func (_mock *MockProvider) Exchange(req service.TokenRequest) (*service.TokenResponse, error) {
ret := _mock.Called(req)
if len(ret) == 0 {
panic("no return value specified for Exchange")
}
var r0 *service.TokenResponse
var r1 error
if returnFunc, ok := ret.Get(0).(func(service.TokenRequest) (*service.TokenResponse, error)); ok {
return returnFunc(req)
}
if returnFunc, ok := ret.Get(0).(func(service.TokenRequest) *service.TokenResponse); ok {
r0 = returnFunc(req)
} else {
if ret.Get(0) != nil {
r0 = ret.Get(0).(*service.TokenResponse)
}
}
if returnFunc, ok := ret.Get(1).(func(service.TokenRequest) error); ok {
r1 = returnFunc(req)
} else {
r1 = ret.Error(1)
}
return r0, r1
}
// MockProvider_Exchange_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Exchange'
type MockProvider_Exchange_Call struct {
*mock.Call
}
// Exchange is a helper method to define mock.On call
// - req service.TokenRequest
func (_e *MockProvider_Expecter) Exchange(req interface{}) *MockProvider_Exchange_Call {
return &MockProvider_Exchange_Call{Call: _e.mock.On("Exchange", req)}
}
func (_c *MockProvider_Exchange_Call) Run(run func(req service.TokenRequest)) *MockProvider_Exchange_Call {
_c.Call.Run(func(args mock.Arguments) {
var arg0 service.TokenRequest
if args[0] != nil {
arg0 = args[0].(service.TokenRequest)
}
run(
arg0,
)
})
return _c
}
func (_c *MockProvider_Exchange_Call) Return(tokenResponse *service.TokenResponse, err error) *MockProvider_Exchange_Call {
_c.Call.Return(tokenResponse, err)
return _c
}
func (_c *MockProvider_Exchange_Call) RunAndReturn(run func(req service.TokenRequest) (*service.TokenResponse, error)) *MockProvider_Exchange_Call {
_c.Call.Return(run)
return _c
}
// GetCertificates provides a mock function for the type MockProvider
func (_mock *MockProvider) GetCertificates() *service.CertificatesResponse {
ret := _mock.Called()
if len(ret) == 0 {
panic("no return value specified for GetCertificates")
}
var r0 *service.CertificatesResponse
if returnFunc, ok := ret.Get(0).(func() *service.CertificatesResponse); ok {
r0 = returnFunc()
} else {
if ret.Get(0) != nil {
r0 = ret.Get(0).(*service.CertificatesResponse)
}
}
return r0
}
// MockProvider_GetCertificates_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetCertificates'
type MockProvider_GetCertificates_Call struct {
*mock.Call
}
// GetCertificates is a helper method to define mock.On call
func (_e *MockProvider_Expecter) GetCertificates() *MockProvider_GetCertificates_Call {
return &MockProvider_GetCertificates_Call{Call: _e.mock.On("GetCertificates")}
}
func (_c *MockProvider_GetCertificates_Call) Run(run func()) *MockProvider_GetCertificates_Call {
_c.Call.Run(func(args mock.Arguments) {
run()
})
return _c
}
func (_c *MockProvider_GetCertificates_Call) Return(certificatesResponse *service.CertificatesResponse) *MockProvider_GetCertificates_Call {
_c.Call.Return(certificatesResponse)
return _c
}
func (_c *MockProvider_GetCertificates_Call) RunAndReturn(run func() *service.CertificatesResponse) *MockProvider_GetCertificates_Call {
_c.Call.Return(run)
return _c
}
// Refresh provides a mock function for the type MockProvider
func (_mock *MockProvider) Refresh(refreshToken string) (*service.TokenResponse, error) {
ret := _mock.Called(refreshToken)
if len(ret) == 0 {
panic("no return value specified for Refresh")
}
var r0 *service.TokenResponse
var r1 error
if returnFunc, ok := ret.Get(0).(func(string) (*service.TokenResponse, error)); ok {
return returnFunc(refreshToken)
}
if returnFunc, ok := ret.Get(0).(func(string) *service.TokenResponse); ok {
r0 = returnFunc(refreshToken)
} else {
if ret.Get(0) != nil {
r0 = ret.Get(0).(*service.TokenResponse)
}
}
if returnFunc, ok := ret.Get(1).(func(string) error); ok {
r1 = returnFunc(refreshToken)
} else {
r1 = ret.Error(1)
}
return r0, r1
}
// MockProvider_Refresh_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Refresh'
type MockProvider_Refresh_Call struct {
*mock.Call
}
// Refresh is a helper method to define mock.On call
// - refreshToken string
func (_e *MockProvider_Expecter) Refresh(refreshToken interface{}) *MockProvider_Refresh_Call {
return &MockProvider_Refresh_Call{Call: _e.mock.On("Refresh", refreshToken)}
}
func (_c *MockProvider_Refresh_Call) Run(run func(refreshToken string)) *MockProvider_Refresh_Call {
_c.Call.Run(func(args mock.Arguments) {
var arg0 string
if args[0] != nil {
arg0 = args[0].(string)
}
run(
arg0,
)
})
return _c
}
func (_c *MockProvider_Refresh_Call) Return(tokenResponse *service.TokenResponse, err error) *MockProvider_Refresh_Call {
_c.Call.Return(tokenResponse, err)
return _c
}
func (_c *MockProvider_Refresh_Call) RunAndReturn(run func(refreshToken string) (*service.TokenResponse, error)) *MockProvider_Refresh_Call {
_c.Call.Return(run)
return _c
}

101
mocks/github.com/int128/kubelogin/pkg/cmd_mock/mocks.go
View File

@@ -1,101 +0,0 @@
// Code generated by mockery; DO NOT EDIT.
// github.com/vektra/mockery
// template: testify
package cmd_mock
import (
"context"
mock "github.com/stretchr/testify/mock"
)
// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
// The first argument is typically a *testing.T value.
func NewMockInterface(t interface {
mock.TestingT
Cleanup(func())
}) *MockInterface {
mock := &MockInterface{}
mock.Mock.Test(t)
t.Cleanup(func() { mock.AssertExpectations(t) })
return mock
}
// MockInterface is an autogenerated mock type for the Interface type
type MockInterface struct {
mock.Mock
}
type MockInterface_Expecter struct {
mock *mock.Mock
}
func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
return &MockInterface_Expecter{mock: &_m.Mock}
}
// Run provides a mock function for the type MockInterface
func (_mock *MockInterface) Run(ctx context.Context, args []string, version string) int {
ret := _mock.Called(ctx, args, version)
if len(ret) == 0 {
panic("no return value specified for Run")
}
var r0 int
if returnFunc, ok := ret.Get(0).(func(context.Context, []string, string) int); ok {
r0 = returnFunc(ctx, args, version)
} else {
r0 = ret.Get(0).(int)
}
return r0
}
// MockInterface_Run_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Run'
type MockInterface_Run_Call struct {
*mock.Call
}
// Run is a helper method to define mock.On call
// - ctx context.Context
// - args []string
// - version string
func (_e *MockInterface_Expecter) Run(ctx interface{}, args interface{}, version interface{}) *MockInterface_Run_Call {
return &MockInterface_Run_Call{Call: _e.mock.On("Run", ctx, args, version)}
}
func (_c *MockInterface_Run_Call) Run(run func(ctx context.Context, args []string, version string)) *MockInterface_Run_Call {
_c.Call.Run(func(args mock.Arguments) {
var arg0 context.Context
if args[0] != nil {
arg0 = args[0].(context.Context)
}
var arg1 []string
if args[1] != nil {
arg1 = args[1].([]string)
}
var arg2 string
if args[2] != nil {
arg2 = args[2].(string)
}
run(
arg0,
arg1,
arg2,
)
})
return _c
}
func (_c *MockInterface_Run_Call) Return(n int) *MockInterface_Run_Call {
_c.Call.Return(n)
return _c
}
func (_c *MockInterface_Run_Call) RunAndReturn(run func(ctx context.Context, args []string, version string) int) *MockInterface_Run_Call {
_c.Call.Return(run)
return _c
}

90
mocks/github.com/int128/kubelogin/pkg/credentialplugin/reader_mock/mocks.go
View File

@@ -1,90 +0,0 @@
// Code generated by mockery; DO NOT EDIT.
// github.com/vektra/mockery
// template: testify
package reader_mock
import (
"github.com/int128/kubelogin/pkg/credentialplugin"
mock "github.com/stretchr/testify/mock"
)
// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
// The first argument is typically a *testing.T value.
func NewMockInterface(t interface {
mock.TestingT
Cleanup(func())
}) *MockInterface {
mock := &MockInterface{}
mock.Mock.Test(t)
t.Cleanup(func() { mock.AssertExpectations(t) })
return mock
}
// MockInterface is an autogenerated mock type for the Interface type
type MockInterface struct {
mock.Mock
}
type MockInterface_Expecter struct {
mock *mock.Mock
}
func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
return &MockInterface_Expecter{mock: &_m.Mock}
}
// Read provides a mock function for the type MockInterface
func (_mock *MockInterface) Read() (credentialplugin.Input, error) {
ret := _mock.Called()
if len(ret) == 0 {
panic("no return value specified for Read")
}
var r0 credentialplugin.Input
var r1 error
if returnFunc, ok := ret.Get(0).(func() (credentialplugin.Input, error)); ok {
return returnFunc()
}
if returnFunc, ok := ret.Get(0).(func() credentialplugin.Input); ok {
r0 = returnFunc()
} else {
r0 = ret.Get(0).(credentialplugin.Input)
}
if returnFunc, ok := ret.Get(1).(func() error); ok {
r1 = returnFunc()
} else {
r1 = ret.Error(1)
}
return r0, r1
}
// MockInterface_Read_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Read'
type MockInterface_Read_Call struct {
*mock.Call
}
// Read is a helper method to define mock.On call
func (_e *MockInterface_Expecter) Read() *MockInterface_Read_Call {
return &MockInterface_Read_Call{Call: _e.mock.On("Read")}
}
func (_c *MockInterface_Read_Call) Run(run func()) *MockInterface_Read_Call {
_c.Call.Run(func(args mock.Arguments) {
run()
})
return _c
}
func (_c *MockInterface_Read_Call) Return(input credentialplugin.Input, err error) *MockInterface_Read_Call {
_c.Call.Return(input, err)
return _c
}
func (_c *MockInterface_Read_Call) RunAndReturn(run func() (credentialplugin.Input, error)) *MockInterface_Read_Call {
_c.Call.Return(run)
return _c
}

88
mocks/github.com/int128/kubelogin/pkg/credentialplugin/writer_mock/mocks.go
View File

@@ -1,88 +0,0 @@
// Code generated by mockery; DO NOT EDIT.
// github.com/vektra/mockery
// template: testify
package writer_mock
import (
"github.com/int128/kubelogin/pkg/credentialplugin"
mock "github.com/stretchr/testify/mock"
)
// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
// The first argument is typically a *testing.T value.
func NewMockInterface(t interface {
mock.TestingT
Cleanup(func())
}) *MockInterface {
mock := &MockInterface{}
mock.Mock.Test(t)
t.Cleanup(func() { mock.AssertExpectations(t) })
return mock
}
// MockInterface is an autogenerated mock type for the Interface type
type MockInterface struct {
mock.Mock
}
type MockInterface_Expecter struct {
mock *mock.Mock
}
func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
return &MockInterface_Expecter{mock: &_m.Mock}
}
// Write provides a mock function for the type MockInterface
func (_mock *MockInterface) Write(out credentialplugin.Output) error {
ret := _mock.Called(out)
if len(ret) == 0 {
panic("no return value specified for Write")
}
var r0 error
if returnFunc, ok := ret.Get(0).(func(credentialplugin.Output) error); ok {
r0 = returnFunc(out)
} else {
r0 = ret.Error(0)
}
return r0
}
// MockInterface_Write_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Write'
type MockInterface_Write_Call struct {
*mock.Call
}
// Write is a helper method to define mock.On call
// - out credentialplugin.Output
func (_e *MockInterface_Expecter) Write(out interface{}) *MockInterface_Write_Call {
return &MockInterface_Write_Call{Call: _e.mock.On("Write", out)}
}
func (_c *MockInterface_Write_Call) Run(run func(out credentialplugin.Output)) *MockInterface_Write_Call {
_c.Call.Run(func(args mock.Arguments) {
var arg0 credentialplugin.Output
if args[0] != nil {
arg0 = args[0].(credentialplugin.Output)
}
run(
arg0,
)
})
return _c
}
func (_c *MockInterface_Write_Call) Return(err error) *MockInterface_Write_Call {
_c.Call.Return(err)
return _c
}
func (_c *MockInterface_Write_Call) RunAndReturn(run func(out credentialplugin.Output) error) *MockInterface_Write_Call {
_c.Call.Return(run)
return _c
}

152
mocks/github.com/int128/kubelogin/pkg/infrastructure/browser_mock/mocks.go
View File

@@ -1,152 +0,0 @@
// Code generated by mockery; DO NOT EDIT.
// github.com/vektra/mockery
// template: testify
package browser_mock
import (
"context"
mock "github.com/stretchr/testify/mock"
)
// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
// The first argument is typically a *testing.T value.
func NewMockInterface(t interface {
mock.TestingT
Cleanup(func())
}) *MockInterface {
mock := &MockInterface{}
mock.Mock.Test(t)
t.Cleanup(func() { mock.AssertExpectations(t) })
return mock
}
// MockInterface is an autogenerated mock type for the Interface type
type MockInterface struct {
mock.Mock
}
type MockInterface_Expecter struct {
mock *mock.Mock
}
func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
return &MockInterface_Expecter{mock: &_m.Mock}
}
// Open provides a mock function for the type MockInterface
func (_mock *MockInterface) Open(url string) error {
ret := _mock.Called(url)
if len(ret) == 0 {
panic("no return value specified for Open")
}
var r0 error
if returnFunc, ok := ret.Get(0).(func(string) error); ok {
r0 = returnFunc(url)
} else {
r0 = ret.Error(0)
}
return r0
}
// MockInterface_Open_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Open'
type MockInterface_Open_Call struct {
*mock.Call
}
// Open is a helper method to define mock.On call
// - url string
func (_e *MockInterface_Expecter) Open(url interface{}) *MockInterface_Open_Call {
return &MockInterface_Open_Call{Call: _e.mock.On("Open", url)}
}
func (_c *MockInterface_Open_Call) Run(run func(url string)) *MockInterface_Open_Call {
_c.Call.Run(func(args mock.Arguments) {
var arg0 string
if args[0] != nil {
arg0 = args[0].(string)
}
run(
arg0,
)
})
return _c
}
func (_c *MockInterface_Open_Call) Return(err error) *MockInterface_Open_Call {
_c.Call.Return(err)
return _c
}
func (_c *MockInterface_Open_Call) RunAndReturn(run func(url string) error) *MockInterface_Open_Call {
_c.Call.Return(run)
return _c
}
// OpenCommand provides a mock function for the type MockInterface
func (_mock *MockInterface) OpenCommand(ctx context.Context, url string, command string) error {
ret := _mock.Called(ctx, url, command)
if len(ret) == 0 {
panic("no return value specified for OpenCommand")
}
var r0 error
if returnFunc, ok := ret.Get(0).(func(context.Context, string, string) error); ok {
r0 = returnFunc(ctx, url, command)
} else {
r0 = ret.Error(0)
}
return r0
}
// MockInterface_OpenCommand_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'OpenCommand'
type MockInterface_OpenCommand_Call struct {
*mock.Call
}
// OpenCommand is a helper method to define mock.On call
// - ctx context.Context
// - url string
// - command string
func (_e *MockInterface_Expecter) OpenCommand(ctx interface{}, url interface{}, command interface{}) *MockInterface_OpenCommand_Call {
return &MockInterface_OpenCommand_Call{Call: _e.mock.On("OpenCommand", ctx, url, command)}
}
func (_c *MockInterface_OpenCommand_Call) Run(run func(ctx context.Context, url string, command string)) *MockInterface_OpenCommand_Call {
_c.Call.Run(func(args mock.Arguments) {
var arg0 context.Context
if args[0] != nil {
arg0 = args[0].(context.Context)
}
var arg1 string
if args[1] != nil {
arg1 = args[1].(string)
}
var arg2 string
if args[2] != nil {
arg2 = args[2].(string)
}
run(
arg0,
arg1,
arg2,
)
})
return _c
}
func (_c *MockInterface_OpenCommand_Call) Return(err error) *MockInterface_OpenCommand_Call {
_c.Call.Return(err)
return _c
}
func (_c *MockInterface_OpenCommand_Call) RunAndReturn(run func(ctx context.Context, url string, command string) error) *MockInterface_OpenCommand_Call {
_c.Call.Return(run)
return _c
}

82
mocks/github.com/int128/kubelogin/pkg/infrastructure/clock_mock/mocks.go
View File

@@ -1,82 +0,0 @@
// Code generated by mockery; DO NOT EDIT.
// github.com/vektra/mockery
// template: testify
package clock_mock
import (
"time"
mock "github.com/stretchr/testify/mock"
)
// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
// The first argument is typically a *testing.T value.
func NewMockInterface(t interface {
mock.TestingT
Cleanup(func())
}) *MockInterface {
mock := &MockInterface{}
mock.Mock.Test(t)
t.Cleanup(func() { mock.AssertExpectations(t) })
return mock
}
// MockInterface is an autogenerated mock type for the Interface type
type MockInterface struct {
mock.Mock
}
type MockInterface_Expecter struct {
mock *mock.Mock
}
func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
return &MockInterface_Expecter{mock: &_m.Mock}
}
// Now provides a mock function for the type MockInterface
func (_mock *MockInterface) Now() time.Time {
ret := _mock.Called()
if len(ret) == 0 {
panic("no return value specified for Now")
}
var r0 time.Time
if returnFunc, ok := ret.Get(0).(func() time.Time); ok {
r0 = returnFunc()
} else {
r0 = ret.Get(0).(time.Time)
}
return r0
}
// MockInterface_Now_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Now'
type MockInterface_Now_Call struct {
*mock.Call
}
// Now is a helper method to define mock.On call
func (_e *MockInterface_Expecter) Now() *MockInterface_Now_Call {
return &MockInterface_Now_Call{Call: _e.mock.On("Now")}
}
func (_c *MockInterface_Now_Call) Run(run func()) *MockInterface_Now_Call {
_c.Call.Run(func(args mock.Arguments) {
run()
})
return _c
}
func (_c *MockInterface_Now_Call) Return(time1 time.Time) *MockInterface_Now_Call {
_c.Call.Return(time1)
return _c
}
func (_c *MockInterface_Now_Call) RunAndReturn(run func() time.Time) *MockInterface_Now_Call {
_c.Call.Return(run)
return _c
}

398
mocks/github.com/int128/kubelogin/pkg/infrastructure/logger_mock/mocks.go
View File

@@ -1,398 +0,0 @@
// Code generated by mockery; DO NOT EDIT.
// github.com/vektra/mockery
// template: testify
package logger_mock
import (
"github.com/int128/kubelogin/pkg/infrastructure/logger"
"github.com/spf13/pflag"
mock "github.com/stretchr/testify/mock"
)
// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
// The first argument is typically a *testing.T value.
func NewMockInterface(t interface {
mock.TestingT
Cleanup(func())
}) *MockInterface {
mock := &MockInterface{}
mock.Mock.Test(t)
t.Cleanup(func() { mock.AssertExpectations(t) })
return mock
}
// MockInterface is an autogenerated mock type for the Interface type
type MockInterface struct {
mock.Mock
}
type MockInterface_Expecter struct {
mock *mock.Mock
}
func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
return &MockInterface_Expecter{mock: &_m.Mock}
}
// AddFlags provides a mock function for the type MockInterface
func (_mock *MockInterface) AddFlags(f *pflag.FlagSet) {
_mock.Called(f)
return
}
// MockInterface_AddFlags_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'AddFlags'
type MockInterface_AddFlags_Call struct {
*mock.Call
}
// AddFlags is a helper method to define mock.On call
// - f *pflag.FlagSet
func (_e *MockInterface_Expecter) AddFlags(f interface{}) *MockInterface_AddFlags_Call {
return &MockInterface_AddFlags_Call{Call: _e.mock.On("AddFlags", f)}
}
func (_c *MockInterface_AddFlags_Call) Run(run func(f *pflag.FlagSet)) *MockInterface_AddFlags_Call {
_c.Call.Run(func(args mock.Arguments) {
var arg0 *pflag.FlagSet
if args[0] != nil {
arg0 = args[0].(*pflag.FlagSet)
}
run(
arg0,
)
})
return _c
}
func (_c *MockInterface_AddFlags_Call) Return() *MockInterface_AddFlags_Call {
_c.Call.Return()
return _c
}
func (_c *MockInterface_AddFlags_Call) RunAndReturn(run func(f *pflag.FlagSet)) *MockInterface_AddFlags_Call {
_c.Run(run)
return _c
}
// IsEnabled provides a mock function for the type MockInterface
func (_mock *MockInterface) IsEnabled(level int) bool {
ret := _mock.Called(level)
if len(ret) == 0 {
panic("no return value specified for IsEnabled")
}
var r0 bool
if returnFunc, ok := ret.Get(0).(func(int) bool); ok {
r0 = returnFunc(level)
} else {
r0 = ret.Get(0).(bool)
}
return r0
}
// MockInterface_IsEnabled_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'IsEnabled'
type MockInterface_IsEnabled_Call struct {
*mock.Call
}
// IsEnabled is a helper method to define mock.On call
// - level int
func (_e *MockInterface_Expecter) IsEnabled(level interface{}) *MockInterface_IsEnabled_Call {
return &MockInterface_IsEnabled_Call{Call: _e.mock.On("IsEnabled", level)}
}
func (_c *MockInterface_IsEnabled_Call) Run(run func(level int)) *MockInterface_IsEnabled_Call {
_c.Call.Run(func(args mock.Arguments) {
var arg0 int
if args[0] != nil {
arg0 = args[0].(int)
}
run(
arg0,
)
})
return _c
}
func (_c *MockInterface_IsEnabled_Call) Return(b bool) *MockInterface_IsEnabled_Call {
_c.Call.Return(b)
return _c
}
func (_c *MockInterface_IsEnabled_Call) RunAndReturn(run func(level int) bool) *MockInterface_IsEnabled_Call {
_c.Call.Return(run)
return _c
}
// Printf provides a mock function for the type MockInterface
func (_mock *MockInterface) Printf(format string, args ...interface{}) {
if len(args) > 0 {
_mock.Called(format, args)
} else {
_mock.Called(format)
}
return
}
// MockInterface_Printf_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Printf'
type MockInterface_Printf_Call struct {
*mock.Call
}
// Printf is a helper method to define mock.On call
// - format string
// - args ...interface{}
func (_e *MockInterface_Expecter) Printf(format interface{}, args ...interface{}) *MockInterface_Printf_Call {
return &MockInterface_Printf_Call{Call: _e.mock.On("Printf",
append([]interface{}{format}, args...)...)}
}
func (_c *MockInterface_Printf_Call) Run(run func(format string, args ...interface{})) *MockInterface_Printf_Call {
_c.Call.Run(func(args mock.Arguments) {
var arg0 string
if args[0] != nil {
arg0 = args[0].(string)
}
var arg1 []interface{}
var variadicArgs []interface{}
if len(args) > 1 {
variadicArgs = args[1].([]interface{})
}
arg1 = variadicArgs
run(
arg0,
arg1...,
)
})
return _c
}
func (_c *MockInterface_Printf_Call) Return() *MockInterface_Printf_Call {
_c.Call.Return()
return _c
}
func (_c *MockInterface_Printf_Call) RunAndReturn(run func(format string, args ...interface{})) *MockInterface_Printf_Call {
_c.Run(run)
return _c
}
// V provides a mock function for the type MockInterface
func (_mock *MockInterface) V(level int) logger.Verbose {
ret := _mock.Called(level)
if len(ret) == 0 {
panic("no return value specified for V")
}
var r0 logger.Verbose
if returnFunc, ok := ret.Get(0).(func(int) logger.Verbose); ok {
r0 = returnFunc(level)
} else {
if ret.Get(0) != nil {
r0 = ret.Get(0).(logger.Verbose)
}
}
return r0
}
// MockInterface_V_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'V'
type MockInterface_V_Call struct {
*mock.Call
}
// V is a helper method to define mock.On call
// - level int
func (_e *MockInterface_Expecter) V(level interface{}) *MockInterface_V_Call {
return &MockInterface_V_Call{Call: _e.mock.On("V", level)}
}
func (_c *MockInterface_V_Call) Run(run func(level int)) *MockInterface_V_Call {
_c.Call.Run(func(args mock.Arguments) {
var arg0 int
if args[0] != nil {
arg0 = args[0].(int)
}
run(
arg0,
)
})
return _c
}
func (_c *MockInterface_V_Call) Return(verbose logger.Verbose) *MockInterface_V_Call {
_c.Call.Return(verbose)
return _c
}
func (_c *MockInterface_V_Call) RunAndReturn(run func(level int) logger.Verbose) *MockInterface_V_Call {
_c.Call.Return(run)
return _c
}
// NewMockVerbose creates a new instance of MockVerbose. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
// The first argument is typically a *testing.T value.
func NewMockVerbose(t interface {
mock.TestingT
Cleanup(func())
}) *MockVerbose {
mock := &MockVerbose{}
mock.Mock.Test(t)
t.Cleanup(func() { mock.AssertExpectations(t) })
return mock
}
// MockVerbose is an autogenerated mock type for the Verbose type
type MockVerbose struct {
mock.Mock
}
type MockVerbose_Expecter struct {
mock *mock.Mock
}
func (_m *MockVerbose) EXPECT() *MockVerbose_Expecter {
return &MockVerbose_Expecter{mock: &_m.Mock}
}
// Infof provides a mock function for the type MockVerbose
func (_mock *MockVerbose) Infof(format string, args ...interface{}) {
if len(args) > 0 {
_mock.Called(format, args)
} else {
_mock.Called(format)
}
return
}
// MockVerbose_Infof_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Infof'
type MockVerbose_Infof_Call struct {
*mock.Call
}
// Infof is a helper method to define mock.On call
// - format string
// - args ...interface{}
func (_e *MockVerbose_Expecter) Infof(format interface{}, args ...interface{}) *MockVerbose_Infof_Call {
return &MockVerbose_Infof_Call{Call: _e.mock.On("Infof",
append([]interface{}{format}, args...)...)}
}
func (_c *MockVerbose_Infof_Call) Run(run func(format string, args ...interface{})) *MockVerbose_Infof_Call {
_c.Call.Run(func(args mock.Arguments) {
var arg0 string
if args[0] != nil {
arg0 = args[0].(string)
}
var arg1 []interface{}
var variadicArgs []interface{}
if len(args) > 1 {
variadicArgs = args[1].([]interface{})
}
arg1 = variadicArgs
run(
arg0,
arg1...,
)
})
return _c
}
func (_c *MockVerbose_Infof_Call) Return() *MockVerbose_Infof_Call {
_c.Call.Return()
return _c
}
func (_c *MockVerbose_Infof_Call) RunAndReturn(run func(format string, args ...interface{})) *MockVerbose_Infof_Call {
_c.Run(run)
return _c
}
// newMockgoLogger creates a new instance of mockgoLogger. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
// The first argument is typically a *testing.T value.
func newMockgoLogger(t interface {
mock.TestingT
Cleanup(func())
}) *mockgoLogger {
mock := &mockgoLogger{}
mock.Mock.Test(t)
t.Cleanup(func() { mock.AssertExpectations(t) })
return mock
}
// mockgoLogger is an autogenerated mock type for the goLogger type
type mockgoLogger struct {
mock.Mock
}
type mockgoLogger_Expecter struct {
mock *mock.Mock
}
func (_m *mockgoLogger) EXPECT() *mockgoLogger_Expecter {
return &mockgoLogger_Expecter{mock: &_m.Mock}
}
// Printf provides a mock function for the type mockgoLogger
func (_mock *mockgoLogger) Printf(format string, v ...interface{}) {
if len(v) > 0 {
_mock.Called(format, v)
} else {
_mock.Called(format)
}
return
}
// mockgoLogger_Printf_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Printf'
type mockgoLogger_Printf_Call struct {
*mock.Call
}
// Printf is a helper method to define mock.On call
// - format string
// - v ...interface{}
func (_e *mockgoLogger_Expecter) Printf(format interface{}, v ...interface{}) *mockgoLogger_Printf_Call {
return &mockgoLogger_Printf_Call{Call: _e.mock.On("Printf",
append([]interface{}{format}, v...)...)}
}
func (_c *mockgoLogger_Printf_Call) Run(run func(format string, v ...interface{})) *mockgoLogger_Printf_Call {
_c.Call.Run(func(args mock.Arguments) {
var arg0 string
if args[0] != nil {
arg0 = args[0].(string)
}
var arg1 []interface{}
var variadicArgs []interface{}
if len(args) > 1 {
variadicArgs = args[1].([]interface{})
}
arg1 = variadicArgs
run(
arg0,
arg1...,
)
})
return _c
}
func (_c *mockgoLogger_Printf_Call) Return() *mockgoLogger_Printf_Call {
_c.Call.Return()
return _c
}
func (_c *mockgoLogger_Printf_Call) RunAndReturn(run func(format string, v ...interface{})) *mockgoLogger_Printf_Call {
_c.Run(run)
return _c
}

156
mocks/github.com/int128/kubelogin/pkg/infrastructure/reader_mock/mocks.go
View File

@@ -1,156 +0,0 @@
// Code generated by mockery; DO NOT EDIT.
// github.com/vektra/mockery
// template: testify
package reader_mock
import (
mock "github.com/stretchr/testify/mock"
)
// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
// The first argument is typically a *testing.T value.
func NewMockInterface(t interface {
mock.TestingT
Cleanup(func())
}) *MockInterface {
mock := &MockInterface{}
mock.Mock.Test(t)
t.Cleanup(func() { mock.AssertExpectations(t) })
return mock
}
// MockInterface is an autogenerated mock type for the Interface type
type MockInterface struct {
mock.Mock
}
type MockInterface_Expecter struct {
mock *mock.Mock
}
func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
return &MockInterface_Expecter{mock: &_m.Mock}
}
// ReadPassword provides a mock function for the type MockInterface
func (_mock *MockInterface) ReadPassword(prompt string) (string, error) {
ret := _mock.Called(prompt)
if len(ret) == 0 {
panic("no return value specified for ReadPassword")
}
var r0 string
var r1 error
if returnFunc, ok := ret.Get(0).(func(string) (string, error)); ok {
return returnFunc(prompt)
}
if returnFunc, ok := ret.Get(0).(func(string) string); ok {
r0 = returnFunc(prompt)
} else {
r0 = ret.Get(0).(string)
}
if returnFunc, ok := ret.Get(1).(func(string) error); ok {
r1 = returnFunc(prompt)
} else {
r1 = ret.Error(1)
}
return r0, r1
}
// MockInterface_ReadPassword_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ReadPassword'
type MockInterface_ReadPassword_Call struct {
*mock.Call
}
// ReadPassword is a helper method to define mock.On call
// - prompt string
func (_e *MockInterface_Expecter) ReadPassword(prompt interface{}) *MockInterface_ReadPassword_Call {
return &MockInterface_ReadPassword_Call{Call: _e.mock.On("ReadPassword", prompt)}
}
func (_c *MockInterface_ReadPassword_Call) Run(run func(prompt string)) *MockInterface_ReadPassword_Call {
_c.Call.Run(func(args mock.Arguments) {
var arg0 string
if args[0] != nil {
arg0 = args[0].(string)
}
run(
arg0,
)
})
return _c
}
func (_c *MockInterface_ReadPassword_Call) Return(s string, err error) *MockInterface_ReadPassword_Call {
_c.Call.Return(s, err)
return _c
}
func (_c *MockInterface_ReadPassword_Call) RunAndReturn(run func(prompt string) (string, error)) *MockInterface_ReadPassword_Call {
_c.Call.Return(run)
return _c
}
// ReadString provides a mock function for the type MockInterface
func (_mock *MockInterface) ReadString(prompt string) (string, error) {
ret := _mock.Called(prompt)
if len(ret) == 0 {
panic("no return value specified for ReadString")
}
var r0 string
var r1 error
if returnFunc, ok := ret.Get(0).(func(string) (string, error)); ok {
return returnFunc(prompt)
}
if returnFunc, ok := ret.Get(0).(func(string) string); ok {
r0 = returnFunc(prompt)
} else {
r0 = ret.Get(0).(string)
}
if returnFunc, ok := ret.Get(1).(func(string) error); ok {
r1 = returnFunc(prompt)
} else {
r1 = ret.Error(1)
}
return r0, r1
}
// MockInterface_ReadString_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ReadString'
type MockInterface_ReadString_Call struct {
*mock.Call
}
// ReadString is a helper method to define mock.On call
// - prompt string
func (_e *MockInterface_Expecter) ReadString(prompt interface{}) *MockInterface_ReadString_Call {
return &MockInterface_ReadString_Call{Call: _e.mock.On("ReadString", prompt)}
}
func (_c *MockInterface_ReadString_Call) Run(run func(prompt string)) *MockInterface_ReadString_Call {
_c.Call.Run(func(args mock.Arguments) {
var arg0 string
if args[0] != nil {
arg0 = args[0].(string)
}
run(
arg0,
)
})
return _c
}
func (_c *MockInterface_ReadString_Call) Return(s string, err error) *MockInterface_ReadString_Call {
_c.Call.Return(s, err)
return _c
}
func (_c *MockInterface_ReadString_Call) RunAndReturn(run func(prompt string) (string, error)) *MockInterface_ReadString_Call {
_c.Call.Return(run)
return _c
}

183
mocks/github.com/int128/kubelogin/pkg/infrastructure/stdio_mock/mocks.go
View File

@@ -1,183 +0,0 @@
// Code generated by mockery; DO NOT EDIT.
// github.com/vektra/mockery
// template: testify
package stdio_mock
import (
mock "github.com/stretchr/testify/mock"
)
// NewMockStdout creates a new instance of MockStdout. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
// The first argument is typically a *testing.T value.
func NewMockStdout(t interface {
mock.TestingT
Cleanup(func())
}) *MockStdout {
mock := &MockStdout{}
mock.Mock.Test(t)
t.Cleanup(func() { mock.AssertExpectations(t) })
return mock
}
// MockStdout is an autogenerated mock type for the Stdout type
type MockStdout struct {
mock.Mock
}
type MockStdout_Expecter struct {
mock *mock.Mock
}
func (_m *MockStdout) EXPECT() *MockStdout_Expecter {
return &MockStdout_Expecter{mock: &_m.Mock}
}
// Write provides a mock function for the type MockStdout
func (_mock *MockStdout) Write(p []byte) (int, error) {
ret := _mock.Called(p)
if len(ret) == 0 {
panic("no return value specified for Write")
}
var r0 int
var r1 error
if returnFunc, ok := ret.Get(0).(func([]byte) (int, error)); ok {
return returnFunc(p)
}
if returnFunc, ok := ret.Get(0).(func([]byte) int); ok {
r0 = returnFunc(p)
} else {
r0 = ret.Get(0).(int)
}
if returnFunc, ok := ret.Get(1).(func([]byte) error); ok {
r1 = returnFunc(p)
} else {
r1 = ret.Error(1)
}
return r0, r1
}
// MockStdout_Write_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Write'
type MockStdout_Write_Call struct {
*mock.Call
}
// Write is a helper method to define mock.On call
// - p []byte
func (_e *MockStdout_Expecter) Write(p interface{}) *MockStdout_Write_Call {
return &MockStdout_Write_Call{Call: _e.mock.On("Write", p)}
}
func (_c *MockStdout_Write_Call) Run(run func(p []byte)) *MockStdout_Write_Call {
_c.Call.Run(func(args mock.Arguments) {
var arg0 []byte
if args[0] != nil {
arg0 = args[0].([]byte)
}
run(
arg0,
)
})
return _c
}
func (_c *MockStdout_Write_Call) Return(n int, err error) *MockStdout_Write_Call {
_c.Call.Return(n, err)
return _c
}
func (_c *MockStdout_Write_Call) RunAndReturn(run func(p []byte) (int, error)) *MockStdout_Write_Call {
_c.Call.Return(run)
return _c
}
// NewMockStdin creates a new instance of MockStdin. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
// The first argument is typically a *testing.T value.
func NewMockStdin(t interface {
mock.TestingT
Cleanup(func())
}) *MockStdin {
mock := &MockStdin{}
mock.Mock.Test(t)
t.Cleanup(func() { mock.AssertExpectations(t) })
return mock
}
// MockStdin is an autogenerated mock type for the Stdin type
type MockStdin struct {
mock.Mock
}
type MockStdin_Expecter struct {
mock *mock.Mock
}
func (_m *MockStdin) EXPECT() *MockStdin_Expecter {
return &MockStdin_Expecter{mock: &_m.Mock}
}
// Read provides a mock function for the type MockStdin
func (_mock *MockStdin) Read(p []byte) (int, error) {
ret := _mock.Called(p)
if len(ret) == 0 {
panic("no return value specified for Read")
}
var r0 int
var r1 error
if returnFunc, ok := ret.Get(0).(func([]byte) (int, error)); ok {
return returnFunc(p)
}
if returnFunc, ok := ret.Get(0).(func([]byte) int); ok {
r0 = returnFunc(p)
} else {
r0 = ret.Get(0).(int)
}
if returnFunc, ok := ret.Get(1).(func([]byte) error); ok {
r1 = returnFunc(p)
} else {
r1 = ret.Error(1)
}
return r0, r1
}
// MockStdin_Read_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Read'
type MockStdin_Read_Call struct {
*mock.Call
}
// Read is a helper method to define mock.On call
// - p []byte
func (_e *MockStdin_Expecter) Read(p interface{}) *MockStdin_Read_Call {
return &MockStdin_Read_Call{Call: _e.mock.On("Read", p)}
}
func (_c *MockStdin_Read_Call) Run(run func(p []byte)) *MockStdin_Read_Call {
_c.Call.Run(func(args mock.Arguments) {
var arg0 []byte
if args[0] != nil {
arg0 = args[0].([]byte)
}
run(
arg0,
)
})
return _c
}
func (_c *MockStdin_Read_Call) Return(n int, err error) *MockStdin_Read_Call {
_c.Call.Return(n, err)
return _c
}
func (_c *MockStdin_Read_Call) RunAndReturn(run func(p []byte) (int, error)) *MockStdin_Read_Call {
_c.Call.Return(run)
return _c
}

82
mocks/github.com/int128/kubelogin/pkg/jwt_mock/mocks.go
View File

@@ -1,82 +0,0 @@
// Code generated by mockery; DO NOT EDIT.
// github.com/vektra/mockery
// template: testify
package jwt_mock
import (
"time"
mock "github.com/stretchr/testify/mock"
)
// NewMockClock creates a new instance of MockClock. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
// The first argument is typically a *testing.T value.
func NewMockClock(t interface {
mock.TestingT
Cleanup(func())
}) *MockClock {
mock := &MockClock{}
mock.Mock.Test(t)
t.Cleanup(func() { mock.AssertExpectations(t) })
return mock
}
// MockClock is an autogenerated mock type for the Clock type
type MockClock struct {
mock.Mock
}
type MockClock_Expecter struct {
mock *mock.Mock
}
func (_m *MockClock) EXPECT() *MockClock_Expecter {
return &MockClock_Expecter{mock: &_m.Mock}
}
// Now provides a mock function for the type MockClock
func (_mock *MockClock) Now() time.Time {
ret := _mock.Called()
if len(ret) == 0 {
panic("no return value specified for Now")
}
var r0 time.Time
if returnFunc, ok := ret.Get(0).(func() time.Time); ok {
r0 = returnFunc()
} else {
r0 = ret.Get(0).(time.Time)
}
return r0
}
// MockClock_Now_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Now'
type MockClock_Now_Call struct {
*mock.Call
}
// Now is a helper method to define mock.On call
func (_e *MockClock_Expecter) Now() *MockClock_Now_Call {
return &MockClock_Now_Call{Call: _e.mock.On("Now")}
}
func (_c *MockClock_Now_Call) Run(run func()) *MockClock_Now_Call {
_c.Call.Run(func(args mock.Arguments) {
run()
})
return _c
}
func (_c *MockClock_Now_Call) Return(time1 time.Time) *MockClock_Now_Call {
_c.Call.Return(time1)
return _c
}
func (_c *MockClock_Now_Call) RunAndReturn(run func() time.Time) *MockClock_Now_Call {
_c.Call.Return(run)
return _c
}

111
mocks/github.com/int128/kubelogin/pkg/kubeconfig/loader_mock/mocks.go
View File

@@ -1,111 +0,0 @@
// Code generated by mockery; DO NOT EDIT.
// github.com/vektra/mockery
// template: testify
package loader_mock
import (
"github.com/int128/kubelogin/pkg/kubeconfig"
mock "github.com/stretchr/testify/mock"
)
// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
// The first argument is typically a *testing.T value.
func NewMockInterface(t interface {
mock.TestingT
Cleanup(func())
}) *MockInterface {
mock := &MockInterface{}
mock.Mock.Test(t)
t.Cleanup(func() { mock.AssertExpectations(t) })
return mock
}
// MockInterface is an autogenerated mock type for the Interface type
type MockInterface struct {
mock.Mock
}
type MockInterface_Expecter struct {
mock *mock.Mock
}
func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
return &MockInterface_Expecter{mock: &_m.Mock}
}
// GetCurrentAuthProvider provides a mock function for the type MockInterface
func (_mock *MockInterface) GetCurrentAuthProvider(explicitFilename string, contextName kubeconfig.ContextName, userName kubeconfig.UserName) (*kubeconfig.AuthProvider, error) {
ret := _mock.Called(explicitFilename, contextName, userName)
if len(ret) == 0 {
panic("no return value specified for GetCurrentAuthProvider")
}
var r0 *kubeconfig.AuthProvider
var r1 error
if returnFunc, ok := ret.Get(0).(func(string, kubeconfig.ContextName, kubeconfig.UserName) (*kubeconfig.AuthProvider, error)); ok {
return returnFunc(explicitFilename, contextName, userName)
}
if returnFunc, ok := ret.Get(0).(func(string, kubeconfig.ContextName, kubeconfig.UserName) *kubeconfig.AuthProvider); ok {
r0 = returnFunc(explicitFilename, contextName, userName)
} else {
if ret.Get(0) != nil {
r0 = ret.Get(0).(*kubeconfig.AuthProvider)
}
}
if returnFunc, ok := ret.Get(1).(func(string, kubeconfig.ContextName, kubeconfig.UserName) error); ok {
r1 = returnFunc(explicitFilename, contextName, userName)
} else {
r1 = ret.Error(1)
}
return r0, r1
}
// MockInterface_GetCurrentAuthProvider_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetCurrentAuthProvider'
type MockInterface_GetCurrentAuthProvider_Call struct {
*mock.Call
}
// GetCurrentAuthProvider is a helper method to define mock.On call
// - explicitFilename string
// - contextName kubeconfig.ContextName
// - userName kubeconfig.UserName
func (_e *MockInterface_Expecter) GetCurrentAuthProvider(explicitFilename interface{}, contextName interface{}, userName interface{}) *MockInterface_GetCurrentAuthProvider_Call {
return &MockInterface_GetCurrentAuthProvider_Call{Call: _e.mock.On("GetCurrentAuthProvider", explicitFilename, contextName, userName)}
}
func (_c *MockInterface_GetCurrentAuthProvider_Call) Run(run func(explicitFilename string, contextName kubeconfig.ContextName, userName kubeconfig.UserName)) *MockInterface_GetCurrentAuthProvider_Call {
_c.Call.Run(func(args mock.Arguments) {
var arg0 string
if args[0] != nil {
arg0 = args[0].(string)
}
var arg1 kubeconfig.ContextName
if args[1] != nil {
arg1 = args[1].(kubeconfig.ContextName)
}
var arg2 kubeconfig.UserName
if args[2] != nil {
arg2 = args[2].(kubeconfig.UserName)
}
run(
arg0,
arg1,
arg2,
)
})
return _c
}
func (_c *MockInterface_GetCurrentAuthProvider_Call) Return(authProvider *kubeconfig.AuthProvider, err error) *MockInterface_GetCurrentAuthProvider_Call {
_c.Call.Return(authProvider, err)
return _c
}
func (_c *MockInterface_GetCurrentAuthProvider_Call) RunAndReturn(run func(explicitFilename string, contextName kubeconfig.ContextName, userName kubeconfig.UserName) (*kubeconfig.AuthProvider, error)) *MockInterface_GetCurrentAuthProvider_Call {
_c.Call.Return(run)
return _c
}

88
mocks/github.com/int128/kubelogin/pkg/kubeconfig/writer_mock/mocks.go
View File

@@ -1,88 +0,0 @@
// Code generated by mockery; DO NOT EDIT.
// github.com/vektra/mockery
// template: testify
package writer_mock
import (
"github.com/int128/kubelogin/pkg/kubeconfig"
mock "github.com/stretchr/testify/mock"
)
// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
// The first argument is typically a *testing.T value.
func NewMockInterface(t interface {
mock.TestingT
Cleanup(func())
}) *MockInterface {
mock := &MockInterface{}
mock.Mock.Test(t)
t.Cleanup(func() { mock.AssertExpectations(t) })
return mock
}
// MockInterface is an autogenerated mock type for the Interface type
type MockInterface struct {
mock.Mock
}
type MockInterface_Expecter struct {
mock *mock.Mock
}
func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
return &MockInterface_Expecter{mock: &_m.Mock}
}
// UpdateAuthProvider provides a mock function for the type MockInterface
func (_mock *MockInterface) UpdateAuthProvider(p kubeconfig.AuthProvider) error {
ret := _mock.Called(p)
if len(ret) == 0 {
panic("no return value specified for UpdateAuthProvider")
}
var r0 error
if returnFunc, ok := ret.Get(0).(func(kubeconfig.AuthProvider) error); ok {
r0 = returnFunc(p)
} else {
r0 = ret.Error(0)
}
return r0
}
// MockInterface_UpdateAuthProvider_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'UpdateAuthProvider'
type MockInterface_UpdateAuthProvider_Call struct {
*mock.Call
}
// UpdateAuthProvider is a helper method to define mock.On call
// - p kubeconfig.AuthProvider
func (_e *MockInterface_Expecter) UpdateAuthProvider(p interface{}) *MockInterface_UpdateAuthProvider_Call {
return &MockInterface_UpdateAuthProvider_Call{Call: _e.mock.On("UpdateAuthProvider", p)}
}
func (_c *MockInterface_UpdateAuthProvider_Call) Run(run func(p kubeconfig.AuthProvider)) *MockInterface_UpdateAuthProvider_Call {
_c.Call.Run(func(args mock.Arguments) {
var arg0 kubeconfig.AuthProvider
if args[0] != nil {
arg0 = args[0].(kubeconfig.AuthProvider)
}
run(
arg0,
)
})
return _c
}
func (_c *MockInterface_UpdateAuthProvider_Call) Return(err error) *MockInterface_UpdateAuthProvider_Call {
_c.Call.Return(err)
return _c
}
func (_c *MockInterface_UpdateAuthProvider_Call) RunAndReturn(run func(p kubeconfig.AuthProvider) error) *MockInterface_UpdateAuthProvider_Call {
_c.Call.Return(run)
return _c
}

721
mocks/github.com/int128/kubelogin/pkg/oidc/client_mock/mocks.go
View File

@@ -1,721 +0,0 @@
// Code generated by mockery; DO NOT EDIT.
// github.com/vektra/mockery
// template: testify
package client_mock
import (
"context"
"github.com/int128/kubelogin/pkg/oidc"
"github.com/int128/kubelogin/pkg/oidc/client"
"github.com/int128/kubelogin/pkg/pkce"
"github.com/int128/kubelogin/pkg/tlsclientconfig"
"github.com/int128/oauth2dev"
mock "github.com/stretchr/testify/mock"
)
// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
// The first argument is typically a *testing.T value.
func NewMockInterface(t interface {
mock.TestingT
Cleanup(func())
}) *MockInterface {
mock := &MockInterface{}
mock.Mock.Test(t)
t.Cleanup(func() { mock.AssertExpectations(t) })
return mock
}
// MockInterface is an autogenerated mock type for the Interface type
type MockInterface struct {
mock.Mock
}
type MockInterface_Expecter struct {
mock *mock.Mock
}
func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
return &MockInterface_Expecter{mock: &_m.Mock}
}
// ExchangeAuthCode provides a mock function for the type MockInterface
func (_mock *MockInterface) ExchangeAuthCode(ctx context.Context, in client.ExchangeAuthCodeInput) (*oidc.TokenSet, error) {
ret := _mock.Called(ctx, in)
if len(ret) == 0 {
panic("no return value specified for ExchangeAuthCode")
}
var r0 *oidc.TokenSet
var r1 error
if returnFunc, ok := ret.Get(0).(func(context.Context, client.ExchangeAuthCodeInput) (*oidc.TokenSet, error)); ok {
return returnFunc(ctx, in)
}
if returnFunc, ok := ret.Get(0).(func(context.Context, client.ExchangeAuthCodeInput) *oidc.TokenSet); ok {
r0 = returnFunc(ctx, in)
} else {
if ret.Get(0) != nil {
r0 = ret.Get(0).(*oidc.TokenSet)
}
}
if returnFunc, ok := ret.Get(1).(func(context.Context, client.ExchangeAuthCodeInput) error); ok {
r1 = returnFunc(ctx, in)
} else {
r1 = ret.Error(1)
}
return r0, r1
}
// MockInterface_ExchangeAuthCode_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ExchangeAuthCode'
type MockInterface_ExchangeAuthCode_Call struct {
*mock.Call
}
// ExchangeAuthCode is a helper method to define mock.On call
// - ctx context.Context
// - in client.ExchangeAuthCodeInput
func (_e *MockInterface_Expecter) ExchangeAuthCode(ctx interface{}, in interface{}) *MockInterface_ExchangeAuthCode_Call {
return &MockInterface_ExchangeAuthCode_Call{Call: _e.mock.On("ExchangeAuthCode", ctx, in)}
}
func (_c *MockInterface_ExchangeAuthCode_Call) Run(run func(ctx context.Context, in client.ExchangeAuthCodeInput)) *MockInterface_ExchangeAuthCode_Call {
_c.Call.Run(func(args mock.Arguments) {
var arg0 context.Context
if args[0] != nil {
arg0 = args[0].(context.Context)
}
var arg1 client.ExchangeAuthCodeInput
if args[1] != nil {
arg1 = args[1].(client.ExchangeAuthCodeInput)
}
run(
arg0,
arg1,
)
})
return _c
}
func (_c *MockInterface_ExchangeAuthCode_Call) Return(tokenSet *oidc.TokenSet, err error) *MockInterface_ExchangeAuthCode_Call {
_c.Call.Return(tokenSet, err)
return _c
}
func (_c *MockInterface_ExchangeAuthCode_Call) RunAndReturn(run func(ctx context.Context, in client.ExchangeAuthCodeInput) (*oidc.TokenSet, error)) *MockInterface_ExchangeAuthCode_Call {
_c.Call.Return(run)
return _c
}
// ExchangeDeviceCode provides a mock function for the type MockInterface
func (_mock *MockInterface) ExchangeDeviceCode(ctx context.Context, authResponse *oauth2dev.AuthorizationResponse) (*oidc.TokenSet, error) {
ret := _mock.Called(ctx, authResponse)
if len(ret) == 0 {
panic("no return value specified for ExchangeDeviceCode")
}
var r0 *oidc.TokenSet
var r1 error
if returnFunc, ok := ret.Get(0).(func(context.Context, *oauth2dev.AuthorizationResponse) (*oidc.TokenSet, error)); ok {
return returnFunc(ctx, authResponse)
}
if returnFunc, ok := ret.Get(0).(func(context.Context, *oauth2dev.AuthorizationResponse) *oidc.TokenSet); ok {
r0 = returnFunc(ctx, authResponse)
} else {
if ret.Get(0) != nil {
r0 = ret.Get(0).(*oidc.TokenSet)
}
}
if returnFunc, ok := ret.Get(1).(func(context.Context, *oauth2dev.AuthorizationResponse) error); ok {
r1 = returnFunc(ctx, authResponse)
} else {
r1 = ret.Error(1)
}
return r0, r1
}
// MockInterface_ExchangeDeviceCode_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'ExchangeDeviceCode'
type MockInterface_ExchangeDeviceCode_Call struct {
*mock.Call
}
// ExchangeDeviceCode is a helper method to define mock.On call
// - ctx context.Context
// - authResponse *oauth2dev.AuthorizationResponse
func (_e *MockInterface_Expecter) ExchangeDeviceCode(ctx interface{}, authResponse interface{}) *MockInterface_ExchangeDeviceCode_Call {
return &MockInterface_ExchangeDeviceCode_Call{Call: _e.mock.On("ExchangeDeviceCode", ctx, authResponse)}
}
func (_c *MockInterface_ExchangeDeviceCode_Call) Run(run func(ctx context.Context, authResponse *oauth2dev.AuthorizationResponse)) *MockInterface_ExchangeDeviceCode_Call {
_c.Call.Run(func(args mock.Arguments) {
var arg0 context.Context
if args[0] != nil {
arg0 = args[0].(context.Context)
}
var arg1 *oauth2dev.AuthorizationResponse
if args[1] != nil {
arg1 = args[1].(*oauth2dev.AuthorizationResponse)
}
run(
arg0,
arg1,
)
})
return _c
}
func (_c *MockInterface_ExchangeDeviceCode_Call) Return(tokenSet *oidc.TokenSet, err error) *MockInterface_ExchangeDeviceCode_Call {
_c.Call.Return(tokenSet, err)
return _c
}
func (_c *MockInterface_ExchangeDeviceCode_Call) RunAndReturn(run func(ctx context.Context, authResponse *oauth2dev.AuthorizationResponse) (*oidc.TokenSet, error)) *MockInterface_ExchangeDeviceCode_Call {
_c.Call.Return(run)
return _c
}
// GetAuthCodeURL provides a mock function for the type MockInterface
func (_mock *MockInterface) GetAuthCodeURL(in client.AuthCodeURLInput) string {
ret := _mock.Called(in)
if len(ret) == 0 {
panic("no return value specified for GetAuthCodeURL")
}
var r0 string
if returnFunc, ok := ret.Get(0).(func(client.AuthCodeURLInput) string); ok {
r0 = returnFunc(in)
} else {
r0 = ret.Get(0).(string)
}
return r0
}
// MockInterface_GetAuthCodeURL_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetAuthCodeURL'
type MockInterface_GetAuthCodeURL_Call struct {
*mock.Call
}
// GetAuthCodeURL is a helper method to define mock.On call
// - in client.AuthCodeURLInput
func (_e *MockInterface_Expecter) GetAuthCodeURL(in interface{}) *MockInterface_GetAuthCodeURL_Call {
return &MockInterface_GetAuthCodeURL_Call{Call: _e.mock.On("GetAuthCodeURL", in)}
}
func (_c *MockInterface_GetAuthCodeURL_Call) Run(run func(in client.AuthCodeURLInput)) *MockInterface_GetAuthCodeURL_Call {
_c.Call.Run(func(args mock.Arguments) {
var arg0 client.AuthCodeURLInput
if args[0] != nil {
arg0 = args[0].(client.AuthCodeURLInput)
}
run(
arg0,
)
})
return _c
}
func (_c *MockInterface_GetAuthCodeURL_Call) Return(s string) *MockInterface_GetAuthCodeURL_Call {
_c.Call.Return(s)
return _c
}
func (_c *MockInterface_GetAuthCodeURL_Call) RunAndReturn(run func(in client.AuthCodeURLInput) string) *MockInterface_GetAuthCodeURL_Call {
_c.Call.Return(run)
return _c
}
// GetDeviceAuthorization provides a mock function for the type MockInterface
func (_mock *MockInterface) GetDeviceAuthorization(ctx context.Context) (*oauth2dev.AuthorizationResponse, error) {
ret := _mock.Called(ctx)
if len(ret) == 0 {
panic("no return value specified for GetDeviceAuthorization")
}
var r0 *oauth2dev.AuthorizationResponse
var r1 error
if returnFunc, ok := ret.Get(0).(func(context.Context) (*oauth2dev.AuthorizationResponse, error)); ok {
return returnFunc(ctx)
}
if returnFunc, ok := ret.Get(0).(func(context.Context) *oauth2dev.AuthorizationResponse); ok {
r0 = returnFunc(ctx)
} else {
if ret.Get(0) != nil {
r0 = ret.Get(0).(*oauth2dev.AuthorizationResponse)
}
}
if returnFunc, ok := ret.Get(1).(func(context.Context) error); ok {
r1 = returnFunc(ctx)
} else {
r1 = ret.Error(1)
}
return r0, r1
}
// MockInterface_GetDeviceAuthorization_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetDeviceAuthorization'
type MockInterface_GetDeviceAuthorization_Call struct {
*mock.Call
}
// GetDeviceAuthorization is a helper method to define mock.On call
// - ctx context.Context
func (_e *MockInterface_Expecter) GetDeviceAuthorization(ctx interface{}) *MockInterface_GetDeviceAuthorization_Call {
return &MockInterface_GetDeviceAuthorization_Call{Call: _e.mock.On("GetDeviceAuthorization", ctx)}
}
func (_c *MockInterface_GetDeviceAuthorization_Call) Run(run func(ctx context.Context)) *MockInterface_GetDeviceAuthorization_Call {
_c.Call.Run(func(args mock.Arguments) {
var arg0 context.Context
if args[0] != nil {
arg0 = args[0].(context.Context)
}
run(
arg0,
)
})
return _c
}
func (_c *MockInterface_GetDeviceAuthorization_Call) Return(authorizationResponse *oauth2dev.AuthorizationResponse, err error) *MockInterface_GetDeviceAuthorization_Call {
_c.Call.Return(authorizationResponse, err)
return _c
}
func (_c *MockInterface_GetDeviceAuthorization_Call) RunAndReturn(run func(ctx context.Context) (*oauth2dev.AuthorizationResponse, error)) *MockInterface_GetDeviceAuthorization_Call {
_c.Call.Return(run)
return _c
}
// GetTokenByAuthCode provides a mock function for the type MockInterface
func (_mock *MockInterface) GetTokenByAuthCode(ctx context.Context, in client.GetTokenByAuthCodeInput, localServerReadyChan chan<- string) (*oidc.TokenSet, error) {
ret := _mock.Called(ctx, in, localServerReadyChan)
if len(ret) == 0 {
panic("no return value specified for GetTokenByAuthCode")
}
var r0 *oidc.TokenSet
var r1 error
if returnFunc, ok := ret.Get(0).(func(context.Context, client.GetTokenByAuthCodeInput, chan<- string) (*oidc.TokenSet, error)); ok {
return returnFunc(ctx, in, localServerReadyChan)
}
if returnFunc, ok := ret.Get(0).(func(context.Context, client.GetTokenByAuthCodeInput, chan<- string) *oidc.TokenSet); ok {
r0 = returnFunc(ctx, in, localServerReadyChan)
} else {
if ret.Get(0) != nil {
r0 = ret.Get(0).(*oidc.TokenSet)
}
}
if returnFunc, ok := ret.Get(1).(func(context.Context, client.GetTokenByAuthCodeInput, chan<- string) error); ok {
r1 = returnFunc(ctx, in, localServerReadyChan)
} else {
r1 = ret.Error(1)
}
return r0, r1
}
// MockInterface_GetTokenByAuthCode_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetTokenByAuthCode'
type MockInterface_GetTokenByAuthCode_Call struct {
*mock.Call
}
// GetTokenByAuthCode is a helper method to define mock.On call
// - ctx context.Context
// - in client.GetTokenByAuthCodeInput
// - localServerReadyChan chan<- string
func (_e *MockInterface_Expecter) GetTokenByAuthCode(ctx interface{}, in interface{}, localServerReadyChan interface{}) *MockInterface_GetTokenByAuthCode_Call {
return &MockInterface_GetTokenByAuthCode_Call{Call: _e.mock.On("GetTokenByAuthCode", ctx, in, localServerReadyChan)}
}
func (_c *MockInterface_GetTokenByAuthCode_Call) Run(run func(ctx context.Context, in client.GetTokenByAuthCodeInput, localServerReadyChan chan<- string)) *MockInterface_GetTokenByAuthCode_Call {
_c.Call.Run(func(args mock.Arguments) {
var arg0 context.Context
if args[0] != nil {
arg0 = args[0].(context.Context)
}
var arg1 client.GetTokenByAuthCodeInput
if args[1] != nil {
arg1 = args[1].(client.GetTokenByAuthCodeInput)
}
var arg2 chan<- string
if args[2] != nil {
arg2 = args[2].(chan<- string)
}
run(
arg0,
arg1,
arg2,
)
})
return _c
}
func (_c *MockInterface_GetTokenByAuthCode_Call) Return(tokenSet *oidc.TokenSet, err error) *MockInterface_GetTokenByAuthCode_Call {
_c.Call.Return(tokenSet, err)
return _c
}
func (_c *MockInterface_GetTokenByAuthCode_Call) RunAndReturn(run func(ctx context.Context, in client.GetTokenByAuthCodeInput, localServerReadyChan chan<- string) (*oidc.TokenSet, error)) *MockInterface_GetTokenByAuthCode_Call {
_c.Call.Return(run)
return _c
}
// GetTokenByClientCredentials provides a mock function for the type MockInterface
func (_mock *MockInterface) GetTokenByClientCredentials(ctx context.Context, in client.GetTokenByClientCredentialsInput) (*oidc.TokenSet, error) {
ret := _mock.Called(ctx, in)
if len(ret) == 0 {
panic("no return value specified for GetTokenByClientCredentials")
}
var r0 *oidc.TokenSet
var r1 error
if returnFunc, ok := ret.Get(0).(func(context.Context, client.GetTokenByClientCredentialsInput) (*oidc.TokenSet, error)); ok {
return returnFunc(ctx, in)
}
if returnFunc, ok := ret.Get(0).(func(context.Context, client.GetTokenByClientCredentialsInput) *oidc.TokenSet); ok {
r0 = returnFunc(ctx, in)
} else {
if ret.Get(0) != nil {
r0 = ret.Get(0).(*oidc.TokenSet)
}
}
if returnFunc, ok := ret.Get(1).(func(context.Context, client.GetTokenByClientCredentialsInput) error); ok {
r1 = returnFunc(ctx, in)
} else {
r1 = ret.Error(1)
}
return r0, r1
}
// MockInterface_GetTokenByClientCredentials_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetTokenByClientCredentials'
type MockInterface_GetTokenByClientCredentials_Call struct {
*mock.Call
}
// GetTokenByClientCredentials is a helper method to define mock.On call
// - ctx context.Context
// - in client.GetTokenByClientCredentialsInput
func (_e *MockInterface_Expecter) GetTokenByClientCredentials(ctx interface{}, in interface{}) *MockInterface_GetTokenByClientCredentials_Call {
return &MockInterface_GetTokenByClientCredentials_Call{Call: _e.mock.On("GetTokenByClientCredentials", ctx, in)}
}
func (_c *MockInterface_GetTokenByClientCredentials_Call) Run(run func(ctx context.Context, in client.GetTokenByClientCredentialsInput)) *MockInterface_GetTokenByClientCredentials_Call {
_c.Call.Run(func(args mock.Arguments) {
var arg0 context.Context
if args[0] != nil {
arg0 = args[0].(context.Context)
}
var arg1 client.GetTokenByClientCredentialsInput
if args[1] != nil {
arg1 = args[1].(client.GetTokenByClientCredentialsInput)
}
run(
arg0,
arg1,
)
})
return _c
}
func (_c *MockInterface_GetTokenByClientCredentials_Call) Return(tokenSet *oidc.TokenSet, err error) *MockInterface_GetTokenByClientCredentials_Call {
_c.Call.Return(tokenSet, err)
return _c
}
func (_c *MockInterface_GetTokenByClientCredentials_Call) RunAndReturn(run func(ctx context.Context, in client.GetTokenByClientCredentialsInput) (*oidc.TokenSet, error)) *MockInterface_GetTokenByClientCredentials_Call {
_c.Call.Return(run)
return _c
}
// GetTokenByROPC provides a mock function for the type MockInterface
func (_mock *MockInterface) GetTokenByROPC(ctx context.Context, username string, password string) (*oidc.TokenSet, error) {
ret := _mock.Called(ctx, username, password)
if len(ret) == 0 {
panic("no return value specified for GetTokenByROPC")
}
var r0 *oidc.TokenSet
var r1 error
if returnFunc, ok := ret.Get(0).(func(context.Context, string, string) (*oidc.TokenSet, error)); ok {
return returnFunc(ctx, username, password)
}
if returnFunc, ok := ret.Get(0).(func(context.Context, string, string) *oidc.TokenSet); ok {
r0 = returnFunc(ctx, username, password)
} else {
if ret.Get(0) != nil {
r0 = ret.Get(0).(*oidc.TokenSet)
}
}
if returnFunc, ok := ret.Get(1).(func(context.Context, string, string) error); ok {
r1 = returnFunc(ctx, username, password)
} else {
r1 = ret.Error(1)
}
return r0, r1
}
// MockInterface_GetTokenByROPC_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetTokenByROPC'
type MockInterface_GetTokenByROPC_Call struct {
*mock.Call
}
// GetTokenByROPC is a helper method to define mock.On call
// - ctx context.Context
// - username string
// - password string
func (_e *MockInterface_Expecter) GetTokenByROPC(ctx interface{}, username interface{}, password interface{}) *MockInterface_GetTokenByROPC_Call {
return &MockInterface_GetTokenByROPC_Call{Call: _e.mock.On("GetTokenByROPC", ctx, username, password)}
}
func (_c *MockInterface_GetTokenByROPC_Call) Run(run func(ctx context.Context, username string, password string)) *MockInterface_GetTokenByROPC_Call {
_c.Call.Run(func(args mock.Arguments) {
var arg0 context.Context
if args[0] != nil {
arg0 = args[0].(context.Context)
}
var arg1 string
if args[1] != nil {
arg1 = args[1].(string)
}
var arg2 string
if args[2] != nil {
arg2 = args[2].(string)
}
run(
arg0,
arg1,
arg2,
)
})
return _c
}
func (_c *MockInterface_GetTokenByROPC_Call) Return(tokenSet *oidc.TokenSet, err error) *MockInterface_GetTokenByROPC_Call {
_c.Call.Return(tokenSet, err)
return _c
}
func (_c *MockInterface_GetTokenByROPC_Call) RunAndReturn(run func(ctx context.Context, username string, password string) (*oidc.TokenSet, error)) *MockInterface_GetTokenByROPC_Call {
_c.Call.Return(run)
return _c
}
// NegotiatedPKCEMethod provides a mock function for the type MockInterface
func (_mock *MockInterface) NegotiatedPKCEMethod() pkce.Method {
ret := _mock.Called()
if len(ret) == 0 {
panic("no return value specified for NegotiatedPKCEMethod")
}
var r0 pkce.Method
if returnFunc, ok := ret.Get(0).(func() pkce.Method); ok {
r0 = returnFunc()
} else {
r0 = ret.Get(0).(pkce.Method)
}
return r0
}
// MockInterface_NegotiatedPKCEMethod_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'NegotiatedPKCEMethod'
type MockInterface_NegotiatedPKCEMethod_Call struct {
*mock.Call
}
// NegotiatedPKCEMethod is a helper method to define mock.On call
func (_e *MockInterface_Expecter) NegotiatedPKCEMethod() *MockInterface_NegotiatedPKCEMethod_Call {
return &MockInterface_NegotiatedPKCEMethod_Call{Call: _e.mock.On("NegotiatedPKCEMethod")}
}
func (_c *MockInterface_NegotiatedPKCEMethod_Call) Run(run func()) *MockInterface_NegotiatedPKCEMethod_Call {
_c.Call.Run(func(args mock.Arguments) {
run()
})
return _c
}
func (_c *MockInterface_NegotiatedPKCEMethod_Call) Return(method pkce.Method) *MockInterface_NegotiatedPKCEMethod_Call {
_c.Call.Return(method)
return _c
}
func (_c *MockInterface_NegotiatedPKCEMethod_Call) RunAndReturn(run func() pkce.Method) *MockInterface_NegotiatedPKCEMethod_Call {
_c.Call.Return(run)
return _c
}
// Refresh provides a mock function for the type MockInterface
func (_mock *MockInterface) Refresh(ctx context.Context, refreshToken string) (*oidc.TokenSet, error) {
ret := _mock.Called(ctx, refreshToken)
if len(ret) == 0 {
panic("no return value specified for Refresh")
}
var r0 *oidc.TokenSet
var r1 error
if returnFunc, ok := ret.Get(0).(func(context.Context, string) (*oidc.TokenSet, error)); ok {
return returnFunc(ctx, refreshToken)
}
if returnFunc, ok := ret.Get(0).(func(context.Context, string) *oidc.TokenSet); ok {
r0 = returnFunc(ctx, refreshToken)
} else {
if ret.Get(0) != nil {
r0 = ret.Get(0).(*oidc.TokenSet)
}
}
if returnFunc, ok := ret.Get(1).(func(context.Context, string) error); ok {
r1 = returnFunc(ctx, refreshToken)
} else {
r1 = ret.Error(1)
}
return r0, r1
}
// MockInterface_Refresh_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Refresh'
type MockInterface_Refresh_Call struct {
*mock.Call
}
// Refresh is a helper method to define mock.On call
// - ctx context.Context
// - refreshToken string
func (_e *MockInterface_Expecter) Refresh(ctx interface{}, refreshToken interface{}) *MockInterface_Refresh_Call {
return &MockInterface_Refresh_Call{Call: _e.mock.On("Refresh", ctx, refreshToken)}
}
func (_c *MockInterface_Refresh_Call) Run(run func(ctx context.Context, refreshToken string)) *MockInterface_Refresh_Call {
_c.Call.Run(func(args mock.Arguments) {
var arg0 context.Context
if args[0] != nil {
arg0 = args[0].(context.Context)
}
var arg1 string
if args[1] != nil {
arg1 = args[1].(string)
}
run(
arg0,
arg1,
)
})
return _c
}
func (_c *MockInterface_Refresh_Call) Return(tokenSet *oidc.TokenSet, err error) *MockInterface_Refresh_Call {
_c.Call.Return(tokenSet, err)
return _c
}
func (_c *MockInterface_Refresh_Call) RunAndReturn(run func(ctx context.Context, refreshToken string) (*oidc.TokenSet, error)) *MockInterface_Refresh_Call {
_c.Call.Return(run)
return _c
}
// NewMockFactoryInterface creates a new instance of MockFactoryInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
// The first argument is typically a *testing.T value.
func NewMockFactoryInterface(t interface {
mock.TestingT
Cleanup(func())
}) *MockFactoryInterface {
mock := &MockFactoryInterface{}
mock.Mock.Test(t)
t.Cleanup(func() { mock.AssertExpectations(t) })
return mock
}
// MockFactoryInterface is an autogenerated mock type for the FactoryInterface type
type MockFactoryInterface struct {
mock.Mock
}
type MockFactoryInterface_Expecter struct {
mock *mock.Mock
}
func (_m *MockFactoryInterface) EXPECT() *MockFactoryInterface_Expecter {
return &MockFactoryInterface_Expecter{mock: &_m.Mock}
}
// New provides a mock function for the type MockFactoryInterface
func (_mock *MockFactoryInterface) New(ctx context.Context, prov oidc.Provider, tlsClientConfig tlsclientconfig.Config) (client.Interface, error) {
ret := _mock.Called(ctx, prov, tlsClientConfig)
if len(ret) == 0 {
panic("no return value specified for New")
}
var r0 client.Interface
var r1 error
if returnFunc, ok := ret.Get(0).(func(context.Context, oidc.Provider, tlsclientconfig.Config) (client.Interface, error)); ok {
return returnFunc(ctx, prov, tlsClientConfig)
}
if returnFunc, ok := ret.Get(0).(func(context.Context, oidc.Provider, tlsclientconfig.Config) client.Interface); ok {
r0 = returnFunc(ctx, prov, tlsClientConfig)
} else {
if ret.Get(0) != nil {
r0 = ret.Get(0).(client.Interface)
}
}
if returnFunc, ok := ret.Get(1).(func(context.Context, oidc.Provider, tlsclientconfig.Config) error); ok {
r1 = returnFunc(ctx, prov, tlsClientConfig)
} else {
r1 = ret.Error(1)
}
return r0, r1
}
// MockFactoryInterface_New_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'New'
type MockFactoryInterface_New_Call struct {
*mock.Call
}
// New is a helper method to define mock.On call
// - ctx context.Context
// - prov oidc.Provider
// - tlsClientConfig tlsclientconfig.Config
func (_e *MockFactoryInterface_Expecter) New(ctx interface{}, prov interface{}, tlsClientConfig interface{}) *MockFactoryInterface_New_Call {
return &MockFactoryInterface_New_Call{Call: _e.mock.On("New", ctx, prov, tlsClientConfig)}
}
func (_c *MockFactoryInterface_New_Call) Run(run func(ctx context.Context, prov oidc.Provider, tlsClientConfig tlsclientconfig.Config)) *MockFactoryInterface_New_Call {
_c.Call.Run(func(args mock.Arguments) {
var arg0 context.Context
if args[0] != nil {
arg0 = args[0].(context.Context)
}
var arg1 oidc.Provider
if args[1] != nil {
arg1 = args[1].(oidc.Provider)
}
var arg2 tlsclientconfig.Config
if args[2] != nil {
arg2 = args[2].(tlsclientconfig.Config)
}
run(
arg0,
arg1,
arg2,
)
})
return _c
}
func (_c *MockFactoryInterface_New_Call) Return(interfaceParam client.Interface, err error) *MockFactoryInterface_New_Call {
_c.Call.Return(interfaceParam, err)
return _c
}
func (_c *MockFactoryInterface_New_Call) RunAndReturn(run func(ctx context.Context, prov oidc.Provider, tlsClientConfig tlsclientconfig.Config) (client.Interface, error)) *MockFactoryInterface_New_Call {
_c.Call.Return(run)
return _c
}

90
mocks/github.com/int128/kubelogin/pkg/testing/logger_mock/mocks.go
View File

@@ -1,90 +0,0 @@
// Code generated by mockery; DO NOT EDIT.
// github.com/vektra/mockery
// template: testify
package logger_mock
import (
mock "github.com/stretchr/testify/mock"
)
// newMocktestingLogger creates a new instance of mocktestingLogger. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
// The first argument is typically a *testing.T value.
func newMocktestingLogger(t interface {
mock.TestingT
Cleanup(func())
}) *mocktestingLogger {
mock := &mocktestingLogger{}
mock.Mock.Test(t)
t.Cleanup(func() { mock.AssertExpectations(t) })
return mock
}
// mocktestingLogger is an autogenerated mock type for the testingLogger type
type mocktestingLogger struct {
mock.Mock
}
type mocktestingLogger_Expecter struct {
mock *mock.Mock
}
func (_m *mocktestingLogger) EXPECT() *mocktestingLogger_Expecter {
return &mocktestingLogger_Expecter{mock: &_m.Mock}
}
// Logf provides a mock function for the type mocktestingLogger
func (_mock *mocktestingLogger) Logf(format string, v ...interface{}) {
if len(v) > 0 {
_mock.Called(format, v)
} else {
_mock.Called(format)
}
return
}
// mocktestingLogger_Logf_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Logf'
type mocktestingLogger_Logf_Call struct {
*mock.Call
}
// Logf is a helper method to define mock.On call
// - format string
// - v ...interface{}
func (_e *mocktestingLogger_Expecter) Logf(format interface{}, v ...interface{}) *mocktestingLogger_Logf_Call {
return &mocktestingLogger_Logf_Call{Call: _e.mock.On("Logf",
append([]interface{}{format}, v...)...)}
}
func (_c *mocktestingLogger_Logf_Call) Run(run func(format string, v ...interface{})) *mocktestingLogger_Logf_Call {
_c.Call.Run(func(args mock.Arguments) {
var arg0 string
if args[0] != nil {
arg0 = args[0].(string)
}
var arg1 []interface{}
var variadicArgs []interface{}
if len(args) > 1 {
variadicArgs = args[1].([]interface{})
}
arg1 = variadicArgs
run(
arg0,
arg1...,
)
})
return _c
}
func (_c *mocktestingLogger_Logf_Call) Return() *mocktestingLogger_Logf_Call {
_c.Call.Return()
return _c
}
func (_c *mocktestingLogger_Logf_Call) RunAndReturn(run func(format string, v ...interface{})) *mocktestingLogger_Logf_Call {
_c.Run(run)
return _c
}

101
mocks/github.com/int128/kubelogin/pkg/tlsclientconfig/loader_mock/mocks.go
View File

@@ -1,101 +0,0 @@
// Code generated by mockery; DO NOT EDIT.
// github.com/vektra/mockery
// template: testify
package loader_mock
import (
"crypto/tls"
"github.com/int128/kubelogin/pkg/tlsclientconfig"
mock "github.com/stretchr/testify/mock"
)
// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
// The first argument is typically a *testing.T value.
func NewMockInterface(t interface {
mock.TestingT
Cleanup(func())
}) *MockInterface {
mock := &MockInterface{}
mock.Mock.Test(t)
t.Cleanup(func() { mock.AssertExpectations(t) })
return mock
}
// MockInterface is an autogenerated mock type for the Interface type
type MockInterface struct {
mock.Mock
}
type MockInterface_Expecter struct {
mock *mock.Mock
}
func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
return &MockInterface_Expecter{mock: &_m.Mock}
}
// Load provides a mock function for the type MockInterface
func (_mock *MockInterface) Load(config tlsclientconfig.Config) (*tls.Config, error) {
ret := _mock.Called(config)
if len(ret) == 0 {
panic("no return value specified for Load")
}
var r0 *tls.Config
var r1 error
if returnFunc, ok := ret.Get(0).(func(tlsclientconfig.Config) (*tls.Config, error)); ok {
return returnFunc(config)
}
if returnFunc, ok := ret.Get(0).(func(tlsclientconfig.Config) *tls.Config); ok {
r0 = returnFunc(config)
} else {
if ret.Get(0) != nil {
r0 = ret.Get(0).(*tls.Config)
}
}
if returnFunc, ok := ret.Get(1).(func(tlsclientconfig.Config) error); ok {
r1 = returnFunc(config)
} else {
r1 = ret.Error(1)
}
return r0, r1
}
// MockInterface_Load_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Load'
type MockInterface_Load_Call struct {
*mock.Call
}
// Load is a helper method to define mock.On call
// - config tlsclientconfig.Config
func (_e *MockInterface_Expecter) Load(config interface{}) *MockInterface_Load_Call {
return &MockInterface_Load_Call{Call: _e.mock.On("Load", config)}
}
func (_c *MockInterface_Load_Call) Run(run func(config tlsclientconfig.Config)) *MockInterface_Load_Call {
_c.Call.Run(func(args mock.Arguments) {
var arg0 tlsclientconfig.Config
if args[0] != nil {
arg0 = args[0].(tlsclientconfig.Config)
}
run(
arg0,
)
})
return _c
}
func (_c *MockInterface_Load_Call) Return(config1 *tls.Config, err error) *MockInterface_Load_Call {
_c.Call.Return(config1, err)
return _c
}
func (_c *MockInterface_Load_Call) RunAndReturn(run func(config tlsclientconfig.Config) (*tls.Config, error)) *MockInterface_Load_Call {
_c.Call.Return(run)
return _c
}

290
mocks/github.com/int128/kubelogin/pkg/tokencache/repository_mock/mocks.go
View File

@@ -1,290 +0,0 @@
// Code generated by mockery; DO NOT EDIT.
// github.com/vektra/mockery
// template: testify
package repository_mock
import (
"io"
"github.com/int128/kubelogin/pkg/oidc"
"github.com/int128/kubelogin/pkg/tokencache"
mock "github.com/stretchr/testify/mock"
)
// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
// The first argument is typically a *testing.T value.
func NewMockInterface(t interface {
mock.TestingT
Cleanup(func())
}) *MockInterface {
mock := &MockInterface{}
mock.Mock.Test(t)
t.Cleanup(func() { mock.AssertExpectations(t) })
return mock
}
// MockInterface is an autogenerated mock type for the Interface type
type MockInterface struct {
mock.Mock
}
type MockInterface_Expecter struct {
mock *mock.Mock
}
func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
return &MockInterface_Expecter{mock: &_m.Mock}
}
// DeleteAll provides a mock function for the type MockInterface
func (_mock *MockInterface) DeleteAll(config tokencache.Config) error {
ret := _mock.Called(config)
if len(ret) == 0 {
panic("no return value specified for DeleteAll")
}
var r0 error
if returnFunc, ok := ret.Get(0).(func(tokencache.Config) error); ok {
r0 = returnFunc(config)
} else {
r0 = ret.Error(0)
}
return r0
}
// MockInterface_DeleteAll_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'DeleteAll'
type MockInterface_DeleteAll_Call struct {
*mock.Call
}
// DeleteAll is a helper method to define mock.On call
// - config tokencache.Config
func (_e *MockInterface_Expecter) DeleteAll(config interface{}) *MockInterface_DeleteAll_Call {
return &MockInterface_DeleteAll_Call{Call: _e.mock.On("DeleteAll", config)}
}
func (_c *MockInterface_DeleteAll_Call) Run(run func(config tokencache.Config)) *MockInterface_DeleteAll_Call {
_c.Call.Run(func(args mock.Arguments) {
var arg0 tokencache.Config
if args[0] != nil {
arg0 = args[0].(tokencache.Config)
}
run(
arg0,
)
})
return _c
}
func (_c *MockInterface_DeleteAll_Call) Return(err error) *MockInterface_DeleteAll_Call {
_c.Call.Return(err)
return _c
}
func (_c *MockInterface_DeleteAll_Call) RunAndReturn(run func(config tokencache.Config) error) *MockInterface_DeleteAll_Call {
_c.Call.Return(run)
return _c
}
// FindByKey provides a mock function for the type MockInterface
func (_mock *MockInterface) FindByKey(config tokencache.Config, key tokencache.Key) (*oidc.TokenSet, error) {
ret := _mock.Called(config, key)
if len(ret) == 0 {
panic("no return value specified for FindByKey")
}
var r0 *oidc.TokenSet
var r1 error
if returnFunc, ok := ret.Get(0).(func(tokencache.Config, tokencache.Key) (*oidc.TokenSet, error)); ok {
return returnFunc(config, key)
}
if returnFunc, ok := ret.Get(0).(func(tokencache.Config, tokencache.Key) *oidc.TokenSet); ok {
r0 = returnFunc(config, key)
} else {
if ret.Get(0) != nil {
r0 = ret.Get(0).(*oidc.TokenSet)
}
}
if returnFunc, ok := ret.Get(1).(func(tokencache.Config, tokencache.Key) error); ok {
r1 = returnFunc(config, key)
} else {
r1 = ret.Error(1)
}
return r0, r1
}
// MockInterface_FindByKey_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'FindByKey'
type MockInterface_FindByKey_Call struct {
*mock.Call
}
// FindByKey is a helper method to define mock.On call
// - config tokencache.Config
// - key tokencache.Key
func (_e *MockInterface_Expecter) FindByKey(config interface{}, key interface{}) *MockInterface_FindByKey_Call {
return &MockInterface_FindByKey_Call{Call: _e.mock.On("FindByKey", config, key)}
}
func (_c *MockInterface_FindByKey_Call) Run(run func(config tokencache.Config, key tokencache.Key)) *MockInterface_FindByKey_Call {
_c.Call.Run(func(args mock.Arguments) {
var arg0 tokencache.Config
if args[0] != nil {
arg0 = args[0].(tokencache.Config)
}
var arg1 tokencache.Key
if args[1] != nil {
arg1 = args[1].(tokencache.Key)
}
run(
arg0,
arg1,
)
})
return _c
}
func (_c *MockInterface_FindByKey_Call) Return(tokenSet *oidc.TokenSet, err error) *MockInterface_FindByKey_Call {
_c.Call.Return(tokenSet, err)
return _c
}
func (_c *MockInterface_FindByKey_Call) RunAndReturn(run func(config tokencache.Config, key tokencache.Key) (*oidc.TokenSet, error)) *MockInterface_FindByKey_Call {
_c.Call.Return(run)
return _c
}
// Lock provides a mock function for the type MockInterface
func (_mock *MockInterface) Lock(config tokencache.Config, key tokencache.Key) (io.Closer, error) {
ret := _mock.Called(config, key)
if len(ret) == 0 {
panic("no return value specified for Lock")
}
var r0 io.Closer
var r1 error
if returnFunc, ok := ret.Get(0).(func(tokencache.Config, tokencache.Key) (io.Closer, error)); ok {
return returnFunc(config, key)
}
if returnFunc, ok := ret.Get(0).(func(tokencache.Config, tokencache.Key) io.Closer); ok {
r0 = returnFunc(config, key)
} else {
if ret.Get(0) != nil {
r0 = ret.Get(0).(io.Closer)
}
}
if returnFunc, ok := ret.Get(1).(func(tokencache.Config, tokencache.Key) error); ok {
r1 = returnFunc(config, key)
} else {
r1 = ret.Error(1)
}
return r0, r1
}
// MockInterface_Lock_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Lock'
type MockInterface_Lock_Call struct {
*mock.Call
}
// Lock is a helper method to define mock.On call
// - config tokencache.Config
// - key tokencache.Key
func (_e *MockInterface_Expecter) Lock(config interface{}, key interface{}) *MockInterface_Lock_Call {
return &MockInterface_Lock_Call{Call: _e.mock.On("Lock", config, key)}
}
func (_c *MockInterface_Lock_Call) Run(run func(config tokencache.Config, key tokencache.Key)) *MockInterface_Lock_Call {
_c.Call.Run(func(args mock.Arguments) {
var arg0 tokencache.Config
if args[0] != nil {
arg0 = args[0].(tokencache.Config)
}
var arg1 tokencache.Key
if args[1] != nil {
arg1 = args[1].(tokencache.Key)
}
run(
arg0,
arg1,
)
})
return _c
}
func (_c *MockInterface_Lock_Call) Return(closer io.Closer, err error) *MockInterface_Lock_Call {
_c.Call.Return(closer, err)
return _c
}
func (_c *MockInterface_Lock_Call) RunAndReturn(run func(config tokencache.Config, key tokencache.Key) (io.Closer, error)) *MockInterface_Lock_Call {
_c.Call.Return(run)
return _c
}
// Save provides a mock function for the type MockInterface
func (_mock *MockInterface) Save(config tokencache.Config, key tokencache.Key, tokenSet oidc.TokenSet) error {
ret := _mock.Called(config, key, tokenSet)
if len(ret) == 0 {
panic("no return value specified for Save")
}
var r0 error
if returnFunc, ok := ret.Get(0).(func(tokencache.Config, tokencache.Key, oidc.TokenSet) error); ok {
r0 = returnFunc(config, key, tokenSet)
} else {
r0 = ret.Error(0)
}
return r0
}
// MockInterface_Save_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Save'
type MockInterface_Save_Call struct {
*mock.Call
}
// Save is a helper method to define mock.On call
// - config tokencache.Config
// - key tokencache.Key
// - tokenSet oidc.TokenSet
func (_e *MockInterface_Expecter) Save(config interface{}, key interface{}, tokenSet interface{}) *MockInterface_Save_Call {
return &MockInterface_Save_Call{Call: _e.mock.On("Save", config, key, tokenSet)}
}
func (_c *MockInterface_Save_Call) Run(run func(config tokencache.Config, key tokencache.Key, tokenSet oidc.TokenSet)) *MockInterface_Save_Call {
_c.Call.Run(func(args mock.Arguments) {
var arg0 tokencache.Config
if args[0] != nil {
arg0 = args[0].(tokencache.Config)
}
var arg1 tokencache.Key
if args[1] != nil {
arg1 = args[1].(tokencache.Key)
}
var arg2 oidc.TokenSet
if args[2] != nil {
arg2 = args[2].(oidc.TokenSet)
}
run(
arg0,
arg1,
arg2,
)
})
return _c
}
func (_c *MockInterface_Save_Call) Return(err error) *MockInterface_Save_Call {
_c.Call.Return(err)
return _c
}
func (_c *MockInterface_Save_Call) RunAndReturn(run func(config tokencache.Config, key tokencache.Key, tokenSet oidc.TokenSet) error) *MockInterface_Save_Call {
_c.Call.Return(run)
return _c
}

107
mocks/github.com/int128/kubelogin/pkg/usecases/authentication_mock/mocks.go
View File

@@ -1,107 +0,0 @@
// Code generated by mockery; DO NOT EDIT.
// github.com/vektra/mockery
// template: testify
package authentication_mock
import (
"context"
"github.com/int128/kubelogin/pkg/usecases/authentication"
mock "github.com/stretchr/testify/mock"
)
// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
// The first argument is typically a *testing.T value.
func NewMockInterface(t interface {
mock.TestingT
Cleanup(func())
}) *MockInterface {
mock := &MockInterface{}
mock.Mock.Test(t)
t.Cleanup(func() { mock.AssertExpectations(t) })
return mock
}
// MockInterface is an autogenerated mock type for the Interface type
type MockInterface struct {
mock.Mock
}
type MockInterface_Expecter struct {
mock *mock.Mock
}
func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
return &MockInterface_Expecter{mock: &_m.Mock}
}
// Do provides a mock function for the type MockInterface
func (_mock *MockInterface) Do(ctx context.Context, in authentication.Input) (*authentication.Output, error) {
ret := _mock.Called(ctx, in)
if len(ret) == 0 {
panic("no return value specified for Do")
}
var r0 *authentication.Output
var r1 error
if returnFunc, ok := ret.Get(0).(func(context.Context, authentication.Input) (*authentication.Output, error)); ok {
return returnFunc(ctx, in)
}
if returnFunc, ok := ret.Get(0).(func(context.Context, authentication.Input) *authentication.Output); ok {
r0 = returnFunc(ctx, in)
} else {
if ret.Get(0) != nil {
r0 = ret.Get(0).(*authentication.Output)
}
}
if returnFunc, ok := ret.Get(1).(func(context.Context, authentication.Input) error); ok {
r1 = returnFunc(ctx, in)
} else {
r1 = ret.Error(1)
}
return r0, r1
}
// MockInterface_Do_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Do'
type MockInterface_Do_Call struct {
*mock.Call
}
// Do is a helper method to define mock.On call
// - ctx context.Context
// - in authentication.Input
func (_e *MockInterface_Expecter) Do(ctx interface{}, in interface{}) *MockInterface_Do_Call {
return &MockInterface_Do_Call{Call: _e.mock.On("Do", ctx, in)}
}
func (_c *MockInterface_Do_Call) Run(run func(ctx context.Context, in authentication.Input)) *MockInterface_Do_Call {
_c.Call.Run(func(args mock.Arguments) {
var arg0 context.Context
if args[0] != nil {
arg0 = args[0].(context.Context)
}
var arg1 authentication.Input
if args[1] != nil {
arg1 = args[1].(authentication.Input)
}
run(
arg0,
arg1,
)
})
return _c
}
func (_c *MockInterface_Do_Call) Return(output *authentication.Output, err error) *MockInterface_Do_Call {
_c.Call.Return(output, err)
return _c
}
func (_c *MockInterface_Do_Call) RunAndReturn(run func(ctx context.Context, in authentication.Input) (*authentication.Output, error)) *MockInterface_Do_Call {
_c.Call.Return(run)
return _c
}

96
mocks/github.com/int128/kubelogin/pkg/usecases/clean_mock/mocks.go
View File

@@ -1,96 +0,0 @@
// Code generated by mockery; DO NOT EDIT.
// github.com/vektra/mockery
// template: testify
package clean_mock
import (
"context"
"github.com/int128/kubelogin/pkg/usecases/clean"
mock "github.com/stretchr/testify/mock"
)
// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
// The first argument is typically a *testing.T value.
func NewMockInterface(t interface {
mock.TestingT
Cleanup(func())
}) *MockInterface {
mock := &MockInterface{}
mock.Mock.Test(t)
t.Cleanup(func() { mock.AssertExpectations(t) })
return mock
}
// MockInterface is an autogenerated mock type for the Interface type
type MockInterface struct {
mock.Mock
}
type MockInterface_Expecter struct {
mock *mock.Mock
}
func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
return &MockInterface_Expecter{mock: &_m.Mock}
}
// Do provides a mock function for the type MockInterface
func (_mock *MockInterface) Do(ctx context.Context, in clean.Input) error {
ret := _mock.Called(ctx, in)
if len(ret) == 0 {
panic("no return value specified for Do")
}
var r0 error
if returnFunc, ok := ret.Get(0).(func(context.Context, clean.Input) error); ok {
r0 = returnFunc(ctx, in)
} else {
r0 = ret.Error(0)
}
return r0
}
// MockInterface_Do_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Do'
type MockInterface_Do_Call struct {
*mock.Call
}
// Do is a helper method to define mock.On call
// - ctx context.Context
// - in clean.Input
func (_e *MockInterface_Expecter) Do(ctx interface{}, in interface{}) *MockInterface_Do_Call {
return &MockInterface_Do_Call{Call: _e.mock.On("Do", ctx, in)}
}
func (_c *MockInterface_Do_Call) Run(run func(ctx context.Context, in clean.Input)) *MockInterface_Do_Call {
_c.Call.Run(func(args mock.Arguments) {
var arg0 context.Context
if args[0] != nil {
arg0 = args[0].(context.Context)
}
var arg1 clean.Input
if args[1] != nil {
arg1 = args[1].(clean.Input)
}
run(
arg0,
arg1,
)
})
return _c
}
func (_c *MockInterface_Do_Call) Return(err error) *MockInterface_Do_Call {
_c.Call.Return(err)
return _c
}
func (_c *MockInterface_Do_Call) RunAndReturn(run func(ctx context.Context, in clean.Input) error) *MockInterface_Do_Call {
_c.Call.Return(run)
return _c
}

96
mocks/github.com/int128/kubelogin/pkg/usecases/credentialplugin_mock/mocks.go
View File

@@ -1,96 +0,0 @@
// Code generated by mockery; DO NOT EDIT.
// github.com/vektra/mockery
// template: testify
package credentialplugin_mock
import (
"context"
"github.com/int128/kubelogin/pkg/usecases/credentialplugin"
mock "github.com/stretchr/testify/mock"
)
// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
// The first argument is typically a *testing.T value.
func NewMockInterface(t interface {
mock.TestingT
Cleanup(func())
}) *MockInterface {
mock := &MockInterface{}
mock.Mock.Test(t)
t.Cleanup(func() { mock.AssertExpectations(t) })
return mock
}
// MockInterface is an autogenerated mock type for the Interface type
type MockInterface struct {
mock.Mock
}
type MockInterface_Expecter struct {
mock *mock.Mock
}
func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
return &MockInterface_Expecter{mock: &_m.Mock}
}
// Do provides a mock function for the type MockInterface
func (_mock *MockInterface) Do(ctx context.Context, in credentialplugin.Input) error {
ret := _mock.Called(ctx, in)
if len(ret) == 0 {
panic("no return value specified for Do")
}
var r0 error
if returnFunc, ok := ret.Get(0).(func(context.Context, credentialplugin.Input) error); ok {
r0 = returnFunc(ctx, in)
} else {
r0 = ret.Error(0)
}
return r0
}
// MockInterface_Do_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Do'
type MockInterface_Do_Call struct {
*mock.Call
}
// Do is a helper method to define mock.On call
// - ctx context.Context
// - in credentialplugin.Input
func (_e *MockInterface_Expecter) Do(ctx interface{}, in interface{}) *MockInterface_Do_Call {
return &MockInterface_Do_Call{Call: _e.mock.On("Do", ctx, in)}
}
func (_c *MockInterface_Do_Call) Run(run func(ctx context.Context, in credentialplugin.Input)) *MockInterface_Do_Call {
_c.Call.Run(func(args mock.Arguments) {
var arg0 context.Context
if args[0] != nil {
arg0 = args[0].(context.Context)
}
var arg1 credentialplugin.Input
if args[1] != nil {
arg1 = args[1].(credentialplugin.Input)
}
run(
arg0,
arg1,
)
})
return _c
}
func (_c *MockInterface_Do_Call) Return(err error) *MockInterface_Do_Call {
_c.Call.Return(err)
return _c
}
func (_c *MockInterface_Do_Call) RunAndReturn(run func(ctx context.Context, in credentialplugin.Input) error) *MockInterface_Do_Call {
_c.Call.Return(run)
return _c
}

96
mocks/github.com/int128/kubelogin/pkg/usecases/setup_mock/mocks.go
View File

@@ -1,96 +0,0 @@
// Code generated by mockery; DO NOT EDIT.
// github.com/vektra/mockery
// template: testify
package setup_mock
import (
"context"
"github.com/int128/kubelogin/pkg/usecases/setup"
mock "github.com/stretchr/testify/mock"
)
// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
// The first argument is typically a *testing.T value.
func NewMockInterface(t interface {
mock.TestingT
Cleanup(func())
}) *MockInterface {
mock := &MockInterface{}
mock.Mock.Test(t)
t.Cleanup(func() { mock.AssertExpectations(t) })
return mock
}
// MockInterface is an autogenerated mock type for the Interface type
type MockInterface struct {
mock.Mock
}
type MockInterface_Expecter struct {
mock *mock.Mock
}
func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
return &MockInterface_Expecter{mock: &_m.Mock}
}
// Do provides a mock function for the type MockInterface
func (_mock *MockInterface) Do(ctx context.Context, in setup.Input) error {
ret := _mock.Called(ctx, in)
if len(ret) == 0 {
panic("no return value specified for Do")
}
var r0 error
if returnFunc, ok := ret.Get(0).(func(context.Context, setup.Input) error); ok {
r0 = returnFunc(ctx, in)
} else {
r0 = ret.Error(0)
}
return r0
}
// MockInterface_Do_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Do'
type MockInterface_Do_Call struct {
*mock.Call
}
// Do is a helper method to define mock.On call
// - ctx context.Context
// - in setup.Input
func (_e *MockInterface_Expecter) Do(ctx interface{}, in interface{}) *MockInterface_Do_Call {
return &MockInterface_Do_Call{Call: _e.mock.On("Do", ctx, in)}
}
func (_c *MockInterface_Do_Call) Run(run func(ctx context.Context, in setup.Input)) *MockInterface_Do_Call {
_c.Call.Run(func(args mock.Arguments) {
var arg0 context.Context
if args[0] != nil {
arg0 = args[0].(context.Context)
}
var arg1 setup.Input
if args[1] != nil {
arg1 = args[1].(setup.Input)
}
run(
arg0,
arg1,
)
})
return _c
}
func (_c *MockInterface_Do_Call) Return(err error) *MockInterface_Do_Call {
_c.Call.Return(err)
return _c
}
func (_c *MockInterface_Do_Call) RunAndReturn(run func(ctx context.Context, in setup.Input) error) *MockInterface_Do_Call {
_c.Call.Return(run)
return _c
}

96
mocks/github.com/int128/kubelogin/pkg/usecases/standalone_mock/mocks.go
View File

@@ -1,96 +0,0 @@
// Code generated by mockery; DO NOT EDIT.
// github.com/vektra/mockery
// template: testify
package standalone_mock
import (
"context"
"github.com/int128/kubelogin/pkg/usecases/standalone"
mock "github.com/stretchr/testify/mock"
)
// NewMockInterface creates a new instance of MockInterface. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
// The first argument is typically a *testing.T value.
func NewMockInterface(t interface {
mock.TestingT
Cleanup(func())
}) *MockInterface {
mock := &MockInterface{}
mock.Mock.Test(t)
t.Cleanup(func() { mock.AssertExpectations(t) })
return mock
}
// MockInterface is an autogenerated mock type for the Interface type
type MockInterface struct {
mock.Mock
}
type MockInterface_Expecter struct {
mock *mock.Mock
}
func (_m *MockInterface) EXPECT() *MockInterface_Expecter {
return &MockInterface_Expecter{mock: &_m.Mock}
}
// Do provides a mock function for the type MockInterface
func (_mock *MockInterface) Do(ctx context.Context, in standalone.Input) error {
ret := _mock.Called(ctx, in)
if len(ret) == 0 {
panic("no return value specified for Do")
}
var r0 error
if returnFunc, ok := ret.Get(0).(func(context.Context, standalone.Input) error); ok {
r0 = returnFunc(ctx, in)
} else {
r0 = ret.Error(0)
}
return r0
}
// MockInterface_Do_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Do'
type MockInterface_Do_Call struct {
*mock.Call
}
// Do is a helper method to define mock.On call
// - ctx context.Context
// - in standalone.Input
func (_e *MockInterface_Expecter) Do(ctx interface{}, in interface{}) *MockInterface_Do_Call {
return &MockInterface_Do_Call{Call: _e.mock.On("Do", ctx, in)}
}
func (_c *MockInterface_Do_Call) Run(run func(ctx context.Context, in standalone.Input)) *MockInterface_Do_Call {
_c.Call.Run(func(args mock.Arguments) {
var arg0 context.Context
if args[0] != nil {
arg0 = args[0].(context.Context)
}
var arg1 standalone.Input
if args[1] != nil {
arg1 = args[1].(standalone.Input)
}
run(
arg0,
arg1,
)
})
return _c
}
func (_c *MockInterface_Do_Call) Return(err error) *MockInterface_Do_Call {
_c.Call.Return(err)
return _c
}
func (_c *MockInterface_Do_Call) RunAndReturn(run func(ctx context.Context, in standalone.Input) error) *MockInterface_Do_Call {
_c.Call.Return(run)
return _c
}

80
mocks/io_mock/mocks.go
View File

@@ -1,80 +0,0 @@
// Code generated by mockery; DO NOT EDIT.
// github.com/vektra/mockery
// template: testify
package io_mock
import (
mock "github.com/stretchr/testify/mock"
)
// NewMockCloser creates a new instance of MockCloser. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
// The first argument is typically a *testing.T value.
func NewMockCloser(t interface {
mock.TestingT
Cleanup(func())
}) *MockCloser {
mock := &MockCloser{}
mock.Mock.Test(t)
t.Cleanup(func() { mock.AssertExpectations(t) })
return mock
}
// MockCloser is an autogenerated mock type for the Closer type
type MockCloser struct {
mock.Mock
}
type MockCloser_Expecter struct {
mock *mock.Mock
}
func (_m *MockCloser) EXPECT() *MockCloser_Expecter {
return &MockCloser_Expecter{mock: &_m.Mock}
}
// Close provides a mock function for the type MockCloser
func (_mock *MockCloser) Close() error {
ret := _mock.Called()
if len(ret) == 0 {
panic("no return value specified for Close")
}
var r0 error
if returnFunc, ok := ret.Get(0).(func() error); ok {
r0 = returnFunc()
} else {
r0 = ret.Error(0)
}
return r0
}
// MockCloser_Close_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'Close'
type MockCloser_Close_Call struct {
*mock.Call
}
// Close is a helper method to define mock.On call
func (_e *MockCloser_Expecter) Close() *MockCloser_Close_Call {
return &MockCloser_Close_Call{Call: _e.mock.On("Close")}
}
func (_c *MockCloser_Close_Call) Run(run func()) *MockCloser_Close_Call {
_c.Call.Run(func(args mock.Arguments) {
run()
})
return _c
}
func (_c *MockCloser_Close_Call) Return(err error) *MockCloser_Close_Call {
_c.Call.Return(err)
return _c
}
func (_c *MockCloser_Close_Call) RunAndReturn(run func() error) *MockCloser_Close_Call {
_c.Call.Return(run)
return _c
}

13
pkg/infrastructure/browser/browser.go → pkg/adaptors/browser/browser.go
View File

@@ -1,14 +1,14 @@
package browser
import (
"context"
"os"
"os/exec"
"github.com/google/wire"
"github.com/pkg/browser"
)
//go:generate mockgen -destination mock_browser/mock_browser.go github.com/int128/kubelogin/pkg/adaptors/browser Interface
func init() {
// In credential plugin mode, some browser launcher writes a message to stdout
// and it may break the credential json for client-go.
@@ -23,7 +23,6 @@ var Set = wire.NewSet(
type Interface interface {
Open(url string) error
OpenCommand(ctx context.Context, url, command string) error
}
type Browser struct{}
@@ -32,11 +31,3 @@ type Browser struct{}
func (*Browser) Open(url string) error {
return browser.OpenURL(url)
}
// OpenCommand opens the browser using the command.
func (*Browser) OpenCommand(ctx context.Context, url, command string) error {
c := exec.CommandContext(ctx, command, url)
c.Stdout = os.Stderr // see above
c.Stderr = os.Stderr
return c.Run()
}

47
pkg/adaptors/browser/mock_browser/mock_browser.go Normal file
View File

@@ -0,0 +1,47 @@
// Code generated by MockGen. DO NOT EDIT.
// Source: github.com/int128/kubelogin/pkg/adaptors/browser (interfaces: Interface)
// Package mock_browser is a generated GoMock package.
package mock_browser
import (
gomock "github.com/golang/mock/gomock"
reflect "reflect"
)
// MockInterface is a mock of Interface interface
type MockInterface struct {
ctrl *gomock.Controller
recorder *MockInterfaceMockRecorder
}
// MockInterfaceMockRecorder is the mock recorder for MockInterface
type MockInterfaceMockRecorder struct {
mock *MockInterface
}
// NewMockInterface creates a new mock instance
func NewMockInterface(ctrl *gomock.Controller) *MockInterface {
mock := &MockInterface{ctrl: ctrl}
mock.recorder = &MockInterfaceMockRecorder{mock}
return mock
}
// EXPECT returns an object that allows the caller to indicate expected use
func (m *MockInterface) EXPECT() *MockInterfaceMockRecorder {
return m.recorder
}
// Open mocks base method
func (m *MockInterface) Open(arg0 string) error {
m.ctrl.T.Helper()
ret := m.ctrl.Call(m, "Open", arg0)
ret0, _ := ret[0].(error)
return ret0
}
// Open indicates an expected call of Open
func (mr *MockInterfaceMockRecorder) Open(arg0 interface{}) *gomock.Call {
mr.mock.ctrl.T.Helper()
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Open", reflect.TypeOf((*MockInterface)(nil).Open), arg0)
}

71
pkg/adaptors/certpool/cert.go Normal file
View File

@@ -0,0 +1,71 @@
// Package certpool provides loading certificates from files or base64 encoded string.
package certpool
import (
"crypto/tls"
"crypto/x509"
"encoding/base64"
"io/ioutil"
"github.com/google/wire"
"golang.org/x/xerrors"
)
//go:generate mockgen -destination mock_certpool/mock_certpool.go github.com/int128/kubelogin/pkg/adaptors/certpool Interface
// Set provides an implementation and interface.
var Set = wire.NewSet(
wire.Value(NewFunc(New)),
wire.Struct(new(CertPool), "*"),
wire.Bind(new(Interface), new(*CertPool)),
)
type NewFunc func() Interface
// New returns an instance which implements the Interface.
func New() Interface {
return &CertPool{pool: x509.NewCertPool()}
}
type Interface interface {
AddFile(filename string) error
AddBase64Encoded(s string) error
SetRootCAs(cfg *tls.Config)
}
// CertPool represents a pool of certificates.
type CertPool struct {
pool *x509.CertPool
}
// SetRootCAs sets cfg.RootCAs if it has any certificate.
// Otherwise do nothing.
func (p *CertPool) SetRootCAs(cfg *tls.Config) {
if len(p.pool.Subjects()) > 0 {
cfg.RootCAs = p.pool
}
}
// AddFile loads the certificate from the file.
func (p *CertPool) AddFile(filename string) error {
b, err := ioutil.ReadFile(filename)
if err != nil {
return xerrors.Errorf("could not read %s: %w", filename, err)
}
if !p.pool.AppendCertsFromPEM(b) {
return xerrors.Errorf("could not append certificate from %s", filename)
}
return nil
}
// AddBase64Encoded loads the certificate from the base64 encoded string.
func (p *CertPool) AddBase64Encoded(s string) error {
b, err := base64.StdEncoding.DecodeString(s)
if err != nil {
return xerrors.Errorf("could not decode base64: %w", err)
}
if !p.pool.AppendCertsFromPEM(b) {
return xerrors.Errorf("could not append certificate")
}
return nil
}

58
pkg/adaptors/certpool/cert_test.go Normal file
View File

@@ -0,0 +1,58 @@
package certpool
import (
"crypto/tls"
"io/ioutil"
"testing"
)
func TestCertPool_AddFile(t *testing.T) {
t.Run("Valid", func(t *testing.T) {
p := New()
if err := p.AddFile("testdata/ca1.crt"); err != nil {
t.Errorf("AddFile error: %s", err)
}
var cfg tls.Config
p.SetRootCAs(&cfg)
if n := len(cfg.RootCAs.Subjects()); n != 1 {
t.Errorf("n wants 1 but was %d", n)
}
})
t.Run("Invalid", func(t *testing.T) {
p := New()
err := p.AddFile("testdata/Makefile")
if err == nil {
t.Errorf("AddFile wants an error but was nil")
}
})
}
func TestCertPool_AddBase64Encoded(t *testing.T) {
p := New()
if err := p.AddBase64Encoded(readFile(t, "testdata/ca2.crt.base64")); err != nil {
t.Errorf("AddBase64Encoded error: %s", err)
}
var cfg tls.Config
p.SetRootCAs(&cfg)
if n := len(cfg.RootCAs.Subjects()); n != 1 {
t.Errorf("n wants 1 but was %d", n)
}
}
func TestCertPool_SetRootCAs(t *testing.T) {
p := New()
var cfg tls.Config
p.SetRootCAs(&cfg)
if cfg.RootCAs != nil {
t.Errorf("cfg.RootCAs wants nil but was %+v", cfg.RootCAs)
}
}
func readFile(t *testing.T, filename string) string {
t.Helper()
b, err := ioutil.ReadFile(filename)
if err != nil {
t.Fatalf("ReadFile error: %s", err)
}
return string(b)
}

74
pkg/adaptors/certpool/mock_certpool/mock_certpool.go Normal file
View File

@@ -0,0 +1,74 @@
// Code generated by MockGen. DO NOT EDIT.
// Source: github.com/int128/kubelogin/pkg/adaptors/certpool (interfaces: Interface)
// Package mock_certpool is a generated GoMock package.
package mock_certpool
import (
tls "crypto/tls"
gomock "github.com/golang/mock/gomock"
reflect "reflect"
)
// MockInterface is a mock of Interface interface
type MockInterface struct {
ctrl *gomock.Controller
recorder *MockInterfaceMockRecorder
}
// MockInterfaceMockRecorder is the mock recorder for MockInterface
type MockInterfaceMockRecorder struct {
mock *MockInterface
}
// NewMockInterface creates a new mock instance
func NewMockInterface(ctrl *gomock.Controller) *MockInterface {
mock := &MockInterface{ctrl: ctrl}
mock.recorder = &MockInterfaceMockRecorder{mock}
return mock
}
// EXPECT returns an object that allows the caller to indicate expected use
func (m *MockInterface) EXPECT() *MockInterfaceMockRecorder {
return m.recorder
}
// AddBase64Encoded mocks base method
func (m *MockInterface) AddBase64Encoded(arg0 string) error {
m.ctrl.T.Helper()
ret := m.ctrl.Call(m, "AddBase64Encoded", arg0)
ret0, _ := ret[0].(error)
return ret0
}
// AddBase64Encoded indicates an expected call of AddBase64Encoded
func (mr *MockInterfaceMockRecorder) AddBase64Encoded(arg0 interface{}) *gomock.Call {
mr.mock.ctrl.T.Helper()
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AddBase64Encoded", reflect.TypeOf((*MockInterface)(nil).AddBase64Encoded), arg0)
}
// AddFile mocks base method
func (m *MockInterface) AddFile(arg0 string) error {
m.ctrl.T.Helper()
ret := m.ctrl.Call(m, "AddFile", arg0)
ret0, _ := ret[0].(error)
return ret0
}
// AddFile indicates an expected call of AddFile
func (mr *MockInterfaceMockRecorder) AddFile(arg0 interface{}) *gomock.Call {
mr.mock.ctrl.T.Helper()
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AddFile", reflect.TypeOf((*MockInterface)(nil).AddFile), arg0)
}
// SetRootCAs mocks base method
func (m *MockInterface) SetRootCAs(arg0 *tls.Config) {
m.ctrl.T.Helper()
m.ctrl.Call(m, "SetRootCAs", arg0)
}
// SetRootCAs indicates an expected call of SetRootCAs
func (mr *MockInterfaceMockRecorder) SetRootCAs(arg0 interface{}) *gomock.Call {
mr.mock.ctrl.T.Helper()
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetRootCAs", reflect.TypeOf((*MockInterface)(nil).SetRootCAs), arg0)
}

0
pkg/tlsclientconfig/loader/testdata/Makefile → pkg/adaptors/certpool/testdata/Makefile vendored
View File

0
pkg/tlsclientconfig/loader/testdata/ca1.crt → pkg/adaptors/certpool/testdata/ca1.crt vendored
View File

0
pkg/tlsclientconfig/loader/testdata/ca1.crt.base64 → pkg/adaptors/certpool/testdata/ca1.crt.base64 vendored
View File

0
pkg/tlsclientconfig/loader/testdata/ca2.crt → pkg/adaptors/certpool/testdata/ca2.crt vendored
View File

0
pkg/tlsclientconfig/loader/testdata/ca2.crt.base64 → pkg/adaptors/certpool/testdata/ca2.crt.base64 vendored
View File

0
pkg/tlsclientconfig/loader/testdata/ca3.crt → pkg/adaptors/certpool/testdata/ca3.crt vendored
View File

0
pkg/tlsclientconfig/loader/testdata/ca3.crt.base64 → pkg/adaptors/certpool/testdata/ca3.crt.base64 vendored
View File

0
pkg/infrastructure/clock/clock.go → pkg/adaptors/clock/clock.go
View File

11
pkg/cmd/cmd.go → pkg/adaptors/cmd/cmd.go
View File

@@ -5,8 +5,9 @@ import (
"runtime"
"github.com/google/wire"
"github.com/int128/kubelogin/pkg/infrastructure/logger"
"github.com/int128/kubelogin/pkg/adaptors/logger"
"github.com/spf13/cobra"
"k8s.io/client-go/util/homedir"
)
// Set provides an implementation and interface for Cmd.
@@ -16,7 +17,6 @@ var Set = wire.NewSet(
wire.Struct(new(Root), "*"),
wire.Struct(new(GetToken), "*"),
wire.Struct(new(Setup), "*"),
wire.Struct(new(Clean), "*"),
)
type Interface interface {
@@ -24,15 +24,13 @@ type Interface interface {
}
var defaultListenAddress = []string{"127.0.0.1:8000", "127.0.0.1:18000"}
const defaultAuthenticationTimeoutSec = 180
var defaultTokenCacheDir = homedir.HomeDir() + "/.kube/cache/oidc-login"
// Cmd provides interaction with command line interface (CLI).
type Cmd struct {
Root *Root
GetToken *GetToken
Setup *Setup
Clean *Clean
Logger logger.Interface
}
@@ -50,9 +48,6 @@ func (cmd *Cmd) Run(ctx context.Context, args []string, version string) int {
setupCmd := cmd.Setup.New()
rootCmd.AddCommand(setupCmd)
cleanCmd := cmd.Clean.New()
rootCmd.AddCommand(cleanCmd)
versionCmd := &cobra.Command{
Use: "version",
Short: "Print the version information",

374
pkg/adaptors/cmd/cmd_test.go Normal file
View File

@@ -0,0 +1,374 @@
package cmd
import (
"context"
"testing"
"github.com/golang/mock/gomock"
"github.com/int128/kubelogin/pkg/testing/logger"
"github.com/int128/kubelogin/pkg/usecases/authentication"
"github.com/int128/kubelogin/pkg/usecases/credentialplugin"
"github.com/int128/kubelogin/pkg/usecases/credentialplugin/mock_credentialplugin"
"github.com/int128/kubelogin/pkg/usecases/standalone"
"github.com/int128/kubelogin/pkg/usecases/standalone/mock_standalone"
)
func TestCmd_Run(t *testing.T) {
const executable = "kubelogin"
const version = "HEAD"
t.Run("root", func(t *testing.T) {
tests := map[string]struct {
args []string
in standalone.Input
}{
"Defaults": {
args: []string{executable},
in: standalone.Input{
GrantOptionSet: authentication.GrantOptionSet{
AuthCodeOption: &authentication.AuthCodeOption{
BindAddress: defaultListenAddress,
RedirectURLHostname: "localhost",
},
},
},
},
"when --listen-port is set, it should convert the port to address": {
args: []string{
executable,
"--listen-port", "10080",
"--listen-port", "20080",
},
in: standalone.Input{
GrantOptionSet: authentication.GrantOptionSet{
AuthCodeOption: &authentication.AuthCodeOption{
BindAddress: []string{"127.0.0.1:10080", "127.0.0.1:20080"},
RedirectURLHostname: "localhost",
},
},
},
},
"when --listen-port is set, it should ignore --listen-address flags": {
args: []string{
executable,
"--listen-port", "10080",
"--listen-port", "20080",
"--listen-address", "127.0.0.1:30080",
"--listen-address", "127.0.0.1:40080",
},
in: standalone.Input{
GrantOptionSet: authentication.GrantOptionSet{
AuthCodeOption: &authentication.AuthCodeOption{
BindAddress: []string{"127.0.0.1:10080", "127.0.0.1:20080"},
RedirectURLHostname: "localhost",
},
},
},
},
"FullOptions": {
args: []string{executable,
"--kubeconfig", "/path/to/kubeconfig",
"--context", "hello.k8s.local",
"--user", "google",
"--certificate-authority", "/path/to/cacert",
"--insecure-skip-tls-verify",
"-v1",
"--grant-type", "authcode",
"--listen-address", "127.0.0.1:10080",
"--listen-address", "127.0.0.1:20080",
"--skip-open-browser",
"--username", "USER",
"--password", "PASS",
},
in: standalone.Input{
KubeconfigFilename: "/path/to/kubeconfig",
KubeconfigContext: "hello.k8s.local",
KubeconfigUser: "google",
CACertFilename: "/path/to/cacert",
SkipTLSVerify: true,
GrantOptionSet: authentication.GrantOptionSet{
AuthCodeOption: &authentication.AuthCodeOption{
BindAddress: []string{"127.0.0.1:10080", "127.0.0.1:20080"},
SkipOpenBrowser: true,
RedirectURLHostname: "localhost",
},
},
},
},
"GrantType=authcode-keyboard": {
args: []string{executable,
"--grant-type", "authcode-keyboard",
},
in: standalone.Input{
GrantOptionSet: authentication.GrantOptionSet{
AuthCodeKeyboardOption: &authentication.AuthCodeKeyboardOption{},
},
},
},
"GrantType=password": {
args: []string{executable,
"--grant-type", "password",
"--listen-address", "127.0.0.1:10080",
"--listen-address", "127.0.0.1:20080",
"--username", "USER",
"--password", "PASS",
},
in: standalone.Input{
GrantOptionSet: authentication.GrantOptionSet{
ROPCOption: &authentication.ROPCOption{
Username: "USER",
Password: "PASS",
},
},
},
},
"GrantType=auto": {
args: []string{executable,
"--listen-address", "127.0.0.1:10080",
"--listen-address", "127.0.0.1:20080",
"--username", "USER",
"--password", "PASS",
},
in: standalone.Input{
GrantOptionSet: authentication.GrantOptionSet{
ROPCOption: &authentication.ROPCOption{
Username: "USER",
Password: "PASS",
},
},
},
},
}
for name, c := range tests {
t.Run(name, func(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
ctx := context.TODO()
mockStandalone := mock_standalone.NewMockInterface(ctrl)
mockStandalone.EXPECT().
Do(ctx, c.in)
cmd := Cmd{
Root: &Root{
Standalone: mockStandalone,
Logger: logger.New(t),
},
Logger: logger.New(t),
}
exitCode := cmd.Run(ctx, c.args, version)
if exitCode != 0 {
t.Errorf("exitCode wants 0 but %d", exitCode)
}
})
}
t.Run("TooManyArgs", func(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
cmd := Cmd{
Root: &Root{
Standalone: mock_standalone.NewMockInterface(ctrl),
Logger: logger.New(t),
},
Logger: logger.New(t),
}
exitCode := cmd.Run(context.TODO(), []string{executable, "some"}, version)
if exitCode != 1 {
t.Errorf("exitCode wants 1 but %d", exitCode)
}
})
})
t.Run("get-token", func(t *testing.T) {
tests := map[string]struct {
args []string
in credentialplugin.Input
}{
"Defaults": {
args: []string{executable,
"get-token",
"--oidc-issuer-url", "https://issuer.example.com",
"--oidc-client-id", "YOUR_CLIENT_ID",
},
in: credentialplugin.Input{
TokenCacheDir: defaultTokenCacheDir,
IssuerURL: "https://issuer.example.com",
ClientID: "YOUR_CLIENT_ID",
GrantOptionSet: authentication.GrantOptionSet{
AuthCodeOption: &authentication.AuthCodeOption{
BindAddress: []string{"127.0.0.1:8000", "127.0.0.1:18000"},
RedirectURLHostname: "localhost",
},
},
},
},
"FullOptions": {
args: []string{executable,
"get-token",
"--oidc-issuer-url", "https://issuer.example.com",
"--oidc-client-id", "YOUR_CLIENT_ID",
"--oidc-client-secret", "YOUR_CLIENT_SECRET",
"--oidc-extra-scope", "email",
"--oidc-extra-scope", "profile",
"--certificate-authority", "/path/to/cacert",
"--certificate-authority-data", "BASE64ENCODED",
"--insecure-skip-tls-verify",
"-v1",
"--grant-type", "authcode",
"--listen-address", "127.0.0.1:10080",
"--listen-address", "127.0.0.1:20080",
"--skip-open-browser",
"--oidc-auth-request-extra-params", "ttl=86400",
"--oidc-auth-request-extra-params", "reauth=true",
"--username", "USER",
"--password", "PASS",
},
in: credentialplugin.Input{
TokenCacheDir: defaultTokenCacheDir,
IssuerURL: "https://issuer.example.com",
ClientID: "YOUR_CLIENT_ID",
ClientSecret: "YOUR_CLIENT_SECRET",
ExtraScopes: []string{"email", "profile"},
CACertFilename: "/path/to/cacert",
CACertData: "BASE64ENCODED",
SkipTLSVerify: true,
GrantOptionSet: authentication.GrantOptionSet{
AuthCodeOption: &authentication.AuthCodeOption{
BindAddress: []string{"127.0.0.1:10080", "127.0.0.1:20080"},
SkipOpenBrowser: true,
RedirectURLHostname: "localhost",
AuthRequestExtraParams: map[string]string{"ttl": "86400", "reauth": "true"},
},
},
},
},
"GrantType=authcode-keyboard": {
args: []string{executable,
"get-token",
"--oidc-issuer-url", "https://issuer.example.com",
"--oidc-client-id", "YOUR_CLIENT_ID",
"--grant-type", "authcode-keyboard",
"--oidc-auth-request-extra-params", "ttl=86400",
},
in: credentialplugin.Input{
TokenCacheDir: defaultTokenCacheDir,
IssuerURL: "https://issuer.example.com",
ClientID: "YOUR_CLIENT_ID",
GrantOptionSet: authentication.GrantOptionSet{
AuthCodeKeyboardOption: &authentication.AuthCodeKeyboardOption{
AuthRequestExtraParams: map[string]string{"ttl": "86400"},
},
},
},
},
"GrantType=password": {
args: []string{executable,
"get-token",
"--oidc-issuer-url", "https://issuer.example.com",
"--oidc-client-id", "YOUR_CLIENT_ID",
"--grant-type", "password",
"--listen-address", "127.0.0.1:10080",
"--listen-address", "127.0.0.1:20080",
"--username", "USER",
"--password", "PASS",
},
in: credentialplugin.Input{
TokenCacheDir: defaultTokenCacheDir,
IssuerURL: "https://issuer.example.com",
ClientID: "YOUR_CLIENT_ID",
GrantOptionSet: authentication.GrantOptionSet{
ROPCOption: &authentication.ROPCOption{
Username: "USER",
Password: "PASS",
},
},
},
},
"GrantType=auto": {
args: []string{executable,
"get-token",
"--oidc-issuer-url", "https://issuer.example.com",
"--oidc-client-id", "YOUR_CLIENT_ID",
"--listen-address", "127.0.0.1:10080",
"--listen-address", "127.0.0.1:20080",
"--username", "USER",
"--password", "PASS",
},
in: credentialplugin.Input{
TokenCacheDir: defaultTokenCacheDir,
IssuerURL: "https://issuer.example.com",
ClientID: "YOUR_CLIENT_ID",
GrantOptionSet: authentication.GrantOptionSet{
ROPCOption: &authentication.ROPCOption{
Username: "USER",
Password: "PASS",
},
},
},
},
}
for name, c := range tests {
t.Run(name, func(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
ctx := context.TODO()
getToken := mock_credentialplugin.NewMockInterface(ctrl)
getToken.EXPECT().
Do(ctx, c.in)
cmd := Cmd{
Root: &Root{
Logger: logger.New(t),
},
GetToken: &GetToken{
GetToken: getToken,
Logger: logger.New(t),
},
Logger: logger.New(t),
}
exitCode := cmd.Run(ctx, c.args, version)
if exitCode != 0 {
t.Errorf("exitCode wants 0 but %d", exitCode)
}
})
}
t.Run("MissingMandatoryOptions", func(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
ctx := context.TODO()
cmd := Cmd{
Root: &Root{
Logger: logger.New(t),
},
GetToken: &GetToken{
GetToken: mock_credentialplugin.NewMockInterface(ctrl),
Logger: logger.New(t),
},
Logger: logger.New(t),
}
exitCode := cmd.Run(ctx, []string{executable, "get-token"}, version)
if exitCode != 1 {
t.Errorf("exitCode wants 1 but %d", exitCode)
}
})
t.Run("TooManyArgs", func(t *testing.T) {
ctrl := gomock.NewController(t)
defer ctrl.Finish()
ctx := context.TODO()
cmd := Cmd{
Root: &Root{
Logger: logger.New(t),
},
GetToken: &GetToken{
GetToken: mock_credentialplugin.NewMockInterface(ctrl),
Logger: logger.New(t),
},
Logger: logger.New(t),
}
exitCode := cmd.Run(ctx, []string{executable, "get-token", "foo"}, version)
if exitCode != 1 {
t.Errorf("exitCode wants 1 but %d", exitCode)
}
})
})
}

83
pkg/adaptors/cmd/get_token.go Normal file
View File

@@ -0,0 +1,83 @@
package cmd
import (
"github.com/int128/kubelogin/pkg/adaptors/logger"
"github.com/int128/kubelogin/pkg/usecases/credentialplugin"
"github.com/spf13/cobra"
"github.com/spf13/pflag"
"golang.org/x/xerrors"
)
// getTokenOptions represents the options for get-token command.
type getTokenOptions struct {
IssuerURL string
ClientID string
ClientSecret string
ExtraScopes []string
CACertFilename string
CACertData string
SkipTLSVerify bool
TokenCacheDir string
authenticationOptions authenticationOptions
}
func (o *getTokenOptions) register(f *pflag.FlagSet) {
f.SortFlags = false
f.StringVar(&o.IssuerURL, "oidc-issuer-url", "", "Issuer URL of the provider (mandatory)")
f.StringVar(&o.ClientID, "oidc-client-id", "", "Client ID of the provider (mandatory)")
f.StringVar(&o.ClientSecret, "oidc-client-secret", "", "Client secret of the provider")
f.StringSliceVar(&o.ExtraScopes, "oidc-extra-scope", nil, "Scopes to request to the provider")
f.StringVar(&o.CACertFilename, "certificate-authority", "", "Path to a cert file for the certificate authority")
f.StringVar(&o.CACertData, "certificate-authority-data", "", "Base64 encoded data for the certificate authority")
f.BoolVar(&o.SkipTLSVerify, "insecure-skip-tls-verify", false, "If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure")
f.StringVar(&o.TokenCacheDir, "token-cache-dir", defaultTokenCacheDir, "Path to a directory for caching tokens")
o.authenticationOptions.register(f)
}
type GetToken struct {
GetToken credentialplugin.Interface
Logger logger.Interface
}
func (cmd *GetToken) New() *cobra.Command {
var o getTokenOptions
c := &cobra.Command{
Use: "get-token [flags]",
Short: "Run as a kubectl credential plugin",
Args: func(c *cobra.Command, args []string) error {
if err := cobra.NoArgs(c, args); err != nil {
return err
}
if o.IssuerURL == "" {
return xerrors.New("--oidc-issuer-url is missing")
}
if o.ClientID == "" {
return xerrors.New("--oidc-client-id is missing")
}
return nil
},
RunE: func(c *cobra.Command, _ []string) error {
grantOptionSet, err := o.authenticationOptions.grantOptionSet()
if err != nil {
return xerrors.Errorf("get-token: %w", err)
}
in := credentialplugin.Input{
IssuerURL: o.IssuerURL,
ClientID: o.ClientID,
ClientSecret: o.ClientSecret,
ExtraScopes: o.ExtraScopes,
CACertFilename: o.CACertFilename,
CACertData: o.CACertData,
SkipTLSVerify: o.SkipTLSVerify,
TokenCacheDir: o.TokenCacheDir,
GrantOptionSet: grantOptionSet,
}
if err := cmd.GetToken.Do(c.Context(), in); err != nil {
return xerrors.Errorf("get-token: %w", err)
}
return nil
},
}
o.register(c.Flags())
return c
}

149
pkg/adaptors/cmd/root.go Normal file
View File

@@ -0,0 +1,149 @@
package cmd
import (
"fmt"
"strings"
"github.com/int128/kubelogin/pkg/adaptors/kubeconfig"
"github.com/int128/kubelogin/pkg/adaptors/logger"
"github.com/int128/kubelogin/pkg/usecases/authentication"
"github.com/int128/kubelogin/pkg/usecases/standalone"
"github.com/spf13/cobra"
"github.com/spf13/pflag"
"golang.org/x/xerrors"
)
const longDescription = `Login to the OpenID Connect provider.
You need to set up the OIDC provider, role binding, Kubernetes API server and kubeconfig.
Run the following command to show the setup instruction:
kubectl oidc-login setup
See https://github.com/int128/kubelogin for more.
`
// rootOptions represents the options for the root command.
type rootOptions struct {
Kubeconfig string
Context string
User string
CertificateAuthority string
SkipTLSVerify bool
authenticationOptions authenticationOptions
}
func (o *rootOptions) register(f *pflag.FlagSet) {
f.SortFlags = false
f.StringVar(&o.Kubeconfig, "kubeconfig", "", "Path to the kubeconfig file")
f.StringVar(&o.Context, "context", "", "The name of the kubeconfig context to use")
f.StringVar(&o.User, "user", "", "The name of the kubeconfig user to use. Prior to --context")
f.StringVar(&o.CertificateAuthority, "certificate-authority", "", "Path to a cert file for the certificate authority")
f.BoolVar(&o.SkipTLSVerify, "insecure-skip-tls-verify", false, "If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure")
o.authenticationOptions.register(f)
}
type authenticationOptions struct {
GrantType string
ListenAddress []string
ListenPort []int // deprecated
SkipOpenBrowser bool
RedirectURLHostname string
AuthRequestExtraParams map[string]string
Username string
Password string
}
// determineListenAddress returns the addresses from the flags.
// Note that --listen-address is always given due to the default value.
// If --listen-port is not set, it returns --listen-address.
// If --listen-port is set, it returns the strings of --listen-port.
func (o *authenticationOptions) determineListenAddress() []string {
if len(o.ListenPort) == 0 {
return o.ListenAddress
}
var a []string
for _, p := range o.ListenPort {
a = append(a, fmt.Sprintf("127.0.0.1:%d", p))
}
return a
}
var allGrantType = strings.Join([]string{
"auto",
"authcode",
"authcode-keyboard",
"password",
}, "|")
func (o *authenticationOptions) register(f *pflag.FlagSet) {
f.StringVar(&o.GrantType, "grant-type", "auto", fmt.Sprintf("The authorization grant type to use. One of (%s)", allGrantType))
f.StringSliceVar(&o.ListenAddress, "listen-address", defaultListenAddress, "Address to bind to the local server. If multiple addresses are given, it will try binding in order")
//TODO: remove the deprecated flag
f.IntSliceVar(&o.ListenPort, "listen-port", nil, "(Deprecated: use --listen-address)")
f.BoolVar(&o.SkipOpenBrowser, "skip-open-browser", false, "If true, it does not open the browser on authentication")
f.StringVar(&o.RedirectURLHostname, "oidc-redirect-url-hostname", "localhost", "Hostname of the redirect URL")
f.StringToStringVar(&o.AuthRequestExtraParams, "oidc-auth-request-extra-params", nil, "Extra query parameters to send with an authentication request")
f.StringVar(&o.Username, "username", "", "If set, perform the resource owner password credentials grant")
f.StringVar(&o.Password, "password", "", "If set, use the password instead of asking it")
}
func (o *authenticationOptions) grantOptionSet() (s authentication.GrantOptionSet, err error) {
switch {
case o.GrantType == "authcode" || (o.GrantType == "auto" && o.Username == ""):
s.AuthCodeOption = &authentication.AuthCodeOption{
BindAddress: o.determineListenAddress(),
SkipOpenBrowser: o.SkipOpenBrowser,
RedirectURLHostname: o.RedirectURLHostname,
AuthRequestExtraParams: o.AuthRequestExtraParams,
}
case o.GrantType == "authcode-keyboard":
s.AuthCodeKeyboardOption = &authentication.AuthCodeKeyboardOption{
AuthRequestExtraParams: o.AuthRequestExtraParams,
}
case o.GrantType == "password" || (o.GrantType == "auto" && o.Username != ""):
s.ROPCOption = &authentication.ROPCOption{
Username: o.Username,
Password: o.Password,
}
default:
err = xerrors.Errorf("grant-type must be one of (%s)", allGrantType)
}
return
}
type Root struct {
Standalone standalone.Interface
Logger logger.Interface
}
func (cmd *Root) New() *cobra.Command {
var o rootOptions
rootCmd := &cobra.Command{
Use: "kubelogin",
Short: "Login to the OpenID Connect provider",
Long: longDescription,
Args: cobra.NoArgs,
RunE: func(c *cobra.Command, _ []string) error {
grantOptionSet, err := o.authenticationOptions.grantOptionSet()
if err != nil {
return xerrors.Errorf("invalid option: %w", err)
}
in := standalone.Input{
KubeconfigFilename: o.Kubeconfig,
KubeconfigContext: kubeconfig.ContextName(o.Context),
KubeconfigUser: kubeconfig.UserName(o.User),
CACertFilename: o.CertificateAuthority,
SkipTLSVerify: o.SkipTLSVerify,
GrantOptionSet: grantOptionSet,
}
if err := cmd.Standalone.Do(c.Context(), in); err != nil {
return xerrors.Errorf("login: %w", err)
}
return nil
},
}
o.register(rootCmd.Flags())
cmd.Logger.AddFlags(rootCmd.PersistentFlags())
return rootCmd
}

74
pkg/adaptors/cmd/setup.go Normal file
View File

@@ -0,0 +1,74 @@
package cmd
import (
"github.com/int128/kubelogin/pkg/usecases/setup"
"github.com/spf13/cobra"
"github.com/spf13/pflag"
"golang.org/x/xerrors"
)
// setupOptions represents the options for setup command.
type setupOptions struct {
IssuerURL string
ClientID string
ClientSecret string
ExtraScopes []string
CACertFilename string
CACertData string
SkipTLSVerify bool
authenticationOptions authenticationOptions
}
func (o *setupOptions) register(f *pflag.FlagSet) {
f.SortFlags = false
f.StringVar(&o.IssuerURL, "oidc-issuer-url", "", "Issuer URL of the provider")
f.StringVar(&o.ClientID, "oidc-client-id", "", "Client ID of the provider")
f.StringVar(&o.ClientSecret, "oidc-client-secret", "", "Client secret of the provider")
f.StringSliceVar(&o.ExtraScopes, "oidc-extra-scope", nil, "Scopes to request to the provider")
f.StringVar(&o.CACertFilename, "certificate-authority", "", "Path to a cert file for the certificate authority")
f.StringVar(&o.CACertData, "certificate-authority-data", "", "Base64 encoded data for the certificate authority")
f.BoolVar(&o.SkipTLSVerify, "insecure-skip-tls-verify", false, "If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure")
o.authenticationOptions.register(f)
}
type Setup struct {
Setup setup.Interface
}
func (cmd *Setup) New() *cobra.Command {
var o setupOptions
c := &cobra.Command{
Use: "setup",
Short: "Show the setup instruction",
Args: cobra.NoArgs,
RunE: func(c *cobra.Command, _ []string) error {
grantOptionSet, err := o.authenticationOptions.grantOptionSet()
if err != nil {
return xerrors.Errorf("setup: %w", err)
}
in := setup.Stage2Input{
IssuerURL: o.IssuerURL,
ClientID: o.ClientID,
ClientSecret: o.ClientSecret,
ExtraScopes: o.ExtraScopes,
CACertFilename: o.CACertFilename,
CACertData: o.CACertData,
SkipTLSVerify: o.SkipTLSVerify,
GrantOptionSet: grantOptionSet,
}
if c.Flags().Lookup("listen-address").Changed {
in.ListenAddressArgs = o.authenticationOptions.ListenAddress
}
if in.IssuerURL == "" || in.ClientID == "" {
cmd.Setup.DoStage1()
return nil
}
if err := cmd.Setup.DoStage2(c.Context(), in); err != nil {
return xerrors.Errorf("setup: %w", err)
}
return nil
},
}
o.register(c.Flags())
return c
}

53
pkg/adaptors/credentialpluginwriter/credential_plugin.go Normal file
View File

@@ -0,0 +1,53 @@
// Package credentialpluginwriter provides a writer for a credential plugin.
package credentialpluginwriter
import (
"encoding/json"
"time"
"github.com/google/wire"
"github.com/int128/kubelogin/pkg/adaptors/stdio"
"golang.org/x/xerrors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
clientauthenticationv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
)
//go:generate mockgen -destination mock_credentialpluginwriter/mock_credentialpluginwriter.go github.com/int128/kubelogin/pkg/adaptors/credentialpluginwriter Interface
var Set = wire.NewSet(
wire.Struct(new(Writer), "*"),
wire.Bind(new(Interface), new(*Writer)),
)
type Interface interface {
Write(out Output) error
}
// Output represents an output object of the credential plugin.
type Output struct {
Token string
Expiry time.Time
}
type Writer struct {
Stdout stdio.Stdout
}
// Write writes the ExecCredential to standard output for kubectl.
func (w *Writer) Write(out Output) error {
ec := &clientauthenticationv1beta1.ExecCredential{
TypeMeta: metav1.TypeMeta{
APIVersion: "client.authentication.k8s.io/v1beta1",
Kind: "ExecCredential",
},
Status: &clientauthenticationv1beta1.ExecCredentialStatus{
Token: out.Token,
ExpirationTimestamp: &metav1.Time{Time: out.Expiry},
},
}
e := json.NewEncoder(w.Stdout)
if err := e.Encode(ec); err != nil {
return xerrors.Errorf("could not write the ExecCredential: %w", err)
}
return nil
}

48
pkg/adaptors/credentialpluginwriter/mock_credentialpluginwriter/mock_credentialpluginwriter.go Normal file
View File

@@ -0,0 +1,48 @@
// Code generated by MockGen. DO NOT EDIT.
// Source: github.com/int128/kubelogin/pkg/adaptors/credentialpluginwriter (interfaces: Interface)
// Package mock_credentialpluginwriter is a generated GoMock package.
package mock_credentialpluginwriter
import (
gomock "github.com/golang/mock/gomock"
credentialpluginwriter "github.com/int128/kubelogin/pkg/adaptors/credentialpluginwriter"
reflect "reflect"
)
// MockInterface is a mock of Interface interface
type MockInterface struct {
ctrl *gomock.Controller
recorder *MockInterfaceMockRecorder
}
// MockInterfaceMockRecorder is the mock recorder for MockInterface
type MockInterfaceMockRecorder struct {
mock *MockInterface
}
// NewMockInterface creates a new mock instance
func NewMockInterface(ctrl *gomock.Controller) *MockInterface {
mock := &MockInterface{ctrl: ctrl}
mock.recorder = &MockInterfaceMockRecorder{mock}
return mock
}
// EXPECT returns an object that allows the caller to indicate expected use
func (m *MockInterface) EXPECT() *MockInterfaceMockRecorder {
return m.recorder
}
// Write mocks base method
func (m *MockInterface) Write(arg0 credentialpluginwriter.Output) error {
m.ctrl.T.Helper()
ret := m.ctrl.Call(m, "Write", arg0)
ret0, _ := ret[0].(error)
return ret0
}
// Write indicates an expected call of Write
func (mr *MockInterfaceMockRecorder) Write(arg0 interface{}) *gomock.Call {
mr.mock.ctrl.T.Helper()
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Write", reflect.TypeOf((*MockInterface)(nil).Write), arg0)
}

22
pkg/kubeconfig/types.go → pkg/adaptors/kubeconfig/kubeconfig.go
View File

@@ -1,5 +1,23 @@
package kubeconfig
import (
"github.com/google/wire"
"github.com/int128/kubelogin/pkg/adaptors/logger"
)
//go:generate mockgen -destination mock_kubeconfig/mock_kubeconfig.go github.com/int128/kubelogin/pkg/adaptors/kubeconfig Interface
// Set provides an implementation and interface for Kubeconfig.
var Set = wire.NewSet(
wire.Struct(new(Kubeconfig), "*"),
wire.Bind(new(Interface), new(*Kubeconfig)),
)
type Interface interface {
GetCurrentAuthProvider(explicitFilename string, contextName ContextName, userName UserName) (*AuthProvider, error)
UpdateAuthProvider(auth *AuthProvider) error
}
// ContextName represents name of a context.
type ContextName string
@@ -21,3 +39,7 @@ type AuthProvider struct {
IDToken string // (optional) id-token
RefreshToken string // (optional) refresh-token
}
type Kubeconfig struct {
Logger logger.Interface
}

44
pkg/kubeconfig/loader/load.go → pkg/adaptors/kubeconfig/load.go
View File

@@ -1,35 +1,21 @@
package loader
package kubeconfig
import (
"errors"
"fmt"
"strings"
"github.com/google/wire"
"github.com/int128/kubelogin/pkg/kubeconfig"
"golang.org/x/xerrors"
"k8s.io/client-go/tools/clientcmd"
"k8s.io/client-go/tools/clientcmd/api"
)
var Set = wire.NewSet(
wire.Struct(new(Loader), "*"),
wire.Bind(new(Interface), new(*Loader)),
)
type Interface interface {
GetCurrentAuthProvider(explicitFilename string, contextName kubeconfig.ContextName, userName kubeconfig.UserName) (*kubeconfig.AuthProvider, error)
}
type Loader struct{}
func (Loader) GetCurrentAuthProvider(explicitFilename string, contextName kubeconfig.ContextName, userName kubeconfig.UserName) (*kubeconfig.AuthProvider, error) {
func (*Kubeconfig) GetCurrentAuthProvider(explicitFilename string, contextName ContextName, userName UserName) (*AuthProvider, error) {
config, err := loadByDefaultRules(explicitFilename)
if err != nil {
return nil, fmt.Errorf("could not load the kubeconfig: %w", err)
return nil, xerrors.Errorf("could not load the kubeconfig: %w", err)
}
auth, err := findCurrentAuthProvider(config, contextName, userName)
if err != nil {
return nil, fmt.Errorf("could not find the current auth provider: %w", err)
return nil, xerrors.Errorf("could not find the current auth provider: %w", err)
}
return auth, nil
}
@@ -39,7 +25,7 @@ func loadByDefaultRules(explicitFilename string) (*api.Config, error) {
rules.ExplicitPath = explicitFilename
config, err := rules.Load()
if err != nil {
return nil, fmt.Errorf("load error: %w", err)
return nil, xerrors.Errorf("load error: %w", err)
}
return config, err
}
@@ -48,29 +34,29 @@ func loadByDefaultRules(explicitFilename string) (*api.Config, error) {
// If contextName is given, this returns the user of the context.
// If userName is given, this ignores the context and returns the user.
// If any context or user is not found, this returns an error.
func findCurrentAuthProvider(config *api.Config, contextName kubeconfig.ContextName, userName kubeconfig.UserName) (*kubeconfig.AuthProvider, error) {
func findCurrentAuthProvider(config *api.Config, contextName ContextName, userName UserName) (*AuthProvider, error) {
if userName == "" {
if contextName == "" {
contextName = kubeconfig.ContextName(config.CurrentContext)
contextName = ContextName(config.CurrentContext)
}
contextNode, ok := config.Contexts[string(contextName)]
if !ok {
return nil, fmt.Errorf("context %s does not exist", contextName)
return nil, xerrors.Errorf("context %s does not exist", contextName)
}
userName = kubeconfig.UserName(contextNode.AuthInfo)
userName = UserName(contextNode.AuthInfo)
}
userNode, ok := config.AuthInfos[string(userName)]
if !ok {
return nil, fmt.Errorf("user %s does not exist", userName)
return nil, xerrors.Errorf("user %s does not exist", userName)
}
if userNode.AuthProvider == nil {
return nil, errors.New("auth-provider is missing")
return nil, xerrors.New("auth-provider is missing")
}
if userNode.AuthProvider.Name != "oidc" {
return nil, fmt.Errorf("auth-provider.name must be oidc but is %s", userNode.AuthProvider.Name)
return nil, xerrors.Errorf("auth-provider.name must be oidc but is %s", userNode.AuthProvider.Name)
}
if userNode.AuthProvider.Config == nil {
return nil, errors.New("auth-provider.config is missing")
return nil, xerrors.New("auth-provider.config is missing")
}
m := userNode.AuthProvider.Config
@@ -78,7 +64,7 @@ func findCurrentAuthProvider(config *api.Config, contextName kubeconfig.ContextN
if m["extra-scopes"] != "" {
extraScopes = strings.Split(m["extra-scopes"], ",")
}
return &kubeconfig.AuthProvider{
return &AuthProvider{
LocationOfOrigin: userNode.LocationOfOrigin,
UserName: userName,
ContextName: contextName,

29
pkg/kubeconfig/loader/load_test.go → pkg/adaptors/kubeconfig/load_test.go
View File

@@ -1,17 +1,17 @@
package loader
package kubeconfig
import (
"os"
"testing"
"github.com/google/go-cmp/cmp"
"github.com/int128/kubelogin/pkg/kubeconfig"
"k8s.io/client-go/tools/clientcmd/api"
)
func Test_loadByDefaultRules(t *testing.T) {
t.Run("google.yaml>keycloak.yaml", func(t *testing.T) {
t.Setenv("KUBECONFIG", "testdata/kubeconfig.google.yaml"+string(os.PathListSeparator)+"testdata/kubeconfig.keycloak.yaml")
setenv(t, "KUBECONFIG", "testdata/kubeconfig.google.yaml"+string(os.PathListSeparator)+"testdata/kubeconfig.keycloak.yaml")
defer unsetenv(t, "KUBECONFIG")
config, err := loadByDefaultRules("")
if err != nil {
@@ -35,7 +35,8 @@ func Test_loadByDefaultRules(t *testing.T) {
})
t.Run("keycloak.yaml>google.yaml", func(t *testing.T) {
t.Setenv("KUBECONFIG", "testdata/kubeconfig.keycloak.yaml"+string(os.PathListSeparator)+"testdata/kubeconfig.google.yaml")
setenv(t, "KUBECONFIG", "testdata/kubeconfig.keycloak.yaml"+string(os.PathListSeparator)+"testdata/kubeconfig.google.yaml")
defer unsetenv(t, "KUBECONFIG")
config, err := loadByDefaultRules("")
if err != nil {
@@ -59,6 +60,20 @@ func Test_loadByDefaultRules(t *testing.T) {
})
}
func setenv(t *testing.T, key, value string) {
t.Helper()
if err := os.Setenv(key, value); err != nil {
t.Fatalf("Could not set the env var %s=%s: %s", key, value, err)
}
}
func unsetenv(t *testing.T, key string) {
t.Helper()
if err := os.Unsetenv(key); err != nil {
t.Fatalf("Could not unset the env var %s: %s", key, err)
}
}
func Test_findCurrentAuthProvider(t *testing.T) {
t.Run("CurrentContext", func(t *testing.T) {
got, err := findCurrentAuthProvider(&api.Config{
@@ -90,7 +105,7 @@ func Test_findCurrentAuthProvider(t *testing.T) {
if err != nil {
t.Fatalf("Could not find the current auth: %s", err)
}
want := &kubeconfig.AuthProvider{
want := &AuthProvider{
LocationOfOrigin: "/path/to/kubeconfig",
UserName: "theUser",
ContextName: "theContext",
@@ -130,7 +145,7 @@ func Test_findCurrentAuthProvider(t *testing.T) {
if err != nil {
t.Fatalf("Could not find the current auth: %s", err)
}
want := &kubeconfig.AuthProvider{
want := &AuthProvider{
LocationOfOrigin: "/path/to/kubeconfig",
UserName: "theUser",
ContextName: "theContext",
@@ -158,7 +173,7 @@ func Test_findCurrentAuthProvider(t *testing.T) {
if err != nil {
t.Fatalf("Could not find the current auth: %s", err)
}
want := &kubeconfig.AuthProvider{
want := &AuthProvider{
LocationOfOrigin: "/path/to/kubeconfig",
UserName: "theUser",
IDPIssuerURL: "https://accounts.google.com",

63
pkg/adaptors/kubeconfig/mock_kubeconfig/mock_kubeconfig.go Normal file
View File

@@ -0,0 +1,63 @@
// Code generated by MockGen. DO NOT EDIT.
// Source: github.com/int128/kubelogin/pkg/adaptors/kubeconfig (interfaces: Interface)
// Package mock_kubeconfig is a generated GoMock package.
package mock_kubeconfig
import (
gomock "github.com/golang/mock/gomock"
kubeconfig "github.com/int128/kubelogin/pkg/adaptors/kubeconfig"
reflect "reflect"
)
// MockInterface is a mock of Interface interface
type MockInterface struct {
ctrl *gomock.Controller
recorder *MockInterfaceMockRecorder
}
// MockInterfaceMockRecorder is the mock recorder for MockInterface
type MockInterfaceMockRecorder struct {
mock *MockInterface
}
// NewMockInterface creates a new mock instance
func NewMockInterface(ctrl *gomock.Controller) *MockInterface {
mock := &MockInterface{ctrl: ctrl}
mock.recorder = &MockInterfaceMockRecorder{mock}
return mock
}
// EXPECT returns an object that allows the caller to indicate expected use
func (m *MockInterface) EXPECT() *MockInterfaceMockRecorder {
return m.recorder
}
// GetCurrentAuthProvider mocks base method
func (m *MockInterface) GetCurrentAuthProvider(arg0 string, arg1 kubeconfig.ContextName, arg2 kubeconfig.UserName) (*kubeconfig.AuthProvider, error) {
m.ctrl.T.Helper()
ret := m.ctrl.Call(m, "GetCurrentAuthProvider", arg0, arg1, arg2)
ret0, _ := ret[0].(*kubeconfig.AuthProvider)
ret1, _ := ret[1].(error)
return ret0, ret1
}
// GetCurrentAuthProvider indicates an expected call of GetCurrentAuthProvider
func (mr *MockInterfaceMockRecorder) GetCurrentAuthProvider(arg0, arg1, arg2 interface{}) *gomock.Call {
mr.mock.ctrl.T.Helper()
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetCurrentAuthProvider", reflect.TypeOf((*MockInterface)(nil).GetCurrentAuthProvider), arg0, arg1, arg2)
}
// UpdateAuthProvider mocks base method
func (m *MockInterface) UpdateAuthProvider(arg0 *kubeconfig.AuthProvider) error {
m.ctrl.T.Helper()
ret := m.ctrl.Call(m, "UpdateAuthProvider", arg0)
ret0, _ := ret[0].(error)
return ret0
}
// UpdateAuthProvider indicates an expected call of UpdateAuthProvider
func (mr *MockInterfaceMockRecorder) UpdateAuthProvider(arg0 interface{}) *gomock.Call {
mr.mock.ctrl.T.Helper()
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateAuthProvider", reflect.TypeOf((*MockInterface)(nil).UpdateAuthProvider), arg0)
}

0
pkg/kubeconfig/loader/testdata/kubeconfig.google.yaml → pkg/adaptors/kubeconfig/testdata/kubeconfig.google.yaml vendored
View File

0
pkg/kubeconfig/loader/testdata/kubeconfig.keycloak.yaml → pkg/adaptors/kubeconfig/testdata/kubeconfig.keycloak.yaml vendored
View File

31
pkg/kubeconfig/writer/write.go → pkg/adaptors/kubeconfig/write.go
View File

@@ -1,48 +1,35 @@
package writer
package kubeconfig
import (
"fmt"
"strings"
"github.com/google/wire"
"github.com/int128/kubelogin/pkg/kubeconfig"
"golang.org/x/xerrors"
"k8s.io/client-go/tools/clientcmd"
)
var Set = wire.NewSet(
wire.Struct(new(Writer), "*"),
wire.Bind(new(Interface), new(*Writer)),
)
type Interface interface {
UpdateAuthProvider(p kubeconfig.AuthProvider) error
}
type Writer struct{}
func (Writer) UpdateAuthProvider(p kubeconfig.AuthProvider) error {
func (*Kubeconfig) UpdateAuthProvider(p *AuthProvider) error {
config, err := clientcmd.LoadFromFile(p.LocationOfOrigin)
if err != nil {
return fmt.Errorf("could not load %s: %w", p.LocationOfOrigin, err)
return xerrors.Errorf("could not load %s: %w", p.LocationOfOrigin, err)
}
userNode, ok := config.AuthInfos[string(p.UserName)]
if !ok {
return fmt.Errorf("user %s does not exist", p.UserName)
return xerrors.Errorf("user %s does not exist", p.UserName)
}
if userNode.AuthProvider == nil {
return fmt.Errorf("auth-provider is missing")
return xerrors.Errorf("auth-provider is missing")
}
if userNode.AuthProvider.Name != "oidc" {
return fmt.Errorf("auth-provider must be oidc but is %s", userNode.AuthProvider.Name)
return xerrors.Errorf("auth-provider must be oidc but is %s", userNode.AuthProvider.Name)
}
copyAuthProviderConfig(p, userNode.AuthProvider.Config)
if err := clientcmd.WriteToFile(*config, p.LocationOfOrigin); err != nil {
return fmt.Errorf("could not update %s: %w", p.LocationOfOrigin, err)
return xerrors.Errorf("could not update %s: %w", p.LocationOfOrigin, err)
}
return nil
}
func copyAuthProviderConfig(p kubeconfig.AuthProvider, m map[string]string) {
func copyAuthProviderConfig(p *AuthProvider, m map[string]string) {
setOrDeleteKey(m, "idp-issuer-url", p.IDPIssuerURL)
setOrDeleteKey(m, "client-id", p.ClientID)
setOrDeleteKey(m, "client-secret", p.ClientSecret)

46
pkg/kubeconfig/writer/write_test.go → pkg/adaptors/kubeconfig/write_test.go
View File

@@ -1,21 +1,25 @@
package writer
package kubeconfig
import (
"io/ioutil"
"os"
"path/filepath"
"testing"
"github.com/google/go-cmp/cmp"
"github.com/int128/kubelogin/pkg/kubeconfig"
)
func TestKubeconfig_UpdateAuth(t *testing.T) {
var w Writer
var k Kubeconfig
t.Run("MinimumKeys", func(t *testing.T) {
f := newKubeconfigFile(t)
if err := w.UpdateAuthProvider(kubeconfig.AuthProvider{
LocationOfOrigin: f,
defer func() {
if err := os.Remove(f.Name()); err != nil {
t.Errorf("Could not remove the temp file: %s", err)
}
}()
if err := k.UpdateAuthProvider(&AuthProvider{
LocationOfOrigin: f.Name(),
UserName: "google",
IDPIssuerURL: "https://accounts.google.com",
ClientID: "GOOGLE_CLIENT_ID",
@@ -25,7 +29,7 @@ func TestKubeconfig_UpdateAuth(t *testing.T) {
}); err != nil {
t.Fatalf("Could not update auth: %s", err)
}
b, err := os.ReadFile(f)
b, err := ioutil.ReadFile(f.Name())
if err != nil {
t.Fatalf("Could not read kubeconfig: %s", err)
}
@@ -56,8 +60,13 @@ users:
t.Run("FullKeys", func(t *testing.T) {
f := newKubeconfigFile(t)
if err := w.UpdateAuthProvider(kubeconfig.AuthProvider{
LocationOfOrigin: f,
defer func() {
if err := os.Remove(f.Name()); err != nil {
t.Errorf("Could not remove the temp file: %s", err)
}
}()
if err := k.UpdateAuthProvider(&AuthProvider{
LocationOfOrigin: f.Name(),
UserName: "google",
IDPIssuerURL: "https://accounts.google.com",
ClientID: "GOOGLE_CLIENT_ID",
@@ -70,7 +79,7 @@ users:
}); err != nil {
t.Fatalf("Could not update auth: %s", err)
}
b, err := os.ReadFile(f)
b, err := ioutil.ReadFile(f.Name())
if err != nil {
t.Fatalf("Could not read kubeconfig: %s", err)
}
@@ -103,8 +112,8 @@ users:
})
}
const kubeconfigContent = `
apiVersion: v1
func newKubeconfigFile(t *testing.T) *os.File {
content := `apiVersion: v1
clusters: []
kind: Config
preferences: {}
@@ -114,12 +123,13 @@ users:
auth-provider:
config:
idp-issuer-url: https://accounts.google.com
name: oidc
`
func newKubeconfigFile(t *testing.T) string {
f := filepath.Join(t.TempDir(), "kubeconfig")
if err := os.WriteFile(f, []byte(kubeconfigContent), 0644); err != nil {
name: oidc`
f, err := ioutil.TempFile("", "kubeconfig")
if err != nil {
t.Fatalf("Could not create a file: %s", err)
}
defer f.Close()
if _, err := f.Write([]byte(content)); err != nil {
t.Fatalf("Could not write kubeconfig: %s", err)
}
return f

4
pkg/infrastructure/logger/logger.go → pkg/adaptors/logger/logger.go
View File

@@ -7,7 +7,7 @@ import (
"github.com/google/wire"
"github.com/spf13/pflag"
"k8s.io/klog/v2"
"k8s.io/klog"
)
// Set provides an implementation and interface for Logger.
@@ -56,5 +56,5 @@ func (*Logger) V(level int) Verbose {
// IsEnabled returns true if the level is enabled.
func (*Logger) IsEnabled(level int) bool {
return klog.V(klog.Level(level)).Enabled()
return bool(klog.V(klog.Level(level)))
}

93
pkg/adaptors/oidcclient/factory.go Normal file
View File

@@ -0,0 +1,93 @@
// Package oidcclient provides a client of OpenID Connect.
package oidcclient
import (
"context"
"crypto/tls"
"fmt"
"net/http"
"github.com/coreos/go-oidc"
"github.com/google/wire"
"github.com/int128/kubelogin/pkg/adaptors/certpool"
"github.com/int128/kubelogin/pkg/adaptors/clock"
"github.com/int128/kubelogin/pkg/adaptors/logger"
"github.com/int128/kubelogin/pkg/adaptors/oidcclient/logging"
"golang.org/x/oauth2"
"golang.org/x/xerrors"
)
var Set = wire.NewSet(
wire.Struct(new(Factory), "*"),
wire.Bind(new(FactoryInterface), new(*Factory)),
)
type FactoryInterface interface {
New(ctx context.Context, config Config) (Interface, error)
}
// Config represents a configuration of OpenID Connect client.
type Config struct {
IssuerURL string
ClientID string
ClientSecret string
ExtraScopes []string // optional
CertPool certpool.Interface
SkipTLSVerify bool
}
type Factory struct {
Clock clock.Interface
Logger logger.Interface
}
// New returns an instance of adaptors.Interface with the given configuration.
func (f *Factory) New(ctx context.Context, config Config) (Interface, error) {
var tlsConfig tls.Config
tlsConfig.InsecureSkipVerify = config.SkipTLSVerify
config.CertPool.SetRootCAs(&tlsConfig)
baseTransport := &http.Transport{
TLSClientConfig: &tlsConfig,
Proxy: http.ProxyFromEnvironment,
}
loggingTransport := &logging.Transport{
Base: baseTransport,
Logger: f.Logger,
}
httpClient := &http.Client{
Transport: loggingTransport,
}
ctx = context.WithValue(ctx, oauth2.HTTPClient, httpClient)
provider, err := oidc.NewProvider(ctx, config.IssuerURL)
if err != nil {
return nil, xerrors.Errorf("oidc discovery error: %w", err)
}
supportedPKCEMethods, err := extractSupportedPKCEMethods(provider)
if err != nil {
return nil, xerrors.Errorf("could not determine supported PKCE methods: %w", err)
}
return &client{
httpClient: httpClient,
provider: provider,
oauth2Config: oauth2.Config{
Endpoint: provider.Endpoint(),
ClientID: config.ClientID,
ClientSecret: config.ClientSecret,
Scopes: append(config.ExtraScopes, oidc.ScopeOpenID),
},
clock: f.Clock,
logger: f.Logger,
supportedPKCEMethods: supportedPKCEMethods,
}, nil
}
func extractSupportedPKCEMethods(provider *oidc.Provider) ([]string, error) {
var d struct {
CodeChallengeMethodsSupported []string `json:"code_challenge_methods_supported"`
}
if err := provider.Claims(&d); err != nil {
return nil, fmt.Errorf("invalid discovery document: %w", err)
}
return d.CodeChallengeMethodsSupported, nil
}

Some files were not shown because too many files have changed in this diff Show More