fix: Remove client private key from client auth REST config

Signed-off-by: Alex Collins <alex_collins@intuit.com>
argoproj · Aug 8, 2021 · 96ee4d2 · 96ee4d2
1 parent 8d60296
commit 96ee4d2
Show file tree

Hide file tree

Showing 2 changed files with 59 additions and 21 deletions.
diff --git a/test/e2e/argo_server_test.go b/test/e2e/argo_server_test.go
@@ -33,6 +33,7 @@ const baseUrl = "http://localhost:2746"
 // testing behaviour really is a non-goal
 type ArgoServerSuite struct {
 	fixtures.E2ESuite
+	username    string
 	bearerToken string
 }
 
@@ -54,7 +55,9 @@ func (s *ArgoServerSuite) e() *httpexpect.Expect {
 			Client: httpClient,
 		}).
 		Builder(func(req *httpexpect.Request) {
-			if s.bearerToken != "" {
+			if s.username != "" {
+				req.WithBasicAuth(s.username, "garbage")
+			} else if s.bearerToken != "" {
 				req.WithHeader("Authorization", "Bearer "+s.bearerToken)
 			}
 		})
@@ -319,14 +322,21 @@ func (s *ArgoServerSuite) TestOauth() {
 }
 
 func (s *ArgoServerSuite) TestUnauthorized() {
-	s.T().Skip("K3S RBAC appears to be broken: https://github.com/k3s-io/k3s/issues/3756")
-
 	token := s.bearerToken
-	defer func() { s.bearerToken = token }()
-	s.bearerToken = "test-token"
-	s.e().GET("/api/v1/workflows/argo").
-		Expect().
-		Status(401)
+	s.T().Run("Bearer", func(t *testing.T) {
+		s.bearerToken = "test-token"
+		defer func() { s.bearerToken = token }()
+		s.e().GET("/api/v1/workflows/argo").
+			Expect().
+			Status(401)
+	})
+	s.T().Run("Basic", func(t *testing.T) {
+		s.username = "garbage"
+		defer func() { s.username = "" }()
+		s.e().GET("/api/v1/workflows/argo").
+			Expect().
+			Status(401)
+	})
 }
 
 func (s *ArgoServerSuite) TestCookieAuth() {
@@ -340,8 +350,6 @@ func (s *ArgoServerSuite) TestCookieAuth() {
 }
 
 func (s *ArgoServerSuite) TestPermission() {
-	s.T().Skip("K3S RBAC appears to be broken: https://github.com/k3s-io/k3s/issues/3756")
-
 	nsName := fixtures.Namespace
 	// Create good serviceaccount
 	goodSaName := "argotestgood"

diff --git a/util/kubeconfig/kubeconfig.go b/util/kubeconfig/kubeconfig.go
@@ -57,33 +57,63 @@ func GetRestConfig(token string) (*restclient.Config, error) {
 
 // convert a basic token (username, password) into a REST config
 func GetBasicRestConfig(username, password string) (*restclient.Config, error) {
-	restConfig, err := DefaultRestConfig()
+	restConfig, err := restConfigWithoutAuth()
 	if err != nil {
 		return nil, err
 	}
-	restConfig.BearerToken = ""
-	restConfig.BearerTokenFile = ""
 	restConfig.Username = username
 	restConfig.Password = password
 	return restConfig, nil
 }
 
 // convert a bearer token into a REST config
 func GetBearerRestConfig(token string) (*restclient.Config, error) {
-	restConfig, err := DefaultRestConfig()
+	restConfig, err := restConfigWithoutAuth()
 	if err != nil {
 		return nil, err
 	}
-	restConfig.BearerToken = ""
-	restConfig.BearerTokenFile = ""
-	restConfig.Username = ""
-	restConfig.Password = ""
-	if token != "" {
-		restConfig.BearerToken = token
-	}
+	restConfig.BearerToken = token
 	return restConfig, nil
 }
 
+// populate everything except
+// - username
+// - password
+// - bearerToken
+// - client private key
+func restConfigWithoutAuth() (*restclient.Config, error) {
+	c, err := DefaultRestConfig()
+	if err != nil {
+		return nil, err
+	}
+	t := c.TLSClientConfig
+	return &restclient.Config{
+		Host:          c.Host,
+		APIPath:       c.APIPath,
+		ContentConfig: c.ContentConfig,
+		TLSClientConfig: restclient.TLSClientConfig{
+			Insecure:   t.Insecure,
+			ServerName: t.ServerName,
+			CertFile:   t.CertFile,
+			CAFile:     t.CAFile,
+			CertData:   t.CertData,
+			CAData:     t.CAData,
+			NextProtos: c.NextProtos,
+		},
+		UserAgent:          c.UserAgent,
+		DisableCompression: c.DisableCompression,
+		Transport:          c.Transport,
+		WrapTransport:      c.WrapTransport,
+		QPS:                c.QPS,
+		Burst:              c.Burst,
+		RateLimiter:        c.RateLimiter,
+		WarningHandler:     c.WarningHandler,
+		Timeout:            c.Timeout,
+		Dial:               c.Dial,
+		Proxy:              c.Proxy,
+	}, nil
+}
+
 // Return the AuthString include Auth type(Basic or Bearer)
 func GetAuthString(in *restclient.Config, explicitKubeConfigPath string) (string, error) {
 	// Checking Basic Auth