add azure auth provider #225
Changes from 5 commits
a0c4b90
cdc8810
883d2d4
02f06e5
f7d672d
1155d12
@@ -0,0 +1,89 @@ | ||
defmodule K8s.Conn.Auth.Azure do | ||
@moduledoc """ | ||
`auth-provider` for azure | ||
""" | ||
alias K8s.Conn.Error | ||
alias K8s.Conn.RequestOptions | ||
|
||
require Logger | ||
@behaviour K8s.Conn.Auth | ||
|
||
defstruct [:token] | ||
|
||
@type t :: %__MODULE__{ | ||
token: String.t() | ||
} | ||
|
||
@impl true | ||
@spec create(map, String.t()) :: {:ok, t} | :skip | ||
def create( | ||
%{ | ||
"auth-provider" => %{ | ||
"config" => %{ | ||
"access-token" => token, | ||
"tenant-id" => tenant, | ||
"expires-on" => expires_on, | ||
"refresh-token" => refresh_token, | ||
"client-id" => client_id, | ||
"apiserver-id" => apiserver_id | ||
}, | ||
"name" => "azure" | ||
} | ||
}, | ||
_ | ||
) do | ||
if DateTime.diff(DateTime.utc_now(), parse_expires(expires_on)) >= 0 do | ||
Logger.info( | ||
"Azure token expired, using refresh token get new access, this will stop working when refresh token expires" | ||
) | ||
|
||
{:ok, %__MODULE__{token: refresh_token(tenant, refresh_token, client_id, apiserver_id)}} | ||
else | ||
{:ok, %__MODULE__{token: token}} | ||
end | ||
end | ||
|
||
def create(_, _), do: :skip | ||
|
||
@spec parse_expires(String.t()) :: DateTime.t() | ||
defp parse_expires(expires_on) do | ||
case Integer.parse(expires_on) do | ||
{expires_on, _} -> DateTime.from_unix!(expires_on) | ||
:error -> DateTime.from_iso8601(expires_on) | ||
end | ||
end | ||
|
||
@spec refresh_token(String.t(), String.t(), String.t(), String.t()) :: String.t() | ||
defp refresh_token(tenant, refresh_token, client_id, _apiserver_id) do | ||
payload = | ||
URI.encode_query(%{ | ||
"client_id" => client_id, | ||
"grant_type" => "refresh_token", | ||
"refresh_token" => refresh_token | ||
}) | ||
|
||
{:ok, res} = | ||
K8s.Client.MintHTTPProvider.request( | ||
:post, | ||
URI.new!("https://login.microsoftonline.com/#{tenant}/oauth2/v2.0/token"), | ||
payload, | ||
%{ | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I think the function expects:
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Looking at the spec
I think it is correct to use the post atom, but I will change the header to a list |
||
"Content-Type" => "application/x-www-form-urlencoded" | ||
}, | ||
ssl: [] | ||
) | ||
|
||
res["access_token"] | ||
end | ||
|
||
defimpl RequestOptions, for: __MODULE__ do | ||
@spec generate(K8s.Conn.Auth.Azure.t()) :: RequestOptions.generate_t() | ||
def generate(%K8s.Conn.Auth.Azure{token: token}) do | ||
{:ok, | ||
%RequestOptions{ | ||
headers: [{:Authorization, "Bearer #{token}"}], | ||
ssl_options: [] | ||
}} | ||
end | ||
end | ||
end |
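Review bot: `parse_expires/1` at lines 82-87 mis-handles the ISO-8601 form it advertises: `Integer.parse("2024-01-01T00:00:00Z")` returns `{2024, "-01-01…"}`, so a date string is read as unix second 2024 and always reported expired, and on the rare `:error` path `DateTime.from_iso8601/1` returns `{:ok, dt, offset}` rather than a `DateTime.t()`, so `DateTime.diff/2` on line 65 raises. Match only a fully consumed integer and unpack the ISO tuple, as below. Separately, `refresh_token/4` at lines 100-116 does `{:ok, res} = …` and then `res["access_token"]`; if the token endpoint answers with an error body and the provider still returns `{:ok, res}` (I cannot see `MintHTTPProvider` here), `create/2` builds a struct with `token: nil` and line 125 sends `Bearer ` with no credential, so return `{:error, %Error{}}` for a non-`:ok` response or a missing `"access_token"` key instead, which also gives the otherwise unused `Error` alias a purpose. Finally, `apiserver_id` is accepted but discarded (`_apiserver_id`) and no `scope` is sent to the v2.0 endpoint, so confirm the refreshed token is actually issued for the API-server audience (something like `"scope" => "#{apiserver_id}/.default"`) rather than whatever default the identity platform picks, and since the refresh token travels in this POST body, confirm that `ssl: []` still yields certificate verification in the provider.
```elixir
  @spec parse_expires(String.t()) :: DateTime.t()
  defp parse_expires(expires_on) do
    case Integer.parse(expires_on) do
      # Only a bare integer string is a unix timestamp; "2024-01-01T…" also
      # parses as {2024, "-01-01T…"} and must fall through to ISO-8601.
      {unix, ""} ->
        DateTime.from_unix!(unix)

      _ ->
        {:ok, dt, _utc_offset} = DateTime.from_iso8601(expires_on)
        dt
    end
  end
```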
@@ -0,0 +1,68 @@ | ||
defmodule K8s.Conn.Auth.AzureTest do | ||
@moduledoc false | ||
use ExUnit.Case, async: true | ||
|
||
alias K8s.Conn | ||
alias K8s.Conn.Auth.Azure | ||
|
||
describe "create/2" do | ||
test "creates a Azure struct from data" do | ||
non_expired_unix_ts = DateTime.utc_now() |> DateTime.add(10, :minute) |> DateTime.to_unix() | ||
|
||
auth = %{ | ||
"auth-provider" => %{ | ||
"config" => %{ | ||
"access-token" => "xxx", | ||
"apiserver-id" => "service_id", | ||
"client-id" => "client_id", | ||
"expires-on" => "#{non_expired_unix_ts}", | ||
"refresh-token" => "yyy", | ||
"tenant-id" => "tenant" | ||
}, | ||
"name" => "azure" | ||
} | ||
} | ||
|
||
assert {:ok, | ||
%Azure{ | ||
token: "xxx" | ||
}} = Azure.create(auth, nil) | ||
end | ||
|
||
@tag :skip | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. or remove/replace? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I added it mostly to demonstrate that we can indeed make a HTTP request against the azure api. I will remove it, not sure we will get much from mocking this out. |
||
test "fails when token is expired" do | ||
expired_unix_ts = DateTime.utc_now() |> DateTime.add(-10, :minute) |> DateTime.to_unix() | ||
|
||
auth = %{ | ||
"auth-provider" => %{ | ||
"config" => %{ | ||
"access-token" => "xxx", | ||
"apiserver-id" => "service_id", | ||
"client-id" => "client_id", | ||
"expires-on" => "#{expired_unix_ts}", | ||
"refresh-token" => "yyy", | ||
"tenant-id" => "tenant" | ||
}, | ||
"name" => "azure" | ||
} | ||
} | ||
|
||
assert {:error, | ||
%K8s.Conn.Error{ | ||
message: "Azure token expired please refresh manually" | ||
}} = Azure.create(auth, nil) | ||
end | ||
end | ||
|
||
test "creates http request signing options" do | ||
provider = %Azure{ | ||
token: "xxx" | ||
} | ||
|
||
{:ok, %Conn.RequestOptions{headers: headers, ssl_options: ssl_options}} = | ||
Conn.RequestOptions.generate(provider) | ||
|
||
assert headers == [{:Authorization, "Bearer xxx"}] | ||
assert ssl_options == [] | ||
end | ||
end |
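Review bot: The only live `create/2` test (lines 144-167) exercises a numeric `expires-on`, yet `create/2` also accepts an ISO-8601 string via `DateTime.from_iso8601/1` on line 85; that branch has no coverage, and from the implementation as written a date string would be mis-parsed by `Integer.parse/1` and end up in the refresh path. Add a sibling test that builds the same auth map with `"expires-on" => DateTime.to_iso8601(future)` and asserts `{:ok, %Azure{token: "xxx"}}`, so the parser's two input formats are both pinned without any network call. The `async: true` on line 136 is fine for these cases, since none of the live tests touches shared state.
```elixir
    test "creates a Azure struct when expires-on is ISO-8601" do
      iso_expiry = DateTime.utc_now() |> DateTime.add(10, :minute) |> DateTime.to_iso8601()

      # … same "auth-provider" map as above, with "expires-on" => iso_expiry …

      assert {:ok, %Azure{token: "xxx"}} = Azure.create(auth, nil)
    end
```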
can you elaborate on this?
The Azure endpoint returns a response with content type
`application/json; charset=utf-8`;
since the charset is not needed for parsing, I strip it before matching on the content type.