Expand homedir paths in get-token options (#498)

* Expand homedir paths in get-token options * Replace go-homedir with Go 1.16 os.UserHomeDir()
int128 · Mar 15, 2021 · eb7ce56 · eb7ce56
1 parent 97cc85d
commit eb7ce56
Show file tree

Hide file tree

Showing 8 changed files with 108 additions and 62 deletions.
diff --git a/docs/usage.md b/docs/usage.md
@@ -83,6 +83,16 @@ You can use your self-signed certificate for the provider.
 You can set the following environment variables if you are behind a proxy: `HTTP_PROXY`, `HTTPS_PROXY` and `NO_PROXY`.
 See also [net/http#ProxyFromEnvironment](https://golang.org/pkg/net/http/#ProxyFromEnvironment).
 
+### Home directory expansion
+
+If a value in the following options begins with a tilde character `~`, it is expanded to the home directory.
+
+- `--certificate-authority`
+- `--local-server-cert`
+- `--local-server-key`
+- `--token-cache-dir`
+
+
 ## Authentication flows
 
 Kubelogin support the following flows:

diff --git a/go.mod b/go.mod
@@ -1,6 +1,6 @@
 module github.com/int128/kubelogin
 
-go 1.13
+go 1.16
 
 require (
 	github.com/alexflint/go-filemutex v1.1.0
@@ -11,7 +11,6 @@ require (
 	github.com/google/go-cmp v0.5.5
 	github.com/google/wire v0.5.0
 	github.com/int128/oauth2cli v1.13.0
-	github.com/mitchellh/go-homedir v1.1.0
 	github.com/pkg/browser v0.0.0-20210115035449-ce105d075bb4
 	github.com/spf13/cobra v1.1.3
 	github.com/spf13/pflag v1.0.5

diff --git a/go.sum b/go.sum
diff --git a/pkg/cmd/authentication.go b/pkg/cmd/authentication.go
@@ -67,6 +67,19 @@ func (o *authenticationOptions) addFlags(f *pflag.FlagSet) {
 	f.StringVar(&o.Password, "password", "", "[password] Password for resource owner password credentials grant")
 }
 
+func (o *authenticationOptions) expandHomedir() error {
+	var err error
+	o.LocalServerCertFile, err = expandHomedir(o.LocalServerCertFile)
+	if err != nil {
+		return fmt.Errorf("invalid --local-server-cert: %w", err)
+	}
+	o.LocalServerKeyFile, err = expandHomedir(o.LocalServerKeyFile)
+	if err != nil {
+		return fmt.Errorf("invalid --local-server-key: %w", err)
+	}
+	return nil
+}
+
 func (o *authenticationOptions) grantOptionSet() (s authentication.GrantOptionSet, err error) {
 	switch {
 	case o.GrantType == "authcode" || (o.GrantType == "auto" && o.Username == ""):

diff --git a/pkg/cmd/cmd_test.go b/pkg/cmd/cmd_test.go
@@ -2,12 +2,14 @@ package cmd
 
 import (
 	"context"
+	"os"
 	"testing"
 	"time"
 
 	"github.com/golang/mock/gomock"
 	"github.com/int128/kubelogin/pkg/oidc"
 	"github.com/int128/kubelogin/pkg/testing/logger"
+	"github.com/int128/kubelogin/pkg/tlsclientconfig"
 	"github.com/int128/kubelogin/pkg/usecases/authentication"
 	"github.com/int128/kubelogin/pkg/usecases/authentication/authcode"
 	"github.com/int128/kubelogin/pkg/usecases/credentialplugin"
@@ -98,6 +100,11 @@ func TestCmd_Run(t *testing.T) {
 	})
 
 	t.Run("get-token", func(t *testing.T) {
+		userHomeDir, err := os.UserHomeDir()
+		if err != nil {
+			t.Fatalf("os.UserHomeDir error: %s", err)
+		}
+
 		tests := map[string]struct {
 			args []string
 			in   credentialplugin.Input
@@ -109,7 +116,7 @@ func TestCmd_Run(t *testing.T) {
 					"--oidc-client-id", "YOUR_CLIENT_ID",
 				},
 				in: credentialplugin.Input{
-					TokenCacheDir: defaultTokenCacheDir,
+					TokenCacheDir: userHomeDir + "/.kube/cache/oidc-login",
 					Provider: oidc.Provider{
 						IssuerURL: "https://issuer.example.com",
 						ClientID:  "YOUR_CLIENT_ID",
@@ -134,7 +141,7 @@ func TestCmd_Run(t *testing.T) {
 					"-v1",
 				},
 				in: credentialplugin.Input{
-					TokenCacheDir: defaultTokenCacheDir,
+					TokenCacheDir: userHomeDir + "/.kube/cache/oidc-login",
 					Provider: oidc.Provider{
 						IssuerURL:    "https://issuer.example.com",
 						ClientID:     "YOUR_CLIENT_ID",
@@ -150,6 +157,36 @@ func TestCmd_Run(t *testing.T) {
 					},
 				},
 			},
+			"HomedirExpansion": {
+				args: []string{executable,
+					"get-token",
+					"--oidc-issuer-url", "https://issuer.example.com",
+					"--oidc-client-id", "YOUR_CLIENT_ID",
+					"--certificate-authority", "~/.kube/ca.crt",
+					"--local-server-cert", "~/.kube/oidc-server.crt",
+					"--local-server-key", "~/.kube/oidc-server.key",
+					"--token-cache-dir", "~/.kube/oidc-cache",
+				},
+				in: credentialplugin.Input{
+					TokenCacheDir: userHomeDir + "/.kube/oidc-cache",
+					Provider: oidc.Provider{
+						IssuerURL: "https://issuer.example.com",
+						ClientID:  "YOUR_CLIENT_ID",
+					},
+					GrantOptionSet: authentication.GrantOptionSet{
+						AuthCodeBrowserOption: &authcode.BrowserOption{
+							BindAddress:           defaultListenAddress,
+							AuthenticationTimeout: defaultAuthenticationTimeoutSec * time.Second,
+							RedirectURLHostname:   "localhost",
+							LocalServerCertFile:   userHomeDir + "/.kube/oidc-server.crt",
+							LocalServerKeyFile:    userHomeDir + "/.kube/oidc-server.key",
+						},
+					},
+					TLSClientConfig: tlsclientconfig.Config{
+						CACertFilename: []string{userHomeDir + "/.kube/ca.crt"},
+					},
+				},
+			},
 		}
 		for name, c := range tests {
 			t.Run(name, func(t *testing.T) {

diff --git a/pkg/cmd/get_token.go b/pkg/cmd/get_token.go
@@ -3,6 +3,8 @@ package cmd
 import (
 	"errors"
 	"fmt"
+	"os"
+	"strings"
 
 	"github.com/int128/kubelogin/pkg/infrastructure/logger"
 	"github.com/int128/kubelogin/pkg/oidc"
@@ -32,6 +34,21 @@ func (o *getTokenOptions) addFlags(f *pflag.FlagSet) {
 	o.authenticationOptions.addFlags(f)
 }
 
+func (o *getTokenOptions) expandHomedir() error {
+	var err error
+	o.TokenCacheDir, err = expandHomedir(o.TokenCacheDir)
+	if err != nil {
+		return fmt.Errorf("invalid --token-cache-dir: %w", err)
+	}
+	if err = o.authenticationOptions.expandHomedir(); err != nil {
+		return err
+	}
+	if err = o.tlsOptions.expandHomedir(); err != nil {
+		return err
+	}
+	return nil
+}
+
 type GetToken struct {
 	GetToken credentialplugin.Interface
 	Logger   logger.Interface
@@ -55,6 +72,9 @@ func (cmd *GetToken) New() *cobra.Command {
 			return nil
 		},
 		RunE: func(c *cobra.Command, _ []string) error {
+			if err := o.expandHomedir(); err != nil {
+				return err
+			}
 			grantOptionSet, err := o.authenticationOptions.grantOptionSet()
 			if err != nil {
 				return fmt.Errorf("get-token: %w", err)
@@ -80,3 +100,14 @@ func (cmd *GetToken) New() *cobra.Command {
 	o.addFlags(c.Flags())
 	return c
 }
+
+func expandHomedir(s string) (string, error) {
+	if !strings.HasPrefix(s, "~"+string(os.PathSeparator)) {
+		return s, nil
+	}
+	userHomeDir, err := os.UserHomeDir()
+	if err != nil {
+		return "", fmt.Errorf("could not expand homedir: %w", err)
+	}
+	return userHomeDir + strings.TrimPrefix(s, "~"), nil
+}
diff --git a/pkg/cmd/tls.go b/pkg/cmd/tls.go
@@ -2,6 +2,7 @@ package cmd
 
 import (
 	"crypto/tls"
+	"fmt"
 
 	"github.com/int128/kubelogin/pkg/tlsclientconfig"
 	"github.com/spf13/pflag"
@@ -23,6 +24,19 @@ func (o *tlsOptions) addFlags(f *pflag.FlagSet) {
 	f.BoolVar(&o.RenegotiateFreelyAsClient, "tls-renegotiation-freely", false, "If set, allow a remote server to repeatedly request renegotiation")
 }
 
+func (o *tlsOptions) expandHomedir() error {
+	var caCertFilenames []string
+	for _, caCertFilename := range o.CACertFilename {
+		expanded, err := expandHomedir(caCertFilename)
+		if err != nil {
+			return fmt.Errorf("invalid --certificate-authority: %w", err)
+		}
+		caCertFilenames = append(caCertFilenames, expanded)
+	}
+	o.CACertFilename = caCertFilenames
+	return nil
+}
+
 func (o tlsOptions) tlsClientConfig() tlsclientconfig.Config {
 	return tlsclientconfig.Config{
 		CACertFilename: o.CACertFilename,

diff --git a/pkg/tokencache/repository/repository.go b/pkg/tokencache/repository/repository.go
@@ -12,7 +12,6 @@ import (
 	"github.com/google/wire"
 	"github.com/int128/kubelogin/pkg/oidc"
 	"github.com/int128/kubelogin/pkg/tokencache"
-	homedir "github.com/mitchellh/go-homedir"
 )
 
 //go:generate mockgen -destination mock_repository/mock_repository.go github.com/int128/kubelogin/pkg/tokencache/repository Interface
@@ -42,10 +41,6 @@ func (r *Repository) FindByKey(dir string, key tokencache.Key) (*oidc.TokenSet,
 	if err != nil {
 		return nil, fmt.Errorf("could not compute the key: %w", err)
 	}
-	dir, err = homedir.Expand(dir)
-	if err != nil {
-		return nil, fmt.Errorf("could not expand homedir: %w", err)
-	}
 	p := filepath.Join(dir, filename)
 	f, err := os.Open(p)
 	if err != nil {
@@ -64,10 +59,6 @@ func (r *Repository) FindByKey(dir string, key tokencache.Key) (*oidc.TokenSet,
 }
 
 func (r *Repository) Save(dir string, key tokencache.Key, tokenSet oidc.TokenSet) error {
-	dir, err := homedir.Expand(dir)
-	if err != nil {
-		return fmt.Errorf("could not expand homedir: %w", err)
-	}
 	if err := os.MkdirAll(dir, 0700); err != nil {
 		return fmt.Errorf("could not create directory %s: %w", dir, err)
 	}