Support persisting config from kubecfg AuthProvider plugins

pkg/client/restclient/config.go

@@ -70,6 +70,9 @@ type Config struct {
 	// Server requires plugin-specified authentication.
 	AuthProvider *clientcmdapi.AuthProviderConfig
 
+	// Callback to persist config for AuthProvider.
+	AuthConfigPersister AuthProviderConfigPersister
+
 	// TLSClientConfig contains settings to enable transport layer security
 	TLSClientConfig
 

pkg/client/restclient/plugin.go

@@ -30,9 +30,22 @@ type AuthProvider interface {
 	// WrapTransport allows the plugin to create a modified RoundTripper that
 	// attaches authorization headers (or other info) to requests.
 	WrapTransport(http.RoundTripper) http.RoundTripper
+	// Login allows the plugin to initialize its configuration. It must not
+	// require direct user interaction.
+	Login() error
 }
 
-type Factory func() (AuthProvider, error)
+// Factory generates an AuthProvider plugin.
+//  clusterAddress is the address of the current cluster.
+//  config is the inital configuration for this plugin.
+//  persister allows the plugin to save updated configuration.
+type Factory func(clusterAddress string, config map[string]string, persister AuthProviderConfigPersister) (AuthProvider, error)
+
+// AuthProviderConfigPersister allows a plugin to persist configuration info
+// for just itself.
+type AuthProviderConfigPersister interface {
+	Persist(map[string]string) error
+}
 
 // All registered auth provider plugins.
 var pluginsLock sync.Mutex
@@ -49,12 +62,12 @@ func RegisterAuthProviderPlugin(name string, plugin Factory) error {
 	return nil
 }
 
-func GetAuthProvider(apc *clientcmdapi.AuthProviderConfig) (AuthProvider, error) {
+func GetAuthProvider(clusterAddress string, apc *clientcmdapi.AuthProviderConfig, persister AuthProviderConfigPersister) (AuthProvider, error) {
 	pluginsLock.Lock()
 	defer pluginsLock.Unlock()
 	p, ok := plugins[apc.Name]
 	if !ok {
 		return nil, fmt.Errorf("No Auth Provider found for name %q", apc.Name)
 	}
-	return p()
+	return p(clusterAddress, apc.Config, persister)
 }

pkg/client/restclient/transport_test.go → pkg/client/restclient/plugin_test.go

@@ -19,12 +19,14 @@ package restclient
 import (
 	"fmt"
 	"net/http"
+	"reflect"
+	"strconv"
 	"testing"
 
 	clientcmdapi "k8s.io/kubernetes/pkg/client/unversioned/clientcmd/api"
 )
 
-func TestTransportConfigAuthPlugins(t *testing.T) {
+func TestAuthPluginWrapTransport(t *testing.T) {
 	if err := RegisterAuthProviderPlugin("pluginA", pluginAProvider); err != nil {
 		t.Errorf("Unexpected error: failed to register pluginA: %v", err)
 	}
@@ -92,6 +94,83 @@ func TestTransportConfigAuthPlugins(t *testing.T) {
 	}
 }
 
+func TestAuthPluginPersist(t *testing.T) {
+	// register pluginA by a different name so we don't collide across tests.
+	if err := RegisterAuthProviderPlugin("pluginA2", pluginAProvider); err != nil {
+		t.Errorf("Unexpected error: failed to register pluginA: %v", err)
+	}
+	if err := RegisterAuthProviderPlugin("pluginPersist", pluginPersistProvider); err != nil {
+		t.Errorf("Unexpected error: failed to register pluginPersist: %v", err)
+	}
+	fooBarConfig := map[string]string{"foo": "bar"}
+	testCases := []struct {
+		plugin                       string
+		startingConfig               map[string]string
+		expectedConfigAfterLogin     map[string]string
+		expectedConfigAfterRoundTrip map[string]string
+	}{
+		// non-persisting plugins should work fine without modifying config.
+		{"pluginA2", map[string]string{}, map[string]string{}, map[string]string{}},
+		{"pluginA2", fooBarConfig, fooBarConfig, fooBarConfig},
+		// plugins that persist config should be able to persist when they want.
+		{
+			"pluginPersist",
+			map[string]string{},
+			map[string]string{
+				"login": "Y",
+			},
+			map[string]string{
+				"login":      "Y",
+				"roundTrips": "1",
+			},
+		},
+		{
+			"pluginPersist",
+			map[string]string{
+				"login":      "Y",
+				"roundTrips": "123",
+			},
+			map[string]string{
+				"login":      "Y",
+				"roundTrips": "123",
+			},
+			map[string]string{
+				"login":      "Y",
+				"roundTrips": "124",
+			},
+		},
+	}
+	for i, tc := range testCases {
+		cfg := &clientcmdapi.AuthProviderConfig{
+			Name:   tc.plugin,
+			Config: tc.startingConfig,
+		}
+		persister := &inMemoryPersister{make(map[string]string)}
+		persister.Persist(tc.startingConfig)
+		plugin, err := GetAuthProvider("127.0.0.1", cfg, persister)
+		if err != nil {
+			t.Errorf("%d. Unexpected error: failed to get plugin %q: %v", i, tc.plugin, err)
+		}
+		if err := plugin.Login(); err != nil {
+			t.Errorf("%d. Unexpected error calling Login() w/ plugin %q: %v", i, tc.plugin, err)
+		}
+		// Make sure the plugin persisted what we expect after Login().
+		if !reflect.DeepEqual(persister.savedConfig, tc.expectedConfigAfterLogin) {
+			t.Errorf("%d. Unexpected persisted config after calling %s.Login(): \nGot:\n%v\nExpected:\n%v",
+				i, tc.plugin, persister.savedConfig, tc.expectedConfigAfterLogin)
+		}
+		if _, err := plugin.WrapTransport(&emptyTransport{}).RoundTrip(&http.Request{}); err != nil {
+			t.Errorf("%d. Unexpected error round-tripping w/ plugin %q: %v", i, tc.plugin, err)
+		}
+		// Make sure the plugin persisted what we expect after RoundTrip().
+		if !reflect.DeepEqual(persister.savedConfig, tc.expectedConfigAfterRoundTrip) {
+			t.Errorf("%d. Unexpected persisted config after calling %s.WrapTransport.RoundTrip(): \nGot:\n%v\nExpected:\n%v",
+				i, tc.plugin, persister.savedConfig, tc.expectedConfigAfterLogin)
+		}
+	}
+
+}
+
 // emptyTransport provides an empty http.Response with an initialized header
 // to allow wrapping RoundTrippers to set header values.
 type emptyTransport struct{}
@@ -137,7 +216,9 @@ func (*pluginA) WrapTransport(rt http.RoundTripper) http.RoundTripper {
 	return &wrapTransportA{rt}
 }
 
-func pluginAProvider() (AuthProvider, error) {
+func (*pluginA) Login() error { return nil }
+
+func pluginAProvider(string, map[string]string, AuthProviderConfigPersister) (AuthProvider, error) {
 	return &pluginA{}, nil
 }
 
@@ -161,11 +242,70 @@ func (*pluginB) WrapTransport(rt http.RoundTripper) http.RoundTripper {
 	return &wrapTransportB{rt}
 }
 
-func pluginBProvider() (AuthProvider, error) {
+func (*pluginB) Login() error { return nil }
+
+func pluginBProvider(string, map[string]string, AuthProviderConfigPersister) (AuthProvider, error) {
 	return &pluginB{}, nil
 }
 
 // pluginFailProvider simulates a registered AuthPlugin that fails to load.
-func pluginFailProvider() (AuthProvider, error) {
+func pluginFailProvider(string, map[string]string, AuthProviderConfigPersister) (AuthProvider, error) {
 	return nil, fmt.Errorf("Failed to load AuthProvider")
 }
+
+type inMemoryPersister struct {
+	savedConfig map[string]string
+}
+
+func (i *inMemoryPersister) Persist(config map[string]string) error {
+	i.savedConfig = make(map[string]string)
+	for k, v := range config {
+		i.savedConfig[k] = v
+	}
+	return nil
+}
+
+// wrapTransportPersist increments the "roundTrips" entry from the config when
+// roundTrip is called.
+type wrapTransportPersist struct {
+	rt        http.RoundTripper
+	config    map[string]string
+	persister AuthProviderConfigPersister
+}
+
+func (w *wrapTransportPersist) RoundTrip(req *http.Request) (*http.Response, error) {
+	roundTrips := 0
+	if rtVal, ok := w.config["roundTrips"]; ok {
+		var err error
+		roundTrips, err = strconv.Atoi(rtVal)
+		if err != nil {
+			return nil, err
+		}
+	}
+	roundTrips++
+	w.config["roundTrips"] = fmt.Sprintf("%d", roundTrips)
+	if err := w.persister.Persist(w.config); err != nil {
+		return nil, err
+	}
+	return w.rt.RoundTrip(req)
+}
+
+type pluginPersist struct {
+	config    map[string]string
+	persister AuthProviderConfigPersister
+}
+
+func (p *pluginPersist) WrapTransport(rt http.RoundTripper) http.RoundTripper {
+	return &wrapTransportPersist{rt, p.config, p.persister}
+}
+
+// Login sets the config entry "login" to "Y".
+func (p *pluginPersist) Login() error {
+	p.config["login"] = "Y"
+	p.persister.Persist(p.config)
+	return nil
+}
+
+func pluginPersistProvider(_ string, config map[string]string, persister AuthProviderConfigPersister) (AuthProvider, error) {
+	return &pluginPersist{config, persister}, nil
+}

pkg/client/restclient/transport.go

@@ -60,7 +60,7 @@ func HTTPWrappersForConfig(config *Config, rt http.RoundTripper) (http.RoundTrip
 func (c *Config) transportConfig() (*transport.Config, error) {
 	wt := c.WrapTransport
 	if c.AuthProvider != nil {
-		provider, err := GetAuthProvider(c.AuthProvider)
+		provider, err := GetAuthProvider(c.Host, c.AuthProvider, c.AuthConfigPersister)
 		if err != nil {
 			return nil, err
 		}

pkg/client/unversioned/clientcmd/api/types.go

@@ -116,7 +116,8 @@ type Context struct {
 
 // AuthProviderConfig holds the configuration for a specified auth provider.
 type AuthProviderConfig struct {
-	Name string `json:"name"`
+	Name   string            `json:"name"`
+	Config map[string]string `json:"config,omitempty"`
 }
 
 // NewConfig is a convenience function that returns a new Config object with non-nil maps

pkg/client/unversioned/clientcmd/api/types_test.go

@@ -59,7 +59,13 @@ func Example_ofOptionsConfig() {
 		Token: "my-secret-token",
 	}
 	defaultConfig.AuthInfos["black-mage-via-auth-provider"] = &AuthInfo{
-		AuthProvider: &AuthProviderConfig{Name: "gcp"},
+		AuthProvider: &AuthProviderConfig{
+			Name: "gcp",
+			Config: map[string]string{
+				"foo":   "bar",
+				"token": "s3cr3t-t0k3n",
+			},
+		},
 	}
 	defaultConfig.Contexts["bravo-as-black-mage"] = &Context{
 		Cluster:   "bravo",
@@ -115,6 +121,9 @@ func Example_ofOptionsConfig() {
 	//   black-mage-via-auth-provider:
 	//     LocationOfOrigin: ""
 	//     auth-provider:
+	//       config:
+	//         foo: bar
+	//         token: s3cr3t-t0k3n
 	//       name: gcp
 	//   red-mage-via-token:
 	//     LocationOfOrigin: ""

pkg/client/unversioned/clientcmd/api/v1/types.go

@@ -140,5 +140,6 @@ type NamedExtension struct {
 
 // AuthProviderConfig holds the configuration for a specified auth provider.
 type AuthProviderConfig struct {
-	Name string `json:"name"`
+	Name   string            `json:"name"`
+	Config map[string]string `json:"config"`
 }