using k8s.Authentication;
using k8s.Autorest;
using k8s.Exceptions;
using k8s.KubeConfigModels;
using k8s.Models;
using k8s.Tests.Mock;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Server.Kestrel.Https;
using Org.BouncyCastle.Crypto.Parameters;
using Org.BouncyCastle.Pkcs;
using Org.BouncyCastle.Security;
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Net;
using System.Net.Http.Headers;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Threading.Tasks;
using Xunit;
using Xunit.Abstractions;
namespace k8s.Tests
{
public class AuthTests
{
private readonly ITestOutputHelper testOutput;
/// <summary>
/// Keeps the xUnit output helper so the tests can hand it to each mock API server they create.
/// </summary>
/// <param name="testOutput">Output helper passed on to <c>MockKubeApiServer</c>.</param>
public AuthTests(ITestOutputHelper testOutput) => this.testOutput = testOutput;
/// <summary>
/// Lists the pods of the "default" namespace and blocks until the call has finished.
/// </summary>
/// <param name="client">Client under test.</param>
/// <returns>The HTTP response together with the deserialized pod list.</returns>
/// <remarks>
/// Reading <c>Result</c> blocks the calling thread and reports a failed call as an
/// <see cref="AggregateException"/>; tests that need the inner exception go through PeelAggregate.
/// </remarks>
private static HttpOperationResponse<V1PodList> ExecuteListPods(IKubernetes client)
{
    var pending = client.CoreV1.ListNamespacedPodWithHttpMessagesAsync("default");
    return pending.Result;
}
/// <summary>
/// Checks a client configured with a host only (no credentials): the pod list succeeds against a
/// mock server created without a request hook, and a 401 answer is reported as Unauthorized.
/// </summary>
[Fact]
public void Anonymous()
{
    // Case 1: mock server without a request hook.
    using (var server = new MockKubeApiServer(testOutput))
    {
        var config = new KubernetesClientConfiguration { Host = server.Uri.ToString() };
        var client = new Kubernetes(config);

        var podList = ExecuteListPods(client);

        Assert.True(podList.Response.IsSuccessStatusCode);
        Assert.Single(podList.Body.Items);
    }

    // Case 2: the hook sets 401 on every request and returns false.
    using (var server = new MockKubeApiServer(testOutput, context =>
    {
        context.Response.StatusCode = (int)HttpStatusCode.Unauthorized;
        return Task.FromResult(false);
    }))
    {
        var config = new KubernetesClientConfiguration { Host = server.Uri.ToString() };
        var client = new Kubernetes(config);

        ShouldThrowUnauthorized(client);
    }
}
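/// <summary>
/// Runs <paramref name="testcode"/> and, when it fails with an <see cref="AggregateException"/>
/// that wraps exactly one exception, rethrows that inner exception so callers can catch it by type.
/// </summary>
/// <param name="testcode">The action to run.</param>
/// <remarks>
/// An aggregate holding zero or several inner exceptions is rethrown unchanged. Exceptions of any
/// other type are not caught here.
/// </remarks>
private static void PeelAggregate(Action testcode)
{
    try
    {
        testcode();
    }
    catch (AggregateException e)
    {
        if (e.InnerExceptions.Count == 1)
        {
            // Rethrow through ExceptionDispatchInfo so the inner exception keeps the stack trace of
            // the original failure; a plain "throw inner;" would replace it with this frame.
            System.Runtime.ExceptionServices.ExceptionDispatchInfo.Capture(e.InnerExceptions[0]).Throw();
        }

        throw;
    }
}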
/// <summary>
/// Checks HTTP Basic authentication: the mock server accepts only the Authorization header built
/// from the expected user name and password, and every other combination must end in 401.
/// </summary>
[Fact]
public void BasicAuth()
{
    const string testName = "test_name";
    const string testPassword = "test_password";

    using (var server = new MockKubeApiServer(testOutput, context =>
    {
        var received = context.Request.Headers["Authorization"].FirstOrDefault();

        // Expected value: "Basic " followed by base64("test_name:test_password").
        var encodedPair = Convert.ToBase64String(Encoding.UTF8.GetBytes($"{testName}:{testPassword}"));
        var expected = new AuthenticationHeaderValue("Basic", encodedPair).ToString();

        if (received == expected)
        {
            return Task.FromResult(true);
        }

        context.Response.StatusCode = (int)HttpStatusCode.Unauthorized;
        return Task.FromResult(false);
    }))
    {
        // Correct user name and password.
        {
            var config = new KubernetesClientConfiguration
            {
                Host = server.Uri.ToString(),
                Username = testName,
                Password = testPassword,
            };
            var client = new Kubernetes(config);

            var podList = ExecuteListPods(client);
            Assert.True(podList.Response.IsSuccessStatusCode);
            Assert.Single(podList.Body.Items);
        }

        // Wrong user name, correct password.
        {
            var config = new KubernetesClientConfiguration
            {
                Host = server.Uri.ToString(),
                Username = "wrong name",
                Password = testPassword,
            };
            var client = new Kubernetes(config);

            ShouldThrowUnauthorized(client);
        }

        // Correct user name, wrong password.
        {
            var config = new KubernetesClientConfiguration
            {
                Host = server.Uri.ToString(),
                Username = testName,
                Password = "wrong password",
            };
            var client = new Kubernetes(config);

            ShouldThrowUnauthorized(client);
        }

        // Both wrong.
        {
            var config = new KubernetesClientConfiguration
            {
                Host = server.Uri.ToString(),
                Username = "both wrong",
                Password = "wrong password",
            };
            var client = new Kubernetes(config);

            ShouldThrowUnauthorized(client);
        }

        // No credentials at all.
        {
            var config = new KubernetesClientConfiguration { Host = server.Uri.ToString() };
            var client = new Kubernetes(config);

            ShouldThrowUnauthorized(client);
        }

        // User name without a password.
        {
            var config = new KubernetesClientConfiguration
            {
                Host = server.Uri.ToString(),
                Username = "xx",
            };
            var client = new Kubernetes(config);

            ShouldThrowUnauthorized(client);
        }
    }
}
// this test doesn't work on OSX
/// <summary>
/// Checks client-certificate authentication against a mock HTTPS server that requires a client
/// certificate and accepts only the one loaded from <c>assets/client-certificate-data.txt</c>.
/// </summary>
/// <remarks>
/// The attribute excludes OSX, yet the body still carries an OSX branch for loading the server
/// certificate.
/// </remarks>
[OperatingSystemDependentFact(Exclude = OperatingSystems.OSX)]
public void Cert()
{
    var serverCertificateData = File.ReadAllText("assets/apiserver-pfx-data.txt");

    var clientCertificateKeyData = File.ReadAllText("assets/client-key-data.txt");
    var clientCertificateData = File.ReadAllText("assets/client-certificate-data.txt");

    // The server asset is a base64-encoded PKCS#12 blob with an empty password.
    var serverPfx = Convert.FromBase64String(serverCertificateData);
    X509Certificate2 serverCertificate;

    if (!RuntimeInformation.IsOSPlatform(OSPlatform.OSX))
    {
#if NET9_0_OR_GREATER
        serverCertificate = X509CertificateLoader.LoadPkcs12(serverPfx, "");
#else
        serverCertificate = new X509Certificate2(serverPfx, "");
#endif
    }
    else
    {
        using (var serverCertificateStream = new MemoryStream(serverPfx))
        {
            serverCertificate = OpenCertificateStore(serverCertificateStream);
        }
    }

    var clientCertificateBytes = Convert.FromBase64String(clientCertificateData);
#if NET9_0_OR_GREATER
    var clientCertificate = X509CertificateLoader.LoadCertificate(clientCertificateBytes);
#else
    var clientCertificate = new X509Certificate2(clientCertificateBytes, "");
#endif

    var clientCertificateValidationCalled = false;

    using (var server = new MockKubeApiServer(testOutput, listenConfigure: options =>
    {
        var https = new HttpsConnectionAdapterOptions
        {
            ServerCertificate = serverCertificate,
            ClientCertificateMode = ClientCertificateMode.RequireCertificate,

            // The callback ignores the chain and the policy errors and decides on Equals alone.
            // X509Certificate.Equals compares issuer and serial number only, which is enough for
            // this fixture; a production pin should compare the thumbprint or the raw bytes.
            ClientCertificateValidation = (presented, chain, policyErrors) =>
            {
                clientCertificateValidationCalled = true;
                return clientCertificate.Equals(presented);
            },
        };

        options.UseHttps(https);
    }))
    {
        // Inline certificate and key, server certificate trusted through SslCaCerts.
        {
            clientCertificateValidationCalled = false;
            var config = new KubernetesClientConfiguration
            {
                Host = server.Uri.ToString(),
                ClientCertificateData = clientCertificateData,
                ClientCertificateKeyData = clientCertificateKeyData,
                SslCaCerts = new X509Certificate2Collection(serverCertificate),
                SkipTlsVerify = false,
            };
            var client = new Kubernetes(config);

            var podList = ExecuteListPods(client);

            Assert.True(clientCertificateValidationCalled);
            Assert.True(podList.Response.IsSuccessStatusCode);
            Assert.Single(podList.Body.Items);
        }

        // Same client certificate, server verification switched off.
        {
            clientCertificateValidationCalled = false;
            var config = new KubernetesClientConfiguration
            {
                Host = server.Uri.ToString(),
                ClientCertificateData = clientCertificateData,
                ClientCertificateKeyData = clientCertificateKeyData,
                SkipTlsVerify = true,
            };
            var client = new Kubernetes(config);

            var podList = ExecuteListPods(client);

            Assert.True(clientCertificateValidationCalled);
            Assert.True(podList.Response.IsSuccessStatusCode);
            Assert.Single(podList.Body.Items);
        }

        // Certificate and key taken from files: the server callback runs and the request fails.
        // NOTE(review): ThrowsAny<Exception> also passes on unrelated failures such as a missing
        // asset file; only the flag assertion ties this case to the certificate check.
        {
            clientCertificateValidationCalled = false;
            var config = new KubernetesClientConfiguration
            {
                Host = server.Uri.ToString(),
                ClientCertificateFilePath =
                    "assets/client.crt", // TODO: work out why client.crt != client-data.txt
                ClientKeyFilePath = "assets/client.key",
                SkipTlsVerify = true,
            };
            var client = new Kubernetes(config);

            Assert.ThrowsAny<Exception>(() => ExecuteListPods(client));
            Assert.True(clientCertificateValidationCalled);
        }

        // No client certificate: the request fails and the validation callback is never reached.
        {
            clientCertificateValidationCalled = false;
            var config = new KubernetesClientConfiguration
            {
                Host = server.Uri.ToString(),
                SkipTlsVerify = true,
            };
            var client = new Kubernetes(config);

            Assert.ThrowsAny<Exception>(() => ExecuteListPods(client));
            Assert.False(clientCertificateValidationCalled);
        }
    }
}
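/// <summary>
/// Checks client-certificate authentication when certificate and key come from the external
/// credential command configured by <c>GetK8SConfiguration</c>: the expected certificate is accepted
/// and the pair from <c>assets/client.crt</c> / <c>assets/client.key</c> is rejected.
/// </summary>
/// <remarks>
/// The validation flag is reset at the start of each case, as in <c>Cert</c>. Without the reset the
/// final <c>Assert.True</c> was already satisfied by the first case and proved nothing about the
/// second request.
/// </remarks>
[OperatingSystemDependentFact(Exclude = OperatingSystems.OSX)]
public void ExternalCertificate()
{
    const string name = "testing_irrelevant";

    var serverCertificateData = Convert.FromBase64String(File.ReadAllText("assets/apiserver-pfx-data.txt"));

    var clientCertificateKeyData = Convert.FromBase64String(File.ReadAllText("assets/client-key-data.txt"));
    var clientCertificateData = Convert.FromBase64String(File.ReadAllText("assets/client-certificate-data.txt"));

    X509Certificate2 serverCertificate = null;

    if (RuntimeInformation.IsOSPlatform(OSPlatform.OSX))
    {
        using (var serverCertificateStream = new MemoryStream(serverCertificateData))
        {
            serverCertificate = OpenCertificateStore(serverCertificateStream);
        }
    }
    else
    {
#if NET9_0_OR_GREATER
        serverCertificate = X509CertificateLoader.LoadPkcs12(serverCertificateData, "");
#else
        serverCertificate = new X509Certificate2(serverCertificateData, "");
#endif
    }

#if NET9_0_OR_GREATER
    var clientCertificate = X509CertificateLoader.LoadCertificate(clientCertificateData);
#else
    var clientCertificate = new X509Certificate2(clientCertificateData, "");
#endif

    var clientCertificateValidationCalled = false;

    using (var server = new MockKubeApiServer(testOutput, listenConfigure: options =>
    {
        options.UseHttps(new HttpsConnectionAdapterOptions
        {
            ServerCertificate = serverCertificate,
            ClientCertificateMode = ClientCertificateMode.RequireCertificate,

            // Only the presented certificate is inspected; chain and policy errors are ignored.
            // X509Certificate.Equals compares issuer and serial number only, which is enough for
            // this fixture; a production pin should compare the thumbprint or the raw bytes.
            ClientCertificateValidation = (certificate, chain, valid) =>
            {
                clientCertificateValidationCalled = true;
                return clientCertificate.Equals(certificate);
            },
        });
    }))
    {
        // Expected certificate and key, delivered through the external command's JSON output.
        {
            clientCertificateValidationCalled = false;

            // Real newlines become the two characters "\n" so the text fits in a JSON string.
            var clientCertificateText = Encoding.ASCII.GetString(clientCertificateData).Replace("\n", "\\n");
            var clientCertificateKeyText = Encoding.ASCII.GetString(clientCertificateKeyData).Replace("\n", "\\n");
            var responseJson = $"{{\"apiVersion\":\"testingversion\",\"status\":{{\"clientCertificateData\":\"{clientCertificateText}\",\"clientKeyData\":\"{clientCertificateKeyText}\"}}}}";
            var kubernetesConfig = GetK8SConfiguration(server.Uri.ToString(), responseJson, name);
            var clientConfig = KubernetesClientConfiguration.BuildConfigFromConfigObject(kubernetesConfig, name);
            var client = new Kubernetes(clientConfig);
            var listTask = ExecuteListPods(client);
            Assert.True(listTask.Response.IsSuccessStatusCode);
            Assert.Single(listTask.Body.Items);
        }

        // Certificate and key from assets/client.crt and assets/client.key: must be rejected.
        {
            // Reset so the assertion below reflects this request only.
            clientCertificateValidationCalled = false;

            var clientCertificateText = File.ReadAllText("assets/client.crt").Replace("\n", "\\n");
            var clientCertificateKeyText = File.ReadAllText("assets/client.key").Replace("\n", "\\n");
            var responseJson = $"{{\"apiVersion\":\"testingversion\",\"status\":{{\"clientCertificateData\":\"{clientCertificateText}\",\"clientKeyData\":\"{clientCertificateKeyText}\"}}}}";
            var kubernetesConfig = GetK8SConfiguration(server.Uri.ToString(), responseJson, name);
            var clientConfig = KubernetesClientConfiguration.BuildConfigFromConfigObject(kubernetesConfig, name);
            var client = new Kubernetes(clientConfig);
            Assert.ThrowsAny<Exception>(() => ExecuteListPods(client));
            Assert.True(clientCertificateValidationCalled);
        }
    }
}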
/// <summary>
/// Checks bearer-token authentication when the token comes from the external credential command
/// configured by <c>GetK8SConfiguration</c>: the expected token is accepted, another one gets 401.
/// </summary>
[Fact]
public void ExternalToken()
{
    const string token = "testingtoken";
    const string name = "testing_irrelevant";

    using (var server = new MockKubeApiServer(testOutput, context =>
    {
        var received = context.Request.Headers["Authorization"].FirstOrDefault();
        var expected = new AuthenticationHeaderValue("Bearer", token).ToString();

        if (received == expected)
        {
            return Task.FromResult(true);
        }

        context.Response.StatusCode = (int)HttpStatusCode.Unauthorized;
        return Task.FromResult(false);
    }))
    {
        // The command prints the token the server expects.
        {
            var responseJson = $"{{\"apiVersion\":\"testingversion\",\"status\":{{\"token\":\"{token}\"}}}}";
            var kubeConfig = GetK8SConfiguration(server.Uri.ToString(), responseJson, name);
            var clientConfig = KubernetesClientConfiguration.BuildConfigFromConfigObject(kubeConfig, name);
            var client = new Kubernetes(clientConfig);

            var podList = ExecuteListPods(client);

            Assert.True(podList.Response.IsSuccessStatusCode);
            Assert.Single(podList.Body.Items);
        }

        // The command prints a different token.
        {
            var responseJson = "{\"apiVersion\":\"testingversion\",\"status\":{\"token\":\"wrong_token\"}}";
            var kubeConfig = GetK8SConfiguration(server.Uri.ToString(), responseJson, name);
            var clientConfig = KubernetesClientConfiguration.BuildConfigFromConfigObject(kubeConfig, name);
            var client = new Kubernetes(clientConfig);

            ShouldThrowUnauthorized(client);
        }
    }
}
/// <summary>
/// Checks bearer-token authentication through <c>AccessToken</c>: the expected token is accepted,
/// while a wrong token, Basic credentials or no credentials must end in 401.
/// </summary>
[Fact]
public void Token()
{
    const string token = "testingtoken";

    using (var server = new MockKubeApiServer(testOutput, context =>
    {
        var received = context.Request.Headers["Authorization"].FirstOrDefault();
        var expected = new AuthenticationHeaderValue("Bearer", token).ToString();

        if (received == expected)
        {
            return Task.FromResult(true);
        }

        context.Response.StatusCode = (int)HttpStatusCode.Unauthorized;
        return Task.FromResult(false);
    }))
    {
        // Expected token.
        {
            var config = new KubernetesClientConfiguration
            {
                Host = server.Uri.ToString(),
                AccessToken = token,
            };
            var client = new Kubernetes(config);

            var podList = ExecuteListPods(client);
            Assert.True(podList.Response.IsSuccessStatusCode);
            Assert.Single(podList.Body.Items);
        }

        // Different token.
        {
            var config = new KubernetesClientConfiguration
            {
                Host = server.Uri.ToString(),
                AccessToken = "wrong token",
            };
            var client = new Kubernetes(config);

            ShouldThrowUnauthorized(client);
        }

        // User name and password instead of a token.
        {
            var config = new KubernetesClientConfiguration
            {
                Host = server.Uri.ToString(),
                Username = "wrong name",
                Password = "same password",
            };
            var client = new Kubernetes(config);

            ShouldThrowUnauthorized(client);
        }

        // No credentials at all.
        {
            var config = new KubernetesClientConfiguration { Host = server.Uri.ToString() };
            var client = new Kubernetes(config);

            ShouldThrowUnauthorized(client);
        }
    }
}
/// <summary>
/// Checks the OIDC token provider: an unexpired ID token is sent as the bearer token, while an
/// expired or missing ID token leads to a refresh attempt that fails with
/// "Unable to refresh OIDC token.".
/// </summary>
[Fact]
public void Oidc()
{
    var clientId = "CLIENT_ID";
    var clientSecret = "CLIENT_SECRET";
    var idpIssuerUrl = "https://idp.issuer.url";

    // Fixture JWTs with header {"alg":"HS256"}.
    // Payload {"iat":0,"exp":2000000000}: exp is 2033-05-18T03:33:20Z.
    // NOTE(review): after that date this token is expired as well, so the first case presumably
    // stops passing - replace the fixture before then.
    var unexpiredIdToken = "eyJhbGciOiJIUzI1NiJ9.eyJpYXQiOjAsImV4cCI6MjAwMDAwMDAwMH0.8Ata5uKlrqYfeIaMwS91xVgVFHu7ntHx1sGN95i2Zho";

    // Payload {"exp":0}: expired since the Unix epoch.
    var expiredIdToken = "eyJhbGciOiJIUzI1NiJ9.eyJleHAiOjB9.f37LFpIw_XIS5TZt3wdtEjjyCNshYy03lOWpyDViRM0";
    var refreshToken = "REFRESH_TOKEN";

    using (var server = new MockKubeApiServer(testOutput, context =>
    {
        var received = context.Request.Headers["Authorization"].FirstOrDefault();
        var expected = new AuthenticationHeaderValue("Bearer", unexpiredIdToken).ToString();

        if (received == expected)
        {
            return Task.FromResult(true);
        }

        context.Response.StatusCode = (int)HttpStatusCode.Unauthorized;
        return Task.FromResult(false);
    }))
    {
        {
            // use unexpired id token as bearer, do not attempt to refresh
            var config = new KubernetesClientConfiguration
            {
                Host = server.Uri.ToString(),
                AccessToken = unexpiredIdToken,
                TokenProvider = new OidcTokenProvider(clientId, clientSecret, idpIssuerUrl, unexpiredIdToken, refreshToken),
            };
            var client = new Kubernetes(config);

            var podList = ExecuteListPods(client);
            Assert.True(podList.Response.IsSuccessStatusCode);
            Assert.Single(podList.Body.Items);
        }

        {
            // attempt to refresh id token when expired
            var config = new KubernetesClientConfiguration
            {
                Host = server.Uri.ToString(),
                AccessToken = expiredIdToken,
                TokenProvider = new OidcTokenProvider(clientId, clientSecret, idpIssuerUrl, expiredIdToken, refreshToken),
            };
            var client = new Kubernetes(config);

            try
            {
                PeelAggregate(() => ExecuteListPods(client));
                Assert.Fail("should not be here");
            }
            catch (KubernetesClientException refreshFailure)
            {
                Assert.StartsWith("Unable to refresh OIDC token.", refreshFailure.Message);
            }
        }

        {
            // attempt to refresh id token when null
            var config = new KubernetesClientConfiguration
            {
                Host = server.Uri.ToString(),
                AccessToken = expiredIdToken,
                TokenProvider = new OidcTokenProvider(clientId, clientSecret, idpIssuerUrl, null, refreshToken),
            };
            var client = new Kubernetes(config);

            try
            {
                PeelAggregate(() => ExecuteListPods(client));
                Assert.Fail("should not be here");
            }
            catch (KubernetesClientException refreshFailure)
            {
                Assert.StartsWith("Unable to refresh OIDC token.", refreshFailure.Message);
            }
        }
    }
}
/// <summary>
/// Asserts that listing pods with <paramref name="client"/> fails with an
/// <see cref="HttpOperationException"/> whose response status is 401 Unauthorized.
/// </summary>
/// <param name="client">Client expected to be rejected by the mock server.</param>
/// <remarks>
/// A successful call fails the test with "should not be here"; any other exception type propagates
/// to the caller unchanged.
/// </remarks>
private static void ShouldThrowUnauthorized(Kubernetes client)
{
    HttpOperationException rejection;

    try
    {
        PeelAggregate(() => ExecuteListPods(client));
        Assert.Fail("should not be here");

        // Never reached at run time; it lets the compiler see that 'rejection' is assigned below.
        return;
    }
    catch (HttpOperationException e)
    {
        rejection = e;
    }

    Assert.Equal(HttpStatusCode.Unauthorized, rejection.Response.StatusCode);
}
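/// <summary>
/// Loads a PKCS#12 store with an empty password through BouncyCastle and returns the certificate
/// of its single key entry as an <see cref="X509Certificate2"/> that carries the RSA private key.
/// </summary>
/// <param name="stream">Stream holding the PKCS#12 data.</param>
/// <returns>The key entry's certificate combined with its private key.</returns>
/// <exception cref="InvalidOperationException">
/// The store has no key entry, has more than one key entry, or its key is not an RSA private key.
/// </exception>
private X509Certificate2 OpenCertificateStore(Stream stream)
{
    var store = new Pkcs12Store();
    store.Load(stream, new char[] { });

    var keyAlias = store.Aliases.Cast<string>().SingleOrDefault(store.IsKeyEntry);
    if (keyAlias == null)
    {
        // Fail with a clear message instead of passing a null alias on to the store lookups.
        throw new InvalidOperationException("The PKCS#12 store contains no private key entry.");
    }

    var key = store.GetKey(keyAlias).Key as RsaPrivateCrtKeyParameters;
    if (key == null)
    {
        throw new InvalidOperationException("The PKCS#12 key entry does not hold an RSA private key.");
    }

    var bouncyCertificate = store.GetCertificate(keyAlias).Certificate;
    var parameters = DotNetUtilities.ToRSAParameters(key);

    var rsa = new RSACryptoServiceProvider();
    rsa.ImportParameters(parameters);

    // CopyWithPrivateKey returns a new certificate object, so the public-only instance is released
    // here instead of being left for the finalizer.
    using (var publicOnly = new X509Certificate2(DotNetUtilities.ToX509Certificate(bouncyCertificate)))
    {
        return RSACertificateExtensions.CopyWithPrivateKey(publicOnly, rsa);
    }
}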
/// <summary>
/// Builds an in-memory kubeconfig with one cluster, one context and one user whose credentials
/// come from an external command set up to print <paramref name="responseJson"/>.
/// </summary>
/// <param name="serverUri">Address stored as the cluster's server.</param>
/// <param name="responseJson">JSON text handed to the command as the output to print.</param>
/// <param name="name">Name used for both the cluster and the context.</param>
/// <returns>The assembled configuration object.</returns>
/// <remarks>
/// The cluster entry sets <c>SkipTlsVerify</c>, so clients built from this configuration do not
/// verify the server certificate; that suits the mock server only. The external command is
/// presumably started as a local process by the client library, which is why a kubeconfig should
/// be loaded from trusted sources only.
/// </remarks>
private K8SConfiguration GetK8SConfiguration(string serverUri, string responseJson, string name)
{
    const string username = "testinguser";

    var onWindows = RuntimeInformation.IsOSPlatform(OSPlatform.Windows);
    var onLinux = RuntimeInformation.IsOSPlatform(OSPlatform.Linux);
    var onMac = RuntimeInformation.IsOSPlatform(OSPlatform.OSX);

    // Program that prints the JSON: printf on OSX, cmd.exe on Windows, echo everywhere else.
    var command = onMac ? "printf" : onWindows ? "cmd.exe" : "echo";

    // Double quotes are backslash-escaped for echo and printf; cmd.exe gets the JSON unchanged.
    // On any other platform the argument list stays empty.
    string[] arguments;
    if (onMac)
    {
        arguments = new[] { "\"%s\"", responseJson.Replace("\"", "\\\"") };
    }
    else if (onLinux)
    {
        arguments = new[] { responseJson.Replace("\"", "\\\"") };
    }
    else if (onWindows)
    {
        arguments = new[] { "/c", "echo", responseJson };
    }
    else
    {
        arguments = new string[] { };
    }

    var contexts = new List<Context>
    {
        new Context { Name = name, ContextDetails = new ContextDetails { Cluster = name, User = username } },
    };

    var clusters = new List<Cluster>
    {
        new Cluster
        {
            Name = name,
            ClusterEndpoint = new ClusterEndpoint { SkipTlsVerify = true, Server = serverUri },
        },
    };

    var externalExecution = new ExternalExecution
    {
        ApiVersion = "testingversion",
        Command = command,
        Arguments = arguments.ToList(),
    };

    var users = new List<User>
    {
        new User
        {
            Name = username,
            UserCredentials = new UserCredentials { ExternalExecution = externalExecution },
        },
    };

    return new K8SConfiguration { Clusters = clusters, Users = users, Contexts = contexts };
}
}
}