This repository was archived by the owner on Mar 13, 2022. It is now read-only.

Resolve #218, Resolves kubernetes-client/python#1335 #220

Closed
33 changes: 16 additions & 17 deletions config/kube_config.py
Expand Up @@ -265,11 +265,9 @@ def set_active_context(self, context_name=None):

def _load_authentication(self):
"""Read authentication from kube-config user section if exists.

This function goes through various authentication methods in user
section of kube-config and stops if it finds a valid authentication
method. The order of authentication methods is:

1. auth-provider (gcp, azure, oidc)
2. token field (point to a token file)
3. exec provided plugin
Expand Down Expand Up @@ -368,31 +366,36 @@ def _load_oid_token(self, provider):
if 'config' not in provider:
return

reserved_characters = frozenset(["=", "+", "/"])
urlunsafe_revision = {"=":"", "+":"-", "/":"_"}
token = provider['config']['id-token']

if any(char in token for char in reserved_characters):
# Invalid jwt, as it contains url-unsafe chars
return
if any(char in token for char in urlunsafe_revision.keys()):
for key, value in urlunsafe_revision.items():
token = token.replace(key, value)

parts = token.split('.')
if len(parts) != 3: # Not a valid JWT
return
if len(parts) != 3:
# Not a valid JWT
raise ConfigException(
'Invalid kube-config file. '
'Not a vaild oidc token')

padding = (4 - len(parts[1]) % 4) * '='
if len(padding) == 3:
# According to spec, 3 padding characters cannot occur
# in a valid jwt
# https://tools.ietf.org/html/rfc7515#appendix-C
return
raise ConfigException(
'Invalid kube-config file. '
'Not a vaild oidc token')

if PY3:
jwt_attributes = json.loads(
base64.b64decode(parts[1] + padding).decode('utf-8')
base64.urlsafe_b64decode(parts[1] + padding).decode('utf-8')
)
else:
jwt_attributes = json.loads(
base64.b64decode(parts[1] + padding)
base64.urlsafe_b64decode(parts[1] + padding)
)

expire = jwt_attributes.get('exp')
Expand All @@ -416,11 +419,11 @@ def _refresh_oidc(self, provider):
ca_cert = tempfile.NamedTemporaryFile(delete=True)

if PY3:
cert = base64.b64decode(
cert = base64.urlsafe_b64decode(
provider['config']['idp-certificate-authority-data']
).decode('utf-8')
else:
cert = base64.b64decode(
cert = base64.urlsafe_b64decode(
provider['config']['idp-certificate-authority-data'] + "=="
)

Expand Down Expand Up @@ -655,10 +658,8 @@ class KubeConfigMerger:

"""Reads and merges configuration from one or more kube-config's.
The propery `config` can be passed to the KubeConfigLoader as config_dict.

It uses a path attribute from ConfigNode to store the path to kubeconfig.
This path is required to load certs from relative paths.

A method `save_changes` updates changed kubeconfig's (it compares current
state of dicts with).
"""
Expand Down Expand Up @@ -776,7 +777,6 @@ def load_kube_config(config_file=None, context=None,
persist_config=True):
"""Loads authentication and cluster information from kube-config file
and stores them in kubernetes.client.configuration.

:param config_file: Name of the kube-config file.
:param context: set the active context. If is set to None, current_context
from config file will be used.
Expand Down Expand Up @@ -806,7 +806,6 @@ def load_kube_config_from_dict(config_dict, context=None,
persist_config=True):
"""Loads authentication and cluster information from config_dict file
and stores them in kubernetes.client.configuration.

:param config_dict: Takes the config file as a dict.
:param context: set the active context. If is set to None, current_context
from config file will be used.
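Review bot: In `_load_oid_token` the new `urlunsafe_revision` rewrite coerces an `id-token` containing `=`, `+` or `/` into base64url form instead of rejecting it, and it changes only the local `token`; if the code after this hunk still builds the bearer value from `provider['config']['id-token']` (not visible here), the string whose `exp` was inspected and the string sent to the API server would differ. CPython's `base64.urlsafe_b64decode` already accepts both alphabets, so the rewrite and its redundant `any(...)` guard can be dropped and a token with characters outside the compact-JWS alphabet rejected as before. The two `return` → `raise ConfigException` changes presumably stop `_load_authentication` from falling through to the token-file and exec-plugin methods that its docstring lists, which should be confirmed against the caller and stated in the description; the message text also has a typo and should read `'Not a valid oidc token'`. In `_refresh_oidc`, `idp-certificate-authority-data` is ordinary base64 of a certificate, so `base64.b64decode` was the fitting call and the urlsafe variant only widens what is accepted there. Both function bodies continue outside the hunks shown.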