security: Using k8s idp instead of providing console-sa (#2166)
Using k8s idp instead of providing console-sa
cniackz authored Jun 19, 2024
1 parent bdc3404 commit fd7ede7
Showing 3 changed files with 27 additions and 10 deletions.
23 changes: 16 additions & 7 deletions api/config.go
Expand Up @@ -18,12 +18,15 @@ package api

import (
"crypto/x509"
"io/ioutil"
"net"
"strconv"
"strings"
"time"

xoauth2 "golang.org/x/oauth2"

"k8s.io/klog/v2"

"github.com/minio/operator/pkg/auth/idp/oauth2"

xcerts "github.com/minio/pkg/certs"
Expand Down Expand Up @@ -60,14 +63,20 @@ var (
GlobalTLSCertsManager *xcerts.Manager
)

// getK8sSAToken assumes the plugin is running inside a k8s pod and extract the current service account from the
// /var/run/secrets/kubernetes.io/serviceaccount/token file
func getK8sSAToken() string {
dat, err := ioutil.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/token")
if err != nil {
// getK8sSAToken assumes the plugin is running inside a k8s pod and gets the token directly from IdP as id_token
// if id_token is valid token for k8s, then user will have access as described in k8s documentation:
// https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens
func getK8sSAToken(oauth2Token *xoauth2.Token) string {
var idToken interface{}
if oauth2Token != nil {
// The extraction of id_token alone
idToken = oauth2Token.Extra("id_token")
}
if idToken == nil {
klog.Warning("we no longer provide console-sa access token but rather your should consider configuring k8s idp to get the token in a production environment")
return env.Get(OperatorSAToken, "")
}
return string(dat)
return idToken.(string)
}

// Get Marketplace deployment platform
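Review bot: `return idToken.(string)` in getK8sSAToken is an unchecked type assertion; `Token.Extra` returns `interface{}`, so a provider whose token response carries id_token as anything other than a JSON string would panic inside the login handler instead of reaching the fallback. A two-value assertion that also treats an empty string as missing keeps the fallback reachable and removes the panic. The doc comment still opens with "assumes the plugin is running inside a k8s pod", which no longer applies now that the token file is not read; suggest `// getK8sSAToken returns the IdP-issued id_token to present to the Kubernetes API, falling back to the token configured via OperatorSAToken when the IdP response carries none.` The warning text also reads "your should", presumably "you should".
```go
func getK8sSAToken(oauth2Token *xoauth2.Token) string {
	var idToken string
	if oauth2Token != nil {
		// Two-value assertion: a missing or non-string id_token leaves idToken empty.
		idToken, _ = oauth2Token.Extra("id_token").(string)
	}
	if idToken == "" {
		// … unchanged: klog.Warning and env.Get fallback …
	}
	return idToken
}
```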
5 changes: 4 additions & 1 deletion api/config_test.go
Expand Up @@ -19,6 +19,8 @@ package api
import (
"os"
"testing"

xoauth2 "golang.org/x/oauth2"
)

func Test_getK8sSAToken(t *testing.T) {
Expand Down Expand Up @@ -47,7 +49,8 @@ func Test_getK8sSAToken(t *testing.T) {
os.Setenv(k, v)
}
}
if got := getK8sSAToken(); got != tt.want {
var oauth2Token *xoauth2.Token
if got := getK8sSAToken(oauth2Token); got != tt.want {
t.Errorf("getK8sSAToken() = %v, want %v", got, tt.want)
}
if tt.envs != nil {
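Review bot: The updated call passes a nil `*xoauth2.Token`, so every case in Test_getK8sSAToken still exercises only the fallback branch; the new id_token extraction in getK8sSAToken has no coverage. A table entry built with `(&xoauth2.Token{}).WithExtra(map[string]interface{}{"id_token": "constructed-token"})` expecting that string back would cover it, and one carrying a non-string id_token would pin whether the function falls back or panics. Test_getK8sSAToken's table and its closing brace lie outside the hunk.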
9 changes: 7 additions & 2 deletions api/login.go
Expand Up @@ -184,14 +184,19 @@ func getLoginOauth2AuthResponse(params authApi.LoginOauth2AuthParams) (*models.L
KeyFunc: oauth2.DefaultDerivedKey,
Client: oauth2Client,
}

// Pointer to extract the whole token from IdP
var oauth2Token *xoauth2.Token

// Validate user against IDP
_, err = verifyUserAgainstIDP(ctx, identityProvider, *lr.Code, requestItems.State)
oauth2Token, err = verifyUserAgainstIDP(ctx, identityProvider, *lr.Code, requestItems.State)
if err != nil {
return nil, ErrorWithContext(ctx, err)
}

// If we pass here that means the IDP correctly authenticate the user with the operator resource
// we proceed to use the service account token configured in the operator-console pod
creds, err := newConsoleCredentials(getK8sSAToken())
creds, err := newConsoleCredentials(getK8sSAToken(oauth2Token))
if err != nil {
return nil, ErrorWithContext(ctx, err)
}
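Review bot: The comment above `creds, err := newConsoleCredentials(getK8sSAToken(oauth2Token))` still says the service account token configured in the operator-console pod is used, but with the token passed in, the IdP's id_token is the credential whenever the response carries one and the env-configured token is only the fallback. Suggest replacing the second comment line with `// forward the IdP-issued id_token (or the configured fallback token) as the credential for the Kubernetes API`. The standalone `var oauth2Token *xoauth2.Token` declaration could likely be folded into the assignment with `:=`, but whether err is declared in this scope cannot be confirmed from the hunk; getLoginOauth2AuthResponse starts and ends outside it.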