diff --git a/api/config.go b/api/config.go index ae107322401..4b0a1778c1f 100644 --- a/api/config.go +++ b/api/config.go @@ -18,12 +18,15 @@ package api import ( "crypto/x509" - "io/ioutil" "net" "strconv" "strings" "time" + xoauth2 "golang.org/x/oauth2" + + "k8s.io/klog/v2" + "github.com/minio/operator/pkg/auth/idp/oauth2" xcerts "github.com/minio/pkg/certs" @@ -60,14 +63,20 @@ var ( GlobalTLSCertsManager *xcerts.Manager ) -// getK8sSAToken assumes the plugin is running inside a k8s pod and extract the current service account from the -// /var/run/secrets/kubernetes.io/serviceaccount/token file -func getK8sSAToken() string { - dat, err := ioutil.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/token") - if err != nil { +// getK8sSAToken assumes the plugin is running inside a k8s pod and gets the token directly from IdP as id_token +// if id_token is valid token for k8s, then user will have access as described in k8s documentation: +// https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens +func getK8sSAToken(oauth2Token *xoauth2.Token) string { + var idToken interface{} + if oauth2Token != nil { + // The extraction of id_token alone + idToken = oauth2Token.Extra("id_token") + } + if idToken == nil { + klog.Warning("we no longer provide console-sa access token but rather your should consider configuring k8s idp to get the token in a production environment") return env.Get(OperatorSAToken, "") } - return string(dat) + return idToken.(string) } // Get Marketplace deployment platform diff --git a/api/config_test.go b/api/config_test.go index 113a9ac0d82..c8648c05815 100644 --- a/api/config_test.go +++ b/api/config_test.go @@ -19,6 +19,8 @@ package api import ( "os" "testing" + + xoauth2 "golang.org/x/oauth2" ) func Test_getK8sSAToken(t *testing.T) { @@ -47,7 +49,8 @@ func Test_getK8sSAToken(t *testing.T) { os.Setenv(k, v) } } - if got := getK8sSAToken(); got != tt.want { + var oauth2Token *xoauth2.Token + if got := getK8sSAToken(oauth2Token); got != tt.want { t.Errorf("getK8sSAToken() = %v, want %v", got, tt.want) } if tt.envs != nil { diff --git a/api/login.go b/api/login.go index 5c70cc73ba7..2301396aefc 100644 --- a/api/login.go +++ b/api/login.go @@ -184,14 +184,19 @@ func getLoginOauth2AuthResponse(params authApi.LoginOauth2AuthParams) (*models.L KeyFunc: oauth2.DefaultDerivedKey, Client: oauth2Client, } + + // Pointer to extract the whole token from IdP + var oauth2Token *xoauth2.Token + // Validate user against IDP - _, err = verifyUserAgainstIDP(ctx, identityProvider, *lr.Code, requestItems.State) + oauth2Token, err = verifyUserAgainstIDP(ctx, identityProvider, *lr.Code, requestItems.State) if err != nil { return nil, ErrorWithContext(ctx, err) } + // If we pass here that means the IDP correctly authenticate the user with the operator resource // we proceed to use the service account token configured in the operator-console pod - creds, err := newConsoleCredentials(getK8sSAToken()) + creds, err := newConsoleCredentials(getK8sSAToken(oauth2Token)) if err != nil { return nil, ErrorWithContext(ctx, err) }