Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add PoP token support to interactive+spn get-token/convert-kubeconfig flows #319

Merged
merged 41 commits into from
Sep 6, 2023
Merged

Add PoP token support to interactive+spn get-token/convert-kubeconfig flows #319

merged 41 commits into from
Sep 6, 2023

Conversation

rharpavat
Copy link
Contributor

@rharpavat rharpavat commented Aug 15, 2023
edited
Loading

Adds support for getting a Proof-of-Possession (PoP) token when running kubelogin get-token with --login interactive mode.

Adds 2 new flags to kubelogin get-token and kubelogin convert-kubeconfig:

  1. --pop-enabled: boolean flag indicating whether or not to request a PoP token
  2. --pop-claims: string slice formatted as a comma-separated list of key/value pairs, eg. "u=host,key2=val2"

Both flags must be provided together in order to use the PoP token flow; providing one but not the other will result in an error during flag validation. PoP claims must contain the u claim containing the ARM ID of the cluster (host) to request the PoP token for, in the format "u=<ARM_ID>".

rharpavat and others added 6 commits August 8, 2023 14:22
Add --pop-enabled flag for get-token
d3a19d7 
- When true, flag allows a PoP token to be passed
(https://learn.microsoft.com/en-us/entra/msal/dotnet/advanced/proof-of-possession-tokens)
instead of a regular bearer token
- Flag is false by default (when not provided), i.e. the default flow is
still to request a regular bearer token
Add dependency on authnscheme branch of msal
92af2da 
- Adds a dependency on microsoft authentication library for go
- Specifically uses the branch that adds PoP token support
Add pop token support for interactive flow
3e0ee76
Add pop token support to devicecode flow
6bb2f5c
@rharpavat
Clean up pop claim parsing
50d877e
@rharpavat
Update unit test, fix some linting errors
247f286 
- Use go-cmp to compare Options struct equality in unit test
- Fix comment formatting to remove lint errors
@codecov-commenter
Copy link

codecov-commenter commented Aug 16, 2023
edited
Loading

Codecov Report

Merging #319 (e776bbe) into master (9791038) will increase coverage by 5.97%.
The diff coverage is 69.15%.

@@            Coverage Diff             @@
##           master     #319      +/-   ##
==========================================
+ Coverage   60.68%   66.66%   +5.97%     
==========================================
  Files          16       22       +6     
  Lines        1249     1629     +380     
==========================================
+ Hits          758     1086     +328     
- Misses        445      485      +40     
- Partials       46       58      +12
Files Changed Coverage Δ
pkg/testutils/govcrutils.go 0.00% <0.00%> (ø)
pkg/token/interactive.go 22.36% <4.34%> (+22.36%) ⬆️
pkg/pop/msal.go 38.75% <38.75%> (ø)
pkg/token/serviceprincipaltokencertificate.go 71.96% <71.96%> (ø)
pkg/token/serviceprincipaltokensecret.go 86.95% <86.95%> (ø)
pkg/pop/authnscheme.go 90.00% <90.00%> (ø)
pkg/pop/poptoken.go 90.62% <90.62%> (ø)
pkg/converter/convert.go 81.36% <91.42%> (+2.12%) ⬆️
pkg/token/serviceprincipaltoken.go 95.08% <93.33%> (+30.51%) ⬆️
pkg/testutils/testutils.go 100.00% <100.00%> (ø)
... and 2 more

... and 4 files with indirect coverage changes

@julienstroheker julienstroheker mentioned this pull request Aug 21, 2023
Merged
3 tasks
weinong
weinong reviewed Aug 30, 2023
View reviewed changes
pkg/pop/poptoken.go Outdated Show resolved Hide resolved
weinong
weinong reviewed Aug 30, 2023
View reviewed changes
pkg/pop/poptoken.go Outdated Show resolved Hide resolved
julienstroheker
julienstroheker reviewed Sep 5, 2023
View reviewed changes
pkg/pop/poptoken.go Outdated Show resolved Hide resolved
julienstroheker
julienstroheker suggested changes Sep 5, 2023
View reviewed changes
Copy link
Contributor

@julienstroheker julienstroheker left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

PTAL

@rharpavat rharpavat changed the title [Work in Progress - Do Not Merge] Add PoP token support to get-token interactive flow Add PoP token support to interactive+spn get-token/convert-kubeconfig flows Sep 5, 2023
julienstroheker
julienstroheker reviewed Sep 5, 2023
View reviewed changes
pkg/pop/poptoken.go Outdated Show resolved Hide resolved
julienstroheker
julienstroheker reviewed Sep 5, 2023
View reviewed changes
pkg/pop/poptoken.go Outdated Show resolved Hide resolved
julienstroheker
julienstroheker reviewed Sep 5, 2023
View reviewed changes
pkg/pop/poptoken.go Outdated Show resolved Hide resolved
julienstroheker
julienstroheker suggested changes Sep 5, 2023
View reviewed changes
Copy link
Contributor

@julienstroheker julienstroheker left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

PTAL

weinong
weinong approved these changes Sep 5, 2023
View reviewed changes
Copy link
Contributor

@weinong weinong left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@weinong weinong merged commit c4cf27c into Azure:master Sep 6, 2023
@rharpavat rharpavat deleted the rharpavat/add-pop-token-support branch September 8, 2023 23:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@julienstroheker julienstroheker julienstroheker approved these changes

@weinong weinong weinong approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@rharpavat @codecov-commenter @weinong @julienstroheker