Add PoP token support to interactive+spn get-token/convert-kubeconfig flows

go.mod

@@ -7,8 +7,11 @@ require (
 	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.0
 	github.com/Azure/go-autorest/autorest v0.11.29
 	github.com/Azure/go-autorest/autorest/adal v0.9.23
-	github.com/AzureAD/microsoft-authentication-library-for-go v1.0.0
+	github.com/AzureAD/microsoft-authentication-library-for-go v1.2.0
+	github.com/golang-jwt/jwt/v4 v4.5.0
+	github.com/golang-jwt/jwt/v5 v5.0.0
 	github.com/golang/mock v1.6.0
+	github.com/google/go-cmp v0.5.9
 	github.com/google/uuid v1.3.0
 	github.com/spf13/cobra v1.7.0
 	github.com/spf13/pflag v1.0.5
@@ -36,11 +39,9 @@ require (
 	github.com/go-openapi/jsonreference v0.20.1 // indirect
 	github.com/go-openapi/swag v0.22.3 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/google/btree v1.1.2 // indirect
 	github.com/google/gnostic v0.6.9 // indirect
-	github.com/google/go-cmp v0.5.9 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 	github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect

go.sum

@@ -22,8 +22,8 @@ github.com/Azure/go-autorest/logger v0.2.1 h1:IG7i4p/mDa2Ce4TRyAO8IHnVhAVF3RFU+Z
 github.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8=
 github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUMfuitfgcfuo=
 github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU=
-github.com/AzureAD/microsoft-authentication-library-for-go v1.0.0 h1:OBhqkivkhkMqLPymWEppkm7vgPQY2XsHoEkaMQ0AdZY=
-github.com/AzureAD/microsoft-authentication-library-for-go v1.0.0/go.mod h1:kgDmCTgBzIEPFElEF+FK0SdjAor06dRq2Go927dnQ6o=
+github.com/AzureAD/microsoft-authentication-library-for-go v1.2.0 h1:hVeq+yCyUi+MsoO/CU95yqCIcdzra5ovzk8Q2BBpV2M=
+github.com/AzureAD/microsoft-authentication-library-for-go v1.2.0/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
 github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
@@ -74,6 +74,8 @@ github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69
 github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
 github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=
 github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
+github.com/golang-jwt/jwt/v5 v5.0.0 h1:1n1XNM9hk7O9mnQoNBGolZvzebBQ7p93ULHRc28XJUE=
+github.com/golang-jwt/jwt/v5 v5.0.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/mock v1.6.0 h1:ErTB+efbowRARo13NNdxyJji2egdxLGQhRaY+DUumQc=

pkg/converter/convert.go

@@ -33,6 +33,8 @@ const (
 	argAuthorityHost      = "--authority-host"
 	argFederatedTokenFile = "--federated-token-file"
 	argTokenCacheDir      = "--token-cache-dir"
+	argIsPoPTokenEnabled  = "--pop-enabled"
+	argPoPTokenClaims     = "--pop-claims"
 
 	flagAzureConfigDir     = "azure-config-dir"
 	flagClientID           = "client-id"
@@ -51,6 +53,8 @@ const (
 	flagAuthorityHost      = "authority-host"
 	flagFederatedTokenFile = "federated-token-file"
 	flagTokenCacheDir      = "token-cache-dir"
+	flagIsPoPTokenEnabled  = "pop-enabled"
+	flagPoPTokenClaims     = "pop-claims"
 
 	execName        = "kubelogin"
 	getTokenCommand = "get-token"
@@ -64,7 +68,16 @@ To learn more, please go to https://azure.github.io/kubelogin/
 	azureConfigDir = "AZURE_CONFIG_DIR"
 )
 
-func getArgValues(o Options, authInfo *api.AuthInfo) (argServerIDVal, argClientIDVal, argEnvironmentVal, argTenantIDVal, argTokenCacheDirVal string, argIsLegacyConfigModeVal bool) {
+func getArgValues(o Options, authInfo *api.AuthInfo) (
+	argServerIDVal,
+	argClientIDVal,
+	argEnvironmentVal,
+	argTenantIDVal,
+	argTokenCacheDirVal,
+	argPoPTokenClaimsVal string,
+	argIsLegacyConfigModeVal,
+	argIsPoPTokenEnabledVal bool,
+) {
 	if authInfo == nil {
 		return
 	}
@@ -129,6 +142,20 @@ func getArgValues(o Options, authInfo *api.AuthInfo) (argServerIDVal, argClientI
 		argTokenCacheDirVal = getExecArg(authInfo, argTokenCacheDir)
 	}
 
+	if o.isSet(flagIsPoPTokenEnabled) {
+		argIsPoPTokenEnabledVal = o.TokenOptions.IsPoPTokenEnabled
+	} else {
+		if found := getExecBoolArg(authInfo, argIsPoPTokenEnabled); found {
+			argIsPoPTokenEnabledVal = true
+		}
+	}
+
+	if o.isSet(flagPoPTokenClaims) {
+		argPoPTokenClaimsVal = o.TokenOptions.PoPTokenClaims
+	} else {
+		argPoPTokenClaimsVal = getExecArg(authInfo, argPoPTokenClaims)
+	}
+
 	return
 }
 
@@ -198,7 +225,7 @@ func Convert(o Options, pathOptions *clientcmd.PathOptions) error {
 
 		klog.V(5).Info("converting...")
 
-		argServerIDVal, argClientIDVal, argEnvironmentVal, argTenantIDVal, argTokenCacheDirVal, isLegacyConfigMode := getArgValues(o, authInfo)
+		argServerIDVal, argClientIDVal, argEnvironmentVal, argTenantIDVal, argTokenCacheDirVal, argPoPTokenClaimsVal, isLegacyConfigMode, isPoPTokenEnabled := getArgValues(o, authInfo)
 		exec := &api.ExecConfig{
 			Command: execName,
 			Args: []string{
@@ -282,6 +309,12 @@ func Convert(o Options, pathOptions *clientcmd.PathOptions) error {
 				exec.Args = append(exec.Args, argEnvironment, argEnvironmentVal)
 			}
 
+			// PoP token flags are optional but must be provided together
+			exec.Args, err = validatePoPClaims(exec.Args, isPoPTokenEnabled, argPoPTokenClaims, argPoPTokenClaimsVal)
+			if err != nil {
+				return err
+			}
+
 		case token.ServicePrincipalLogin:
 
 			if argClientIDVal == "" {
@@ -317,6 +350,12 @@ func Convert(o Options, pathOptions *clientcmd.PathOptions) error {
 				exec.Args = append(exec.Args, argIsLegacy)
 			}
 
+			// PoP token flags are optional but must be provided together
+			exec.Args, err = validatePoPClaims(exec.Args, isPoPTokenEnabled, argPoPTokenClaims, argPoPTokenClaimsVal)
+			if err != nil {
+				return err
+			}
+
 		case token.MSILogin:
 
 			if o.isSet(flagClientID) {
@@ -420,3 +459,25 @@ func getExecBoolArg(authInfoPtr *api.AuthInfo, someArg string) bool {
 	}
 	return false
 }
+
+// If enabling PoP token support, users must provide both "--pop-enabled" and "--pop-claims" flags together.
+// If either is provided without the other, validation should throw an error, otherwise the get-token command
+// will fail under the hood.
+func validatePoPClaims(args []string, isPopTokenEnabled bool, popTokenClaimsFlag, popTokenClaimsVal string) ([]string, error) {
+	if isPopTokenEnabled && popTokenClaimsVal == "" {
+		// pop-enabled and pop-claims must be provided together
+		return args, fmt.Errorf("%s is required when specifying %s", argPoPTokenClaims, argIsPoPTokenEnabled)
+	}
+
+	if popTokenClaimsVal != "" && !isPopTokenEnabled {
+		// pop-enabled and pop-claims must be provided together
+		return args, fmt.Errorf("%s is required when specifying %s", argIsPoPTokenEnabled, argPoPTokenClaims)
+	}
+
+	if isPopTokenEnabled && popTokenClaimsVal != "" {
+		args = append(args, argIsPoPTokenEnabled)
+		args = append(args, popTokenClaimsFlag, popTokenClaimsVal)
+	}
+
+	return args, nil
+}

pkg/converter/convert_test.go

@@ -1186,6 +1186,117 @@ func TestConvert(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "with exec format kubeconfig, convert from devicecode to interactive with only pop-enabled specified, Convert should return error",
+			execArgItems: []string{
+				getTokenCommand,
+				argServerID, serverID,
+				argClientID, clientID,
+				argTenantID, tenantID,
+				argEnvironment, envName,
+				argLoginMethod, token.DeviceCodeLogin,
+				argIsPoPTokenEnabled,
+			},
+			overrideFlags: map[string]string{
+				flagLoginMethod: token.InteractiveLogin,
+			},
+			command:       execName,
+			expectedError: "--pop-claims is required when specifying --pop-enabled",
+		},
+		{
+			name: "with exec format kubeconfig, convert from devicecode to interactive with only pop-claims specified, Convert should return error",
+			execArgItems: []string{
+				getTokenCommand,
+				argServerID, serverID,
+				argClientID, clientID,
+				argTenantID, tenantID,
+				argEnvironment, envName,
+				argLoginMethod, token.DeviceCodeLogin,
+				argPoPTokenClaims, "u=testhost",
+			},
+			overrideFlags: map[string]string{
+				flagLoginMethod: token.InteractiveLogin,
+			},
+			command:       execName,
+			expectedError: "--pop-enabled is required when specifying --pop-claims",
+		},
+		{
+			name: "with exec format kubeconfig, convert from devicecode to interactive with pop-enabled and pop-claims",
+			execArgItems: []string{
+				getTokenCommand,
+				argServerID, serverID,
+				argClientID, clientID,
+				argTenantID, tenantID,
+				argEnvironment, envName,
+				argLoginMethod, token.DeviceCodeLogin,
+				argIsPoPTokenEnabled,
+				argPoPTokenClaims, "u=testhost, 1=2",
+			},
+			overrideFlags: map[string]string{
+				flagLoginMethod: token.InteractiveLogin,
+			},
+			expectedArgs: []string{
+				getTokenCommand,
+				argServerID, serverID,
+				argClientID, clientID,
+				argTenantID, tenantID,
+				argEnvironment, envName,
+				argLoginMethod, token.InteractiveLogin,
+				argIsPoPTokenEnabled,
+				argPoPTokenClaims, "u=testhost, 1=2",
+			},
+			command: execName,
+		},
+		{
+			name: "with exec format kubeconfig, convert from devicecode to spn with pop-enabled and pop-claims as flags",
+			execArgItems: []string{
+				getTokenCommand,
+				argServerID, serverID,
+				argClientID, clientID,
+				argTenantID, tenantID,
+				argEnvironment, envName,
+				argLoginMethod, token.DeviceCodeLogin,
+			},
+			overrideFlags: map[string]string{
+				flagLoginMethod:       token.ServicePrincipalLogin,
+				flagIsPoPTokenEnabled: "true",
+				flagPoPTokenClaims:    "u=testhost, 1=2",
+			},
+			expectedArgs: []string{
+				getTokenCommand,
+				argEnvironment, envName,
+				argServerID, serverID,
+				argTenantID, tenantID,
+				argClientID, clientID,
+				argLoginMethod, token.ServicePrincipalLogin,
+				argIsPoPTokenEnabled,
+				argPoPTokenClaims, "u=testhost, 1=2",
+			},
+			command: execName,
+		},
+		{
+			name: "with exec format kubeconfig, convert from azurecli to devicecode with pop-enabled and pop-claims, expect pop args to be ignored",
+			execArgItems: []string{
+				getTokenCommand,
+				argServerID, serverID,
+				argLoginMethod, token.AzureCLILogin,
+				argIsPoPTokenEnabled,
+				argPoPTokenClaims, "u=testhost, 1=2",
+			},
+			overrideFlags: map[string]string{
+				flagClientID:    clientID,
+				flagTenantID:    tenantID,
+				flagLoginMethod: token.DeviceCodeLogin,
+			},
+			expectedArgs: []string{
+				getTokenCommand,
+				argServerID, serverID,
+				argClientID, clientID,
+				argTenantID, tenantID,
+				argLoginMethod, token.DeviceCodeLogin,
+			},
+			command: execName,
+		},
 	}
 	rootTmpDir, err := os.MkdirTemp("", "kubelogin-test")
 	if err != nil {
@@ -1236,20 +1347,23 @@ func TestConvert(t *testing.T) {
 			err = Convert(o, &pathOptions)
 			if data.expectedError == "" && err != nil {
 				t.Fatalf("Unexpected error from Convert: %v", err)
-			} else if data.expectedError != "" && (err == nil || err.Error() != data.expectedError) {
-				t.Fatalf("Expected error: %q, but got: %q", data.expectedError, err)
-			}
-
-			if o.context != "" {
-				// when --context is specified, convert-kubeconfig will convert only the targeted context
-				// hence, we expect the second auth info not to change
-				validate(t, clusterName1, config.AuthInfos[clusterName1], data.authProviderConfig, data.expectedArgs, data.expectedExecName, data.expectedInstallHint, data.expectedEnv)
-				validateAuthInfoThatShouldNotChange(t, clusterName2, config.AuthInfos[clusterName2], data.authProviderConfig)
+			} else if data.expectedError != "" {
+				if err == nil || err.Error() != data.expectedError {
+					t.Fatalf("Expected error: %q, but got: %q", data.expectedError, err)
+				}
 			} else {
-				// when --context is not specified, convert-kubeconfig will convert every auth info in the kubeconfig
-				// hence, we expect the second auth info to be converted in the same way as the first one
-				validate(t, clusterName1, config.AuthInfos[clusterName1], data.authProviderConfig, data.expectedArgs, data.expectedExecName, data.expectedInstallHint, data.expectedEnv)
-				validate(t, clusterName2, config.AuthInfos[clusterName2], data.authProviderConfig, data.expectedArgs, data.expectedExecName, data.expectedInstallHint, data.expectedEnv)
+				// only need to validate fields if we're not expecting an error
+				if o.context != "" {
+					// when --context is specified, convert-kubeconfig will convert only the targeted context
+					// hence, we expect the second auth info not to change
+					validate(t, clusterName1, config.AuthInfos[clusterName1], data.authProviderConfig, data.expectedArgs, data.expectedExecName, data.expectedInstallHint, data.expectedEnv)
+					validateAuthInfoThatShouldNotChange(t, clusterName2, config.AuthInfos[clusterName2], data.authProviderConfig)
+				} else {
+					// when --context is not specified, convert-kubeconfig will convert every auth info in the kubeconfig
+					// hence, we expect the second auth info to be converted in the same way as the first one
+					validate(t, clusterName1, config.AuthInfos[clusterName1], data.authProviderConfig, data.expectedArgs, data.expectedExecName, data.expectedInstallHint, data.expectedEnv)
+					validate(t, clusterName2, config.AuthInfos[clusterName2], data.authProviderConfig, data.expectedArgs, data.expectedExecName, data.expectedInstallHint, data.expectedEnv)
+				}
 			}
 		})
 	}
@@ -1333,7 +1447,7 @@ func validate(
 		t.Fatalf("[context:%s]: expected exec command: %s, actual: %s", clusterName, expectedExecName, exec.Command)
 	}
 
-	// defautl to the kubelogin install hint
+	// default to the kubelogin install hint
 	if expectedInstallHint == "" {
 		expectedInstallHint = execInstallHint
 	}