cyberark · tzheleznyak · Dec 28, 2021 · Dec 23, 2021
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,10 +8,13 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ### Added
 - Add support for tracing with OpenTelemetry. This adds a new function to the authenticator, `AuthenticateWithContext`. The existing funtion, `Authenticate()` is deprecated and will be removed in a future upddate. [cyberark/conjur-authn-k8s-client#423](https://github.com/cyberark/conjur-authn-k8s-client/pull/423)
+- Add support for Authn-JWT flow [cyberark/conjur-authn-k8s-client#426](https://github.com/cyberark/conjur-authn-k8s-client/pull/426)
 
 ### Changed
 - The project Golang version is updated from the end-of-life v1.15 to version v1.16. [cyberark/conjur-authn-k8s-client#416](https://github.com/cyberark/conjur-authn-k8s-client/pull/416)
 - Reduced default timeout for `waitForFile` from 1s to 50ms. [cyberark/conjur-authn-k8s-client#423](https://github.com/cyberark/conjur-authn-k8s-client/pull/423)
+- Instead of getting K8S config object now you get Config Interface using NewConfigFromEnv() and ConfigFromEnv() [cyberark/conjur-authn-k8s-client#425](https://github.com/cyberark/conjur-authn-k8s-client/pull/425)
+- Instead of getting K8S authenticator object now you get Authenticator Interface using NewAuthenticator() and NewAuthenticatorWithAccessToken() [cyberark/conjur-authn-k8s-client#425](https://github.com/cyberark/conjur-authn-k8s-client/pull/425)
 
 ## [0.22.0] - 2021-09-17
 ### Added

diff --git a/pkg/authenticator/authenticator.go b/pkg/authenticator/authenticator.go
@@ -2,9 +2,11 @@ package authenticator
 
 import (
 	"context"
+	"github.com/cyberark/conjur-authn-k8s-client/pkg/access_token"
 )
 
 type Authenticator interface {
 	Authenticate() error
 	AuthenticateWithContext(ctx context.Context) error
+	GetAccessToken() access_token.AccessToken
 }
diff --git a/pkg/authenticator/authenticator_factory.go b/pkg/authenticator/authenticator_factory.go
@@ -5,6 +5,7 @@ import (
 	"github.com/cyberark/conjur-authn-k8s-client/pkg/access_token"
 	"github.com/cyberark/conjur-authn-k8s-client/pkg/access_token/file"
 	"github.com/cyberark/conjur-authn-k8s-client/pkg/authenticator/config"
+	jwtAuthenticator "github.com/cyberark/conjur-authn-k8s-client/pkg/authenticator/jwt"
 	k8sAuthenticator "github.com/cyberark/conjur-authn-k8s-client/pkg/authenticator/k8s"
 	"github.com/cyberark/conjur-authn-k8s-client/pkg/log"
 )
@@ -25,9 +26,12 @@ func NewAuthenticatorWithAccessToken(conf config.Configuration, token access_tok
 }
 
 func getAuthenticator(conf config.Configuration, token access_token.AccessToken) (Authenticator, error) {
-	if conf.GetAuthenticationType() == k8sAuthenticator.AuthnType {
-		k8sCfg := (conf).(*k8sAuthenticator.Config)
-		return k8sAuthenticator.NewWithAccessToken(*k8sCfg, token)
+	switch c := conf.(type) {
+	case *k8sAuthenticator.Config:
+		return k8sAuthenticator.NewWithAccessToken(*c, token)
+	case *jwtAuthenticator.Config:
+		return jwtAuthenticator.NewWithAccessToken(*c, token)
+	default:
+		return nil, fmt.Errorf(log.CAKC064)
 	}
-	return nil, fmt.Errorf(log.CAKC064)
 }
diff --git a/...or/k8s/tests/authenticator_test_server.go → ...cator/common/authenticator_test_server.go b/...or/k8s/tests/authenticator_test_server.go → ...cator/common/authenticator_test_server.go
@@ -1,4 +1,4 @@
-package tests
+package common
 
 import (
 	"crypto/rand"

diff --git a/pkg/authenticator/common/common_config.go b/pkg/authenticator/common/common_config.go
@@ -27,8 +27,12 @@ func (config *Config) LoadConfig(settings map[string]string) {
 		case "CONJUR_ACCOUNT":
 			config.Account = value
 		case "CONJUR_AUTHN_LOGIN":
-			username, _ := NewUsername(value)
-			config.Username = username
+			if len(value) == 0 {
+				config.Username = nil
+			} else {
+				username, _ := NewUsername(value)
+				config.Username = username
+			}
 		case "CONJUR_AUTHN_URL":
 			config.URL = value
 		case "CONJUR_SSL_CERTIFICATE":

diff --git a/pkg/authenticator/common/validations.go b/pkg/authenticator/common/validations.go
@@ -3,6 +3,8 @@ package common
 import (
 	"errors"
 	"fmt"
+	"io/ioutil"
+	"os"
 	"strconv"
 
 	"github.com/cyberark/conjur-authn-k8s-client/pkg/log"
@@ -25,6 +27,9 @@ func validInt(key, value string) error {
 }
 
 func validUsername(key, value string) error {
+	if len(value) == 0 {
+		return nil
+	}
 	_, err := NewUsername(value)
 	return err
 }
@@ -53,6 +58,8 @@ func ValidateSetting(key string, value string) error {
 		return validTimeout(key, value)
 	case "CONJUR_VERSION":
 		return validConjurVersion(key, value)
+	case "JWT_TOKEN_PATH":
+		return validatePath(value)
 	default:
 		return nil
 	}
@@ -70,3 +77,19 @@ func ReadSSLCert(settings map[string]string, readFile ReadFileFunc) ([]byte, err
 	}
 	return readFile(SSLCertPath)
 }
+
+func validatePath(path string) error {
+	// Check if file already exists
+	if _, err := os.Stat(path); err == nil {
+		return nil
+	}
+
+	// Attempt to create the file and delete it right after
+	var emptyData []byte
+	if err := ioutil.WriteFile(path, emptyData, 0644); err == nil {
+		os.Remove(path) // And delete it
+		return nil
+	}
+
+	return fmt.Errorf(log.CAKC065, path)
+}
diff --git a/pkg/authenticator/config/configuration_factory.go b/pkg/authenticator/config/configuration_factory.go
@@ -8,6 +8,7 @@ import (
 	"os"
 	"strings"
 
+	jwtAuthenticator "github.com/cyberark/conjur-authn-k8s-client/pkg/authenticator/jwt"
 	k8sAuthenticator "github.com/cyberark/conjur-authn-k8s-client/pkg/authenticator/k8s"
 	"github.com/cyberark/conjur-authn-k8s-client/pkg/log"
 )
@@ -24,6 +25,8 @@ func NewConfigFromEnv() (Configuration, error) {
 
 // ConfigFromEnv returns a new authenticator configuration object
 func ConfigFromEnv(readFileFunc common.ReadFileFunc) (Configuration, error) {
+	configureLogLevel(os.Getenv("DEBUG"))
+
 	authnUrl := os.Getenv(authnURLVarName)
 	conf, error := getConfiguration(authnUrl)
 	if error != nil {
@@ -42,10 +45,14 @@ func ConfigFromEnv(readFileFunc common.ReadFileFunc) (Configuration, error) {
 }
 
 func getConfiguration(url string) (Configuration, error) {
-	if strings.Contains(url, k8sAuthenticator.AuthnType) {
+	switch {
+	case strings.Contains(url, k8sAuthenticator.AuthnType):
 		return &k8sAuthenticator.Config{}, nil
+	case strings.Contains(url, jwtAuthenticator.AuthnType):
+		return &jwtAuthenticator.Config{}, nil
+	default:
+		return nil, fmt.Errorf(log.CAKC063, url)
 	}
-	return nil, fmt.Errorf(log.CAKC063, url)
 }
 
 // GatherSettings retrieves authenticator client configuration settings from a slice
@@ -121,3 +128,18 @@ func getConfigVariable(getters ...func(key string) string) func(string) string {
 		return ""
 	}
 }
+
+func configureLogLevel(level string) {
+	validVal := "true"
+
+	switch level {
+	case validVal:
+		log.EnableDebugMode()
+	case "":
+		// Log level not configured
+		break
+	default:
+		// Log level is configured but it's invalid
+		log.Warn(log.CAKC034, level, validVal)
+	}
+}
diff --git a/pkg/authenticator/config/validate_test.go b/pkg/authenticator/config/validate_test.go
@@ -18,12 +18,12 @@ func TestValidate(t *testing.T) {
 		assert      errorAssertFunc
 	}{
 		{
-			description: "happy path",
+			description: "happy path - k8s",
 			settings: AuthnSettings{
 				// required variables
-				"CONJUR_AUTHN_URL":   "filepath",
+				"CONJUR_AUTHN_URL":   "authn-k8s",
 				"CONJUR_ACCOUNT":     "testAccount",
-				"CONJUR_AUTHN_LOGIN": "host",
+				"CONJUR_AUTHN_LOGIN": "host/myapp",
 				"MY_POD_NAME":        "testPodName",
 				"MY_POD_NAMESPACE":   "testNameSpace",
 				// correct value types
@@ -37,15 +37,49 @@ func TestValidate(t *testing.T) {
 			},
 			assert: assertEmptyErrorList(),
 		},
+		{
+			description: "happy path - jwt",
+			settings: AuthnSettings{
+				// required variables
+				"CONJUR_AUTHN_URL": "authn-jwt",
+				"CONJUR_ACCOUNT":   "testAccount",
+				"JWT_TOKEN_PATH":   "/tmp/token",
+				// correct value types
+				"CONJUR_CLIENT_CERT_RETRY_COUNT_LIMIT": "7",
+				"CONJUR_TOKEN_TIMEOUT":                 "6m0s",
+				"CONTAINER_MODE":                       "init",
+				// certificate provided
+				"CONJUR_SSL_CERTIFICATE": "samplecertificate",
+			},
+			assert: assertEmptyErrorList(),
+		},
+		{
+			description: "invalid jwt token path",
+			settings: AuthnSettings{
+				// required variables
+				"CONJUR_AUTHN_URL": "authn-jwt",
+				"CONJUR_ACCOUNT":   "testAccount",
+				// correct value types
+				"CONJUR_CLIENT_CERT_RETRY_COUNT_LIMIT": "7",
+				"CONJUR_TOKEN_TIMEOUT":                 "6m0s",
+				"CONTAINER_MODE":                       "init",
+				// certificate provided
+				"CONJUR_SSL_CERTIFICATE": "samplecertificate",
+				"JWT_TOKEN_PATH":         "invalid//path",
+			},
+			assert: assertErrorInList(fmt.Errorf(logger.CAKC065, "invalid//path")),
+		},
 		{
 			description: "error raised for missing required setting",
-			settings:    AuthnSettings{},
-			assert:      assertErrorInList(fmt.Errorf(logger.CAKC062, "CONJUR_AUTHN_URL")),
+			settings: AuthnSettings{
+				"CONJUR_AUTHN_URL": "authn-jwt",
+			},
+			assert: assertErrorInList(fmt.Errorf(logger.CAKC062, "CONJUR_ACCOUNT")),
 		},
 		{
 			description: "error raised for invalid username",
 			settings: AuthnSettings{
-				"CONJUR_AUTHN_URL":   "filepath",
+				"CONJUR_AUTHN_URL":   "authn-k8s",
 				"CONJUR_ACCOUNT":     "testAccount",
 				"CONJUR_AUTHN_LOGIN": "bad-username",
 				"MY_POD_NAME":        "testPodName",
@@ -56,7 +90,7 @@ func TestValidate(t *testing.T) {
 		{
 			description: "error raised for invalid retry count limit",
 			settings: AuthnSettings{
-				"CONJUR_AUTHN_URL":                     "filepath",
+				"CONJUR_AUTHN_URL":                     "authn-k8s",
 				"CONJUR_ACCOUNT":                       "testAccount",
 				"CONJUR_AUTHN_LOGIN":                   "host",
 				"MY_POD_NAME":                          "testPodName",
@@ -68,7 +102,7 @@ func TestValidate(t *testing.T) {
 		{
 			description: "error raised for invalid timeout",
 			settings: AuthnSettings{
-				"CONJUR_AUTHN_URL":                     "filepath",
+				"CONJUR_AUTHN_URL":                     "authn-k8s",
 				"CONJUR_ACCOUNT":                       "testAccount",
 				"CONJUR_AUTHN_LOGIN":                   "host",
 				"MY_POD_NAME":                          "testPodName",
@@ -81,7 +115,7 @@ func TestValidate(t *testing.T) {
 		{
 			description: "error raised for invalid certificate",
 			settings: AuthnSettings{
-				"CONJUR_AUTHN_URL":                     "filepath",
+				"CONJUR_AUTHN_URL":                     "authn-k8s",
 				"CONJUR_ACCOUNT":                       "testAccount",
 				"CONJUR_AUTHN_LOGIN":                   "host",
 				"MY_POD_NAME":                          "testPodName",
@@ -99,7 +133,8 @@ func TestValidate(t *testing.T) {
 	for _, tc := range TestCases {
 		t.Run(tc.description, func(t *testing.T) {
 			// SETUP & EXERCISE
-			errLogs := tc.settings.validate(&k8s.Config{}, successfulMockReadFile)
+			configObj, _ := getConfiguration(tc.settings["CONJUR_AUTHN_URL"])
+			errLogs := tc.settings.validate(configObj, successfulMockReadFile)
 
 			// ASSERT
 			tc.assert(t, errLogs)