fabric8io · manusa · Apr 9, 2024 · Mar 19, 2024
@@ -4,6 +4,7 @@
 
 #### Bugs
 * Fix #5853: [java-generator] Gracefully handle colliding enum definitions
+* Fix #5817: NPE on EKS OIDC cluster when token needs to be refreshed
 
 #### Improvements
 

@@ -29,6 +29,8 @@
 
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
+import java.nio.file.Paths;
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
 import java.security.UnrecoverableKeyException;
@@ -89,7 +91,7 @@ public static CompletableFuture<String> resolveOIDCTokenFromAuthConfig(Config cu
     String clientId = currentAuthProviderConfig.get(CLIENT_ID_KUBECONFIG);
     String refreshToken = currentAuthProviderConfig.get(REFRESH_TOKEN_KUBECONFIG);
     String clientSecret = currentAuthProviderConfig.getOrDefault(CLIENT_SECRET_KUBECONFIG, "");
-    String idpCert = currentAuthProviderConfig.getOrDefault(IDP_CERT_DATA, currentConfig.getCaCertData());
+    String idpCert = currentAuthProviderConfig.getOrDefault(IDP_CERT_DATA, getClientCertDataFromConfig(currentConfig));
     if (isTokenRefreshSupported(currentAuthProviderConfig)) {
       return getOIDCProviderTokenEndpointAndRefreshToken(issuer, clientId, refreshToken, clientSecret, idpCert, clientBuilder)
           .thenApply(map -> {
@@ -352,4 +354,18 @@ private static boolean isValidJwt(String token) {
     }
     return false;
   }
+
+  private static String getClientCertDataFromConfig(Config config) {
+    if (config.getCaCertData() != null && !config.getCaCertData().isEmpty()) {
+      return config.getCaCertData();
+    }
+    try {
+      if (config.getCaCertFile() != null) {
+        return java.util.Base64.getEncoder().encodeToString(Files.readAllBytes(Paths.get(config.getCaCertFile())));
+      }
+    } catch (IOException e) {
+      LOGGER.debug("Failure in reading certificate data from {}", config.getCaCertFile());
+    }
+    return null;
+  }
 }
@@ -24,6 +24,7 @@
 import io.fabric8.kubernetes.client.internal.KubeConfigUtils;
 import io.fabric8.kubernetes.client.internal.SSLUtils;
 import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.io.TempDir;
 import org.mockito.MockedStatic;
 import org.mockito.Mockito;
 
@@ -229,6 +230,34 @@ void resolveOIDCTokenFromAuthConfig_whenIDPCertNotPresentInAuthConfig_thenUseCer
     }
   }
 
+  @Test
+  void resolveOIDCTokenFromAuthConfig_whenIDPCertNotPresentInAuthConfig_thenUseCertFileFromConfig(@TempDir File temporaryFolder)
+      throws Exception {
+    try (MockedStatic<SSLUtils> sslUtilsMockedStatic = mockStatic(SSLUtils.class)) {
+      // Given
+      File caCertFile = new File(temporaryFolder, "ca.crt");
+      Files.write(caCertFile.toPath(), "cert".getBytes(StandardCharsets.UTF_8));
+      Map<String, String> currentAuthProviderConfig = new HashMap<>();
+      currentAuthProviderConfig.put(CLIENT_ID_KUBECONFIG, "client-id");
+      currentAuthProviderConfig.put(CLIENT_SECRET_KUBECONFIG, "client-secret");
+      currentAuthProviderConfig.put(ID_TOKEN_KUBECONFIG, "id-token");
+      currentAuthProviderConfig.put(REFRESH_TOKEN_KUBECONFIG, "refresh-token");
+      currentAuthProviderConfig.put(ISSUER_KUBECONFIG, "https://iam.cloud.example.com/identity");
+      Config config = new ConfigBuilder(Config.empty()).withCaCertFile(caCertFile.getAbsolutePath()).build();
+      HttpClient.Builder builder = mock(HttpClient.Builder.class);
+      HttpClient httpClient = mock(HttpClient.class, RETURNS_DEEP_STUBS);
+      when(builder.build()).thenReturn(httpClient);
+
+      // When
+      OpenIDConnectionUtils.resolveOIDCTokenFromAuthConfig(config, currentAuthProviderConfig, builder).get();
+
+      // Then
+      sslUtilsMockedStatic.verify(() -> SSLUtils.trustManagers(eq("cert"), isNull(), anyBoolean(), isNull(), isNull()));
+      sslUtilsMockedStatic.verify(
+          () -> SSLUtils.keyManagers(eq("cert"), isNull(), isNull(), isNull(), isNull(), isNull(), isNull(), isNull()));
+    }
+  }
+
   @Test
   void testgetParametersFromDiscoveryResponse() {
     // Given