Use ID token if auth type is OIDC (#41)

twz123 · hjacobs · commit 3efcdec51e83 · 2019-09-04T18:32:34.000+02:00
Simply use the ID token inside the Authentication header for the OIDC
case. This helps at least a bit when running locally as long as the ID
token is still valid.
diff --git a/pykube/http.py b/pykube/http.py
@@ -120,7 +120,11 @@ def send(self, request, **kwargs):
                         auth_config.get("expiry"),
                         config,
                     )
-            # @@@ support oidc
+            elif auth_provider.get("name") == "oidc":
+                auth_config = auth_provider.get("config", {})
+                # @@@ support token refresh
+                if "id-token" in auth_config:
+                    request.headers["Authorization"] = "Bearer {}".format(auth_config["id-token"])
         elif "client-certificate" in config.user:
             kwargs["cert"] = (
                 config.user["client-certificate"].filename(),
diff --git a/tests/test_config_with_oidc_auth.yaml b/tests/test_config_with_oidc_auth.yaml
@@ -0,0 +1,23 @@
+# TODO: Replace with a more realistic example
+current-context: thecluster
+clusters:
+    - name: thecluster
+      cluster: {}
+users:
+    - name: admin
+      user:
+        auth-provider:
+          config:
+            client-id: google
+            client-secret: s3cr3t
+            id-token: some-id-token
+            idp-issuer-url: https://accounts.google.com
+            refresh-token: some-refresh-token
+          name: oidc
+contexts:
+    - name: thecluster
+      context:
+        cluster: thecluster
+        user: admin
+    - name: second
+      context: secondcontext
diff --git a/tests/test_http.py b/tests/test_http.py
@@ -13,6 +13,7 @@
 
 GOOD_CONFIG_FILE_PATH = os.path.sep.join(["tests", "test_config_with_context.yaml"])
 CONFIG_WITH_INSECURE_SKIP_TLS_VERIFY = os.path.sep.join(["tests", "test_config_with_insecure_skip_tls_verify.yaml"])
+CONFIG_WITH_OIDC_AUTH = os.path.sep.join(["tests", "test_config_with_oidc_auth.yaml"])
 
 
 def test_http(monkeypatch):
@@ -62,3 +63,18 @@ def test_http_do_not_overwrite_auth(monkeypatch):
 
     mock_send.assert_called_once()
     assert mock_send.call_args[0][0].headers['Authorization'] == 'Bearer testtoken'
+
+
+def test_http_with_oidc_auth(monkeypatch):
+    cfg = KubeConfig.from_file(CONFIG_WITH_OIDC_AUTH)
+    api = HTTPClient(cfg)
+
+    mock_send = MagicMock()
+    mock_send.side_effect = Exception('MOCK HTTP')
+    monkeypatch.setattr('pykube.http.KubernetesHTTPAdapter._do_send', mock_send)
+
+    with pytest.raises(Exception):
+        api.get(url='test')
+
+    mock_send.assert_called_once()
+    assert mock_send.call_args[0][0].headers['Authorization'] == 'Bearer some-id-token'
