Diffstat (limited to 'vendor/gems/kubeclient/lib/kubeclient/oidc_auth_provider.rb')
-rw-r--r--vendor/gems/kubeclient/lib/kubeclient/oidc_auth_provider.rb52
1 files changed, 52 insertions, 0 deletions
diff --git a/vendor/gems/kubeclient/lib/kubeclient/oidc_auth_provider.rb b/vendor/gems/kubeclient/lib/kubeclient/oidc_auth_provider.rb
new file mode 100644
index 00000000000..ffdfd7e2a5d
--- /dev/null
+++ b/vendor/gems/kubeclient/lib/kubeclient/oidc_auth_provider.rb
@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+module Kubeclient
+ # Uses OIDC id-tokens and refreshes them if they are stale.
+ class OIDCAuthProvider
+ class OpenIDConnectDependencyError < LoadError # rubocop:disable Lint/InheritException
+ end
+
+ class << self
+ def token(provider_config)
+ begin
+ require 'openid_connect'
+ rescue LoadError => e
+ raise OpenIDConnectDependencyError,
+ 'Error requiring openid_connect gem. Kubeclient itself does not include the ' \
+ 'openid_connect gem. To support auth-provider oidc, you must include it in your ' \
+ "calling application. Failed with: #{e.message}"
+ end
+
+ issuer_url = provider_config['idp-issuer-url']
+ discovery = OpenIDConnect::Discovery::Provider::Config.discover! issuer_url
+
+ if provider_config.key? 'id-token'
+ return provider_config['id-token'] unless expired?(provider_config['id-token'], discovery)
+ end
+
+ client = OpenIDConnect::Client.new(
+ identifier: provider_config['client-id'],
+ secret: provider_config['client-secret'],
+ authorization_endpoint: discovery.authorization_endpoint,
+ token_endpoint: discovery.token_endpoint,
+ userinfo_endpoint: discovery.userinfo_endpoint
+ )
+ client.refresh_token = provider_config['refresh-token']
+ client.access_token!.id_token
+ end
+
+ def expired?(id_token, discovery)
+ decoded_token = OpenIDConnect::ResponseObject::IdToken.decode(
+ id_token,
+ discovery.jwks
+ )
+ # If token expired or expiring within 60 seconds
+ Time.now.to_i + 60 > decoded_token.exp.to_i
+ rescue JSON::JWK::Set::KidNotFound
+ # Token cannot be verified: the kid it was signed with is not available for discovery
+ # Consider it expired and fetch a new one.
+ true
+ end
+ end
+ end
+end
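Review bot: The refreshed id_token obtained on the last line of `token` is never stored, so once the configured `id-token` has gone stale every call re-runs `discover!` (an HTTP round-trip) and a full refresh-token exchange at the token endpoint. If mutating the caller's hash is acceptable, writing it back, `provider_config['id-token'] = client.access_token!.id_token`, before returning would make the `expired?` fast path effective; otherwise memoize the token on the provider. Note also that `expired?` only rescues `JSON::JWK::Set::KidNotFound`; a malformed or badly signed `id-token` makes `decode` raise out of `token`, which is a reasonable fail-loud choice but deserves a comment such as `# Any other decode/verification failure propagates to the caller.`. The 60-second leeway in `Time.now.to_i + 60` would read better as a named constant, e.g. `EXPIRY_LEEWAY_SECONDS = 60`, and `expired?` could sit under `private` or `private_class_method` since it is only an implementation detail of `token`.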