feat: add oidc authentication

Author: michael12312

docs/book/src/commands/use_oidc.md

@@ -67,6 +67,7 @@ kconnect use oidc [flags]
       --oidc-use-pkce string        if use pkce
       --password string             The password to use for authentication
       --set-current                 Sets the current context in the kubeconfig to the selected cluster (default true)
+      --skip-ssl string             flag to skip ssl for calling config url
       --username string             The username used for authentication
 ```
 
@@ -94,6 +95,7 @@ Use `--idp-protocol=oidc`
       --oidc-client-secret string   oidc client secret
       --oidc-server string          oidc server url
       --oidc-use-pkce string        if use pkce
+      --skip-ssl string             flag to skip ssl for calling config url
 ```
 
 ### SEE ALSO

pkg/oidc/config.go

@@ -17,7 +17,10 @@ limitations under the License.
 package oidc
 
 import (
+	"fmt"
+
 	"github.com/fidelity/kconnect/pkg/config"
+	"github.com/fidelity/kconnect/pkg/prompt"
 )
 
 const (
@@ -39,6 +42,8 @@ const (
 	ConfigUrlConfigDescription   = "configuration endpoint"
 	CaCertConfigItem             = "ca-cert"
 	CaCertConfigDescription      = "ca cert for configuration url"
+	SkipTlsVerifyConfigItem      = "skip-ssl"
+	SkipTlsVerifyDescription     = "flag to skip ssl for calling config url"
 )
 
 // SharedConfig will return shared configuration items for OIDC based cluster and identity providers
@@ -52,6 +57,15 @@ func SharedConfig() config.ConfigurationSet {
 	cs.String(ClusterAuthConfigItem, "", ClusterAuthConfigDescription) //nolint: errcheck
 	cs.String(ConfigUrlConfigItem, "", ConfigUrlConfigDescription)     //nolint: errcheck
 	cs.String(CaCertConfigItem, "", CaCertConfigDescription)           //nolint: errcheck
+	cs.String(SkipTlsVerifyConfigItem, "", SkipTlsVerifyDescription)   //nolint: errcheck
 
 	return cs
 }
+
+func ReadUserInput(key string, msg string) (string, error) {
+	userInput, err := prompt.Input(key, msg, false)
+	if userInput == "" || err != nil {
+		return userInput, fmt.Errorf("error reading input for %s", key)
+	}
+	return userInput, nil
+}

pkg/plugins/discovery/oidc/config.go

@@ -59,7 +59,7 @@ func (p *oidcClusterProvider) GetConfig(ctx context.Context, input *discovery.Ge
 	args := []string{
 		"oidc-login",
 		"get-token",
-		"--oidc-issuer-url=oidc-server",
+		"--oidc-issuer-url=" + oidcID.OidcServer,
 		"--oidc-client-id=" + oidcID.OidcId,
 	}
 

pkg/plugins/discovery/oidc/provider.go

@@ -22,12 +22,12 @@ import (
 
 	"github.com/fidelity/kconnect/pkg/config"
 	"github.com/fidelity/kconnect/pkg/oidc"
-	"github.com/fidelity/kconnect/pkg/prompt"
 	"github.com/fidelity/kconnect/pkg/provider"
 	"github.com/fidelity/kconnect/pkg/provider/common"
 	"github.com/fidelity/kconnect/pkg/provider/discovery"
 	"github.com/fidelity/kconnect/pkg/provider/identity"
 	"github.com/fidelity/kconnect/pkg/provider/registry"
+	"github.com/fidelity/kconnect/pkg/utils"
 	"go.uber.org/zap"
 )
 
@@ -123,48 +123,24 @@ func (p *oidcClusterProvider) logParameters() {
 // For required parameter, if not exists in default config file or config url, read user input.
 func (p *oidcClusterProvider) readRequiredFields() error {
 
-	if p.identity.OidcId == "" {
-		value, err := readUserInput(oidc.OidcIdConfigItem, oidc.OidcIdConfigDescription)
-		if err != nil {
-			return err
-		}
-		p.identity.OidcId = value
-	}
-
-	if p.identity.OidcServer == "" {
-		value, err := readUserInput(oidc.OidcServerConfigItem, oidc.OidcServerConfigDescription)
-		if err != nil {
-			return err
-		}
-		p.identity.OidcServer = value
-	}
-
-	if p.identity.UsePkce != True && p.identity.OidcSecret == "" {
-		value, err := readUserInput(oidc.OidcSecretConfigItem, oidc.OidcSecretConfigDescription)
-		if err != nil {
-			return err
-		}
-		p.identity.OidcSecret = value
-	}
-
 	if p.config.ClusterUrl == "" {
-		value, err := readUserInput(oidc.ClusterUrlConfigItem, oidc.ClusterUrlConfigDescription)
+		value, err := oidc.ReadUserInput(oidc.ClusterUrlConfigItem, oidc.ClusterUrlConfigDescription)
 		if err != nil {
 			return err
 		}
 		p.config.ClusterUrl = value
 	}
 
 	if p.config.ClusterAuth == "" {
-		value, err := readUserInput(oidc.ClusterAuthConfigItem, oidc.ClusterAuthConfigDescription)
+		value, err := oidc.ReadUserInput(oidc.ClusterAuthConfigItem, oidc.ClusterAuthConfigDescription)
 		if err != nil {
 			return err
 		}
 		p.config.ClusterAuth = value
 	}
 
 	if *p.config.ClusterID == "" {
-		value, err := readUserInput(oidc.ClusterIdConfigItem, oidc.ClusterIdConfigDescription)
+		value, err := oidc.ReadUserInput(oidc.ClusterIdConfigItem, oidc.ClusterIdConfigDescription)
 		if err != nil {
 			return err
 		}
@@ -175,20 +151,12 @@ func (p *oidcClusterProvider) readRequiredFields() error {
 
 }
 
-func readUserInput(key string, msg string) (string, error) {
-	userInput, err := prompt.Input(key, msg, false)
-	if userInput == "" || err != nil {
-		return userInput, fmt.Errorf("error reading input for %s", key)
-	}
-	return userInput, nil
-}
-
 func (p *oidcClusterProvider) ListPreReqs() []*provider.PreReq {
 	return []*provider.PreReq{}
 }
 
 func (p *oidcClusterProvider) CheckPreReqs() error {
-	return nil
+	return utils.CheckKubectlOidcLoginPrereq()
 }
 
 // ConfigurationItems returns the configuration items for this provider

pkg/plugins/identity/oidc/provider.go

@@ -22,6 +22,7 @@ import (
 	"log"
 	"net/http"
 	"os"
+	"os/exec"
 	"strings"
 
 	"go.uber.org/zap"
@@ -38,6 +39,7 @@ import (
 
 const (
 	ProviderName = "oidc"
+	True         = "true"
 )
 
 func init() {
@@ -95,11 +97,74 @@ func (p *oidcIdentityProvider) Authenticate(ctx context.Context, input *identity
 		UsePkce:    cfg.UsePkce,
 	}
 
+	ids, err := p.readRequiredFields(*id)
+	if err != nil {
+		return nil, err
+	}
+
+	if err = executeOidcLogin(ids); err != nil {
+		return nil, err
+	}
+
 	return &identity.AuthenticateOutput{
-		Identity: id,
+		Identity: &ids,
 	}, nil
 }
 
+func executeOidcLogin(id oidc.Identity) error {
+
+	args := []string{
+		"oidc-login",
+		"get-token",
+		"--oidc-issuer-url=" + id.OidcServer,
+		"--oidc-client-id=" + id.OidcId,
+	}
+
+	if id.UsePkce == True {
+		args = append(args, "--oidc-use-pkce")
+	} else {
+		args = append(args, "--oidc-client-secret="+id.OidcSecret)
+	}
+	args = append(args, "--insecure-skip-tls-verify")
+
+	cmd := exec.Command("kubectl", args...)
+	_, err := cmd.Output()
+	if err != nil {
+		return fmt.Errorf("error executing kubectl oidc-login: %w", err)
+	}
+	return nil
+}
+
+func (p *oidcIdentityProvider) readRequiredFields(id oidc.Identity) (oidc.Identity, error) {
+
+	if id.OidcId == "" {
+		value, err := oidc.ReadUserInput(oidc.OidcIdConfigItem, oidc.OidcIdConfigDescription)
+		if err != nil {
+			return id, err
+		}
+		id.OidcId = value
+	}
+
+	if id.OidcServer == "" {
+		value, err := oidc.ReadUserInput(oidc.OidcServerConfigItem, oidc.OidcServerConfigDescription)
+		if err != nil {
+			return id, err
+		}
+		id.OidcServer = value
+	}
+
+	if id.UsePkce != True && id.OidcSecret == "" {
+		value, err := oidc.ReadUserInput(oidc.OidcSecretConfigItem, oidc.OidcSecretConfigDescription)
+		if err != nil {
+			return id, err
+		}
+		id.OidcSecret = value
+	}
+
+	return id, nil
+
+}
+
 func (p *oidcIdentityProvider) getConfigFromUrl(configSet config.ConfigurationSet) {
 	if configSet.Get("config-url") != nil {
 		config := configSet.Get("config-url").Value
@@ -113,13 +178,32 @@ func (p *oidcIdentityProvider) getConfigFromUrl(configSet config.ConfigurationSe
 }
 
 func readConfigs(p *oidcIdentityProvider, configSet config.ConfigurationSet, configValue string) {
-	if configSet.Get("ca-cert") != nil {
-		caCert := configSet.Get("ca-cert").Value
-		if caCert != nil {
-			SetTransport(caCert.(string))
+	skipSsl := false
+	if configSet.Get("skip-ssl") != nil {
+		skip := configSet.Get("skip-ssl").Value
+		if skip != nil {
+			if skip.(string) == True {
+				skipSsl = true
+			}
 		}
-	} else {
+	}
+	if skipSsl {
 		SetTransport("")
+	} else {
+		readCa := false
+		if configSet.Get("ca-cert") != nil {
+			caCert := configSet.Get("ca-cert").Value
+			if caCert != nil {
+				if caCert.(string) != "" {
+					readCa = true
+					SetTransport(caCert.(string))
+				}
+			}
+		}
+		if !readCa {
+			p.logger.Errorf("CA cert is required to call the config url.")
+			return
+		}
 	}
 	kclient := khttp.NewHTTPClient()
 	res, err := kclient.Get(configValue, nil)

pkg/utils/prerequisites.go

@@ -73,3 +73,13 @@ func CheckKubeloginPrereq() error {
 	}
 	return nil
 }
+
+func CheckKubectlOidcLoginPrereq() error {
+
+	cmd := exec.Command("kubectl", "oidc-login", "version")
+	_, err := cmd.Output()
+	if err != nil {
+		return fmt.Errorf("error finding kubectl oidc-login: %w", err)
+	}
+	return nil
+}