Add OIDC TokenProvider (#3618)

* Update fabric8 kubernetes dependency * Add TokenProvider * Fix possible nullpointerexception
knative-extensions · Jan 24, 2024 · f5c8332 · f5c8332
1 parent e2bd457
commit f5c8332
Show file tree

Hide file tree

Showing 5 changed files with 99 additions and 8 deletions.
diff --git a/data-plane/THIRD-PARTY.txt b/data-plane/THIRD-PARTY.txt
@@ -47,9 +47,9 @@ Lists of 230 third-party dependencies.
      (Apache Software License 2.0) Debezium API (io.debezium:debezium-api:1.9.6.Final - https://debezium.io/debezium-parent/debezium-api)
      (Apache Software License 2.0) Debezium Core (io.debezium:debezium-core:1.9.6.Final - https://debezium.io/debezium-parent/debezium-core)
      (Apache License 2.0) Metrics Core (io.dropwizard.metrics:metrics-core:4.1.12.1 - https://metrics.dropwizard.io/metrics-core)
-     (Apache License, Version 2.0) Fabric8 :: Kubernetes :: Java Client (io.fabric8:kubernetes-client:6.7.2 - http://fabric8.io/kubernetes-client/)
-     (Apache License, Version 2.0) Fabric8 :: Kubernetes :: Java Client API (io.fabric8:kubernetes-client-api:6.7.2 - http://fabric8.io/kubernetes-client-api/)
-     (Apache License, Version 2.0) Fabric8 :: Kubernetes :: HttpClient :: JDK (io.fabric8:kubernetes-httpclient-jdk:6.7.2 - http://fabric8.io/kubernetes-httpclient-jdk/)
+     (Apache License, Version 2.0) Fabric8 :: Kubernetes :: Java Client (io.fabric8:kubernetes-client:6.10.0 - https://github.com/fabric8io/kubernetes-client/kubernetes-client)
+     (Apache License, Version 2.0) Fabric8 :: Kubernetes :: Java Client API (io.fabric8:kubernetes-client-api:6.10.0 - https://github.com/fabric8io/kubernetes-client/kubernetes-client-api)
+     (Apache License, Version 2.0) Fabric8 :: Kubernetes :: HttpClient :: JDK (io.fabric8:kubernetes-httpclient-jdk:6.10.0 - https://github.com/fabric8io/kubernetes-client/kubernetes-httpclient-jdk)
      (Apache License, Version 2.0) Fabric8 :: Kubernetes Model :: Admission Registration, Authentication and Authorization (io.fabric8:kubernetes-model-admissionregistration:6.7.2 - http://fabric8.io/kubernetes-model-generator/kubernetes-model-admissionregistration/)
      (Apache License, Version 2.0) Fabric8 :: Kubernetes Model :: API Extensions (io.fabric8:kubernetes-model-apiextensions:6.7.2 - http://fabric8.io/kubernetes-model-generator/kubernetes-model-apiextensions/)
      (Apache License, Version 2.0) Fabric8 :: Kubernetes Model :: Apps (io.fabric8:kubernetes-model-apps:6.7.2 - http://fabric8.io/kubernetes-model-generator/kubernetes-model-apps/)
@@ -72,8 +72,8 @@ Lists of 230 third-party dependencies.
      (Apache License, Version 2.0) Fabric8 :: Kubernetes Model :: Resource (io.fabric8:kubernetes-model-resource:6.7.2 - http://fabric8.io/kubernetes-model-generator/kubernetes-model-resource/)
      (Apache License, Version 2.0) Fabric8 :: Kubernetes Model :: Scheduling (io.fabric8:kubernetes-model-scheduling:6.7.2 - http://fabric8.io/kubernetes-model-generator/kubernetes-model-scheduling/)
      (Apache License, Version 2.0) Fabric8 :: Kubernetes Model :: Storage Class (io.fabric8:kubernetes-model-storageclass:6.7.2 - http://fabric8.io/kubernetes-model-generator/kubernetes-model-storageclass/)
-     (Apache License, Version 2.0) Fabric8 :: Kubernetes :: JUnit :: Server Mock (io.fabric8:kubernetes-server-mock:6.7.2 - http://fabric8.io/junit/kubernetes-server-mock/)
-     (Apache License, Version 2.0) Fabric8 :: Mock Web Server (io.fabric8:mockwebserver:0.2.2 - http://fabric8.io/)
+     (Apache License, Version 2.0) Fabric8 :: Kubernetes :: JUnit :: Server Mock (io.fabric8:kubernetes-server-mock:6.10.0 - https://github.com/fabric8io/kubernetes-client/junit/kubernetes-server-mock)
+     (Apache License, Version 2.0) Fabric8 :: Mock Web Server (io.fabric8:mockwebserver:6.10.0 - https://github.com/fabric8io/kubernetes-client/junit/mockwebserver)
      (Apache License, Version 2.0) Fabric8 :: Service Catalog :: Client (io.fabric8:servicecatalog-client:6.7.2 - http://fabric8.io/kubernetes-extensions/service-catalog/servicecatalog-client/)
      (Apache License, Version 2.0) Fabric8 :: Service Catalog :: Model (io.fabric8:servicecatalog-model:6.7.2 - http://fabric8.io/kubernetes-extensions/service-catalog/servicecatalog-model/)
      (The Apache Software License, Version 2.0) zjsonpatch (io.fabric8:zjsonpatch:0.3.0 - https://github.com/fabric8io/zjsonpatch/)
@@ -226,7 +226,7 @@ Lists of 230 third-party dependencies.
      (Apache-2.0) scala-collection-compat (org.scala-lang.modules:scala-collection-compat_2.12:2.6.0 - http://www.scala-lang.org/)
      (Apache-2.0) scala-java8-compat (org.scala-lang.modules:scala-java8-compat_2.12:1.0.2 - http://www.scala-lang.org/)
      (MIT License) SLF4J API Module (org.slf4j:slf4j-api:2.0.9 - http://www.slf4j.org)
-     (Apache License, Version 2.0) SnakeYAML Engine (org.snakeyaml:snakeyaml-engine:2.6 - https://bitbucket.org/snakeyaml/snakeyaml-engine)
+     (Apache License, Version 2.0) SnakeYAML Engine (org.snakeyaml:snakeyaml-engine:2.7 - https://bitbucket.org/snakeyaml/snakeyaml-engine)
      (Apache License 2.0) wildfly-common (org.wildfly.common:wildfly-common:1.5.4.Final-format-001 - http://www.jboss.org/wildfly-common)
      (Apache-2.0) snappy-java (org.xerial.snappy:snappy-java:1.1.10.5 - https://github.com/xerial/snappy-java)
      (Apache License, Version 2.0) SnakeYAML (org.yaml:snakeyaml:2.0 - https://bitbucket.org/snakeyaml/snakeyaml)
diff --git a/data-plane/core/src/main/java/dev/knative/eventing/kafka/broker/core/NamespacedName.java b/data-plane/core/src/main/java/dev/knative/eventing/kafka/broker/core/NamespacedName.java
@@ -0,0 +1,29 @@
+/*
+ * Copyright © 2018 Knative Authors (knative-dev@googlegroups.com)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package dev.knative.eventing.kafka.broker.core;
+
+/**
+ * NamespacedName comprises a resource name, with a namespace,
+ * rendered as "<namespace>/<name>".
+ * @param namespace
+ * @param name
+ */
+public record NamespacedName(String namespace, String name) {
+    @Override
+    public String toString() {
+        return namespace + "/" + name;
+    }
+}
diff --git a/data-plane/core/src/main/java/dev/knative/eventing/kafka/broker/core/oidc/TokenProvider.java b/data-plane/core/src/main/java/dev/knative/eventing/kafka/broker/core/oidc/TokenProvider.java
@@ -0,0 +1,57 @@
+/*
+ * Copyright © 2018 Knative Authors (knative-dev@googlegroups.com)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package dev.knative.eventing.kafka.broker.core.oidc;
+
+import dev.knative.eventing.kafka.broker.core.NamespacedName;
+import io.fabric8.kubernetes.api.model.authentication.TokenRequest;
+import io.fabric8.kubernetes.api.model.authentication.TokenRequestBuilder;
+import io.fabric8.kubernetes.client.Config;
+import io.fabric8.kubernetes.client.ConfigBuilder;
+import io.fabric8.kubernetes.client.KubernetesClient;
+import io.fabric8.kubernetes.client.KubernetesClientBuilder;
+
+public class TokenProvider {
+
+    private final KubernetesClient kubernetesClient;
+
+    public TokenProvider() {
+        Config clientConfig = new ConfigBuilder().build();
+
+        kubernetesClient =
+                new KubernetesClientBuilder().withConfig(clientConfig).build();
+    }
+
+    public String requestToken(NamespacedName serviceAccount, String audience) {
+        TokenRequest tokenRequest = new TokenRequestBuilder()
+                .withNewSpec()
+                .withAudiences(audience)
+                .withExpirationSeconds(3600L)
+                .endSpec()
+                .build();
+
+        tokenRequest = kubernetesClient
+                .serviceAccounts()
+                .inNamespace(serviceAccount.namespace())
+                .withName(serviceAccount.name())
+                .tokenRequest(tokenRequest);
+
+        if (tokenRequest != null && tokenRequest.getStatus() != null) {
+            return tokenRequest.getStatus().getToken();
+        } else {
+            return null;
+        }
+    }
+}
diff --git a/data-plane/core/src/main/java/dev/knative/eventing/kafka/broker/core/oidc/TokenVerifier.java b/data-plane/core/src/main/java/dev/knative/eventing/kafka/broker/core/oidc/TokenVerifier.java
@@ -61,7 +61,7 @@ public Future<JwtClaims> verify(String token, String expectedAudience) {
 
     public Future<JwtClaims> verify(HttpServerRequest request, String expectedAudience) {
         String authHeader = request.getHeader("Authorization");
-        if (authHeader.isEmpty()) {
+        if (authHeader == null || authHeader.isEmpty()) {
             return Future.failedFuture("Request didn't contain Authorization header"); // change to exception
         }
 

diff --git a/data-plane/pom.xml b/data-plane/pom.xml
@@ -58,7 +58,7 @@
     <awaitility.version>4.2.0</awaitility.version>
     <junit.jupiter.version>5.10.1</junit.jupiter.version>
     <mokito.junit.jupiter.version>5.8.0</mokito.junit.jupiter.version>
-    <fabric8.kubernetes.version>6.7.2</fabric8.kubernetes.version>
+    <fabric8.kubernetes.version>6.10.0</fabric8.kubernetes.version>
     <kafka.version>3.2.3</kafka.version>
     <debezium.version>1.9.6.Final</debezium.version>
     <jib.version>3.4.0</jib.version>
@@ -208,6 +208,11 @@
           </exclusion>
         </exclusions>
       </dependency>
+      <dependency>
+        <groupId>io.fabric8</groupId>
+        <artifactId>kubernetes-client-api</artifactId>
+        <version>${fabric8.kubernetes.version}</version>
+      </dependency>
       <dependency>
         <groupId>io.fabric8</groupId>
         <artifactId>kubernetes-httpclient-jdk</artifactId>