Revert "Merge pull request #2267 from eirini-forks/add-auth-to-logs"

This reverts commit 891592c.
cloudfoundry · May 17, 2022 · c4303e7 · c4303e7
1 parent 7e5ae94
commit c4303e7
Show file tree

Hide file tree

Showing 16 changed files with 120 additions and 967 deletions.
diff --git a/api/cloudcontroller/wrapper/kubernetes_authentication.go b/api/cloudcontroller/wrapper/kubernetes_authentication.go
@@ -1,12 +1,25 @@
 package wrapper
 
 import (
+	"bytes"
+	"crypto/x509"
+	"encoding/base64"
+	"encoding/pem"
+	"errors"
+	"fmt"
 	"net/http"
 
 	"code.cloudfoundry.org/cli/actor/v7action"
 	"code.cloudfoundry.org/cli/api/cloudcontroller"
-	"code.cloudfoundry.org/cli/api/shared"
 	"code.cloudfoundry.org/cli/command"
+	"k8s.io/client-go/rest"
+	"k8s.io/client-go/tools/clientcmd"
+	"k8s.io/client-go/tools/clientcmd/api"
+	"k8s.io/client-go/transport"
+
+	_ "k8s.io/client-go/plugin/pkg/client/auth/azure"
+	_ "k8s.io/client-go/plugin/pkg/client/auth/gcp"
+	_ "k8s.io/client-go/plugin/pkg/client/auth/oidc"
 )
 
 type KubernetesAuthentication struct {
@@ -27,16 +40,87 @@ func NewKubernetesAuthentication(
 }
 
 func (a *KubernetesAuthentication) Make(request *cloudcontroller.Request, passedResponse *cloudcontroller.Response) error {
-	roundTripper, err := shared.WrapForCFOnK8sAuth(a.config, a.k8sConfigGetter, connectionRoundTripper{
-		connection: a.connection,
-		ccRequest:  request,
-		ccResponse: passedResponse,
-	})
+	username, err := a.config.CurrentUserName()
 	if err != nil {
 		return err
 	}
+	if username == "" {
+		return errors.New("current user not set")
+	}
+
+	k8sConfig, err := a.k8sConfigGetter.Get()
+	if err != nil {
+		return err
+	}
+
+	restConfig, err := clientcmd.NewDefaultClientConfig(
+		*k8sConfig,
+		&clientcmd.ConfigOverrides{
+			Context: api.Context{AuthInfo: username},
+		}).ClientConfig()
+	if err != nil {
+		return err
+	}
+
+	tlsConfig, err := rest.TLSConfigFor(restConfig)
+	if err != nil {
+		return fmt.Errorf("failed to get tls config: %w", err)
+	}
+
+	if tlsConfig != nil && tlsConfig.GetClientCertificate != nil {
+		cert, err := tlsConfig.GetClientCertificate(nil)
+		if err != nil {
+			return fmt.Errorf("failed to get client certificate: %w", err)
+		}
+
+		if len(cert.Certificate) > 0 && cert.PrivateKey != nil {
+			var buf bytes.Buffer
+
+			if err := pem.Encode(&buf, &pem.Block{Type: "CERTIFICATE", Bytes: cert.Certificate[0]}); err != nil {
+				return fmt.Errorf("could not convert certificate to PEM format: %w", err)
+			}
+
+			key, err := x509.MarshalPKCS8PrivateKey(cert.PrivateKey)
+			if err != nil {
+				return fmt.Errorf("could not marshal private key: %w", err)
+			}
+
+			if err := pem.Encode(&buf, &pem.Block{Type: "PRIVATE KEY", Bytes: key}); err != nil {
+				return fmt.Errorf("could not convert key to PEM format: %w", err)
+			}
+
+			auth := "ClientCert " + base64.StdEncoding.EncodeToString(buf.Bytes())
+			request.Header.Set("Authorization", auth)
+
+			return a.connection.Make(request, passedResponse)
+		}
+	}
+
+	transportConfig, err := restConfig.TransportConfig()
+	if err != nil {
+		return fmt.Errorf("failed to get transport config: %w", err)
+	}
+
+	var roundtripper http.RoundTripper
+	if transportConfig.WrapTransport == nil {
+		// i.e. not auth-provider or exec plugin
+		roundtripper, err = transport.HTTPWrappersForConfig(transportConfig, connectionRoundTripper{
+			connection: a.connection,
+			ccRequest:  request,
+			ccResponse: passedResponse,
+		})
+		if err != nil {
+			return fmt.Errorf("failed to create new transport: %w", err)
+		}
+	} else {
+		roundtripper = transportConfig.WrapTransport(connectionRoundTripper{
+			connection: a.connection,
+			ccRequest:  request,
+			ccResponse: passedResponse,
+		})
+	}
 
-	_, err = roundTripper.RoundTrip(request.Request)
+	_, err = roundtripper.RoundTrip(request.Request)
 
 	return err
 }

diff --git a/api/cloudcontroller/wrapper/kubernetes_authentication_test.go b/api/cloudcontroller/wrapper/kubernetes_authentication_test.go
@@ -119,7 +119,7 @@ var _ = Describe("KubernetesAuthentication", func() {
 		})
 	})
 
-	When("the chosen kubernetes auth info is not present in kubeconfig", func() {
+	When("the chosen kubeernetes auth info is not present in kubeconfig", func() {
 		BeforeEach(func() {
 			config.CurrentUserNameReturns("not-present", nil)
 		})

diff --git a/api/shared/shared_suite_test.go b/api/shared/shared_suite_test.go
diff --git a/api/shared/sharedfakes/fake_round_tripper.go b/api/shared/sharedfakes/fake_round_tripper.go
diff --git a/api/shared/wrap_for_cf_on_k8s.go b/api/shared/wrap_for_cf_on_k8s.go