implement kubeconfig login --idp flow

Author: MichaelEischer

docs/stackit_ske_kubeconfig_login.md

@@ -5,8 +5,8 @@ Login plugin for kubernetes clients
 ### Synopsis
 
 Login plugin for kubernetes clients, that creates short-lived credentials to authenticate against a STACKIT Kubernetes Engine (SKE) cluster.
-First you need to obtain a kubeconfig for use with the login command (first example).
-Secondly you use the kubeconfig with your chosen Kubernetes client (second example), the client will automatically retrieve the credentials via the STACKIT CLI.
+First you need to obtain a kubeconfig for use with the login command (first or second example).
+Secondly you use the kubeconfig with your chosen Kubernetes client (third example), the client will automatically retrieve the credentials via the STACKIT CLI.
 
 ```
 stackit ske kubeconfig login [flags]
@@ -15,9 +15,12 @@ stackit ske kubeconfig login [flags]
 ### Examples
 
 ```
-  Get a login kubeconfig for the SKE cluster with name "my-cluster". This kubeconfig does not contain any credentials and instead obtains valid credentials via the `stackit ske kubeconfig login` command.
+  Get an admin, login kubeconfig for the SKE cluster with name "my-cluster". This kubeconfig does not contain any credentials and instead obtains valid admin credentials via the `stackit ske kubeconfig login` command.
   $ stackit ske kubeconfig create my-cluster --login
 
+  Get an IDP kubeconfig for the SKE cluster with name "my-cluster". This kubeconfig does not contain any credentials and instead obtains valid credentials via the `stackit ske kubeconfig login` command.
+  $ stackit ske kubeconfig create my-cluster --idp
+
   Use the previously saved kubeconfig to authenticate to the SKE cluster, in this case with kubectl.
   $ kubectl cluster-info
   $ kubectl get pods
@@ -27,6 +30,7 @@ stackit ske kubeconfig login [flags]
 
 ```
   -h, --help   Help for "stackit ske kubeconfig login"
+      --idp    Use the STACKIT IdP for authentication to the cluster.
 ```
 
 ### Options inherited from parent commands

internal/cmd/ske/kubeconfig/login/login.go

@@ -8,8 +8,12 @@ import (
 	"encoding/pem"
 	"errors"
 	"fmt"
+	"io"
+	"net/http"
+	"net/url"
 	"os"
 	"strconv"
+	"strings"
 	"time"
 
 	"github.com/spf13/cobra"
@@ -23,7 +27,9 @@ import (
 	"github.com/stackitcloud/stackit-cli/internal/pkg/args"
 	"github.com/stackitcloud/stackit-cli/internal/pkg/auth"
 	"github.com/stackitcloud/stackit-cli/internal/pkg/cache"
+	cliErr "github.com/stackitcloud/stackit-cli/internal/pkg/errors"
 	"github.com/stackitcloud/stackit-cli/internal/pkg/examples"
+	"github.com/stackitcloud/stackit-cli/internal/pkg/flags"
 	"github.com/stackitcloud/stackit-cli/internal/pkg/globalflags"
 	"github.com/stackitcloud/stackit-cli/internal/pkg/print"
 	"github.com/stackitcloud/stackit-cli/internal/pkg/services/ske/client"
@@ -32,8 +38,11 @@ import (
 )
 
 const (
-	expirationSeconds     = 30 * 60          // 30 min
-	refreshBeforeDuration = 15 * time.Minute // 15 min
+	expirationSeconds          = 30 * 60          // 30 min
+	refreshBeforeDuration      = 15 * time.Minute // 15 min
+	refreshTokenBeforeDuration = 5 * time.Minute  // 5 min
+
+	idpFlag = "idp"
 )
 
 func NewCmd(params *types.CmdParams) *cobra.Command {
@@ -42,15 +51,19 @@ func NewCmd(params *types.CmdParams) *cobra.Command {
 		Short: "Login plugin for kubernetes clients",
 		Long: fmt.Sprintf("%s\n%s\n%s",
 			"Login plugin for kubernetes clients, that creates short-lived credentials to authenticate against a STACKIT Kubernetes Engine (SKE) cluster.",
-			"First you need to obtain a kubeconfig for use with the login command (first example).",
-			"Secondly you use the kubeconfig with your chosen Kubernetes client (second example), the client will automatically retrieve the credentials via the STACKIT CLI.",
+			"First you need to obtain a kubeconfig for use with the login command (first or second example).",
+			"Secondly you use the kubeconfig with your chosen Kubernetes client (third example), the client will automatically retrieve the credentials via the STACKIT CLI.",
 		),
 		Args: args.NoArgs,
 		Example: examples.Build(
 			examples.NewExample(
-				`Get a login kubeconfig for the SKE cluster with name "my-cluster". `+
-					"This kubeconfig does not contain any credentials and instead obtains valid credentials via the `stackit ske kubeconfig login` command.",
+				`Get an admin, login kubeconfig for the SKE cluster with name "my-cluster". `+
+					"This kubeconfig does not contain any credentials and instead obtains valid admin credentials via the `stackit ske kubeconfig login` command.",
 				"$ stackit ske kubeconfig create my-cluster --login"),
+			examples.NewExample(
+				`Get an IDP kubeconfig for the SKE cluster with name "my-cluster". `+
+					"This kubeconfig does not contain any credentials and instead obtains valid credentials via the `stackit ske kubeconfig login` command.",
+				"$ stackit ske kubeconfig create my-cluster --idp"),
 			examples.NewExample(
 				"Use the previously saved kubeconfig to authenticate to the SKE cluster, in this case with kubectl.",
 				"$ kubectl cluster-info",
@@ -70,11 +83,25 @@ func NewCmd(params *types.CmdParams) *cobra.Command {
 					"See `stackit ske kubeconfig login --help` for detailed usage instructions.")
 			}
 
-			clusterConfig, err := parseClusterConfig(params.Printer, cmd)
+			idpMode := flags.FlagToBoolValue(params.Printer, cmd, idpFlag)
+			clusterConfig, err := parseClusterConfig(params.Printer, cmd, idpMode)
 			if err != nil {
 				return fmt.Errorf("parseClusterConfig: %w", err)
 			}
 
+			if idpMode {
+				accessToken, err := getAccessToken(params)
+				if err != nil {
+					return err
+				}
+				idpClient := &http.Client{}
+				token, err := retrieveTokenFromIDP(ctx, idpClient, accessToken, clusterConfig)
+				if err != nil {
+					return err
+				}
+				return outputTokenKubeconfig(params.Printer, clusterConfig.cacheKey, token)
+			}
+
 			// Configure API client
 			apiClient, err := client.ConfigureClient(params.Printer, params.CliVersion)
 			if err != nil {
@@ -87,18 +114,24 @@ func NewCmd(params *types.CmdParams) *cobra.Command {
 			return outputLoginKubeconfig(params.Printer, clusterConfig.cacheKey, kubeconfig)
 		},
 	}
+	configureFlags(cmd)
 	return cmd
 }
 
+func configureFlags(cmd *cobra.Command) {
+	cmd.Flags().Bool(idpFlag, false, "Use the STACKIT IdP for authentication to the cluster.")
+}
+
 type clusterConfig struct {
 	STACKITProjectID string `json:"stackitProjectID"`
 	ClusterName      string `json:"clusterName"`
 	Region           string `json:"region"`
+	OrganizationID   string `json:"organizationID"`
 
 	cacheKey string
 }
 
-func parseClusterConfig(p *print.Printer, cmd *cobra.Command) (*clusterConfig, error) {
+func parseClusterConfig(p *print.Printer, cmd *cobra.Command, idpMode bool) (*clusterConfig, error) {
 	obj, _, err := exec.LoadExecCredentialFromEnv()
 	if err != nil {
 		return nil, fmt.Errorf("LoadExecCredentialFromEnv: %w", err)
@@ -130,8 +163,11 @@ func parseClusterConfig(p *print.Printer, cmd *cobra.Command) (*clusterConfig, e
 	if err != nil {
 		return nil, fmt.Errorf("error getting auth email: %w", err)
 	}
-
-	clusterConfig.cacheKey = fmt.Sprintf("ske-login-%x", sha256.Sum256([]byte(execCredential.Spec.Cluster.Server+"\x00"+authEmail)))
+	idpSuffix := ""
+	if idpMode {
+		idpSuffix = "\x00idp"
+	}
+	clusterConfig.cacheKey = fmt.Sprintf("ske-login-%x", sha256.Sum256([]byte(execCredential.Spec.Cluster.Server+"\x00"+authEmail+idpSuffix)))
 
 	// NOTE: Fallback if region is not set in the kubeconfig (this was the case in the past)
 	if clusterConfig.Region == "" {
@@ -163,7 +199,6 @@ func retrieveLoginKubeconfig(ctx context.Context, apiClient *ske.APIClient, clus
 	}
 	// cert not expired, nor will it expire in the next 15min; therefore, use the cached kubeconfig
 	return cachedKubeconfig, nil
-
 }
 
 func getCachedKubeConfig(key string) *rest.Config {
@@ -266,3 +301,178 @@ func parseLoginKubeConfigToExecCredential(kubeconfig *rest.Config) ([]byte, erro
 	}
 	return output, nil
 }
+
+func getAccessToken(params *types.CmdParams) (string, error) {
+	userSessionExpired, err := auth.UserSessionExpired()
+	if err != nil {
+		return "", err
+	}
+	if userSessionExpired {
+		return "", &cliErr.SessionExpiredError{}
+	}
+
+	accessToken, err := auth.GetValidAccessToken(params.Printer)
+	if err != nil {
+		params.Printer.Debug(print.ErrorLevel, "get valid access token: %v", err)
+		return "", &cliErr.SessionExpiredError{}
+	}
+	return accessToken, nil
+}
+
+func retrieveTokenFromIDP(ctx context.Context, idpClient *http.Client, accessToken string, clusterConfig *clusterConfig) (string, error) {
+	tokenEndpoint, err := auth.GetAuthField(auth.IDP_TOKEN_ENDPOINT)
+	if err != nil {
+		return "", fmt.Errorf("get idp token endpoint: %w", err)
+	}
+
+	cachedToken := getCachedToken(clusterConfig.cacheKey)
+	if cachedToken == "" {
+		return exchangeToken(ctx, idpClient, tokenEndpoint, accessToken, clusterConfig)
+	}
+
+	expiry, err := auth.TokenExpirationTime(cachedToken)
+	if err != nil {
+		// token is expired or invalid, request new
+		_ = cache.DeleteObject(clusterConfig.cacheKey)
+		return exchangeToken(ctx, idpClient, tokenEndpoint, accessToken, clusterConfig)
+	} else if time.Now().Add(refreshTokenBeforeDuration).After(expiry) {
+		// token expires soon -> refresh
+		token, err := exchangeToken(ctx, idpClient, tokenEndpoint, accessToken, clusterConfig)
+		// try to get a new one but use cache on failure
+		if err != nil {
+			return cachedToken, nil
+		}
+		return token, nil
+	}
+	// cached token is valid and won't expire soon
+	return cachedToken, nil
+}
+
+func getCachedToken(key string) string {
+	token, err := cache.GetObject(key)
+	if err != nil {
+		return ""
+	}
+	return string(token)
+}
+
+func exchangeToken(ctx context.Context, idpClient *http.Client, tokenEndpoint, accessToken string, config *clusterConfig) (string, error) {
+	req, err := buildRequestToExchangeTokens(ctx, tokenEndpoint, accessToken, config)
+	if err != nil {
+		return "", fmt.Errorf("build request: %w", err)
+	}
+	resp, err := idpClient.Do(req)
+	if err != nil {
+		return "", fmt.Errorf("call API: %w", err)
+	}
+	defer func() {
+		tempErr := resp.Body.Close()
+		if tempErr != nil {
+			err = fmt.Errorf("close response body: %w", tempErr)
+		}
+	}()
+
+	clusterToken, err := parseTokenExchangeResponse(resp)
+	if err != nil {
+		return "", fmt.Errorf("parse API response: %w", err)
+	}
+	if err = cache.PutObject(config.cacheKey, []byte(clusterToken)); err != nil {
+		return "", fmt.Errorf("cache token: %w", err)
+	}
+	return clusterToken, err
+}
+
+func buildRequestToExchangeTokens(ctx context.Context, tokenEndpoint, accessToken string, config *clusterConfig) (*http.Request, error) {
+	idpClientID, err := auth.GetIDPClientID()
+	if err != nil {
+		return nil, err
+	}
+
+	form := url.Values{}
+	form.Set("grant_type", "urn:ietf:params:oauth:grant-type:token-exchange")
+	form.Set("client_id", idpClientID)
+	form.Set("subject_token_type", "urn:ietf:params:oauth:token-type:access_token")
+	form.Set("requested_token_type", "urn:ietf:params:oauth:token-type:id_token")
+	form.Set("scope", "openid profile email groups")
+	form.Set("subject_token", accessToken)
+	form.Set("resource", resourceForCluster(config))
+
+	req, err := http.NewRequestWithContext(
+		ctx,
+		http.MethodPost,
+		tokenEndpoint,
+		strings.NewReader(form.Encode()),
+	)
+	if err != nil {
+		return nil, fmt.Errorf("build exchange request: %w", err)
+	}
+	req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
+
+	return req, nil
+}
+
+func resourceForCluster(config *clusterConfig) string {
+	return fmt.Sprintf(
+		"resource://organizations/%s/projects/%s/regions/%s/ske/%s",
+		config.OrganizationID,
+		config.STACKITProjectID,
+		config.Region,
+		config.ClusterName,
+	)
+}
+
+func parseTokenExchangeResponse(resp *http.Response) (accessToken string, err error) {
+	respBody, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return "", fmt.Errorf("read body: %w", err)
+	}
+	if resp.StatusCode != http.StatusOK {
+		return "", fmt.Errorf("non-OK %d status: %s", resp.StatusCode, string(respBody))
+	}
+
+	respContent := struct {
+		AccessToken string `json:"access_token"`
+	}{}
+	err = json.Unmarshal(respBody, &respContent)
+	if err != nil {
+		return "", fmt.Errorf("unmarshal body: %w", err)
+	}
+	if respContent.AccessToken == "" {
+		return "", fmt.Errorf("no access token found")
+	}
+	return respContent.AccessToken, nil
+}
+
+func outputTokenKubeconfig(p *print.Printer, cacheKey, token string) error {
+	output, err := parseTokenToExecCredential(token)
+	if err != nil {
+		_ = cache.DeleteObject(cacheKey)
+		return fmt.Errorf("convert to ExecCredential: %w", err)
+	}
+
+	p.Outputf("%s", string(output))
+	return nil
+}
+
+func parseTokenToExecCredential(clusterToken string) ([]byte, error) {
+	expiry, err := auth.TokenExpirationTime(clusterToken)
+	if err != nil {
+		return nil, fmt.Errorf("parse auth token for cluster: %w", err)
+	}
+
+	outputExecCredential := clientauthenticationv1.ExecCredential{
+		TypeMeta: v1.TypeMeta{
+			APIVersion: clientauthenticationv1.SchemeGroupVersion.String(),
+			Kind:       "ExecCredential",
+		},
+		Status: &clientauthenticationv1.ExecCredentialStatus{
+			ExpirationTimestamp: &v1.Time{Time: expiry.Add(-refreshTokenBeforeDuration)},
+			Token:               clusterToken,
+		},
+	}
+	output, err := json.Marshal(&outputExecCredential)
+	if err != nil {
+		return nil, fmt.Errorf("marshal: %w", err)
+	}
+	return output, nil
+}

internal/pkg/auth/user_login.go

@@ -70,7 +70,7 @@ func AuthorizeUser(p *print.Printer, isReauthentication bool) error {
 		return fmt.Errorf("parse IDP well-known configuration: %w", err)
 	}
 
-	idpClientID, err := getIDPClientID()
+	idpClientID, err := GetIDPClientID()
 	if err != nil {
 		return err
 	}