AuthenticationRefresher wrapper solution

raykrueger · raykrueger · commit b71fba4d9185 · 2024-05-16T08:43:18.000-05:00
This commit introduces the AuthenticationRefresher as an implementation of Authentication. It's purpose is to warp another Authentication instance and refresh it very n seconds by calling `provide` on the wrapped Authentication object. This code is intedned to be used a solution to issue #2438. Any Authentication object that provides credentials, that must be refreshed, to the ApiClient do not have a way to do so. There are two ways to use the AuthenticationRefresher with ClientBuilder. The first option is to use the ClientBuilder.setAuthentication(...) method. An Authentication instance can be wrapped in an AuthenticationRefresher and passed into the setAuthentication method. For example, ``` ClientBuilder.standard().setAuthentication( //wrap an auth and refresh it every 15 minutes (900s) new Authentication(someDelegateAuthenticationInstace, 900) ); ``` This is integrated up into the ClientBuilder.build() method by adding a new authenticationRefreshSeconds field and getter/setter pair. If a refresh interval is set, the Authentication object used by ClientBuilder will be wrapped with an AuthenticationRefresher.
diff --git a/util/src/main/java/io/kubernetes/client/util/ClientBuilder.java b/util/src/main/java/io/kubernetes/client/util/ClientBuilder.java
@@ -21,16 +21,6 @@
 import static io.kubernetes.client.util.KubeConfig.KUBECONFIG;
 import static io.kubernetes.client.util.KubeConfig.KUBEDIR;
 
-import io.kubernetes.client.openapi.ApiClient;
-import io.kubernetes.client.openapi.ApiException;
-import io.kubernetes.client.openapi.models.V1CertificateSigningRequest;
-import io.kubernetes.client.persister.FilePersister;
-import io.kubernetes.client.util.credentials.AccessTokenAuthentication;
-import io.kubernetes.client.util.credentials.Authentication;
-import io.kubernetes.client.util.credentials.ClientCertificateAuthentication;
-import io.kubernetes.client.util.credentials.KubeconfigAuthentication;
-import io.kubernetes.client.util.credentials.TokenFileAuthentication;
-import io.kubernetes.client.util.exception.CSRNotApprovedException;
 import java.io.BufferedReader;
 import java.io.ByteArrayInputStream;
 import java.io.File;
@@ -49,12 +39,25 @@
 import java.time.Duration;
 import java.util.Arrays;
 import java.util.List;
-import okhttp3.Protocol;
+
 import org.apache.commons.compress.utils.IOUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import io.kubernetes.client.openapi.ApiClient;
+import io.kubernetes.client.openapi.ApiException;
+import io.kubernetes.client.openapi.models.V1CertificateSigningRequest;
+import io.kubernetes.client.persister.FilePersister;
+import io.kubernetes.client.util.credentials.AccessTokenAuthentication;
+import io.kubernetes.client.util.credentials.Authentication;
+import io.kubernetes.client.util.credentials.AuthenticationRefresher;
+import io.kubernetes.client.util.credentials.ClientCertificateAuthentication;
+import io.kubernetes.client.util.credentials.KubeconfigAuthentication;
+import io.kubernetes.client.util.credentials.TokenFileAuthentication;
+import io.kubernetes.client.util.exception.CSRNotApprovedException;
+import okhttp3.Protocol;
+
 /** A Builder which allows the construction of {@link ApiClient}s in a fluent fashion. */
 public class ClientBuilder {
   private static final Logger log = LoggerFactory.getLogger(ClientBuilder.class);
@@ -71,6 +74,8 @@ public class ClientBuilder {
   // default health check is once a minute
   private Duration pingInterval = Duration.ofMinutes(1);
 
+  private Duration authenticationRefreshSeconds;
+
   /**
    * Creates an {@link ApiClient} by calling {@link #standard()} and {@link #build()}.
    *
@@ -418,6 +423,15 @@ public ClientBuilder setKeyStorePassphrase(String keyStorePassphrase) {
     return this;
   }
 
+  public Duration getAuthenticationRefreshSeconds() {
+    return authenticationRefreshSeconds;
+  }
+
+  public ClientBuilder setAuthenticationRefreshSeconds(Duration authenticationRefreshSeconds) {
+    this.authenticationRefreshSeconds = authenticationRefreshSeconds;
+    return this;
+  }
+
   public ApiClient build() {
     final ApiClient client = new ApiClient();
 
@@ -450,6 +464,15 @@ public ApiClient build() {
           }
         }
       }
+
+      // When authenticationRefreshSeconds is set, wrap the Authentication
+      // object in an AuthenticationRefresher. It is important that we do this
+      // after the passphrase code above is done munging around with the
+      // internals of KubeConfigAuthentication
+      if (authenticationRefreshSeconds != null) {
+        authentication = new AuthenticationRefresher(authentication, authenticationRefreshSeconds.toSeconds());
+      }
+
       authentication.provide(client);
     }
 
diff --git a/util/src/main/java/io/kubernetes/client/util/credentials/AuthenticationRefresher.java b/util/src/main/java/io/kubernetes/client/util/credentials/AuthenticationRefresher.java
@@ -0,0 +1,66 @@
+/*
+Copyright 2024 The Kubernetes Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+package io.kubernetes.client.util.credentials;
+
+import java.util.concurrent.Executors;
+import java.util.concurrent.ScheduledExecutorService;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import io.kubernetes.client.openapi.ApiClient;
+
+/**
+ * Wraps an existing {@link Authentication} and refreshes it every
+ * expirationSeconds.
+ *
+ * Can be used with ClientBuilder as such:
+ *
+ * <pre>
+ * ClientBuilder.standard()
+ *         .withAuthentication(new AuthenticationRefresher(new KubeconfigAuthentication(), 60))
+ *         .build();
+ * </pre>
+ */
+public class AuthenticationRefresher implements Authentication {
+
+    private static final Logger log = LoggerFactory.getLogger(AuthenticationRefresher.class);
+
+    private final Authentication delegateAuthentication;
+    private final Long expirationSeconds;
+
+    public AuthenticationRefresher(Authentication delegateAuthentication, long expirationSeconds) {
+        this.delegateAuthentication = delegateAuthentication;
+        this.expirationSeconds = expirationSeconds;
+        log.debug("AuthenticationRefresher initialized with expirationSeconds: " + expirationSeconds);
+    }
+
+    /**
+     * Calls delegateAuthentication every expirationSeconds
+     */
+    @Override
+    public void provide(ApiClient client) {
+        ScheduledExecutorService executor = Executors.newSingleThreadScheduledExecutor();
+        executor.scheduleAtFixedRate(new Runnable() {
+            @Override
+            public void run() {
+                log.debug("Refreshing authentication");
+                delegateAuthentication.provide(client);
+            }
+        }, expirationSeconds, expirationSeconds, java.util.concurrent.TimeUnit.SECONDS);
+
+        // Run it now, synchronously.
+        log.debug("Invoking authentication");
+        delegateAuthentication.provide(client);
+    }
+}
diff --git a/util/src/test/java/io/kubernetes/client/util/ClientBuilderTest.java b/util/src/test/java/io/kubernetes/client/util/ClientBuilderTest.java
@@ -17,20 +17,24 @@
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatThrownBy;
 import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.times;
 import static org.mockito.Mockito.verify;
 
-import io.kubernetes.client.Resources;
-import io.kubernetes.client.openapi.ApiClient;
-import io.kubernetes.client.util.credentials.Authentication;
-import io.kubernetes.client.util.credentials.ClientCertificateAuthentication;
-import io.kubernetes.client.util.credentials.KubeconfigAuthentication;
 import java.io.File;
 import java.io.FileReader;
 import java.io.IOException;
 import java.nio.file.Files;
 import java.nio.file.Paths;
+import java.time.Duration;
+
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
+
+import io.kubernetes.client.Resources;
+import io.kubernetes.client.openapi.ApiClient;
+import io.kubernetes.client.util.credentials.Authentication;
+import io.kubernetes.client.util.credentials.ClientCertificateAuthentication;
+import io.kubernetes.client.util.credentials.KubeconfigAuthentication;
 import uk.org.webcompere.systemstubs.environment.EnvironmentVariables;
 import uk.org.webcompere.systemstubs.jupiter.SystemStub;
 import uk.org.webcompere.systemstubs.jupiter.SystemStubsExtension;
@@ -218,6 +222,19 @@ void credentialProviderInvoked() throws IOException {
     verify(provider).provide(client);
   }
 
+  @Test
+  void credentialProviderWrappedWithRefresher() throws IOException, InterruptedException {
+    final Authentication provider = mock(Authentication.class);
+    final ApiClient client = ClientBuilder.standard()
+        .setAuthentication(provider)
+        .setAuthenticationRefreshSeconds(Duration.ofSeconds(2))
+        .build();
+
+    Thread.sleep(3000);
+
+    verify(provider, times(2)).provide(client);
+  }
+
   /**
    * We can't verify anything here because of how things are configured in swagger-codegen and
    * okhttp but combined with {@link #sslCertCaBad()} we have some certainty that it is being
diff --git a/util/src/test/java/io/kubernetes/client/util/credentials/AuthenticationRefresherTest.java b/util/src/test/java/io/kubernetes/client/util/credentials/AuthenticationRefresherTest.java
@@ -0,0 +1,52 @@
+/*
+Copyright 2024 The Kubernetes Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+package io.kubernetes.client.util.credentials;
+
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.times;
+import static org.mockito.Mockito.verify;
+
+import java.io.IOException;
+
+import org.junit.jupiter.api.Test;
+
+import io.kubernetes.client.openapi.ApiClient;
+import io.kubernetes.client.util.ClientBuilder;
+
+public class AuthenticationRefresherTest {
+
+    @Test
+    void credentialProviderWrapperInvoked() throws IOException {
+        final Authentication provider = mock(Authentication.class);
+        final Authentication wrapper = new AuthenticationRefresher(provider, 15);
+
+        final ApiClient client = ClientBuilder.standard().setAuthentication(wrapper).build();
+
+        verify(provider).provide(client);
+    }
+
+    @Test
+    void credentialProviderTimerInvoked() throws Exception {
+        final Authentication provider = mock(Authentication.class);
+        final Authentication wrapper = new AuthenticationRefresher(provider, 2);
+
+        final ApiClient client = ClientBuilder.standard().setAuthentication(wrapper).build();
+
+        Thread.sleep(3000);
+
+        // verify provider mock called 2 times
+        verify(provider, times(2)).provide(client);
+
+    }
+
+}
