Add vendor folder to git

vendor/k8s.io/client-go/plugin/pkg/client/auth/BUILD

@@ -0,0 +1,18 @@
+package(default_visibility = ["//visibility:public"])
+
+licenses(["notice"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_library",
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = ["plugins.go"],
+    tags = ["automanaged"],
+    deps = [
+        "//vendor/k8s.io/client-go/plugin/pkg/client/auth/gcp:go_default_library",
+        "//vendor/k8s.io/client-go/plugin/pkg/client/auth/oidc:go_default_library",
+    ],
+)

vendor/k8s.io/client-go/plugin/pkg/client/auth/gcp/BUILD

@@ -0,0 +1,32 @@
+package(default_visibility = ["//visibility:public"])
+
+licenses(["notice"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_library",
+    "go_test",
+)
+
+go_test(
+    name = "go_default_test",
+    srcs = ["gcp_test.go"],
+    library = ":go_default_library",
+    tags = ["automanaged"],
+    deps = ["//vendor/golang.org/x/oauth2:go_default_library"],
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = ["gcp.go"],
+    tags = ["automanaged"],
+    deps = [
+        "//vendor/github.com/golang/glog:go_default_library",
+        "//vendor/golang.org/x/net/context:go_default_library",
+        "//vendor/golang.org/x/oauth2:go_default_library",
+        "//vendor/golang.org/x/oauth2/google:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/util/yaml:go_default_library",
+        "//vendor/k8s.io/client-go/rest:go_default_library",
+        "//vendor/k8s.io/client-go/util/jsonpath:go_default_library",
+    ],
+)

vendor/k8s.io/client-go/plugin/pkg/client/auth/gcp/OWNERS

@@ -0,0 +1,6 @@
+approvers:
+- cjcullen
+- jlowdermilk
+reviewers:
+- cjcullen
+- jlowdermilk

vendor/k8s.io/client-go/plugin/pkg/client/auth/gcp/gcp.go

@@ -0,0 +1,286 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package gcp
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"os/exec"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/golang/glog"
+	"golang.org/x/net/context"
+	"golang.org/x/oauth2"
+	"golang.org/x/oauth2/google"
+	"k8s.io/apimachinery/pkg/util/yaml"
+	restclient "k8s.io/client-go/rest"
+	"k8s.io/client-go/util/jsonpath"
+)
+
+func init() {
+	if err := restclient.RegisterAuthProviderPlugin("gcp", newGCPAuthProvider); err != nil {
+		glog.Fatalf("Failed to register gcp auth plugin: %v", err)
+	}
+}
+
+// Stubbable for testing
+var execCommand = exec.Command
+
+// gcpAuthProvider is an auth provider plugin that uses GCP credentials to provide
+// tokens for kubectl to authenticate itself to the apiserver. A sample json config
+// is provided below with all recognized options described.
+//
+// {
+//   'auth-provider': {
+//     # Required
+//     "name": "gcp",
+//
+//     'config': {
+//       # Caching options
+//
+//       # Raw string data representing cached access token.
+//       "access-token": "ya29.CjWdA4GiBPTt",
+//       # RFC3339Nano expiration timestamp for cached access token.
+//       "expiry": "2016-10-31 22:31:9.123",
+//
+//       # Command execution options
+//       # These options direct the plugin to execute a specified command and parse
+//       # token and expiry time from the output of the command.
+//
+//       # Command to execute for access token. Command output will be parsed as JSON.
+//       # If "cmd-args" is not present, this value will be split on whitespace, with
+//       # the first element interpreted as the command, remaining elements as args.
+//       "cmd-path": "/usr/bin/gcloud",
+//
+//       # Arguments to pass to command to execute for access token.
+//       "cmd-args": "config config-helper --output=json"
+//
+//       # JSONPath to the string field that represents the access token in
+//       # command output. If omitted, defaults to "{.access_token}".
+//       "token-key": "{.credential.access_token}",
+//
+//       # JSONPath to the string field that represents expiration timestamp
+//       # of the access token in the command output. If omitted, defaults to
+//       # "{.token_expiry}"
+//       "expiry-key": ""{.credential.token_expiry}",
+//
+//       # golang reference time in the format that the expiration timestamp uses.
+//       # If omitted, defaults to time.RFC3339Nano
+//       "time-fmt": "2006-01-02 15:04:05.999999999"
+//     }
+//   }
+// }
+//
+type gcpAuthProvider struct {
+	tokenSource oauth2.TokenSource
+	persister   restclient.AuthProviderConfigPersister
+}
+
+func newGCPAuthProvider(_ string, gcpConfig map[string]string, persister restclient.AuthProviderConfigPersister) (restclient.AuthProvider, error) {
+	var ts oauth2.TokenSource
+	var err error
+	if cmd, useCmd := gcpConfig["cmd-path"]; useCmd {
+		if len(cmd) == 0 {
+			return nil, fmt.Errorf("missing access token cmd")
+		}
+		var args []string
+		if cmdArgs, ok := gcpConfig["cmd-args"]; ok {
+			args = strings.Fields(cmdArgs)
+		} else {
+			fields := strings.Fields(cmd)
+			cmd = fields[0]
+			args = fields[1:]
+		}
+		ts = newCmdTokenSource(cmd, args, gcpConfig["token-key"], gcpConfig["expiry-key"], gcpConfig["time-fmt"])
+	} else {
+		ts, err = google.DefaultTokenSource(context.Background(), "https://www.googleapis.com/auth/cloud-platform")
+	}
+	if err != nil {
+		return nil, err
+	}
+	cts, err := newCachedTokenSource(gcpConfig["access-token"], gcpConfig["expiry"], persister, ts, gcpConfig)
+	if err != nil {
+		return nil, err
+	}
+	return &gcpAuthProvider{cts, persister}, nil
+}
+
+func (g *gcpAuthProvider) WrapTransport(rt http.RoundTripper) http.RoundTripper {
+	return &oauth2.Transport{
+		Source: g.tokenSource,
+		Base:   rt,
+	}
+}
+
+func (g *gcpAuthProvider) Login() error { return nil }
+
+type cachedTokenSource struct {
+	lk          sync.Mutex
+	source      oauth2.TokenSource
+	accessToken string
+	expiry      time.Time
+	persister   restclient.AuthProviderConfigPersister
+	cache       map[string]string
+}
+
+func newCachedTokenSource(accessToken, expiry string, persister restclient.AuthProviderConfigPersister, ts oauth2.TokenSource, cache map[string]string) (*cachedTokenSource, error) {
+	var expiryTime time.Time
+	if parsedTime, err := time.Parse(time.RFC3339Nano, expiry); err == nil {
+		expiryTime = parsedTime
+	}
+	if cache == nil {
+		cache = make(map[string]string)
+	}
+	return &cachedTokenSource{
+		source:      ts,
+		accessToken: accessToken,
+		expiry:      expiryTime,
+		persister:   persister,
+		cache:       cache,
+	}, nil
+}
+
+func (t *cachedTokenSource) Token() (*oauth2.Token, error) {
+	tok := t.cachedToken()
+	if tok.Valid() && !tok.Expiry.IsZero() {
+		return tok, nil
+	}
+	tok, err := t.source.Token()
+	if err != nil {
+		return nil, err
+	}
+	cache := t.update(tok)
+	if t.persister != nil {
+		if err := t.persister.Persist(cache); err != nil {
+			glog.V(4).Infof("Failed to persist token: %v", err)
+		}
+	}
+	return tok, nil
+}
+
+func (t *cachedTokenSource) cachedToken() *oauth2.Token {
+	t.lk.Lock()
+	defer t.lk.Unlock()
+	return &oauth2.Token{
+		AccessToken: t.accessToken,
+		TokenType:   "Bearer",
+		Expiry:      t.expiry,
+	}
+}
+
+func (t *cachedTokenSource) update(tok *oauth2.Token) map[string]string {
+	t.lk.Lock()
+	defer t.lk.Unlock()
+	t.accessToken = tok.AccessToken
+	t.expiry = tok.Expiry
+	ret := map[string]string{}
+	for k, v := range t.cache {
+		ret[k] = v
+	}
+	ret["access-token"] = t.accessToken
+	ret["expiry"] = t.expiry.Format(time.RFC3339Nano)
+	return ret
+}
+
+type commandTokenSource struct {
+	cmd       string
+	args      []string
+	tokenKey  string
+	expiryKey string
+	timeFmt   string
+}
+
+func newCmdTokenSource(cmd string, args []string, tokenKey, expiryKey, timeFmt string) *commandTokenSource {
+	if len(timeFmt) == 0 {
+		timeFmt = time.RFC3339Nano
+	}
+	if len(tokenKey) == 0 {
+		tokenKey = "{.access_token}"
+	}
+	if len(expiryKey) == 0 {
+		expiryKey = "{.token_expiry}"
+	}
+	return &commandTokenSource{
+		cmd:       cmd,
+		args:      args,
+		tokenKey:  tokenKey,
+		expiryKey: expiryKey,
+		timeFmt:   timeFmt,
+	}
+}
+
+func (c *commandTokenSource) Token() (*oauth2.Token, error) {
+	fullCmd := strings.Join(append([]string{c.cmd}, c.args...), " ")
+	cmd := execCommand(c.cmd, c.args...)
+	output, err := cmd.Output()
+	if err != nil {
+		return nil, fmt.Errorf("error executing access token command %q: err=%v output=%s", fullCmd, err, output)
+	}
+	token, err := c.parseTokenCmdOutput(output)
+	if err != nil {
+		return nil, fmt.Errorf("error parsing output for access token command %q: %v", fullCmd, err)
+	}
+	return token, nil
+}
+
+func (c *commandTokenSource) parseTokenCmdOutput(output []byte) (*oauth2.Token, error) {
+	output, err := yaml.ToJSON(output)
+	if err != nil {
+		return nil, err
+	}
+	var data interface{}
+	if err := json.Unmarshal(output, &data); err != nil {
+		return nil, err
+	}
+
+	accessToken, err := parseJSONPath(data, "token-key", c.tokenKey)
+	if err != nil {
+		return nil, fmt.Errorf("error parsing token-key %q from %q: %v", c.tokenKey, string(output), err)
+	}
+	expiryStr, err := parseJSONPath(data, "expiry-key", c.expiryKey)
+	if err != nil {
+		return nil, fmt.Errorf("error parsing expiry-key %q from %q: %v", c.expiryKey, string(output), err)
+	}
+	var expiry time.Time
+	if t, err := time.Parse(c.timeFmt, expiryStr); err != nil {
+		glog.V(4).Infof("Failed to parse token expiry from %s (fmt=%s): %v", expiryStr, c.timeFmt, err)
+	} else {
+		expiry = t
+	}
+
+	return &oauth2.Token{
+		AccessToken: accessToken,
+		TokenType:   "Bearer",
+		Expiry:      expiry,
+	}, nil
+}
+
+func parseJSONPath(input interface{}, name, template string) (string, error) {
+	j := jsonpath.New(name)
+	buf := new(bytes.Buffer)
+	if err := j.Parse(template); err != nil {
+		return "", err
+	}
+	if err := j.Execute(buf, input); err != nil {
+		return "", err
+	}
+	return buf.String(), nil
+}

vendor/k8s.io/client-go/plugin/pkg/client/auth/gcp/gcp_test.go

@@ -0,0 +1,325 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package gcp
+
+import (
+	"fmt"
+	"os"
+	"os/exec"
+	"reflect"
+	"strings"
+	"sync"
+	"testing"
+	"time"
+
+	"golang.org/x/oauth2"
+)
+
+type fakeOutput struct {
+	args   []string
+	output string
+}
+
+var (
+	wantCmd []string
+	// Output for fakeExec, keyed by command
+	execOutputs = map[string]fakeOutput{
+		"/default/no/args": {
+			args: []string{},
+			output: `{
+  "access_token": "faketoken",
+  "token_expiry": "2016-10-31T22:31:09.123000000Z"
+}`},
+		"/default/legacy/args": {
+			args: []string{"arg1", "arg2", "arg3"},
+			output: `{
+  "access_token": "faketoken",
+  "token_expiry": "2016-10-31T22:31:09.123000000Z"
+}`},
+		"/space in path/customkeys": {
+			args: []string{"can", "haz", "auth"},
+			output: `{
+  "token": "faketoken",
+  "token_expiry": {
+    "datetime": "2016-10-31 22:31:09.123"
+  }
+}`},
+		"missing/tokenkey/noargs": {
+			args: []string{},
+			output: `{
+  "broken": "faketoken",
+  "token_expiry": {
+    "datetime": "2016-10-31 22:31:09.123000000Z"
+  }
+}`},
+		"missing/expirykey/legacyargs": {
+			args: []string{"split", "on", "whitespace"},
+			output: `{
+  "access_token": "faketoken",
+  "expires": "2016-10-31T22:31:09.123000000Z"
+}`},
+		"invalid expiry/timestamp": {
+			args: []string{"foo", "--bar", "--baz=abc,def"},
+			output: `{
+  "access_token": "faketoken",
+  "token_expiry": "sometime soon, idk"
+}`},
+		"badjson": {
+			args: []string{},
+			output: `{
+  "access_token": "faketoken",
+  "token_expiry": "sometime soon, idk"
+  ------
+`},
+	}
+)
+
+func fakeExec(command string, args ...string) *exec.Cmd {
+	cs := []string{"-test.run=TestHelperProcess", "--", command}
+	cs = append(cs, args...)
+	cmd := exec.Command(os.Args[0], cs...)
+	cmd.Env = []string{"GO_WANT_HELPER_PROCESS=1"}
+	return cmd
+}
+
+func TestHelperProcess(t *testing.T) {
+	if os.Getenv("GO_WANT_HELPER_PROCESS") != "1" {
+		return
+	}
+	// Strip out the leading args used to exec into this function.
+	gotCmd := os.Args[3]
+	gotArgs := os.Args[4:]
+	output, ok := execOutputs[gotCmd]
+	if !ok {
+		fmt.Fprintf(os.Stdout, "unexpected call cmd=%q args=%v\n", gotCmd, gotArgs)
+		os.Exit(1)
+	} else if !reflect.DeepEqual(output.args, gotArgs) {
+		fmt.Fprintf(os.Stdout, "call cmd=%q got args %v, want: %v\n", gotCmd, gotArgs, output.args)
+		os.Exit(1)
+	}
+	fmt.Fprintf(os.Stdout, output.output)
+	os.Exit(0)
+}
+
+func errEquiv(got, want error) bool {
+	if got == want {
+		return true
+	}
+	if got != nil && want != nil {
+		return strings.Contains(got.Error(), want.Error())
+	}
+	return false
+}
+
+func TestCmdTokenSource(t *testing.T) {
+	execCommand = fakeExec
+	fakeExpiry := time.Date(2016, 10, 31, 22, 31, 9, 123000000, time.UTC)
+	customFmt := "2006-01-02 15:04:05.999999999"
+
+	tests := []struct {
+		name             string
+		gcpConfig        map[string]string
+		tok              *oauth2.Token
+		newErr, tokenErr error
+	}{
+		{
+			"default",
+			map[string]string{
+				"cmd-path": "/default/no/args",
+			},
+			&oauth2.Token{
+				AccessToken: "faketoken",
+				TokenType:   "Bearer",
+				Expiry:      fakeExpiry,
+			},
+			nil,
+			nil,
+		},
+		{
+			"default legacy args",
+			map[string]string{
+				"cmd-path": "/default/legacy/args arg1 arg2 arg3",
+			},
+			&oauth2.Token{
+				AccessToken: "faketoken",
+				TokenType:   "Bearer",
+				Expiry:      fakeExpiry,
+			},
+			nil,
+			nil,
+		},
+
+		{
+			"custom keys",
+			map[string]string{
+				"cmd-path":   "/space in path/customkeys",
+				"cmd-args":   "can haz auth",
+				"token-key":  "{.token}",
+				"expiry-key": "{.token_expiry.datetime}",
+				"time-fmt":   customFmt,
+			},
+			&oauth2.Token{
+				AccessToken: "faketoken",
+				TokenType:   "Bearer",
+				Expiry:      fakeExpiry,
+			},
+			nil,
+			nil,
+		},
+		{
+			"missing cmd",
+			map[string]string{
+				"cmd-path": "",
+			},
+			nil,
+			fmt.Errorf("missing access token cmd"),
+			nil,
+		},
+		{
+			"missing token-key",
+			map[string]string{
+				"cmd-path":  "missing/tokenkey/noargs",
+				"token-key": "{.token}",
+			},
+			nil,
+			nil,
+			fmt.Errorf("error parsing token-key %q", "{.token}"),
+		},
+
+		{
+			"missing expiry-key",
+			map[string]string{
+				"cmd-path":   "missing/expirykey/legacyargs split on whitespace",
+				"expiry-key": "{.expiry}",
+			},
+			nil,
+			nil,
+			fmt.Errorf("error parsing expiry-key %q", "{.expiry}"),
+		},
+		{
+			"invalid expiry timestamp",
+			map[string]string{
+				"cmd-path": "invalid expiry/timestamp",
+				"cmd-args": "foo --bar --baz=abc,def",
+			},
+			&oauth2.Token{
+				AccessToken: "faketoken",
+				TokenType:   "Bearer",
+				Expiry:      time.Time{},
+			},
+			nil,
+			nil,
+		},
+		{
+			"bad JSON",
+			map[string]string{
+				"cmd-path": "badjson",
+			},
+			nil,
+			nil,
+			fmt.Errorf("invalid character '-' after object key:value pair"),
+		},
+	}
+
+	for _, tc := range tests {
+		provider, err := newGCPAuthProvider("", tc.gcpConfig, nil /* persister */)
+		if !errEquiv(err, tc.newErr) {
+			t.Errorf("%q newGCPAuthProvider error: got %v, want %v", tc.name, err, tc.newErr)
+			continue
+		}
+		if err != nil {
+			continue
+		}
+		ts := provider.(*gcpAuthProvider).tokenSource.(*cachedTokenSource).source.(*commandTokenSource)
+		wantCmd = append([]string{ts.cmd}, ts.args...)
+		tok, err := ts.Token()
+		if !errEquiv(err, tc.tokenErr) {
+			t.Errorf("%q Token() error: got %v, want %v", tc.name, err, tc.tokenErr)
+		}
+		if !reflect.DeepEqual(tok, tc.tok) {
+			t.Errorf("%q Token() got %v, want %v", tc.name, tok, tc.tok)
+		}
+	}
+}
+
+type fakePersister struct {
+	lk    sync.Mutex
+	cache map[string]string
+}
+
+func (f *fakePersister) Persist(cache map[string]string) error {
+	f.lk.Lock()
+	defer f.lk.Unlock()
+	f.cache = map[string]string{}
+	for k, v := range cache {
+		f.cache[k] = v
+	}
+	return nil
+}
+
+func (f *fakePersister) read() map[string]string {
+	ret := map[string]string{}
+	f.lk.Lock()
+	defer f.lk.Unlock()
+	for k, v := range f.cache {
+		ret[k] = v
+	}
+	return ret
+}
+
+type fakeTokenSource struct {
+	token *oauth2.Token
+	err   error
+}
+
+func (f *fakeTokenSource) Token() (*oauth2.Token, error) {
+	return f.token, f.err
+}
+
+func TestCachedTokenSource(t *testing.T) {
+	tok := &oauth2.Token{AccessToken: "fakeaccesstoken"}
+	persister := &fakePersister{}
+	source := &fakeTokenSource{
+		token: tok,
+		err:   nil,
+	}
+	cache := map[string]string{
+		"foo": "bar",
+		"baz": "bazinga",
+	}
+	ts, err := newCachedTokenSource("fakeaccesstoken", "", persister, source, cache)
+	if err != nil {
+		t.Fatal(err)
+	}
+	var wg sync.WaitGroup
+	wg.Add(10)
+	for i := 0; i < 10; i++ {
+		go func() {
+			_, err := ts.Token()
+			if err != nil {
+				t.Errorf("unexpected error: %s", err)
+			}
+			wg.Done()
+		}()
+	}
+	wg.Wait()
+	cache["access-token"] = "fakeaccesstoken"
+	cache["expiry"] = tok.Expiry.Format(time.RFC3339Nano)
+	if got := persister.read(); !reflect.DeepEqual(got, cache) {
+		t.Errorf("got cache %v, want %v", got, cache)
+	}
+}

vendor/k8s.io/client-go/plugin/pkg/client/auth/oidc/BUILD

@@ -0,0 +1,35 @@
+package(default_visibility = ["//visibility:public"])
+
+licenses(["notice"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_library",
+    "go_test",
+)
+
+go_test(
+    name = "go_default_test",
+    srcs = ["oidc_test.go"],
+    library = ":go_default_library",
+    tags = ["automanaged"],
+    deps = [
+        "//vendor/github.com/coreos/go-oidc/jose:go_default_library",
+        "//vendor/github.com/coreos/go-oidc/key:go_default_library",
+        "//vendor/github.com/coreos/go-oidc/oauth2:go_default_library",
+        "//vendor/k8s.io/client-go/plugin/pkg/auth/authenticator/token/oidc/testing:go_default_library",
+    ],
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = ["oidc.go"],
+    tags = ["automanaged"],
+    deps = [
+        "//vendor/github.com/coreos/go-oidc/jose:go_default_library",
+        "//vendor/github.com/coreos/go-oidc/oauth2:go_default_library",
+        "//vendor/github.com/coreos/go-oidc/oidc:go_default_library",
+        "//vendor/github.com/golang/glog:go_default_library",
+        "//vendor/k8s.io/client-go/rest:go_default_library",
+    ],
+)

vendor/k8s.io/client-go/plugin/pkg/client/auth/oidc/OWNERS

@@ -0,0 +1,4 @@
+approvers:
+- ericchiang
+reviewers:
+- ericchiang

vendor/k8s.io/client-go/plugin/pkg/client/auth/oidc/oidc.go

@@ -0,0 +1,336 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package oidc
+
+import (
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"net/http"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/coreos/go-oidc/jose"
+	"github.com/coreos/go-oidc/oauth2"
+	"github.com/coreos/go-oidc/oidc"
+	"github.com/golang/glog"
+
+	restclient "k8s.io/client-go/rest"
+)
+
+const (
+	cfgIssuerUrl                = "idp-issuer-url"
+	cfgClientID                 = "client-id"
+	cfgClientSecret             = "client-secret"
+	cfgCertificateAuthority     = "idp-certificate-authority"
+	cfgCertificateAuthorityData = "idp-certificate-authority-data"
+	cfgExtraScopes              = "extra-scopes"
+	cfgIDToken                  = "id-token"
+	cfgRefreshToken             = "refresh-token"
+)
+
+func init() {
+	if err := restclient.RegisterAuthProviderPlugin("oidc", newOIDCAuthProvider); err != nil {
+		glog.Fatalf("Failed to register oidc auth plugin: %v", err)
+	}
+}
+
+// expiryDelta determines how earlier a token should be considered
+// expired than its actual expiration time. It is used to avoid late
+// expirations due to client-server time mismatches.
+//
+// NOTE(ericchiang): this is take from golang.org/x/oauth2
+const expiryDelta = 10 * time.Second
+
+var cache = newClientCache()
+
+// Like TLS transports, keep a cache of OIDC clients indexed by issuer URL.
+type clientCache struct {
+	mu    sync.RWMutex
+	cache map[cacheKey]*oidcAuthProvider
+}
+
+func newClientCache() *clientCache {
+	return &clientCache{cache: make(map[cacheKey]*oidcAuthProvider)}
+}
+
+type cacheKey struct {
+	// Canonical issuer URL string of the provider.
+	issuerURL string
+
+	clientID     string
+	clientSecret string
+
+	// Don't use CA as cache key because we only add a cache entry if we can connect
+	// to the issuer in the first place. A valid CA is a prerequisite.
+}
+
+func (c *clientCache) getClient(issuer, clientID, clientSecret string) (*oidcAuthProvider, bool) {
+	c.mu.RLock()
+	defer c.mu.RUnlock()
+	client, ok := c.cache[cacheKey{issuer, clientID, clientSecret}]
+	return client, ok
+}
+
+// setClient attempts to put the client in the cache but may return any clients
+// with the same keys set before. This is so there's only ever one client for a provider.
+func (c *clientCache) setClient(issuer, clientID, clientSecret string, client *oidcAuthProvider) *oidcAuthProvider {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	key := cacheKey{issuer, clientID, clientSecret}
+
+	// If another client has already initialized a client for the given provider we want
+	// to use that client instead of the one we're trying to set. This is so all transports
+	// share a client and can coordinate around the same mutex when refreshing and writing
+	// to the kubeconfig.
+	if oldClient, ok := c.cache[key]; ok {
+		return oldClient
+	}
+
+	c.cache[key] = client
+	return client
+}
+
+func newOIDCAuthProvider(_ string, cfg map[string]string, persister restclient.AuthProviderConfigPersister) (restclient.AuthProvider, error) {
+	issuer := cfg[cfgIssuerUrl]
+	if issuer == "" {
+		return nil, fmt.Errorf("Must provide %s", cfgIssuerUrl)
+	}
+
+	clientID := cfg[cfgClientID]
+	if clientID == "" {
+		return nil, fmt.Errorf("Must provide %s", cfgClientID)
+	}
+
+	clientSecret := cfg[cfgClientSecret]
+	if clientSecret == "" {
+		return nil, fmt.Errorf("Must provide %s", cfgClientSecret)
+	}
+
+	// Check cache for existing provider.
+	if provider, ok := cache.getClient(issuer, clientID, clientSecret); ok {
+		return provider, nil
+	}
+
+	var certAuthData []byte
+	var err error
+	if cfg[cfgCertificateAuthorityData] != "" {
+		certAuthData, err = base64.StdEncoding.DecodeString(cfg[cfgCertificateAuthorityData])
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	clientConfig := restclient.Config{
+		TLSClientConfig: restclient.TLSClientConfig{
+			CAFile: cfg[cfgCertificateAuthority],
+			CAData: certAuthData,
+		},
+	}
+
+	trans, err := restclient.TransportFor(&clientConfig)
+	if err != nil {
+		return nil, err
+	}
+	hc := &http.Client{Transport: trans}
+
+	providerCfg, err := oidc.FetchProviderConfig(hc, issuer)
+	if err != nil {
+		return nil, fmt.Errorf("error fetching provider config: %v", err)
+	}
+
+	scopes := strings.Split(cfg[cfgExtraScopes], ",")
+	oidcCfg := oidc.ClientConfig{
+		HTTPClient: hc,
+		Credentials: oidc.ClientCredentials{
+			ID:     clientID,
+			Secret: clientSecret,
+		},
+		ProviderConfig: providerCfg,
+		Scope:          append(scopes, oidc.DefaultScope...),
+	}
+	client, err := oidc.NewClient(oidcCfg)
+	if err != nil {
+		return nil, fmt.Errorf("error creating OIDC Client: %v", err)
+	}
+
+	provider := &oidcAuthProvider{
+		client:    &oidcClient{client},
+		cfg:       cfg,
+		persister: persister,
+		now:       time.Now,
+	}
+
+	return cache.setClient(issuer, clientID, clientSecret, provider), nil
+}
+
+type oidcAuthProvider struct {
+	// Interface rather than a raw *oidc.Client for testing.
+	client OIDCClient
+
+	// Stubbed out for testing.
+	now func() time.Time
+
+	// Mutex guards persisting to the kubeconfig file and allows synchronized
+	// updates to the in-memory config. It also ensures concurrent calls to
+	// the RoundTripper only trigger a single refresh request.
+	mu        sync.Mutex
+	cfg       map[string]string
+	persister restclient.AuthProviderConfigPersister
+}
+
+func (p *oidcAuthProvider) WrapTransport(rt http.RoundTripper) http.RoundTripper {
+	return &roundTripper{
+		wrapped:  rt,
+		provider: p,
+	}
+}
+
+func (p *oidcAuthProvider) Login() error {
+	return errors.New("not yet implemented")
+}
+
+type OIDCClient interface {
+	refreshToken(rt string) (oauth2.TokenResponse, error)
+	verifyJWT(jwt *jose.JWT) error
+}
+
+type roundTripper struct {
+	provider *oidcAuthProvider
+	wrapped  http.RoundTripper
+}
+
+func (r *roundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
+	if len(req.Header.Get("Authorization")) != 0 {
+		return r.wrapped.RoundTrip(req)
+	}
+	token, err := r.provider.idToken()
+	if err != nil {
+		return nil, err
+	}
+
+	// shallow copy of the struct
+	r2 := new(http.Request)
+	*r2 = *req
+	// deep copy of the Header so we don't modify the original
+	// request's Header (as per RoundTripper contract).
+	r2.Header = make(http.Header)
+	for k, s := range req.Header {
+		r2.Header[k] = s
+	}
+	r2.Header.Set("Authorization", fmt.Sprintf("Bearer %s", token))
+
+	return r.wrapped.RoundTrip(r2)
+}
+
+func (p *oidcAuthProvider) idToken() (string, error) {
+	p.mu.Lock()
+	defer p.mu.Unlock()
+
+	if idToken, ok := p.cfg[cfgIDToken]; ok && len(idToken) > 0 {
+		valid, err := verifyJWTExpiry(p.now(), idToken)
+		if err != nil {
+			return "", err
+		}
+		if valid {
+			// If the cached id token is still valid use it.
+			return idToken, nil
+		}
+	}
+
+	// Try to request a new token using the refresh token.
+	rt, ok := p.cfg[cfgRefreshToken]
+	if !ok || len(rt) == 0 {
+		return "", errors.New("No valid id-token, and cannot refresh without refresh-token")
+	}
+
+	tokens, err := p.client.refreshToken(rt)
+	if err != nil {
+		return "", fmt.Errorf("could not refresh token: %v", err)
+	}
+	jwt, err := jose.ParseJWT(tokens.IDToken)
+	if err != nil {
+		return "", err
+	}
+
+	if err := p.client.verifyJWT(&jwt); err != nil {
+		return "", err
+	}
+
+	// Create a new config to persist.
+	newCfg := make(map[string]string)
+	for key, val := range p.cfg {
+		newCfg[key] = val
+	}
+
+	if tokens.RefreshToken != "" && tokens.RefreshToken != rt {
+		newCfg[cfgRefreshToken] = tokens.RefreshToken
+	}
+
+	newCfg[cfgIDToken] = tokens.IDToken
+	if err = p.persister.Persist(newCfg); err != nil {
+		return "", fmt.Errorf("could not perist new tokens: %v", err)
+	}
+
+	// Update the in memory config to reflect the on disk one.
+	p.cfg = newCfg
+
+	return tokens.IDToken, nil
+}
+
+// oidcClient is the real implementation of the OIDCClient interface, which is
+// used for testing.
+type oidcClient struct {
+	client *oidc.Client
+}
+
+func (o *oidcClient) refreshToken(rt string) (oauth2.TokenResponse, error) {
+	oac, err := o.client.OAuthClient()
+	if err != nil {
+		return oauth2.TokenResponse{}, err
+	}
+
+	return oac.RequestToken(oauth2.GrantTypeRefreshToken, rt)
+}
+
+func (o *oidcClient) verifyJWT(jwt *jose.JWT) error {
+	return o.client.VerifyJWT(*jwt)
+}
+
+func verifyJWTExpiry(now time.Time, s string) (valid bool, err error) {
+	jwt, err := jose.ParseJWT(s)
+	if err != nil {
+		return false, fmt.Errorf("invalid %q", cfgIDToken)
+	}
+	claims, err := jwt.Claims()
+	if err != nil {
+		return false, err
+	}
+
+	exp, ok, err := claims.TimeClaim("exp")
+	switch {
+	case err != nil:
+		return false, fmt.Errorf("failed to parse 'exp' claim: %v", err)
+	case !ok:
+		return false, errors.New("missing required 'exp' claim")
+	case exp.After(now.Add(expiryDelta)):
+		return true, nil
+	}
+
+	return false, nil
+}

vendor/k8s.io/client-go/plugin/pkg/client/auth/oidc/oidc_test.go

@@ -0,0 +1,384 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package oidc
+
+import (
+	"encoding/base64"
+	"errors"
+	"io/ioutil"
+	"os"
+	"path"
+	"reflect"
+	"testing"
+	"time"
+
+	"github.com/coreos/go-oidc/jose"
+	"github.com/coreos/go-oidc/key"
+	"github.com/coreos/go-oidc/oauth2"
+
+	oidctesting "k8s.io/client-go/plugin/pkg/auth/authenticator/token/oidc/testing"
+)
+
+func clearCache() {
+	cache = newClientCache()
+}
+
+type persister struct{}
+
+// we don't need to actually persist anything because there's no way for us to
+// read from a persister.
+func (p *persister) Persist(map[string]string) error { return nil }
+
+type noRefreshOIDCClient struct{}
+
+func (c *noRefreshOIDCClient) refreshToken(rt string) (oauth2.TokenResponse, error) {
+	return oauth2.TokenResponse{}, errors.New("alwaysErrOIDCClient: cannot refresh token")
+}
+
+func (c *noRefreshOIDCClient) verifyJWT(jwt *jose.JWT) error {
+	return nil
+}
+
+type mockOIDCClient struct {
+	tokenResponse oauth2.TokenResponse
+}
+
+func (c *mockOIDCClient) refreshToken(rt string) (oauth2.TokenResponse, error) {
+	return c.tokenResponse, nil
+}
+
+func (c *mockOIDCClient) verifyJWT(jwt *jose.JWT) error {
+	return nil
+}
+
+func TestNewOIDCAuthProvider(t *testing.T) {
+	tempDir, err := ioutil.TempDir(os.TempDir(), "oidc_test")
+	if err != nil {
+		t.Fatalf("Cannot make temp dir %v", err)
+	}
+	cert := path.Join(tempDir, "oidc-cert")
+	key := path.Join(tempDir, "oidc-key")
+	defer os.RemoveAll(tempDir)
+
+	oidctesting.GenerateSelfSignedCert(t, "127.0.0.1", cert, key)
+	op := oidctesting.NewOIDCProvider(t, "")
+	srv, err := op.ServeTLSWithKeyPair(cert, key)
+	if err != nil {
+		t.Fatalf("Cannot start server %v", err)
+	}
+	defer srv.Close()
+
+	certData, err := ioutil.ReadFile(cert)
+	if err != nil {
+		t.Fatalf("Could not read cert bytes %v", err)
+	}
+
+	makeToken := func(exp time.Time) *jose.JWT {
+		jwt, err := jose.NewSignedJWT(jose.Claims(map[string]interface{}{
+			"exp": exp.UTC().Unix(),
+		}), op.PrivKey.Signer())
+		if err != nil {
+			t.Fatalf("Could not create signed JWT %v", err)
+		}
+		return jwt
+	}
+
+	t0 := time.Now()
+
+	goodToken := makeToken(t0.Add(time.Hour)).Encode()
+	expiredToken := makeToken(t0.Add(-time.Hour)).Encode()
+
+	tests := []struct {
+		name string
+
+		cfg         map[string]string
+		wantInitErr bool
+
+		client       OIDCClient
+		wantCfg      map[string]string
+		wantTokenErr bool
+	}{
+		{
+			// A Valid configuration
+			name: "no id token and no refresh token",
+			cfg: map[string]string{
+				cfgIssuerUrl:            srv.URL,
+				cfgCertificateAuthority: cert,
+				cfgClientID:             "client-id",
+				cfgClientSecret:         "client-secret",
+			},
+			wantTokenErr: true,
+		},
+		{
+			name: "valid config with an initial token",
+			cfg: map[string]string{
+				cfgIssuerUrl:            srv.URL,
+				cfgCertificateAuthority: cert,
+				cfgClientID:             "client-id",
+				cfgClientSecret:         "client-secret",
+				cfgIDToken:              goodToken,
+			},
+			client: new(noRefreshOIDCClient),
+			wantCfg: map[string]string{
+				cfgIssuerUrl:            srv.URL,
+				cfgCertificateAuthority: cert,
+				cfgClientID:             "client-id",
+				cfgClientSecret:         "client-secret",
+				cfgIDToken:              goodToken,
+			},
+		},
+		{
+			name: "invalid ID token with a refresh token",
+			cfg: map[string]string{
+				cfgIssuerUrl:            srv.URL,
+				cfgCertificateAuthority: cert,
+				cfgClientID:             "client-id",
+				cfgClientSecret:         "client-secret",
+				cfgRefreshToken:         "foo",
+				cfgIDToken:              expiredToken,
+			},
+			client: &mockOIDCClient{
+				tokenResponse: oauth2.TokenResponse{
+					IDToken: goodToken,
+				},
+			},
+			wantCfg: map[string]string{
+				cfgIssuerUrl:            srv.URL,
+				cfgCertificateAuthority: cert,
+				cfgClientID:             "client-id",
+				cfgClientSecret:         "client-secret",
+				cfgRefreshToken:         "foo",
+				cfgIDToken:              goodToken,
+			},
+		},
+		{
+			name: "invalid ID token with a refresh token, server returns new refresh token",
+			cfg: map[string]string{
+				cfgIssuerUrl:            srv.URL,
+				cfgCertificateAuthority: cert,
+				cfgClientID:             "client-id",
+				cfgClientSecret:         "client-secret",
+				cfgRefreshToken:         "foo",
+				cfgIDToken:              expiredToken,
+			},
+			client: &mockOIDCClient{
+				tokenResponse: oauth2.TokenResponse{
+					IDToken:      goodToken,
+					RefreshToken: "bar",
+				},
+			},
+			wantCfg: map[string]string{
+				cfgIssuerUrl:            srv.URL,
+				cfgCertificateAuthority: cert,
+				cfgClientID:             "client-id",
+				cfgClientSecret:         "client-secret",
+				cfgRefreshToken:         "bar",
+				cfgIDToken:              goodToken,
+			},
+		},
+		{
+			name: "expired token and no refresh otken",
+			cfg: map[string]string{
+				cfgIssuerUrl:            srv.URL,
+				cfgCertificateAuthority: cert,
+				cfgClientID:             "client-id",
+				cfgClientSecret:         "client-secret",
+				cfgIDToken:              expiredToken,
+			},
+			wantTokenErr: true,
+		},
+		{
+			name: "valid base64d ca",
+			cfg: map[string]string{
+				cfgIssuerUrl:                srv.URL,
+				cfgCertificateAuthorityData: base64.StdEncoding.EncodeToString(certData),
+				cfgClientID:                 "client-id",
+				cfgClientSecret:             "client-secret",
+			},
+			client:       new(noRefreshOIDCClient),
+			wantTokenErr: true,
+		},
+		{
+			name: "missing client ID",
+			cfg: map[string]string{
+				cfgIssuerUrl:            srv.URL,
+				cfgCertificateAuthority: cert,
+				cfgClientSecret:         "client-secret",
+			},
+			wantInitErr: true,
+		},
+		{
+			name: "missing client secret",
+			cfg: map[string]string{
+				cfgIssuerUrl:            srv.URL,
+				cfgCertificateAuthority: cert,
+				cfgClientID:             "client-id",
+			},
+			wantInitErr: true,
+		},
+		{
+			name: "missing issuer URL",
+			cfg: map[string]string{
+				cfgCertificateAuthority: cert,
+				cfgClientID:             "client-id",
+				cfgClientSecret:         "secret",
+			},
+			wantInitErr: true,
+		},
+		{
+			name: "missing TLS config",
+			cfg: map[string]string{
+				cfgIssuerUrl:    srv.URL,
+				cfgClientID:     "client-id",
+				cfgClientSecret: "secret",
+			},
+			wantInitErr: true,
+		},
+	}
+
+	for _, tt := range tests {
+		clearCache()
+
+		p, err := newOIDCAuthProvider("cluster.example.com", tt.cfg, new(persister))
+		if tt.wantInitErr {
+			if err == nil {
+				t.Errorf("%s: want non-nil err", tt.name)
+			}
+			continue
+		}
+
+		if err != nil {
+			t.Errorf("%s: unexpected error on newOIDCAuthProvider: %v", tt.name, err)
+			continue
+		}
+
+		provider := p.(*oidcAuthProvider)
+		provider.client = tt.client
+		provider.now = func() time.Time { return t0 }
+
+		if _, err := provider.idToken(); err != nil {
+			if !tt.wantTokenErr {
+				t.Errorf("%s: failed to get id token: %v", tt.name, err)
+			}
+			continue
+		}
+		if tt.wantTokenErr {
+			t.Errorf("%s: expected to not get id token: %v", tt.name, err)
+			continue
+		}
+
+		if !reflect.DeepEqual(tt.wantCfg, provider.cfg) {
+			t.Errorf("%s: expected config %#v got %#v", tt.name, tt.wantCfg, provider.cfg)
+		}
+	}
+}
+
+func TestVerifyJWTExpiry(t *testing.T) {
+	privKey, err := key.GeneratePrivateKey()
+	if err != nil {
+		t.Fatalf("can't generate private key: %v", err)
+	}
+	makeToken := func(s string, exp time.Time, count int) *jose.JWT {
+		jwt, err := jose.NewSignedJWT(jose.Claims(map[string]interface{}{
+			"test":  s,
+			"exp":   exp.UTC().Unix(),
+			"count": count,
+		}), privKey.Signer())
+		if err != nil {
+			t.Fatalf("Could not create signed JWT %v", err)
+		}
+		return jwt
+	}
+
+	t0 := time.Now()
+
+	tests := []struct {
+		name        string
+		jwt         *jose.JWT
+		now         time.Time
+		wantErr     bool
+		wantExpired bool
+	}{
+		{
+			name: "valid jwt",
+			jwt:  makeToken("foo", t0.Add(time.Hour), 1),
+			now:  t0,
+		},
+		{
+			name:    "invalid jwt",
+			jwt:     &jose.JWT{},
+			now:     t0,
+			wantErr: true,
+		},
+		{
+			name:        "expired jwt",
+			jwt:         makeToken("foo", t0.Add(-time.Hour), 1),
+			now:         t0,
+			wantExpired: true,
+		},
+		{
+			name:        "jwt expires soon enough to be marked expired",
+			jwt:         makeToken("foo", t0, 1),
+			now:         t0,
+			wantExpired: true,
+		},
+	}
+
+	for _, tc := range tests {
+		func() {
+			valid, err := verifyJWTExpiry(tc.now, tc.jwt.Encode())
+			if err != nil {
+				if !tc.wantErr {
+					t.Errorf("%s: %v", tc.name, err)
+				}
+				return
+			}
+			if tc.wantErr {
+				t.Errorf("%s: expected error", tc.name)
+				return
+			}
+
+			if valid && tc.wantExpired {
+				t.Errorf("%s: expected token to be expired", tc.name)
+			}
+			if !valid && !tc.wantExpired {
+				t.Errorf("%s: expected token to be valid", tc.name)
+			}
+		}()
+	}
+}
+
+func TestClientCache(t *testing.T) {
+	cache := newClientCache()
+
+	if _, ok := cache.getClient("issuer1", "id1", "secret1"); ok {
+		t.Fatalf("got client before putting one in the cache")
+	}
+
+	cli1 := new(oidcAuthProvider)
+	cli2 := new(oidcAuthProvider)
+
+	gotcli := cache.setClient("issuer1", "id1", "secret1", cli1)
+	if cli1 != gotcli {
+		t.Fatalf("set first client and got a different one")
+	}
+
+	gotcli = cache.setClient("issuer1", "id1", "secret1", cli2)
+	if cli1 != gotcli {
+		t.Fatalf("set a second client and didn't get the first")
+	}
+}

vendor/k8s.io/client-go/plugin/pkg/client/auth/plugins.go

@@ -0,0 +1,23 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package auth
+
+import (
+	// Initialize all known client auth plugins.
+	_ "k8s.io/client-go/plugin/pkg/client/auth/gcp"
+	_ "k8s.io/client-go/plugin/pkg/client/auth/oidc"
+)