Merge pull request #112 from britive/develop

v1.6.0rc3

Author: twratl

CHANGELOG.md

@@ -2,6 +2,24 @@
 
 * As of v1.4.0 release candidates will be published in an effort to get new features out faster while still allowing time for full QA testing before moving the release candidate to a full release.
 
+## v1.6.0rc3 [2023-10-31]
+#### What's New
+* None
+
+#### Enhancements
+* None
+
+#### Bug Fixes
+* Clarified language in an error message when an authentication token has been invalidated on the server side and the resulting action the user must take to clear the token.
+* More gracefully handle when a Kubernetes `certificate-authority-data` cannot be base64 decoded to a proper certificate - we will skip over that specific cluster.
+
+#### Dependencies
+* None
+
+#### Other
+* None
+
+
 ## v1.6.0rc2 [2023-10-27]
 #### What's New
 * None

setup.cfg

@@ -1,6 +1,6 @@
 [metadata]
 name = pybritive
-version = 1.6.0rc2
+version = 1.6.0rc3
 author = Britive Inc.
 author_email = support@britive.com
 description = A pure Python CLI for Britive

src/pybritive/britive_cli.py

@@ -1168,13 +1168,13 @@ def request_disposition(self, request_id, decision):
 
     def clear_cached_aws_credentials(self, profile):
         # start with the profile name that was passed in from the command
-        Cache().clear_awscredentialprocess(profile_name=profile)
+        Cache().clear_credentials(profile_name=profile)
 
         # then we can try to split it into parts and clear that version of the
         # profile name as well - it will not hurt anything to try to clear
         # both versions
         parts = self._split_profile_into_parts(profile)
-        Cache().clear_awscredentialprocess(profile_name=f"{parts['app']}/{parts['env']}/{parts['profile']}")
+        Cache().clear_credentials(profile_name=f"{parts['app']}/{parts['env']}/{parts['profile']}")
 
     def ssh_gcp_identity_aware_proxy(self, username, hostname, push_public_key, port_number, key_source):
         self.silent = True

src/pybritive/cli_interface.py

@@ -25,10 +25,9 @@ def safe_cli():
             sys.tracebacklimit = 0
         cli()
     except Exception as e:
-        part1 = '401 - e0000 - aws access token for subject'
-        part2 = 'not authorized by cognito'
-        if part1 in str(e).lower() and part2 in str(e).lower():
-            click.echo('You have logged out of Britive via the browser. Please run `pybritive logout` to clear your '
+        if '401 - e0000' in str(e).lower():
+            click.echo('You have logged out of Britive via the browser. Please run '
+                       '`pybritive logout [-t/--tenant <tenant>]` to clear your '
                        'token and then re-run your command.')
             return
         if debug:

src/pybritive/helpers/kube_config_builder.py

@@ -1,8 +1,10 @@
+import click
 import yaml
 from pathlib import Path
 from .config import ConfigManager
 from ..britive_cli import BritiveCli
 import os
+import base64
 
 
 def sanitize(name: str):
@@ -32,7 +34,7 @@ def check_env_var(filename, cli: BritiveCli):
         cli.print(command)
 
 
-def merge_new_with_existing(clusters, contexts, users, filename, tenant, assigned_aliases):
+def merge_new_with_existing(clusters, contexts, users, filename, tenant):
     # get the existing config, so we can pop out all
     # items related to this tenant as we will be replacing
     # them with the above created items
@@ -47,8 +49,8 @@ def merge_new_with_existing(clusters, contexts, users, filename, tenant, assigne
             clusters.append(cluster)
 
     for context in existing_kubeconfig.get('contexts', []):
-        name = context.get('name', '')
-        if not name.startswith(prefix) and name not in assigned_aliases:
+        cluster_name = context.get('context', {}).get('cluster', '')
+        if not cluster_name.startswith(prefix):
             contexts.append(context)
 
     for user in existing_kubeconfig.get('users', []):
@@ -94,7 +96,20 @@ def parse_profiles(profiles, aliases):
     return [cluster_names, assigned_aliases]
 
 
-def build_tenant_config(tenant, cluster_names, username):
+def valid_cert(cert: str, profile: str, cli: BritiveCli):
+    try:
+        decoded_cert = base64.b64decode(cert).decode('utf-8')
+        if not decoded_cert.startswith('-----BEGIN CERTIFICATE-----'):
+            raise ValueError()
+        if not decoded_cert.strip().endswith('-----END CERTIFICATE-----'):
+            raise ValueError()
+        return True
+    except Exception:
+        cli.print(f'could not properly decode certificate authority data for profile {profile} - skipping this cluster')
+        return False
+
+
+def build_tenant_config(tenant, cluster_names, username, cli: BritiveCli):
     users = [
         {
             'name': username,
@@ -125,6 +140,9 @@ def build_tenant_config(tenant, cluster_names, username):
         cert = details['cert']
         url = details['url']
 
+        if not valid_cert(cert=cert, profile=details['profile'], cli=cli):
+            continue
+
         for name in names:
             clusters.append(
                 {
@@ -173,7 +191,8 @@ def build_kube_config(profiles: list, config: ConfigManager, username: str, cli:
     clusters, contexts, users = build_tenant_config(
         tenant=tenant,
         cluster_names=cluster_names,
-        username=username
+        username=username,
+        cli=cli
     )
 
     # calculate the path for the config
@@ -188,8 +207,7 @@ def build_kube_config(profiles: list, config: ConfigManager, username: str, cli:
         contexts=contexts,
         users=users,
         tenant=tenant,
-        filename=filename,
-        assigned_aliases=assigned_aliases
+        filename=filename
     )
 
     # if required ensure we tell the user they need to modify their KUBECONFIG env var