Use of org.cryptacular.StreamException in project OpenUnison by TremoloSecurity.
The class OpenShiftTarget, method init.
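/**
 * Initializes this target from its provisioning configuration.
 *
 * <p>Loads the API {@code url} and either basic credentials or a bearer token
 * (selected by {@code useToken} and {@code tokenType}), stores the cluster CA
 * certificate in the shared key store when the target points at the local
 * cluster (empty {@code url}), stores an optional PEM {@code certificate}, and
 * finally rebuilds the HTTP configuration of the {@link ConfigManager}.
 *
 * @param cfg    target options keyed by option name
 * @param cfgMgr configuration manager that owns the key store and HTTP configuration
 * @param name   name of this target; also the default {@code label}
 * @throws ProvisioningException if a required option is missing, the token type is
 *         unknown, a token or certificate cannot be loaded, or the HTTP
 *         configuration cannot be rebuilt
 */
@Override
public void init(Map<String, Attribute> cfg, ConfigManager cfgMgr, String name) throws ProvisioningException {
    this.url = this.loadOption("url", cfg, false);
    this.useDefaultCaPath = false;

    String tmpUseToken = this.loadOptionalAttributeValue("useToken", "Use Token", cfg, null);
    this.useToken = tmpUseToken != null && tmpUseToken.equalsIgnoreCase("true");

    if (!useToken) {
        this.userName = this.loadOption("userName", cfg, false);
        this.password = this.loadOption("password", cfg, true);
    } else {
        String localTokenType = this.loadOptionalAttributeValue("tokenType", "tokenType", cfg, null);
        if (localTokenType == null || localTokenType.trim().isEmpty()) {
            localTokenType = "LEGACY";
        }
        this.tokenType = this.parseTokenType(localTokenType);

        switch (tokenType) {
            case STATIC:
                this.osToken = this.loadOptionalAttributeValue("token", "Token", cfg, "***************************");
                break;
            case LEGACY:
                // May switch tokenType to TOKENAPI when the mounted token turns out to be projected
                this.loadLegacyServiceAccountToken();
                break;
            case TOKENAPI:
                this.tokenPath = this.loadOption("tokenPath", cfg, false);
                this.checkProjectedToken();
                break;
            case NONE:
                break;
            case OIDC:
                this.initRemoteOidc(cfg, cfgMgr, localTokenType);
                break;
        }

        // An empty url means "this cluster": trust the cluster CA rather than a configured endpoint
        if (this.url.isEmpty()) {
            this.localToken = true;
            this.storeLocalClusterCaCert(cfg, cfgMgr);
        }
    }

    this.cfgMgr = cfgMgr;
    this.name = name;

    Attribute certificateAttr = cfg.get("certificate");
    if (certificateAttr != null) {
        String certificate = certificateAttr.getValues().get(0);
        try {
            X509Certificate cert = this.pem2cert(certificate);
            cfgMgr.getKeyStore().setCertificateEntry("k8s-certificate-" + this.name, cert);
        } catch (Exception e) {
            throw new ProvisioningException("Could not load certificate", e);
        }
    }

    // Rebuild after the key store changes above so the client picks them up
    try {
        cfgMgr.buildHttpConfig();
    } catch (KeyManagementException | UnrecoverableKeyException | NoSuchAlgorithmException | KeyStoreException e) {
        throw new ProvisioningException("Could not rebuild http configuration", e);
    }

    this.label = this.loadOptionalAttributeValue("label", "label", cfg, null);
    if (this.label == null) {
        this.label = this.name;
    }
    this.gitUrl = this.loadOptionalAttributeValue("gitUrl", "gitUrl", cfg, null);
}

/**
 * Maps the configured {@code tokenType} option to a {@link TokenType}.
 *
 * <p>Upper-casing uses {@code Locale.ROOT} so the mapping does not depend on the
 * JVM's default locale, and an unknown value is reported as a configuration
 * error instead of an unchecked {@link IllegalArgumentException}.
 *
 * @param configured raw option value, never {@code null}
 * @return the matching token type
 * @throws ProvisioningException if the value is not a known token type
 */
private TokenType parseTokenType(String configured) throws ProvisioningException {
    try {
        return TokenType.valueOf(configured.trim().toUpperCase(java.util.Locale.ROOT));
    } catch (IllegalArgumentException e) {
        throw new ProvisioningException("Unknown tokenType '" + configured + "'", e);
    }
}

/**
 * Reads the mounted service-account token and, if it is a projected (expiring)
 * token, switches this target to {@link TokenType#TOKENAPI} so the token is
 * re-read from its path instead of being cached; starting in Kubernetes 1.21 the
 * projected token is the default.
 *
 * <p>The JWT payload is decoded only to look for an {@code exp} claim; the
 * signature is not verified here. The token is read from the pod's own
 * service-account mount, not received from a remote party, and nothing is
 * authorized on the basis of these unverified claims.
 *
 * @throws ProvisioningException if the token file cannot be read or its payload
 *         is not valid JSON
 */
private void loadLegacyServiceAccountToken() throws ProvisioningException {
    final String saTokenPath = "/var/run/secrets/kubernetes.io/serviceaccount/token";
    try {
        this.osToken = new String(Files.readAllBytes(Paths.get(saTokenPath)), StandardCharsets.UTF_8);
    } catch (IOException e) {
        throw new ProvisioningException("Could not load token", e);
    }

    // Only a header.payload.signature token can be inspected; anything else is kept as an opaque legacy token
    int firstPeriod = this.osToken.indexOf('.');
    int lastPeriod = this.osToken.lastIndexOf('.');
    if (firstPeriod < 0 || lastPeriod <= firstPeriod) {
        return;
    }

    String payload = this.osToken.substring(firstPeriod + 1, lastPeriod);
    // Explicit charset: JWT payloads are UTF-8 JSON regardless of the platform default
    String json = new String(Base64.decodeBase64(payload), StandardCharsets.UTF_8);
    try {
        Object parsed = new JSONParser().parse(json);
        if (parsed instanceof JSONObject && ((JSONObject) parsed).containsKey("exp")) {
            logger.info("Default token is projected, switching to TokenAPI");
            this.tokenType = TokenType.TOKENAPI;
            this.tokenPath = saTokenPath;
            this.useDefaultCaPath = true;
            this.checkProjectedToken();
        }
    } catch (ParseException e1) {
        throw new ProvisioningException("Could not load token", e1);
    }
}

/**
 * Stores the cluster CA certificate in the shared key store under
 * {@code caCertAlias} (default {@code k8s-master}).
 *
 * <p>Legacy and projected tokens use the CA mounted next to the token; an
 * explicitly configured TOKENAPI token needs {@code certPath}. Other token types
 * identify no CA, which is reported instead of storing a null entry.
 *
 * @param cfg    target options
 * @param cfgMgr configuration manager owning the key store
 * @throws ProvisioningException if no CA is available for the token type or the
 *         certificate cannot be read or stored
 */
private void storeLocalClusterCaCert(Map<String, Attribute> cfg, ConfigManager cfgMgr) throws ProvisioningException {
    String certAlias = this.loadOptionalAttributeValue("caCertAlias", "caCertAlias", cfg, null);
    if (certAlias == null) {
        certAlias = "k8s-master";
    }
    try {
        logger.info("Cert Alias Storing - '" + certAlias + "'");
        X509Certificate cert = null;
        if (tokenType == TokenType.LEGACY || this.useDefaultCaPath) {
            cert = CertUtil.readCertificate("/var/run/secrets/kubernetes.io/serviceaccount/ca.crt");
        } else if (tokenType == TokenType.TOKENAPI) {
            cert = CertUtil.readCertificate(this.loadOption("certPath", cfg, false));
        }
        if (cert == null) {
            throw new ProvisioningException("No CA certificate available for token type " + tokenType);
        }
        logger.info("Certificate - " + cert);
        cfgMgr.getKeyStore().setCertificateEntry(certAlias, cert);
    } catch (KeyStoreException | EncodingException | StreamException e) {
        throw new ProvisioningException("Could not load ca cert", e);
    }
}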