Use the request context for Kubernetes API call (#104) (#105)

* Use the request context for kubernetes API call

* Upgrade go version

Author: briankassouf

.circleci/config.yml

@@ -2,7 +2,7 @@ version: 2
 jobs:
   build:
     docker:
-      - image: circleci/golang:1.12
+      - image: docker.mirror.hashicorp.services/circleci/golang:1.15
     working_directory: /go/src/github.com/hashicorp/vault-plugin-auth-kubernetes
     steps:
       - checkout

path_login.go

@@ -103,7 +103,7 @@ func (b *kubeAuthBackend) pathLogin(ctx context.Context, req *logical.Request, d
 	}
 
 	// look up the JWT token in the kubernetes API
-	err = serviceAccount.lookup(jwtStr, b.reviewFactory(config))
+	err = serviceAccount.lookup(ctx, jwtStr, b.reviewFactory(config))
 	if err != nil {
 		b.Logger().Error(`login unauthorized due to: ` + err.Error())
 		return nil, logical.ErrPermissionDenied
@@ -350,8 +350,8 @@ type projectedServiceAccountPod struct {
 
 // lookup calls the TokenReview API in kubernetes to verify the token and secret
 // still exist.
-func (s *serviceAccount) lookup(jwtStr string, tr tokenReviewer) error {
-	r, err := tr.Review(jwtStr, s.Audience)
+func (s *serviceAccount) lookup(ctx context.Context, jwtStr string, tr tokenReviewer) error {
+	r, err := tr.Review(ctx, jwtStr, s.Audience)
 	if err != nil {
 		return err
 	}

path_login_test.go

@@ -263,6 +263,33 @@ func TestLogin(t *testing.T) {
 	}
 }
 
+func TestLogin_ContextError(t *testing.T) {
+	b, storage := setupBackend(t, testDefaultPEMs, testName, testNamespace)
+
+	data := map[string]interface{}{
+		"role": "plugin-test",
+		"jwt":  jwtData,
+	}
+
+	req := &logical.Request{
+		Operation: logical.UpdateOperation,
+		Path:      "login",
+		Storage:   storage,
+		Data:      data,
+		Connection: &logical.Connection{
+			RemoteAddr: "127.0.0.1",
+		},
+	}
+
+	ctx, cancel := context.WithCancel(context.Background())
+	cancel()
+
+	_, err := b.HandleRequest(ctx, req)
+	if err != context.Canceled {
+		t.Fatalf("expected context canceled error, got: %v", err)
+	}
+}
+
 func TestLogin_ECDSA_PEM(t *testing.T) {
 	b, storage := setupBackend(t, testNoPEMs, testName, testNamespace)
 

token_review.go

@@ -2,6 +2,7 @@ package kubeauth
 
 import (
 	"bytes"
+	"context"
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/json"
@@ -28,7 +29,7 @@ type tokenReviewResult struct {
 
 // This exists so we can use a mock TokenReview when running tests
 type tokenReviewer interface {
-	Review(string, []string) (*tokenReviewResult, error)
+	Review(context.Context, string, []string) (*tokenReviewResult, error)
 }
 
 type tokenReviewFactory func(*kubeConfig) tokenReviewer
@@ -44,7 +45,7 @@ func tokenReviewAPIFactory(config *kubeConfig) tokenReviewer {
 	}
 }
 
-func (t *tokenReviewAPI) Review(jwt string, aud []string) (*tokenReviewResult, error) {
+func (t *tokenReviewAPI) Review(ctx context.Context, jwt string, aud []string) (*tokenReviewResult, error) {
 
 	client := cleanhttp.DefaultClient()
 
@@ -75,7 +76,7 @@ func (t *tokenReviewAPI) Review(jwt string, aud []string) (*tokenReviewResult, e
 
 	// Build the request to the token review API
 	url := fmt.Sprintf("%s/apis/authentication.k8s.io/v1/tokenreviews", strings.TrimSuffix(t.config.Host, "/"))
-	req, err := http.NewRequest("POST", url, bytes.NewBuffer(trJSON))
+	req, err := http.NewRequestWithContext(ctx, "POST", url, bytes.NewBuffer(trJSON))
 	if err != nil {
 		return nil, err
 	}
@@ -188,7 +189,11 @@ func mockTokenReviewFactory(name, namespace, UID string) tokenReviewFactory {
 	}
 }
 
-func (t *mockTokenReview) Review(jwt string, aud []string) (*tokenReviewResult, error) {
+func (t *mockTokenReview) Review(ctx context.Context, cjwt string, aud []string) (*tokenReviewResult, error) {
+	if ctx.Err() != nil {
+		return nil, ctx.Err()
+	}
+
 	return &tokenReviewResult{
 		Name:      t.saName,
 		Namespace: t.saNamespace,