From 7113923cb385adade4561bf5a02eba6f99b69de5 Mon Sep 17 00:00:00 2001
From: Alvaro Aleman <alvaroaleman@users.noreply.github.com>
Date: Tue, 6 Aug 2024 17:58:43 -0400
Subject: [PATCH] fix: check credential expiration timestamp when generating
 tokens

What this PR does / why we need it:

There are two expirations which must be considered when using a signed EKS token:

* 15 minutes after the point in time when the AWS STS request has been signed
* The underlying AWS credentials can expire at which point the token won't be accepted

The second case is particularly common when making frequent requests while using AssumeRole or AssumeRoleWithWebRequest as mentioned in #590 as the default session timeout is 1 hour.

This PR adds an additional check fetching the AWS credential expiration and using that as the returned expiration if it is before the 15 minute token expiration.
---
 pkg/token/token.go      |  8 ++++++
 pkg/token/token_test.go | 62 +++++++++++++++++++++++++++++++----------
 2 files changed, 56 insertions(+), 14 deletions(-)

diff --git a/pkg/token/token.go b/pkg/token/token.go
index 4e981f43a..6749d7c76 100644
--- a/pkg/token/token.go
+++ b/pkg/token/token.go
@@ -335,8 +335,16 @@ func (g generator) GetWithSTS(clusterID string, stsAPI stsiface.STSAPI) (Token,
 		return Token{}, err
 	}
 
+	// Fetch the timestamp when the credentials we're going to use for signing will not be valid anymore
+	// This operation is potentially racey, but the worst case is that we expire a token early
+	// Not all credential providers support this, so we ignore any returned errors
+	credentialsExpiration, _ := request.Config.Credentials.ExpiresAt()
+
 	// Set token expiration to 1 minute before the presigned URL expires for some cushion
 	tokenExpiration := g.nowFunc().Local().Add(presignedURLExpiration - 1*time.Minute)
+	if !credentialsExpiration.IsZero() && credentialsExpiration.Before(tokenExpiration) {
+		tokenExpiration = credentialsExpiration.Add(-1 * time.Minute)
+	}
 	// TODO: this may need to be a constant-time base64 encoding
 	return Token{v1Prefix + base64.RawURLEncoding.EncodeToString([]byte(presignedURLString)), tokenExpiration}, nil
 }
diff --git a/pkg/token/token_test.go b/pkg/token/token_test.go
index 5a1594d77..4883c0f32 100644
--- a/pkg/token/token_test.go
+++ b/pkg/token/token_test.go
@@ -590,6 +590,10 @@ func Test_getDefaultHostNameForRegion(t *testing.T) {
 func TestGetWithSTS(t *testing.T) {
 	clusterID := "test-cluster"
 
+	// Example non-real credentials
+	decodedAkid, _ := base64.StdEncoding.DecodeString("QVNJQVIyVEc0NFY2QVMzWlpFN0M=")
+	decodedSk, _ := base64.StdEncoding.DecodeString("NEtENWNudEdjVm1MV1JkRjV3dk5SdXpOTDVReG1wNk9LVlk2RnovUQ==")
+
 	cases := []struct {
 		name    string
 		creds   *credentials.Credentials
@@ -598,23 +602,34 @@ func TestGetWithSTS(t *testing.T) {
 		wantErr error
 	}{
 		{
-			"Non-zero time",
-			// Example non-real credentials
-			func() *credentials.Credentials {
-				decodedAkid, _ := base64.StdEncoding.DecodeString("QVNJQVIyVEc0NFY2QVMzWlpFN0M=")
-				decodedSk, _ := base64.StdEncoding.DecodeString("NEtENWNudEdjVm1MV1JkRjV3dk5SdXpOTDVReG1wNk9LVlk2RnovUQ==")
-				return credentials.NewStaticCredentials(
-					string(decodedAkid),
-					string(decodedSk),
-					"",
-				)
-			}(),
-			time.Unix(1682640000, 0),
-			Token{
+			name: "Non-zero time",
+			creds: credentials.NewStaticCredentials(
+				string(decodedAkid),
+				string(decodedSk),
+				"",
+			),
+			nowTime: time.Unix(1682640000, 0),
+			want: Token{
 				Token:      "k8s-aws-v1.aHR0cHM6Ly9zdHMudXMtd2VzdC0yLmFtYXpvbmF3cy5jb20vP0FjdGlvbj1HZXRDYWxsZXJJZGVudGl0eSZWZXJzaW9uPTIwMTEtMDYtMTUmWC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BU0lBUjJURzQ0VjZBUzNaWkU3QyUyRjIwMjMwNDI4JTJGdXMtd2VzdC0yJTJGc3RzJTJGYXdzNF9yZXF1ZXN0JlgtQW16LURhdGU9MjAyMzA0MjhUMDAwMDAwWiZYLUFtei1FeHBpcmVzPTYwJlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCUzQngtazhzLWF3cy1pZCZYLUFtei1TaWduYXR1cmU9ZTIxMWRiYTc3YWJhOWRjNDRiMGI2YmUzOGI4ZWFhZDA5MjU5OWM1MTU3ZjYzMTQ0NDRjNWI5ZDg1NzQ3ZjVjZQ",
 				Expiration: time.Unix(1682640000, 0).Local().Add(time.Minute * 14),
 			},
-			nil,
+			wantErr: nil,
+		},
+		{
+			name: "Signing creds expire before token",
+			creds: credentials.NewCredentials(&fakeCredentialProvider{
+				value: credentials.Value{
+					AccessKeyID:     string(decodedAkid),
+					SecretAccessKey: string(decodedSk),
+				},
+				expiresAt: time.Unix(1682640000, 0).Local().Add(time.Minute * 10),
+			}),
+			nowTime: time.Unix(1682640000, 0),
+			want: Token{
+				Token:      "k8s-aws-v1.aHR0cHM6Ly9zdHMudXMtd2VzdC0yLmFtYXpvbmF3cy5jb20vP0FjdGlvbj1HZXRDYWxsZXJJZGVudGl0eSZWZXJzaW9uPTIwMTEtMDYtMTUmWC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BU0lBUjJURzQ0VjZBUzNaWkU3QyUyRjIwMjMwNDI4JTJGdXMtd2VzdC0yJTJGc3RzJTJGYXdzNF9yZXF1ZXN0JlgtQW16LURhdGU9MjAyMzA0MjhUMDAwMDAwWiZYLUFtei1FeHBpcmVzPTYwJlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCUzQngtazhzLWF3cy1pZCZYLUFtei1TaWduYXR1cmU9ZTIxMWRiYTc3YWJhOWRjNDRiMGI2YmUzOGI4ZWFhZDA5MjU5OWM1MTU3ZjYzMTQ0NDRjNWI5ZDg1NzQ3ZjVjZQ",
+				Expiration: time.Unix(1682640000, 0).Local().Add(time.Minute * 9),
+			},
+			wantErr: nil,
 		},
 	}
 
@@ -647,6 +662,25 @@ func TestGetWithSTS(t *testing.T) {
 	}
 }
 
+type fakeCredentialProvider struct {
+	value     credentials.Value
+	expiresAt time.Time
+}
+
+func (f *fakeCredentialProvider) Retrieve() (credentials.Value, error) {
+	return f.value, nil
+}
+
+func (f *fakeCredentialProvider) IsExpired() bool {
+	return false
+}
+
+var _ credentials.Expirer = (*fakeCredentialProvider)(nil)
+
+func (f *fakeCredentialProvider) ExpiresAt() time.Time {
+	return f.expiresAt
+}
+
 func TestGetStsRegion(t *testing.T) {
 	tests := []struct {
 		host     string