fix: Don't treat generic exec plugin as OIDC (kyma-project#4651)

* fix: dont treat generic exec plugin treat as OIDC

* adjust translation

Author: chriskari

public/i18n/en.yaml

@@ -141,13 +141,16 @@ clusters:
       inMemory: In memory
       localStorage: Local storage
       sessionStorage: Session storage
+    oidc-memory-warning: Memory storage is not compatible with browser-based OIDC login. After the authentication redirect, cluster data stored in memory is lost. Use session or local storage instead.
     storage-preference: Storage preference
     title: Storage Type
   token: Token
   wizard:
     auth:
       client-id: Client ID
       client-secret: Client Secret
+      exec-command: Command
+      exec-info: Run the above command to obtain a token, then paste it in the Token field.
       issuer-url: Issuer URL
       scopes: Scopes
       token: Token

src/components/Clusters/components/AddClusterWizard.jsx

@@ -1,5 +1,10 @@
 import { useState } from 'react';
-import { Title, Wizard, WizardStep } from '@ui5/webcomponents-react';
+import {
+  MessageStrip,
+  Title,
+  Wizard,
+  WizardStep,
+} from '@ui5/webcomponents-react';
 import { useTranslation } from 'react-i18next';
 import { useAtomValue, useSetAtom } from 'jotai';
 
@@ -14,6 +19,7 @@ import { isFormOpenAtom } from 'state/formOpenAtom';
 import { checkAuthRequiredInputs } from '../helper';
 
 import { addByContext, getUser, hasKubeconfigAuth } from '../shared';
+import { isOIDCExec } from './oidc-params';
 import { AuthForm } from './AuthForm';
 import { KubeconfigUpload } from './KubeconfigUpload/KubeconfigUpload';
 import { ContextChooser } from './ContextChooser/ContextChooser';
@@ -237,6 +243,16 @@ export function AddClusterWizard({ config = {} }) {
               setStorage={setStorage}
               hideLabel
             />
+            {isOIDCExec(getUser(kubeconfig)?.exec) &&
+              storage === 'inMemory' && (
+                <MessageStrip
+                  design="Critical"
+                  hideCloseButton
+                  className="sap-margin-top-small"
+                >
+                  {t('clusters.storage.oidc-memory-warning')}
+                </MessageStrip>
+              )}
           </div>
         </WizardStep>
         <WizardStep

src/components/Clusters/components/AuthForm.jsx

@@ -2,7 +2,11 @@ import { useState, useEffect } from 'react';
 import { useTranslation } from 'react-i18next';
 import { MessageStrip, Switch, Title } from '@ui5/webcomponents-react';
 import jp from 'jsonpath';
-import { createLoginCommand, tryParseOIDCparams } from './oidc-params';
+import {
+  createLoginCommand,
+  isOIDCExec,
+  tryParseOIDCparams,
+} from './oidc-params';
 
 import { ResourceForm } from 'shared/ResourceForm';
 import * as Inputs from 'shared/ResourceForm/inputs';
@@ -70,23 +74,43 @@ const OIDCform = ({ resource, ...props }) => {
   );
 };
 
-const TokenForm = ({ resource, ...props }) => {
+const TokenForm = ({ resource, setResource, onChange, ...props }) => {
   const { t } = useTranslation();
   const userIndex = getUserIndex(resource);
+  const exec = resource?.users?.[userIndex]?.user?.exec;
+  const isGenericExec = !!exec && !isOIDCExec(exec);
   const [token, setToken] = useState(resource?.users?.[userIndex]?.user?.token);
 
   return (
-    <ResourceForm.Wrapper resource={resource} {...props}>
+    <ResourceForm.Wrapper
+      resource={resource}
+      setResource={setResource}
+      {...props}
+    >
+      {isGenericExec && exec?.command && (
+        <ResourceForm.FormField
+          label={t('clusters.wizard.auth.exec-command')}
+          input={Inputs.Text}
+          value={exec.command}
+          readOnly
+        />
+      )}
       <ResourceForm.FormField
         required
         value={token}
         setValue={(val) => {
           setToken(val);
           jp.value(resource, `$.users[${userIndex}].user.token`, val);
+          setResource?.({ ...resource });
+          onChange?.();
         }}
         label={t('clusters.wizard.auth.token')}
         input={Inputs.Text}
-        inputInfo={t('clusters.wizard.token-info')}
+        inputInfo={
+          isGenericExec
+            ? t('clusters.wizard.auth.exec-info')
+            : t('clusters.wizard.token-info')
+        }
       />
     </ResourceForm.Wrapper>
   );
@@ -102,7 +126,10 @@ export function AuthForm({
 }) {
   const { t } = useTranslation();
 
-  const [useOidc, setUseOidc] = useState(!!getUser(resource)?.exec);
+  const userExec = getUser(resource)?.exec;
+  const isGenericExec = !!userExec && !isOIDCExec(userExec);
+
+  const [useOidc, setUseOidc] = useState(!isGenericExec && !!userExec);
 
   useEffect(() => {
     revalidate();
@@ -120,6 +147,11 @@ export function AuthForm({
     setUseOidc(!useOidc);
   };
 
+  const incompleteContext =
+    resource['current-context'] === '-all-'
+      ? resource.contexts[0]?.name
+      : resource['current-context'];
+
   return (
     <ResourceForm.Wrapper
       formElementRef={formElementRef}
@@ -134,30 +166,29 @@ export function AuthForm({
           hideCloseButton
           className="sap-margin-y-small"
         >
-          {t('clusters.wizard.incomplete', {
-            context:
-              resource['current-context'] === '-all-'
-                ? resource.contexts[0]?.name
-                : resource['current-context'],
-          })}
+          {t('clusters.wizard.incomplete', { context: incompleteContext })}
         </MessageStrip>
         {!useOidc && (
           <TokenForm onChange={checkRequiredInputs} resource={resource} />
         )}
-        <ResourceForm.FormField
-          label={t('clusters.wizard.auth.using-oidc')}
-          input={(props) => (
-            <Switch
-              {...props}
-              className="sap-margin-top-tiny"
-              checked={useOidc}
-              onChange={switchAuthVariant}
+        {!isGenericExec && (
+          <>
+            <ResourceForm.FormField
+              label={t('clusters.wizard.auth.using-oidc')}
+              input={(props) => (
+                <Switch
+                  {...props}
+                  className="sap-margin-top-tiny"
+                  checked={useOidc}
+                  onChange={switchAuthVariant}
+                />
+              )}
+              className="oidc-switch"
             />
-          )}
-          className="oidc-switch"
-        />
-        {useOidc && (
-          <OIDCform onChange={checkRequiredInputs} resource={resource} />
+            {useOidc && (
+              <OIDCform onChange={checkRequiredInputs} resource={resource} />
+            )}
+          </>
         )}
       </div>
     </ResourceForm.Wrapper>

src/components/Clusters/components/ClusterPreview.tsx

@@ -6,18 +6,33 @@ import {
   findInitialValues,
 } from '../views/EditCluster/EditCluster';
 import { getUserIndex } from '../shared';
+import { isOIDCExec } from './oidc-params';
 import {
   Kubeconfig,
   KubeconfigNonOIDCAuthToken,
   KubeconfigOIDCAuth,
 } from 'types';
 import { Tokens } from 'shared/components/Tokens';
 
-const TokenData = ({ token }: { token: string }) => {
+const TokenData = ({
+  token,
+  execCommand,
+}: {
+  token: string;
+  execCommand?: string;
+}) => {
   const { t } = useTranslation();
 
   return (
     <>
+      {execCommand && (
+        <>
+          <p className="cluster-preview__data-header sap-margin-top-small sap-margin-bottom-tiny">
+            {t('clusters.wizard.auth.exec-command')}:
+          </p>
+          <div>{execCommand}</div>
+        </>
+      )}
       <p className="cluster-preview__data-header sap-margin-top-small sap-margin-bottom-tiny">
         {`${t('clusters.token')}:`}
       </p>
@@ -92,11 +107,9 @@ export function ClusterPreview({
 }: ClusterPreviewProps) {
   const { t } = useTranslation();
   const userIndex = getUserIndex(kubeconfig);
-  const authenticationType = (
-    kubeconfig?.users?.[userIndex]?.user as KubeconfigOIDCAuth
-  )?.exec
-    ? 'oidc'
-    : 'token';
+  const exec = (kubeconfig?.users?.[userIndex]?.user as KubeconfigOIDCAuth)
+    ?.exec;
+  const authenticationType = exec && isOIDCExec(exec) ? 'oidc' : 'token';
 
   const issuerUrl = findInitialValue(kubeconfig, 'oidc-issuer-url', userIndex);
   const clientId = findInitialValue(kubeconfig, 'oidc-client-id', userIndex);
@@ -149,7 +162,7 @@ export function ClusterPreview({
         <div className="cluster-preview__content sap-margin-top-small sap-margin-bottom-tiny">
           <div className="cluster-preview__auth">
             {authenticationType === 'token' ? (
-              <TokenData token={token} />
+              <TokenData token={token} execCommand={exec?.command} />
             ) : (
               <OidcData
                 issuerUrl={issuerUrl}

src/components/Clusters/components/oidc-params.ts

@@ -1,5 +1,9 @@
 import { KubeconfigOIDCAuth, LoginCommand } from 'types';
 
+export function isOIDCExec(exec: { args?: string[] } | undefined): boolean {
+  return !!exec?.args?.some((arg) => arg?.startsWith('--oidc-issuer-url='));
+}
+
 const OIDC_PARAM_NAMES = new Map([
   ['--oidc-issuer-url', 'issuerUrl'],
   ['--oidc-client-id', 'clientId'],

src/components/Clusters/components/test/oidc-params.test.js

@@ -1,4 +1,41 @@
-import { parseOIDCparams } from '../oidc-params';
+import { parseOIDCparams, isOIDCExec } from '../oidc-params';
+
+describe('isOIDCExec', () => {
+  it('returns true when exec args contain --oidc-issuer-url', () => {
+    const exec = {
+      command: 'kubectl',
+      args: [
+        'oidc-login',
+        'get-token',
+        '--oidc-issuer-url=https://example.com',
+        '--oidc-client-id=myid',
+      ],
+    };
+    expect(isOIDCExec(exec)).toBe(true);
+  });
+
+  it('returns false for a generic exec plugin without OIDC args', () => {
+    const exec = {
+      command: 'sh',
+      args: ['mock-oidc.sh'],
+    };
+    expect(isOIDCExec(exec)).toBe(false);
+  });
+
+  it('returns false when exec has empty args array', () => {
+    const exec = { command: 'my-plugin', args: [] };
+    expect(isOIDCExec(exec)).toBe(false);
+  });
+
+  it('returns false when exec has no args property', () => {
+    const exec = { command: 'my-plugin' };
+    expect(isOIDCExec(exec)).toBe(false);
+  });
+
+  it('returns false for undefined exec', () => {
+    expect(isOIDCExec(undefined)).toBe(false);
+  });
+});
 
 describe('parseOIDCparams', () => {
   it('Throw for empty data', () => {

src/components/Clusters/shared.ts

@@ -8,7 +8,7 @@ import {
   ValidKubeconfig,
 } from 'types';
 import { useClustersInfoType } from 'state/utils/getClustersInfo';
-import { tryParseOIDCparams } from './components/oidc-params';
+import { tryParseOIDCparams, isOIDCExec } from './components/oidc-params';
 import { hasNonOidcAuth, createUserManager } from 'state/authDataAtom';
 import { useNavigate } from 'react-router';
 import { useSetAtom } from 'jotai';
@@ -66,7 +66,8 @@ export function deleteCluster(
   setClusters((prev) => {
     // todo the same function when we switch cluster from oidc one
     const prevCredentials = prev?.[clusterName]?.currentContext.user.user;
-    if (!hasNonOidcAuth(prevCredentials)) {
+    const prevExec = (prevCredentials as KubeconfigOIDCAuth)?.exec;
+    if (!hasNonOidcAuth(prevCredentials) && isOIDCExec(prevExec)) {
       const userManager = createUserManager(
         parseOIDCparams(prevCredentials as KubeconfigOIDCAuth),
       );
@@ -140,6 +141,7 @@ export function hasKubeconfigAuth(kubeconfig: Kubeconfig) {
     if ('client-certificate-data' in user) {
       return user['client-certificate-data'] && !!user['client-key-data'];
     }
+
     const oidcData = tryParseOIDCparams(user as KubeconfigOIDCAuth);
 
     if (oidcData?.issuerUrl && oidcData?.clientId && oidcData?.scopes) {