Merge pull request #588 from enj/enj/i/webhookcachefiller_ca
webhookcachefiller: be stricter about CA bundle validation
9e4f601a3f
@ -5,7 +5,9 @@
|
|||||||
package authenticator
|
package authenticator
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"crypto/x509"
|
||||||
"encoding/base64"
|
"encoding/base64"
|
||||||
|
"fmt"
|
||||||
|
|
||||||
auth1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
|
auth1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
|
||||||
)
|
)
|
||||||
@ -22,8 +24,18 @@ type Closer interface {
|
|||||||
// nil CA bundle will be returned. If the provided spec contains a CA bundle that is not properly
|
// nil CA bundle will be returned. If the provided spec contains a CA bundle that is not properly
|
||||||
// encoded, an error will be returned.
|
// encoded, an error will be returned.
|
||||||
func CABundle(spec *auth1alpha1.TLSSpec) ([]byte, error) {
|
func CABundle(spec *auth1alpha1.TLSSpec) ([]byte, error) {
|
||||||
if spec == nil {
|
if spec == nil || len(spec.CertificateAuthorityData) == 0 {
|
||||||
return nil, nil
|
return nil, nil
|
||||||
}
|
}
|
||||||
return base64.StdEncoding.DecodeString(spec.CertificateAuthorityData)
|
|
||||||
|
pem, err := base64.StdEncoding.DecodeString(spec.CertificateAuthorityData)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
if ok := x509.NewCertPool().AppendCertsFromPEM(pem); !ok {
|
||||||
|
return nil, fmt.Errorf("certificateAuthorityData is not valid PEM")
|
||||||
|
}
|
||||||
|
|
||||||
|
return pem, nil
|
||||||
}
|
}
|
||||||
|
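Review bot: The check `x509.NewCertPool().AppendCertsFromPEM(pem)` only requires that at least one CERTIFICATE block parses, so a bundle that mixes one good certificate with malformed or non-certificate blocks still passes here and those blocks are dropped silently wherever the returned bytes are parsed again. For genuinely strict validation, walk the bundle with `encoding/pem` and `x509.ParseCertificate` and reject any block that is not a parsable certificate, as sketched below (this needs `bytes`, `encoding/pem` and `errors` imported, and renames the local `pem` so it does not shadow that package). Separately, `fmt.Errorf("certificateAuthorityData is not valid PEM")` has no format verbs, so `errors.New` is the idiomatic form, and the "invalid pem data" test in the second file pins that exact message, so any wording change has to be mirrored there. The unchanged doc comment above the function still only mentions improper encoding; add `// The bundle must also consist of PEM-encoded certificates that parse; anything else is rejected.`
```go
	raw, err := base64.StdEncoding.DecodeString(spec.CertificateAuthorityData)
	if err != nil {
		return nil, err
	}

	// Require every PEM block to be a parsable certificate instead of
	// accepting the bundle as soon as a single block parses.
	rest, found := raw, false
	for len(bytes.TrimSpace(rest)) > 0 {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			return nil, errors.New("certificateAuthorityData is not valid PEM")
		}
		if block.Type != "CERTIFICATE" {
			return nil, errors.New("certificateAuthorityData contains a non-certificate PEM block")
		}
		if _, err := x509.ParseCertificate(block.Bytes); err != nil {
			return nil, fmt.Errorf("certificateAuthorityData contains an invalid certificate: %w", err)
		}
		found = true
	}
	if !found {
		return nil, errors.New("certificateAuthorityData does not contain any PEM-encoded certificates")
	}

	return raw, nil
```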
@ -135,6 +135,15 @@ func TestNewWebhookAuthenticator(t *testing.T) {
|
|||||||
require.EqualError(t, err, "invalid TLS configuration: illegal base64 data at input byte 7")
|
require.EqualError(t, err, "invalid TLS configuration: illegal base64 data at input byte 7")
|
||||||
})
|
})
|
||||||
|
|
||||||
|
t.Run("invalid pem data", func(t *testing.T) {
|
||||||
|
res, err := newWebhookAuthenticator(&auth1alpha1.WebhookAuthenticatorSpec{
|
||||||
|
Endpoint: "https://example.com",
|
||||||
|
TLS: &auth1alpha1.TLSSpec{CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte("bad data"))},
|
||||||
|
}, ioutil.TempFile, clientcmd.WriteToFile)
|
||||||
|
require.Nil(t, res)
|
||||||
|
require.EqualError(t, err, "invalid TLS configuration: certificateAuthorityData is not valid PEM")
|
||||||
|
})
|
||||||
|
|
||||||
t.Run("valid config with no TLS spec", func(t *testing.T) {
|
t.Run("valid config with no TLS spec", func(t *testing.T) {
|
||||||
res, err := newWebhookAuthenticator(&auth1alpha1.WebhookAuthenticatorSpec{
|
res, err := newWebhookAuthenticator(&auth1alpha1.WebhookAuthenticatorSpec{
|
||||||
Endpoint: "https://example.com",
|
Endpoint: "https://example.com",
|
||||||
|