Merge pull request #588 from enj/enj/i/webhookcachefiller_ca

webhookcachefiller: be stricter about CA bundle validation
Mo Khan 2021-04-29 07:47:06 -04:00 committed by GitHub
commit 9e4f601a3f
2 changed files with 23 additions and 2 deletions


@ -5,7 +5,9 @@
package authenticator package authenticator
import ( import (
"crypto/x509"
"encoding/base64" "encoding/base64"
"fmt"
auth1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1" auth1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
) )
@ -22,8 +24,18 @@ type Closer interface {
// nil CA bundle will be returned. If the provided spec contains a CA bundle that is not properly // nil CA bundle will be returned. If the provided spec contains a CA bundle that is not properly
// encoded, an error will be returned. // encoded, an error will be returned.
func CABundle(spec *auth1alpha1.TLSSpec) ([]byte, error) { func CABundle(spec *auth1alpha1.TLSSpec) ([]byte, error) {
if spec == nil { if spec == nil || len(spec.CertificateAuthorityData) == 0 {
return nil, nil return nil, nil
} }
return base64.StdEncoding.DecodeString(spec.CertificateAuthorityData)
pem, err := base64.StdEncoding.DecodeString(spec.CertificateAuthorityData)
if err != nil {
return nil, err
}
if ok := x509.NewCertPool().AppendCertsFromPEM(pem); !ok {
return nil, fmt.Errorf("certificateAuthorityData is not valid PEM")
}
return pem, nil
} }
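Review bot: The new check `x509.NewCertPool().AppendCertsFromPEM(pem)` only establishes that at least one `CERTIFICATE` block parses, so a bundle containing one good certificate followed by garbage or non-certificate PEM blocks still passes and is returned unchanged, while the message "is not valid PEM" is also produced for well-formed PEM that simply holds no parsable certificate (a key block, for instance). Consider wording the error to match what is actually tested, e.g. `return nil, fmt.Errorf("certificateAuthorityData does not contain any valid certificates")`, and note that the test in the second file asserts the current string and would need the same change. The function's doc comment, which begins outside this hunk, still says only that an improperly encoded bundle is rejected; it should also state that data which decodes but yields no parsable certificate is rejected, e.g. `// ... If the data is not valid base64, or decodes to PEM from which no certificate can be parsed, an error is returned.` AppendCertsFromPEM does not check BasicConstraints/IsCA, so if callers rely on these being CA certificates that remains a downstream concern.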


@ -135,6 +135,15 @@ func TestNewWebhookAuthenticator(t *testing.T) {
require.EqualError(t, err, "invalid TLS configuration: illegal base64 data at input byte 7") require.EqualError(t, err, "invalid TLS configuration: illegal base64 data at input byte 7")
}) })
t.Run("invalid pem data", func(t *testing.T) {
res, err := newWebhookAuthenticator(&auth1alpha1.WebhookAuthenticatorSpec{
Endpoint: "https://example.com",
TLS: &auth1alpha1.TLSSpec{CertificateAuthorityData: base64.StdEncoding.EncodeToString([]byte("bad data"))},
}, ioutil.TempFile, clientcmd.WriteToFile)
require.Nil(t, res)
require.EqualError(t, err, "invalid TLS configuration: certificateAuthorityData is not valid PEM")
})
t.Run("valid config with no TLS spec", func(t *testing.T) { t.Run("valid config with no TLS spec", func(t *testing.T) {
res, err := newWebhookAuthenticator(&auth1alpha1.WebhookAuthenticatorSpec{ res, err := newWebhookAuthenticator(&auth1alpha1.WebhookAuthenticatorSpec{
Endpoint: "https://example.com", Endpoint: "https://example.com",