cmd/local-user-authenticator: check for invalid TokenReview type meta

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-09-11 12:06:50 -04:00 · 2020-09-11 12:06:50 -04:00 · a3dbb309d0
commit a3dbb309d0
parent c436f84b3d
2 changed files with 67 additions and 1 deletions
--- a/cmd/local-user-authenticator/main.go
+++ b/cmd/local-user-authenticator/main.go
@ -191,6 +191,18 @@ func getUsernameAndPasswordFromRequest(rsp http.ResponseWriter, req *http.Reques
 		return "", "", invalidRequest
 	}

+	if body.APIVersion != authenticationv1.SchemeGroupVersion.String() {
+		klog.InfoS("invalid TokenReview apiVersion", "apiVersion", body.APIVersion)
+		rsp.WriteHeader(http.StatusBadRequest)
+		return "", "", invalidRequest
+	}
+
+	if body.Kind != "TokenReview" {
+		klog.InfoS("invalid TokenReview kind", "kind", body.Kind)
+		rsp.WriteHeader(http.StatusBadRequest)
+		return "", "", invalidRequest
+	}
+
 	tokenSegments := strings.SplitN(body.Spec.Token, ":", 2)
 	if len(tokenSegments) != 2 {
 		klog.InfoS("bad token format in request")
--- a/cmd/local-user-authenticator/main_test.go
+++ b/cmd/local-user-authenticator/main_test.go
@ -260,6 +260,46 @@ func TestWebhook(t *testing.T) {
 			wantHeaders: map[string][]string{"Content-Type": {"application/json"}},
 			wantBody:    authenticatedResponseJSON(colonUser, colonUID, []string{group0, group1}),
 		},
+		{
+			name:    "bad TokenReview group",
+			url:     goodURL,
+			method:  http.MethodPost,
+			headers: goodRequestHeaders,
+			body: func() (io.ReadCloser, error) {
+				return newTokenReviewBody(
+					user+":"+password,
+					"wrong-group/v1",
+				)
+			},
+			wantStatus: http.StatusBadRequest,
+		},
+		{
+			name:    "bad TokenReview version",
+			url:     goodURL,
+			method:  http.MethodPost,
+			headers: goodRequestHeaders,
+			body: func() (io.ReadCloser, error) {
+				return newTokenReviewBody(
+					user+":"+password,
+					"authentication.k8s.io/wrong-version",
+				)
+			},
+			wantStatus: http.StatusBadRequest,
+		},
+		{
+			name:    "bad TokenReview kind",
+			url:     goodURL,
+			method:  http.MethodPost,
+			headers: goodRequestHeaders,
+			body: func() (io.ReadCloser, error) {
+				return newTokenReviewBody(
+					user+":"+password,
+					authenticationv1.SchemeGroupVersion.String(),
+					"wrong-kind",
+				)
+			},
+			wantStatus: http.StatusBadRequest,
+		},
 		{
 			name:       "bad path",
 			url:        fmt.Sprintf("https://%s/tuna", l.Addr().String()),
@ -448,9 +488,23 @@ func newClient(caBundle []byte, serverName string) *http.Client {

 // newTokenReviewBody creates an io.ReadCloser that contains a JSON-encoded
 // TokenReview request.
-func newTokenReviewBody(token string) (io.ReadCloser, error) {
+func newTokenReviewBody(token string, extra ...string) (io.ReadCloser, error) {
+	v := authenticationv1.SchemeGroupVersion.String()
+	if len(extra) > 0 {
+		v = extra[0]
+	}
+
+	k := "TokenReview"
+	if len(extra) > 1 {
+		k = extra[1]
+	}
+
 	buf := bytes.NewBuffer([]byte{})
 	tr := authenticationv1.TokenReview{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: v,
+			Kind:       k,
+		},
 		Spec: authenticationv1.TokenReviewSpec{
 			Token: token,
 		},