From a3dbb309d0bce2fe9394ebe0dd1f0047975d61ff Mon Sep 17 00:00:00 2001
From: Andrew Keesler <akeesler@vmware.com>
Date: Fri, 11 Sep 2020 12:06:50 -0400
Subject: [PATCH] cmd/local-user-authenticator: check for invalid TokenReview
 type meta

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
---
 cmd/local-user-authenticator/main.go      | 12 +++++
 cmd/local-user-authenticator/main_test.go | 56 ++++++++++++++++++++++-
 2 files changed, 67 insertions(+), 1 deletion(-)

diff --git a/cmd/local-user-authenticator/main.go b/cmd/local-user-authenticator/main.go
index cf4cfae9..2c5d57ca 100644
--- a/cmd/local-user-authenticator/main.go
+++ b/cmd/local-user-authenticator/main.go
@@ -191,6 +191,18 @@ func getUsernameAndPasswordFromRequest(rsp http.ResponseWriter, req *http.Reques
 		return "", "", invalidRequest
 	}
 
+	if body.APIVersion != authenticationv1.SchemeGroupVersion.String() {
+		klog.InfoS("invalid TokenReview apiVersion", "apiVersion", body.APIVersion)
+		rsp.WriteHeader(http.StatusBadRequest)
+		return "", "", invalidRequest
+	}
+
+	if body.Kind != "TokenReview" {
+		klog.InfoS("invalid TokenReview kind", "kind", body.Kind)
+		rsp.WriteHeader(http.StatusBadRequest)
+		return "", "", invalidRequest
+	}
+
 	tokenSegments := strings.SplitN(body.Spec.Token, ":", 2)
 	if len(tokenSegments) != 2 {
 		klog.InfoS("bad token format in request")
diff --git a/cmd/local-user-authenticator/main_test.go b/cmd/local-user-authenticator/main_test.go
index 92b10dcd..da174aba 100644
--- a/cmd/local-user-authenticator/main_test.go
+++ b/cmd/local-user-authenticator/main_test.go
@@ -260,6 +260,46 @@ func TestWebhook(t *testing.T) {
 			wantHeaders: map[string][]string{"Content-Type": {"application/json"}},
 			wantBody:    authenticatedResponseJSON(colonUser, colonUID, []string{group0, group1}),
 		},
+		{
+			name:    "bad TokenReview group",
+			url:     goodURL,
+			method:  http.MethodPost,
+			headers: goodRequestHeaders,
+			body: func() (io.ReadCloser, error) {
+				return newTokenReviewBody(
+					user+":"+password,
+					"wrong-group/v1",
+				)
+			},
+			wantStatus: http.StatusBadRequest,
+		},
+		{
+			name:    "bad TokenReview version",
+			url:     goodURL,
+			method:  http.MethodPost,
+			headers: goodRequestHeaders,
+			body: func() (io.ReadCloser, error) {
+				return newTokenReviewBody(
+					user+":"+password,
+					"authentication.k8s.io/wrong-version",
+				)
+			},
+			wantStatus: http.StatusBadRequest,
+		},
+		{
+			name:    "bad TokenReview kind",
+			url:     goodURL,
+			method:  http.MethodPost,
+			headers: goodRequestHeaders,
+			body: func() (io.ReadCloser, error) {
+				return newTokenReviewBody(
+					user+":"+password,
+					authenticationv1.SchemeGroupVersion.String(),
+					"wrong-kind",
+				)
+			},
+			wantStatus: http.StatusBadRequest,
+		},
 		{
 			name:       "bad path",
 			url:        fmt.Sprintf("https://%s/tuna", l.Addr().String()),
@@ -448,9 +488,23 @@ func newClient(caBundle []byte, serverName string) *http.Client {
 
 // newTokenReviewBody creates an io.ReadCloser that contains a JSON-encoded
 // TokenReview request.
-func newTokenReviewBody(token string) (io.ReadCloser, error) {
+func newTokenReviewBody(token string, extra ...string) (io.ReadCloser, error) {
+	v := authenticationv1.SchemeGroupVersion.String()
+	if len(extra) > 0 {
+		v = extra[0]
+	}
+
+	k := "TokenReview"
+	if len(extra) > 1 {
+		k = extra[1]
+	}
+
 	buf := bytes.NewBuffer([]byte{})
 	tr := authenticationv1.TokenReview{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: v,
+			Kind:       k,
+		},
 		Spec: authenticationv1.TokenReviewSpec{
 			Token: token,
 		},