From a3dbb309d0bce2fe9394ebe0dd1f0047975d61ff Mon Sep 17 00:00:00 2001
From: Andrew Keesler
Date: Fri, 11 Sep 2020 12:06:50 -0400
Subject: [PATCH] cmd/local-user-authenticator: check for invalid TokenReview type meta

Signed-off-by: Andrew Keesler
---
 cmd/local-user-authenticator/main.go | 12 +++++
 cmd/local-user-authenticator/main_test.go | 56 ++++++++++++++++++++++-
 2 files changed, 67 insertions(+), 1 deletion(-)

diff --git a/cmd/local-user-authenticator/main.go b/cmd/local-user-authenticator/main.go
index cf4cfae9..2c5d57ca 100644
--- a/cmd/local-user-authenticator/main.go
+++ b/cmd/local-user-authenticator/main.go
@@ -191,6 +191,18 @@ func getUsernameAndPasswordFromRequest(rsp http.ResponseWriter, req *http.Reques
 return "", "", invalidRequest
 }
 
+ if body.APIVersion != authenticationv1.SchemeGroupVersion.String() {
+ klog.InfoS("invalid TokenReview apiVersion", "apiVersion", body.APIVersion)
+ rsp.WriteHeader(http.StatusBadRequest)
+ return "", "", invalidRequest
+ }
+
+ if body.Kind != "TokenReview" {
+ klog.InfoS("invalid TokenReview kind", "kind", body.Kind)
+ rsp.WriteHeader(http.StatusBadRequest)
+ return "", "", invalidRequest
+ }
+
 tokenSegments := strings.SplitN(body.Spec.Token, ":", 2)
 if len(tokenSegments) != 2 {
 klog.InfoS("bad token format in request")
diff --git a/cmd/local-user-authenticator/main_test.go b/cmd/local-user-authenticator/main_test.go
index 92b10dcd..da174aba 100644
--- a/cmd/local-user-authenticator/main_test.go
+++ b/cmd/local-user-authenticator/main_test.go
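Review bot: The apiVersion comparison on the first added line accepts only the exact authentication.k8s.io/v1 string, so a kube-apiserver whose token webhook is configured to send v1beta1 TokenReview (a common configuration for clusters of this era, if I recall the flag default correctly) would now get a 400 instead of an answer; if only v1 is intended, that decision deserves a comment at the check, e.g. `// Only authentication.k8s.io/v1 TokenReview is accepted; other versions are rejected rather than answered with a v1-shaped response.` The second check compares against a bare "TokenReview" literal that the test helper also spells out; a shared named constant would keep the two from drifting. Logging the client-supplied apiVersion and kind through klog.InfoS is fine since structured logging quotes the values. getUsernameAndPasswordFromRequest starts before the hunk and continues past it.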
@@ -260,6 +260,46 @@ func TestWebhook(t *testing.T) {
 wantHeaders: map[string][]string{"Content-Type": {"application/json"}},
 wantBody: authenticatedResponseJSON(colonUser, colonUID, []string{group0, group1}),
 },
+ {
+ name: "bad TokenReview group",
+ url: goodURL,
+ method: http.MethodPost,
+ headers: goodRequestHeaders,
+ body: func() (io.ReadCloser, error) {
+ return newTokenReviewBody(
+ user+":"+password,
+ "wrong-group/v1",
+ )
+ },
+ wantStatus: http.StatusBadRequest,
+ },
+ {
+ name: "bad TokenReview version",
+ url: goodURL,
+ method: http.MethodPost,
+ headers: goodRequestHeaders,
+ body: func() (io.ReadCloser, error) {
+ return newTokenReviewBody(
+ user+":"+password,
+ "authentication.k8s.io/wrong-version",
+ )
+ },
+ wantStatus: http.StatusBadRequest,
+ },
+ {
+ name: "bad TokenReview kind",
+ url: goodURL,
+ method: http.MethodPost,
+ headers: goodRequestHeaders,
+ body: func() (io.ReadCloser, error) {
+ return newTokenReviewBody(
+ user+":"+password,
+ authenticationv1.SchemeGroupVersion.String(),
+ "wrong-kind",
+ )
+ },
+ wantStatus: http.StatusBadRequest,
+ },
 {
 name: "bad path",
 url: fmt.Sprintf("https://%s/tuna", l.Addr().String()),
@@ -448,9 +488,23 @@ func newClient(caBundle []byte, serverName string) *http.Client {
 // newTokenReviewBody creates an io.ReadCloser that contains a JSON-encoded
 // TokenReview request.
-func newTokenReviewBody(token string) (io.ReadCloser, error) {
+func newTokenReviewBody(token string, extra ...string) (io.ReadCloser, error) {
+ v := authenticationv1.SchemeGroupVersion.String()
+ if len(extra) > 0 {
+ v = extra[0]
+ }
+
+ k := "TokenReview"
+ if len(extra) > 1 {
+ k = extra[1]
+ }
+
 buf := bytes.NewBuffer([]byte{})
 tr := authenticationv1.TokenReview{
+ TypeMeta: metav1.TypeMeta{
+ APIVersion: v,
+ Kind: k,
+ },
 Spec: authenticationv1.TokenReviewSpec{
 Token: token,
 },
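Review bot: The three new cases all send an explicit wrong TypeMeta, but none covers a body with TypeMeta omitted (empty apiVersion and kind), which is what a client that never sets type meta would send and which the new server check presumably also rejects; a fourth case built with `newTokenReviewBody(user+":"+password, "")` and `wantStatus: http.StatusBadRequest` would pin that. The "bad TokenReview group" and "bad TokenReview version" cases exercise the same single apiVersion string comparison on the server side, so either one could go or the names should say both are apiVersion cases. In the third case the trailing arguments `authenticationv1.SchemeGroupVersion.String(), "wrong-kind"` read as two opaque positional strings; giving newTokenReviewBody explicit apiVersion and kind parameters instead of the variadic `extra` would make the intent visible at each call site. TestWebhook starts and ends outside the hunk.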