cmd/local-user-authenticator: check for invalid TokenReview type meta

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
Andrew Keesler 2020-09-11 12:06:50 -04:00
parent c436f84b3d
commit a3dbb309d0
No known key found for this signature in database
GPG Key ID: 27CE0444346F9413
2 changed files with 67 additions and 1 deletions


@ -191,6 +191,18 @@ func getUsernameAndPasswordFromRequest(rsp http.ResponseWriter, req *http.Reques
return "", "", invalidRequest return "", "", invalidRequest
} }
if body.APIVersion != authenticationv1.SchemeGroupVersion.String() {
klog.InfoS("invalid TokenReview apiVersion", "apiVersion", body.APIVersion)
rsp.WriteHeader(http.StatusBadRequest)
return "", "", invalidRequest
}
if body.Kind != "TokenReview" {
klog.InfoS("invalid TokenReview kind", "kind", body.Kind)
rsp.WriteHeader(http.StatusBadRequest)
return "", "", invalidRequest
}
tokenSegments := strings.SplitN(body.Spec.Token, ":", 2) tokenSegments := strings.SplitN(body.Spec.Token, ":", 2)
if len(tokenSegments) != 2 { if len(tokenSegments) != 2 {
klog.InfoS("bad token format in request") klog.InfoS("bad token format in request")
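Review bot: The apiVersion check added here pins the webhook to `authentication.k8s.io/v1` and answers 400 for anything else, which as far as I recall also covers the `v1beta1` form kube-apiserver can be configured to send for token webhooks (`--authentication-token-webhook-version`), so a mismatched apiserver setting would surface only as a failed login plus an Info-level log line. If v1-only is the intended contract, say so next to the check, e.g. `// Only authentication.k8s.io/v1 TokenReviews are accepted; the apiserver's token webhook version must be configured to match.`, otherwise consider accepting the v1beta1 group/version as well since the request/response shape is the same in both. The two rejection paths log the client-supplied apiVersion and kind verbatim; klog.InfoS quotes string values so this is not a log-injection concern, but they are unbounded client-controlled strings and truncating them before logging would be a cheap hardening. The enclosing getUsernameAndPasswordFromRequest starts before this hunk, so the JSON decode that populates body is not visible here.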


@ -260,6 +260,46 @@ func TestWebhook(t *testing.T) {
wantHeaders: map[string][]string{"Content-Type": {"application/json"}}, wantHeaders: map[string][]string{"Content-Type": {"application/json"}},
wantBody: authenticatedResponseJSON(colonUser, colonUID, []string{group0, group1}), wantBody: authenticatedResponseJSON(colonUser, colonUID, []string{group0, group1}),
}, },
{
name: "bad TokenReview group",
url: goodURL,
method: http.MethodPost,
headers: goodRequestHeaders,
body: func() (io.ReadCloser, error) {
return newTokenReviewBody(
user+":"+password,
"wrong-group/v1",
)
},
wantStatus: http.StatusBadRequest,
},
{
name: "bad TokenReview version",
url: goodURL,
method: http.MethodPost,
headers: goodRequestHeaders,
body: func() (io.ReadCloser, error) {
return newTokenReviewBody(
user+":"+password,
"authentication.k8s.io/wrong-version",
)
},
wantStatus: http.StatusBadRequest,
},
{
name: "bad TokenReview kind",
url: goodURL,
method: http.MethodPost,
headers: goodRequestHeaders,
body: func() (io.ReadCloser, error) {
return newTokenReviewBody(
user+":"+password,
authenticationv1.SchemeGroupVersion.String(),
"wrong-kind",
)
},
wantStatus: http.StatusBadRequest,
},
{ {
name: "bad path", name: "bad path",
url: fmt.Sprintf("https://%s/tuna", l.Addr().String()), url: fmt.Sprintf("https://%s/tuna", l.Addr().String()),
@ -448,9 +488,23 @@ func newClient(caBundle []byte, serverName string) *http.Client {
// newTokenReviewBody creates an io.ReadCloser that contains a JSON-encoded // newTokenReviewBody creates an io.ReadCloser that contains a JSON-encoded
// TokenReview request. // TokenReview request.
func newTokenReviewBody(token string) (io.ReadCloser, error) { func newTokenReviewBody(token string, extra ...string) (io.ReadCloser, error) {
v := authenticationv1.SchemeGroupVersion.String()
if len(extra) > 0 {
v = extra[0]
}
k := "TokenReview"
if len(extra) > 1 {
k = extra[1]
}
buf := bytes.NewBuffer([]byte{}) buf := bytes.NewBuffer([]byte{})
tr := authenticationv1.TokenReview{ tr := authenticationv1.TokenReview{
TypeMeta: metav1.TypeMeta{
APIVersion: v,
Kind: k,
},
Spec: authenticationv1.TokenReviewSpec{ Spec: authenticationv1.TokenReviewSpec{
Token: token, Token: token,
}, },