cmd/local-user-authenticator: check for invalid TokenReview type meta
Signed-off-by: Andrew Keesler <akeesler@vmware.com>
parent
c436f84b3d
commit
a3dbb309d0
@ -191,6 +191,18 @@ func getUsernameAndPasswordFromRequest(rsp http.ResponseWriter, req *http.Reques
|
|||||||
return "", "", invalidRequest
|
return "", "", invalidRequest
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if body.APIVersion != authenticationv1.SchemeGroupVersion.String() {
|
||||||
|
klog.InfoS("invalid TokenReview apiVersion", "apiVersion", body.APIVersion)
|
||||||
|
rsp.WriteHeader(http.StatusBadRequest)
|
||||||
|
return "", "", invalidRequest
|
||||||
|
}
|
||||||
|
|
||||||
|
if body.Kind != "TokenReview" {
|
||||||
|
klog.InfoS("invalid TokenReview kind", "kind", body.Kind)
|
||||||
|
rsp.WriteHeader(http.StatusBadRequest)
|
||||||
|
return "", "", invalidRequest
|
||||||
|
}
|
||||||
|
|
||||||
tokenSegments := strings.SplitN(body.Spec.Token, ":", 2)
|
tokenSegments := strings.SplitN(body.Spec.Token, ":", 2)
|
||||||
if len(tokenSegments) != 2 {
|
if len(tokenSegments) != 2 {
|
||||||
klog.InfoS("bad token format in request")
|
klog.InfoS("bad token format in request")
|
||||||
|
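Review bot: The kind check at `if body.Kind != "TokenReview" {` compares against a bare string literal that the test helper repeats, and nothing in the hunk says why TypeMeta is validated at all, so a later reader may drop both checks as redundant with the JSON decode. Hoist the literal into a package-level `const tokenReviewKind = "TokenReview"` (declared outside this hunk) and compare with `if body.Kind != tokenReviewKind {`, and precede the two new checks with a comment such as `// Reject bodies that do not declare themselves as an authentication.k8s.io/v1 TokenReview; the decoder above presumably accepts any JSON of matching shape, so this is the only place the declared type is enforced.` The APIVersion check already derives its expected value from `authenticationv1.SchemeGroupVersion`, so the kind comparison is the only hard-coded part. getUsernameAndPasswordFromRequest starts and ends outside this hunk.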
@ -260,6 +260,46 @@ func TestWebhook(t *testing.T) {
|
|||||||
wantHeaders: map[string][]string{"Content-Type": {"application/json"}},
|
wantHeaders: map[string][]string{"Content-Type": {"application/json"}},
|
||||||
wantBody: authenticatedResponseJSON(colonUser, colonUID, []string{group0, group1}),
|
wantBody: authenticatedResponseJSON(colonUser, colonUID, []string{group0, group1}),
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
name: "bad TokenReview group",
|
||||||
|
url: goodURL,
|
||||||
|
method: http.MethodPost,
|
||||||
|
headers: goodRequestHeaders,
|
||||||
|
body: func() (io.ReadCloser, error) {
|
||||||
|
return newTokenReviewBody(
|
||||||
|
user+":"+password,
|
||||||
|
"wrong-group/v1",
|
||||||
|
)
|
||||||
|
},
|
||||||
|
wantStatus: http.StatusBadRequest,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "bad TokenReview version",
|
||||||
|
url: goodURL,
|
||||||
|
method: http.MethodPost,
|
||||||
|
headers: goodRequestHeaders,
|
||||||
|
body: func() (io.ReadCloser, error) {
|
||||||
|
return newTokenReviewBody(
|
||||||
|
user+":"+password,
|
||||||
|
"authentication.k8s.io/wrong-version",
|
||||||
|
)
|
||||||
|
},
|
||||||
|
wantStatus: http.StatusBadRequest,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "bad TokenReview kind",
|
||||||
|
url: goodURL,
|
||||||
|
method: http.MethodPost,
|
||||||
|
headers: goodRequestHeaders,
|
||||||
|
body: func() (io.ReadCloser, error) {
|
||||||
|
return newTokenReviewBody(
|
||||||
|
user+":"+password,
|
||||||
|
authenticationv1.SchemeGroupVersion.String(),
|
||||||
|
"wrong-kind",
|
||||||
|
)
|
||||||
|
},
|
||||||
|
wantStatus: http.StatusBadRequest,
|
||||||
|
},
|
||||||
{
|
{
|
||||||
name: "bad path",
|
name: "bad path",
|
||||||
url: fmt.Sprintf("https://%s/tuna", l.Addr().String()),
|
url: fmt.Sprintf("https://%s/tuna", l.Addr().String()),
|
||||||
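Review bot: The three new cases cover a wrong group, a wrong version and a wrong kind, but not an empty TypeMeta, which is what a client sends when it posts only `{"spec":{"token":...}}` and, from the comparisons in the handler hunk above, would also be rejected with a 400. Add a fourth case, e.g. `name: "missing TokenReview type meta"` with `body` returning `newTokenReviewBody(user+":"+password, "", "")` and `wantStatus: http.StatusBadRequest`, so the empty-string path of both comparisons is pinned. Like the neighbouring cases these assert only `wantStatus`; if the table runner treats an absent `wantBody` as "don't check" that is fine, otherwise an unexpected response body would go unnoticed. The TestWebhook table starts and ends outside this hunk.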
@ -448,9 +488,23 @@ func newClient(caBundle []byte, serverName string) *http.Client {
|
|||||||
|
|
||||||
// newTokenReviewBody creates an io.ReadCloser that contains a JSON-encoded
|
// newTokenReviewBody creates an io.ReadCloser that contains a JSON-encoded
|
||||||
// TokenReview request.
|
// TokenReview request.
|
||||||
func newTokenReviewBody(token string) (io.ReadCloser, error) {
|
func newTokenReviewBody(token string, extra ...string) (io.ReadCloser, error) {
|
||||||
|
v := authenticationv1.SchemeGroupVersion.String()
|
||||||
|
if len(extra) > 0 {
|
||||||
|
v = extra[0]
|
||||||
|
}
|
||||||
|
|
||||||
|
k := "TokenReview"
|
||||||
|
if len(extra) > 1 {
|
||||||
|
k = extra[1]
|
||||||
|
}
|
||||||
|
|
||||||
buf := bytes.NewBuffer([]byte{})
|
buf := bytes.NewBuffer([]byte{})
|
||||||
tr := authenticationv1.TokenReview{
|
tr := authenticationv1.TokenReview{
|
||||||
|
TypeMeta: metav1.TypeMeta{
|
||||||
|
APIVersion: v,
|
||||||
|
Kind: k,
|
||||||
|
},
|
||||||
Spec: authenticationv1.TokenReviewSpec{
|
Spec: authenticationv1.TokenReviewSpec{
|
||||||
Token: token,
|
Token: token,
|
||||||
},
|
},
|
||||||
|
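Review bot: The new variadic `extra ...string` parameter on `newTokenReviewBody` is positional and undocumented — a caller has to know that `extra[0]` is the apiVersion and `extra[1]` the kind, and the "bad TokenReview kind" case above has to spell out the correct version just to reach the second slot. The doc comment should state the contract, e.g. `// The optional extra arguments override, in order, the TypeMeta.APIVersion and TypeMeta.Kind of the encoded TokenReview; omitted values default to authenticationv1.SchemeGroupVersion and "TokenReview".` Two explicit parameters or a small struct of overrides would read more clearly, but that is a wider change touching every caller in the test. The helper's body continues past the end of this hunk.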