Ensure invalid token returns 401 error

This commit is contained in:
Jordan Liggitt 2017-01-04 01:29:30 -05:00
parent ee03b9b206
commit 0902c55c8b
No known key found for this signature in database
GPG Key ID: 24E7ADF9A3B42012
3 changed files with 38 additions and 4 deletions


@ -17,6 +17,7 @@ limitations under the License.
package bearertoken
import (
"errors"
"net/http"
"strings"
@ -32,6 +33,8 @@ func New(auth authenticator.Token) *Authenticator {
return &Authenticator{auth}
}
var invalidToken = errors.New("invalid bearer token")
func (a *Authenticator) AuthenticateRequest(req *http.Request) (user.Info, bool, error) {
auth := strings.TrimSpace(req.Header.Get("Authorization"))
if auth == "" {
@ -43,5 +46,18 @@ func (a *Authenticator) AuthenticateRequest(req *http.Request) (user.Info, bool,
}
token := parts[1]
return a.auth.AuthenticateToken(token)
// Empty bearer tokens aren't valid
if len(token) == 0 {
return nil, false, nil
}
user, ok, err := a.auth.AuthenticateToken(token)
// If the token authenticator didn't error, provide a default error
if !ok && err == nil {
err = invalidToken
}
return user, ok, err
}
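Review bot: The comment `// Empty bearer tokens aren't valid` does not match the code under it, which returns `nil, false, nil` — the "not attempted" result — so an empty token is handed on to the next authenticator instead of being rejected with invalidToken like every other unaccepted token in this hunk. If treating an empty token as no token is intended, the comment should say so, e.g. `// Treat an empty bearer token as no token: fall through without an error so other authenticators can run`; if not, that branch should return invalidToken as well. Whether parts[1] can actually be empty depends on the header-splitting code above this hunk, and AuthenticateRequest itself starts outside it. Two style points: the local declared by `user, ok, err := a.auth.AuthenticateToken(token)` shadows the user package that the signature's `user.Info` comes from for the rest of the function (`info, ok, err := ...` avoids that), and Go convention gives error values an Err prefix, `var errInvalidToken = errors.New("invalid bearer token")`, with the references in the test file renamed to match.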


@ -47,9 +47,28 @@ func TestAuthenticateRequestTokenInvalid(t *testing.T) {
user, ok, err := auth.AuthenticateRequest(&http.Request{
Header: http.Header{"Authorization": []string{"Bearer token"}},
})
if ok || user != nil || err != nil {
if ok || user != nil {
t.Errorf("expected not authenticated user")
}
if err != invalidToken {
t.Errorf("expected invalidToken error, got %v", err)
}
}
func TestAuthenticateRequestTokenInvalidCustomError(t *testing.T) {
customError := errors.New("custom")
auth := New(authenticator.TokenFunc(func(token string) (user.Info, bool, error) {
return nil, false, customError
}))
user, ok, err := auth.AuthenticateRequest(&http.Request{
Header: http.Header{"Authorization": []string{"Bearer token"}},
})
if ok || user != nil {
t.Errorf("expected not authenticated user")
}
if err != customError {
t.Errorf("expected custom error, got %v", err)
}
}
func TestAuthenticateRequestTokenError(t *testing.T) {
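Review bot: Neither new test exercises the empty-token branch the same commit adds to AuthenticateRequest (the `len(token) == 0` case returning nil, false, nil), so the one path where an unaccepted token deliberately produces no error is not pinned by a test. Unless a case outside this hunk already covers it, a third test in the same shape as TestAuthenticateRequestTokenInvalidCustomError should feed a header value that yields an empty token and assert not ok, nil user and nil error, and also fail if the inner TokenFunc is ever called. Which Authorization value reaches that branch depends on the header-splitting code in the authenticator, which is not in this hunk, so the value below is a placeholder. TestAuthenticateRequestTokenError begins on the last line of the hunk and its body is outside it.

```go
func TestAuthenticateRequestTokenEmpty(t *testing.T) {
	auth := New(authenticator.TokenFunc(func(token string) (user.Info, bool, error) {
		t.Errorf("token authenticator should not be called for an empty token, got %q", token)
		return nil, false, nil
	}))
	user, ok, err := auth.AuthenticateRequest(&http.Request{
		// PLACEHOLDER: use whichever value the header parsing turns into an empty token
		Header: http.Header{"Authorization": []string{"Bearer <EMPTY-TOKEN-FORM>"}},
	})
	if ok || user != nil || err != nil {
		t.Errorf("expected not ok, nil user and nil error, got %v %v %v", ok, user, err)
	}
}
```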


@ -599,8 +599,7 @@ var _ = framework.KubeDescribe("Kubectl client", func() {
Expect(err).To(ContainSubstring("Using in-cluster namespace"))
Expect(err).To(ContainSubstring("Using in-cluster configuration"))
Expect(err).To(ContainSubstring("Authorization: Bearer invalid"))
// TODO(kubernetes/kubernetes#39267): We should only see a 401 from an invalid bearer token.
Expect(err).To(Or(ContainSubstring("Response Status: 403 Forbidden"), ContainSubstring("Response Status: 401 Unauthorized")))
Expect(err).To(ContainSubstring("Response Status: 401 Unauthorized"))
By("trying to use kubectl with invalid server")
_, err = framework.RunHostCmd(ns, simplePodName, "/kubectl get pods --server=invalid --v=6 2>&1")