github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-27 13:37:30 +00:00
Code Issues Projects Releases Wiki Activity

Ensure invalid token returns 401 error

Browse Source
This commit is contained in:
Jordan Liggitt 2017-01-04 01:29:30 -05:00
parent ee03b9b206
commit 0902c55c8b
No known key found for this signature in database
GPG Key ID: 24E7ADF9A3B42012
3 changed files with 38 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
pkg/auth/authenticator/bearertoken/bearertoken.go
View File

@ -17,6 +17,7 @@ limitations under the License.
package bearertoken package bearertoken
import ( import (
"errors"
"net/http" "net/http"
"strings" "strings"
@ -32,6 +33,8 @@ func New(auth authenticator.Token) *Authenticator {
return &Authenticator{auth} return &Authenticator{auth}
} }
var invalidToken = errors.New("invalid bearer token")
func (a *Authenticator) AuthenticateRequest(req *http.Request) (user.Info, bool, error) { func (a *Authenticator) AuthenticateRequest(req *http.Request) (user.Info, bool, error) {
auth := strings.TrimSpace(req.Header.Get("Authorization")) auth := strings.TrimSpace(req.Header.Get("Authorization"))
if auth == "" { if auth == "" {
@ -43,5 +46,18 @@ func (a *Authenticator) AuthenticateRequest(req *http.Request) (user.Info, bool,
} }
token := parts[1] token := parts[1]
return a.auth.AuthenticateToken(token)
// Empty bearer tokens aren't valid
if len(token) == 0 {
return nil, false, nil
}
user, ok, err := a.auth.AuthenticateToken(token)
// If the token authenticator didn't error, provide a default error
if !ok && err == nil {
err = invalidToken
}
return user, ok, err
} }

21
pkg/auth/authenticator/bearertoken/bearertoken_test.go
View File

@ -47,9 +47,28 @@ func TestAuthenticateRequestTokenInvalid(t *testing.T) {
user, ok, err := auth.AuthenticateRequest(&http.Request{ user, ok, err := auth.AuthenticateRequest(&http.Request{
Header: http.Header{"Authorization": []string{"Bearer token"}}, Header: http.Header{"Authorization": []string{"Bearer token"}},
}) })
if ok || user != nil || err != nil { if ok || user != nil {
t.Errorf("expected not authenticated user") t.Errorf("expected not authenticated user")
} }
if err != invalidToken {
t.Errorf("expected invalidToken error, got %v", err)
}
}
func TestAuthenticateRequestTokenInvalidCustomError(t *testing.T) {
customError := errors.New("custom")
auth := New(authenticator.TokenFunc(func(token string) (user.Info, bool, error) {
return nil, false, customError
}))
user, ok, err := auth.AuthenticateRequest(&http.Request{
Header: http.Header{"Authorization": []string{"Bearer token"}},
})
if ok || user != nil {
t.Errorf("expected not authenticated user")
}
if err != customError {
t.Errorf("expected custom error, got %v", err)
}
} }
func TestAuthenticateRequestTokenError(t *testing.T) { func TestAuthenticateRequestTokenError(t *testing.T) {

3
test/e2e/kubectl.go
View File

@ -599,8 +599,7 @@ var _ = framework.KubeDescribe("Kubectl client", func() {
Expect(err).To(ContainSubstring("Using in-cluster namespace")) Expect(err).To(ContainSubstring("Using in-cluster namespace"))
Expect(err).To(ContainSubstring("Using in-cluster configuration")) Expect(err).To(ContainSubstring("Using in-cluster configuration"))
Expect(err).To(ContainSubstring("Authorization: Bearer invalid")) Expect(err).To(ContainSubstring("Authorization: Bearer invalid"))
// TODO(kubernetes/kubernetes#39267): We should only see a 401 from an invalid bearer token. Expect(err).To(ContainSubstring("Response Status: 401 Unauthorized"))
Expect(err).To(Or(ContainSubstring("Response Status: 403 Forbidden"), ContainSubstring("Response Status: 401 Unauthorized")))
By("trying to use kubectl with invalid server") By("trying to use kubectl with invalid server")
_, err = framework.RunHostCmd(ns, simplePodName, "/kubectl get pods --server=invalid --v=6 2>&1") _, err = framework.RunHostCmd(ns, simplePodName, "/kubectl get pods --server=invalid --v=6 2>&1")