serviceaccount: handle jwt flow specific validation in separate validator struct

Mike Danese 2018-01-24 20:40:54 -08:00
parent 057b7af798
commit c89cb942cd


@ -123,18 +123,23 @@ func (j *jwtTokenGenerator) GenerateToken(serviceAccount v1.ServiceAccount, secr
// If lookup is true, the service account and secret referenced as claims inside the token are retrieved and verified with the provided ServiceAccountTokenGetter // If lookup is true, the service account and secret referenced as claims inside the token are retrieved and verified with the provided ServiceAccountTokenGetter
func JWTTokenAuthenticator(iss string, keys []interface{}, lookup bool, getter ServiceAccountTokenGetter) authenticator.Token { func JWTTokenAuthenticator(iss string, keys []interface{}, lookup bool, getter ServiceAccountTokenGetter) authenticator.Token {
return &jwtTokenAuthenticator{ return &jwtTokenAuthenticator{
iss: iss, iss: iss,
keys: keys, keys: keys,
lookup: lookup, validator: &legacyValidator{
getter: getter, lookup: lookup,
getter: getter,
},
} }
} }
type jwtTokenAuthenticator struct { type jwtTokenAuthenticator struct {
iss string iss string
keys []interface{} keys []interface{}
lookup bool validator Validator
getter ServiceAccountTokenGetter }
type Validator interface {
Validate(tokenData string, public *jwt.Claims, private *privateClaims) error
} }
var errMismatchedSigningMethod = errors.New("invalid signing method") var errMismatchedSigningMethod = errors.New("invalid signing method")
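Review bot: The new exported `Validator` interface at the end of the first hunk has no doc comment, and its `Validate` method takes the unexported `*privateClaims`, so nothing outside this package can implement it; either keep the interface unexported (`validator`) or document that it is internal. The doc comment should also state the contract `AuthenticateToken` relies on, visible in the second hunk: `Validate` is only reached after the signature and issuer have been verified, and the implementation owns every remaining check (subject presence, namespace/secret binding and, when lookup is enabled, the getter round-trips), so a future implementation that skips one of them silently weakens authentication. Something like `// Validator checks the claims of a token whose signature and issuer have already been verified; it must return a non-nil error for any token that should not authenticate.` would make that explicit. The file section continues past the visible lines, so the rest of the legacyValidator body is not in view.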
@ -171,7 +176,7 @@ func (j *jwtTokenAuthenticator) AuthenticateToken(tokenData string) (user.Info,
// If we get here, we have a token with a recognized signature and // If we get here, we have a token with a recognized signature and
// issuer string. // issuer string.
if err := j.Validate(tokenData, public, private); err != nil { if err := j.validator.Validate(tokenData, public, private); err != nil {
return nil, false, err return nil, false, err
} }
@ -208,7 +213,12 @@ func (j *jwtTokenAuthenticator) hasCorrectIssuer(tokenData string) bool {
} }
func (j *jwtTokenAuthenticator) Validate(tokenData string, public *jwt.Claims, private *privateClaims) error { type legacyValidator struct {
lookup bool
getter ServiceAccountTokenGetter
}
func (v *legacyValidator) Validate(tokenData string, public *jwt.Claims, private *privateClaims) error {
// Make sure the claims we need exist // Make sure the claims we need exist
if len(public.Subject) == 0 { if len(public.Subject) == 0 {
@ -236,9 +246,9 @@ func (j *jwtTokenAuthenticator) Validate(tokenData string, public *jwt.Claims, p
return errors.New("sub claim is invalid") return errors.New("sub claim is invalid")
} }
if j.lookup { if v.lookup {
// Make sure token hasn't been invalidated by deletion of the secret // Make sure token hasn't been invalidated by deletion of the secret
secret, err := j.getter.GetSecret(namespace, secretName) secret, err := v.getter.GetSecret(namespace, secretName)
if err != nil { if err != nil {
glog.V(4).Infof("Could not retrieve token %s/%s for service account %s/%s: %v", namespace, secretName, namespace, serviceAccountName, err) glog.V(4).Infof("Could not retrieve token %s/%s for service account %s/%s: %v", namespace, secretName, namespace, serviceAccountName, err)
return errors.New("Token has been invalidated") return errors.New("Token has been invalidated")
@ -253,7 +263,7 @@ func (j *jwtTokenAuthenticator) Validate(tokenData string, public *jwt.Claims, p
} }
// Make sure service account still exists (name and UID) // Make sure service account still exists (name and UID)
serviceAccount, err := j.getter.GetServiceAccount(namespace, serviceAccountName) serviceAccount, err := v.getter.GetServiceAccount(namespace, serviceAccountName)
if err != nil { if err != nil {
glog.V(4).Infof("Could not retrieve service account %s/%s: %v", namespace, serviceAccountName, err) glog.V(4).Infof("Could not retrieve service account %s/%s: %v", namespace, serviceAccountName, err)
return err return err