mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-07-24 20:24:09 +00:00
Check for valid serviceaccount JWT token before inspecting claims
parent
751a93b858
commit
cce67724a9
@ -135,8 +135,6 @@ func (j *jwtTokenAuthenticator) AuthenticateToken(token string) (user.Info, bool
|
||||
return key, nil
|
||||
})
|
||||
|
||||
claims, _ := parsedToken.Claims.(jwt.MapClaims)
|
||||
|
||||
if err != nil {
|
||||
switch err := err.(type) {
|
||||
case *jwt.ValidationError:
|
||||
@ -160,6 +158,8 @@ func (j *jwtTokenAuthenticator) AuthenticateToken(token string) (user.Info, bool
|
||||
|
||||
// If we get here, we have a token with a recognized signature
|
||||
|
||||
claims, _ := parsedToken.Claims.(jwt.MapClaims)
|
||||
|
||||
// Make sure we issued the token
|
||||
iss, _ := claims[IssuerClaim].(string)
|
||||
if iss != Issuer {
|
||||
|
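Review bot: The relocated `claims, _ := parsedToken.Claims.(jwt.MapClaims)` in the second hunk still discards the type-assertion result, so a token whose claims are not `jwt.MapClaims` is rejected only indirectly, through a nil-map lookup and the issuer comparison that follows. Making that fail-closed path explicit would be clearer: `claims, ok := parsedToken.Claims.(jwt.MapClaims)` followed by `if !ok { return nil, false, nil }`. The error switch between the two hunks is not visible here, so it is worth confirming that every non-nil `err` branch returns before this line, since `parsedToken` is presumably not safe to use when parsing fails. AuthenticateToken's body starts and ends outside both hunks.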
@ -225,6 +225,12 @@ func TestTokenGenerateAndValidate(t *testing.T) {
|
||||
getter := serviceaccountcontroller.NewGetterFromClient(tc.Client)
|
||||
authenticator := serviceaccount.JWTTokenAuthenticator(tc.Keys, tc.Client != nil, getter)
|
||||
|
||||
// An invalid, non-JWT token should always fail
|
||||
if _, ok, err := authenticator.AuthenticateToken("invalid token"); err != nil || ok {
|
||||
t.Errorf("%s: Expected err=nil, ok=false for non-JWT token", k)
|
||||
continue
|
||||
}
|
||||
|
||||
user, ok, err := authenticator.AuthenticateToken(token)
|
||||
if (err != nil) != tc.ExpectedErr {
|
||||
t.Errorf("%s: Expected error=%v, got %v", k, tc.ExpectedErr, err)
|
||||
|
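Review bot: The new negative case checks a single malformed input, `"invalid token"`, and its failure message does not report what was actually returned. Printing the values makes a regression easier to diagnose: `t.Errorf("%s: Expected err=nil, ok=false for non-JWT token, got err=%v, ok=%v", k, err, ok)`. Consider running the same assertion over an empty string and over a string with three dot-separated segments that is not valid base64, since those may reach different branches of the parser. The enclosing loop in TestTokenGenerateAndValidate starts and ends outside the hunk.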