github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-24 20:24:09 +00:00
Code Issues Projects Releases Wiki Activity

Check for valid serviceaccount JWT token before inspecting claims

Browse Source
This commit is contained in:
Jordan Liggitt 2016-07-06 13:51:25 -04:00
parent 751a93b858
commit cce67724a9
No known key found for this signature in database
GPG Key ID: 24E7ADF9A3B42012
2 changed files with 8 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
pkg/serviceaccount/jwt.go
View File

@ -135,8 +135,6 @@ func (j *jwtTokenAuthenticator) AuthenticateToken(token string) (user.Info, bool
return key, nil
})
claims, _ := parsedToken.Claims.(jwt.MapClaims)
if err != nil {
switch err := err.(type) {
case *jwt.ValidationError:
@ -160,6 +158,8 @@ func (j *jwtTokenAuthenticator) AuthenticateToken(token string) (user.Info, bool
// If we get here, we have a token with a recognized signature
claims, _ := parsedToken.Claims.(jwt.MapClaims)
// Make sure we issued the token
iss, _ := claims[IssuerClaim].(string)
if iss != Issuer {

6
pkg/serviceaccount/jwt_test.go
View File

@ -225,6 +225,12 @@ func TestTokenGenerateAndValidate(t *testing.T) {
getter := serviceaccountcontroller.NewGetterFromClient(tc.Client)
authenticator := serviceaccount.JWTTokenAuthenticator(tc.Keys, tc.Client != nil, getter)
// An invalid, non-JWT token should always fail
if _, ok, err := authenticator.AuthenticateToken("invalid token"); err != nil || ok {
t.Errorf("%s: Expected err=nil, ok=false for non-JWT token", k)
continue
}
user, ok, err := authenticator.AuthenticateToken(token)
if (err != nil) != tc.ExpectedErr {
t.Errorf("%s: Expected error=%v, got %v", k, tc.ExpectedErr, err)