fix serviceaccount's usage of jwt-go
Update pkg/serviceaccount for jwt-go v3.x.
This commit is contained in:
parent
49d5836782
commit
db006d6e6b
@ -92,17 +92,19 @@ type jwtTokenGenerator struct {
|
|||||||
func (j *jwtTokenGenerator) GenerateToken(serviceAccount api.ServiceAccount, secret api.Secret) (string, error) {
|
func (j *jwtTokenGenerator) GenerateToken(serviceAccount api.ServiceAccount, secret api.Secret) (string, error) {
|
||||||
token := jwt.New(jwt.SigningMethodRS256)
|
token := jwt.New(jwt.SigningMethodRS256)
|
||||||
|
|
||||||
|
claims, _ := token.Claims.(jwt.MapClaims)
|
||||||
|
|
||||||
// Identify the issuer
|
// Identify the issuer
|
||||||
token.Claims[IssuerClaim] = Issuer
|
claims[IssuerClaim] = Issuer
|
||||||
|
|
||||||
// Username
|
// Username
|
||||||
token.Claims[SubjectClaim] = MakeUsername(serviceAccount.Namespace, serviceAccount.Name)
|
claims[SubjectClaim] = MakeUsername(serviceAccount.Namespace, serviceAccount.Name)
|
||||||
|
|
||||||
// Persist enough structured info for the authenticator to be able to look up the service account and secret
|
// Persist enough structured info for the authenticator to be able to look up the service account and secret
|
||||||
token.Claims[NamespaceClaim] = serviceAccount.Namespace
|
claims[NamespaceClaim] = serviceAccount.Namespace
|
||||||
token.Claims[ServiceAccountNameClaim] = serviceAccount.Name
|
claims[ServiceAccountNameClaim] = serviceAccount.Name
|
||||||
token.Claims[ServiceAccountUIDClaim] = serviceAccount.UID
|
claims[ServiceAccountUIDClaim] = serviceAccount.UID
|
||||||
token.Claims[SecretNameClaim] = secret.Name
|
claims[SecretNameClaim] = secret.Name
|
||||||
|
|
||||||
// Sign and get the complete encoded token as a string
|
// Sign and get the complete encoded token as a string
|
||||||
return token.SignedString(j.key)
|
return token.SignedString(j.key)
|
||||||
@ -133,6 +135,8 @@ func (j *jwtTokenAuthenticator) AuthenticateToken(token string) (user.Info, bool
|
|||||||
return key, nil
|
return key, nil
|
||||||
})
|
})
|
||||||
|
|
||||||
|
claims, _ := parsedToken.Claims.(jwt.MapClaims)
|
||||||
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
switch err := err.(type) {
|
switch err := err.(type) {
|
||||||
case *jwt.ValidationError:
|
case *jwt.ValidationError:
|
||||||
@ -157,29 +161,29 @@ func (j *jwtTokenAuthenticator) AuthenticateToken(token string) (user.Info, bool
|
|||||||
// If we get here, we have a token with a recognized signature
|
// If we get here, we have a token with a recognized signature
|
||||||
|
|
||||||
// Make sure we issued the token
|
// Make sure we issued the token
|
||||||
iss, _ := parsedToken.Claims[IssuerClaim].(string)
|
iss, _ := claims[IssuerClaim].(string)
|
||||||
if iss != Issuer {
|
if iss != Issuer {
|
||||||
return nil, false, nil
|
return nil, false, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// Make sure the claims we need exist
|
// Make sure the claims we need exist
|
||||||
sub, _ := parsedToken.Claims[SubjectClaim].(string)
|
sub, _ := claims[SubjectClaim].(string)
|
||||||
if len(sub) == 0 {
|
if len(sub) == 0 {
|
||||||
return nil, false, errors.New("sub claim is missing")
|
return nil, false, errors.New("sub claim is missing")
|
||||||
}
|
}
|
||||||
namespace, _ := parsedToken.Claims[NamespaceClaim].(string)
|
namespace, _ := claims[NamespaceClaim].(string)
|
||||||
if len(namespace) == 0 {
|
if len(namespace) == 0 {
|
||||||
return nil, false, errors.New("namespace claim is missing")
|
return nil, false, errors.New("namespace claim is missing")
|
||||||
}
|
}
|
||||||
secretName, _ := parsedToken.Claims[SecretNameClaim].(string)
|
secretName, _ := claims[SecretNameClaim].(string)
|
||||||
if len(namespace) == 0 {
|
if len(namespace) == 0 {
|
||||||
return nil, false, errors.New("secretName claim is missing")
|
return nil, false, errors.New("secretName claim is missing")
|
||||||
}
|
}
|
||||||
serviceAccountName, _ := parsedToken.Claims[ServiceAccountNameClaim].(string)
|
serviceAccountName, _ := claims[ServiceAccountNameClaim].(string)
|
||||||
if len(serviceAccountName) == 0 {
|
if len(serviceAccountName) == 0 {
|
||||||
return nil, false, errors.New("serviceAccountName claim is missing")
|
return nil, false, errors.New("serviceAccountName claim is missing")
|
||||||
}
|
}
|
||||||
serviceAccountUID, _ := parsedToken.Claims[ServiceAccountUIDClaim].(string)
|
serviceAccountUID, _ := claims[ServiceAccountUIDClaim].(string)
|
||||||
if len(serviceAccountUID) == 0 {
|
if len(serviceAccountUID) == 0 {
|
||||||
return nil, false, errors.New("serviceAccountUID claim is missing")
|
return nil, false, errors.New("serviceAccountUID claim is missing")
|
||||||
}
|
}
|
||||||
|
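Review bot: The presence check that follows `secretName, _ := claims[SecretNameClaim].(string)` in the third hunk still tests `namespace`, so an empty or absent secretName claim is never rejected at this point and the "secretName claim is missing" return is unreachable; the guard should read `if len(secretName) == 0 {`. Every sibling check in the hunk (sub, namespace, serviceAccountName, serviceAccountUID) tests its own variable, and this one should match. In the second hunk, `claims, _ := parsedToken.Claims.(jwt.MapClaims)` is evaluated before `if err != nil`; if jwt.Parse returns a nil *Token on malformed input (jwt-go v3 appears to do so for a wrong segment count — worth confirming against the vendored version), this dereferences nil before the error is handled, so the assertion belongs below the error switch, next to the "recognized signature" comment. Discarding the assertion's ok value is acceptable only because a nil MapClaims yields zero values on read, and a short comment stating that assumption would save the next reader a trip to the library. AuthenticateToken continues past the end of the hunk.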