Warn on receiving a space before the token

This commit is contained in:
Sebastian Laskawiec 2022-04-21 09:05:33 +02:00
parent f173d01c01
commit f0af12bb9d
2 changed files with 45 additions and 1 deletions

View File

@ -22,6 +22,11 @@ import (
"strings"
"k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/warning"
)
const (
invalidTokenWithSpaceWarning = "the provided Authorization header contains extra space before the bearer token, and is ignored"
)
type Authenticator struct {
@ -48,6 +53,10 @@ func (a *Authenticator) AuthenticateRequest(req *http.Request) (*authenticator.R
// Empty bearer tokens aren't valid
if len(token) == 0 {
// The space before the token case
if len(parts) == 3 {
warning.AddWarning(req.Context(), "", invalidTokenWithSpaceWarning)
}
return nil, false, nil
}

View File

@ -25,6 +25,8 @@ import (
"k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/authentication/user"
genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
"k8s.io/apiserver/pkg/warning"
)
func TestAuthenticateRequest(t *testing.T) {
@ -128,6 +130,23 @@ func TestAuthenticateRequestBadValue(t *testing.T) {
}
}
type dummyRecorder struct {
agent string
text string
}
func (r *dummyRecorder) AddWarning(agent, text string) {
r.agent = agent
r.text = text
return
}
func (r *dummyRecorder) getWarning() string {
return r.text
}
var _ warning.Recorder = &dummyRecorder{}
func TestBearerToken(t *testing.T) {
tests := map[string]struct {
AuthorizationHeaders []string
@ -137,6 +156,7 @@ func TestBearerToken(t *testing.T) {
ExpectedOK bool
ExpectedErr bool
ExpectedAuthorizationHeaders []string
ExpectedRecordedWarning string
}{
"no header": {
AuthorizationHeaders: nil,
@ -184,6 +204,14 @@ func TestBearerToken(t *testing.T) {
ExpectedErr: true,
ExpectedAuthorizationHeaders: []string{"Bearer 123"},
},
"valid bearer token with a space": {
AuthorizationHeaders: []string{"Bearer token"},
ExpectedUserName: "",
ExpectedOK: false,
ExpectedErr: false,
ExpectedAuthorizationHeaders: []string{"Bearer token"},
ExpectedRecordedWarning: invalidTokenWithSpaceWarning,
},
"error bearer token": {
AuthorizationHeaders: []string{"Bearer 123"},
TokenAuth: authenticator.TokenFunc(func(ctx context.Context, t string) (*authenticator.Response, bool, error) {
@ -197,7 +225,10 @@ func TestBearerToken(t *testing.T) {
}
for k, tc := range tests {
req, _ := http.NewRequest("GET", "/", nil)
dc := dummyRecorder{agent: "", text: ""}
ctx := genericapirequest.NewDefaultContext()
ctxWithRecorder := warning.WithWarningRecorder(ctx, &dc)
req, _ := http.NewRequestWithContext(ctxWithRecorder, "GET", "/", nil)
for _, h := range tc.AuthorizationHeaders {
req.Header.Add("Authorization", h)
}
@ -216,6 +247,10 @@ func TestBearerToken(t *testing.T) {
t.Errorf("%s: Expected username=%v, got %v", k, tc.ExpectedUserName, resp.User.GetName())
continue
}
if len(tc.ExpectedRecordedWarning) > 0 && tc.ExpectedRecordedWarning != dc.getWarning() {
t.Errorf("%s: Expected recorded warning=%v, got %v", k, tc.ExpectedRecordedWarning, dc.getWarning())
continue
}
if !reflect.DeepEqual(req.Header["Authorization"], tc.ExpectedAuthorizationHeaders) {
t.Errorf("%s: Expected headers=%#v, got %#v", k, tc.ExpectedAuthorizationHeaders, req.Header["Authorization"])
continue