Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
0902c55c
Unverified
Commit
0902c55c
authored
Jan 04, 2017
by
Jordan Liggitt
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Ensure invalid token returns 401 error
parent
ee03b9b2
Hide whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
38 additions
and
4 deletions
+38
-4
bearertoken.go
pkg/auth/authenticator/bearertoken/bearertoken.go
+17
-1
bearertoken_test.go
pkg/auth/authenticator/bearertoken/bearertoken_test.go
+20
-1
kubectl.go
test/e2e/kubectl.go
+1
-2
No files found.
pkg/auth/authenticator/bearertoken/bearertoken.go
View file @
0902c55c
...
@@ -17,6 +17,7 @@ limitations under the License.
...
@@ -17,6 +17,7 @@ limitations under the License.
package
bearertoken
package
bearertoken
import
(
import
(
"errors"
"net/http"
"net/http"
"strings"
"strings"
...
@@ -32,6 +33,8 @@ func New(auth authenticator.Token) *Authenticator {
...
@@ -32,6 +33,8 @@ func New(auth authenticator.Token) *Authenticator {
return
&
Authenticator
{
auth
}
return
&
Authenticator
{
auth
}
}
}
var
invalidToken
=
errors
.
New
(
"invalid bearer token"
)
func
(
a
*
Authenticator
)
AuthenticateRequest
(
req
*
http
.
Request
)
(
user
.
Info
,
bool
,
error
)
{
func
(
a
*
Authenticator
)
AuthenticateRequest
(
req
*
http
.
Request
)
(
user
.
Info
,
bool
,
error
)
{
auth
:=
strings
.
TrimSpace
(
req
.
Header
.
Get
(
"Authorization"
))
auth
:=
strings
.
TrimSpace
(
req
.
Header
.
Get
(
"Authorization"
))
if
auth
==
""
{
if
auth
==
""
{
...
@@ -43,5 +46,18 @@ func (a *Authenticator) AuthenticateRequest(req *http.Request) (user.Info, bool,
...
@@ -43,5 +46,18 @@ func (a *Authenticator) AuthenticateRequest(req *http.Request) (user.Info, bool,
}
}
token
:=
parts
[
1
]
token
:=
parts
[
1
]
return
a
.
auth
.
AuthenticateToken
(
token
)
// Empty bearer tokens aren't valid
if
len
(
token
)
==
0
{
return
nil
,
false
,
nil
}
user
,
ok
,
err
:=
a
.
auth
.
AuthenticateToken
(
token
)
// If the token authenticator didn't error, provide a default error
if
!
ok
&&
err
==
nil
{
err
=
invalidToken
}
return
user
,
ok
,
err
}
}
pkg/auth/authenticator/bearertoken/bearertoken_test.go
View file @
0902c55c
...
@@ -47,9 +47,28 @@ func TestAuthenticateRequestTokenInvalid(t *testing.T) {
...
@@ -47,9 +47,28 @@ func TestAuthenticateRequestTokenInvalid(t *testing.T) {
user
,
ok
,
err
:=
auth
.
AuthenticateRequest
(
&
http
.
Request
{
user
,
ok
,
err
:=
auth
.
AuthenticateRequest
(
&
http
.
Request
{
Header
:
http
.
Header
{
"Authorization"
:
[]
string
{
"Bearer token"
}},
Header
:
http
.
Header
{
"Authorization"
:
[]
string
{
"Bearer token"
}},
})
})
if
ok
||
user
!=
nil
||
err
!=
nil
{
if
ok
||
user
!=
nil
{
t
.
Errorf
(
"expected not authenticated user"
)
t
.
Errorf
(
"expected not authenticated user"
)
}
}
if
err
!=
invalidToken
{
t
.
Errorf
(
"expected invalidToken error, got %v"
,
err
)
}
}
func
TestAuthenticateRequestTokenInvalidCustomError
(
t
*
testing
.
T
)
{
customError
:=
errors
.
New
(
"custom"
)
auth
:=
New
(
authenticator
.
TokenFunc
(
func
(
token
string
)
(
user
.
Info
,
bool
,
error
)
{
return
nil
,
false
,
customError
}))
user
,
ok
,
err
:=
auth
.
AuthenticateRequest
(
&
http
.
Request
{
Header
:
http
.
Header
{
"Authorization"
:
[]
string
{
"Bearer token"
}},
})
if
ok
||
user
!=
nil
{
t
.
Errorf
(
"expected not authenticated user"
)
}
if
err
!=
customError
{
t
.
Errorf
(
"expected custom error, got %v"
,
err
)
}
}
}
func
TestAuthenticateRequestTokenError
(
t
*
testing
.
T
)
{
func
TestAuthenticateRequestTokenError
(
t
*
testing
.
T
)
{
...
...
test/e2e/kubectl.go
View file @
0902c55c
...
@@ -599,8 +599,7 @@ var _ = framework.KubeDescribe("Kubectl client", func() {
...
@@ -599,8 +599,7 @@ var _ = framework.KubeDescribe("Kubectl client", func() {
Expect
(
err
)
.
To
(
ContainSubstring
(
"Using in-cluster namespace"
))
Expect
(
err
)
.
To
(
ContainSubstring
(
"Using in-cluster namespace"
))
Expect
(
err
)
.
To
(
ContainSubstring
(
"Using in-cluster configuration"
))
Expect
(
err
)
.
To
(
ContainSubstring
(
"Using in-cluster configuration"
))
Expect
(
err
)
.
To
(
ContainSubstring
(
"Authorization: Bearer invalid"
))
Expect
(
err
)
.
To
(
ContainSubstring
(
"Authorization: Bearer invalid"
))
// TODO(kubernetes/kubernetes#39267): We should only see a 401 from an invalid bearer token.
Expect
(
err
)
.
To
(
ContainSubstring
(
"Response Status: 401 Unauthorized"
))
Expect
(
err
)
.
To
(
Or
(
ContainSubstring
(
"Response Status: 403 Forbidden"
),
ContainSubstring
(
"Response Status: 401 Unauthorized"
)))
By
(
"trying to use kubectl with invalid server"
)
By
(
"trying to use kubectl with invalid server"
)
_
,
err
=
framework
.
RunHostCmd
(
ns
,
simplePodName
,
"/kubectl get pods --server=invalid --v=6 2>&1"
)
_
,
err
=
framework
.
RunHostCmd
(
ns
,
simplePodName
,
"/kubectl get pods --server=invalid --v=6 2>&1"
)
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment