Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
641b8387
Commit
641b8387
authored
May 02, 2017
by
deads2k
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
remove bearer token from headers after we consume it
parent
8f6df267
Hide whitespace changes
Inline
Side-by-side
Showing
2 changed files
with
97 additions
and
0 deletions
+97
-0
bearertoken.go
...ver/pkg/authentication/request/bearertoken/bearertoken.go
+5
-0
bearertoken_test.go
...kg/authentication/request/bearertoken/bearertoken_test.go
+92
-0
No files found.
staging/src/k8s.io/apiserver/pkg/authentication/request/bearertoken/bearertoken.go
View file @
641b8387
...
...
@@ -53,6 +53,11 @@ func (a *Authenticator) AuthenticateRequest(req *http.Request) (user.Info, bool,
}
user
,
ok
,
err
:=
a
.
auth
.
AuthenticateToken
(
token
)
// if we authenticated successfully, go ahead and remove the bearer token so that no one
// is ever tempted to use it inside of the API server
if
ok
{
req
.
Header
.
Del
(
"Authorization"
)
}
// If the token authenticator didn't error, provide a default error
if
!
ok
&&
err
==
nil
{
...
...
staging/src/k8s.io/apiserver/pkg/authentication/request/bearertoken/bearertoken_test.go
View file @
641b8387
...
...
@@ -19,6 +19,7 @@ package bearertoken
import
(
"errors"
"net/http"
"reflect"
"testing"
"k8s.io/apiserver/pkg/authentication/authenticator"
...
...
@@ -103,3 +104,94 @@ func TestAuthenticateRequestBadValue(t *testing.T) {
}
}
}
func
TestBearerToken
(
t
*
testing
.
T
)
{
tests
:=
map
[
string
]
struct
{
AuthorizationHeaders
[]
string
TokenAuth
authenticator
.
Token
ExpectedUserName
string
ExpectedOK
bool
ExpectedErr
bool
ExpectedAuthorizationHeaders
[]
string
}{
"no header"
:
{
AuthorizationHeaders
:
nil
,
ExpectedUserName
:
""
,
ExpectedOK
:
false
,
ExpectedErr
:
false
,
ExpectedAuthorizationHeaders
:
nil
,
},
"empty header"
:
{
AuthorizationHeaders
:
[]
string
{
""
},
ExpectedUserName
:
""
,
ExpectedOK
:
false
,
ExpectedErr
:
false
,
ExpectedAuthorizationHeaders
:
[]
string
{
""
},
},
"non-bearer header"
:
{
AuthorizationHeaders
:
[]
string
{
"Basic 123"
},
ExpectedUserName
:
""
,
ExpectedOK
:
false
,
ExpectedErr
:
false
,
ExpectedAuthorizationHeaders
:
[]
string
{
"Basic 123"
},
},
"empty bearer token"
:
{
AuthorizationHeaders
:
[]
string
{
"Bearer "
},
ExpectedUserName
:
""
,
ExpectedOK
:
false
,
ExpectedErr
:
false
,
ExpectedAuthorizationHeaders
:
[]
string
{
"Bearer "
},
},
"valid bearer token removing header"
:
{
AuthorizationHeaders
:
[]
string
{
"Bearer 123"
},
TokenAuth
:
authenticator
.
TokenFunc
(
func
(
t
string
)
(
user
.
Info
,
bool
,
error
)
{
return
&
user
.
DefaultInfo
{
Name
:
"myuser"
},
true
,
nil
}),
ExpectedUserName
:
"myuser"
,
ExpectedOK
:
true
,
ExpectedErr
:
false
,
ExpectedAuthorizationHeaders
:
nil
,
},
"invalid bearer token"
:
{
AuthorizationHeaders
:
[]
string
{
"Bearer 123"
},
TokenAuth
:
authenticator
.
TokenFunc
(
func
(
t
string
)
(
user
.
Info
,
bool
,
error
)
{
return
nil
,
false
,
nil
}),
ExpectedUserName
:
""
,
ExpectedOK
:
false
,
ExpectedErr
:
true
,
ExpectedAuthorizationHeaders
:
[]
string
{
"Bearer 123"
},
},
"error bearer token"
:
{
AuthorizationHeaders
:
[]
string
{
"Bearer 123"
},
TokenAuth
:
authenticator
.
TokenFunc
(
func
(
t
string
)
(
user
.
Info
,
bool
,
error
)
{
return
nil
,
false
,
errors
.
New
(
"error"
)
}),
ExpectedUserName
:
""
,
ExpectedOK
:
false
,
ExpectedErr
:
true
,
ExpectedAuthorizationHeaders
:
[]
string
{
"Bearer 123"
},
},
}
for
k
,
tc
:=
range
tests
{
req
,
_
:=
http
.
NewRequest
(
"GET"
,
"/"
,
nil
)
for
_
,
h
:=
range
tc
.
AuthorizationHeaders
{
req
.
Header
.
Add
(
"Authorization"
,
h
)
}
bearerAuth
:=
New
(
tc
.
TokenAuth
)
u
,
ok
,
err
:=
bearerAuth
.
AuthenticateRequest
(
req
)
if
tc
.
ExpectedErr
!=
(
err
!=
nil
)
{
t
.
Errorf
(
"%s: Expected err=%v, got %v"
,
k
,
tc
.
ExpectedErr
,
err
)
continue
}
if
ok
!=
tc
.
ExpectedOK
{
t
.
Errorf
(
"%s: Expected ok=%v, got %v"
,
k
,
tc
.
ExpectedOK
,
ok
)
continue
}
if
ok
&&
u
.
GetName
()
!=
tc
.
ExpectedUserName
{
t
.
Errorf
(
"%s: Expected username=%v, got %v"
,
k
,
tc
.
ExpectedUserName
,
u
.
GetName
())
continue
}
if
!
reflect
.
DeepEqual
(
req
.
Header
[
"Authorization"
],
tc
.
ExpectedAuthorizationHeaders
)
{
t
.
Errorf
(
"%s: Expected headers=%#v, got %#v"
,
k
,
tc
.
ExpectedAuthorizationHeaders
,
req
.
Header
[
"Authorization"
])
continue
}
}
}
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment