Commit bddddb5d authored by Kubernetes Submit Queue's avatar Kubernetes Submit Queue Committed by GitHub

Merge pull request #49057 from ericchiang/deleted-bootstrap-token

Automatic merge from submit-queue (batch tested with PRs 49043, 49001, 49057, 49066, 48102) bootstrap token auth: don't accept deleted tokens Closes #48345 Same fix as #48343 ```release-note Previously a deleted bootstrapping token secret would be considered valid until it was reaped. Now it is invalid as soon as the deletionTimestamp is set. ``` cc @luxas @kubernetes/sig-auth-pr-reviews
parents 6507a94d f719b267
...@@ -102,6 +102,11 @@ func (t *TokenAuthenticator) AuthenticateToken(token string) (user.Info, bool, e ...@@ -102,6 +102,11 @@ func (t *TokenAuthenticator) AuthenticateToken(token string) (user.Info, bool, e
return nil, false, err return nil, false, err
} }
if secret.DeletionTimestamp != nil {
tokenErrorf(secret, "is deleted and awaiting removal")
return nil, false, nil
}
if string(secret.Type) != string(bootstrapapi.SecretTypeBootstrapToken) || secret.Data == nil { if string(secret.Type) != string(bootstrapapi.SecretTypeBootstrapToken) || secret.Data == nil {
tokenErrorf(secret, "has invalid type, expected %s.", bootstrapapi.SecretTypeBootstrapToken) tokenErrorf(secret, "has invalid type, expected %s.", bootstrapapi.SecretTypeBootstrapToken)
return nil, false, nil return nil, false, nil
......
...@@ -52,6 +52,8 @@ const ( ...@@ -52,6 +52,8 @@ const (
) )
func TestTokenAuthenticator(t *testing.T) { func TestTokenAuthenticator(t *testing.T) {
now := metav1.Now()
tests := []struct { tests := []struct {
name string name string
...@@ -136,6 +138,25 @@ func TestTokenAuthenticator(t *testing.T) { ...@@ -136,6 +138,25 @@ func TestTokenAuthenticator(t *testing.T) {
wantNotFound: true, wantNotFound: true,
}, },
{ {
name: "deleted token",
secrets: []*api.Secret{
{
ObjectMeta: metav1.ObjectMeta{
Name: bootstrapapi.BootstrapTokenSecretPrefix + tokenID,
DeletionTimestamp: &now,
},
Data: map[string][]byte{
bootstrapapi.BootstrapTokenIDKey: []byte(tokenID),
bootstrapapi.BootstrapTokenSecretKey: []byte(tokenSecret),
bootstrapapi.BootstrapTokenUsageAuthentication: []byte("true"),
},
Type: "bootstrap.kubernetes.io/token",
},
},
token: tokenID + "." + tokenSecret,
wantNotFound: true,
},
{
name: "expired token", name: "expired token",
secrets: []*api.Secret{ secrets: []*api.Secret{
{ {
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment