Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
c89cb942
Commit
c89cb942
authored
Jan 24, 2018
by
Mike Danese
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
serviceaccount: handle jwt flow specific validation in seperate validator struct
parent
057b7af7
Show whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
17 additions
and
7 deletions
+17
-7
jwt.go
pkg/serviceaccount/jwt.go
+17
-7
No files found.
pkg/serviceaccount/jwt.go
View file @
c89cb942
...
@@ -125,16 +125,21 @@ func JWTTokenAuthenticator(iss string, keys []interface{}, lookup bool, getter S
...
@@ -125,16 +125,21 @@ func JWTTokenAuthenticator(iss string, keys []interface{}, lookup bool, getter S
return
&
jwtTokenAuthenticator
{
return
&
jwtTokenAuthenticator
{
iss
:
iss
,
iss
:
iss
,
keys
:
keys
,
keys
:
keys
,
validator
:
&
legacyValidator
{
lookup
:
lookup
,
lookup
:
lookup
,
getter
:
getter
,
getter
:
getter
,
},
}
}
}
}
type
jwtTokenAuthenticator
struct
{
type
jwtTokenAuthenticator
struct
{
iss
string
iss
string
keys
[]
interface
{}
keys
[]
interface
{}
lookup
bool
validator
Validator
getter
ServiceAccountTokenGetter
}
type
Validator
interface
{
Validate
(
tokenData
string
,
public
*
jwt
.
Claims
,
private
*
privateClaims
)
error
}
}
var
errMismatchedSigningMethod
=
errors
.
New
(
"invalid signing method"
)
var
errMismatchedSigningMethod
=
errors
.
New
(
"invalid signing method"
)
...
@@ -171,7 +176,7 @@ func (j *jwtTokenAuthenticator) AuthenticateToken(tokenData string) (user.Info,
...
@@ -171,7 +176,7 @@ func (j *jwtTokenAuthenticator) AuthenticateToken(tokenData string) (user.Info,
// If we get here, we have a token with a recognized signature and
// If we get here, we have a token with a recognized signature and
// issuer string.
// issuer string.
if
err
:=
j
.
Validate
(
tokenData
,
public
,
private
);
err
!=
nil
{
if
err
:=
j
.
validator
.
Validate
(
tokenData
,
public
,
private
);
err
!=
nil
{
return
nil
,
false
,
err
return
nil
,
false
,
err
}
}
...
@@ -208,7 +213,12 @@ func (j *jwtTokenAuthenticator) hasCorrectIssuer(tokenData string) bool {
...
@@ -208,7 +213,12 @@ func (j *jwtTokenAuthenticator) hasCorrectIssuer(tokenData string) bool {
}
}
func
(
j
*
jwtTokenAuthenticator
)
Validate
(
tokenData
string
,
public
*
jwt
.
Claims
,
private
*
privateClaims
)
error
{
type
legacyValidator
struct
{
lookup
bool
getter
ServiceAccountTokenGetter
}
func
(
v
*
legacyValidator
)
Validate
(
tokenData
string
,
public
*
jwt
.
Claims
,
private
*
privateClaims
)
error
{
// Make sure the claims we need exist
// Make sure the claims we need exist
if
len
(
public
.
Subject
)
==
0
{
if
len
(
public
.
Subject
)
==
0
{
...
@@ -236,9 +246,9 @@ func (j *jwtTokenAuthenticator) Validate(tokenData string, public *jwt.Claims, p
...
@@ -236,9 +246,9 @@ func (j *jwtTokenAuthenticator) Validate(tokenData string, public *jwt.Claims, p
return
errors
.
New
(
"sub claim is invalid"
)
return
errors
.
New
(
"sub claim is invalid"
)
}
}
if
j
.
lookup
{
if
v
.
lookup
{
// Make sure token hasn't been invalidated by deletion of the secret
// Make sure token hasn't been invalidated by deletion of the secret
secret
,
err
:=
j
.
getter
.
GetSecret
(
namespace
,
secretName
)
secret
,
err
:=
v
.
getter
.
GetSecret
(
namespace
,
secretName
)
if
err
!=
nil
{
if
err
!=
nil
{
glog
.
V
(
4
)
.
Infof
(
"Could not retrieve token %s/%s for service account %s/%s: %v"
,
namespace
,
secretName
,
namespace
,
serviceAccountName
,
err
)
glog
.
V
(
4
)
.
Infof
(
"Could not retrieve token %s/%s for service account %s/%s: %v"
,
namespace
,
secretName
,
namespace
,
serviceAccountName
,
err
)
return
errors
.
New
(
"Token has been invalidated"
)
return
errors
.
New
(
"Token has been invalidated"
)
...
@@ -253,7 +263,7 @@ func (j *jwtTokenAuthenticator) Validate(tokenData string, public *jwt.Claims, p
...
@@ -253,7 +263,7 @@ func (j *jwtTokenAuthenticator) Validate(tokenData string, public *jwt.Claims, p
}
}
// Make sure service account still exists (name and UID)
// Make sure service account still exists (name and UID)
serviceAccount
,
err
:=
j
.
getter
.
GetServiceAccount
(
namespace
,
serviceAccountName
)
serviceAccount
,
err
:=
v
.
getter
.
GetServiceAccount
(
namespace
,
serviceAccountName
)
if
err
!=
nil
{
if
err
!=
nil
{
glog
.
V
(
4
)
.
Infof
(
"Could not retrieve service account %s/%s: %v"
,
namespace
,
serviceAccountName
,
err
)
glog
.
V
(
4
)
.
Infof
(
"Could not retrieve service account %s/%s: %v"
,
namespace
,
serviceAccountName
,
err
)
return
err
return
err
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment