Commit f719b267 authored by Eric Chiang's avatar Eric Chiang

bootstrap token auth: don't accept deleted tokens

parent d20414e2
......@@ -102,6 +102,11 @@ func (t *TokenAuthenticator) AuthenticateToken(token string) (user.Info, bool, e
return nil, false, err
}
if secret.DeletionTimestamp != nil {
tokenErrorf(secret, "is deleted and awaiting removal")
return nil, false, nil
}
if string(secret.Type) != string(bootstrapapi.SecretTypeBootstrapToken) || secret.Data == nil {
tokenErrorf(secret, "has invalid type, expected %s.", bootstrapapi.SecretTypeBootstrapToken)
return nil, false, nil
......
......@@ -52,6 +52,8 @@ const (
)
func TestTokenAuthenticator(t *testing.T) {
now := metav1.Now()
tests := []struct {
name string
......@@ -136,6 +138,25 @@ func TestTokenAuthenticator(t *testing.T) {
wantNotFound: true,
},
{
name: "deleted token",
secrets: []*api.Secret{
{
ObjectMeta: metav1.ObjectMeta{
Name: bootstrapapi.BootstrapTokenSecretPrefix + tokenID,
DeletionTimestamp: &now,
},
Data: map[string][]byte{
bootstrapapi.BootstrapTokenIDKey: []byte(tokenID),
bootstrapapi.BootstrapTokenSecretKey: []byte(tokenSecret),
bootstrapapi.BootstrapTokenUsageAuthentication: []byte("true"),
},
Type: "bootstrap.kubernetes.io/token",
},
},
token: tokenID + "." + tokenSecret,
wantNotFound: true,
},
{
name: "expired token",
secrets: []*api.Secret{
{
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment