Add additional checks + test case fixes

2019-02-18 11:16:07 -05:00 · 2019-02-18 11:16:07 -05:00 · 4750aa9d36
commit 4750aa9d36
parent d54efa7568
2 changed files with 28 additions and 9 deletions
--- a/config/kube_config.py
+++ b/config/kube_config.py
@ -252,12 +252,23 @@ class KubeConfigLoader(object):
        if 'config' not in provider:
            return

-        parts = provider['config']['id-token'].split('.')
+        reserved_characters = frozenset(["=", "+", "/"])
+        token = provider['config']['id-token']

+        if any(char in token for char in reserved_characters):
+            # Invalid jwt, as it contains url-unsafe chars
+            return None
+
+        parts = token.split('.')
        if len(parts) != 3:  # Not a valid JWT
            return None

        padding = (4 - len(parts[1]) % 4) * '='
+        if len(padding) == 3:
+            # According to spec, 3 padding characters cannot occur
+            # in a valid jwt
+            # https://tools.ietf.org/html/rfc7515#appendix-C
+            return None

        if PY3:
            jwt_attributes = json.loads(
--- a/config/kube_config_test.py
+++ b/config/kube_config_test.py
@ -43,8 +43,8 @@ def _base64(string):
    return base64.encodestring(string.encode()).decode()


-def _unpadded_base64(string):
-    return base64.b64encode(string.encode()).decode().rstrip('=')
+def _urlsafe_unpadded_b64encode(string):
+    return base64.urlsafe_b64encode(string.encode()).decode().rstrip('=')


 def _format_expiry_datetime(dt):
@ -91,14 +91,22 @@ TEST_CLIENT_CERT_BASE64 = _base64(TEST_CLIENT_CERT)

 TEST_OIDC_TOKEN = "test-oidc-token"
 TEST_OIDC_INFO = "{\"name\": \"test\"}"
-TEST_OIDC_BASE = _unpadded_base64(
-    TEST_OIDC_TOKEN) + "." + _unpadded_base64(TEST_OIDC_INFO)
-TEST_OIDC_LOGIN = TEST_OIDC_BASE + "." + TEST_CLIENT_CERT_BASE64
+TEST_OIDC_BASE = ".".join([
+    _urlsafe_unpadded_b64encode(TEST_OIDC_TOKEN),
+    _urlsafe_unpadded_b64encode(TEST_OIDC_INFO)
+])
+TEST_OIDC_LOGIN = ".".join([
+    TEST_OIDC_BASE,
+    _urlsafe_unpadded_b64encode(TEST_CLIENT_CERT_BASE64)
+])
 TEST_OIDC_TOKEN = "Bearer %s" % TEST_OIDC_LOGIN
 TEST_OIDC_EXP = "{\"name\": \"test\",\"exp\": 536457600}"
-TEST_OIDC_EXP_BASE = _unpadded_base64(
-    TEST_OIDC_TOKEN) + "." + _unpadded_base64(TEST_OIDC_EXP)
-TEST_OIDC_EXPIRED_LOGIN = TEST_OIDC_EXP_BASE + "." + TEST_CLIENT_CERT_BASE64
+TEST_OIDC_EXP_BASE = _urlsafe_unpadded_b64encode(
+    TEST_OIDC_TOKEN) + "." + _urlsafe_unpadded_b64encode(TEST_OIDC_EXP)
+TEST_OIDC_EXPIRED_LOGIN = ".".join([
+    TEST_OIDC_EXP_BASE,
+    _urlsafe_unpadded_b64encode(TEST_CLIENT_CERT)
+])
 TEST_OIDC_CA = _base64(TEST_CERTIFICATE_AUTH)