From 4750aa9d3691cd0652654b56f54fb6897001a4a7 Mon Sep 17 00:00:00 2001
From: Ben Picolo
Date: Mon, 18 Feb 2019 11:16:07 -0500
Subject: [PATCH] Add additional checks + test case fixes

---
 config/kube_config.py      | 13 ++++++++++++-
 config/kube_config_test.py | 24 ++++++++++++++++--------
 2 files changed, 28 insertions(+), 9 deletions(-)

diff --git a/config/kube_config.py b/config/kube_config.py
index 3691a18b5..b939685e6 100644
--- a/config/kube_config.py
+++ b/config/kube_config.py
@@ -252,12 +252,23 @@ class KubeConfigLoader(object):
         if 'config' not in provider:
             return
 
-        parts = provider['config']['id-token'].split('.')
+        reserved_characters = frozenset(["=", "+", "/"])
+        token = provider['config']['id-token']
+        if any(char in token for char in reserved_characters):
+            # Invalid jwt, as it contains url-unsafe chars
+            return None
+
+        parts = token.split('.')
         if len(parts) != 3:
             # Not a valid JWT
             return None
 
         padding = (4 - len(parts[1]) % 4) * '='
+        if len(padding) == 3:
+            # According to spec, 3 padding characters cannot occur
+            # in a valid jwt
+            # https://tools.ietf.org/html/rfc7515#appendix-C
+            return None
 
         if PY3:
             jwt_attributes = json.loads(
diff --git a/config/kube_config_test.py b/config/kube_config_test.py
index 12d6916d9..faa4c417d 100644
--- a/config/kube_config_test.py
+++ b/config/kube_config_test.py
@@ -43,8 +43,8 @@ def _base64(string):
     return base64.encodestring(string.encode()).decode()
 
 
-def _unpadded_base64(string):
-    return base64.b64encode(string.encode()).decode().rstrip('=')
+def _urlsafe_unpadded_b64encode(string):
+    return base64.urlsafe_b64encode(string.encode()).decode().rstrip('=')
 
 
 def _format_expiry_datetime(dt):
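Review bot: The padding computed on the context line just above the new `len(padding) == 3` check produces four `=` characters whenever `len(parts[1])` is already a multiple of 4, so a perfectly well-formed payload segment is decoded with a bogus `====` appended and only succeeds because `binascii` silently discards excess padding in its default non-strict mode. Replacing it with `padding = '=' * (-len(parts[1]) % 4)` yields 0–2 characters for every valid length and exactly 3 only in the impossible case the new check rejects, so the check keeps working and the decode no longer leans on leniency. The reserved-character scan and the three-segment check reject structurally invalid tokens, but a segment that is base64url-shaped yet decodes to non-UTF-8 or non-JSON bytes will still raise out of the `json.loads(...)` call that begins on the hunk's last line; since this method already answers malformed tokens with `None`, wrapping that decode in `except ValueError: return None` (which also covers `binascii.Error` and `UnicodeDecodeError`) would make the behaviour consistent, though what the caller does with `None` is not visible here. The enclosing method's signature is above the hunk and its body continues past it.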
@@ -91,14 +91,22 @@ TEST_CLIENT_CERT_BASE64 = _base64(TEST_CLIENT_CERT)
 
 TEST_OIDC_TOKEN = "test-oidc-token"
 TEST_OIDC_INFO = "{\"name\": \"test\"}"
-TEST_OIDC_BASE = _unpadded_base64(
-    TEST_OIDC_TOKEN) + "." + _unpadded_base64(TEST_OIDC_INFO)
-TEST_OIDC_LOGIN = TEST_OIDC_BASE + "." + TEST_CLIENT_CERT_BASE64
+TEST_OIDC_BASE = ".".join([
+    _urlsafe_unpadded_b64encode(TEST_OIDC_TOKEN),
+    _urlsafe_unpadded_b64encode(TEST_OIDC_INFO)
+])
+TEST_OIDC_LOGIN = ".".join([
+    TEST_OIDC_BASE,
+    _urlsafe_unpadded_b64encode(TEST_CLIENT_CERT_BASE64)
+])
 TEST_OIDC_TOKEN = "Bearer %s" % TEST_OIDC_LOGIN
 TEST_OIDC_EXP = "{\"name\": \"test\",\"exp\": 536457600}"
-TEST_OIDC_EXP_BASE = _unpadded_base64(
-    TEST_OIDC_TOKEN) + "." + _unpadded_base64(TEST_OIDC_EXP)
-TEST_OIDC_EXPIRED_LOGIN = TEST_OIDC_EXP_BASE + "." + TEST_CLIENT_CERT_BASE64
+TEST_OIDC_EXP_BASE = _urlsafe_unpadded_b64encode(
+    TEST_OIDC_TOKEN) + "." + _urlsafe_unpadded_b64encode(TEST_OIDC_EXP)
+TEST_OIDC_EXPIRED_LOGIN = ".".join([
+    TEST_OIDC_EXP_BASE,
+    _urlsafe_unpadded_b64encode(TEST_CLIENT_CERT)
+])
 TEST_OIDC_CA = _base64(TEST_CERTIFICATE_AUTH)
 
 
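Review bot: The two fake signature segments are built inconsistently in the added lines: `TEST_OIDC_LOGIN` wraps `TEST_CLIENT_CERT_BASE64` (base64url of an already-base64 string) while `TEST_OIDC_EXPIRED_LOGIN` wraps the raw `TEST_CLIENT_CERT`; neither is ever verified, but fixtures that mean the same thing should be built the same way, e.g. `_urlsafe_unpadded_b64encode(TEST_CLIENT_CERT)` in both. Separately, the new `TEST_OIDC_EXP_BASE` still reads `TEST_OIDC_TOKEN` after the line above has rebound it to the `"Bearer %s"` string, so the expired token's header segment is the encoding of an entire bearer token rather than of `test-oidc-token`; this predates the change, but since these lines are being rewritten anyway, binding the raw token under its own name (say `TEST_OIDC_RAW_TOKEN`) would keep the two fixtures parallel and make it obvious what each segment contains.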