Add additional checks + test case fixes

bpicolo · roycaihw · commit ba8b9e011f45 · 2019-07-30T13:18:49.000-07:00
diff --git a/config/kube_config.py b/config/kube_config.py
@@ -259,12 +259,23 @@ def _load_oid_token(self, provider):
         if 'config' not in provider:
             return
 
-        parts = provider['config']['id-token'].split('.')
+        reserved_characters = frozenset(["=", "+", "/"])
+        token = provider['config']['id-token']
 
+        if any(char in token for char in reserved_characters):
+            # Invalid jwt, as it contains url-unsafe chars
+            return None
+
+        parts = token.split('.')
         if len(parts) != 3:  # Not a valid JWT
             return None
 
         padding = (4 - len(parts[1]) % 4) * '='
+        if len(padding) == 3:
+            # According to spec, 3 padding characters cannot occur
+            # in a valid jwt
+            # https://tools.ietf.org/html/rfc7515#appendix-C
+            return None
 
         if PY3:
             jwt_attributes = json.loads(
diff --git a/config/kube_config_test.py b/config/kube_config_test.py
@@ -47,8 +47,8 @@ def _base64(string):
     return base64.standard_b64encode(string.encode()).decode()
 
 
-def _unpadded_base64(string):
-    return base64.b64encode(string.encode()).decode().rstrip('=')
+def _urlsafe_unpadded_b64encode(string):
+    return base64.urlsafe_b64encode(string.encode()).decode().rstrip('=')
 
 
 def _format_expiry_datetime(dt):
@@ -98,14 +98,22 @@ def _raise_exception(st):
 
 TEST_OIDC_TOKEN = "test-oidc-token"
 TEST_OIDC_INFO = "{\"name\": \"test\"}"
-TEST_OIDC_BASE = _unpadded_base64(
-    TEST_OIDC_TOKEN) + "." + _unpadded_base64(TEST_OIDC_INFO)
-TEST_OIDC_LOGIN = TEST_OIDC_BASE + "." + TEST_CLIENT_CERT_BASE64
+TEST_OIDC_BASE = ".".join([
+    _urlsafe_unpadded_b64encode(TEST_OIDC_TOKEN),
+    _urlsafe_unpadded_b64encode(TEST_OIDC_INFO)
+])
+TEST_OIDC_LOGIN = ".".join([
+    TEST_OIDC_BASE,
+    _urlsafe_unpadded_b64encode(TEST_CLIENT_CERT_BASE64)
+])
 TEST_OIDC_TOKEN = "Bearer %s" % TEST_OIDC_LOGIN
 TEST_OIDC_EXP = "{\"name\": \"test\",\"exp\": 536457600}"
-TEST_OIDC_EXP_BASE = _unpadded_base64(
-    TEST_OIDC_TOKEN) + "." + _unpadded_base64(TEST_OIDC_EXP)
-TEST_OIDC_EXPIRED_LOGIN = TEST_OIDC_EXP_BASE + "." + TEST_CLIENT_CERT_BASE64
+TEST_OIDC_EXP_BASE = _urlsafe_unpadded_b64encode(
+    TEST_OIDC_TOKEN) + "." + _urlsafe_unpadded_b64encode(TEST_OIDC_EXP)
+TEST_OIDC_EXPIRED_LOGIN = ".".join([
+    TEST_OIDC_EXP_BASE,
+    _urlsafe_unpadded_b64encode(TEST_CLIENT_CERT)
+])
 TEST_OIDC_CA = _base64(TEST_CERTIFICATE_AUTH)
 
 
