From 529a72a2bf4901d40e7551c4acaf8219609dcfb9 Mon Sep 17 00:00:00 2001
From: Ben Picolo
Date: Mon, 30 Jul 2018 14:23:18 -0400
Subject: [PATCH 1/4] Fix base64 padding for kube config

---
 config/kube_config.py | 6 ++++--
 config/kube_config_test.py | 10 ++++++++--
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/config/kube_config.py b/config/kube_config.py
index ddd3d02b..3691a18b 100644
--- a/config/kube_config.py
+++ b/config/kube_config.py
@@ -257,13 +257,15 @@ def _load_oid_token(self, provider):
 if len(parts) != 3: # Not a valid JWT
 return None
+ padding = (4 - len(parts[1]) % 4) * '='
+
 if PY3:
 jwt_attributes = json.loads(
- base64.b64decode(parts[1]).decode('utf-8')
+ base64.b64decode(parts[1] + padding).decode('utf-8')
 )
 else:
 jwt_attributes = json.loads(
- base64.b64decode(parts[1] + "==")
+ base64.b64decode(parts[1] + padding)
 )
 expire = jwt_attributes.get('exp')
diff --git a/config/kube_config_test.py b/config/kube_config_test.py
index a79efb9a..12d6916d 100644
--- a/config/kube_config_test.py
+++ b/config/kube_config_test.py
@@ -43,6 +43,10 @@ def _base64(string):
 return base64.encodestring(string.encode()).decode()
+def _unpadded_base64(string):
+ return base64.b64encode(string.encode()).decode().rstrip('=')
+
+
 def _format_expiry_datetime(dt):
 return dt.strftime(EXPIRY_DATETIME_FORMAT)
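Review bot: The added line `padding = (4 - len(parts[1]) % 4) * '='` appends four `=` characters whenever the segment length is already a multiple of four, so the decode on the following lines appears to work only because the decoder tolerates surplus padding rather than because the input is well-formed. `padding = '=' * (-len(parts[1]) % 4)` yields exactly the number of characters that were stripped, and nothing when none were. A short why-comment would also help the next reader, e.g. `# JWS segments are base64url with the '=' padding removed (RFC 7515); restore it before decoding`. _load_oid_token starts and ends outside the hunk.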
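Review bot: `_unpadded_base64` has no docstring explaining why it exists next to `_base64`; a one-liner such as `"""Encode *string* as base64 with the trailing '=' stripped, the way JWT segments are encoded."""` would do. The fixtures it is applied to in the next hunk (`test-oidc-token`, `{"name": "test"}`) appear to encode to base64 containing neither `+` nor `/`, so the tests cannot distinguish standard from URL-safe decoding of `parts[1]`; a fixture whose encoding contains `-` or `_` would pin the base64url requirement on the production side.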
@@ -87,11 +91,13 @@ def _raise_exception(st):
 TEST_OIDC_TOKEN = "test-oidc-token"
 TEST_OIDC_INFO = "{\"name\": \"test\"}"
-TEST_OIDC_BASE = _base64(TEST_OIDC_TOKEN) + "." + _base64(TEST_OIDC_INFO)
+TEST_OIDC_BASE = _unpadded_base64( TEST_OIDC_TOKEN) + "." + _unpadded_base64(TEST_OIDC_INFO)
 TEST_OIDC_LOGIN = TEST_OIDC_BASE + "." + TEST_CLIENT_CERT_BASE64
 TEST_OIDC_TOKEN = "Bearer %s" % TEST_OIDC_LOGIN
 TEST_OIDC_EXP = "{\"name\": \"test\",\"exp\": 536457600}"
-TEST_OIDC_EXP_BASE = _base64(TEST_OIDC_TOKEN) + "." + _base64(TEST_OIDC_EXP)
+TEST_OIDC_EXP_BASE = _unpadded_base64( TEST_OIDC_TOKEN) + "." + _unpadded_base64(TEST_OIDC_EXP)
 TEST_OIDC_EXPIRED_LOGIN = TEST_OIDC_EXP_BASE + "." + TEST_CLIENT_CERT_BASE64
 TEST_OIDC_CA = _base64(TEST_CERTIFICATE_AUTH)

From 297e1e610a7f8d8a70c57798c6cd0fb08fd6b634 Mon Sep 17 00:00:00 2001
From: Idi Eradiri
Date: Thu, 20 Sep 2018 22:19:35 -0400
Subject: [PATCH 2/4] fix: base64 padding

---
 config/kube_config.py | 2 +-
 config/kube_config_test.py | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/config/kube_config.py b/config/kube_config.py
index 3691a18b..ded2ea1b 100644
--- a/config/kube_config.py
+++ b/config/kube_config.py
@@ -261,7 +261,7 @@ def _load_oid_token(self, provider):
 if PY3:
 jwt_attributes = json.loads(
- base64.b64decode(parts[1] + padding).decode('utf-8')
+ base64.urlsafe_b64decode(parts[1] + padding).decode('utf-8')
 )
 else:
 jwt_attributes = json.loads(
diff --git a/config/kube_config_test.py b/config/kube_config_test.py
index 12d6916d..2a5ae789 100644
--- a/config/kube_config_test.py
+++ b/config/kube_config_test.py
@@ -46,6 +46,8 @@ def _base64(string):
 def _unpadded_base64(string):
 return base64.b64encode(string.encode()).decode().rstrip('=')
+def _unpadded_base64_urlsafe(string):
+ return base64.urlsafe_b64encode(string.encode()).decode().restrip('=')
 def _format_expiry_datetime(dt):
 return dt.strftime(EXPIRY_DATETIME_FORMAT)
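Review bot: Style: the new continuation lines break inside the call's argument list (`_unpadded_base64(` / `TEST_OIDC_TOKEN) + ...`), which separates a call from its only argument; wrapping the whole expression in parentheses and breaking after the `+` keeps each call intact: `TEST_OIDC_BASE = (_unpadded_base64(TEST_OIDC_TOKEN) + "." +` / `                  _unpadded_base64(TEST_OIDC_INFO))`, and likewise for `TEST_OIDC_EXP_BASE`. Separately, `TEST_OIDC_TOKEN` is rebound to `"Bearer %s" % TEST_OIDC_LOGIN` between the two rewritten assignments, so `TEST_OIDC_EXP_BASE` encodes the `Bearer ...` string as its first segment rather than `test-oidc-token`; this predates the change, but the rewrite is a good moment to give the header fixture its own name.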
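Review bot: Only the `PY3` branch is switched to `base64.urlsafe_b64decode`; the `else:` branch is cut off by the hunk, and in the first patch of this series its decode line still reads `base64.b64decode(parts[1] + padding)`, so on Python 2 a payload whose base64url form contains `-` or `_` is still handed to a decoder that does not accept that alphabet. Change it to `base64.urlsafe_b64decode(parts[1] + padding)` as well, or hoist a single `raw = base64.urlsafe_b64decode(parts[1] + padding)` above the version check and leave only the `.decode('utf-8')` to the PY3 branch. _load_oid_token starts and ends outside the hunk.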
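Review bot: The hunk's line counts (6 old, 8 new) indicate `_unpadded_base64_urlsafe` is inserted with a single blank line on either side, where PEP 8 expects two around top-level definitions; placing the two added lines after the existing blank pair keeps the spacing consistent with its neighbours. A one-line docstring, `"""Encode *string* as base64url without the trailing '=' padding, as JWS segments are."""`, would also explain why a second helper exists alongside `_unpadded_base64`.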
@@ -86,7 +88,7 @@ def _raise_exception(st):
 TEST_CLIENT_KEY = "client-key"
 TEST_CLIENT_KEY_BASE64 = _base64(TEST_CLIENT_KEY)
 TEST_CLIENT_CERT = "client-cert"
-TEST_CLIENT_CERT_BASE64 = _base64(TEST_CLIENT_CERT)
+TEST_CLIENT_CERT_BASE64 = _unpadded_base64_urlsafe(TEST_CLIENT_CERT)
 TEST_OIDC_TOKEN = "test-oidc-token"

From 4fdcc1b856f438c962a1f345b5ca9db10a05e5c4 Mon Sep 17 00:00:00 2001
From: Idi Eradiri
Date: Mon, 24 Sep 2018 13:14:45 -0400
Subject: [PATCH 3/4] chore: no url reserved chars in JWT

---
 config/kube_config.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/config/kube_config.py b/config/kube_config.py
index ded2ea1b..c7715161 100644
--- a/config/kube_config.py
+++ b/config/kube_config.py
@@ -253,8 +253,9 @@ def _load_oid_token(self, provider):
 return
 parts = provider['config']['id-token'].split('.')
-
- if len(parts) != 3: # Not a valid JWT
+ # check for invalid JWT
+ url_chars = '=+/'
+ if len(parts) != 3 or any(x in url_chars for x in parts):
 return None
 padding = (4 - len(parts[1]) % 4) * '='

From df226ce4d195d1513d97224e31e58111053daaef Mon Sep 17 00:00:00 2001
From: Idi Eradiri
Date: Mon, 24 Sep 2018 15:14:08 -0400
Subject: [PATCH 4/4] fix: typo

---
 config/kube_config_test.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/kube_config_test.py b/config/kube_config_test.py
index 2a5ae789..b88bc0d6 100644
--- a/config/kube_config_test.py
+++ b/config/kube_config_test.py
@@ -47,7 +47,7 @@ def _unpadded_base64(string):
 return base64.b64encode(string.encode()).decode().rstrip('=')
 def _unpadded_base64_urlsafe(string):
- return base64.urlsafe_b64encode(string.encode()).decode().restrip('=')
+ return base64.urlsafe_b64encode(string.encode()).decode().rstrip('=')
 def _format_expiry_datetime(dt):
 return dt.strftime(EXPIRY_DATETIME_FORMAT)
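Review bot: `TEST_CLIENT_CERT_BASE64` is changed from padded standard base64 to unpadded base64url, yet its name says it stands for the client certificate; if the same constant is also fed to a kubeconfig fixture as `client-certificate-data` elsewhere in the file (not visible here), the missing padding will make the standard decoder reject it. A dedicated fixture for the JWT's third segment, e.g. `TEST_OIDC_SIGNATURE = _unpadded_base64_urlsafe("signature")` (constructed name), referenced from `TEST_OIDC_LOGIN` and `TEST_OIDC_EXPIRED_LOGIN`, keeps the certificate and token fixtures independent.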
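Review bot: The new guard `any(x in url_chars for x in parts)` tests whether each whole segment is a substring of `'=+/'`, not whether the segment contains one of those characters, so a segment such as `ab+cd` (constructed example) passes, while an empty segment is rejected only because `'' in '=+/'` happens to be true. The intended check is `any(c in part for part in parts for c in url_chars)`, and the variable would be clearer as `non_urlsafe_chars`, since these are the standard-alphabet characters that base64url (RFC 4648 §5, as required by RFC 7515) replaces or omits rather than URL-reserved characters. The comment `# check for invalid JWT` restates the condition; `# JWS segments are base64url: padding and the standard '+' '/' alphabet are not allowed` says why. In the visible lines a segment that passes this check can still make `base64.urlsafe_b64decode` or `json.loads` raise (`binascii.Error`, `ValueError`) further down, which the `return None` path does not cover; the rest of _load_oid_token lies outside the hunk.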