Warn on receiving a space before the token #109587
Conversation
|
Please note that we're already in Test Freeze for the |
k8s-ci-robot
added
release-note-none
|
Hi @slaskawi. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
area/apiserver
sig/api-machinery
|
/remove-sig api-machinery |
k8s-ci-robot
removed
the
sig/api-machinery
|
@aramase Could I ask you for a review? |
| @@ -48,6 +50,10 @@ func (a *Authenticator) AuthenticateRequest(req *http.Request) (*authenticator.R | |||
|
|
|||
| // Empty bearer tokens aren't valid | |||
| if len(token) == 0 { | |||
| // The space before the token case | |||
| if len(parts) == 3 { | |||
| klog.Warning("WARNING: the support for spaces before the token will be removed shortly") | |||
There was a problem hiding this comment.
A kube-apiserver log warning is not visible to the person making the request, who is the one that is likely to be confused by lack of authentication and is the one who needs to make a change. Also, we haven't decided that this type of request will turn into an error in the future, so don't include that in the message.
This should be something like this:
warning.AddWarning(req.Context(), "", "the provided Authorization header contains extra space before the bearer token, and is ignored")There was a problem hiding this comment.
Sure! I just changed the text slightly: the provided Authorization header contains extra space before the bearer token, which is ignored. I hope it's OK.
staging/src/k8s.io/apiserver/pkg/authentication/request/bearertoken/bearertoken_test.go
Show resolved
Hide resolved
slaskawi
force-pushed
the
106142-warn-on-white-characters-at-the-beginning-of-a-token-2
branch
from
7562e1b
to
2d902db
Compare
k8s-ci-robot
added
size/M
|
Thanks a lot for the review @liggitt ! I addressed all the comments according to your guidance. Please have another look once CI is happy. |
| ) | ||
|
|
||
| const ( | ||
| invalidTokenWithSpaceWarning = "the provided Authorization header contains extra space before the bearer token, which is ignored" |
There was a problem hiding this comment.
this is hard to tell whether the extra space is ignored, or the bearer token is ignored
There was a problem hiding this comment.
aaah... I see :)
Ok, I changed to the version that You suggested. Thanks again for looking into this!
slaskawi
force-pushed
the
106142-warn-on-white-characters-at-the-beginning-of-a-token-2
branch
from
2d902db
to
f0af12b
Compare
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: liggitt, slaskawi The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
The /retest |
|
@slaskawi: Cannot trigger testing until a trusted user reviews the PR and leaves an In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
|
/retest-required |
|
1.25, which will start merging things once 1.24 is released (target is May 3rd) |
|
Thank you @liggitt ! |
|
/triage accepted |
k8s-ci-robot
added
triage/accepted
What type of PR is this?
/kind bug
What this PR does / why we need it:
This Pull Request adds a warning when someone tries to send a request with a space before the token:
Which issue(s) this PR fixes:
xref #106142
Special notes for your reviewer:
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: