Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ensure invalid username/password returns 401 error, not 403 #41775

Merged
merged 1 commit into from Apr 8, 2017
Merged

Ensure invalid username/password returns 401 error, not 403 #41775

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
3 changes: 2 additions & 1 deletion pkg/kubeapiserver/authenticator/config.go
View file
Open in desktop
Expand Up @@ -201,7 +201,8 @@ func (config AuthenticatorConfig) New() (authenticator.Request, *spec.SecurityDe
authenticator = group.NewGroupAdder(authenticator, []string{user.AllAuthenticated})

if config.Anonymous {
// If the authenticator chain returns an error, return an error (don't consider a bad bearer token anonymous).
// If the authenticator chain returns an error, return an error (don't consider a bad bearer token
// or invalid username/password combination anonymous).
authenticator = union.NewFailOnError(authenticator, anonymous.NewAuthenticator())
}

Expand Down
13 changes: 12 additions & 1 deletion staging/src/k8s.io/apiserver/plugin/pkg/authenticator/request/basicauth/basicauth.go
View file
Open in desktop
Expand Up @@ -17,6 +17,7 @@ limitations under the License.
package basicauth

import (
"errors"
"net/http"

"k8s.io/apiserver/pkg/authentication/authenticator"
Expand All @@ -33,11 +34,21 @@ func New(auth authenticator.Password) *Authenticator {
return &Authenticator{auth}
}

var errInvalidAuth = errors.New("invalid username/password combination")

// AuthenticateRequest authenticates the request using the "Authorization: Basic" header in the request
func (a *Authenticator) AuthenticateRequest(req *http.Request) (user.Info, bool, error) {
username, password, found := req.BasicAuth()
if !found {
return nil, false, nil
}
return a.auth.AuthenticatePassword(username, password)

user, ok, err := a.auth.AuthenticatePassword(username, password)

// If the password authenticator didn't error, provide a default error
if !ok && err == nil {
err = errInvalidAuth
}

return user, ok, err
}
2 changes: 2 additions & 0 deletions staging/src/k8s.io/apiserver/plugin/pkg/authenticator/request/basicauth/basicauth_test.go
View file
Open in desktop
Expand Up @@ -60,11 +60,13 @@ func TestBasicAuth(t *testing.T) {
ExpectedCalled: true,
ExpectedUsername: "user_with_empty_password",
ExpectedPassword: "",
ExpectedErr: true,
},
"valid basic header": {
ExpectedCalled: true,
ExpectedUsername: "myuser",
ExpectedPassword: "mypassword:withcolon",
ExpectedErr: true,
},
"password auth returned user": {
Password: testPassword{User: &user.DefaultInfo{Name: "returneduser"}, OK: true},
Expand Down