
API Server panics when bearer token with invalid JWT format is passed #420

Closed
sayan-biswas opened this issue Mar 29, 2023 · 1 comment · Fixed by #421
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments


sayan-biswas commented Mar 29, 2023

Expected Behaviour

The bearer token passed can have an invalid format, and the API server should still respond with "Access denied", logging the invalid token error, but it should not restart or panic.

Actual Behaviour

API Server panics and restarts.

Steps to Reproduce the Problem

  1. Run the API server
  2. Send a request with a bearer token that doesn't have a correct JWT format.

Additional Info

2023/03/29 16:52:12 maxprocs: Leaving GOMAXPROCS=4: CPU quota undefined
{"level":"info","ts":1680108732.9567654,"caller":"api/main.go:96","msg":"Starting server with Kubernetes RBAC authorization check enabled"}
{"level":"info","ts":1680108733.6832585,"caller":"api/main.go:159","msg":"Prometheus server listening on: 9090"}
{"level":"info","ts":1680108733.6833947,"caller":"api/main.go:171","msg":"gRPC server listening on: 50051"}
{"level":"info","ts":1680108733.683645,"caller":"api/main.go:203","msg":"REST server Listening on: 8080"}
2023/03/29 16:54:53 http: TLS handshake error from 127.0.0.1:50554: EOF
{"level":"info","ts":1680108906.7054365,"caller":"zap/options.go:212","msg":"finished unary call with code OK","grpc.auth_disabled":false,"grpc.start_time":"2023-03-29T16:55:06Z","system":"grpc","span.kind":"server","grpc.service":"tekton.results.v1alpha2.Results","grpc.method":"ListResults","peer.address":"127.0.0.1:39774","grpc.user":"system:serviceaccount:default:all-namespaces-read-access","grpc.issuer":"https://kubernetes.default.svc.cluster.local","grpc.code":"OK","grpc.time_duration_in_ms":16}
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x28 pc=0x175b870]

goroutine 57 [running]:
main.determineAuth({0x20864d8, 0x400083bce0})
	github.com/tektoncd/results/cmd/api/main.go:231 +0x100
github.com/grpc-ecosystem/go-grpc-middleware/auth.UnaryServerInterceptor.func1({0x20864d8, 0x400083bce0}, {0x1bb4ca0, 0x400047f420}, 0x4000540200, 0x4000540220)
	github.com/grpc-ecosystem/go-grpc-middleware@v1.3.0/auth/auth.go:42 +0x90
github.com/grpc-ecosystem/go-grpc-middleware.ChainUnaryServer.func1.1.1({0x20864d8?, 0x400083bce0?}, {0x1bb4ca0?, 0x400047f420?})
	github.com/grpc-ecosystem/go-grpc-middleware@v1.3.0/chain.go:25 +0x3c
github.com/grpc-ecosystem/go-grpc-middleware/logging/zap.UnaryServerInterceptor.func1({0x20864d8, 0x400083bc80}, {0x1bb4ca0, 0x400047f420}, 0x4000540200, 0x4000540240)
	github.com/grpc-ecosystem/go-grpc-middleware@v1.3.0/logging/zap/server_interceptors.go:31 +0xbc
github.com/grpc-ecosystem/go-grpc-middleware.ChainUnaryServer.func1.1.1({0x20864d8?, 0x400083bc80?}, {0x1bb4ca0?, 0x400047f420?})
	github.com/grpc-ecosystem/go-grpc-middleware@v1.3.0/chain.go:25 +0x3c
github.com/grpc-ecosystem/go-grpc-middleware/tags.UnaryServerInterceptor.func1({0x20864d8?, 0x400083bb00?}, {0x1bb4ca0, 0x400047f420}, 0x4000540200, 0x4000540260)
	github.com/grpc-ecosystem/go-grpc-middleware@v1.3.0/tags/interceptors.go:23 +0x84
github.com/grpc-ecosystem/go-grpc-middleware.ChainUnaryServer.func1.1.1({0x20864d8?, 0x400083bb00?}, {0x1bb4ca0?, 0x400047f420?})
	github.com/grpc-ecosystem/go-grpc-middleware@v1.3.0/chain.go:25 +0x3c
github.com/grpc-ecosystem/go-grpc-middleware.ChainUnaryServer.func1({0x20864d8, 0x400083bb00}, {0x1bb4ca0, 0x400047f420}, 0x40001279f8?, 0xfa86d8?)
	github.com/grpc-ecosystem/go-grpc-middleware@v1.3.0/chain.go:34 +0xb8
github.com/tektoncd/results/proto/v1alpha2/results_go_proto._Results_ListResults_Handler({0x1c70d20?, 0x40005f3c40}, {0x20864d8, 0x400083bb00}, 0x400047f3b0, 0x400080ed20)
	github.com/tektoncd/results/proto/v1alpha2/results_go_proto/api_grpc.pb.go:287 +0x134
google.golang.org/grpc.(*Server).processUnaryRPC(0x4000641680, {0x2090800, 0x40001cbd40}, 0x4000232c60, 0x400080eea0, 0x3193b40, 0x0)
	google.golang.org/grpc@v1.53.0/server.go:1336 +0xb68
google.golang.org/grpc.(*Server).handleStream(0x4000641680, {0x2090800, 0x40001cbd40}, 0x4000232c60, 0x0)
	google.golang.org/grpc@v1.53.0/server.go:1704 +0x840
google.golang.org/grpc.(*Server).serveStreams.func1.2()
	google.golang.org/grpc@v1.53.0/server.go:965 +0x84
created by google.golang.org/grpc.(*Server).serveStreams.func1
	google.golang.org/grpc@v1.53.0/server.go:963 +0x294

The auth module is able to handle this, but the custom interceptor, which logs user details, is missing a return statement:

results/cmd/api/main.go

Lines 224 to 229 in ffe0be3

token, _, err := new(jwt.Parser).ParseUnverified(tokenString, jwt.MapClaims{})
if err != nil {
	ctxzap.AddFields(ctx,
		zap.String("grpc.user", "unknown"),
	)
}

@sayan-biswas sayan-biswas added the kind/bug Categorizes issue or PR as related to a bug. label Mar 29, 2023
@sayan-biswas sayan-biswas changed the title API Server panics/restarts when invalid bearer token is passed API Server panics when bearer token with invalid JWT format is passed Mar 30, 2023
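The control flow behind this panic, and the one-line fix, as an added Go example that is not the project's code: `parseUnverified` is a simplified stand-in for `jwt.Parser.ParseUnverified` (it decodes the claims segment and returns a nil token on any parse failure), and `token`, `authFields` and `safeAuthFields` are hypothetical names. With `fixed=false` the function reproduces the fall-through after the error branch shown above; with `fixed=true` the missing `return` is present.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

type token struct{ Claims map[string]any } // hypothetical stand-in for *jwt.Token; nil on parse failure

// parseUnverified mimics jwt.Parser.ParseUnverified: claims are decoded, signature unchecked.
func parseUnverified(tokenString string) (*token, error) {
	parts := strings.Split(tokenString, ".")
	if len(parts) != 3 {
		return nil, errors.New("token contains an invalid number of segments")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	tok := &token{Claims: map[string]any{}}
	if err := json.Unmarshal(raw, &tok.Claims); err != nil {
		return nil, err
	}
	return tok, nil
}

// authFields mirrors the interceptor in the issue: on a parse error the user is
// labelled "unknown", but only fixed=true has the return that stops the fall-through.
func authFields(tokenString string, fixed bool) map[string]string {
	fields := map[string]string{}
	tok, err := parseUnverified(tokenString)
	if err != nil {
		fields["grpc.user"] = "unknown"
		if fixed {
			return fields
		}
	}
	if sub, ok := tok.Claims["sub"].(string); ok { // nil pointer dereference when tok == nil
		fields["grpc.user"] = sub
	}
	return fields
}

// safeAuthFields reports whether authFields panicked instead of crashing the process.
func safeAuthFields(tokenString string, fixed bool) (fields map[string]string, panicked bool) {
	defer func() { panicked = recover() != nil }()
	return authFields(tokenString, fixed), false
}
```

Any bearer value that is not three dot-separated segments takes the error branch; only the fixed path returns there, so the buggy path dereferences the nil token just as main.determineAuth does in the trace above.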
@sayan-biswas
Contributor Author

/assign
