Bumping k8s dependencies to 1.13
34
vendor/k8s.io/kubernetes/pkg/serviceaccount/legacy.go
generated
vendored
34
vendor/k8s.io/kubernetes/pkg/serviceaccount/legacy.go
generated
vendored
@@ -62,37 +62,37 @@ type legacyValidator struct {
|
||||
|
||||
var _ = Validator(&legacyValidator{})
|
||||
|
||||
func (v *legacyValidator) Validate(tokenData string, public *jwt.Claims, privateObj interface{}) (string, string, string, error) {
|
||||
func (v *legacyValidator) Validate(tokenData string, public *jwt.Claims, privateObj interface{}) (*ServiceAccountInfo, error) {
|
||||
private, ok := privateObj.(*legacyPrivateClaims)
|
||||
if !ok {
|
||||
glog.Errorf("jwt validator expected private claim of type *legacyPrivateClaims but got: %T", privateObj)
|
||||
return "", "", "", errors.New("Token could not be validated.")
|
||||
return nil, errors.New("Token could not be validated.")
|
||||
}
|
||||
|
||||
// Make sure the claims we need exist
|
||||
if len(public.Subject) == 0 {
|
||||
return "", "", "", errors.New("sub claim is missing")
|
||||
return nil, errors.New("sub claim is missing")
|
||||
}
|
||||
namespace := private.Namespace
|
||||
if len(namespace) == 0 {
|
||||
return "", "", "", errors.New("namespace claim is missing")
|
||||
return nil, errors.New("namespace claim is missing")
|
||||
}
|
||||
secretName := private.SecretName
|
||||
if len(secretName) == 0 {
|
||||
return "", "", "", errors.New("secretName claim is missing")
|
||||
return nil, errors.New("secretName claim is missing")
|
||||
}
|
||||
serviceAccountName := private.ServiceAccountName
|
||||
if len(serviceAccountName) == 0 {
|
||||
return "", "", "", errors.New("serviceAccountName claim is missing")
|
||||
return nil, errors.New("serviceAccountName claim is missing")
|
||||
}
|
||||
serviceAccountUID := private.ServiceAccountUID
|
||||
if len(serviceAccountUID) == 0 {
|
||||
return "", "", "", errors.New("serviceAccountUID claim is missing")
|
||||
return nil, errors.New("serviceAccountUID claim is missing")
|
||||
}
|
||||
|
||||
subjectNamespace, subjectName, err := apiserverserviceaccount.SplitUsername(public.Subject)
|
||||
if err != nil || subjectNamespace != namespace || subjectName != serviceAccountName {
|
||||
return "", "", "", errors.New("sub claim is invalid")
|
||||
return nil, errors.New("sub claim is invalid")
|
||||
}
|
||||
|
||||
if v.lookup {
|
||||
@@ -100,34 +100,38 @@ func (v *legacyValidator) Validate(tokenData string, public *jwt.Claims, private
|
||||
secret, err := v.getter.GetSecret(namespace, secretName)
|
||||
if err != nil {
|
||||
glog.V(4).Infof("Could not retrieve token %s/%s for service account %s/%s: %v", namespace, secretName, namespace, serviceAccountName, err)
|
||||
return "", "", "", errors.New("Token has been invalidated")
|
||||
return nil, errors.New("Token has been invalidated")
|
||||
}
|
||||
if secret.DeletionTimestamp != nil {
|
||||
glog.V(4).Infof("Token is deleted and awaiting removal: %s/%s for service account %s/%s", namespace, secretName, namespace, serviceAccountName)
|
||||
return "", "", "", errors.New("Token has been invalidated")
|
||||
return nil, errors.New("Token has been invalidated")
|
||||
}
|
||||
if bytes.Compare(secret.Data[v1.ServiceAccountTokenKey], []byte(tokenData)) != 0 {
|
||||
glog.V(4).Infof("Token contents no longer matches %s/%s for service account %s/%s", namespace, secretName, namespace, serviceAccountName)
|
||||
return "", "", "", errors.New("Token does not match server's copy")
|
||||
return nil, errors.New("Token does not match server's copy")
|
||||
}
|
||||
|
||||
// Make sure service account still exists (name and UID)
|
||||
serviceAccount, err := v.getter.GetServiceAccount(namespace, serviceAccountName)
|
||||
if err != nil {
|
||||
glog.V(4).Infof("Could not retrieve service account %s/%s: %v", namespace, serviceAccountName, err)
|
||||
return "", "", "", err
|
||||
return nil, err
|
||||
}
|
||||
if serviceAccount.DeletionTimestamp != nil {
|
||||
glog.V(4).Infof("Service account has been deleted %s/%s", namespace, serviceAccountName)
|
||||
return "", "", "", fmt.Errorf("ServiceAccount %s/%s has been deleted", namespace, serviceAccountName)
|
||||
return nil, fmt.Errorf("ServiceAccount %s/%s has been deleted", namespace, serviceAccountName)
|
||||
}
|
||||
if string(serviceAccount.UID) != serviceAccountUID {
|
||||
glog.V(4).Infof("Service account UID no longer matches %s/%s: %q != %q", namespace, serviceAccountName, string(serviceAccount.UID), serviceAccountUID)
|
||||
return "", "", "", fmt.Errorf("ServiceAccount UID (%s) does not match claim (%s)", serviceAccount.UID, serviceAccountUID)
|
||||
return nil, fmt.Errorf("ServiceAccount UID (%s) does not match claim (%s)", serviceAccount.UID, serviceAccountUID)
|
||||
}
|
||||
}
|
||||
|
||||
return private.Namespace, private.ServiceAccountName, private.ServiceAccountUID, nil
|
||||
return &ServiceAccountInfo{
|
||||
Namespace: private.Namespace,
|
||||
Name: private.ServiceAccountName,
|
||||
UID: private.ServiceAccountUID,
|
||||
}, nil
|
||||
}
|
||||
|
||||
func (v *legacyValidator) NewPrivateClaims() interface{} {
|
||||
|