[KS-OIDC] Remove special characters form sub OIDC standard claim #5018
Conversation
|
@najib-houcine: Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
ks-ci-bot
added
do-not-merge/release-note-label-needed
size/XS
|
Hi @najib-houcine. Thanks for your PR. I'm waiting for a kubesphere member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@najib-houcine Thanks for your contribution. These changes seem to have some risks, removing the special characters directly would cause duplication of uid, it cannot be tolerated. It's better to use |
|
@wansir I took a look into it and base64 encoding will grantee an == at the end of orgin_uid label , which will fail any user with good or bad Sub. |
https://pkg.go.dev/encoding/base64@master#pkg-variables BTW, the length of base64-encoded uid will be limited to 63 characters, I think it can be accepted. And we should convert the uid labels after the upgrade. |
|
Thanks @wansir , I updated the PR |
|
/ok-to-test |
|
@najib-houcine Please take a look at the failed CI jobs.
|
|
@wansir , Thanks I checked and managed to fix the verification step but unit-test keep on-failing , could you check what wrong ? |
| @@ -198,7 +198,7 @@ var _ = Describe("OIDC", func() { | |||
| req := &http.Request{URL: url} | |||
| identity, err := provider.IdentityExchangeCallback(req) | |||
| Expect(err).Should(BeNil()) | |||
| Expect(identity.GetUserID()).Should(Equal("110169484474386276334")) | |||
| Expect(string(base64.URLEncoding.DecodeString(identity.GetUserID()))).Should(Equal("110169484474386276334")) | |||
There was a problem hiding this comment.
| Expect(string(base64.URLEncoding.DecodeString(identity.GetUserID()))).Should(Equal("110169484474386276334")) | |
| Expect(identity.GetUserID()).Should(Equal(base64.RawURLEncoding.EncodeToString([]byte("110169484474386276334")))) |
@najib-houcine Refer to https://prow.kubesphere.io/view/s3/prow-logs/pr-logs/pull/kubesphere_kubesphere/5018/pull-kubesphere-unit-test/1543948976712060928 |
|
Thanks @wansir for the hint , but unit test failed also https://prow.kubesphere.io/view/s3/prow-logs/pr-logs/pull/kubesphere_kubesphere/5018/pull-kubesphere-unit-test/1544265767887835136 I will investigate more into it. |
|
/retest |
|
@najib-houcine You can reformat the code using |
|
@wansir seems good now . |
|
/lgtm |
|
LGTM label has been added. Git tree hash: 98e617509679bf09756783c50bf36a6b6dd5a745
|
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: najib-houcine, wansir The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
ks-ci-bot
added
the
approved
…aim (kubesphere#5018)" This reverts commit 45a0625.
Revert "[KS-OIDC] Remove special characters form sub OIDC standard claim (kubesphere#5018)" This reverts commit 45a0625.
…esphere#5018) * [KS-OIDC] Remove special characters form sub OIDC standard claim * [KS-OIDC] Change to base64 RawURLEncoding * [KS-OIDC] Import encoding/base64 * [KS-OIDC] Change import * [KS-OIDC] Damn Go * [KS-OIDC] Damn Spaces * [KS-OIDC] Backport to test * [KS-OIDC] Backport to test: the other way * [KS-OIDC] Backport to test: convert to string * [KS-OIDC] Backport to test: Hint from @wansir * [KS-OIDC] Backport to test: Damn Space
Revert "[KS-OIDC] Remove special characters form sub OIDC standard claim (kubesphere#5018)" This reverts commit 45a0625.
Revert "[KS-OIDC] Remove special characters form sub OIDC standard claim (kubesphere#5018)" This reverts commit 45a0625.
Issue
Users cannot login using an OIDC identity provider.
Kubesphere version
3.2.1
Error Message
Logs form ks-apiserver
{ code: 422, statusText: 'Unprocessable Entity', message: `User.iam.kubesphere.io "{UNLUCKY-USER}" is invalid: metadata.labels: Invalid value: "{UNLUCK-USER_OIDC_SUB-StartOrEnd-Special-Char}": a valid label must be an empty string or consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyValue', or 'my_value', or '12345', regex used for validation is '(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?')\n` }Cause
The standard claim sub in OIDC specs https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims is used as label
iam.kubesphere.io/origin-uidin https://github.com/kubesphere/kubesphere/blob/master/pkg/models/auth/authenticator.go#L82 , for the case OIDC as identity provided referenced in https://github.com/kubesphere/kubesphere/blob/master/pkg/apiserver/authentication/identityprovider/oidc/oidc.go#L118Kubernetes doesn't allow special characters in start and end of labels value as for https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set
Proposed Workaround
Since is OIDC claim cannot be substituted by another claim , the proposed solution is to replace any special characters at start or end with 0
Solution
Replace the label
iam.kubesphere.io/origin-uidwith unique generated UID based on combining OIDC claims while respecting Kubernetes labels standards.