Commit aa56b20

authored

[Bugfix] Fix JWT Secret Tail characters (#1867)

1 parent 1f7f670 commit aa56b20Copy full SHA for aa56b20

File tree

29 files changed

+780

-211

lines changed

CHANGELOG.md
cmd
- admin.go
integrations/authentication/v1
- cache.go
- implementation.go
pkg
- api
- deployment
- handlers/backup
  - arango_client_impl.go
- replication
  - sync_client.go
- util
  - arangod
    - client.go
  - k8sutil
    - secrets.go
  - mod.go
  - token

29 files changed

+780

-211

lines changed

`‎CHANGELOG.md‎`

Lines changed: 2 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -7,10 +7,8 @@`
`7`	`7`	`- (Documentation) ManualUpgrade Docs`
`8`	`8`	`- (Documentation) Add Required & Skip in Docs`
`9`	`9`	`- (Feature) (Platform) ECS Storage`
`10`		`-- (Bugfix) (Platform) Prevent NPE in case of missing Helm Release`
`11`		`-- (Feature) Unify Errors`
`12`		`-- (Documentation) Update Service Values Doc Type`
`13`		`-- (Feature) (Platform) Improve Registry Performance`
	`10`	`+- (Bugfix) (Platform) Prevent NPE in case of missing Helm Release`
	`11`	`+- (Bugfix) Align JWT Discovery`
`14`	`12`
`15`	`13`	`## [1.2.50](https://github.com/arangodb/kube-arangodb/tree/1.2.50) (2025年07月04日)`
`16`	`14`	`- (Feature) (Platform) MetaV1 Integration Service`

`‎cmd/admin.go‎`

Lines changed: 15 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -38,7 +38,6 @@ import (`
`38`	`38`	`meta "k8s.io/apimachinery/pkg/apis/meta/v1"`
`39`	`39`
`40`	`40`	`"github.com/arangodb-helper/go-certificates"`
`41`		`- "github.com/arangodb/go-driver/jwt"`
`42`	`41`	`"github.com/arangodb/go-driver/v2/connection"`
`43`	`42`
`44`	`43`	`api "github.com/arangodb/kube-arangodb/pkg/apis/deployment/v1"`
`@@ -51,6 +50,7 @@ import (`
`51`	`50`	`"github.com/arangodb/kube-arangodb/pkg/util/k8sutil"`
`52`	`51`	`"github.com/arangodb/kube-arangodb/pkg/util/k8sutil/inspector/generic"`
`53`	`52`	`"github.com/arangodb/kube-arangodb/pkg/util/kclient"`
	`53`	`+ "github.com/arangodb/kube-arangodb/pkg/util/token"`
`54`	`54`	`)`
`55`	`55`
`56`	`56`	`const (`
`@@ -401,20 +401,31 @@ func createClient(endpoints []string, certCA *x509.CertPool, auth connection.Aut`
`401`	`401`	`}`
`402`	`402`
`403`	`403`	`// getJWTTokenFromSecrets returns token from the secret.`
`404`		`-func getJWTTokenFromSecrets(ctx context.Context, secrets generic.ReadClient[*core.Secret], name string) (connection.Authentication, error) {`
	`404`	`+func getJWTTokenFromSecrets(ctx context.Context, secrets generic.ReadClient[*core.Secret], name string, paths...string) (connection.Authentication, error) {`
`405`	`405`	`ctxChild, cancel := globals.GetGlobalTimeouts().Kubernetes().WithTimeout(ctx)`
`406`	`406`	`defer cancel()`
`407`	`407`
`408`		`- token, err := k8sutil.GetTokenSecret(ctxChild, secrets, name)`
	`408`	`+ secret, err := k8sutil.GetTokenSecret(ctxChild, secrets, name)`
`409`	`409`	`if err != nil {`
`410`	`410`	`return nil, errors.WithMessage(err, fmt.Sprintf("failed to get secret \"%s\"", name))`
`411`	`411`	`}`
`412`	`412`
`413`		`- bearerToken, err := jwt.CreateArangodJwtAuthorizationHeader(token, "kube-arangodb")`
	`413`	`+ claims := token.NewClaims().With(`
	`414`	`+ token.WithDefaultClaims(),`
	`415`	`+ token.WithServerID("kube-arangodb"),`
	`416`	`+ )`
	`417`	`+`
	`418`	`+ if len(paths) > 0 {`
	`419`	`+ claims = claims.With(token.WithAllowedPaths(paths...))`
	`420`	`+ }`
	`421`	`+`
	`422`	`+ authz, err := claims.Sign(secret)`
`414`	`423`	`if err != nil {`
`415`	`424`	`return nil, errors.WithMessage(err, fmt.Sprintf("failed to create bearer token from secret \"%s\"", name))`
`416`	`425`	`}`
`417`	`426`
	`427`	`+ bearerToken := fmt.Sprintf("bearer %s", authz)`
	`428`	`+`
`418`	`429`	`return JWTAuthentication{key: "Authorization", value: bearerToken}, nil`
`419`	`430`	`}`
`420`	`431`

`‎integrations/authentication/v1/cache.go‎`

Lines changed: 6 additions & 12 deletions

Original file line number	Diff line number	Diff line change
`@@ -29,18 +29,13 @@ import (`
`29`	`29`	`"time"`
`30`	`30`
`31`	`31`	`"github.com/arangodb/kube-arangodb/pkg/util"`
	`32`	`+ "github.com/arangodb/kube-arangodb/pkg/util/token"`
`32`	`33`	`)`
`33`	`34`
`34`	`35`	`const MaxSize = 128`
`35`	`36`
`36`		`-type tokens struct {`
`37`		`- signingToken []byte`
`38`		`-`
`39`		`- validationTokens [][]byte`
`40`		`-}`
`41`		`-`
`42`		`-func newCache(cfg Configuration) func(ctx context.Context) (*tokens, time.Duration, error) {`
`43`		`- return func(ctx context.Context) (*tokens, time.Duration, error) {`
	`37`	`+func newCache(cfg Configuration) func(ctx context.Context) (token.Secret, time.Duration, error) {`
	`38`	`+ return func(ctx context.Context) (token.Secret, time.Duration, error) {`
`44`	`39`	`files, err := os.ReadDir(cfg.Path)`
`45`	`40`	`if err != nil {`
`46`	`41`	`return nil, 0, err`
`@@ -87,9 +82,8 @@ func newCache(cfg Configuration) func(ctx context.Context) (*tokens, time.Durati`
`87`	`82`	`data[id] = ts[keys[id]]`
`88`	`83`	`}`
`89`	`84`
`90`		`- return &tokens{`
`91`		`- signingToken: ts[keys[0]],`
`92`		`- validationTokens: data,`
`93`		`- }, cfg.TTL, nil`
	`85`	`+ return token.NewSecretSet(token.NewSecret(ts[keys[0]]), util.FormatList(data, func(a []byte) token.Secret {`
	`86`	`+ return token.NewSecret(a)`
	`87`	`+ })...), cfg.TTL, nil`
`94`	`88`	`}`
`95`	`89`	`}`

`‎integrations/authentication/v1/implementation.go‎`

Lines changed: 14 additions & 17 deletions

Original file line number	Diff line number	Diff line change
`@@ -92,7 +92,7 @@ type implementation struct {`
`92`	`92`	`cfg Configuration`
`93`	`93`
`94`	`94`	`userClient cache.Object[arangodb.Requests]`
`95`		`- cache cache.Object[*tokens]`
	`95`	`+ cache cache.Object[token.Secret]`
`96`	`96`	`}`
`97`	`97`
`98`	`98`	`func (i *implementation) Name() string {`
`@@ -190,16 +190,12 @@ func (i implementation) CreateToken(ctx context.Context, request pbAuthenticat`
`190`	`190`	`duration = v`
`191`	`191`	`}`
`192`	`192`
`193`		`- // Token is validated, we can continue with creation`
`194`		`- secret := cache.signingToken`
`195`		`-`
`196`		`- signedToken, err := token.New(secret,`
`197`		`- token.NewClaims().With(token.WithDefaultClaims(),`
`198`		`- token.WithCurrentIAT(),`
`199`		`- token.WithDuration(duration),`
`200`		`- token.WithUsername(user),`
`201`		`- token.WithRoles(request.GetRoles()...)),`
`202`		`- )`
	`193`	`+ signedToken, err := token.NewClaims().With(`
	`194`	`+ token.WithDefaultClaims(),`
	`195`	`+ token.WithCurrentIAT(),`
	`196`	`+ token.WithDuration(duration),`
	`197`	`+ token.WithUsername(user),`
	`198`	`+ token.WithRoles(request.GetRoles()...)).Sign(cache)`
`203`	`199`	`if err != nil {`
`204`	`200`	`return nil, err`
`205`	`201`	`}`
`@@ -344,24 +340,25 @@ func (i implementation) Logout(ctx context.Context, req pbAuthenticationV1.Log`
`344`	`340`	`return &pbSharedV1.Empty{}, nil`
`345`	`341`	`}`
`346`	`342`
`347`		`-func (i implementation) extractTokenDetails(cache tokens, t string) (string, []string, time.Duration, error) {`
	`343`	`+func (i *implementation) extractTokenDetails(cache token.Secret, t string) (string, []string, time.Duration, error) {`
`348`	`344`	`// Let's check if token is signed properly`
`349`		`-`
`350`		`- p, err := token.ParseWithAny(t, cache.validationTokens...)`
	`345`	`+ p, err := cache.Validate(t)`
`351`	`346`	`if err != nil {`
`352`	`347`	`return "", nil, 0, err`
`353`	`348`	`}`
`354`	`349`
`355`	`350`	`user := DefaultAdminUser`
`356`		`- if v, ok := p[token.ClaimPreferredUsername]; ok {`
	`351`	`+ if v, ok := p.Claims()[token.ClaimPreferredUsername]; ok {`
`357`	`352`	`if s, ok := v.(string); ok {`
`358`	`353`	`user = s`
`359`	`354`	`}`
`360`	`355`	`}`
`361`	`356`
`362`	`357`	`duration := DefaultTokenMaxTTL`
`363`	`358`
`364`		`- if v, ok := p[token.ClaimEXP]; ok {`
	`359`	`+ claims := p.Claims()`
	`360`	`+`
	`361`	`+ if v, ok := claims[token.ClaimEXP]; ok {`
`365`	`362`	`switch o := v.(type) {`
`366`	`363`	`case int64:`
`367`	`364`	`duration = time.Until(time.Unix(o, 0))`
`@@ -372,7 +369,7 @@ func (i implementation) extractTokenDetails(cache tokens, t string) (string, [`
`372`	`369`
`373`	`370`	`var roles []string`
`374`	`371`
`375`		`- if v, ok := p[token.ClaimRoles]; ok {`
	`372`	`+ if v, ok := claims[token.ClaimRoles]; ok {`
`376`	`373`	`switch o := v.(type) {`
`377`	`374`	`case []string:`
`378`	`375`	`roles = o`

`‎pkg/api/api.go‎`

Lines changed: 1 addition & 1 deletion

Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

`‎pkg/api/auth.go‎`

Lines changed: 2 additions & 2 deletions

Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

`‎pkg/api/jwt.go‎`

Lines changed: 13 additions & 13 deletions

Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

`‎pkg/deployment/context_impl.go‎`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -295,7 +295,7 @@ func (d *Deployment) getJWTToken() (string, bool) {`
`295`	`295`	`func (d *Deployment) GetSyncServerClient(ctx context.Context, group api.ServerGroup, id string) (client.API, error) {`
`296`	`296`	`// Fetch monitoring token`
`297`	`297`	`secretName := d.GetSpec().Sync.Monitoring.GetTokenSecretName()`
`298`		`- monitoringToken, err := k8sutil.GetTokenSecret(ctx, d.GetCachedStatus().Secret().V1().Read(), secretName)`
	`298`	`+ monitoringToken, err := k8sutil.GetTokenSecretString(ctx, d.GetCachedStatus().Secret().V1().Read(), secretName)`
`299`	`299`	`if err != nil {`
`300`	`300`	`d.log.Err(err).Str("secret-name", secretName).Debug("Failed to get sync monitoring secret")`
`301`	`301`	`return nil, errors.WithStack(err)`

0 commit comments

Comments

(0)

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit aa56b20

File tree

29 files changed

29 files changed

`‎CHANGELOG.md‎`

`‎cmd/admin.go‎`

`‎integrations/authentication/v1/cache.go‎`

`‎integrations/authentication/v1/implementation.go‎`

`‎pkg/api/api.go‎`

`‎pkg/api/auth.go‎`

`‎pkg/api/jwt.go‎`

`‎pkg/deployment/context_impl.go‎`

0 commit comments