Fix base64 padding for kube config

[bpicolo]

Fixes #65 (pulled in / updated another open PR to get this fix moving + tweaked tests)

JWT spec requires tokens be de-padded base64 (so that they're URLsafe), but they need to be re-padded to properly decode.

[k8s-ci-robot]

Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please follow instructions at https://git.k8s.io/community/CLA.md#the-contributor-license-agreement to sign the CLA.

It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.

---

• If you've already signed a CLA, it's possible we don't have your GitHub username or you're using a different email address. Check your existing CLA data and verify that your email is set on your git commits.
• If you signed the CLA as a corporation, please sign in with your organization's credentials at https://identity.linuxfoundation.org/projects/cncf to be authorized.
• If you have done the above and are still having issues with the CLA being reported as unsigned, please email the CNCF helpdesk: helpdesk@rt.linuxfoundation.org

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[codecov-io]

Codecov Report

Merging #79 into master will increase coverage by 0.02%.
The diff coverage is 97.56%.

@@            Coverage Diff             @@
##           master      #79      +/-   ##
==========================================
+ Coverage   92.11%   92.13%   +0.02%     
==========================================
  Files          13       13              
  Lines        1217     1234      +17     
==========================================
+ Hits         1121     1137      +16     
- Misses         96       97       +1

Impacted Files	Coverage Δ
config/kube_config_test.py	94.55% <100%> (+0.13%)	⬆️
config/kube_config.py	83.9% <91.66%> (+0.04%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update e077f88...e1a1d3d. Read the comment docs.

[zybjcdl]

@bpicolo When could we get this fix? We need to run with python 3.6.5

[bpicolo]

/assign @roycaihw . (as recommended by mrsbot)

[roycaihw]

JWT requires base64.urlsafe_b64decode instead of base64.b64decode (and for encoding as well), as + and / are not url safe

[micw523]

It might be still worthwhile to do safe decode here?

[roycaihw]

The signature (TEST_CLIENT_CERT_BASE64) should also be url safe (base64url encoded and padding omitted).

[roycaihw]

Could you add a check to make sure the JWT doesn't contain url reserved characters (=, + and /)?

[roycaihw]

Thanks for sending this PR :) I left some comments.

[roycaihw]

After more reading, I'm thinking if the previous padding implementation (padding with "==") was intended.

According to base64 encoding and JWS doc, base64 (also apply to base64url) padding can only have three cases:

• no padding
• two "=" padding characters
• one "=" padding character

Having three "=" padding characters is illegal.

According to https://gist.github.com/perrygeo/ee7c65bb1541ff6ac770 and python binascii_a2b_base64 implementation, extra paddings after previous quad are ignored. Therefore for a valid base64-encoded string with padding stripped, adding "==" would guarantee it can be safely decoded, and for an illegal string (e.g. "A===" being "A" when stripped) adding "==" would raise error.

In Python 3.7 the implementation distinguishes illegal string ("A==") from incorrect padding ("AQ="): https://github.com/python/cpython/blob/3.7/Modules/binascii.c#L513-L521. Prior 3.7 the error messages are the same "Incorrect padding".

#65 had this issue because we didn't implement padding for python 3. The padding implementation for python 2 was correct (probably intended?) but it didn't distinguish illegal string from incorrect padding. I suggest we could add illegal base64url string check like https://tools.ietf.org/html/rfc7515#appendix-C

cc @ltamaster who implemented oidc auth
cc @hanikesn @joppa27 who also contributed on this fix

[bpicolo]

@roycaihw fair - I didn't notice the addendum in the JWS RFC. What's the optimal path forward?

[roycaihw]

@bpicolo I think your fix is fine for both Python 2 and 3. I'd suggest that we can add a check and raise error if len(padding) == 3, so that the versions prior 3.7 can better distinguish malformed token and incorrect padding.

Please also fix the decoding and testcases around oidc id-token (JWT) to use base64url-encoding/decoding.

[micw523]

Hi @bpicolo -
It looks like that your tests are somewhat incomplete and decreased the code coverage for the bot. It is possible for you to add some tests that you mentioned, e.g. if padding length is 3, etc?

[bpicolo]

@micw523 Done.

Where is code coverage report now? Last one I see in this thread ran in July on an entirely different branch

[micw523]

I think the bot refreshes its comment every once a while - it should refresh itself.

Otherwise, the CI says your coverage is 92%.

[bpicolo]

Ahhh I see that now, gotcha.

Side note - these tests are super tough to get running locally (And the latest kubernetes/ seems to have a dependency glitch with adal so I had to edit the ./run_tox script to target a specific branch locally), and because they run in a bash subprocess they're even harder to debug. It's probably worth adding some documentation to help people get started here.

That said, looks like coveragebot is happy now?

[micw523]

Are you running into import problems with adal? I think part of the reason might be that you opened this PR a long time ago and the python repo has ditched adal as an absolute requirement. It was a recent change. Fast forwarding to the master branch might help?

I agree on the difficulty on running the tests. The documentation for this library is quite sparse in its current state.

The bot has indeed updated itself.

[micw523]

It looks like that in the original code a single return is used. Is it possible if we make the return statements consistent?

[micw523]

It might be still worthwhile to do safe decode here?

[bpicolo]

@micw523 cleaned up the return. re: safe decode (can't reply to that comment), we're breaking above if there are url-unsafe characters, so it should be safe as is.

In theory, this is ready, but I no longer have a setup locally to be able to try it live. Apologies for the delay here - pretty far out of my mind at this point, heh.

Not sure what's up with those new test errors ... doesn't seem code related?

[stevenmanton]

Just pinging this thread to see if there are updates. This bug still blocks our development without manually editing the offending line. Is this PR just awaiting lgtm?

[roycaihw]

Sorry for the delay in review. I will do another pass this week

[carlescere]

Any news on this?

[roycaihw]

my apologies.. I was busy with k/k 1.15 freeze. It looks like my comments were addressed a long time ago :)

re: safe decode (can't reply to that comment), we're breaking above if there are url-unsafe characters, so it should be safe as is.

Fair enough. I re-ran the travis CI and the test_create_apiservice_from_yaml_with_conflict failure looks unrelated. I tend to merge this. Thanks for the fix!

/lgtm
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bpicolo, roycaihw

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [roycaihw]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[rcurrie]

Just installed released 10.0.0 fresh from pip and tested against the Pacific Research Platform k8s cluster using python3 and it works now! Thank You!