Skip to content

Commit

Permalink
fix: 解决 jwt 硬编码导致的 k8s 集群接管漏洞
Browse files Browse the repository at this point in the history
  • Loading branch information
zhengkunwang223 committed Jan 4, 2023
1 parent 2fb4f69 commit 3be58b8
Show file tree
Hide file tree
Showing 6 changed files with 36 additions and 10 deletions.
4 changes: 3 additions & 1 deletion conf/app.yml
Original file line number Diff line number Diff line change
Expand Up @@ -12,4 +12,6 @@ spec:
db:
path: /var/lib/kubepi/db/kubepi.db
session:
expires: 24
expires: 24
jwt:
key:
3 changes: 1 addition & 2 deletions internal/api/v1/session/session.go
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,6 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

var JwtSigKey = []byte("signature_hmac_secret_shared_key")
var jwtMaxAge = 10 * time.Minute

type Handler struct {
Expand All @@ -51,7 +50,7 @@ func NewHandler() *Handler {
roleService: role.NewService(),
rolebindingService: rolebinding.NewService(),
ldapService: ldap.NewService(),
jwtSigner: jwt.NewSigner(jwt.HS256, JwtSigKey, jwtMaxAge),
jwtSigner: jwt.NewSigner(jwt.HS256, server.Config().Spec.Jwt.Key, jwtMaxAge),
}
}

Expand Down
3 changes: 1 addition & 2 deletions internal/api/v1/v1.go
Original file line number Diff line number Diff line change
Expand Up @@ -401,8 +401,7 @@ func resourceNameInvalidHandler() iris.Handler {
}

func WarpedJwtHandler() iris.Handler {

verifier := jwt.NewVerifier(jwt.HS256, session.JwtSigKey)
verifier := jwt.NewVerifier(jwt.HS256, server.Config().Spec.Jwt.Key)
verifier.WithDefaultBlocklist()
verifyMiddleware := verifier.Verify(func() interface{} {
return new(session.UserProfile)
Expand Down
30 changes: 25 additions & 5 deletions internal/config/config.go
Original file line number Diff line number Diff line change
@@ -1,12 +1,15 @@
package config

import (
"crypto/rand"
"encoding/json"
"fmt"
"github.com/KubeOperator/kubepi/internal/model/v1/config"
"github.com/KubeOperator/kubepi/pkg/file"
"github.com/coreos/etcd/pkg/fileutil"
"github.com/spf13/viper"
"math/big"
"strconv"
)

const configNotFoundSkipErr = "config file not found in %s, skip"
Expand All @@ -17,7 +20,7 @@ var configFilePaths = []string{
"/etc/kubepi",
}

func ReadConfig(c *config.Config, path ...string) error {
func ReadConfig(c *config.Config, path ...string) error {
v := viper.New()
v.SetConfigName("app")
v.SetConfigType("yaml")
Expand All @@ -41,19 +44,36 @@ func ReadConfig(c *config.Config, path ...string) error {
if err := v.MergeInConfig(); err != nil {
fmt.Println(fmt.Sprintf(configMergeErr, configFilePaths))
}

}

var configMap map[string]interface{}
if err := v.Unmarshal(&configMap); err != nil {
return err
return err
}
str, err := json.Marshal(&configMap)
if err != nil {
return err
return err
}
if err := json.Unmarshal(str, &c); err != nil {
return nil
return nil
}
if c.Spec.Jwt.Key == "" {
v.Set("spec.jwt.key", generate(32))
if err := v.WriteConfig(); err != nil {
return err
}
}
return nil
return nil
}

func generate(length int) string {
const base = 36
size := big.NewInt(base)
n := make([]byte, length)
for i := range n {
c, _ := rand.Int(rand.Reader, size)
n[i] = strconv.FormatInt(c.Int64(), base)[0]
}
return string(n)
}
5 changes: 5 additions & 0 deletions internal/model/v1/config/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@ type Spec struct {
DB DBConfig `json:"db"`
Session SessionConfig `json:"session"`
Logger LoggerConfig `json:"logger"`
Jwt JwtConfig `json:"jwt"`
AppId string `json:"appId"`
}

Expand Down Expand Up @@ -42,3 +43,7 @@ type DBConfig struct {
type SessionConfig struct {
Expires int `json:"expires"`
}

type JwtConfig struct {
Key string `json:"key"`
}
1 change: 1 addition & 0 deletions internal/server/server.go
Original file line number Diff line number Diff line change
Expand Up @@ -340,6 +340,7 @@ func getDefaultConfig() *v1Config.Config {
Expires: 72,
},
Logger: v1Config.LoggerConfig{Level: "debug"},
Jwt: v1Config.JwtConfig{},
},
}
}

0 comments on commit 3be58b8

Please sign in to comment.