Merge pull request #260 from richardmarshall/usergroupdns1123check

Remove DNS-1123 validation of usernames and groups

deploy/example.yaml

@@ -103,6 +103,15 @@ data:
         username: admin:{{SessionName}}
         groups:
         - system:masters
+      # map federated users in my "KubernetesUsers" role to users like
+      # "alice@example.com". SessionNameRaw is sourced from the same place as
+      # SessionName with the distinction that no transformation is performed
+      # on the value. For example an email addresses passed by an identity
+      # provider will not have the `@` replaced with a `-`.
+      - roleARN: arn:aws:iam::000000000000:role/KubernetesUsers
+        username: "{{SessionNameRaw}}"
+        groups:
+        - developers
       # each mapUsers entry maps an IAM role to a static username and set of groups
       mapUsers:
       # map user IAM user Alice in 000000000000 to user "alice" in "system:masters"

pkg/server/server.go

@@ -67,7 +67,6 @@ var tokenReviewDenyJSON = func() []byte {
 // Pattern to match EC2 instance IDs
 var (
 	instanceIDPattern = regexp.MustCompile("^i-(\\w{8}|\\w{17})$")
-	dns1123Pattern    = regexp.MustCompile("[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*")
 )
 
 // server state (internal)
@@ -403,14 +402,9 @@ func (h *handler) renderTemplate(template string, identity *token.Identity) (str
 	}
 
 	template = strings.Replace(template, "{{AccountID}}", identity.AccountID, -1)
-
-	// usernames and groups must be a DNS-1123 hostname matching the regex
-	// "[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*"
 	sessionName := strings.Replace(identity.SessionName, "@", "-", -1)
 	template = strings.Replace(template, "{{SessionName}}", sessionName, -1)
-	if !dns1123Pattern.MatchString(template) {
-		return "", fmt.Errorf("username or group is not a DNS-1123 hostname")
-	}
+	template = strings.Replace(template, "{{SessionNameRaw}}", identity.SessionName, -1)
 
 	return template, nil
 }

pkg/server/server_test.go

@@ -723,3 +723,83 @@ func TestAuthenticateVerifierNodeMappingCRD(t *testing.T) {
 	validateMetrics(t, validateOpts{success: 1})
 
 }
+
+func TestRenderTemplate(t *testing.T) {
+	h := &handler{}
+	h.ec2Provider = newTestEC2Provider("ip-172-31-27-14")
+	cases := []struct {
+		template string
+		want     string
+		identity token.Identity
+		err      bool
+	}{
+		{
+			template: "a-{{EC2PrivateDNSName}}-b",
+			want:     "a-ip-172-31-27-14-b",
+			identity: token.Identity{
+				SessionName: "i-aaaaaaaa",
+			},
+		},
+		{
+			template: "a-{{EC2PrivateDNSName}}-b",
+			want:     "a-ip-172-31-27-14-b",
+			identity: token.Identity{
+				SessionName: "i-aaaaa",
+			},
+			err: true,
+		},
+		{
+			template: "a-{{AccountID}}-b",
+			want:     "a-123-b",
+			identity: token.Identity{
+				AccountID: "123",
+			},
+		},
+		{
+			template: "a-{{SessionName}}-b",
+			want:     "a-jdoe-b",
+			identity: token.Identity{
+				SessionName: "jdoe",
+			},
+		},
+		{
+			template: "a-{{SessionName}}-b",
+			want:     "a-jdoe-example.com-b",
+			identity: token.Identity{
+				SessionName: "jdoe@example.com",
+			},
+		},
+		{
+			template: "a-{{SessionNameRaw}}-b",
+			want:     "a-jdoe@example.com-b",
+			identity: token.Identity{
+				SessionName: "jdoe@example.com",
+			},
+		},
+		{
+			template: "a-{{AccountID}}-{{SessionName}}-{{SessionNameRaw}}-b",
+			want:     "a-123-jdoe-example.com-jdoe@example.com-b",
+			identity: token.Identity{
+				AccountID:   "123",
+				SessionName: "jdoe@example.com",
+			},
+		},
+	}
+	for _, c := range cases {
+		t.Run(c.template, func(t *testing.T) {
+			got, err := h.renderTemplate(c.template, &c.identity)
+			if err != nil {
+				if c.err {
+					return
+				}
+				t.Errorf("unexpected error: %s", err.Error())
+			} else if c.err {
+				t.Errorf("expected error")
+			}
+			if got != c.want {
+				t.Errorf("want: %v, got: %v", c.want, got)
+			}
+
+		})
+	}
+}