mirror of
https://github.com/siderolabs/omni.git
synced 2025-08-07 18:17:00 +02:00
ed946b30a6
Fixes: https://github.com/siderolabs/omni/issues/858 Signed-off-by: Artem Chernyshev <artem.chernyshev@talos-systems.com>
53 lines
1.4 KiB
Go
53 lines
1.4 KiB
Go
// Copyright (c) 2025 Sidero Labs, Inc.
|
|
//
|
|
// Use of this software is governed by the Business Source License
|
|
// included in the LICENSE file.
|
|
|
|
package k8sproxy
|
|
|
|
import (
|
|
"github.com/golang-jwt/jwt/v4"
|
|
)
|
|
|
|
// claims represents a JWT claims.
|
|
//
|
|
// Kubernetes proxy expects all three claims to be present in the token.
|
|
type claims struct {
|
|
jwt.RegisteredClaims
|
|
|
|
// Cluster is the name of the cluster.
|
|
// For legacy JWTs in which ClusterUUID is not present, this field is used as the source of truth.
|
|
// For all new JWTs issued, ClusterUUID field is used as the source of truth, and this field is solely checked if it matches with the UUID.
|
|
Cluster string `json:"cluster"`
|
|
|
|
// ClusterUUID is the UUID of the cluster.
|
|
ClusterUUID string `json:"cluster_uuid"`
|
|
|
|
// Groups are the groups the subject belongs to.
|
|
Groups []string `json:"groups"`
|
|
}
|
|
|
|
func (claims *claims) Valid() error {
|
|
if err := claims.RegisteredClaims.Valid(); err != nil {
|
|
return err
|
|
}
|
|
|
|
if claims.ExpiresAt == nil {
|
|
return jwt.NewValidationError("expiration is empty", jwt.ValidationErrorClaimsInvalid)
|
|
}
|
|
|
|
if claims.Cluster == "" {
|
|
return jwt.NewValidationError("cluster is empty", jwt.ValidationErrorClaimsInvalid)
|
|
}
|
|
|
|
if claims.Subject == "" {
|
|
return jwt.NewValidationError("subject is empty", jwt.ValidationErrorClaimsInvalid)
|
|
}
|
|
|
|
if len(claims.Groups) == 0 {
|
|
return jwt.NewValidationError("groups is empty", jwt.ValidationErrorClaimsInvalid)
|
|
}
|
|
|
|
return nil
|
|
}
|