From 2de636a9487f6b5363ca2f714d7f97efa8999bf6 Mon Sep 17 00:00:00 2001
From: Jordan Liggitt
Date: Mon, 2 Sep 2019 22:38:55 -0400
Subject: [PATCH] Search client auth with and without port

Kubernetes-commit: 2f5dde7672eaf90c7086f86a5a4ee190559f3bb2
---
 pkg/util/webhook/authentication.go | 17 +++++
 pkg/util/webhook/authentication_test.go | 84 +++++++++++++++++++++++++
 2 files changed, 101 insertions(+)

diff --git a/pkg/util/webhook/authentication.go b/pkg/util/webhook/authentication.go
index dda51b60d..573bcf798 100644
--- a/pkg/util/webhook/authentication.go
+++ b/pkg/util/webhook/authentication.go
@@ -136,6 +136,23 @@ func (c *defaultAuthenticationInfoResolver) clientConfig(target string) (*rest.C
 }
 }
 
+ // If target included the default https port (443), search again without the port
+ if target, port, err := net.SplitHostPort(target); err == nil && port == "443" {
+ // exact match without port
+ if authConfig, ok := c.kubeconfig.AuthInfos[target]; ok {
+ return restConfigFromKubeconfig(authConfig)
+ }
+
+ // star prefixed match without port
+ serverSteps := strings.Split(target, ".")
+ for i := 1; i < len(serverSteps); i++ {
+ nickName := "*." + strings.Join(serverSteps[i:], ".")
+ if authConfig, ok := c.kubeconfig.AuthInfos[nickName]; ok {
+ return restConfigFromKubeconfig(authConfig)
+ }
+ }
+ }
+
 // if we're trying to hit the kube-apiserver and there wasn't an explicit config, use the in-cluster config
 if target == "kubernetes.default.svc" {
 // if we can find an in-cluster-config use that. If we can't, fall through.
diff --git a/pkg/util/webhook/authentication_test.go b/pkg/util/webhook/authentication_test.go
index d91a428c0..d92268578 100644
--- a/pkg/util/webhook/authentication_test.go
+++ b/pkg/util/webhook/authentication_test.go
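Review bot: The exact-then-wildcard search added in this hunk is a second copy of the lookup that, judging by the `*.two.three.com:443` test expectation, already runs on the full `target` above the hunk, so the two passes can silently drift; a helper such as `lookupAuthInfo(host)` used by both would keep the credential-selection rule in one place (clientConfig starts and ends outside the hunk). The resulting precedence — port-qualified exact, port-qualified wildcard, then exact and wildcard without the port, then the in-cluster fallback — is recorded only in the tests, and since it decides which kubeconfig credential is sent to a webhook host it deserves a sentence in clientConfig's doc comment. Note also that `net.SplitHostPort` strips IPv6 brackets, so a `[::1]:443` target is looked up as `::1` in the second pass and will not match an entry a user wrote as `[::1]`; that is worth stating in the comment on the new `if`. The helper below returns the type that `restConfigFromKubeconfig` already takes, under whatever alias the file imports the clientcmd api package.
```go
	// If target included the default https port (443), search again without the port
	if host, port, err := net.SplitHostPort(target); err == nil && port == "443" {
		if authConfig, ok := c.lookupAuthInfo(host); ok {
			return restConfigFromKubeconfig(authConfig)
		}
	}
	// … unchanged: kubernetes.default.svc in-cluster fallback …

// lookupAuthInfo returns the kubeconfig AuthInfo for an exact match on host, or
// else for the most specific "*."-prefixed suffix of host. It does not consult "*".
func (c *defaultAuthenticationInfoResolver) lookupAuthInfo(host string) (*clientcmdapi.AuthInfo, bool) {
	if authConfig, ok := c.kubeconfig.AuthInfos[host]; ok {
		return authConfig, true
	}
	serverSteps := strings.Split(host, ".")
	for i := 1; i < len(serverSteps); i++ {
		if authConfig, ok := c.kubeconfig.AuthInfos["*."+strings.Join(serverSteps[i:], ".")]; ok {
			return authConfig, true
		}
	}
	return nil, false
}
```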
@@ -109,6 +109,90 @@ func TestAuthenticationDetection(t *testing.T) {
 },
 expected: rest.Config{BearerToken: "first"},
 },
+ {
+ name: "exact match with default https port",
+ serverName: "one.two.three.com:443",
+ kubeconfig: clientcmdapi.Config{
+ AuthInfos: map[string]*clientcmdapi.AuthInfo{
+ "one.two.three.com:443": {Token: "exact"},
+ "*.two.three.com": {Token: "first"},
+ "*.three.com": {Token: "second"},
+ "*.com": {Token: "third"},
+ "*": {Token: "fallback"},
+ },
+ },
+ expected: rest.Config{BearerToken: "exact"},
+ },
+ {
+ name: "wildcard match with default https port",
+ serverName: "one.two.three.com:443",
+ kubeconfig: clientcmdapi.Config{
+ AuthInfos: map[string]*clientcmdapi.AuthInfo{
+ "*.two.three.com:443": {Token: "first-with-port"},
+ "*.two.three.com": {Token: "first"},
+ "*.three.com": {Token: "second"},
+ "*.com": {Token: "third"},
+ "*": {Token: "fallback"},
+ },
+ },
+ expected: rest.Config{BearerToken: "first-with-port"},
+ },
+ {
+ name: "wildcard match without default https port",
+ serverName: "one.two.three.com:443",
+ kubeconfig: clientcmdapi.Config{
+ AuthInfos: map[string]*clientcmdapi.AuthInfo{
+ "*.two.three.com": {Token: "first"},
+ "*.three.com": {Token: "second"},
+ "*.com": {Token: "third"},
+ "*": {Token: "fallback"},
+ },
+ },
+ expected: rest.Config{BearerToken: "first"},
+ },
+ {
+ name: "exact match with non-default https port",
+ serverName: "one.two.three.com:8443",
+ kubeconfig: clientcmdapi.Config{
+ AuthInfos: map[string]*clientcmdapi.AuthInfo{
+ "one.two.three.com:8443": {Token: "exact"},
+ "*.two.three.com": {Token: "first"},
+ "*.three.com": {Token: "second"},
+ "*.com": {Token: "third"},
+ "*": {Token: "fallback"},
+ },
+ },
+ expected: rest.Config{BearerToken: "exact"},
+ },
+ {
+ name: "wildcard match with non-default https port",
+ serverName: "one.two.three.com:8443",
+ kubeconfig: clientcmdapi.Config{
+ AuthInfos: map[string]*clientcmdapi.AuthInfo{
+ "*.two.three.com:8443": {Token: "first-with-port"},
+ "one.two.three.com": {Token: "first-without-port"},
+ "*.two.three.com": {Token: "first"},
+ "*.three.com": {Token: "second"},
+ "*.com": {Token: "third"},
+ "*": {Token: "fallback"},
+ },
+ },
+ expected: rest.Config{BearerToken: "first-with-port"},
+ },
+ {
+ name: "wildcard match without non-default https port",
+ serverName: "one.two.three.com:8443",
+ kubeconfig: clientcmdapi.Config{
+ AuthInfos: map[string]*clientcmdapi.AuthInfo{
+ "one.two.three.com": {Token: "first-without-port"},
+ "*.two.three.com": {Token: "first"},
+ "*.three.com": {Token: "second"},
+ "*.com": {Token: "third"},
+ "*": {Token: "fallback"},
+ },
+ },
+ expected: rest.Config{BearerToken: "fallback"},
+ },
 }
 for _, tc := range tests {