From bf70084dea2bb5bdf3fcbb840ae6ce5f93d824ac Mon Sep 17 00:00:00 2001
From: Cao Shufeng
Date: Tue, 21 Feb 2017 05:13:11 -0500
Subject: [PATCH] Ensure invalid username/password returns 401 error, not 403

If a user attempts to use basic auth, and the username/password combination is rejected, the authenticator should return an error. This distinguishes requests that did not provide username/passwrod (and are unauthenticated without error) from ones that attempted to, and failed.

Kubernetes-commit: 0ec585c1395a6e380ca36fb33c6842b7aca0ea4b
---
 .../authenticator/request/basicauth/basicauth.go | 13 ++++++++++++-
 .../request/basicauth/basicauth_test.go | 2 ++
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/plugin/pkg/authenticator/request/basicauth/basicauth.go b/plugin/pkg/authenticator/request/basicauth/basicauth.go
index 50ce3ac3b..d5b39ce17 100644
--- a/plugin/pkg/authenticator/request/basicauth/basicauth.go
+++ b/plugin/pkg/authenticator/request/basicauth/basicauth.go
@@ -17,6 +17,7 @@ limitations under the License.
 package basicauth
 
 import (
+	"errors"
 	"net/http"
 
 	"k8s.io/apiserver/pkg/authentication/authenticator"
@@ -33,11 +34,21 @@ func New(auth authenticator.Password) *Authenticator {
 	return &Authenticator{auth}
 }
 
+var errInvalidAuth = errors.New("invalid username/password combination")
+
 // AuthenticateRequest authenticates the request using the "Authorization: Basic" header in the request
 func (a *Authenticator) AuthenticateRequest(req *http.Request) (user.Info, bool, error) {
 	username, password, found := req.BasicAuth()
 	if !found {
 		return nil, false, nil
 	}
-	return a.auth.AuthenticatePassword(username, password)
+
+	user, ok, err := a.auth.AuthenticatePassword(username, password)
+
+	// If the password authenticator didn't error, provide a default error
+	if !ok && err == nil {
+		err = errInvalidAuth
+	}
+
+	return user, ok, err
 }
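Review bot: The local introduced by `user, ok, err := a.auth.AuthenticatePassword(username, password)` shadows the imported `user` package that the signature on the line above still refers to as `user.Info`; it compiles, but `go vet`'s shadow check and most linters will flag it, and renaming it — `info, ok, err := a.auth.AuthenticatePassword(username, password)` and `return info, ok, err` — removes the ambiguity. The security intent of `errInvalidAuth` should also be written down next to it, since the message is deliberately generic and future edits must keep it that way: `// errInvalidAuth is intentionally generic so a caller cannot tell an unknown username from a wrong password; returning an error (rather than a bare false) is what lets the server answer 401 instead of 403.` Whether the authenticator chain that wraps this one stops at the first error or keeps trying other authenticators is not visible in this hunk, so the 401-vs-403 outcome described in the commit message should be confirmed at that layer.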
diff --git a/plugin/pkg/authenticator/request/basicauth/basicauth_test.go b/plugin/pkg/authenticator/request/basicauth/basicauth_test.go
index 70a0ba345..2d59e0ede 100644
--- a/plugin/pkg/authenticator/request/basicauth/basicauth_test.go
+++ b/plugin/pkg/authenticator/request/basicauth/basicauth_test.go
@@ -60,11 +60,13 @@ func TestBasicAuth(t *testing.T) {
 			ExpectedCalled: true,
 			ExpectedUsername: "user_with_empty_password",
 			ExpectedPassword: "",
+			ExpectedErr: true,
 		},
 		"valid basic header": {
 			ExpectedCalled: true,
 			ExpectedUsername: "myuser",
 			ExpectedPassword: "mypassword:withcolon",
+			ExpectedErr: true,
 		},
 		"password auth returned user": {
 			Password: testPassword{User: &user.DefaultInfo{Name: "returneduser"}, OK: true},
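Review bot: Neither added `ExpectedErr: true` case covers the other half of the new logic — a password authenticator that returns `ok == false` together with its own error, which must be passed through rather than replaced by the default one. If `testPassword` can carry an error (only its `User` and `OK` fields are visible here), a case along the lines of `"password auth returned error": {Password: testPassword{Err: errors.New("boom")}, ExpectedCalled: true, ExpectedErr: true}` plus an assertion that the returned error is that same value would pin the behaviour. The `"valid basic header"` case now expects an error only because the zero-value `testPassword` rejects every credential, which a reader could misread as the header itself being rejected; a one-line comment such as `// the header parses, but the stub password authenticator rejects all credentials` would prevent that. `TestBasicAuth` begins and ends outside this hunk.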