From 0939602ca65d977ce334852c229b12d3711a4233 Mon Sep 17 00:00:00 2001
From: deads2k
Date: Fri, 30 Jun 2017 09:19:44 -0400
Subject: [PATCH] don't accept delete tokens that are waiting to be reaped

---
 pkg/serviceaccount/jwt.go | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/pkg/serviceaccount/jwt.go b/pkg/serviceaccount/jwt.go
index 9135df0078..83efe5be0a 100644
--- a/pkg/serviceaccount/jwt.go
+++ b/pkg/serviceaccount/jwt.go
@@ -290,6 +290,10 @@ func (j *jwtTokenAuthenticator) AuthenticateToken(token string) (user.Info, bool
 glog.V(4).Infof("Could not retrieve token %s/%s for service account %s/%s: %v", namespace, secretName, namespace, serviceAccountName, err)
 return nil, false, errors.New("Token has been invalidated")
 }
+ if secret.DeletionTimestamp != nil {
+ glog.V(4).Infof("Token is deleted and awaiting removal: %s/%s for service account %s/%s", namespace, secretName, namespace, serviceAccountName)
+ return nil, false, errors.New("Token has been invalidated")
+ }
 if bytes.Compare(secret.Data[v1.ServiceAccountTokenKey], []byte(token)) != 0 {
 glog.V(4).Infof("Token contents no longer matches %s/%s for service account %s/%s", namespace, secretName, namespace, serviceAccountName)
 return nil, false, errors.New("Token does not match server's copy")
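Review bot: The new `secret.DeletionTimestamp != nil` guard carries no comment explaining why a secret that the getter still returns is refused, and that reasoning is the whole point of the commit; add `// A secret with DeletionTimestamp set is only waiting on finalizers/reaping — treat its token as revoked now rather than honouring it until the object is gone.` above the `if`. Placing the guard after the getter error check and before the byte comparison means a pending-delete secret is rejected before its payload is consulted, which is the right order. The matching service-account check in the second hunk returns `fmt.Errorf("ServiceAccount %s/%s has been deleted", ...)` while this one keeps the generic `errors.New("Token has been invalidated")`; if the returned error text can reach a caller, one convention for both new branches would be clearer. AuthenticateToken starts before this hunk and continues past it.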
@@ -301,6 +305,10 @@ func (j *jwtTokenAuthenticator) AuthenticateToken(token string) (user.Info, bool
 glog.V(4).Infof("Could not retrieve service account %s/%s: %v", namespace, serviceAccountName, err)
 return nil, false, err
 }
+ if serviceAccount.DeletionTimestamp != nil {
+ glog.V(4).Infof("Service account has been deleted %s/%s", namespace, serviceAccountName)
+ return nil, false, fmt.Errorf("ServiceAccount %s/%s has been deleted", namespace, serviceAccountName)
+ }
 if string(serviceAccount.UID) != serviceAccountUID {
 glog.V(4).Infof("Service account UID no longer matches %s/%s: %q != %q", namespace, serviceAccountName, string(serviceAccount.UID), serviceAccountUID)
 return nil, false, fmt.Errorf("ServiceAccount UID (%s) does not match claim (%s)", serviceAccount.UID, serviceAccountUID)
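Review bot: The log and error text in the new branch say the service account "has been deleted", but the branch fires while the object was still returned by the getter with only `DeletionTimestamp` set, i.e. it is pending reaping as the commit subject puts it; wording such as `glog.V(4).Infof("Service account is pending deletion %s/%s", namespace, serviceAccountName)` and `fmt.Errorf("ServiceAccount %s/%s is pending deletion", namespace, serviceAccountName)` describes the state more accurately and matches the "awaiting removal" phrasing used for the secret in the first hunk. The guard sits between the getter error check and the UID comparison, so a UID mismatch on a re-created account is still caught by the existing check below it. AuthenticateToken starts before this hunk and continues past it.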