Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
9a7acaae
Commit
9a7acaae
authored
Feb 06, 2018
by
Cao Shufeng
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
fix invalid match rules for advanced audit policy
When users or groups are set in a rule, this rule should not match attribute with unauthorized request where user and group are nil.
parent
69f8b155
Hide whitespace changes
Inline
Side-by-side
Showing
2 changed files
with
22 additions
and
4 deletions
+22
-4
checker.go
staging/src/k8s.io/apiserver/pkg/audit/policy/checker.go
+8
-4
checker_test.go
...ing/src/k8s.io/apiserver/pkg/audit/policy/checker_test.go
+14
-0
No files found.
staging/src/k8s.io/apiserver/pkg/audit/policy/checker.go
View file @
9a7acaae
...
@@ -76,14 +76,18 @@ func (p *policyChecker) LevelAndStages(attrs authorizer.Attributes) (audit.Level
...
@@ -76,14 +76,18 @@ func (p *policyChecker) LevelAndStages(attrs authorizer.Attributes) (audit.Level
// Check whether the rule matches the request attrs.
// Check whether the rule matches the request attrs.
func
ruleMatches
(
r
*
audit
.
PolicyRule
,
attrs
authorizer
.
Attributes
)
bool
{
func
ruleMatches
(
r
*
audit
.
PolicyRule
,
attrs
authorizer
.
Attributes
)
bool
{
if
len
(
r
.
Users
)
>
0
&&
attrs
.
GetUser
()
!=
nil
{
user
:=
attrs
.
GetUser
()
if
!
hasString
(
r
.
Users
,
attrs
.
GetUser
()
.
GetName
())
{
if
len
(
r
.
Users
)
>
0
{
if
user
==
nil
||
!
hasString
(
r
.
Users
,
user
.
GetName
())
{
return
false
return
false
}
}
}
}
if
len
(
r
.
UserGroups
)
>
0
&&
attrs
.
GetUser
()
!=
nil
{
if
len
(
r
.
UserGroups
)
>
0
{
if
user
==
nil
{
return
false
}
matched
:=
false
matched
:=
false
for
_
,
group
:=
range
attrs
.
GetUser
()
.
GetGroups
()
{
for
_
,
group
:=
range
user
.
GetGroups
()
{
if
hasString
(
r
.
UserGroups
,
group
)
{
if
hasString
(
r
.
UserGroups
,
group
)
{
matched
=
true
matched
=
true
break
break
...
...
staging/src/k8s.io/apiserver/pkg/audit/policy/checker_test.go
View file @
9a7acaae
...
@@ -73,6 +73,16 @@ var (
...
@@ -73,6 +73,16 @@ var (
ResourceRequest
:
true
,
ResourceRequest
:
true
,
Path
:
"/api/v1/namespaces/default/pods/busybox"
,
Path
:
"/api/v1/namespaces/default/pods/busybox"
,
},
},
"Unauthorized"
:
&
authorizer
.
AttributesRecord
{
Verb
:
"get"
,
Namespace
:
"default"
,
APIGroup
:
""
,
// Core
APIVersion
:
"v1"
,
Resource
:
"pods"
,
Name
:
"busybox"
,
ResourceRequest
:
true
,
Path
:
"/api/v1/namespaces/default/pods/busybox"
,
},
}
}
rules
=
map
[
string
]
audit
.
PolicyRule
{
rules
=
map
[
string
]
audit
.
PolicyRule
{
...
@@ -209,6 +219,10 @@ func testAuditLevel(t *testing.T, stages []audit.Stage) {
...
@@ -209,6 +219,10 @@ func testAuditLevel(t *testing.T, stages []audit.Stage) {
test
(
t
,
"subresource"
,
audit
.
LevelRequest
,
stages
,
stages
,
"getPodLogs"
,
"getPods"
)
test
(
t
,
"subresource"
,
audit
.
LevelRequest
,
stages
,
stages
,
"getPodLogs"
,
"getPods"
)
test
(
t
,
"Unauthorized"
,
audit
.
LevelNone
,
stages
,
stages
,
"tims"
)
test
(
t
,
"Unauthorized"
,
audit
.
LevelMetadata
,
stages
,
stages
,
"tims"
,
"default"
)
test
(
t
,
"Unauthorized"
,
audit
.
LevelNone
,
stages
,
stages
,
"humans"
)
test
(
t
,
"Unauthorized"
,
audit
.
LevelMetadata
,
stages
,
stages
,
"humans"
,
"default"
)
}
}
func
TestChecker
(
t
*
testing
.
T
)
{
func
TestChecker
(
t
*
testing
.
T
)
{
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment