Rename AllowlistEntry clientcmd.Name to Command
Signed-off-by: Peter Engelbert <pmengelbert@gmail.com> Kubernetes-commit: 505b937babc9ab0061ed346ec0278a3a605664ac
committed by
Kubernetes Publisher
parent
f037d681ac
commit
b840391f92
@@ -185,8 +185,8 @@ func newAuthenticator(c *cache, isTerminalFunc func(int) bool, config *api.ExecC
|
||||
|
||||
allowlistLookup := sets.New[string]()
|
||||
for _, entry := range config.PluginPolicy.Allowlist {
|
||||
if entry.Name != "" {
|
||||
allowlistLookup.Insert(entry.Name)
|
||||
if entry.Command != "" {
|
||||
allowlistLookup.Insert(entry.Command)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -641,14 +641,14 @@ func (a *Authenticator) checkAllowlistLocked(cmd *exec.Cmd) error {
|
||||
func (a *Authenticator) resolveAllowListEntriesLocked(commandHint string) {
|
||||
hintName := filepath.Base(commandHint)
|
||||
for _, entry := range a.execPluginPolicy.Allowlist {
|
||||
entryBasename := filepath.Base(entry.Name)
|
||||
entryBasename := filepath.Base(entry.Command)
|
||||
if hintName != "" && hintName != entryBasename {
|
||||
// we got a hint, and this allowlist entry does not match it
|
||||
continue
|
||||
}
|
||||
entryResolvedPath, err := exec.LookPath(entry.Name)
|
||||
entryResolvedPath, err := exec.LookPath(entry.Command)
|
||||
if err != nil {
|
||||
klog.V(5).ErrorS(err, "resolving credential plugin allowlist", "name", entry.Name)
|
||||
klog.V(5).ErrorS(err, "resolving credential plugin allowlist", "name", entry.Command)
|
||||
continue
|
||||
}
|
||||
if entryResolvedPath != "" {
|
||||
@@ -691,10 +691,10 @@ func validateAllowlist(list []api.AllowlistEntry) error {
|
||||
return fmt.Errorf("misconfigured credential plugin allowlist: empty allowlist entry #%d", i+1)
|
||||
}
|
||||
|
||||
if cleaned := filepath.Clean(item.Name); cleaned != item.Name {
|
||||
return fmt.Errorf("non-normalized file path: %q vs %q", item.Name, cleaned)
|
||||
} else if item.Name == "" {
|
||||
return fmt.Errorf("empty file path: %q", item.Name)
|
||||
if cleaned := filepath.Clean(item.Command); cleaned != item.Command {
|
||||
return fmt.Errorf("non-normalized file path: %q vs %q", item.Command, cleaned)
|
||||
} else if item.Command == "" {
|
||||
return fmt.Errorf("empty file path: %q", item.Command)
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
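Review bot: In validateAllowlist the `else if item.Command == ""` branch cannot be reached, because `filepath.Clean("")` returns `"."` and the preceding `cleaned != item.Command` comparison therefore already fires for an empty value. An empty command is still rejected, so the check fails closed, but the caller sees the "non-normalized file path" message instead of "empty file path"; testing `item.Command == ""` first, before the `filepath.Clean` comparison, would make both messages reachable. The function's loop header and the earlier empty-entry check start outside the hunk, so that earlier check may already cover this case. Separately, in resolveAllowListEntriesLocked the log call still uses the key `"name"` for `entry.Command`; `"command"` would match the renamed field.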
@@ -1077,7 +1077,7 @@ func (tt *pluginPolicyTest) setAllowlist(l int, existingPluginInPATHAbsolutePath
|
||||
}
|
||||
|
||||
for i := 1; i < tt.allowlistLength; i++ {
|
||||
tt.allowlist = append(tt.allowlist, api.AllowlistEntry{Name: fmt.Sprintf("foo-%d", i)})
|
||||
tt.allowlist = append(tt.allowlist, api.AllowlistEntry{Command: fmt.Sprintf("foo-%d", i)})
|
||||
}
|
||||
|
||||
// shuffle the allowlist to guarantee ordering doesn't matter
|
||||
@@ -1092,13 +1092,13 @@ func (tt *pluginPolicyTest) makeAllowlistEntry(existingPluginInPATHAbsolutePath
|
||||
|
||||
switch {
|
||||
case tt.entryExists && tt.useEntryAbsPath:
|
||||
entry.Name = existingPluginInPATHAbsolutePath
|
||||
entry.Command = existingPluginInPATHAbsolutePath
|
||||
case tt.entryExists && !tt.useEntryAbsPath:
|
||||
entry.Name = existingPluginInPATHBasename
|
||||
entry.Command = existingPluginInPATHBasename
|
||||
case !tt.entryExists && tt.useEntryAbsPath:
|
||||
entry.Name = "/this/path/does/not/exist"
|
||||
entry.Command = "/this/path/does/not/exist"
|
||||
case !tt.entryExists && !tt.useEntryAbsPath:
|
||||
entry.Name = "does not exist"
|
||||
entry.Command = "does not exist"
|
||||
}
|
||||
|
||||
return entry
|
||||
|
||||
@@ -243,10 +243,10 @@ func TestPolicyCallsMetric(t *testing.T) {
|
||||
PolicyType: api.PluginPolicyAllowlist,
|
||||
Allowlist: []api.AllowlistEntry{
|
||||
{
|
||||
Name: "foobar",
|
||||
Command: "foobar",
|
||||
},
|
||||
{
|
||||
Name: "testdata/test-plugin.sh",
|
||||
Command: "testdata/test-plugin.sh",
|
||||
},
|
||||
},
|
||||
},
|
||||
@@ -256,8 +256,8 @@ func TestPolicyCallsMetric(t *testing.T) {
|
||||
policy: api.PluginPolicy{
|
||||
PolicyType: api.PluginPolicyAllowlist,
|
||||
Allowlist: []api.AllowlistEntry{
|
||||
{Name: "foobar"},
|
||||
{Name: "baz"},
|
||||
{Command: "foobar"},
|
||||
{Command: "baz"},
|
||||
},
|
||||
},
|
||||
},
|
||||
|
||||
@@ -298,12 +298,12 @@ type ExecConfig struct {
|
||||
// the logical AND of all checks corresponding to the specified fields within
|
||||
// the entry.
|
||||
type AllowlistEntry struct {
|
||||
// Name matching is performed by first resolving the absolute path of both
|
||||
// Command matching is performed by first resolving the absolute path of both
|
||||
// the plugin and the name in the allowlist entry using `exec.LookPath`. It
|
||||
// will be called on both, and the resulting strings must be equal. If
|
||||
// either call to `exec.LookPath` results in an error, the `Name` check
|
||||
// either call to `exec.LookPath` results in an error, the `Command` check
|
||||
// will be considered a failure.
|
||||
Name string `json:"-"`
|
||||
Command string `json:"-"`
|
||||
}
|
||||
|
||||
// PluginPolicy describes the policy type and allowlist (if any) for client-go
|
||||
|
||||
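Review bot: The doc comment on `Command` still refers to "the name in the allowlist entry" on the unchanged line after the renamed first line, so the rename is incomplete in the prose; that line should say "the command in the allowlist entry". It would also help to state in the comment that, because matching goes through `exec.LookPath`, an entry without a path separator is resolved against the process's `PATH` at check time, whereas an absolute path pins one specific binary. The struct's leading comment begins outside the hunk.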