Merge pull request #38720 from deads2k/api-51-fix-impersonation

Automatic merge from submit-queue prevent audit filter from panic-ing on missing user info master version of https://github.com/kubernetes/kubernetes/pull/38717
2025-07-23 11:50:44 +00:00 · 2016-12-14 05:36:27 -08:00 · 2016-12-14 05:36:27 -08:00 · 11c1cd876b
commit 11c1cd876b
parent 9705bb728e 9676fe9948
2 changed files with 35 additions and 3 deletions
--- a/pkg/apiserver/filters/audit.go
+++ b/pkg/apiserver/filters/audit.go
@ -104,9 +104,13 @@ func WithAudit(handler http.Handler, requestContextMapper api.RequestContextMapp
 			return
 		}

+		username := "<none>"
 		groups := "<none>"
-		if userGroups := attribs.GetUser().GetGroups(); len(userGroups) > 0 {
-			groups = auditStringSlice(userGroups)
+		if attribs.GetUser() != nil {
+			username = attribs.GetUser().GetName()
+			if userGroups := attribs.GetUser().GetGroups(); len(userGroups) > 0 {
+				groups = auditStringSlice(userGroups)
+			}
 		}
 		asuser := req.Header.Get(authenticationapi.ImpersonateUserHeader)
 		if len(asuser) == 0 {
@ -124,7 +128,7 @@ func WithAudit(handler http.Handler, requestContextMapper api.RequestContextMapp
 		id := uuid.NewRandom().String()

 		line := fmt.Sprintf("%s AUDIT: id=%q ip=%q method=%q user=%q groups=%q as=%q asgroups=%q namespace=%q uri=%q\n",
-			time.Now().Format(time.RFC3339Nano), id, utilnet.GetClientIP(req), req.Method, attribs.GetUser().GetName(), groups, asuser, asgroups, namespace, req.URL)
+			time.Now().Format(time.RFC3339Nano), id, utilnet.GetClientIP(req), req.Method, username, groups, asuser, asgroups, namespace, req.URL)
 		if _, err := fmt.Fprint(out, line); err != nil {
 			glog.Errorf("Unable to write audit log: %s, the error is: %v", line, err)
 		}
--- a/pkg/apiserver/filters/audit_test.go
+++ b/pkg/apiserver/filters/audit_test.go
@ -123,3 +123,31 @@ func (m *fakeRequestContextMapper) Get(req *http.Request) (api.Context, bool) {
 func (*fakeRequestContextMapper) Update(req *http.Request, context api.Context) error {
 	return nil
 }
+
+func TestAuditNoPanicOnNilUser(t *testing.T) {
+	var buf bytes.Buffer
+
+	handler := WithAudit(&fakeHTTPHandler{}, &fakeRequestContextMapper{}, &buf)
+
+	req, _ := http.NewRequest("GET", "/api/v1/namespaces/default/pods", nil)
+	req.RemoteAddr = "127.0.0.1"
+	handler.ServeHTTP(httptest.NewRecorder(), req)
+	line := strings.Split(strings.TrimSpace(buf.String()), "\n")
+	if len(line) != 2 {
+		t.Fatalf("Unexpected amount of lines in audit log: %d", len(line))
+	}
+	match, err := regexp.MatchString(`[\d\:\-\.\+TZ]+ AUDIT: id="[\w-]+" ip="127.0.0.1" method="GET" user="<none>" groups="<none>" as="<self>" asgroups="<lookup>" namespace="default" uri="/api/v1/namespaces/default/pods"`, line[0])
+	if err != nil {
+		t.Errorf("Unexpected error matching first line: %v", err)
+	}
+	if !match {
+		t.Errorf("Unexpected first line of audit: %s", line[0])
+	}
+	match, err = regexp.MatchString(`[\d\:\-\.\+TZ]+ AUDIT: id="[\w-]+" response="200"`, line[1])
+	if err != nil {
+		t.Errorf("Unexpected error matching second line: %v", err)
+	}
+	if !match {
+		t.Errorf("Unexpected second line of audit: %s", line[1])
+	}
+}