github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-25 12:43:23 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #38720 from deads2k/api-51-fix-impersonation

Browse Source 
Automatic merge from submit-queue

prevent audit filter from panic-ing on missing user info

master version of https://github.com/kubernetes/kubernetes/pull/38717
This commit is contained in:
Kubernetes Submit Queue 2016-12-14 05:36:27 -08:00 committed by GitHub
commit 11c1cd876b
2 changed files with 35 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
pkg/apiserver/filters/audit.go
View File

@ -104,9 +104,13 @@ func WithAudit(handler http.Handler, requestContextMapper api.RequestContextMapp
return return
} }
username := "<none>"
groups := "<none>" groups := "<none>"
if userGroups := attribs.GetUser().GetGroups(); len(userGroups) > 0 { if attribs.GetUser() != nil {
groups = auditStringSlice(userGroups) username = attribs.GetUser().GetName()
if userGroups := attribs.GetUser().GetGroups(); len(userGroups) > 0 {
groups = auditStringSlice(userGroups)
}
} }
asuser := req.Header.Get(authenticationapi.ImpersonateUserHeader) asuser := req.Header.Get(authenticationapi.ImpersonateUserHeader)
if len(asuser) == 0 { if len(asuser) == 0 {
@ -124,7 +128,7 @@ func WithAudit(handler http.Handler, requestContextMapper api.RequestContextMapp
id := uuid.NewRandom().String() id := uuid.NewRandom().String()
line := fmt.Sprintf("%s AUDIT: id=%q ip=%q method=%q user=%q groups=%q as=%q asgroups=%q namespace=%q uri=%q\n", line := fmt.Sprintf("%s AUDIT: id=%q ip=%q method=%q user=%q groups=%q as=%q asgroups=%q namespace=%q uri=%q\n",
time.Now().Format(time.RFC3339Nano), id, utilnet.GetClientIP(req), req.Method, attribs.GetUser().GetName(), groups, asuser, asgroups, namespace, req.URL) time.Now().Format(time.RFC3339Nano), id, utilnet.GetClientIP(req), req.Method, username, groups, asuser, asgroups, namespace, req.URL)
if _, err := fmt.Fprint(out, line); err != nil { if _, err := fmt.Fprint(out, line); err != nil {
glog.Errorf("Unable to write audit log: %s, the error is: %v", line, err) glog.Errorf("Unable to write audit log: %s, the error is: %v", line, err)
} }

28
pkg/apiserver/filters/audit_test.go
View File

@ -123,3 +123,31 @@ func (m *fakeRequestContextMapper) Get(req *http.Request) (api.Context, bool) {
func (*fakeRequestContextMapper) Update(req *http.Request, context api.Context) error { func (*fakeRequestContextMapper) Update(req *http.Request, context api.Context) error {
return nil return nil
} }
func TestAuditNoPanicOnNilUser(t *testing.T) {
var buf bytes.Buffer
handler := WithAudit(&fakeHTTPHandler{}, &fakeRequestContextMapper{}, &buf)
req, _ := http.NewRequest("GET", "/api/v1/namespaces/default/pods", nil)
req.RemoteAddr = "127.0.0.1"
handler.ServeHTTP(httptest.NewRecorder(), req)
line := strings.Split(strings.TrimSpace(buf.String()), "\n")
if len(line) != 2 {
t.Fatalf("Unexpected amount of lines in audit log: %d", len(line))
}
match, err := regexp.MatchString(`[\d\:\-\.\+TZ]+ AUDIT: id="[\w-]+" ip="127.0.0.1" method="GET" user="<none>" groups="<none>" as="<self>" asgroups="<lookup>" namespace="default" uri="/api/v1/namespaces/default/pods"`, line[0])
if err != nil {
t.Errorf("Unexpected error matching first line: %v", err)
}
if !match {
t.Errorf("Unexpected first line of audit: %s", line[0])
}
match, err = regexp.MatchString(`[\d\:\-\.\+TZ]+ AUDIT: id="[\w-]+" response="200"`, line[1])
if err != nil {
t.Errorf("Unexpected error matching second line: %v", err)
}
if !match {
t.Errorf("Unexpected second line of audit: %s", line[1])
}
}