Merge pull request #95473 from troy0820/fix/validate-verb

Validate verb in auth can-i command
Kubernetes Prow Robot 2020-10-26 16:23:59 -07:00 committed by GitHub
commit 6c5cda5a40
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 20 additions and 1 deletions


@ -26,6 +26,7 @@ go_library(
"//staging/src/k8s.io/apimachinery/pkg/runtime:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/errors:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library",
"//staging/src/k8s.io/cli-runtime/pkg/genericclioptions:go_default_library",
"//staging/src/k8s.io/cli-runtime/pkg/printers:go_default_library",
"//staging/src/k8s.io/cli-runtime/pkg/resource:go_default_library",


@ -34,6 +34,7 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime/schema"
utilerrors "k8s.io/apimachinery/pkg/util/errors"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/cli-runtime/pkg/genericclioptions"
"k8s.io/cli-runtime/pkg/printers"
discovery "k8s.io/client-go/discovery"
@ -94,6 +95,9 @@ var (
# List all allowed actions in namespace "foo"
kubectl auth can-i --list --namespace=foo`)
resourceVerbs = sets.NewString("get", "list", "watch", "create", "update", "patch", "delete", "deletecollection", "use", "bind", "impersonate", "*")
nonResourceURLVerbs = sets.NewString("get", "put", "post", "head", "options", "delete", "patch", "*")
)
// NewCmdCanI returns an initialized Command for 'auth can-i' sub command
@ -201,6 +205,9 @@ func (o *CanIOptions) Validate() error {
if o.Resource != (schema.GroupVersionResource{}) || o.ResourceName != "" {
return fmt.Errorf("NonResourceURL and ResourceName can not specified together")
}
if !isKnownNonResourceVerb(o.Verb) {
fmt.Fprintf(o.ErrOut, "Warning: verb '%s' is not a known verb\n", o.Verb)
}
} else if !o.Resource.Empty() && !o.AllNamespaces && o.DiscoveryClient != nil {
if namespaced, err := isNamespaced(o.Resource, o.DiscoveryClient); err == nil && !namespaced {
if len(o.Resource.Group) == 0 {
@ -209,6 +216,10 @@ func (o *CanIOptions) Validate() error {
fmt.Fprintf(o.ErrOut, "Warning: resource '%s' is not namespace scoped in group '%s'\n", o.Resource.Resource, o.Resource.Group)
}
}
if !isKnownResourceVerb(o.Verb) {
fmt.Fprintf(o.ErrOut, "Warning: verb '%s' is not a known verb\n", o.Verb)
}
}
if o.NoHeaders {
@ -263,7 +274,6 @@ func (o *CanIOptions) RunAccessCheck() (bool, error) {
if err != nil {
return false, err
}
if response.Status.Allowed {
fmt.Fprintln(o.Out, "yes")
} else {
@ -393,3 +403,11 @@ func isNamespaced(gvr schema.GroupVersionResource, discoveryClient discovery.Dis
return false, fmt.Errorf("the server doesn't have a resource type '%s' in group '%s'", gvr.Resource, gvr.Group)
}
func isKnownResourceVerb(s string) bool {
return resourceVerbs.Has(s)
}
func isKnownNonResourceVerb(s string) bool {
return nonResourceURLVerbs.Has(s)
}
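Review bot: The new verb sets are a fixed allow-list, so any verb outside them triggers the "is not a known verb" warning even when the server accepts it — `resourceVerbs` omits the special RBAC verbs `escalate`, `approve` and `sign` (to the best of my knowledge these are valid in core Kubernetes), and verbs served by aggregated or custom API servers are unknowable here. Since `Validate()` only warns and the SubjectAccessReview still runs, the warning text should say what it actually checks, e.g. `fmt.Fprintf(o.ErrOut, "Warning: verb %q is not a verb kubectl recognizes; the server's answer is still authoritative\n", o.Verb)` at both call sites (the NonResourceURL branch and the Resource branch of `Validate()`, whose body starts and ends outside these hunks), and `%q` rather than `'%s'` makes an empty or whitespace-padded verb visible. `isKnownResourceVerb` and `isKnownNonResourceVerb` also lack doc comments; I would add `// isKnownResourceVerb reports whether s is one of the verbs kubectl recognizes for resource requests; the list is advisory and used only for warnings.` and the matching sentence on the non-resource variant, noting that non-resource verbs are the lowercased HTTP methods.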