From 782b943987774f25349b47fe4865d820dd67c00b Mon Sep 17 00:00:00 2001
From: Troy Connor
Date: Sat, 10 Oct 2020 11:25:59 -0400
Subject: [PATCH] [auth]Check verbs for nonresourceurls and resources
---
 pkg/kubectl/cmd/auth/BUILD | 1 +
 pkg/kubectl/cmd/auth/cani.go | 20 +++++++++++++++++++-
 2 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/pkg/kubectl/cmd/auth/BUILD b/pkg/kubectl/cmd/auth/BUILD
index d92dcd07b40..97bac484632 100644
--- a/pkg/kubectl/cmd/auth/BUILD
+++ b/pkg/kubectl/cmd/auth/BUILD
@@ -26,6 +26,7 @@ go_library(
 "//staging/src/k8s.io/apimachinery/pkg/runtime:go_default_library",
 "//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
 "//staging/src/k8s.io/apimachinery/pkg/util/errors:go_default_library",
+ "//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library",
 "//staging/src/k8s.io/cli-runtime/pkg/genericclioptions:go_default_library",
 "//staging/src/k8s.io/cli-runtime/pkg/printers:go_default_library",
 "//staging/src/k8s.io/cli-runtime/pkg/resource:go_default_library",
diff --git a/pkg/kubectl/cmd/auth/cani.go b/pkg/kubectl/cmd/auth/cani.go
index 0fd4c1e9552..ca7899cfb44 100644
--- a/pkg/kubectl/cmd/auth/cani.go
+++ b/pkg/kubectl/cmd/auth/cani.go
@@ -34,6 +34,7 @@ import (
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/runtime/schema"
 utilerrors "k8s.io/apimachinery/pkg/util/errors"
+ "k8s.io/apimachinery/pkg/util/sets"
 "k8s.io/cli-runtime/pkg/genericclioptions"
 "k8s.io/cli-runtime/pkg/printers"
 discovery "k8s.io/client-go/discovery"
@@ -94,6 +95,9 @@ var (
 
 # List all allowed actions in namespace "foo"
 kubectl auth can-i --list --namespace=foo`)
+
+ resourceVerbs = sets.NewString("get", "list", "watch", "create", "update", "patch", "delete", "deletecollection", "use", "bind", "impersonate", "*")
+ nonResourceURLVerbs = sets.NewString("get", "put", "post", "head", "options", "delete", "patch", "*")
 )
 
 // NewCmdCanI returns an initialized Command for 'auth can-i' sub command
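Review bot: `resourceVerbs` in the new `var` block leaves out verbs that Kubernetes RBAC documents for particular resources — `escalate` on roles/clusterroles, and, if I recall the docs correctly, `approve`/`sign` on certificatesigningrequests and `proxy` on nodes/pods/services — so a legitimate `kubectl auth can-i escalate clusterroles` would print the new "not a known verb" warning. Because the sets are only consulted to print a warning in Validate and never cause a refusal, this is a usability gap rather than an authorization one, but the sets are package-level and undocumented, and the next maintainer should not be tempted to turn them into a gate. I would add above them `// Client-side hints only: an unknown verb produces a stderr warning, never a rejection; the API server's access review remains the authority.` and either extend `resourceVerbs` with the missing documented verbs or say in that comment that it is deliberately incomplete. Both lookups are also case-sensitive, which is probably intended (`GET` for a non-resource URL should warn), but is worth stating in the same comment.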
@@ -201,6 +205,9 @@ func (o *CanIOptions) Validate() error {
 if o.Resource != (schema.GroupVersionResource{}) || o.ResourceName != "" {
 return fmt.Errorf("NonResourceURL and ResourceName can not specified together")
 }
+ if !isKnownNonResourceVerb(o.Verb) {
+ fmt.Fprintf(o.ErrOut, "Warning: verb '%s' is not a known verb\n", o.Verb)
+ }
 } else if !o.Resource.Empty() && !o.AllNamespaces && o.DiscoveryClient != nil {
 if namespaced, err := isNamespaced(o.Resource, o.DiscoveryClient); err == nil && !namespaced {
 if len(o.Resource.Group) == 0 {
@@ -209,6 +216,10 @@ func (o *CanIOptions) Validate() error {
 fmt.Fprintf(o.ErrOut, "Warning: resource '%s' is not namespace scoped in group '%s'\n", o.Resource.Resource, o.Resource.Group)
 }
 }
+ if !isKnownResourceVerb(o.Verb) {
+ fmt.Fprintf(o.ErrOut, "Warning: verb '%s' is not a known verb\n", o.Verb)
+ }
+
 }
 
 if o.NoHeaders {
@@ -263,7 +274,6 @@ func (o *CanIOptions) RunAccessCheck() (bool, error) {
 if err != nil {
 return false, err
 }
-
 if response.Status.Allowed {
 fmt.Fprintln(o.Out, "yes")
 } else {
@@ -393,3 +403,11 @@ func isNamespaced(gvr schema.GroupVersionResource, discoveryClient discovery.Dis
 
 return false, fmt.Errorf("the server doesn't have a resource type '%s' in group '%s'", gvr.Resource, gvr.Group)
 }
+
+func isKnownResourceVerb(s string) bool {
+ return resourceVerbs.Has(s)
+}
+
+func isKnownNonResourceVerb(s string) bool {
+ return nonResourceURLVerbs.Has(s)
+}
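Review bot: The warning added in the NonResourceURL branch uses the same text as the one in the resource branch, so `kubectl auth can-i create /healthz` reports that `create` "is not a known verb" even though `create` is a perfectly good resource verb — the user cannot tell which list was consulted. I would make the message say which set it checked, e.g. `fmt.Fprintf(o.ErrOut, "Warning: verb '%s' is not a known non-resource URL verb (expected an HTTP method such as get, post, ...)\n", o.Verb)`, and do the same with "resource verb" in the other branch. The `if o.NonResourceURL != ""` that opens this branch starts above the hunk; I am reading the branch from the `NonResourceURL and ResourceName` error on its context line.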
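Review bot: The resource-verb warning is placed inside the `else if !o.Resource.Empty() && !o.AllNamespaces && o.DiscoveryClient != nil` branch, whose conditions exist for the namespace-scope warning and have nothing to do with verbs, so `kubectl auth can-i frobnicate pods --all-namespaces` (or any run without a discovery client) prints no verb warning while the same query without `-A` does. The verb check should run for every resource query, independent of namespacing and discovery; the restructuring below keeps the namespace warning exactly as it is and lifts the verb warning into a plain `else`. The stray blank `+` line before the closing `}` of the branch should go as well. If the `--list` path can reach this point with an empty `o.Verb` (Validate continues outside the hunk and I cannot see how `--list` is handled), guard the new check with `o.Verb != ""` so that path does not start warning about an empty verb.
```go
	} else {
		if !o.Resource.Empty() && !o.AllNamespaces && o.DiscoveryClient != nil {
			// … unchanged: isNamespaced lookup and the "not namespace scoped" warnings …
		}
		// Verb validity does not depend on namespace scope or on having a discovery client.
		if !isKnownResourceVerb(o.Verb) {
			fmt.Fprintf(o.ErrOut, "Warning: verb '%s' is not a known verb\n", o.Verb)
		}
	}
```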
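Review bot: The two new helpers at the end of the file have no doc comment, and nothing tells a reader that a false result is advisory rather than a denial — which matters in an authorization command, where a later change could easily turn the warning into an early return. I would document them as `// isKnownResourceVerb reports whether verb is in the client-side list of RBAC resource verbs; Validate uses a false result only to warn, never to refuse the request.` and `// isKnownNonResourceVerb reports whether verb is in the client-side list of lowercase HTTP methods accepted for non-resource URLs; the match is case-sensitive.` Renaming the parameter from `s` to `verb` in both signatures would make the doc comments read naturally.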