From 86623ed2414d98d6ddc7f28028b88d17d8d8f6ec Mon Sep 17 00:00:00 2001
From: Jordan Liggitt
Date: Wed, 5 Apr 2017 00:35:09 -0400
Subject: [PATCH] Include system:authenticated group when impersonating

---
 .../pkg/endpoints/filters/impersonation.go | 18 ++++++-
 .../endpoints/filters/impersonation_test.go | 47 +++++++++++++++++--
 2 files changed, 61 insertions(+), 4 deletions(-)

diff --git a/staging/src/k8s.io/apiserver/pkg/endpoints/filters/impersonation.go b/staging/src/k8s.io/apiserver/pkg/endpoints/filters/impersonation.go
index b1ffca9045e..befda96eeef 100644
--- a/staging/src/k8s.io/apiserver/pkg/endpoints/filters/impersonation.go
+++ b/staging/src/k8s.io/apiserver/pkg/endpoints/filters/impersonation.go
@@ -60,7 +60,7 @@ func WithImpersonation(handler http.Handler, requestContextMapper request.Reques
 }

 // if groups are not specified, then we need to look them up differently depending on the type of user
- // if they are specified, then they are the authority
+ // if they are specified, then they are the authority (including the inclusion of system:authenticated/system:unauthenticated groups)
 groupsSpecified := len(req.Header[authenticationapi.ImpersonateGroupHeader]) > 0

 // make sure we're allowed to impersonate each thing we're requesting. While we're iterating through, start building username
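Review bot: The reworded comment on the `+` line, "including the inclusion of system:authenticated/system:unauthenticated groups", reads as a tautology and does not say what it means for the caller; judging by the later hunk, the consequence is that an explicit Impersonate-Group header that omits system:authenticated produces an impersonated user without that group. Suggest `// if they are specified, then they are the authority: the caller must list system:authenticated or system:unauthenticated explicitly if the impersonated user should carry either`. WithImpersonation's body continues outside the hunk.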
@@ -116,6 +116,22 @@ func WithImpersonation(handler http.Handler, requestContextMapper request.Reques
 }
 }

+ if !groupsSpecified && username != user.Anonymous {
+ // When impersonating a non-anonymous user, if no groups were specified
+ // if neither the system:authenticated nor system:unauthenticated groups are explicitly included,
+ // include the system:authenticated group in the impersonated user info
+ found := false
+ for _, group := range groups {
+ if group == user.AllAuthenticated || group == user.AllUnauthenticated {
+ found = true
+ break
+ }
+ }
+ if !found {
+ groups = append(groups, user.AllAuthenticated)
+ }
+ }
+
 newUser := &user.DefaultInfo{
 Name: username,
 Groups: groups,
diff --git a/staging/src/k8s.io/apiserver/pkg/endpoints/filters/impersonation_test.go b/staging/src/k8s.io/apiserver/pkg/endpoints/filters/impersonation_test.go
index 29d1249d981..d41c7a04027 100644
--- a/staging/src/k8s.io/apiserver/pkg/endpoints/filters/impersonation_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/endpoints/filters/impersonation_test.go
@@ -215,7 +215,7 @@ func TestImpersonationFilter(t *testing.T) {
 impersonationUserExtras: map[string][]string{"scopes": {"scope-a", "scope-b"}},
 expectedUser: &user.DefaultInfo{
 Name: "system:admin",
- Groups: []string{},
+ Groups: []string{"system:authenticated"},
 Extra: map[string][]string{"scopes": {"scope-a", "scope-b"}},
 },
 expectedCode: http.StatusOK,
@@ -229,7 +229,7 @@ func TestImpersonationFilter(t *testing.T) {
 impersonationUser: "tester",
 expectedUser: &user.DefaultInfo{
 Name: "tester",
- Groups: []string{},
+ Groups: []string{"system:authenticated"},
 Extra: map[string][]string{},
 },
 expectedCode: http.StatusOK,
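Review bot: The `groups = append(groups, user.AllAuthenticated)` line adds a group that, as far as this hunk shows, never goes through the per-group impersonation authorization that explicitly requested groups pass through (the "make sure we're allowed to impersonate each thing we're requesting" loop referenced in the earlier hunk), so the impersonated identity appears to be widened beyond what was authorized; if that is deliberate because impersonating any non-anonymous user implies system:authenticated membership, the code should say so rather than leave it implicit. The three comment lines inside the new `if` are also a sentence fragment ("When impersonating a non-anonymous user, if no groups were specified / if neither ..."). Suggest replacing them with one comment stating that impersonating a non-anonymous user implies system:authenticated membership, that the group is added only when the caller specified no groups and neither system:authenticated nor system:unauthenticated was looked up, and that this implicit addition is intentionally exempt from the per-group authorization check. WithImpersonation starts and ends outside the hunk.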
@@ -257,7 +257,48 @@ func TestImpersonationFilter(t *testing.T) {
 impersonationUser: "system:serviceaccount:foo:default",
 expectedUser: &user.DefaultInfo{
 Name: "system:serviceaccount:foo:default",
- Groups: []string{"system:serviceaccounts", "system:serviceaccounts:foo"},
+ Groups: []string{"system:serviceaccounts", "system:serviceaccounts:foo", "system:authenticated"},
+ Extra: map[string][]string{},
+ },
+ expectedCode: http.StatusOK,
+ },
+ {
+ name: "anonymous-username-prevents-adding-authenticated-group",
+ user: &user.DefaultInfo{
+ Name: "system:admin",
+ },
+ impersonationUser: "system:anonymous",
+ expectedUser: &user.DefaultInfo{
+ Name: "system:anonymous",
+ Groups: []string{},
+ Extra: map[string][]string{},
+ },
+ expectedCode: http.StatusOK,
+ },
+ {
+ name: "unauthenticated-group-prevents-adding-authenticated-group",
+ user: &user.DefaultInfo{
+ Name: "system:admin",
+ },
+ impersonationUser: "unknown",
+ impersonationGroups: []string{"system:unauthenticated"},
+ expectedUser: &user.DefaultInfo{
+ Name: "unknown",
+ Groups: []string{"system:unauthenticated"},
+ Extra: map[string][]string{},
+ },
+ expectedCode: http.StatusOK,
+ },
+ {
+ name: "unauthenticated-group-prevents-double-adding-authenticated-group",
+ user: &user.DefaultInfo{
+ Name: "system:admin",
+ },
+ impersonationUser: "unknown",
+ impersonationGroups: []string{"system:authenticated"},
+ expectedUser: &user.DefaultInfo{
+ Name: "unknown",
+ Groups: []string{"system:authenticated"},
 Extra: map[string][]string{},
 },
 expectedCode: http.StatusOK,
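Review bot: The third new case is named `unauthenticated-group-prevents-double-adding-authenticated-group` but its `impersonationGroups` is `[]string{"system:authenticated"}`, so the name misdescribes what it exercises; rename it to `authenticated-group-prevents-double-adding-authenticated-group`. None of the new cases covers a caller that specifies groups containing neither system:authenticated nor system:unauthenticated, which is the branch where `groupsSpecified` suppresses the implicit add; unless an existing case outside this hunk already does, add one with `impersonationGroups: []string{"some-group"}` (constructed example) expecting `Groups: []string{"some-group"}` so a regression that appends system:authenticated regardless of the header is caught. The TestImpersonationFilter table continues outside the hunk.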