Merge pull request #33946 from deads2k/auth-01-fix-loopback

Automatic merge from submit-queue fix loopback authorizer Fixes the loopback authorizer to properly inspect groups. P0 for security problem. @liggitt @dims let's get this fixed.
2025-07-30 06:54:01 +00:00 · 2016-10-03 14:08:01 -07:00 · 2016-10-03 14:08:01 -07:00 · a5bf0a21b2
commit a5bf0a21b2
parent 81f5c3ca0a 8c20af79a4
3 changed files with 26 additions and 6 deletions
--- a/pkg/auth/authorizer/union/union.go
+++ b/pkg/auth/authorizer/union/union.go
@ -37,17 +37,17 @@ func (authzHandler unionAuthzHandler) Authorize(a authorizer.Attributes) (bool,
 		errlist    []error
 		reasonlist []string
 	)
+
 	for _, currAuthzHandler := range authzHandler {
 		authorized, reason, err := currAuthzHandler.Authorize(a)

 		if err != nil {
 			errlist = append(errlist, err)
-			continue
+		}
+		if len(reason) != 0 {
+			reasonlist = append(reasonlist, reason)
 		}
 		if !authorized {
-			if reason != "" {
-				reasonlist = append(reasonlist, reason)
-			}
 			continue
 		}
 		return true, reason, nil
--- a/pkg/genericapiserver/authorizer/authz.go
+++ b/pkg/genericapiserver/authorizer/authz.go
@ -77,8 +77,11 @@ type privilegedGroupAuthorizer struct {
 }

 func (r *privilegedGroupAuthorizer) Authorize(attr authorizer.Attributes) (bool, string, error) {
-	for attr_group := range attr.GetUser().GetGroups() {
-		for priv_group := range r.groups {
+	if attr.GetUser() == nil {
+		return false, "Error", errors.New("no user on request.")
+	}
+	for _, attr_group := range attr.GetUser().GetGroups() {
+		for _, priv_group := range r.groups {
 			if priv_group == attr_group {
 				return true, "", nil
 			}
--- a/pkg/genericapiserver/authorizer/authz_test.go
+++ b/pkg/genericapiserver/authorizer/authz_test.go
@ -20,6 +20,9 @@ import (
 	"testing"

 	"k8s.io/kubernetes/pkg/genericapiserver/options"
+
+	"k8s.io/kubernetes/pkg/auth/authorizer"
+	"k8s.io/kubernetes/pkg/auth/user"
 )

 // NewAlwaysAllowAuthorizer must return a struct which implements authorizer.Authorizer
@ -115,3 +118,17 @@ func TestNewAuthorizerFromAuthorizationConfig(t *testing.T) {
 		}
 	}
 }
+
+func TestPrivilegedGroupAuthorizer(t *testing.T) {
+	auth := NewPrivilegedGroups("allow-01", "allow-01")
+
+	yes := authorizer.AttributesRecord{User: &user.DefaultInfo{Groups: []string{"no", "allow-01"}}}
+	no := authorizer.AttributesRecord{User: &user.DefaultInfo{Groups: []string{"no", "deny-01"}}}
+
+	if authorized, _, _ := auth.Authorize(yes); !authorized {
+		t.Errorf("failed")
+	}
+	if authorized, _, _ := auth.Authorize(no); authorized {
+		t.Errorf("failed")
+	}
+}