diff --git a/staging/src/k8s.io/apiserver/pkg/server/config.go b/staging/src/k8s.io/apiserver/pkg/server/config.go index 2ded9d9849f..78f8034f7f8 100644 --- a/staging/src/k8s.io/apiserver/pkg/server/config.go +++ b/staging/src/k8s.io/apiserver/pkg/server/config.go @@ -662,6 +662,7 @@ func AuthorizeClientBearerToken(loopback *restclient.Config, authn *Authenticati } if authn == nil || authz == nil { // prevent nil pointer panic + return } if authn.Authenticator == nil || authz.Authorizer == nil { // authenticator or authorizer might be nil if we want to bypass authz/authn diff --git a/staging/src/k8s.io/apiserver/pkg/server/config_test.go b/staging/src/k8s.io/apiserver/pkg/server/config_test.go index 8cef53abf71..f1ceb742c98 100644 --- a/staging/src/k8s.io/apiserver/pkg/server/config_test.go +++ b/staging/src/k8s.io/apiserver/pkg/server/config_test.go @@ -23,6 +23,7 @@ import ( "net/http" "net/http/httptest" "net/http/httputil" + "reflect" "testing" "k8s.io/apimachinery/pkg/util/sets" @@ -32,6 +33,39 @@ import ( "k8s.io/client-go/rest" ) +func TestAuthorizeClientBearerTokenNoops(t *testing.T) { + // All of these should do nothing (not panic, no side-effects) + cfgGens := []func() *rest.Config{ + func() *rest.Config { return nil }, + func() *rest.Config { return &rest.Config{} }, + func() *rest.Config { return &rest.Config{BearerToken: "mu"} }, + } + authcGens := []func() *AuthenticationInfo{ + func() *AuthenticationInfo { return nil }, + func() *AuthenticationInfo { return &AuthenticationInfo{} }, + } + authzGens := []func() *AuthorizationInfo{ + func() *AuthorizationInfo { return nil }, + func() *AuthorizationInfo { return &AuthorizationInfo{} }, + } + for _, cfgGen := range cfgGens { + for _, authcGen := range authcGens { + for _, authzGen := range authzGens { + pConfig := cfgGen() + pAuthc := authcGen() + pAuthz := authzGen() + AuthorizeClientBearerToken(pConfig, pAuthc, pAuthz) + if before, after := authcGen(), pAuthc; !reflect.DeepEqual(before, after) { + t.Errorf("AuthorizeClientBearerToken(%v, %#+v, %v) changed %#+v", pConfig, pAuthc, pAuthz, *before) + } + if before, after := authzGen(), pAuthz; !reflect.DeepEqual(before, after) { + t.Errorf("AuthorizeClientBearerToken(%v, %v, %#+v) changed %#+v", pConfig, pAuthc, pAuthz, *before) + } + } + } + } +} + func TestNewWithDelegate(t *testing.T) { delegateConfig := NewConfig(codecs) delegateConfig.ExternalAddress = "192.168.10.4:443"