From 8f00e918d84a76ea43d76a8d5b96c3f2535afa99 Mon Sep 17 00:00:00 2001
From: Monis Khan
Date: Fri, 9 Apr 2021 09:33:46 -0400
Subject: [PATCH] authorizer func: pass through context
Signed-off-by: Monis Khan
---
 pkg/registry/rbac/clusterrole/policybased/storage_test.go | 2 +-
 pkg/registry/rbac/role/policybased/storage_test.go | 2 +-
 .../apiserver/pkg/authorization/authorizer/interfaces.go | 4 ++--
 staging/src/k8s.io/apiserver/pkg/authorization/path/path.go | 3 ++-
 test/integration/serviceaccount/service_account_test.go | 2 +-
 5 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/pkg/registry/rbac/clusterrole/policybased/storage_test.go b/pkg/registry/rbac/clusterrole/policybased/storage_test.go
index a7f80a71091..036d15ef8aa 100644
--- a/pkg/registry/rbac/clusterrole/policybased/storage_test.go
+++ b/pkg/registry/rbac/clusterrole/policybased/storage_test.go
@@ -58,7 +58,7 @@ func TestEscalation(t *testing.T) {
 authzCalled := 0
 fakeStorage := &fakeStorage{}
- fakeAuthorizer := authorizer.AuthorizerFunc(func(attr authorizer.Attributes) (authorizer.Decision, string, error) {
+ fakeAuthorizer := authorizer.AuthorizerFunc(func(ctx context.Context, attr authorizer.Attributes) (authorizer.Decision, string, error) {
 authzCalled++
 if attr.GetUser().GetName() == "steve" {
 return authorizer.DecisionAllow, "", nil
diff --git a/pkg/registry/rbac/role/policybased/storage_test.go b/pkg/registry/rbac/role/policybased/storage_test.go
index 33959f27052..498fa7c64a6 100644
--- a/pkg/registry/rbac/role/policybased/storage_test.go
+++ b/pkg/registry/rbac/role/policybased/storage_test.go
@@ -60,7 +60,7 @@ func TestEscalation(t *testing.T) {
 authzCalled := 0
 fakeStorage := &fakeStorage{}
- fakeAuthorizer := authorizer.AuthorizerFunc(func(attr authorizer.Attributes) (authorizer.Decision, string, error) {
+ fakeAuthorizer := authorizer.AuthorizerFunc(func(ctx context.Context, attr authorizer.Attributes) (authorizer.Decision, string, error) {
 authzCalled++
 if attr.GetUser().GetName() == "steve" {
 return authorizer.DecisionAllow, "", nil
diff --git a/staging/src/k8s.io/apiserver/pkg/authorization/authorizer/interfaces.go b/staging/src/k8s.io/apiserver/pkg/authorization/authorizer/interfaces.go
index ce70710fa3b..2a826981cfd 100644
--- a/staging/src/k8s.io/apiserver/pkg/authorization/authorizer/interfaces.go
+++ b/staging/src/k8s.io/apiserver/pkg/authorization/authorizer/interfaces.go
@@ -71,10 +71,10 @@ type Authorizer interface {
 Authorize(ctx context.Context, a Attributes) (authorized Decision, reason string, err error)
 }
-type AuthorizerFunc func(a Attributes) (Decision, string, error)
+type AuthorizerFunc func(ctx context.Context, a Attributes) (Decision, string, error)
 func (f AuthorizerFunc) Authorize(ctx context.Context, a Attributes) (Decision, string, error) {
- return f(a)
+ return f(ctx, a)
 }
 // RuleResolver provides a mechanism for resolving the list of rules that apply to a given user within a namespace.
diff --git a/staging/src/k8s.io/apiserver/pkg/authorization/path/path.go b/staging/src/k8s.io/apiserver/pkg/authorization/path/path.go
index 03f524b38cf..0e1ec233873 100644
--- a/staging/src/k8s.io/apiserver/pkg/authorization/path/path.go
+++ b/staging/src/k8s.io/apiserver/pkg/authorization/path/path.go
@@ -17,6 +17,7 @@ limitations under the License.
 package path
 import (
+ "context"
 "fmt"
 "strings"
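Review bot: `AuthorizerFunc` in `interfaces.go` is an exported type whose signature changes here, yet it still has no doc comment saying what the new `ctx` argument is. I would add `// AuthorizerFunc adapts a plain function to the Authorizer interface. ctx is the context passed to Authorize.` above the type. The package lives under `staging/src/k8s.io/apiserver`, so it is presumably consumed outside this tree, and any authorizer built from the old one-argument function will stop compiling; that break deserves a line in the commit message or release notes. Nothing in this patch asserts the forwarding itself: the fakes in both `storage_test.go` files and in `service_account_test.go` accept `ctx` without using it in the visible lines. A small test that stores a value in the context and checks that the wrapped function sees it through `Authorize` would pin the behaviour the subject line promises.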
@@ -46,7 +47,7 @@ func NewAuthorizer(alwaysAllowPaths []string) (authorizer.Authorizer, error) {
 }
 }
- return authorizer.AuthorizerFunc(func(a authorizer.Attributes) (authorizer.Decision, string, error) {
+ return authorizer.AuthorizerFunc(func(ctx context.Context, a authorizer.Attributes) (authorizer.Decision, string, error) {
 if a.IsResourceRequest() {
 return authorizer.DecisionNoOpinion, "", nil
 }
diff --git a/test/integration/serviceaccount/service_account_test.go b/test/integration/serviceaccount/service_account_test.go
index 30a6fc14a4f..4167dc8e235 100644
--- a/test/integration/serviceaccount/service_account_test.go
+++ b/test/integration/serviceaccount/service_account_test.go
@@ -405,7 +405,7 @@ func startServiceAccountTestServer(t *testing.T) (*clientset.Clientset, restclie
 // 1. The "root" user is allowed to do anything
 // 2. ServiceAccounts named "ro" are allowed read-only operations in their namespace
 // 3. ServiceAccounts named "rw" are allowed any operation in their namespace
- authorizer := authorizer.AuthorizerFunc(func(attrs authorizer.Attributes) (authorizer.Decision, string, error) {
+ authorizer := authorizer.AuthorizerFunc(func(ctx context.Context, attrs authorizer.Attributes) (authorizer.Decision, string, error) {
 username := ""
 if user := attrs.GetUser(); user != nil {
 username = user.GetName()
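Review bot: The `ctx` parameter added to the closure returned by `NewAuthorizer` is not referenced in the lines visible here, so the new `"context"` import appears to exist only to satisfy the changed `AuthorizerFunc` signature. The closure continues outside the hunk; if the rest of it does not use the context either, writing `func(_ context.Context, a authorizer.Attributes)` would tell readers that the path authorizer deliberately ignores the request context. The same style point applies to the fake authorizer in `service_account_test.go` in the next hunk.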