Merge pull request #100963 from enj/enj/i/authz_func_ctx

authorizer func: pass through context
2025-07-23 11:50:44 +00:00 · 2021-04-16 12:56:22 -07:00 · 2021-04-16 12:56:22 -07:00 · f1c1379def
commit f1c1379def
parent 356a647172 8f00e918d8
5 changed files with 7 additions and 6 deletions
--- a/pkg/registry/rbac/clusterrole/policybased/storage_test.go
+++ b/pkg/registry/rbac/clusterrole/policybased/storage_test.go
@ -58,7 +58,7 @@ func TestEscalation(t *testing.T) {

 	authzCalled := 0
 	fakeStorage := &fakeStorage{}
-	fakeAuthorizer := authorizer.AuthorizerFunc(func(attr authorizer.Attributes) (authorizer.Decision, string, error) {
+	fakeAuthorizer := authorizer.AuthorizerFunc(func(ctx context.Context, attr authorizer.Attributes) (authorizer.Decision, string, error) {
 		authzCalled++
 		if attr.GetUser().GetName() == "steve" {
 			return authorizer.DecisionAllow, "", nil
--- a/pkg/registry/rbac/role/policybased/storage_test.go
+++ b/pkg/registry/rbac/role/policybased/storage_test.go
@ -60,7 +60,7 @@ func TestEscalation(t *testing.T) {

 	authzCalled := 0
 	fakeStorage := &fakeStorage{}
-	fakeAuthorizer := authorizer.AuthorizerFunc(func(attr authorizer.Attributes) (authorizer.Decision, string, error) {
+	fakeAuthorizer := authorizer.AuthorizerFunc(func(ctx context.Context, attr authorizer.Attributes) (authorizer.Decision, string, error) {
 		authzCalled++
 		if attr.GetUser().GetName() == "steve" {
 			return authorizer.DecisionAllow, "", nil
--- a/staging/src/k8s.io/apiserver/pkg/authorization/authorizer/interfaces.go
+++ b/staging/src/k8s.io/apiserver/pkg/authorization/authorizer/interfaces.go
@ -71,10 +71,10 @@ type Authorizer interface {
 	Authorize(ctx context.Context, a Attributes) (authorized Decision, reason string, err error)
 }

-type AuthorizerFunc func(a Attributes) (Decision, string, error)
+type AuthorizerFunc func(ctx context.Context, a Attributes) (Decision, string, error)

 func (f AuthorizerFunc) Authorize(ctx context.Context, a Attributes) (Decision, string, error) {
-	return f(a)
+	return f(ctx, a)
 }

 // RuleResolver provides a mechanism for resolving the list of rules that apply to a given user within a namespace.
--- a/staging/src/k8s.io/apiserver/pkg/authorization/path/path.go
+++ b/staging/src/k8s.io/apiserver/pkg/authorization/path/path.go
@ -17,6 +17,7 @@ limitations under the License.
 package path

 import (
+	"context"
 	"fmt"
 	"strings"

@ -46,7 +47,7 @@ func NewAuthorizer(alwaysAllowPaths []string) (authorizer.Authorizer, error) {
 		}
 	}

-	return authorizer.AuthorizerFunc(func(a authorizer.Attributes) (authorizer.Decision, string, error) {
+	return authorizer.AuthorizerFunc(func(ctx context.Context, a authorizer.Attributes) (authorizer.Decision, string, error) {
 		if a.IsResourceRequest() {
 			return authorizer.DecisionNoOpinion, "", nil
 		}
--- a/test/integration/serviceaccount/service_account_test.go
+++ b/test/integration/serviceaccount/service_account_test.go
@ -405,7 +405,7 @@ func startServiceAccountTestServer(t *testing.T) (*clientset.Clientset, restclie
 	// 1. The "root" user is allowed to do anything
 	// 2. ServiceAccounts named "ro" are allowed read-only operations in their namespace
 	// 3. ServiceAccounts named "rw" are allowed any operation in their namespace
-	authorizer := authorizer.AuthorizerFunc(func(attrs authorizer.Attributes) (authorizer.Decision, string, error) {
+	authorizer := authorizer.AuthorizerFunc(func(ctx context.Context, attrs authorizer.Attributes) (authorizer.Decision, string, error) {
 		username := ""
 		if user := attrs.GetUser(); user != nil {
 			username = user.GetName()