p/a/path: fail on broken pattern early, add tests #250
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ibihim
force-pushed
the
path-authorizer-fix-test
branch
5 times, most recently
from
b3ed530
to
aaf2a62
Compare
s-urbaniak
approved these changes
Jul 12, 2023
stlaz
requested changes
Jul 18, 2023
stlaz
requested changes
Aug 17, 2023
ibihim
force-pushed
the
path-authorizer-fix-test
branch
from
e035a1d
to
39e0223
Compare
stlaz
reviewed
Nov 3, 2023
docs/path.md
Outdated
| Paths that are provided by `--ignore-path` won't be rejected. | ||
| It is only possible to define one of both. | ||
|
|
||
| ## Change |
There was a problem hiding this comment.
Should we have a separate section for changes to previous kube-rbac-versions?
There was a problem hiding this comment.
Do you mean in addition to the CHANGELOG.md?
docs/path.md
Outdated
| E.g. `--allow-path="/api/v1/*/values"` will cause kube-rbac-proxy fail to start. | ||
| E.g. `--ignore-path="/api/v1/*/values"` will cause kube-rbac-proxy fail to start. | ||
|
|
||
| Previously `*` would count as a wildcard in between `/`. |
There was a problem hiding this comment.
Wasn't it a single-path-segment wildcard?
pkg/authorization/path/path.go
Outdated
Comment on lines
27
to
40
| type pathAuthorizer struct { | ||
| matchDecision, noMatchDecision authorizer.Decision | ||
|
|
||
| paths sets.String | ||
| pathPatterns []string | ||
| } | ||
|
|
||
| func newPathAuthorizer(onMatch, onNoMatch authorizer.Decision, inputPaths []string) *pathAuthorizer { | ||
| var patterns []string | ||
| paths := sets.NewString() // faster than trying to match every pattern every time | ||
| for _, p := range inputPaths { | ||
| p = strings.TrimPrefix(p, "/") | ||
| if len(p) == 0 { | ||
| // matches "/" | ||
| paths.Insert(p) | ||
| continue | ||
| } | ||
| if strings.ContainsRune(p, '*') { | ||
| patterns = append(patterns, p) | ||
| } else { | ||
| paths.Insert(p) | ||
| } | ||
| } | ||
|
|
||
| return &pathAuthorizer{ | ||
| matchDecision: onMatch, | ||
| noMatchDecision: onNoMatch, | ||
| paths: paths, | ||
| pathPatterns: patterns, | ||
| } | ||
| delegatedPathAuthorizer authorizer.Authorizer | ||
| } | ||
|
|
||
| func (a *pathAuthorizer) Authorize(ctx context.Context, attr authorizer.Attributes) (authorizer.Decision, string, error) { | ||
| pth := strings.TrimPrefix(attr.GetPath(), "/") | ||
| if a.paths.Has(pth) { | ||
| return a.matchDecision, "", nil | ||
| } | ||
| decision, reason, err := a.delegatedPathAuthorizer.Authorize(ctx, attr) | ||
|
|
||
| for _, pattern := range a.pathPatterns { | ||
| if found, err := path.Match(pattern, pth); err != nil { | ||
| return authorizer.DecisionNoOpinion, "Error", err | ||
| } else if found { | ||
| return a.matchDecision, "", nil | ||
| } | ||
| // There is a match on the path, so we have no opinion and let subsequent | ||
| // authorizers in a union decide. | ||
| if err == nil && decision == authorizer.DecisionAllow { | ||
| return authorizer.DecisionNoOpinion, reason, nil | ||
| } | ||
|
|
||
| return a.noMatchDecision, "", nil | ||
| return authorizer.DecisionDeny, fmt.Sprintf("NOT(%s)", reason), err |
There was a problem hiding this comment.
We don't need a new type for the allowedPathsAuthorizer - inline as
// pseudocode
func NewAllowedPathsAuthorizer(allowPaths []string) (authorizer.Authorizer, error) {
pathAuthorizer = NewAuthorizer()
return authorizer.AuthorizerFunc(func() {
// Authorize() logic here
})
}
ibihim
force-pushed
the
path-authorizer-fix-test
branch
from
873b303
to
86110c5
Compare
stlaz
reviewed
Nov 6, 2023
docs/path.md
Outdated
|
|
||
| Previously `*` would count as a single-path-segment wildcard ([path.Match](https://pkg.go.dev/path#Match)). | ||
| Now the wildcard is matching any string, even if it contains `/`. | ||
| E.g. `--allow-path="/api/v1/*"` would have rejected `/api/v1/label/values`, not it evaluated. |
There was a problem hiding this comment.
not it evaluated <- that sentence appears to be missing something
docs/path.md
Outdated
| Previously `*` would count as a single-path-segment wildcard ([path.Match](https://pkg.go.dev/path#Match)). | ||
| Now the wildcard is matching any string, even if it contains `/`. | ||
| E.g. `--allow-path="/api/v1/*"` would have rejected `/api/v1/label/values`, not it evaluated. | ||
| E.g. `--ignore-path="/api/v1/*"` would have evaluated `/api/v1/label/values`, now it is passed through. |
There was a problem hiding this comment.
Suggested change
| E.g. `--ignore-path="/api/v1/*"` would have evaluated `/api/v1/label/values`, now it is passed through. | |
| E.g. `--ignore-path="/api/v1/*"` would have matched `/api/v1/label/values`, now it is passed through. |
docs/path.md
Outdated
| @@ -0,0 +1,44 @@ | |||
| # Allow Path and Ignore Path | |||
There was a problem hiding this comment.
you may want to create a separate docs/migration folder for these files
ibihim
force-pushed
the
path-authorizer-fix-test
branch
2 times, most recently
from
fd06738
to
b42539e
Compare
stlaz
approved these changes
Nov 6, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What
Why