prevent illegal verb/name combinations in default policy rules

pull/6/head
deads2k 2017-05-24 14:59:01 -04:00
parent 6f7eac63c2
commit 5539a6721d
3 changed files with 33 additions and 1 deletions


@ -190,6 +190,22 @@ func (r *PolicyRuleBuilder) Rule() (PolicyRule, error) {
// this a common bug
return PolicyRule{}, fmt.Errorf("resource rule must have apiGroups: %#v", r.PolicyRule)
}
// if resource names are set, then the verb must not be list, watch, create, or deletecollection
// since verbs are largely opaque, we don't want to accidentally prevent things like "impersonate", so
// we will backlist common mistakes, not whitelist acceptable options.
if len(r.PolicyRule.ResourceNames) != 0 {
illegalVerbs := []string{}
for _, verb := range r.PolicyRule.Verbs {
switch verb {
case "list", "watch", "create", "deletecollection":
illegalVerbs = append(illegalVerbs, verb)
}
}
if len(illegalVerbs) > 0 {
return PolicyRule{}, fmt.Errorf("verbs %v do not have names available: %#v", illegalVerbs, r.PolicyRule)
}
}
default:
return PolicyRule{}, fmt.Errorf("a rule must have either nonResourceURLs or resources: %#v", r.PolicyRule)
}
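Review bot: The new ResourceNames check matches only the four literal verbs, so a rule with `Verbs: []string{"*"}` and ResourceNames set passes the switch although the wildcard covers list, watch, create and deletecollection; if that is deliberate (the comment explains that common mistakes are blacklisted rather than options whitelisted) it is worth a line such as `// a wildcard verb "*" is deliberately not rejected here`, otherwise add `"*"` to the case list. The comment also has a typo: `backlist` should read `blacklist`. `illegalVerbs := []string{}` would be idiomatic as `var illegalVerbs []string`, since append and len work on a nil slice. The enclosing switch in Rule() starts and ends outside the hunk, and the same hunk appears again in the third file section, where the same remarks apply.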


@ -1,6 +1,6 @@
{
"ImportPath": "k8s.io/client-go",
"GoVersion": "go1.7",
"GoVersion": "go1.8",
"GodepVersion": "v79",
"Packages": [
"./..."


@ -189,6 +189,22 @@ func (r *PolicyRuleBuilder) Rule() (PolicyRule, error) {
// this a common bug
return PolicyRule{}, fmt.Errorf("resource rule must have apiGroups: %#v", r.PolicyRule)
}
// if resource names are set, then the verb must not be list, watch, create, or deletecollection
// since verbs are largely opaque, we don't want to accidentally prevent things like "impersonate", so
// we will backlist common mistakes, not whitelist acceptable options.
if len(r.PolicyRule.ResourceNames) != 0 {
illegalVerbs := []string{}
for _, verb := range r.PolicyRule.Verbs {
switch verb {
case "list", "watch", "create", "deletecollection":
illegalVerbs = append(illegalVerbs, verb)
}
}
if len(illegalVerbs) > 0 {
return PolicyRule{}, fmt.Errorf("verbs %v do not have names available: %#v", illegalVerbs, r.PolicyRule)
}
}
default:
return PolicyRule{}, fmt.Errorf("a rule must have either nonResourceURLs or resources: %#v", r.PolicyRule)
}