fix invalid match rules for advanced audit policy

When users or groups are set in a rule, this rule should not match attribute with unauthorized request where user and group are nil. Kubernetes-commit: 9a7acaae1d5015886cc7c3bc46fc3d973045dc2a
2018-02-06 14:05:57 +08:00 · 2018-02-06 14:05:57 +08:00 · 01b15f1056
parent 43a9f1d3a4
commit 01b15f1056
2 changed files with 22 additions and 4 deletions
--- a/pkg/audit/policy/checker.go
+++ b/pkg/audit/policy/checker.go
@ -76,14 +76,18 @@ func (p *policyChecker) LevelAndStages(attrs authorizer.Attributes) (audit.Level

 // Check whether the rule matches the request attrs.
 func ruleMatches(r *audit.PolicyRule, attrs authorizer.Attributes) bool {
-	if len(r.Users) > 0 && attrs.GetUser() != nil {
-		if !hasString(r.Users, attrs.GetUser().GetName()) {
+	user := attrs.GetUser()
+	if len(r.Users) > 0 {
+		if user == nil || !hasString(r.Users, user.GetName()) {
 			return false
 		}
 	}
-	if len(r.UserGroups) > 0 && attrs.GetUser() != nil {
+	if len(r.UserGroups) > 0 {
+		if user == nil {
+			return false
+		}
 		matched := false
-		for _, group := range attrs.GetUser().GetGroups() {
+		for _, group := range user.GetGroups() {
 			if hasString(r.UserGroups, group) {
 				matched = true
 				break
--- a/pkg/audit/policy/checker_test.go
+++ b/pkg/audit/policy/checker_test.go
@ -73,6 +73,16 @@ var (
 			ResourceRequest: true,
 			Path:            "/api/v1/namespaces/default/pods/busybox",
 		},
+		"Unauthorized": &authorizer.AttributesRecord{
+			Verb:            "get",
+			Namespace:       "default",
+			APIGroup:        "", // Core
+			APIVersion:      "v1",
+			Resource:        "pods",
+			Name:            "busybox",
+			ResourceRequest: true,
+			Path:            "/api/v1/namespaces/default/pods/busybox",
+		},
 	}

 	rules = map[string]audit.PolicyRule{
@ -227,6 +237,10 @@ func testAuditLevel(t *testing.T, stages []audit.Stage) {
 	test(t, "subresource", audit.LevelRequest, stages, stages, "getPodResourceWildcardMatching")
 	test(t, "subresource", audit.LevelRequest, stages, stages, "getPodSubResourceWildcardMatching")

+	test(t, "Unauthorized", audit.LevelNone, stages, stages, "tims")
+	test(t, "Unauthorized", audit.LevelMetadata, stages, stages, "tims", "default")
+	test(t, "Unauthorized", audit.LevelNone, stages, stages, "humans")
+	test(t, "Unauthorized", audit.LevelMetadata, stages, stages, "humans", "default")
 }

 func TestChecker(t *testing.T) {