diff --git a/go.mod b/go.mod
index ee65f3a2d..a0880f32b 100644
--- a/go.mod
+++ b/go.mod
@@ -45,7 +45,7 @@ require (
 gopkg.in/natefinch/lumberjack.v2 v2.2.1
 gopkg.in/square/go-jose.v2 v2.6.0
 k8s.io/api v0.0.0-20240814140756-5b597d2ac308
- k8s.io/apimachinery v0.0.0-20240720202316-95b78024e3fe
+ k8s.io/apimachinery v0.0.0-20240816010351-a8a2284d318b
 k8s.io/client-go v0.0.0-20240814061205-690fd5274dfc
 k8s.io/component-base v0.0.0-20240728011147-17b34105999b
 k8s.io/klog/v2 v2.130.1
diff --git a/go.sum b/go.sum
index ab0a1a4b5..87de1d5bd 100644
--- a/go.sum
+++ b/go.sum
@@ -372,8 +372,8 @@ honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 k8s.io/api v0.0.0-20240814140756-5b597d2ac308 h1:WNYh3lnGkkKKlE7TeskBL29ncORtzO/TqZIX4JuTHTo=
 k8s.io/api v0.0.0-20240814140756-5b597d2ac308/go.mod h1:ytlEzqC2wOTwYET71W7+J+k7O2V7vrDuzmNLBSpgT+k=
-k8s.io/apimachinery v0.0.0-20240720202316-95b78024e3fe h1:V9MwpYUwbKlfLKVrhpVuKWiat/LBIhm1pGB9/xdHm5Q=
-k8s.io/apimachinery v0.0.0-20240720202316-95b78024e3fe/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo=
+k8s.io/apimachinery v0.0.0-20240816010351-a8a2284d318b h1:dyJ8CcpWQebled2TcQWRumVyI+CBO0H0F5czijmaYTQ=
+k8s.io/apimachinery v0.0.0-20240816010351-a8a2284d318b/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo=
 k8s.io/client-go v0.0.0-20240814061205-690fd5274dfc h1:ZuM9tPpDGZHOb7dNzUNFOADRJK3+REmRsLQ/L3hVHRQ=
 k8s.io/client-go v0.0.0-20240814061205-690fd5274dfc/go.mod h1:cE151YT6VfSgZltk7hYbMYFQoMrTpIZQn935vDqadm4=
 k8s.io/component-base v0.0.0-20240728011147-17b34105999b h1:oOYTUnYRb8KrJ+OD2Y+819wrKs4A3iie+yQ558P55F0=
diff --git a/pkg/endpoints/handlers/responsewriters/errors.go b/pkg/endpoints/handlers/responsewriters/errors.go
index d13bee4d2..07316e802 100644
--- a/pkg/endpoints/handlers/responsewriters/errors.go
+++ b/pkg/endpoints/handlers/responsewriters/errors.go
@@ -34,18 +34,24 @@ var sanitizer = strings.NewReplacer(`&`, "&", `<`, "<", `>`, ">")
 // Forbidden renders a simple forbidden error
 func Forbidden(ctx context.Context, attributes authorizer.Attributes, w http.ResponseWriter, req *http.Request, reason string, s runtime.NegotiatedSerializer) {
- msg := sanitizer.Replace(forbiddenMessage(attributes))
 w.Header().Set("X-Content-Type-Options", "nosniff")
-
- var errMsg string
- if len(reason) == 0 {
- errMsg = fmt.Sprintf("%s", msg)
- } else {
- errMsg = fmt.Sprintf("%s: %s", msg, reason)
- }
 gv := schema.GroupVersion{Group: attributes.GetAPIGroup(), Version: attributes.GetAPIVersion()}
+ ErrorNegotiated(ForbiddenStatusError(attributes, reason), s, gv, w, req)
+}
+
+func ForbiddenStatusError(attributes authorizer.Attributes, reason string) *apierrors.StatusError {
+ msg := sanitizer.Replace(forbiddenMessage(attributes))
+
+ var errMsg error
+ if len(reason) == 0 {
+ errMsg = fmt.Errorf("%s", msg)
+ } else {
+ errMsg = fmt.Errorf("%s: %s", msg, reason)
+ }
+
 gr := schema.GroupResource{Group: attributes.GetAPIGroup(), Resource: attributes.GetResource()}
- ErrorNegotiated(apierrors.NewForbidden(gr, attributes.GetName(), fmt.Errorf(errMsg)), s, gv, w, req)
+
+ return apierrors.NewForbidden(gr, attributes.GetName(), errMsg)
 }
 func forbiddenMessage(attributes authorizer.Attributes) string {
diff --git a/pkg/endpoints/handlers/update.go b/pkg/endpoints/handlers/update.go
index 4b76ef97e..ead2b94de 100644
--- a/pkg/endpoints/handlers/update.go
+++ b/pkg/endpoints/handlers/update.go
@@ -39,6 +39,7 @@ import (
 "k8s.io/apiserver/pkg/endpoints/handlers/finisher"
 requestmetrics "k8s.io/apiserver/pkg/endpoints/handlers/metrics"
 "k8s.io/apiserver/pkg/endpoints/handlers/negotiation"
+ "k8s.io/apiserver/pkg/endpoints/handlers/responsewriters"
 "k8s.io/apiserver/pkg/endpoints/request"
 "k8s.io/apiserver/pkg/registry/rest"
 "k8s.io/apiserver/pkg/util/dryrun"
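Review bot: In the new `ForbiddenStatusError`, only `forbiddenMessage(attributes)` passes through `sanitizer.Replace`; `reason` is appended to the message unescaped. `Forbidden` already did this, but it sets `X-Content-Type-Options: nosniff` itself, whereas the helper is now exported and returned from the update handler, where no such header is set in the visible lines. Either escape the reason as well, `errMsg = fmt.Errorf("%s: %s", msg, sanitizer.Replace(reason))`, or state in the doc comment that `reason` must come from a trusted authorizer. The exported function also has no doc comment; `// ForbiddenStatusError builds the 403 StatusError that Forbidden writes, without writing a response.` would cover it.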
@@ -275,13 +276,7 @@ func withAuthorization(validate rest.ValidateObjectFunc, a authorizer.Authorizer
 }
 // The user is not authorized to perform this action, so we need to build the error response
- gr := schema.GroupResource{
- Group: attributes.GetAPIGroup(),
- Resource: attributes.GetResource(),
- }
- name := attributes.GetName()
- err := fmt.Errorf("%v", authorizerReason)
- return errors.NewForbidden(gr, name, err)
+ return responsewriters.ForbiddenStatusError(attributes, authorizerReason)
 }
 }
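Review bot: The 403 message returned from this branch of `withAuthorization` changes, not only the code shape: the old error carried just `authorizerReason`, while `ForbiddenStatusError` prefixes the sanitized `forbiddenMessage(attributes)` and appends the reason only when it is non-empty. Clients or tests that match on the old text will see a different message, and whatever request attributes `forbiddenMessage` includes (its body is outside this diff) now reach the caller on the update path too. A test asserting the message for a denied update would pin this, and a line such as `// Reuse the responsewriters.Forbidden message format so update denials read like other 403s.` above the return would record the intent. `withAuthorization` begins before this hunk, so the earlier decision handling is not visible here.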