From 757565c389084bec531e1468576c3e4794465d74 Mon Sep 17 00:00:00 2001
From: Monis Khan
Date: Fri, 2 Aug 2024 17:20:53 -0400
Subject: [PATCH 1/2] SSA: improve create authz error message
Signed-off-by: Monis Khan
Kubernetes-commit: 857127f7c44a029f6f8dd44b0b40364aa00aa13d
---
 pkg/endpoints/handlers/responsewriters/errors.go | 12 +++++++++---
 pkg/endpoints/handlers/update.go | 9 ++-------
 2 files changed, 11 insertions(+), 10 deletions(-)
diff --git a/pkg/endpoints/handlers/responsewriters/errors.go b/pkg/endpoints/handlers/responsewriters/errors.go
index d13bee4d2..6c0babfa9 100644
--- a/pkg/endpoints/handlers/responsewriters/errors.go
+++ b/pkg/endpoints/handlers/responsewriters/errors.go
@@ -34,8 +34,13 @@ var sanitizer = strings.NewReplacer(`&`, "&", `<`, "<", `>`, ">")
 
 // Forbidden renders a simple forbidden error
 func Forbidden(ctx context.Context, attributes authorizer.Attributes, w http.ResponseWriter, req *http.Request, reason string, s runtime.NegotiatedSerializer) {
-	msg := sanitizer.Replace(forbiddenMessage(attributes))
 	w.Header().Set("X-Content-Type-Options", "nosniff")
+	gv := schema.GroupVersion{Group: attributes.GetAPIGroup(), Version: attributes.GetAPIVersion()}
+	ErrorNegotiated(ForbiddenStatusError(attributes, reason), s, gv, w, req)
+}
+
+func ForbiddenStatusError(attributes authorizer.Attributes, reason string) *apierrors.StatusError {
+	msg := sanitizer.Replace(forbiddenMessage(attributes))
 
 	var errMsg string
 	if len(reason) == 0 {
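Review bot: `ForbiddenStatusError` is a new exported function with no doc comment, while the neighbouring `Forbidden` has one, so `golint`-style checks and godoc readers get nothing for it; add `// ForbiddenStatusError builds the forbidden StatusError that Forbidden renders, from the sanitized forbiddenMessage and an optional reason, for callers that need to return the error instead of writing it.` The new function's body continues in the next hunk, so the reason handling cannot be fully reviewed here. The `msg := sanitizer.Replace(...)` line simply moved from `Forbidden` into the helper, which keeps the rendered path's behaviour unchanged.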
@@ -43,9 +48,10 @@ func Forbidden(ctx context.Context, attributes authorizer.Attributes, w http.Res
 	} else {
 		errMsg = fmt.Sprintf("%s: %s", msg, reason)
 	}
-	gv := schema.GroupVersion{Group: attributes.GetAPIGroup(), Version: attributes.GetAPIVersion()}
+
 	gr := schema.GroupResource{Group: attributes.GetAPIGroup(), Resource: attributes.GetResource()}
-	ErrorNegotiated(apierrors.NewForbidden(gr, attributes.GetName(), fmt.Errorf(errMsg)), s, gv, w, req)
+
+	return apierrors.NewForbidden(gr, attributes.GetName(), fmt.Errorf(errMsg))
 }
 
 func forbiddenMessage(attributes authorizer.Attributes) string {
diff --git a/pkg/endpoints/handlers/update.go b/pkg/endpoints/handlers/update.go
index 4b76ef97e..ead2b94de 100644
--- a/pkg/endpoints/handlers/update.go
+++ b/pkg/endpoints/handlers/update.go
@@ -39,6 +39,7 @@ import (
 	"k8s.io/apiserver/pkg/endpoints/handlers/finisher"
 	requestmetrics "k8s.io/apiserver/pkg/endpoints/handlers/metrics"
 	"k8s.io/apiserver/pkg/endpoints/handlers/negotiation"
+	"k8s.io/apiserver/pkg/endpoints/handlers/responsewriters"
 	"k8s.io/apiserver/pkg/endpoints/request"
 	"k8s.io/apiserver/pkg/registry/rest"
 	"k8s.io/apiserver/pkg/util/dryrun"
@@ -275,13 +276,7 @@ func withAuthorization(validate rest.ValidateObjectFunc, a authorizer.Authorizer
 		}
 
 		// The user is not authorized to perform this action, so we need to build the error response
-		gr := schema.GroupResource{
-			Group: attributes.GetAPIGroup(),
-			Resource: attributes.GetResource(),
-		}
-		name := attributes.GetName()
-		err := fmt.Errorf("%v", authorizerReason)
-		return errors.NewForbidden(gr, name, err)
+		return responsewriters.ForbiddenStatusError(attributes, authorizerReason)
 	}
 }
 
From cc8ff8f9658896ff8e619590d0015308e93239a3 Mon Sep 17 00:00:00 2001
From: Monis Khan
Date: Mon, 5 Aug 2024 10:50:51 -0400
Subject: [PATCH 2/2] ForbiddenStatusError: make linter happy on error construction
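Review bot: `msg` is passed through `sanitizer.Replace` but `reason` is spliced into the same text untouched on the `errMsg = fmt.Sprintf("%s: %s", msg, reason)` line, so the escaping this helper applies covers only half of the message it returns; either apply `sanitizer.Replace(reason)` too or state in the function's doc comment that callers must pass plain-text reasons, since `withAuthorization` in update.go now relies on this helper as well. `ForbiddenStatusError` starts in the previous hunk. The `fmt.Errorf(errMsg)` non-constant format string on the `return` line is fixed by the second patch in this series, so it is not re-raised here.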
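Review bot: The retained comment `// The user is not authorized to perform this action, so we need to build the error response` no longer says why the construction was delegated, and the visible client-facing change (the message was the bare `authorizerReason` via the removed `fmt.Errorf("%v", authorizerReason)`, now it is whatever `ForbiddenStatusError` builds) deserves a sentence; replace it with `// Build the same 403 StatusError that responsewriters.Forbidden renders, so SSA and regular requests report forbidden errors identically.` Any caller or test matching on the old message text will presumably need updating. `withAuthorization` starts outside the hunk, so where `attributes` and `authorizerReason` come from is not visible here.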
Signed-off-by: Monis Khan
Kubernetes-commit: bff6ce4a38077c29cdf2e1ac2fce1a551082ebfe
---
 pkg/endpoints/handlers/responsewriters/errors.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/pkg/endpoints/handlers/responsewriters/errors.go b/pkg/endpoints/handlers/responsewriters/errors.go
index 6c0babfa9..07316e802 100644
--- a/pkg/endpoints/handlers/responsewriters/errors.go
+++ b/pkg/endpoints/handlers/responsewriters/errors.go
@@ -42,16 +42,16 @@ func Forbidden(ctx context.Context, attributes authorizer.Attributes, w http.Res
 func ForbiddenStatusError(attributes authorizer.Attributes, reason string) *apierrors.StatusError {
 	msg := sanitizer.Replace(forbiddenMessage(attributes))
 
-	var errMsg string
+	var errMsg error
 	if len(reason) == 0 {
-		errMsg = fmt.Sprintf("%s", msg)
+		errMsg = fmt.Errorf("%s", msg)
 	} else {
-		errMsg = fmt.Sprintf("%s: %s", msg, reason)
+		errMsg = fmt.Errorf("%s: %s", msg, reason)
 	}
 
 	gr := schema.GroupResource{Group: attributes.GetAPIGroup(), Resource: attributes.GetResource()}
 
-	return apierrors.NewForbidden(gr, attributes.GetName(), fmt.Errorf(errMsg))
+	return apierrors.NewForbidden(gr, attributes.GetName(), errMsg)
 }
 
 func forbiddenMessage(attributes authorizer.Attributes) string {
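Review bot: `errMsg` now holds an `error` (`var errMsg error`) rather than a message string, so the name misleads; rename it to `err` in the declaration, the two assignments and the `return apierrors.NewForbidden(gr, attributes.GetName(), errMsg)` line. Moving `msg` and `reason` into `%s` arguments also means a `%` in either can no longer be read as a format verb, which is the real reason the linter objected; a one-line comment above the `if` keeps the next editor from folding it back: `// keep msg and reason as arguments, never as the format string: both are caller-supplied text`. Whether `errors.New(msg)` could replace the first `fmt.Errorf` depends on imports not visible in this hunk.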