diff --git a/pkg/endpoints/handlers/responsewriters/errors.go b/pkg/endpoints/handlers/responsewriters/errors.go
index d13bee4d2..6c0babfa9 100644
--- a/pkg/endpoints/handlers/responsewriters/errors.go
+++ b/pkg/endpoints/handlers/responsewriters/errors.go
@@ -34,8 +34,13 @@ var sanitizer = strings.NewReplacer(`&`, "&", `<`, "<", `>`, ">")
 
 // Forbidden renders a simple forbidden error
 func Forbidden(ctx context.Context, attributes authorizer.Attributes, w http.ResponseWriter, req *http.Request, reason string, s runtime.NegotiatedSerializer) {
-	msg := sanitizer.Replace(forbiddenMessage(attributes))
 	w.Header().Set("X-Content-Type-Options", "nosniff")
+	gv := schema.GroupVersion{Group: attributes.GetAPIGroup(), Version: attributes.GetAPIVersion()}
+	ErrorNegotiated(ForbiddenStatusError(attributes, reason), s, gv, w, req)
+}
+
+func ForbiddenStatusError(attributes authorizer.Attributes, reason string) *apierrors.StatusError {
+	msg := sanitizer.Replace(forbiddenMessage(attributes))
 
 	var errMsg string
 	if len(reason) == 0 {
@@ -43,9 +48,10 @@ func Forbidden(ctx context.Context, attributes authorizer.Attributes, w http.Res
 	} else {
 		errMsg = fmt.Sprintf("%s: %s", msg, reason)
 	}
-	gv := schema.GroupVersion{Group: attributes.GetAPIGroup(), Version: attributes.GetAPIVersion()}
+
 	gr := schema.GroupResource{Group: attributes.GetAPIGroup(), Resource: attributes.GetResource()}
-	ErrorNegotiated(apierrors.NewForbidden(gr, attributes.GetName(), fmt.Errorf(errMsg)), s, gv, w, req)
+
+	return apierrors.NewForbidden(gr, attributes.GetName(), fmt.Errorf(errMsg))
 }
 
 func forbiddenMessage(attributes authorizer.Attributes) string {
diff --git a/pkg/endpoints/handlers/update.go b/pkg/endpoints/handlers/update.go
index 4b76ef97e..ead2b94de 100644
--- a/pkg/endpoints/handlers/update.go
+++ b/pkg/endpoints/handlers/update.go
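Review bot: `ForbiddenStatusError` is a new exported function with no doc comment, so the package's documentation and the usual exported-name lint check both miss it; add `// ForbiddenStatusError returns the Forbidden StatusError for the request described by attributes; a non-empty reason is appended to the message.` directly above its signature. The function's body continues into the next hunk of this file, so only its first statement is visible here. Forbidden keeps its `ctx` parameter although nothing in the new body reads it, which is pre-existing but worth a `_ = ctx`-style note or a follow-up if the signature is not frozen by callers.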
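Review bot: `fmt.Errorf(errMsg)` on the new return line passes a non-constant format string, and errMsg now carries the authorizer reason that withAuthorization in update.go feeds in; that caller previously wrapped the reason as `fmt.Errorf("%v", authorizerReason)`, which kept any `%` in it literal, whereas through this function a reason containing `%` is interpreted as verbs and can leave `%!v(MISSING)`-style fragments in the Status message. Change the line to `return apierrors.NewForbidden(gr, attributes.GetName(), fmt.Errorf("%s", errMsg))`; recent `go vet` printf checks also report non-constant format strings with no arguments. The same concern applies to the update.go hunk that calls this function, and it is not repeated there. The function's signature sits in the previous hunk.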
@@ -39,6 +39,7 @@ import (
 	"k8s.io/apiserver/pkg/endpoints/handlers/finisher"
 	requestmetrics "k8s.io/apiserver/pkg/endpoints/handlers/metrics"
 	"k8s.io/apiserver/pkg/endpoints/handlers/negotiation"
+	"k8s.io/apiserver/pkg/endpoints/handlers/responsewriters"
 	"k8s.io/apiserver/pkg/endpoints/request"
 	"k8s.io/apiserver/pkg/registry/rest"
 	"k8s.io/apiserver/pkg/util/dryrun"
@@ -275,13 +276,7 @@ func withAuthorization(validate rest.ValidateObjectFunc, a authorizer.Authorizer
 		}
 
 		// The user is not authorized to perform this action, so we need to build the error response
-		gr := schema.GroupResource{
-			Group: attributes.GetAPIGroup(),
-			Resource: attributes.GetResource(),
-		}
-		name := attributes.GetName()
-		err := fmt.Errorf("%v", authorizerReason)
-		return errors.NewForbidden(gr, name, err)
+		return responsewriters.ForbiddenStatusError(attributes, authorizerReason)
 	}
 }
 
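Review bot: The comment kept above the new return, `// The user is not authorized to perform this action, so we need to build the error response`, no longer matches the line below it, which delegates the construction to `responsewriters.ForbiddenStatusError`; reword it to `// The user is not authorized; return the same Forbidden status the HTTP handler path produces via responsewriters.` The returned message now starts with the sanitized forbiddenMessage prefix followed by authorizerReason rather than the bare reason, so any test or client matching the exact Status message will see a different string. If the removed lines were the only uses of `schema`, `fmt` or `errors` in update.go, those imports must go as well; the rest of the file, including the start of withAuthorization, is outside this hunk.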