SSA: improve create authz error message

Signed-off-by: Monis Khan <mok@microsoft.com>

Kubernetes-commit: 857127f7c44a029f6f8dd44b0b40364aa00aa13d
Monis Khan 2024-08-02 17:20:53 -04:00 committed by Kubernetes Publisher
parent 25d7e88901
commit 757565c389
2 changed files with 11 additions and 10 deletions


@ -34,8 +34,13 @@ var sanitizer = strings.NewReplacer(`&`, "&amp;", `<`, "&lt;", `>`, "&gt;")
// Forbidden renders a simple forbidden error // Forbidden renders a simple forbidden error
func Forbidden(ctx context.Context, attributes authorizer.Attributes, w http.ResponseWriter, req *http.Request, reason string, s runtime.NegotiatedSerializer) { func Forbidden(ctx context.Context, attributes authorizer.Attributes, w http.ResponseWriter, req *http.Request, reason string, s runtime.NegotiatedSerializer) {
msg := sanitizer.Replace(forbiddenMessage(attributes))
w.Header().Set("X-Content-Type-Options", "nosniff") w.Header().Set("X-Content-Type-Options", "nosniff")
gv := schema.GroupVersion{Group: attributes.GetAPIGroup(), Version: attributes.GetAPIVersion()}
ErrorNegotiated(ForbiddenStatusError(attributes, reason), s, gv, w, req)
}
func ForbiddenStatusError(attributes authorizer.Attributes, reason string) *apierrors.StatusError {
msg := sanitizer.Replace(forbiddenMessage(attributes))
var errMsg string var errMsg string
if len(reason) == 0 { if len(reason) == 0 {
@ -43,9 +48,10 @@ func Forbidden(ctx context.Context, attributes authorizer.Attributes, w http.Res
} else { } else {
errMsg = fmt.Sprintf("%s: %s", msg, reason) errMsg = fmt.Sprintf("%s: %s", msg, reason)
} }
gv := schema.GroupVersion{Group: attributes.GetAPIGroup(), Version: attributes.GetAPIVersion()}
gr := schema.GroupResource{Group: attributes.GetAPIGroup(), Resource: attributes.GetResource()} gr := schema.GroupResource{Group: attributes.GetAPIGroup(), Resource: attributes.GetResource()}
ErrorNegotiated(apierrors.NewForbidden(gr, attributes.GetName(), fmt.Errorf(errMsg)), s, gv, w, req)
return apierrors.NewForbidden(gr, attributes.GetName(), fmt.Errorf(errMsg))
} }
func forbiddenMessage(attributes authorizer.Attributes) string { func forbiddenMessage(attributes authorizer.Attributes) string {
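Review bot: The new ForbiddenStatusError hands the assembled message to `fmt.Errorf(errMsg)` as a non-constant format string (the `return apierrors.NewForbidden(...)` line before its closing brace), so any `%` in whatever forbiddenMessage derives from the request attributes, or in `reason`, is parsed as a format verb and the client-visible message picks up `%!`-style placeholders; `go vet` reports this pattern too. Change it to `return apierrors.NewForbidden(gr, attributes.GetName(), errors.New(errMsg))` if the stdlib `errors` package is imported in this file, otherwise `fmt.Errorf("%s", errMsg)` — note the removed create.go code used the safe `fmt.Errorf("%v", ...)` form, so routing it through this helper is a small regression on that path. The function is also exported without a doc comment; add `// ForbiddenStatusError builds the Forbidden StatusError for the request described by attributes, using the sanitized forbiddenMessage text, suffixed with reason when it is non-empty.` above the signature. ForbiddenStatusError spans both hunks of this file, and the line between them is not shown.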


@ -39,6 +39,7 @@ import (
"k8s.io/apiserver/pkg/endpoints/handlers/finisher" "k8s.io/apiserver/pkg/endpoints/handlers/finisher"
requestmetrics "k8s.io/apiserver/pkg/endpoints/handlers/metrics" requestmetrics "k8s.io/apiserver/pkg/endpoints/handlers/metrics"
"k8s.io/apiserver/pkg/endpoints/handlers/negotiation" "k8s.io/apiserver/pkg/endpoints/handlers/negotiation"
"k8s.io/apiserver/pkg/endpoints/handlers/responsewriters"
"k8s.io/apiserver/pkg/endpoints/request" "k8s.io/apiserver/pkg/endpoints/request"
"k8s.io/apiserver/pkg/registry/rest" "k8s.io/apiserver/pkg/registry/rest"
"k8s.io/apiserver/pkg/util/dryrun" "k8s.io/apiserver/pkg/util/dryrun"
@ -275,13 +276,7 @@ func withAuthorization(validate rest.ValidateObjectFunc, a authorizer.Authorizer
} }
// The user is not authorized to perform this action, so we need to build the error response // The user is not authorized to perform this action, so we need to build the error response
gr := schema.GroupResource{ return responsewriters.ForbiddenStatusError(attributes, authorizerReason)
Group: attributes.GetAPIGroup(),
Resource: attributes.GetResource(),
}
name := attributes.GetName()
err := fmt.Errorf("%v", authorizerReason)
return errors.NewForbidden(gr, name, err)
} }
} }