K8s API Server audit events are no longer pointers

2023-08-17 12:17:44 -05:00 · 2023-08-17 12:17:44 -05:00 · 23ec91dee0
commit 23ec91dee0
parent ccba159639
2 changed files with 16 additions and 22 deletions
--- a/internal/concierge/impersonator/impersonator.go
+++ b/internal/concierge/impersonator/impersonator.go
@ -13,6 +13,7 @@ import (
 	"net/http/httputil"
 	"net/url"
 	"os"
 	"reflect"
 	"regexp"
 	"strings"
 	"sync"
@ -513,7 +514,7 @@ func newImpersonationReverseProxyFunc(restConfig *rest.Config) (func(*genericapi
 			}
 			ae := audit.AuditEventFrom(r.Context())
-			if ae == nil {
+			if ae == nil || reflect.DeepEqual(*ae, auditinternal.Event{}) {
 				plog.Warning("aggregated API server logic did not set audit event but it is always supposed to do so",
 					"url", r.URL.String(),
 					"method", r.Method,
--- a/internal/concierge/impersonator/impersonator_test.go
+++ b/internal/concierge/impersonator/impersonator_test.go
@ -1141,14 +1141,14 @@ func TestImpersonatorHTTPHandler(t *testing.T) {
 		},
 		{
 			name:           "unexpected UID",
-			request:        newRequest(t, map[string][]string{}, &user.DefaultInfo{UID: "007"}, nil, ""),
+			request:        newRequest(t, map[string][]string{}, &user.DefaultInfo{UID: "007"}, &auditinternal.Event{User: authenticationv1.UserInfo{UID: "007"}}, ""),
 			wantHTTPBody:   `{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Internal error occurred: unimplemented functionality - unable to act as current user","reason":"InternalError","details":{"causes":[{"message":"unimplemented functionality - unable to act as current user"}]},"code":500}` + "\n",
 			wantHTTPStatus: http.StatusInternalServerError,
 		},
 		{
 			name: "authenticated user but missing audit event",
 			request: func() *http.Request {
-				req := newRequest(t, map[string][]string{
+				return newRequest(t, map[string][]string{
 					"User-Agent":   {"test-user-agent"},
 					"Connection":   {"Upgrade"},
 					"Upgrade":      {"some-upgrade"},
@ -1158,11 +1158,6 @@ func TestImpersonatorHTTPHandler(t *testing.T) {
 					Groups: testGroups,
 					Extra:  testExtra,
 				}, nil, "")
 				ctx := audit.WithAuditContext(req.Context())
 				ac := audit.AuditContextFrom(ctx)
 				ac.Event = nil
 				req = req.WithContext(ctx)
 				return req
 			}(),
 			wantHTTPBody:   `{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Internal error occurred: invalid audit event","reason":"InternalError","details":{"causes":[{"message":"invalid audit event"}]},"code":500}` + "\n",
 			wantHTTPStatus: http.StatusInternalServerError,
@ -1183,7 +1178,7 @@ func TestImpersonatorHTTPHandler(t *testing.T) {
 					"valid-key":   {"valid-value"},
 					"Invalid-key": {"still-valid-value"},
 				},
-			}, nil, ""),
+			}, &auditinternal.Event{User: authenticationv1.UserInfo{Username: testUser}}, ""),
 			wantHTTPBody:   `{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Internal error occurred: unimplemented functionality - unable to act as current user","reason":"InternalError","details":{"causes":[{"message":"unimplemented functionality - unable to act as current user"}]},"code":500}` + "\n",
 			wantHTTPStatus: http.StatusInternalServerError,
 		},
@ -1203,7 +1198,7 @@ func TestImpersonatorHTTPHandler(t *testing.T) {
 					"valid-key":               {"valid-value"},
 					"valid-data\nInvalid-key": {"still-valid-value"},
 				},
-			}, nil, ""),
+			}, &auditinternal.Event{User: authenticationv1.UserInfo{Username: testUser}}, ""),
 			wantHTTPBody:   `{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Internal error occurred: unimplemented functionality - unable to act as current user","reason":"InternalError","details":{"causes":[{"message":"unimplemented functionality - unable to act as current user"}]},"code":500}` + "\n",
 			wantHTTPStatus: http.StatusInternalServerError,
 		},
@ -1223,7 +1218,7 @@ func TestImpersonatorHTTPHandler(t *testing.T) {
 					"valid-key": {"valid-value"},
 					"foo.impersonation-proxy.concierge.pinniped.dev": {"still-valid-value"},
 				},
-			}, nil, ""),
+			}, &auditinternal.Event{User: authenticationv1.UserInfo{Username: testUser}}, ""),
 			wantHTTPBody:   `{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Internal error occurred: unimplemented functionality - unable to act as current user","reason":"InternalError","details":{"causes":[{"message":"unimplemented functionality - unable to act as current user"}]},"code":500}` + "\n",
 			wantHTTPStatus: http.StatusInternalServerError,
 		},
@ -1393,7 +1388,7 @@ func TestImpersonatorHTTPHandler(t *testing.T) {
 				Name:   testUser,
 				Groups: testGroups,
 				Extra:  testExtra,
-			}, nil, ""),
+			}, &auditinternal.Event{User: authenticationv1.UserInfo{Username: testUser}}, ""),
 			wantKubeAPIServerRequestHeaders: map[string][]string{
 				"Authorization":             {"Bearer some-service-account-token"},
 				"Impersonate-Extra-Extra-1": {"some", "extra", "stuff"},
@ -1482,7 +1477,7 @@ func TestImpersonatorHTTPHandler(t *testing.T) {
 					"iam.gke.io/user-assertion":       {"ABC"},
 					"user-assertion.cloud.google.com": {"XYZ"},
 				},
-			}, nil, ""),
+			}, &auditinternal.Event{User: authenticationv1.UserInfo{Username: "username@company.com"}}, ""),
 			wantKubeAPIServerRequestHeaders: map[string][]string{
 				"Authorization": {"Bearer some-service-account-token"},
 				"Impersonate-Extra-Iam.gke.io%2fuser-Assertion":     {"ABC"},
@ -1527,7 +1522,7 @@ func TestImpersonatorHTTPHandler(t *testing.T) {
 					"alpha.kubernetes.io/identity/user/domain/id":   {"domain-id"},
 					"alpha.kubernetes.io/identity/user/domain/name": {"domain-name"},
 				},
-			}, nil, ""),
+			}, &auditinternal.Event{User: authenticationv1.UserInfo{Username: "kube:admin"}}, ""),
 			wantKubeAPIServerRequestHeaders: map[string][]string{
 				"Authorization": {"Bearer some-service-account-token"},
 				"Impersonate-Extra-Scopes.authorization.openshift.io":                     {"user:info", "user:full"},
@ -1566,7 +1561,7 @@ func TestImpersonatorHTTPHandler(t *testing.T) {
 				Extra: map[string][]string{
 					"foo.iimpersonation-proxy.concierge.pinniped.dev": {"still-valid-value"},
 				},
-			}, nil, ""),
+			}, &auditinternal.Event{User: authenticationv1.UserInfo{Username: "username@company.com"}}, ""),
 			wantKubeAPIServerRequestHeaders: map[string][]string{
 				"Authorization": {"Bearer some-service-account-token"},
 				"Impersonate-Extra-Foo.iimpersonation-Proxy.concierge.pinniped.dev": {"still-valid-value"},
@ -1787,7 +1782,7 @@ func TestImpersonatorHTTPHandler(t *testing.T) {
 				Name:   testUser,
 				Groups: testGroups,
 				Extra:  testExtra,
-			}, nil, ""),
+			}, &auditinternal.Event{User: authenticationv1.UserInfo{Username: testUser}}, ""),
 			kubeAPIServerStatusCode: http.StatusNotFound,
 			wantKubeAPIServerRequestHeaders: map[string][]string{
 				"Accept-Encoding":           {"gzip"}, // because the rest client used in this test does not disable compression
@ -1932,13 +1927,11 @@ func newRequest(t *testing.T, h http.Header, userInfo user.Info, event *auditint
 		ctx = request.WithUser(ctx, userInfo)
 	}
 	ae := &auditinternal.Event{Level: auditinternal.LevelMetadata}
 	if event != nil {
 		ae = event
 	}
 	ctx = audit.WithAuditContext(ctx)
-	ac := audit.AuditContextFrom(ctx)
+	if event != nil {
-	ac.Event = ae
+		ac := audit.AuditContextFrom(ctx)
 		ac.Event = *event
 	}
 	reqInfo := &request.RequestInfo{
 		IsResourceRequest: false,