K8s API Server audit events are no longer pointers

This commit is contained in:
Joshua Casey 2023-08-17 12:17:44 -05:00
parent ccba159639
commit 23ec91dee0
2 changed files with 16 additions and 22 deletions

View File

@ -13,6 +13,7 @@ import (
"net/http/httputil"
"net/url"
"os"
"reflect"
"regexp"
"strings"
"sync"
@ -513,7 +514,7 @@ func newImpersonationReverseProxyFunc(restConfig *rest.Config) (func(*genericapi
}
ae := audit.AuditEventFrom(r.Context())
if ae == nil {
if ae == nil || reflect.DeepEqual(*ae, auditinternal.Event{}) {
plog.Warning("aggregated API server logic did not set audit event but it is always supposed to do so",
"url", r.URL.String(),
"method", r.Method,

View File

@ -1141,14 +1141,14 @@ func TestImpersonatorHTTPHandler(t *testing.T) {
},
{
name: "unexpected UID",
request: newRequest(t, map[string][]string{}, &user.DefaultInfo{UID: "007"}, nil, ""),
request: newRequest(t, map[string][]string{}, &user.DefaultInfo{UID: "007"}, &auditinternal.Event{User: authenticationv1.UserInfo{UID: "007"}}, ""),
wantHTTPBody: `{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Internal error occurred: unimplemented functionality - unable to act as current user","reason":"InternalError","details":{"causes":[{"message":"unimplemented functionality - unable to act as current user"}]},"code":500}` + "\n",
wantHTTPStatus: http.StatusInternalServerError,
},
{
name: "authenticated user but missing audit event",
request: func() *http.Request {
req := newRequest(t, map[string][]string{
return newRequest(t, map[string][]string{
"User-Agent": {"test-user-agent"},
"Connection": {"Upgrade"},
"Upgrade": {"some-upgrade"},
@ -1158,11 +1158,6 @@ func TestImpersonatorHTTPHandler(t *testing.T) {
Groups: testGroups,
Extra: testExtra,
}, nil, "")
ctx := audit.WithAuditContext(req.Context())
ac := audit.AuditContextFrom(ctx)
ac.Event = nil
req = req.WithContext(ctx)
return req
}(),
wantHTTPBody: `{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Internal error occurred: invalid audit event","reason":"InternalError","details":{"causes":[{"message":"invalid audit event"}]},"code":500}` + "\n",
wantHTTPStatus: http.StatusInternalServerError,
@ -1183,7 +1178,7 @@ func TestImpersonatorHTTPHandler(t *testing.T) {
"valid-key": {"valid-value"},
"Invalid-key": {"still-valid-value"},
},
}, nil, ""),
}, &auditinternal.Event{User: authenticationv1.UserInfo{Username: testUser}}, ""),
wantHTTPBody: `{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Internal error occurred: unimplemented functionality - unable to act as current user","reason":"InternalError","details":{"causes":[{"message":"unimplemented functionality - unable to act as current user"}]},"code":500}` + "\n",
wantHTTPStatus: http.StatusInternalServerError,
},
@ -1203,7 +1198,7 @@ func TestImpersonatorHTTPHandler(t *testing.T) {
"valid-key": {"valid-value"},
"valid-data\nInvalid-key": {"still-valid-value"},
},
}, nil, ""),
}, &auditinternal.Event{User: authenticationv1.UserInfo{Username: testUser}}, ""),
wantHTTPBody: `{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Internal error occurred: unimplemented functionality - unable to act as current user","reason":"InternalError","details":{"causes":[{"message":"unimplemented functionality - unable to act as current user"}]},"code":500}` + "\n",
wantHTTPStatus: http.StatusInternalServerError,
},
@ -1223,7 +1218,7 @@ func TestImpersonatorHTTPHandler(t *testing.T) {
"valid-key": {"valid-value"},
"foo.impersonation-proxy.concierge.pinniped.dev": {"still-valid-value"},
},
}, nil, ""),
}, &auditinternal.Event{User: authenticationv1.UserInfo{Username: testUser}}, ""),
wantHTTPBody: `{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Internal error occurred: unimplemented functionality - unable to act as current user","reason":"InternalError","details":{"causes":[{"message":"unimplemented functionality - unable to act as current user"}]},"code":500}` + "\n",
wantHTTPStatus: http.StatusInternalServerError,
},
@ -1393,7 +1388,7 @@ func TestImpersonatorHTTPHandler(t *testing.T) {
Name: testUser,
Groups: testGroups,
Extra: testExtra,
}, nil, ""),
}, &auditinternal.Event{User: authenticationv1.UserInfo{Username: testUser}}, ""),
wantKubeAPIServerRequestHeaders: map[string][]string{
"Authorization": {"Bearer some-service-account-token"},
"Impersonate-Extra-Extra-1": {"some", "extra", "stuff"},
@ -1482,7 +1477,7 @@ func TestImpersonatorHTTPHandler(t *testing.T) {
"iam.gke.io/user-assertion": {"ABC"},
"user-assertion.cloud.google.com": {"XYZ"},
},
}, nil, ""),
}, &auditinternal.Event{User: authenticationv1.UserInfo{Username: "username@company.com"}}, ""),
wantKubeAPIServerRequestHeaders: map[string][]string{
"Authorization": {"Bearer some-service-account-token"},
"Impersonate-Extra-Iam.gke.io%2fuser-Assertion": {"ABC"},
@ -1527,7 +1522,7 @@ func TestImpersonatorHTTPHandler(t *testing.T) {
"alpha.kubernetes.io/identity/user/domain/id": {"domain-id"},
"alpha.kubernetes.io/identity/user/domain/name": {"domain-name"},
},
}, nil, ""),
}, &auditinternal.Event{User: authenticationv1.UserInfo{Username: "kube:admin"}}, ""),
wantKubeAPIServerRequestHeaders: map[string][]string{
"Authorization": {"Bearer some-service-account-token"},
"Impersonate-Extra-Scopes.authorization.openshift.io": {"user:info", "user:full"},
@ -1566,7 +1561,7 @@ func TestImpersonatorHTTPHandler(t *testing.T) {
Extra: map[string][]string{
"foo.iimpersonation-proxy.concierge.pinniped.dev": {"still-valid-value"},
},
}, nil, ""),
}, &auditinternal.Event{User: authenticationv1.UserInfo{Username: "username@company.com"}}, ""),
wantKubeAPIServerRequestHeaders: map[string][]string{
"Authorization": {"Bearer some-service-account-token"},
"Impersonate-Extra-Foo.iimpersonation-Proxy.concierge.pinniped.dev": {"still-valid-value"},
@ -1787,7 +1782,7 @@ func TestImpersonatorHTTPHandler(t *testing.T) {
Name: testUser,
Groups: testGroups,
Extra: testExtra,
}, nil, ""),
}, &auditinternal.Event{User: authenticationv1.UserInfo{Username: testUser}}, ""),
kubeAPIServerStatusCode: http.StatusNotFound,
wantKubeAPIServerRequestHeaders: map[string][]string{
"Accept-Encoding": {"gzip"}, // because the rest client used in this test does not disable compression
@ -1932,13 +1927,11 @@ func newRequest(t *testing.T, h http.Header, userInfo user.Info, event *auditint
ctx = request.WithUser(ctx, userInfo)
}
ae := &auditinternal.Event{Level: auditinternal.LevelMetadata}
if event != nil {
ae = event
}
ctx = audit.WithAuditContext(ctx)
if event != nil {
ac := audit.AuditContextFrom(ctx)
ac.Event = ae
ac.Event = *event
}
reqInfo := &request.RequestInfo{
IsResourceRequest: false,