Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

🐛 Correctly check original groups against system:masters in scope filter #3263

Merged
merged 1 commit into from
Jan 23, 2025
Merged

🐛 Correctly check original groups against system:masters in scope filter #3263

merged 1 commit into from
Jan 23, 2025

Conversation

embik
Copy link
Member

@embik embik commented Jan 23, 2025
edited
Loading

Summary

We discovered that the WithImpersonationScoping filter had a flaw: It was checking the already impersonated user identity to determine whether adding a scope should be skipped for system:masters impersonators. But this check needs to run against the original user identity, not the impersonated identity (since that will never include system:masters).

This PR stores the user identity during WithImpersonationGatekeeper in the request context to fetch it at a later stage in WithImpersonationScoping.

As a bonus, I discovered that the check for extra impersonation headers is not correct: It was checking the HTTP header values, but it should be checking the name/key of the header. So the list of extra impersonations was always empty. The tests didn't check this.

Related issue(s)

Fixes #

Release Notes

NONE

@embik embik requested review from sttts and mjudeikis January 23, 2025 12:07
@kcp-ci-bot kcp-ci-bot added release-note-none Denotes a PR that doesn't merit a release note. dco-signoff: yes Indicates the PR's author has signed the DCO. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Jan 23, 2025
@embik embik force-pushed the impersonation-gatekeeper branch from c6fd133 to 5ea1c47 Compare January 23, 2025 12:08
@kcp-ci-bot kcp-ci-bot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Jan 23, 2025
@sttts
Copy link
Member

sttts commented Jan 23, 2025

/lgtm
/approve

@kcp-ci-bot kcp-ci-bot added the lgtm Indicates that a PR is ready to be merged. label Jan 23, 2025
@kcp-ci-bot
Copy link
Contributor

LGTM label has been added.

Git tree hash: 3a320cf9e326e7e14c51c2dd26e45e2d0be154ee

@kcp-ci-bot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: sttts

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kcp-ci-bot kcp-ci-bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 23, 2025
@embik
Copy link
Member Author

embik commented Jan 23, 2025

/hold

just ... checking some things.

@kcp-ci-bot kcp-ci-bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jan 23, 2025
@sttts
Copy link
Member

sttts commented Jan 23, 2025

/retest

@embik embik force-pushed the impersonation-gatekeeper branch from 5ea1c47 to 222d1ca Compare January 23, 2025 13:24
@kcp-ci-bot kcp-ci-bot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed lgtm Indicates that a PR is ready to be merged. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Jan 23, 2025
@embik
Copy link
Member Author

embik commented Jan 23, 2025

/hold cancel

@kcp-ci-bot kcp-ci-bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jan 23, 2025
@mjudeikis
Copy link
Contributor

/lgtm

@kcp-ci-bot kcp-ci-bot added the lgtm Indicates that a PR is ready to be merged. label Jan 23, 2025
@kcp-ci-bot
Copy link
Contributor

LGTM label has been added.

Git tree hash: c45562224102853cff8bdcb68b3b2f72d2cd0f09

@kcp-ci-bot kcp-ci-bot merged commit 66d548f into kcp-dev:main Jan 23, 2025
17 checks passed
@embik embik deleted the impersonation-gatekeeper branch January 23, 2025 14:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sttts sttts Awaiting requested review from sttts

@mjudeikis mjudeikis Awaiting requested review from mjudeikis

Assignees

@sttts sttts

@mjudeikis mjudeikis

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. dco-signoff: yes Indicates the PR's author has signed the DCO. lgtm Indicates that a PR is ready to be merged. release-note-none Denotes a PR that doesn't merit a release note. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@embik @sttts @kcp-ci-bot @mjudeikis