Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bug 1972383: openshift authorization proxy: escape header key values #217

Merged
merged 1 commit into from Jun 17, 2021
Merged

Bug 1972383: openshift authorization proxy: escape header key values #217

merged 1 commit into from Jun 17, 2021

Conversation

stlaz
Copy link
Member

@stlaz stlaz commented Jun 16, 2021

The authorization.openshift.io RBAC proxy is taking values from
the Extra field of a UserInfo of a user that made a request against
this API. The fields of the map may generally contain values that
cannot appear in an HTTP header, like '/' that's commonly separating
an API annotation from the API version or resource.

Copy the k8s.io header escaping function and use it in the proxy
that's handling the OpenShift authorization API.

/cc @s-urbaniak @sttts

/cherry-pick release-4.7

@openshift-ci openshift-ci bot requested review from s-urbaniak and sttts June 16, 2021 08:26
@openshift-ci openshift-ci bot added bugzilla/severity-high Referenced Bugzilla bug's severity is high for the branch this PR is targeting. bugzilla/invalid-bug Indicates that a referenced Bugzilla bug is invalid for the branch this PR is targeting. labels Jun 16, 2021
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jun 16, 2021

@stlaz: This pull request references Bugzilla bug 1972383, which is invalid:

  • expected the bug to target the "4.9.0" release, but it targets "4.8.0" instead

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

Bug 1972383: openshift authorization proxy: escape header key values

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@s-urbaniak
Copy link
Contributor

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jun 16, 2021
s-urbaniak
s-urbaniak reviewed Jun 16, 2021
View reviewed changes
pkg/client/impersonatingclient/impersonate.go
return !legalHeaderByte(b) || b == '%'
}

func headerKeyEscape(key string) string {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can we add a reference to client-go?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

added

@stlaz
openshift authorization proxy: escape header key values
ec6cf4e 
The authorization.openshift.io RBAC proxy is taking values from
the Extra field of a UserInfo of a user that made a request against
this API. The fields of the map may generally contain values that
cannot appear in an HTTP header, like '/' that's commonly separating
an API annotation from the API version or resource.

Copy the k8s.io header escaping function and use it in the proxy
that's handling the OpenShift authorization API.
@openshift-ci openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label Jun 16, 2021
@s-urbaniak
Copy link
Contributor

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jun 16, 2021
@s-urbaniak
Copy link
Contributor

/test e2e-aws

@osherdp
Copy link

osherdp commented Jun 16, 2021

/lgtm
works on my env

@osherdp
Copy link

osherdp commented Jun 16, 2021

/test e2e-aws

@osherdp
Copy link

osherdp commented Jun 16, 2021

/test e2e-aws-upgrade

@s-urbaniak
Copy link
Contributor

/bugzilla refresh

@openshift-ci openshift-ci bot added the bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. label Jun 16, 2021
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jun 16, 2021

@s-urbaniak: This pull request references Bugzilla bug 1972383, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target release (4.9.0) matches configured target release for branch (4.9.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

No GitHub users were found matching the public email listed for the QA contact in Bugzilla (liyao@redhat.com), skipping review request.

In response to this:

/bugzilla refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci openshift-ci bot removed the bugzilla/invalid-bug Indicates that a referenced Bugzilla bug is invalid for the branch this PR is targeting. label Jun 16, 2021
@s-urbaniak
Copy link
Contributor

/cherry-pick release-4.8

@openshift-cherrypick-robot
Copy link

@s-urbaniak: once the present PR merges, I will cherry-pick it on top of release-4.8 in a new PR and assign it to you.

In response to this:

/cherry-pick release-4.8

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@mfojtik
Copy link
Member

mfojtik commented Jun 16, 2021

/approve

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jun 16, 2021

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mfojtik, osherdp, s-urbaniak, stlaz

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 16, 2021
@osherdp
Copy link

osherdp commented Jun 16, 2021

/test e2e-aws

@stlaz
Copy link
Member Author

stlaz commented Jun 16, 2021

/test e2e-aws-upgrade

@openshift-bot
Copy link
Contributor

/retest

Please review the full test history for this PR and help us cut down flakes.

@wallylewis
Copy link

/retest

@openshift-bot
Copy link
Contributor

/retest

Please review the full test history for this PR and help us cut down flakes.

2 similar comments
@openshift-bot
Copy link
Contributor

/retest

Please review the full test history for this PR and help us cut down flakes.

@openshift-bot
Copy link
Contributor

/retest

Please review the full test history for this PR and help us cut down flakes.

@openshift-merge-robot openshift-merge-robot merged commit fae4a6c into openshift:master Jun 17, 2021
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jun 17, 2021

@stlaz: All pull requests linked via external trackers have merged:

Bugzilla bug 1972383 has been moved to the MODIFIED state.

In response to this:

Bug 1972383: openshift authorization proxy: escape header key values

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-cherrypick-robot
Copy link

@s-urbaniak: new pull request created: #219

In response to this:

/cherry-pick release-4.8

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-cherrypick-robot openshift-cherrypick-robot mentioned this pull request Jun 17, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@s-urbaniak s-urbaniak s-urbaniak left review comments

@sttts sttts Awaiting requested review from sttts

Assignees

@s-urbaniak s-urbaniak

@osherdp osherdp

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. bugzilla/severity-high Referenced Bugzilla bug's severity is high for the branch this PR is targeting. bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. lgtm Indicates that a PR is ready to be merged.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
8 participants
@stlaz @s-urbaniak @osherdp @openshift-cherrypick-robot @mfojtik @openshift-bot @wallylewis @openshift-merge-robot