New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bug 1972383: openshift authorization proxy: escape header key values #217
Bug 1972383: openshift authorization proxy: escape header key values #217
Conversation
@stlaz: This pull request references Bugzilla bug 1972383, which is invalid:
Comment In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/lgtm |
return !legalHeaderByte(b) || b == '%' | ||
} | ||
|
||
func headerKeyEscape(key string) string { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can we add a reference to client-go?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
added
The authorization.openshift.io RBAC proxy is taking values from the Extra field of a UserInfo of a user that made a request against this API. The fields of the map may generally contain values that cannot appear in an HTTP header, like '/' that's commonly separating an API annotation from the API version or resource. Copy the k8s.io header escaping function and use it in the proxy that's handling the OpenShift authorization API.
c8d7683
to
ec6cf4e
Compare
/lgtm |
/test e2e-aws |
/lgtm |
/test e2e-aws |
/test e2e-aws-upgrade |
/bugzilla refresh |
@s-urbaniak: This pull request references Bugzilla bug 1972383, which is valid. 3 validation(s) were run on this bug
No GitHub users were found matching the public email listed for the QA contact in Bugzilla (liyao@redhat.com), skipping review request. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/cherry-pick release-4.8 |
@s-urbaniak: once the present PR merges, I will cherry-pick it on top of release-4.8 in a new PR and assign it to you. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/approve |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: mfojtik, osherdp, s-urbaniak, stlaz The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/test e2e-aws |
/test e2e-aws-upgrade |
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest |
/retest Please review the full test history for this PR and help us cut down flakes. |
2 similar comments
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
@stlaz: All pull requests linked via external trackers have merged: Bugzilla bug 1972383 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@s-urbaniak: new pull request created: #219 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
The authorization.openshift.io RBAC proxy is taking values from
the Extra field of a UserInfo of a user that made a request against
this API. The fields of the map may generally contain values that
cannot appear in an HTTP header, like '/' that's commonly separating
an API annotation from the API version or resource.
Copy the k8s.io header escaping function and use it in the proxy
that's handling the OpenShift authorization API.
/cc @s-urbaniak @sttts
/cherry-pick release-4.7