brancz · ibihim · May 6, 2025 · May 6, 2025 · Mar 20, 2025
diff --git a/cmd/kube-rbac-proxy/app/authorizer.go b/cmd/kube-rbac-proxy/app/authorizer.go
@@ -0,0 +1,93 @@
+/*
+Copyright 2025 the kube-rbac-proxy maintainers. All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package app
+
+import (
+	"fmt"
+
+	"k8s.io/apiserver/pkg/authorization/authorizer"
+	"k8s.io/apiserver/pkg/authorization/union"
+	serverconfig "k8s.io/apiserver/pkg/server"
+
+	"github.com/brancz/kube-rbac-proxy/pkg/authorization/path"
+	"github.com/brancz/kube-rbac-proxy/pkg/authorization/rewrite"
+	"github.com/brancz/kube-rbac-proxy/pkg/authorization/static"
+	"github.com/brancz/kube-rbac-proxy/pkg/server"
+)
+
+// setupAuthorizer runs different authorization checks based on the configuration.
+func setupAuthorizer(krbInfo *server.KubeRBACProxyInfo, delegatedAuthz *serverconfig.AuthorizationInfo) (authorizer.Authorizer, error) {
+	// authz are running after the pathAuthorizer
+	// and after the attributes have been rewritten.
+	// Default k8s authorizer
+	authz := delegatedAuthz.Authorizer
+
+	// Static authorization authorizes against a static file is ran before the SubjectAccessReview.
+	if krbInfo.Authorization.Static != nil {
+		staticAuthorizer, err := static.NewStaticAuthorizer(krbInfo.Authorization.Static)
+		if err != nil {
+			return nil, fmt.Errorf("failed to create static authorizer: %w", err)
+		}
+
+		authz = union.New(staticAuthorizer, authz)
+	}
+
+	// Rewriting attributes such that they fit the given use-case.
+	var attrsGenerator rewrite.AttributesGenerator
+	switch {
+	case krbInfo.Authorization.ResourceAttributes != nil && krbInfo.Authorization.Rewrites == nil:
+		attrsGenerator = rewrite.NewResourceAttributesGenerator(
+			krbInfo.Authorization.ResourceAttributes,
+		)
+	case krbInfo.Authorization.ResourceAttributes != nil && krbInfo.Authorization.Rewrites != nil:
+		attrsGenerator = rewrite.NewTemplatedResourceAttributesGenerator(
+			krbInfo.Authorization.ResourceAttributes,
+		)
+	}
+
+	if attrsGenerator != nil {
+		authz = rewrite.NewRewritingAuthorizer(
+			authz,
+			attrsGenerator,
+		)
+	}
+
+	// pathAuthorizer is running before any other authorizer.
+	// It works outside of the default authorizers.
+	var pathAuthorizer authorizer.Authorizer
+	var err error
+	// AllowPaths are the only paths that are not denied.
+	// IgnorePaths bypass all authorization checks.
+	switch {
+	case len(krbInfo.AllowPaths) > 0:
+		pathAuthorizer, err = path.NewAllowedPathsAuthorizer(krbInfo.AllowPaths)
+		if err != nil {
+			return nil, fmt.Errorf("failed to create allow path authorizer: %w", err)
+		}
+	case len(krbInfo.IgnorePaths) > 0:
+		pathAuthorizer, err = path.NewPassthroughAuthorizer(krbInfo.IgnorePaths)
+		if err != nil {
+			return nil, fmt.Errorf("failed to create ignore path authorizer: %w", err)
+		}
+	}
+
+	if pathAuthorizer != nil {
+		return union.New(pathAuthorizer, authz), nil
+	}
+
+	return authz, nil
+}
diff --git a/cmd/kube-rbac-proxy/app/authorizer_test.go b/cmd/kube-rbac-proxy/app/authorizer_test.go
@@ -0,0 +1,185 @@
+/*
+Copyright 2025 the kube-rbac-proxy maintainers. All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package app
+
+import (
+	"context"
+	"testing"
+
+	"k8s.io/apiserver/pkg/authorization/authorizer"
+	"k8s.io/apiserver/pkg/authorization/authorizerfactory"
+	serverconfig "k8s.io/apiserver/pkg/server"
+
+	authz "github.com/brancz/kube-rbac-proxy/pkg/authorization"
+	"github.com/brancz/kube-rbac-proxy/pkg/authorization/rewrite"
+	"github.com/brancz/kube-rbac-proxy/pkg/authorization/static"
+	"github.com/brancz/kube-rbac-proxy/pkg/server"
+)
+
+type mockAuthorizer struct {
+	decision    authorizer.Decision
+	reason      string
+	err         error
+	lastRequest authorizer.Attributes
+}
+
+func (m *mockAuthorizer) Authorize(ctx context.Context, attrs authorizer.Attributes) (authorizer.Decision, string, error) {
+	m.lastRequest = attrs
+	return m.decision, m.reason, m.err
+}
+
+func TestSetupAuthorizer(t *testing.T) {
+	testCases := []struct {
+		name              string
+		krbInfo           *server.KubeRBACProxyInfo
+		delegatedAuthz    *serverconfig.AuthorizationInfo
+		expectError       bool
+		checkPathAuthz    bool
+		checkStaticAuthz  bool
+		checkRewriteAuthz bool
+	}{
+		{
+			name: "with allow paths",
+			krbInfo: &server.KubeRBACProxyInfo{
+				AllowPaths: []string{"/healthz", "/metrics/*"},
+				Authorization: &authz.AuthzConfig{
+					RewriteAttributesConfig: &rewrite.RewriteAttributesConfig{},
+				},
+			},
+			delegatedAuthz: &serverconfig.AuthorizationInfo{
+				Authorizer: &mockAuthorizer{},
+			},
+			checkPathAuthz: true,
+		},
+		{
+			name: "with ignore paths",
+			krbInfo: &server.KubeRBACProxyInfo{
+				IgnorePaths: []string{"/healthz", "/metrics/*"},
+				Authorization: &authz.AuthzConfig{
+					RewriteAttributesConfig: &rewrite.RewriteAttributesConfig{},
+				},
+			},
+			delegatedAuthz: &serverconfig.AuthorizationInfo{
+				Authorizer: &mockAuthorizer{},
+			},
+			checkPathAuthz: true,
+		},
+		{
+			name: "with static authorizer",
+			krbInfo: &server.KubeRBACProxyInfo{
+				Authorization: &authz.AuthzConfig{
+					RewriteAttributesConfig: &rewrite.RewriteAttributesConfig{},
+					Static: []static.StaticAuthorizationConfig{
+						{
+							User: static.UserConfig{
+								Name:   "test-user",
+								Groups: []string{"test-group"},
+							},
+							ResourceRequest: true,
+							Resource:        "pods",
+							Namespace:       "default",
+							Verb:            "get",
+						},
+					},
+				},
+			},
+			delegatedAuthz: &serverconfig.AuthorizationInfo{
+				Authorizer: &mockAuthorizer{},
+			},
+			checkStaticAuthz: true,
+		},
+		{
+			name: "with resource attributes",
+			krbInfo: &server.KubeRBACProxyInfo{
+				Authorization: &authz.AuthzConfig{
+					RewriteAttributesConfig: &rewrite.RewriteAttributesConfig{
+						ResourceAttributes: &rewrite.ResourceAttributes{
+							Namespace:   "default",
+							Resource:    "pods",
+							Subresource: "proxy",
+						},
+					},
+				},
+			},
+			delegatedAuthz: &serverconfig.AuthorizationInfo{
+				Authorizer: authorizerfactory.NewAlwaysAllowAuthorizer(),
+			},
+			checkRewriteAuthz: true,
+		},
+		{
+			name: "with templated resource attributes",
+			krbInfo: &server.KubeRBACProxyInfo{
+				Authorization: &authz.AuthzConfig{
+					RewriteAttributesConfig: &rewrite.RewriteAttributesConfig{
+						ResourceAttributes: &rewrite.ResourceAttributes{
+							Namespace:   "default",
+							Resource:    "pods",
+							Subresource: "proxy",
+						},
+						Rewrites: &rewrite.SubjectAccessReviewRewrites{
+							ByQueryParameter: &rewrite.QueryParameterRewriteConfig{
+								Name: "resource",
+							},
+						},
+					},
+				},
+			},
+			delegatedAuthz: &serverconfig.AuthorizationInfo{
+				Authorizer: authorizerfactory.NewAlwaysAllowAuthorizer(),
+			},
+			checkRewriteAuthz: true,
+		},
+		{
+			name: "with non-resource attributes",
+			krbInfo: &server.KubeRBACProxyInfo{
+				Authorization: &authz.AuthzConfig{
+					RewriteAttributesConfig: &rewrite.RewriteAttributesConfig{},
+				},
+			},
+			delegatedAuthz: &serverconfig.AuthorizationInfo{
+				Authorizer: authorizerfactory.NewAlwaysAllowAuthorizer(),
+			},
+			checkRewriteAuthz: true,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			result, err := setupAuthorizer(tc.krbInfo, tc.delegatedAuthz)
+
+			if tc.expectError {
+				if err == nil {
+					t.Fatalf("expected error but got none")
+				}
+				return
+			}
+
+			if err != nil {
+				t.Fatalf("unexpected error: %v", err)
+			}
+
+			// Basic validation that we got an authorizer back
+			if result == nil {
+				t.Fatalf("expected non-nil authorizer")
+			}
+
+			// We won't actually invoke the authorizer since that would require
+			// setting up more test fixtures. This test just verifies that the
+			// authorizer is properly constructed based on the configuration.
+		})
+	}
+}
diff --git a/cmd/kube-rbac-proxy/app/kube-rbac-proxy.go b/cmd/kube-rbac-proxy/app/kube-rbac-proxy.go
@@ -32,8 +32,6 @@ import (
 	utilerrors "k8s.io/apimachinery/pkg/util/errors"
 	waitgroup "k8s.io/apimachinery/pkg/util/waitgroup"
 	"k8s.io/apiserver/pkg/authentication/authenticator"
-	"k8s.io/apiserver/pkg/authorization/authorizer"
-	"k8s.io/apiserver/pkg/authorization/union"
 	kubefilters "k8s.io/apiserver/pkg/endpoints/filters"
 	"k8s.io/apiserver/pkg/endpoints/request"
 	serverconfig "k8s.io/apiserver/pkg/server"
@@ -48,9 +46,7 @@ import (
 	"github.com/brancz/kube-rbac-proxy/cmd/kube-rbac-proxy/app/options"
 	"github.com/brancz/kube-rbac-proxy/pkg/authn"
 	"github.com/brancz/kube-rbac-proxy/pkg/authn/identityheaders"
-	"github.com/brancz/kube-rbac-proxy/pkg/authorization/path"
 	"github.com/brancz/kube-rbac-proxy/pkg/authorization/rewrite"
-	"github.com/brancz/kube-rbac-proxy/pkg/authorization/static"
 	"github.com/brancz/kube-rbac-proxy/pkg/filters"
 	"github.com/brancz/kube-rbac-proxy/pkg/server"
 )
@@ -159,7 +155,6 @@ func (opts *completedProxyRunOptions) ProxyConfig() (*server.KubeRBACProxyConfig
 // Complete sets defaults for the ProxyRunOptions.
 // Should be called after the flags are parsed.
 func Complete(o *options.ProxyRunOptions) (*completedProxyRunOptions, error) {
-
 	hostname, err := os.Hostname()
 	if err != nil {
 		return nil, fmt.Errorf("failed to retrieve hostname for self-signed cert: %w", err)
@@ -270,68 +265,6 @@ func Run(cfg *server.KubeRBACProxyConfig) error {
 	return nil
 }
 
-// setupAuthorizer runs different authorization checks based on the configuration.
-func setupAuthorizer(krbInfo *server.KubeRBACProxyInfo, delegatedAuthz *serverconfig.AuthorizationInfo) (authorizer.Authorizer, error) {
-	// pathAuthorizer is running before any other authorizer.
-	// It works outside of the default authorizers.
-	var pathAuthorizer authorizer.Authorizer
-	var err error
-	// AllowPaths are the only paths that are not denied.
-	// IgnorePaths bypass all authorization checks.
-	switch {
-	case len(krbInfo.AllowPaths) > 0:
-		pathAuthorizer, err = path.NewAllowedPathsAuthorizer(krbInfo.AllowPaths)
-		if err != nil {
-			return nil, fmt.Errorf("failed to create allow path authorizer: %w", err)
-		}
-	case len(krbInfo.IgnorePaths) > 0:
-		pathAuthorizer, err = path.NewPassthroughAuthorizer(krbInfo.IgnorePaths)
-		if err != nil {
-			return nil, fmt.Errorf("failed to create ignore path authorizer: %w", err)
-		}
-	}
-
-	// Delegated authorizers are running after the pathAuthorizer
-	// and after the attributes have been rewritten.
-	var delegated []authorizer.Authorizer
-	// Static authorization authorizes against a static file is ran before the SubjectAccessReview.
-	if krbInfo.Authorization.Static != nil {
-		staticAuthorizer, err := static.NewStaticAuthorizer(krbInfo.Authorization.Static)
-		if err != nil {
-			return nil, fmt.Errorf("failed to create static authorizer: %w", err)
-		}
-
-		delegated = append(delegated, staticAuthorizer)
-	}
-	delegated = append(delegated, delegatedAuthz.Authorizer)
-
-	// Rewriting attributes such that they fit the given use-case.
-	var attrsGenerator rewrite.AttributesGenerator
-	switch {
-	case krbInfo.Authorization.ResourceAttributes != nil && krbInfo.Authorization.Rewrites == nil:
-		attrsGenerator = rewrite.NewResourceAttributesGenerator(
-			krbInfo.Authorization.ResourceAttributes,
-		)
-	case krbInfo.Authorization.ResourceAttributes != nil && krbInfo.Authorization.Rewrites != nil:
-		attrsGenerator = rewrite.NewTemplatedResourceAttributesGenerator(
-			krbInfo.Authorization.ResourceAttributes,
-		)
-	default:
-		attrsGenerator = &rewrite.NonResourceAttributesGenerator{}
-	}
-
-	rewritingAuthorizer := rewrite.NewRewritingAuthorizer(
-		union.New(delegated...),
-		attrsGenerator,
-	)
-
-	if pathAuthorizer != nil {
-		return union.New(pathAuthorizer, rewritingAuthorizer), nil
-	}
-
-	return rewritingAuthorizer, nil
-}
-
 func setupProxyHandler(cfg *server.KubeRBACProxyInfo) http.Handler {
 	proxy := &httputil.ReverseProxy{
 		Rewrite: func(pr *httputil.ProxyRequest) {