Skip to content

Commit a186a18

Browse files
fix(auth): remove check restricting empty UID to handle kube:admin bootstrap user scenario (#135)
* fix(auth): allow empty UID for kube:admin bootstrap user SelfSubjectReview and the OpenShift User API return no UID for kube:admin, which is expected for the bootstrap admin. PR #134 rejected empty UIDs and broke web terminal auth on clusters where oc whoami is kube:admin. Restore pre-#134 semantics for empty UID while keeping SelfSubjectReview as the primary lookup for external authentication (WTO-399). Co-authored-by: Cursor <cursoragent@cursor.com> Signed-off-by: Rohan Kumar <rohaan@redhat.com> * fix(auth): prefer OpenShift User API for UID lookup with SSR fallback Resolve kube:admin via the OpenShift User API first, allowing empty UID for bootstrap users, and fall back to SelfSubjectReview only when the User API is unavailable while rejecting empty UIDs on that path. Co-authored-by: Cursor <cursoragent@cursor.com> --------- Signed-off-by: Rohan Kumar <rohaan@redhat.com> Co-authored-by: Cursor <cursoragent@cursor.com>
1 parent 381f3ba commit a186a18

2 files changed

Lines changed: 27 additions & 29 deletions

File tree

pkg/operations/operations.go

Lines changed: 8 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -117,19 +117,20 @@ func GetCurrentWorkspacePod(client kubernetes.Interface) (*corev1.Pod, error) {
117117
}
118118

119119
func GetCurrentUserUID(token string, clientProvider ClientProvider) (string, error) {
120-
uid, err := getCurrentUserUIDFromSelfSubjectReview(token, clientProvider)
120+
uid, err := getCurrentUserUIDFromOpenShiftUserAPI(token, clientProvider)
121121
if err == nil {
122122
return uid, nil
123123
}
124124

125-
// Fall back to the OpenShift User API on clusters where SelfSubjectReview is unavailable.
126-
uid, fallbackErr := getCurrentUserUIDFromOpenShiftUserAPI(token, clientProvider)
125+
// Fall back to SelfSubjectReview on clusters where the OpenShift User API is unavailable
126+
// (e.g. BYO external authentication without user.openshift.io).
127+
uid, fallbackErr := getCurrentUserUIDFromSelfSubjectReview(token, clientProvider)
127128
if fallbackErr == nil {
128129
return uid, nil
129130
}
130131

131132
return "", fmt.Errorf(
132-
"failed to get current user information: SelfSubjectReview error: %w; OpenShift User API error: %w",
133+
"failed to get current user information: OpenShift User API error: %w; SelfSubjectReview error: %w",
133134
err,
134135
fallbackErr,
135136
)
@@ -166,10 +167,7 @@ func getCurrentUserUIDFromOpenShiftUserAPI(token string, clientProvider ClientPr
166167
return "", err
167168
}
168169

169-
uid := string(userInfo.GetUID())
170-
if uid == "" {
171-
return "", fmt.Errorf("OpenShift User API returned empty UID")
172-
}
173-
174-
return uid, nil
170+
// kube:admin / kubeadmin have no Kubernetes UID; empty string is a valid identifier
171+
// when AUTHENTICATED_USER_ID is also empty (see config.AuthenticatedUserID).
172+
return string(userInfo.GetUID()), nil
175173
}

pkg/operations/operations_test.go

Lines changed: 19 additions & 19 deletions
Original file line numberDiff line numberDiff line change
@@ -46,50 +46,50 @@ func TestGetCurrentUserUID(t *testing.T) {
4646
expectedUID string
4747
}{
4848
{
49-
name: "Should return UID from SelfSubjectReview",
49+
name: "Should return UID from OpenShift User API",
5050
provider: testUserIDClientProvider{
51-
userUID: expectedUID,
51+
userAPIUID: expectedUID,
5252
},
5353
expectedUID: expectedUID,
5454
},
5555
{
56-
name: "Should return error when client creation fails",
56+
name: "Should fall back to SelfSubjectReview when OpenShift User API is unavailable",
5757
provider: testUserIDClientProvider{
58-
returnClientError: true,
58+
returnUserAPIError: apierrors.NewNotFound(schema.GroupResource{Group: "user.openshift.io", Resource: "users"}, "~"),
59+
userUID: expectedUID,
5960
},
60-
errRegexp: "failed to create client to check user info",
61+
expectedUID: expectedUID,
6162
},
6263
{
63-
name: "Should fall back to OpenShift User API when SelfSubjectReview is unavailable",
64+
name: "Should return error when client creation fails",
6465
provider: testUserIDClientProvider{
65-
returnReviewError: apierrors.NewNotFound(schema.GroupResource{Group: "authentication.k8s.io", Resource: "selfsubjectreviews"}, "self"),
66-
userAPIUID: expectedUID,
66+
returnClientError: true,
6767
},
68-
expectedUID: expectedUID,
68+
errRegexp: "failed to create client to check user info",
6969
},
7070
{
7171
name: "Should return error when both user lookups fail",
7272
provider: testUserIDClientProvider{
73-
returnReviewError: apierrors.NewNotFound(schema.GroupResource{Group: "authentication.k8s.io", Resource: "selfsubjectreviews"}, "self"),
7473
returnUserAPIError: apierrors.NewNotFound(schema.GroupResource{Group: "user.openshift.io", Resource: "users"}, "~"),
74+
returnReviewError: apierrors.NewNotFound(schema.GroupResource{Group: "authentication.k8s.io", Resource: "selfsubjectreviews"}, "self"),
7575
},
7676
errRegexp: "failed to get current user information",
7777
},
7878
{
79-
name: "Should return error when SelfSubjectReview returns empty UID",
79+
name: "Should allow empty UID from OpenShift User API for kube:admin",
8080
provider: testUserIDClientProvider{
81-
userUID: "",
81+
userAPIUID: "",
82+
emptyUserAPIUID: true,
8283
},
83-
errRegexp: "SelfSubjectReview returned empty UID",
84+
expectedUID: "",
8485
},
8586
{
86-
name: "Should return error when OpenShift User API returns empty UID",
87+
name: "Should return error when SelfSubjectReview returns empty UID on fallback",
8788
provider: testUserIDClientProvider{
88-
returnReviewError: apierrors.NewNotFound(schema.GroupResource{Group: "authentication.k8s.io", Resource: "selfsubjectreviews"}, "self"),
89-
userAPIUID: "",
90-
emptyUserAPIUID: true,
89+
returnUserAPIError: apierrors.NewNotFound(schema.GroupResource{Group: "user.openshift.io", Resource: "users"}, "~"),
90+
userUID: "",
9191
},
92-
errRegexp: "OpenShift User API returned empty UID",
92+
errRegexp: "SelfSubjectReview returned empty UID",
9393
},
9494
}
9595

@@ -100,8 +100,8 @@ func TestGetCurrentUserUID(t *testing.T) {
100100
assert.Error(t, err)
101101
assert.Regexp(t, tt.errRegexp, err.Error())
102102
if tt.name == "Should return error when both user lookups fail" {
103-
assert.Contains(t, err.Error(), "SelfSubjectReview error:")
104103
assert.Contains(t, err.Error(), "OpenShift User API error:")
104+
assert.Contains(t, err.Error(), "SelfSubjectReview error:")
105105
}
106106
return
107107
}

0 commit comments

Comments
 (0)