fixing default shell assignment from role config (#50003)
eriktate authored Dec 10, 2024
1 parent 530fd47 commit 6f28df4
Showing 2 changed files with 48 additions and 4 deletions.
6 changes: 2 additions & 4 deletions lib/services/access_checker.go
@@ -19,6 +19,7 @@
package services

import (
"cmp"
"context"
"fmt"
"net"
@@ -1064,11 +1065,8 @@ func (a *accessChecker) HostUsers(s types.Server) (*HostUsersInfo, error) {
}

hostUserShell := role.GetOptions().CreateHostUserDefaultShell
shell = cmp.Or(shell, hostUserShell)
if hostUserShell != "" {
if shell != "" {
shell = hostUserShell
}

shellToRoles[hostUserShell] = append(shellToRoles[hostUserShell], role.GetName())
}

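Review bot: With `shell = cmp.Or(shell, hostUserShell)` the first role that sets a non-empty `CreateHostUserDefaultShell` decides the shell of the provisioned host user, so when matching roles disagree the outcome depends on role iteration order, and nothing next to the assignment says so. I would add a comment above it such as `// first non-empty default shell wins; conflicting values from later roles are only recorded in shellToRoles`. How `shellToRoles` is consumed and whether the role order is stable are outside this hunk (HostUsers starts before and ends after it), so it is worth confirming that a conflict is surfaced to operators, for example in a log line naming the roles involved.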
46 changes: 46 additions & 0 deletions lib/services/access_checker_test.go
@@ -526,3 +526,49 @@ func newKubeCluster(t *testing.T, name string, labels map[string]string) types.K
func sortKubeResourceSlice(resources []types.KubernetesResource) {
sort.Slice(resources, func(i, j int) bool { return resources[i].Name < resources[j].Name })
}

func TestAccessCheckerHostUsersShell(t *testing.T) {
anyLabels := types.Labels{"*": {"*"}}
expectedShell := "bash"
secondaryShell := "zsh"
localCluster := "cluster"

roleSet := NewRoleSet(
newRole(func(rv *types.RoleV6) {
rv.SetName("any")
rv.SetOptions(types.RoleOptions{
CreateHostUserDefaultShell: expectedShell,
CreateHostUserMode: types.CreateHostUserMode_HOST_USER_MODE_KEEP,
})
rv.SetNodeLabels(types.Allow, anyLabels)
}),
newRole(func(rv *types.RoleV6) {
rv.SetName("any")
rv.SetOptions(types.RoleOptions{
CreateHostUserDefaultShell: secondaryShell,
CreateHostUserMode: types.CreateHostUserMode_HOST_USER_MODE_KEEP,
})
rv.SetNodeLabels(types.Allow, anyLabels)
}),
)

accessInfo := &AccessInfo{
Roles: []string{"default-shell"},
}

accessChecker := NewAccessCheckerWithRoleSet(accessInfo, localCluster, roleSet)
hui, err := accessChecker.HostUsers(serverStub{})
require.NoError(t, err)

// the first value for shell encountered while checking roles should be used, which means
// secondaryShell should never be the result here
require.Equal(t, expectedShell, hui.Shell)
}

type serverStub struct {
types.Server
}

func (serverStub) GetKind() string {
return types.KindNode
}
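Review bot: Both roles in `TestAccessCheckerHostUsersShell` are named `any`, and `AccessInfo.Roles` lists `default-shell`, which matches neither, so the fixture does not distinguish the role that supplies `bash` from the one that supplies `zsh`. Distinct names, e.g. `rv.SetName("bash-shell")` and `rv.SetName("zsh-shell")` with `Roles: []string{"bash-shell", "zsh-shell"}`, would make a failure attributable and keep any per-role conflict reporting meaningful. The test also covers only the case where the first role sets a shell; a second case in which the first matching role leaves `CreateHostUserDefaultShell` empty would pin the fall-through that `cmp.Or` is there to provide. `serverStub` embeds a nil `types.Server`, so any method other than `GetKind` reached by `HostUsers` would panic rather than fail cleanly; a short comment on the type saying so would help.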
