SecurityContextConstraints: limit validation to provided groups.

php-coder · php-coder · commit abd601c5dabe · 2017-12-18T18:06:21.000+01:00
diff --git a/pkg/security/securitycontextconstraints/group/mustrunas.go b/pkg/security/securitycontextconstraints/group/mustrunas.go
@@ -30,13 +30,13 @@ func NewMustRunAs(ranges []securityapi.IDRange, field string) (GroupSecurityCont
 
 // Generate creates the group based on policy rules.  By default this returns the first group of the
 // first range (min val).
-func (s *mustRunAs) Generate(pod *api.Pod) ([]int64, error) {
+func (s *mustRunAs) Generate(_ *api.Pod) ([]int64, error) {
 	return []int64{s.ranges[0].Min}, nil
 }
 
 // Generate a single value to be applied.  This is used for FSGroup.  This strategy will return
 // the first group of the first range (min val).
-func (s *mustRunAs) GenerateSingle(pod *api.Pod) (*int64, error) {
+func (s *mustRunAs) GenerateSingle(_ *api.Pod) (*int64, error) {
 	single := new(int64)
 	*single = s.ranges[0].Min
 	return single, nil
@@ -45,14 +45,9 @@ func (s *mustRunAs) GenerateSingle(pod *api.Pod) (*int64, error) {
 // Validate ensures that the specified values fall within the range of the strategy.
 // Groups are passed in here to allow this strategy to support multiple group fields (fsgroup and
 // supplemental groups).
-func (s *mustRunAs) Validate(pod *api.Pod, groups []int64) field.ErrorList {
+func (s *mustRunAs) Validate(_ *api.Pod, groups []int64) field.ErrorList {
 	allErrs := field.ErrorList{}
 
-	if pod.Spec.SecurityContext == nil {
-		allErrs = append(allErrs, field.Invalid(field.NewPath("securityContext"), pod.Spec.SecurityContext, "unable to validate nil security context"))
-		return allErrs
-	}
-
 	if len(groups) == 0 && len(s.ranges) > 0 {
 		allErrs = append(allErrs, field.Invalid(field.NewPath(s.field), groups, "unable to validate empty groups against required ranges"))
 	}
diff --git a/pkg/security/securitycontextconstraints/group/mustrunas_test.go b/pkg/security/securitycontextconstraints/group/mustrunas_test.go
@@ -94,66 +94,51 @@ func TestGenerate(t *testing.T) {
 }
 
 func TestValidate(t *testing.T) {
-	validPod := func() *api.Pod {
-		return &api.Pod{
-			Spec: api.PodSpec{
-				SecurityContext: &api.PodSecurityContext{},
-			},
-		}
-	}
-
 	tests := map[string]struct {
 		ranges []securityapi.IDRange
 		pod    *api.Pod
 		groups []int64
 		pass   bool
 	}{
 		"nil security context": {
-			pod: &api.Pod{},
 			ranges: []securityapi.IDRange{
 				{Min: 1, Max: 3},
 			},
 		},
 		"empty groups": {
-			pod: validPod(),
 			ranges: []securityapi.IDRange{
 				{Min: 1, Max: 3},
 			},
 		},
 		"not in range": {
-			pod:    validPod(),
 			groups: []int64{5},
 			ranges: []securityapi.IDRange{
 				{Min: 1, Max: 3},
 				{Min: 4, Max: 4},
 			},
 		},
 		"in range 1": {
-			pod:    validPod(),
 			groups: []int64{2},
 			ranges: []securityapi.IDRange{
 				{Min: 1, Max: 3},
 			},
 			pass: true,
 		},
 		"in range boundry min": {
-			pod:    validPod(),
 			groups: []int64{1},
 			ranges: []securityapi.IDRange{
 				{Min: 1, Max: 3},
 			},
 			pass: true,
 		},
 		"in range boundry max": {
-			pod:    validPod(),
 			groups: []int64{3},
 			ranges: []securityapi.IDRange{
 				{Min: 1, Max: 3},
 			},
 			pass: true,
 		},
 		"singular range": {
-			pod:    validPod(),
 			groups: []int64{4},
 			ranges: []securityapi.IDRange{
 				{Min: 4, Max: 4},
@@ -167,7 +152,7 @@ func TestValidate(t *testing.T) {
 		if err != nil {
 			t.Errorf("error creating strategy for %s: %v", k, err)
 		}
-		errs := s.Validate(v.pod, v.groups)
+		errs := s.Validate(nil, v.groups)
 		if v.pass && len(errs) > 0 {
 			t.Errorf("unexpected errors for %s: %v", k, errs)
 		}
diff --git a/pkg/security/securitycontextconstraints/group/runasany.go b/pkg/security/securitycontextconstraints/group/runasany.go
@@ -17,17 +17,17 @@ func NewRunAsAny() (GroupSecurityContextConstraintsStrategy, error) {
 }
 
 // Generate creates the group based on policy rules.  This strategy returns an empty slice.
-func (s *runAsAny) Generate(pod *api.Pod) ([]int64, error) {
+func (s *runAsAny) Generate(_ *api.Pod) ([]int64, error) {
 	return nil, nil
 }
 
 // Generate a single value to be applied.  This is used for FSGroup.  This strategy returns nil.
-func (s *runAsAny) GenerateSingle(pod *api.Pod) (*int64, error) {
+func (s *runAsAny) GenerateSingle(_ *api.Pod) (*int64, error) {
 	return nil, nil
 }
 
 // Validate ensures that the specified values fall within the range of the strategy.
-func (s *runAsAny) Validate(pod *api.Pod, groups []int64) field.ErrorList {
+func (s *runAsAny) Validate(_ *api.Pod, groups []int64) field.ErrorList {
 	return field.ErrorList{}
 
 }

Original file line number	Diff line number	Diff line change
`@@ -17,17 +17,17 @@ func NewRunAsAny() (GroupSecurityContextConstraintsStrategy, error) {`
`17`	`17`	`}`
`18`	`18`
`19`	`19`	`// Generate creates the group based on policy rules. This strategy returns an empty slice.`
`20`		`-func (s runAsAny) Generate(pod api.Pod) ([]int64, error) {`
	`20`	`+func (s runAsAny) Generate(_ api.Pod) ([]int64, error) {`
`21`	`21`	`return nil, nil`
`22`	`22`	`}`
`23`	`23`
`24`	`24`	`// Generate a single value to be applied. This is used for FSGroup. This strategy returns nil.`
`25`		`-func (s runAsAny) GenerateSingle(pod api.Pod) (*int64, error) {`
	`25`	`+func (s runAsAny) GenerateSingle(_ api.Pod) (*int64, error) {`
`26`	`26`	`return nil, nil`
`27`	`27`	`}`
`28`	`28`
`29`	`29`	`// Validate ensures that the specified values fall within the range of the strategy.`
`30`		`-func (s runAsAny) Validate(pod api.Pod, groups []int64) field.ErrorList {`
	`30`	`+func (s runAsAny) Validate(_ api.Pod, groups []int64) field.ErrorList {`
`31`	`31`	`return field.ErrorList{}`
`32`	`32`
`33`	`33`	`}`