arrikto · Jason-CKY · Mar 6, 2023
diff --git a/README.md b/README.md
@@ -148,7 +148,7 @@ settings are related to authorization:
 
 | Setting | Default | Description |
 | - | - | - |
-| `GROUPS_ALLOWLIST` | "*" | List of groups that are allowed to pass authorization. By default, all groups are allowed. If you change this option, you may want to include the `system:serviceaccounts` group explicitly, if you need the AuthService to accept ServiceAccountTokens. |
+| `GROUPS_ALLOWLIST` | "*" | List of groups that are allowed to pass authorization. By default, all groups are allowed. If you change this option, you may want to include the `system:serviceaccounts` group explicitly, if you need the AuthService to accept ServiceAccountTokens. Supports wildcard matching. |
 | `EXTERNAL_AUTHZ_URL` | "" | Use an external authorization service. This option is disabled by default, to enable set the value to the target external authorization service (e.g. `EXTERNAL_AUTHZ_URL=http://authorizer/auth`). If you have enabled this option then for a request to be authorized, **both** the group and the external authorization service will have to allow the request. |
 
 ## Usage

diff --git a/authorizer_groups.go b/authorizer_groups.go
@@ -3,6 +3,7 @@ package main
 import (
 	"fmt"
 	"net/http"
+	"regexp"
 	"strings"
 
 	"k8s.io/apiserver/pkg/authentication/user"
@@ -20,30 +21,60 @@ type Authorizer interface {
 }
 
 type groupsAuthorizer struct {
-	allowed map[string]bool
+	allowAll  bool
+	allowlist []string
+}
+
+// wildCardToRegexp converts a wildcard pattern to a regular expression pattern.
+func wildCardToRegexp(pattern string) string {
+	components := strings.Split(pattern, "*")
+	if len(components) == 1 {
+		// if len is 1, there are no *'s, return exact match pattern
+		return "^" + pattern + "$"
+	}
+	var result strings.Builder
+	for i, literal := range components {
+
+		// Replace * with .*
+		if i > 0 {
+			result.WriteString(".*")
+		}
+
+		// Quote any regular expression meta characters in the
+		// literal text.
+		result.WriteString(regexp.QuoteMeta(literal))
+	}
+	return "^" + result.String() + "$"
+}
+
+func match(pattern string, value string) bool {
+	result, _ := regexp.MatchString(wildCardToRegexp(pattern), value)
+	return result
 }
 
 func newGroupsAuthorizer(allowlist []string) Authorizer {
-	allowed := map[string]bool{}
+	allowAll := false
 	for _, g := range allowlist {
 		if g == wildcardMatcher {
-			allowed = map[string]bool{g: true}
+			allowAll = true
 			break
 		}
-		allowed[g] = true
 	}
 	return &groupsAuthorizer{
-		allowed: allowed,
+		allowAll:  allowAll,
+		allowlist: allowlist,
 	}
 }
 
 func (ga *groupsAuthorizer) Authorize(r *http.Request, userinfo user.Info) (bool, string, error) {
-	if ga.allowed[wildcardMatcher] {
+	if ga.allowAll {
 		return true, "", nil
 	}
-	for _, g := range userinfo.GetGroups() {
-		if ga.allowed[g] {
-			return true, "", nil
+	for _, group := range userinfo.GetGroups() {
+		for _, allowedGroupPattern := range ga.allowlist {
+			if match(allowedGroupPattern, group) {
+				return true, "", nil
+			}
 		}
 	}
 	reason := fmt.Sprintf("User's groups ([%s]) are not in allowlist.",

diff --git a/authorizer_groups_test.go b/authorizer_groups_test.go
@@ -38,6 +38,96 @@ func TestGroupsAuthorizer(t *testing.T) {
 			userGroups: []string{"d", "e"},
 			allowed:    false,
 		},
+		{
+			name:       "user groups in allowlist wildcard prefix 1",
+			allowlist:  []string{"agroup*"},
+			userGroups: []string{"agroup"},
+			allowed:    true,
+		},
+		{
+			name:       "user groups in allowlist wildcard prefix 2",
+			allowlist:  []string{"agroup*"},
+			userGroups: []string{"agroup-any-character"},
+			allowed:    true,
+		},
+		{
+			name:       "user groups not in allowlist wildcard prefix 1",
+			allowlist:  []string{"agroup*"},
+			userGroups: []string{"any-character-agroup-any-character"},
+			allowed:    false,
+		},
+		{
+			name:       "user groups not in allowlist wildcard prefix 2",
+			allowlist:  []string{"agroup*"},
+			userGroups: []string{"any-character-agroup"},
+			allowed:    false,
+		},
+		{
+			name:       "user groups in allowlist wildcard suffix 1",
+			allowlist:  []string{"*agroup"},
+			userGroups: []string{"agroup"},
+			allowed:    true,
+		},
+		{
+			name:       "user groups in allowlist wildcard suffix 2",
+			allowlist:  []string{"*agroup"},
+			userGroups: []string{"any-character-agroup"},
+			allowed:    true,
+		},
+		{
+			name:       "user groups not in allowlist wildcard suffix 1",
+			allowlist:  []string{"*agroup"},
+			userGroups: []string{"agroup-any-character"},
+			allowed:    false,
+		},
+		{
+			name:       "user groups not in allowlist wildcard suffix 2",
+			allowlist:  []string{"agroup*"},
+			userGroups: []string{"any-character-agroup-any-character"},
+			allowed:    false,
+		},
+		{
+			name:       "user groups in allowlist wildcard match 1",
+			allowlist:  []string{"*agroup*"},
+			userGroups: []string{"agroup"},
+			allowed:    true,
+		},
+		{
+			name:       "user groups in allowlist wildcard match 2",
+			allowlist:  []string{"*agroup*"},
+			userGroups: []string{"agroup-any-character"},
+			allowed:    true,
+		},
+		{
+			name:       "user groups in allowlist wildcard match 3",
+			allowlist:  []string{"*agroup*"},
+			userGroups: []string{"any-character-agroup"},
+			allowed:    true,
+		},
+		{
+			name:       "user groups in allowlist wildcard match 4",
+			allowlist:  []string{"*agroup*"},
+			userGroups: []string{"any-character-agroup-any-character"},
+			allowed:    true,
+		},
+		{
+			name:       "user groups in allowlist wildcard match 5",
+			allowlist:  []string{"group/*/test"},
+			userGroups: []string{"group/2/test"},
+			allowed:    true,
+		},
+		{
+			name:       "user groups not in allowlist wildcard match 1",
+			allowlist:  []string{"group/*/test"},
+			userGroups: []string{"group/test"},
+			allowed:    false,
+		},
+		{
+			name:       "user groups not in allowlist wildcard match 2",
+			allowlist:  []string{"*agroup*"},
+			userGroups: []string{"any-character"},
+			allowed:    false,
+		},
 	}
 
 	for _, test := range tests {

diff --git a/main.go b/main.go
@@ -113,7 +113,7 @@ func main() {
 		log.Fatalf("Error getting K8s config: %v", err)
 	} else if err != nil {
 		// If Kubernetes authenticator is disabled, ignore the error.
-		log.Debugf("Error getting K8s config: %v. " +
+		log.Debugf("Error getting K8s config: %v. "+
 			"Kubernetes authenticator is disabled, skipping ...", err)
 	} else {
 		k8sAuthenticator, err = authenticators.NewKubernetesAuthenticator(
@@ -122,7 +122,7 @@ func main() {
 			log.Fatalf("Error creating K8s authenticator: %v", err)
 		} else if err != nil {
 			// If Kubernetes authenticator is disabled, ignore the error.
-			log.Debugf("Error creating K8s authenticator:: %v. " +
+			log.Debugf("Error creating K8s authenticator:: %v. "+
 				"Kubernetes authenticator is disabled, skipping ...", err)
 		}
 	}