From f8d98a477c22a51320d5aee8ec156cbfa60d4436 Mon Sep 17 00:00:00 2001
From: Doug Fawley
Date: Fri, 16 Aug 2024 15:03:58 -0700
Subject: [PATCH] rbac: fix usage of AuthInfo (#7522)
---
 internal/xds/rbac/rbac_engine.go | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)
diff --git a/internal/xds/rbac/rbac_engine.go b/internal/xds/rbac/rbac_engine.go
index 33011726a6f6..344052cb04fd 100644
--- a/internal/xds/rbac/rbac_engine.go
+++ b/internal/xds/rbac/rbac_engine.go
@@ -237,12 +237,9 @@ func newRPCData(ctx context.Context) (*rpcData, error) {
 var authType string
 var peerCertificates []*x509.Certificate
- if pi.AuthInfo != nil {
- tlsInfo, ok := pi.AuthInfo.(credentials.TLSInfo)
- if ok {
- authType = pi.AuthInfo.AuthType()
- peerCertificates = tlsInfo.State.PeerCertificates
- }
+ if tlsInfo, ok := pi.AuthInfo.(credentials.TLSInfo); ok {
+ authType = pi.AuthInfo.AuthType()
+ peerCertificates = tlsInfo.State.PeerCertificates
 }
 return &rpcData{
@@ -281,11 +278,12 @@ func (e *engine) doAuditLogging(rpcData *rpcData, rule string, authorized bool)
 // In the RBAC world, we need to have a SPIFFE ID as the principal for this
 // to be meaningful
 principal := ""
- if rpcData.peerInfo != nil && rpcData.peerInfo.AuthInfo != nil && rpcData.peerInfo.AuthInfo.AuthType() == "tls" {
+ if rpcData.peerInfo != nil {
 // If AuthType = tls, then we can cast AuthInfo to TLSInfo.
- tlsInfo := rpcData.peerInfo.AuthInfo.(credentials.TLSInfo)
- if tlsInfo.SPIFFEID != nil {
- principal = tlsInfo.SPIFFEID.String()
+ if tlsInfo, ok := rpcData.peerInfo.AuthInfo.(credentials.TLSInfo); ok {
+ if tlsInfo.SPIFFEID != nil {
+ principal = tlsInfo.SPIFFEID.String()
+ }
 }
 }
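Review bot: The assertion `pi.AuthInfo.(credentials.TLSInfo)` in newRPCData matches only the value type, so a peer whose AuthInfo is a pointer to TLSInfo, or a credential type that wraps it, falls through with `authType` empty and `peerCertificates` nil, and nothing in the hunk records that this is intended. If the engine's principal matchers read those fields (not visible here), such a peer is evaluated as having no certificate identity; that matters most for DENY policies keyed on a principal, where a non-match lets the call proceed. A comment above the `if` would make the contract explicit, for example `// Only credentials.TLSInfo (by value) yields an auth type and peer certs; any other AuthInfo is treated as unauthenticated.` The function body starts and ends outside the hunk.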
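Review bot: The retained comment `// If AuthType = tls, then we can cast AuthInfo to TLSInfo.` in doAuditLogging no longer describes the code, because the AuthType comparison is gone and the checked assertion is now the only gate. Suggest replacing it with `// Only TLSInfo carries a SPIFFE ID; for any other AuthInfo the principal stays empty.` so that whoever reads the audit output knows an empty principal can mean a non-TLS or non-SPIFFE peer. The two nested conditions could also be written as one, `if tlsInfo, ok := rpcData.peerInfo.AuthInfo.(credentials.TLSInfo); ok && tlsInfo.SPIFFEID != nil {`. The function body continues outside the hunk.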