fix(frontend): require podnamespace for pod logs when authz is enabled (#12778)

Signed-off-by: Jeff Spahr <[email protected]>

Author: jeffspahr

frontend/server/app.test.ts

@@ -495,6 +495,13 @@ describe('UIServer apis', () => {
         .get('/k8s/pod/logs?podname=test-pod&podnamespace=test-ns')
         .expect(403, 'Access denied to namespace');
     });
+
+    it('asks for podnamespace if not provided when authorization is enabled', async () => {
+      const authRequest = requests(app.app);
+      await authRequest
+        .get('/k8s/pod/logs?podname=test-pod')
+        .expect(422, 'podnamespace argument is required');
+    });
   });
 
   describe('/apis/v1beta1/', () => {

frontend/server/app.ts

@@ -202,7 +202,13 @@ function createUIServer(options: UIConfigs) {
     registerHandler(
       app.get,
       '/k8s/pod/logs',
-      getPodLogsHandler(options.argo, options.artifacts, options.pod.logContainerName, authorizeFn),
+      getPodLogsHandler(
+        options.argo,
+        options.artifacts,
+        options.pod.logContainerName,
+        authorizeFn,
+        options.auth.enabled,
+      ),
     );
   }
 
@@ -228,7 +234,13 @@ function createUIServer(options: UIConfigs) {
     registerHandler(
       app.get,
       '/k8s/pod/logs',
-      getPodLogsHandler(options.argo, options.artifacts, options.pod.logContainerName, authorizeFn),
+      getPodLogsHandler(
+        options.argo,
+        options.artifacts,
+        options.pod.logContainerName,
+        authorizeFn,
+        options.auth.enabled,
+      ),
     );
   }
 

frontend/server/handlers/pod-logs.ts

@@ -36,6 +36,7 @@ import { AuthorizeFn } from '../helpers/auth.js';
  * @param argoOptions fallback options to retrieve log archive
  * @param artifactsOptions configs and credentials for the different artifact backend
  * @param authorizeFn function to authorize namespace access
+ * @param authEnabled whether namespace authorization checks are enabled
  */
 export function getPodLogsHandler(
   argoOptions: ArgoConfigs,
@@ -45,6 +46,7 @@ export function getPodLogsHandler(
   },
   podLogContainerName: string,
   authorizeFn: AuthorizeFn,
+  authEnabled: boolean,
 ): Handler {
   const {
     archiveLogs,
@@ -89,6 +91,12 @@ export function getPodLogsHandler(
     // Note decodeURIComponent(undefined) === 'undefined', so I cannot pass the argument directly.
     const podNamespace = decodeURIComponent((req.query.podnamespace as string) || '') || undefined;
 
+    // In multi-user mode, namespace must be explicit so authz cannot be bypassed.
+    if (authEnabled && !podNamespace) {
+      res.status(422).send('podnamespace argument is required');
+      return;
+    }
+
     // Check access to namespace if podNamespace is provided
     if (podNamespace) {
       try {