Merge pull request #47575 from justinsb/fix_36902

Automatic merge from submit-queue (batch tested with PRs 47915, 47856, 44086, 47575, 47475) AWS: Fix suspicious loop comparing permissions Because we only ever call it with a single UserId/GroupId, this would not have been a problem in practice, but this fixes the code. Fix #36902 ```release-note NONE ```
2026-04-22 06:39:18 -04:00 · 2017-06-23 04:06:25 -07:00 · 2017-06-23 04:06:25 -07:00 · aaa5b2b642
commit aaa5b2b642
parent b1ac562918 737607ba6b
2 changed files with 20 additions and 3 deletions
--- a/pkg/cloudprovider/providers/aws/aws.go
+++ b/pkg/cloudprovider/providers/aws/aws.go
@ -2046,17 +2046,22 @@ func ipPermissionExists(newPermission, existing *ec2.IpPermission, compareGroupU
 				break
 			}
 		}
-		if found == false {
+		if !found {
 			return false
 		}
 	}
+
 	for _, leftPair := range newPermission.UserIdGroupPairs {
+		found := false
 		for _, rightPair := range existing.UserIdGroupPairs {
 			if isEqualUserGroupPair(leftPair, rightPair, compareGroupUserIDs) {
-				return true
+				found = true
+				break
 			}
 		}
-		return false
+		if !found {
+			return false
+		}
 	}

 	return true
--- a/pkg/cloudprovider/providers/aws/aws_test.go
+++ b/pkg/cloudprovider/providers/aws/aws_test.go
@ -879,6 +879,18 @@ func TestIpPermissionExistsHandlesMultipleGroupIds(t *testing.T) {
 	if equals {
 		t.Errorf("Should have not been considered equal since first is not in the second array of groups")
 	}
+
+	// The first pair matches, but the second does not
+	newIpPermission2 := ec2.IpPermission{
+		UserIdGroupPairs: []*ec2.UserIdGroupPair{
+			{GroupId: aws.String("firstGroupId")},
+			{GroupId: aws.String("fourthGroupId")},
+		},
+	}
+	equals = ipPermissionExists(&newIpPermission2, &oldIpPermission, false)
+	if equals {
+		t.Errorf("Should have not been considered equal since first is not in the second array of groups")
+	}
 }

 func TestIpPermissionExistsHandlesRangeSubsets(t *testing.T) {