package auth
import (
"context"
log "github.com/sirupsen/logrus"
authorizationv1 "k8s.io/api/authorization/v1"
"github.com/argoproj/argo/pkg/apis/workflow"
)
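// CanI asks the API server, via a SelfSubjectAccessReview, whether the caller
// identified by ctx may perform verb on the named workflow.Group resource in
// namespace. Per the Kubernetes API, an empty name asks about all objects of
// that resource rather than one specific object.
//
// The answer is review.Status.Allowed. A review the server could not create or
// evaluate is returned as (false, err), never as an allow.
func CanI(ctx context.Context, verb, resource, namespace, name string) (bool, error) {
	logCtx := log.WithFields(log.Fields{"verb": verb, "resource": resource, "namespace": namespace, "name": name})
	logCtx.Debug("CanI")
	// Use the same group constant the rules-based Authorizer matches against,
	// so the two authorization paths cannot drift apart.
	request := &authorizationv1.SelfSubjectAccessReview{
		Spec: authorizationv1.SelfSubjectAccessReviewSpec{
			ResourceAttributes: &authorizationv1.ResourceAttributes{
				Namespace: namespace,
				Verb:      verb,
				Group:     workflow.Group,
				Resource:  resource,
				Name:      name,
			},
		},
	}
	review, err := GetKubeClient(ctx).AuthorizationV1().SelfSubjectAccessReviews().Create(request)
	if err != nil {
		return false, err
	}
	logCtx.WithField("status", review.Status).Debug("CanI")
	return review.Status.Allowed, nil
}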
// Authorizer answers CanI questions for the caller identified by ctx. Instead
// of one access review per question, it fetches the caller's rules for a
// namespace once (SelfSubjectRulesReview) and evaluates later questions for
// that namespace locally.
type Authorizer struct {
	ctx context.Context
	// status caches the rules review result per namespace. It is a map, so the
	// cache is shared by every copy of the value receiver; nothing guards it, so
	// concurrent CanI calls on one Authorizer would race.
	// NOTE(review): presumably one Authorizer is built per request — confirm with callers.
	status map[string]authorizationv1.SubjectRulesReviewStatus
}
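// CanI reports whether the caller identified by a.ctx may perform verb on the
// named workflow.Group resource in namespace.
//
// The caller's rules for namespace are fetched once (SelfSubjectRulesReview)
// and cached in a.status; later calls for the same namespace evaluate the
// cached rules without another API round-trip. The map is shared across copies
// of the value receiver, so the cache survives the value-receiver call.
//
// The request is allowed when any cached resource rule grants it. If the
// server flagged the rule set as incomplete (for example an authorizer that
// cannot enumerate rules), "no rule matched" is not evidence of a deny, so the
// authoritative SelfSubjectAccessReview path (CanI) is consulted instead.
// Any API error is returned as (false, err).
func (a Authorizer) CanI(verb, resource, namespace, name string) (bool, error) {
	logCtx := log.WithFields(log.Fields{"verb": verb, "resource": resource, "namespace": namespace, "name": name})
	status, cached := a.status[namespace]
	if !cached {
		review, err := GetKubeClient(a.ctx).AuthorizationV1().SelfSubjectRulesReviews().Create(
			&authorizationv1.SelfSubjectRulesReview{Spec: authorizationv1.SelfSubjectRulesReviewSpec{Namespace: namespace}},
		)
		if err != nil {
			return false, err
		}
		status = review.Status
		a.status[namespace] = status
	}
	for _, rule := range status.ResourceRules {
		if ruleGrants(rule, verb, resource, name) {
			logCtx.WithFields(log.Fields{"rule": rule, "allowed": true}).Debug("CanI")
			return true, nil
		}
	}
	if status.Incomplete {
		// The rules review did not enumerate every grant, so a non-match must
		// not be treated as a deny. Ask the server directly instead.
		logCtx.WithField("evaluationError", status.EvaluationError).Debug("rules review incomplete, falling back to SelfSubjectAccessReview")
		return CanI(a.ctx, verb, resource, namespace, name)
	}
	logCtx.WithField("allowed", false).Debug("CanI")
	return false, nil
}

// ruleGrants reports whether a single resource rule permits verb on the named
// workflow.Group resource. Verbs, resources and API groups must be listed
// explicitly or as "*": an empty list on those fields matches nothing, so a
// malformed rule fails closed rather than granting everything. Only
// ResourceNames treats an empty list as "every name", which is what an unset
// ResourceNames means in RBAC.
func ruleGrants(rule authorizationv1.ResourceRule, verb, resource, name string) bool {
	return matchesExplicit(rule.Verbs, verb) &&
		matchesExplicit(rule.Resources, resource) &&
		matchesExplicit(rule.APIGroups, workflow.Group) &&
		allowed(rule.ResourceNames, name)
}

// matchesExplicit reports whether values lists value or the "*" wildcard.
// Unlike allowed, an empty list never matches.
func matchesExplicit(values []string, value string) bool {
	return contains(values, "*") || contains(values, value)
}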
// NewAuthorizer returns an Authorizer that answers CanI questions for the
// caller identified by ctx, starting with an empty per-namespace rules cache.
func NewAuthorizer(ctx context.Context) *Authorizer {
	cache := make(map[string]authorizationv1.SubjectRulesReviewStatus)
	return &Authorizer{ctx: ctx, status: cache}
}
// allowed reports whether value is permitted by the list values: either the
// list is empty, or it contains the "*" wildcard, or it contains value.
//
// The empty-means-everything rule is the RBAC meaning of an unset
// ResourceNames list; callers matching fields that must be listed explicitly
// (verbs, resources, API groups) should not rely on it, because it fails open.
func allowed(values []string, value string) bool {
	if len(values) == 0 {
		return true
	}
	for _, candidate := range values {
		if candidate == "*" || candidate == value {
			return true
		}
	}
	return false
}
// contains reports whether value appears in values by exact string comparison.
// A nil or empty slice never contains anything.
func contains(values []string, value string) bool {
	for i := range values {
		if values[i] == value {
			return true
		}
	}
	return false
}