forked from openshift/origin
-
Notifications
You must be signed in to change notification settings - Fork 1
/
grouplister.go
223 lines (185 loc) · 6.64 KB
/
grouplister.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
package syncgroups
import (
"fmt"
"net"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/labels"
"k8s.io/apimachinery/pkg/util/sets"
"github.com/openshift/origin/pkg/oauthserver/ldaputil"
"github.com/openshift/origin/pkg/oc/admin/groups/sync/interfaces"
ouserapi "github.com/openshift/origin/pkg/user/apis/user"
usertypedclient "github.com/openshift/origin/pkg/user/generated/internalclientset/typed/user/internalversion"
)
// NewAllOpenShiftGroupLister returns a new allOpenShiftGroupLister
func NewAllOpenShiftGroupLister(blacklist []string, ldapURL string, groupClient usertypedclient.GroupInterface) interfaces.LDAPGroupListerNameMapper {
return &allOpenShiftGroupLister{
blacklist: sets.NewString(blacklist...),
client: groupClient,
ldapURL: ldapURL,
ldapGroupUIDToOpenShiftGroupName: map[string]string{},
}
}
// allOpenShiftGroupLister lists unique identifiers for LDAP lookup of all local OpenShift Groups that
// have been marked with an LDAP URL annotation as a result of a previous sync.
type allOpenShiftGroupLister struct {
blacklist sets.String
client usertypedclient.GroupInterface
ldapURL string
ldapGroupUIDToOpenShiftGroupName map[string]string
}
func (l *allOpenShiftGroupLister) ListGroups() ([]string, error) {
host, _, err := net.SplitHostPort(l.ldapURL)
if err != nil {
return nil, err
}
hostSelector := labels.Set(map[string]string{ldaputil.LDAPHostLabel: host}).AsSelector()
allGroups, err := l.client.List(metav1.ListOptions{LabelSelector: hostSelector.String()})
if err != nil {
return nil, err
}
var ldapGroupUIDs []string
for _, group := range allGroups.Items {
if l.blacklist.Has(group.Name) {
continue
}
matches, err := validateGroupAnnotations(l.ldapURL, group)
if err != nil {
return nil, err
}
if !matches {
continue
}
ldapGroupUID := group.Annotations[ldaputil.LDAPUIDAnnotation]
l.ldapGroupUIDToOpenShiftGroupName[ldapGroupUID] = group.Name
ldapGroupUIDs = append(ldapGroupUIDs, ldapGroupUID)
}
return ldapGroupUIDs, nil
}
func (l *allOpenShiftGroupLister) GroupNameFor(ldapGroupUID string) (string, error) {
// we probabably haven't been initialized. This would be really weird
if len(l.ldapGroupUIDToOpenShiftGroupName) == 0 {
_, err := l.ListGroups()
if err != nil {
return "", err
}
}
openshiftGroupName, exists := l.ldapGroupUIDToOpenShiftGroupName[ldapGroupUID]
if !exists {
return "", fmt.Errorf("no mapping found for %q", ldapGroupUID)
}
return openshiftGroupName, nil
}
// validateGroupAnnotations determines if the group matches and errors if the annotations are missing
func validateGroupAnnotations(ldapURL string, group ouserapi.Group) (bool, error) {
if actualURL, exists := group.Annotations[ldaputil.LDAPURLAnnotation]; !exists {
return false, fmt.Errorf("group %q marked as having been synced did not have an %s annotation", group.Name, ldaputil.LDAPURLAnnotation)
} else if actualURL != ldapURL {
return false, nil
}
if _, exists := group.Annotations[ldaputil.LDAPUIDAnnotation]; !exists {
return false, fmt.Errorf("group %q marked as having been synced did not have an %s annotation", group.Name, ldaputil.LDAPUIDAnnotation)
}
return true, nil
}
// NewOpenShiftGroupLister returns a new openshiftGroupLister that divulges the LDAP group unique identifier for
// each entry in the given whitelist of OpenShift Group names
func NewOpenShiftGroupLister(whitelist, blacklist []string, ldapURL string, client usertypedclient.GroupInterface) interfaces.LDAPGroupListerNameMapper {
return &openshiftGroupLister{
whitelist: whitelist,
blacklist: sets.NewString(blacklist...),
client: client,
ldapURL: ldapURL,
ldapGroupUIDToOpenShiftGroupName: map[string]string{},
}
}
// openshiftGroupLister lists unique identifiers for LDAP lookup of all local OpenShift groups that have
// been given to it upon creation.
type openshiftGroupLister struct {
whitelist []string
blacklist sets.String
client usertypedclient.GroupInterface
ldapURL string
ldapGroupUIDToOpenShiftGroupName map[string]string
}
func (l *openshiftGroupLister) ListGroups() ([]string, error) {
var groups []ouserapi.Group
for _, name := range l.whitelist {
if l.blacklist.Has(name) {
continue
}
group, err := l.client.Get(name, metav1.GetOptions{})
if err != nil {
return nil, err
}
groups = append(groups, *group)
}
var ldapGroupUIDs []string
for _, group := range groups {
matches, err := validateGroupAnnotations(l.ldapURL, group)
if err != nil {
return nil, err
}
if !matches {
return nil, fmt.Errorf("group %q was not synchronized from: %s", group.Name, l.ldapURL)
}
ldapGroupUID := group.Annotations[ldaputil.LDAPUIDAnnotation]
l.ldapGroupUIDToOpenShiftGroupName[ldapGroupUID] = group.Name
ldapGroupUIDs = append(ldapGroupUIDs, ldapGroupUID)
}
return ldapGroupUIDs, nil
}
func (l *openshiftGroupLister) GroupNameFor(ldapGroupUID string) (string, error) {
// we probabably haven't been initialized. This would be really weird
if len(l.ldapGroupUIDToOpenShiftGroupName) == 0 {
_, err := l.ListGroups()
if err != nil {
return "", err
}
}
openshiftGroupName, exists := l.ldapGroupUIDToOpenShiftGroupName[ldapGroupUID]
if !exists {
return "", fmt.Errorf("no mapping found for %q", ldapGroupUID)
}
return openshiftGroupName, nil
}
// NewLDAPWhitelistGroupLister returns a new whitelistLDAPGroupLister that divulges the given whitelist
// of LDAP group unique identifiers
func NewLDAPWhitelistGroupLister(whitelist []string) interfaces.LDAPGroupLister {
return &whitelistLDAPGroupLister{
ldapGroupUIDs: whitelist,
}
}
// LDAPGroupLister lists LDAP groups unique group identifiers given to it upon creation.
type whitelistLDAPGroupLister struct {
ldapGroupUIDs []string
}
func (l *whitelistLDAPGroupLister) ListGroups() ([]string, error) {
return l.ldapGroupUIDs, nil
}
// NewLDAPBlacklistGroupLister filters out the blacklisted names from the base lister
func NewLDAPBlacklistGroupLister(blacklist []string, baseLister interfaces.LDAPGroupLister) interfaces.LDAPGroupLister {
return &blacklistLDAPGroupLister{
blacklist: sets.NewString(blacklist...),
baseLister: baseLister,
}
}
// LDAPGroupLister lists LDAP groups unique group identifiers given to it upon creation.
type blacklistLDAPGroupLister struct {
blacklist sets.String
baseLister interfaces.LDAPGroupLister
}
func (l *blacklistLDAPGroupLister) ListGroups() ([]string, error) {
allNames, err := l.baseLister.ListGroups()
if err != nil {
return nil, err
}
// iterate through instead of "Difference" to preserve ordering
ret := []string{}
for _, name := range allNames {
if l.blacklist.Has(name) {
continue
}
ret = append(ret, name)
}
return ret, nil
}