-
Notifications
You must be signed in to change notification settings - Fork 0
/
sar.go
96 lines (83 loc) · 2.89 KB
/
sar.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
package sar
import (
"net/http"
"github.com/rancher/rancher/pkg/clustermanager"
"github.com/rancher/rancher/pkg/clusterrouter"
"github.com/rancher/types/config"
"github.com/sirupsen/logrus"
authV1 "k8s.io/api/authorization/v1"
)
// SubjectAccessReview checks if a user can impersonate as another user or group
type SubjectAccessReview interface {
// UserCanImpersonateUser checks if user can impersonate as impUser
UserCanImpersonateUser(req *http.Request, user, impUser string) (bool, error)
// UserCanImpersonateGroups checks if user can impersonate as the groups
UserCanImpersonateGroups(req *http.Request, user string, groups []string) (bool, error)
}
type subjectAccessReview struct {
clusterManager *clustermanager.Manager
}
func NewSubjectAccessReview(clusterManager *clustermanager.Manager) SubjectAccessReview {
return subjectAccessReview{
clusterManager: clusterManager,
}
}
func (sar subjectAccessReview) UserCanImpersonateUser(req *http.Request, user, impUser string) (bool, error) {
userContext, err := sar.getUserContextFromRequest(req)
if err != nil {
return false, err
}
return sar.checkUserCanImpersonateUser(userContext, user, impUser)
}
func (sar subjectAccessReview) UserCanImpersonateGroups(req *http.Request, user string, groups []string) (bool, error) {
userContext, err := sar.getUserContextFromRequest(req)
if err != nil {
return false, err
}
return sar.checkUserCanImpersonateGroup(userContext, user, groups)
}
func (sar subjectAccessReview) getUserContextFromRequest(req *http.Request) (*config.UserContext, error) {
clusterID := clusterrouter.GetClusterID(req)
return sar.clusterManager.UserContext(clusterID)
}
func (sar subjectAccessReview) checkUserCanImpersonateUser(userContext *config.UserContext, user, impUser string) (bool, error) {
review := authV1.SubjectAccessReview{
Spec: authV1.SubjectAccessReviewSpec{
User: user,
ResourceAttributes: &authV1.ResourceAttributes{
Verb: "impersonate",
Resource: "users",
Name: impUser,
},
},
}
result, err := userContext.K8sClient.AuthorizationV1().SubjectAccessReviews().Create(&review)
if err != nil {
return false, err
}
logrus.Debugf("Impersonate check result: %v", result)
return result.Status.Allowed, nil
}
func (sar subjectAccessReview) checkUserCanImpersonateGroup(userContext *config.UserContext, user string, groups []string) (bool, error) {
for _, group := range groups {
review := authV1.SubjectAccessReview{
Spec: authV1.SubjectAccessReviewSpec{
User: user,
ResourceAttributes: &authV1.ResourceAttributes{
Verb: "impersonate",
Resource: "groups",
Name: group,
},
},
}
result, err := userContext.K8sClient.AuthorizationV1().SubjectAccessReviews().Create(&review)
if err != nil {
return false, err
}
logrus.Debugf("Impersonate check result: %v", result)
if !result.Status.Allowed {
return false, nil
}
}
return true, nil
}