-
Notifications
You must be signed in to change notification settings - Fork 0
/
store.go
169 lines (156 loc) · 5.66 KB
/
store.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
package multiclusterapp
import (
"context"
"fmt"
"strings"
"github.com/rancher/norman/httperror"
"github.com/rancher/norman/store/transform"
"github.com/rancher/norman/types"
"github.com/rancher/norman/types/convert"
"github.com/rancher/norman/types/values"
"github.com/rancher/rancher/pkg/auth/providers"
"github.com/rancher/rancher/pkg/auth/requests"
v3 "github.com/rancher/types/apis/management.cattle.io/v3"
client "github.com/rancher/types/client/management/v3"
"github.com/rancher/types/config"
"github.com/sirupsen/logrus"
apierrors "k8s.io/apimachinery/pkg/api/errors"
)
func SetMemberStore(ctx context.Context, schema *types.Schema, mgmt *config.ScaledContext) {
providers.Configure(ctx, mgmt)
userLister := mgmt.Management.Users("").Controller().Lister()
t := &transform.Store{
Store: schema.Store,
Transformer: func(apiContext *types.APIContext, schema *types.Schema, data map[string]interface{}, opt *types.QueryOptions) (map[string]interface{}, error) {
membersMapSlice, found := values.GetSlice(data, "members")
if !found {
return data, nil
}
for _, m := range membersMapSlice {
if userID, ok := m["userId"].(string); ok && userID != "" {
u, err := userLister.Get("", userID)
if err != nil {
logrus.Errorf("problem retrieving user for member %v from cache during member transformation: %v", data, err)
return data, nil
}
// filtering and keeping system user accounts out of the members list
for _, pid := range u.PrincipalIDs {
if strings.HasPrefix(pid, "system://") {
if opt != nil && opt.Options["ByID"] == "true" {
return nil, httperror.NewAPIError(httperror.NotFound, "resource not found")
}
return nil, nil
}
}
}
}
return data, nil
},
}
s := &Store{
Store: t,
auth: requests.NewAuthenticator(ctx, mgmt),
crtbLister: mgmt.Management.ClusterRoleTemplateBindings("").Controller().Lister(),
prtbLister: mgmt.Management.ProjectRoleTemplateBindings("").Controller().Lister(),
grbLister: mgmt.Management.GlobalRoleBindings("").Controller().Lister(),
grLister: mgmt.Management.GlobalRoles("").Controller().Lister(),
users: mgmt.Management.Users(""),
rtLister: mgmt.Management.RoleTemplates("").Controller().Lister(),
}
schema.Store = s
}
type Store struct {
types.Store
auth requests.Authenticator
crtbLister v3.ClusterRoleTemplateBindingLister
prtbLister v3.ProjectRoleTemplateBindingLister
grbLister v3.GlobalRoleBindingLister
grLister v3.GlobalRoleLister
users v3.UserInterface
rtLister v3.RoleTemplateLister
}
func (s *Store) Create(apiContext *types.APIContext, schema *types.Schema, data map[string]interface{}) (map[string]interface{}, error) {
if err := checkDuplicateTargets(data); err != nil {
return nil, err
}
data, err := s.setDisplayName(apiContext, schema, data)
if err != nil {
return nil, err
}
if err = s.ensureRolesNotDisabled(apiContext, data); err != nil {
return nil, err
}
return s.Store.Create(apiContext, schema, data)
}
func (s *Store) Update(apiContext *types.APIContext, schema *types.Schema, data map[string]interface{}, id string) (map[string]interface{}, error) {
data, err := s.setDisplayName(apiContext, schema, data)
if err != nil {
return nil, err
}
if err = s.ensureRolesNotDisabled(apiContext, data); err != nil {
return nil, err
}
return s.Store.Update(apiContext, schema, data, id)
}
func (s *Store) setDisplayName(apiContext *types.APIContext, schema *types.Schema, data map[string]interface{}) (map[string]interface{}, error) {
membersMapSlice, found := values.GetSlice(data, client.MultiClusterAppFieldMembers)
if !found {
return data, nil
}
token, err := s.auth.TokenFromRequest(apiContext.Request)
if err != nil {
return nil, err
}
if token.AuthProvider == providers.LocalProvider {
// getPrincipal if called, will be called on local auth provider, and will not find a user with external auth principal ID
// hence returning, since the only thing this method does is setting display name by getting it from the external auth provider.
return data, nil
}
for _, m := range membersMapSlice {
if principalID, ok := m[client.MemberFieldUserPrincipalID].(string); ok && principalID != "" && !strings.HasPrefix(principalID, "local://") {
princ, err := providers.GetPrincipal(principalID, *token)
if err != nil {
return nil, err
}
if princ.DisplayName != "" {
values.PutValue(m, princ.DisplayName, "displayName")
}
}
}
return data, nil
}
func (s *Store) ensureRolesNotDisabled(apiContext *types.APIContext, data map[string]interface{}) error {
roles := convert.ToStringSlice(data[client.MultiClusterAppFieldRoles])
if len(roles) == 0 {
return httperror.NewAPIError(httperror.InvalidBodyContent, "No roles provided")
}
for _, role := range roles {
rt, err := s.rtLister.Get("", role)
if err != nil {
if apierrors.IsNotFound(err) {
errMsg := fmt.Sprintf("Provided role %v does not exist", role)
return httperror.NewAPIError(httperror.InvalidBodyContent, errMsg)
}
return err
}
if rt.Locked {
errMsg := fmt.Sprintf("Cannot assigned locked role %v to multiclusterapp", role)
return httperror.NewAPIError(httperror.InvalidBodyContent, errMsg)
}
}
return nil
}
func checkDuplicateTargets(data map[string]interface{}) error {
targets, _ := values.GetSlice(data, "targets")
projectIds := map[string]bool{}
for _, target := range targets {
id := convert.ToString(values.GetValueN(target, "projectId"))
if id != "" {
if _, ok := projectIds[id]; ok {
return httperror.NewAPIError(httperror.InvalidBodyContent, fmt.Sprintf("duplicate projects in targets %s", id))
}
projectIds[id] = true
}
}
return nil
}