package adapter
import (
"strings"
kapi "k8s.io/kubernetes/pkg/api"
kauthorizer "k8s.io/kubernetes/pkg/auth/authorizer"
"k8s.io/kubernetes/pkg/auth/user"
oauthorizer "github.com/openshift/origin/pkg/authorization/authorizer"
)
// Compile-time check that AdapterAttributes (the value type) implements the
// Kubernetes authorizer.Attributes interface.
var _ kauthorizer.Attributes = AdapterAttributes{}

// AdapterAttributes wraps an Origin authorization action, together with the
// namespace and user it applies to, so that it can be handed to code expecting
// the Kubernetes authorizer.Attributes interface.
type AdapterAttributes struct {
	// namespace is returned as-is by GetNamespace.
	namespace string
	// user is returned as-is by GetUser.
	user user.Info
	// authorizationAttributes is the wrapped Origin action; most getters
	// delegate to it.
	authorizationAttributes oauthorizer.Action
}
// OriginAuthorizerAttributes converts Kubernetes authorizer attributes into an
// Origin context/action pair. The namespace and user are always copied from
// kattrs into a fresh context.
//
// When kattrs is an AdapterAttributes value (as produced by
// KubernetesAuthorizerAttributes), the wrapped Origin action is returned
// unchanged. Only the value type is matched by the assertion: a
// *AdapterAttributes, or any other implementation of the interface, takes the
// rebuild path instead.
//
// On the rebuild path the action is reconstructed from the getters on kattrs.
// The TODO in the literal notes that request attributes are not carried over,
// so the rebuilt action holds less information than an unwrapped one.
func OriginAuthorizerAttributes(kattrs kauthorizer.Attributes) (kapi.Context, oauthorizer.Action) {
	// Namespace and user travel in the context rather than in the action.
	reqCtx := kapi.WithUser(
		kapi.WithNamespace(kapi.NewContext(), kattrs.GetNamespace()),
		kattrs.GetUser(),
	)

	// Unwrap only our own concrete type; another implementation of the
	// interface is not assumed to carry an Origin action.
	if wrapped, isAdapter := kattrs.(AdapterAttributes); isAdapter {
		return reqCtx, wrapped.authorizationAttributes
	}

	rebuilt := &oauthorizer.DefaultAuthorizationAttributes{
		Verb:           kattrs.GetVerb(),
		APIGroup:       kattrs.GetAPIGroup(),
		APIVersion:     kattrs.GetAPIVersion(),
		Resource:       kattrs.GetResource(),
		ResourceName:   kattrs.GetName(),
		NonResourceURL: !kattrs.IsResourceRequest(),
		URL:            kattrs.GetPath(),
		// TODO: add to kube authorizer attributes
		// RequestAttributes interface{}
	}

	// A subresource is folded into the resource as "resource/subresource",
	// the same form AdapterAttributes.GetResource/GetSubresource split apart.
	if len(kattrs.GetSubresource()) > 0 {
		rebuilt.Resource = kattrs.GetResource() + "/" + kattrs.GetSubresource()
	}
	return reqCtx, rebuilt
}
// KubernetesAuthorizerAttributes wraps an Origin action, plus the namespace and
// user it is evaluated for, as Kubernetes authorizer attributes. Passing the
// result back to OriginAuthorizerAttributes recovers the original oattrs.
//
// No argument is validated here. A nil oattrs is stored as given and would
// panic once a getter that delegates to it is called.
func KubernetesAuthorizerAttributes(namespace string, user user.Info, oattrs oauthorizer.Action) kauthorizer.Attributes {
	adapted := AdapterAttributes{authorizationAttributes: oattrs}
	adapted.namespace = namespace
	adapted.user = user
	return adapted
}
// GetVerb satisfies the kubernetes authorizer.Attributes interface by
// returning the verb of the wrapped Origin action unchanged.
func (a AdapterAttributes) GetVerb() string {
	return a.authorizationAttributes.GetVerb()
}
// GetAPIGroup satisfies the kubernetes authorizer.Attributes interface by
// returning the API group of the wrapped Origin action unchanged.
func (a AdapterAttributes) GetAPIGroup() string {
	return a.authorizationAttributes.GetAPIGroup()
}
// GetAPIVersion satisfies the kubernetes authorizer.Attributes interface by
// returning the API version of the wrapped Origin action unchanged.
func (a AdapterAttributes) GetAPIVersion() string {
	return a.authorizationAttributes.GetAPIVersion()
}
// GetNamespace satisfies the kubernetes authorizer.Attributes interface.
// The namespace is the one stored on the adapter when it was built, not a
// value read from the wrapped Origin action (Origin takes it from the request
// context).
func (a AdapterAttributes) GetNamespace() string {
	return a.namespace
}
// GetName satisfies the kubernetes authorizer.Attributes interface by
// returning the resource name of the wrapped Origin action.
func (a AdapterAttributes) GetName() string {
	return a.authorizationAttributes.GetResourceName()
}
// GetSubresource satisfies the kubernetes authorizer.Attributes interface.
// It returns everything after the first "/" of the wrapped action's resource,
// or "" when the resource contains no "/". Only the first "/" splits, so a
// resource of the form "a/b/c" yields the subresource "b/c".
func (a AdapterAttributes) GetSubresource() string {
	full := a.authorizationAttributes.GetResource()
	slash := strings.Index(full, "/")
	if slash < 0 {
		return ""
	}
	return full[slash+1:]
}
// GetResource satisfies the kubernetes authorizer.Attributes interface.
// It returns the part of the wrapped action's resource before the first "/",
// or the whole resource when it contains no "/". The remainder is reported by
// GetSubresource.
func (a AdapterAttributes) GetResource() string {
	full := a.authorizationAttributes.GetResource()
	if slash := strings.Index(full, "/"); slash >= 0 {
		return full[:slash]
	}
	return full
}
// GetUser satisfies the kubernetes authorizer.Attributes interface.
// The user is the one stored on the adapter when it was built, not a value
// read from the wrapped Origin action (Origin takes it from the request
// context).
func (a AdapterAttributes) GetUser() user.Info {
	return a.user
}
// IsReadOnly satisfies the kubernetes authorizer.Attributes interface.
// A request counts as read-only only when its verb is exactly "get", "list"
// or "watch". The comparison is case-sensitive, and every other verb,
// including an empty one, is reported as not read-only.
func (a AdapterAttributes) IsReadOnly() bool {
	switch a.GetVerb() {
	case "get", "list", "watch":
		return true
	default:
		return false
	}
}
// IsResourceRequest satisfies the kubernetes authorizer.Attributes interface.
// It is the negation of the wrapped Origin action's IsNonResourceURL.
func (a AdapterAttributes) IsResourceRequest() bool {
	nonResource := a.authorizationAttributes.IsNonResourceURL()
	return !nonResource
}
// GetPath satisfies the kubernetes authorizer.Attributes interface by
// returning the URL of the wrapped Origin action unchanged.
func (a AdapterAttributes) GetPath() string {
	return a.authorizationAttributes.GetURL()
}