forked from openshift/origin
-
Notifications
You must be signed in to change notification settings - Fork 0
/
user_covers.go
63 lines (53 loc) · 2.51 KB
/
user_covers.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
package rulevalidation
import (
"fmt"
"sort"
"strings"
"github.com/golang/glog"
kapi "k8s.io/kubernetes/pkg/api"
kapierrors "k8s.io/kubernetes/pkg/api/errors"
"k8s.io/kubernetes/pkg/api/unversioned"
authorizationapi "github.com/openshift/origin/pkg/authorization/api"
authorizationinterfaces "github.com/openshift/origin/pkg/authorization/interfaces"
)
func ConfirmNoEscalation(ctx kapi.Context, resource unversioned.GroupResource, name string, ruleResolver AuthorizationRuleResolver, role authorizationinterfaces.Role) error {
ruleResolutionErrors := []error{}
ownerLocalRules, err := ruleResolver.GetEffectivePolicyRules(ctx)
if err != nil {
// do not fail in this case. Rules are purely additive, so we can continue with a coverage check based on the rules we have
user, _ := kapi.UserFrom(ctx)
glog.V(1).Infof("non-fatal error getting local rules for %v: %v", user, err)
ruleResolutionErrors = append(ruleResolutionErrors, err)
}
masterContext := kapi.WithNamespace(ctx, "")
ownerGlobalRules, err := ruleResolver.GetEffectivePolicyRules(masterContext)
if err != nil {
// do not fail in this case. Rules are purely additive, so we can continue with a coverage check based on the rules we have
user, _ := kapi.UserFrom(ctx)
glog.V(1).Infof("non-fatal error getting global rules for %v: %v", user, err)
ruleResolutionErrors = append(ruleResolutionErrors, err)
}
ownerRules := make([]authorizationapi.PolicyRule, 0, len(ownerGlobalRules)+len(ownerLocalRules))
ownerRules = append(ownerRules, ownerLocalRules...)
ownerRules = append(ownerRules, ownerGlobalRules...)
ownerRightsCover, missingRights := Covers(ownerRules, role.Rules())
if !ownerRightsCover {
if compactedMissingRights, err := CompactRules(missingRights); err == nil {
missingRights = compactedMissingRights
}
missingRightsStrings := make([]string, 0, len(missingRights))
for _, missingRight := range missingRights {
missingRightsStrings = append(missingRightsStrings, missingRight.CompactString())
}
sort.Strings(missingRightsStrings)
user, _ := kapi.UserFrom(ctx)
var internalErr error
if len(ruleResolutionErrors) > 0 {
internalErr = fmt.Errorf("user %q cannot grant extra privileges:\n%v\nrule resolution errors: %v)", user.GetName(), strings.Join(missingRightsStrings, "\n"), ruleResolutionErrors)
} else {
internalErr = fmt.Errorf("user %q cannot grant extra privileges:\n%v", user.GetName(), strings.Join(missingRightsStrings, "\n"))
}
return kapierrors.NewForbidden(resource, name, internalErr)
}
return nil
}