package selfsubjectrulesreview
import (
"fmt"
kapierrors "k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/runtime"
kutilerrors "k8s.io/apimachinery/pkg/util/errors"
"k8s.io/apiserver/pkg/authentication/user"
apirequest "k8s.io/apiserver/pkg/endpoints/request"
"k8s.io/apiserver/pkg/registry/rest"
rbaclisters "k8s.io/kubernetes/pkg/client/listers/rbac/internalversion"
rbacregistryvalidation "k8s.io/kubernetes/pkg/registry/rbac/validation"
authorizationapi "github.com/openshift/origin/pkg/authorization/apis/authorization"
"github.com/openshift/origin/pkg/authorization/apis/authorization/rbacconversion"
"github.com/openshift/origin/pkg/authorization/registry/subjectrulesreview"
)
// REST is the create-only storage for SelfSubjectRulesReview. It never
// persists anything: Create evaluates the effective policy rules of the
// calling user (taken from the request context) and returns them inline.
type REST struct {
	// ruleResolver is handed to subjectrulesreview.GetEffectivePolicyRules
	// to resolve the RBAC rules that apply to the evaluated user.
	ruleResolver rbacregistryvalidation.AuthorizationRuleResolver
	// clusterRoleGetter is passed alongside ruleResolver to the same call.
	clusterRoleGetter rbaclisters.ClusterRoleLister
}
// Compile-time assertion that *REST satisfies rest.Creater.
var _ rest.Creater = (*REST)(nil)
// NewREST returns a REST that evaluates rules with the given resolver and
// cluster role lister.
func NewREST(ruleResolver rbacregistryvalidation.AuthorizationRuleResolver, clusterRoleGetter rbaclisters.ClusterRoleLister) *REST {
	storage := REST{
		ruleResolver:      ruleResolver,
		clusterRoleGetter: clusterRoleGetter,
	}
	return &storage
}
// New returns an empty SelfSubjectRulesReview, the object type this storage
// accepts in Create.
func (r *REST) New() runtime.Object {
	var review authorizationapi.SelfSubjectRulesReview
	return &review
}
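// Create evaluates the effective policy rules of the calling user and returns
// them in the Status of a SelfSubjectRulesReview. Nothing is persisted.
//
// The user under review is always the authenticated user found in ctx, never
// one named in obj; a request namespace must be present in ctx (the
// evaluation presumably runs against that namespace via ctx — confirm in
// GetEffectivePolicyRules). Spec.Scopes controls the Extra attributes of the
// user copy that is evaluated:
//   - nil: the caller's own extra attributes (including any scopes already on
//     the token) are copied over, so the review reflects the current token;
//   - non-empty: only the given scopes are set, under authorizationapi.ScopesKey;
//   - empty but non-nil: no extra attributes at all — presumably meaning the
//     caller's unscoped permissions; confirm against the API type docs.
//
// Returns a BadRequest error when obj is not a SelfSubjectRulesReview, when
// the namespace is missing, or when no user is present in ctx. Rule resolution
// errors do not fail the request: they are aggregated into
// Status.EvaluationError, so the returned rules may be incomplete.
func (r *REST) Create(ctx apirequest.Context, obj runtime.Object, _ bool) (runtime.Object, error) {
	rulesReview, ok := obj.(*authorizationapi.SelfSubjectRulesReview)
	if !ok {
		return nil, kapierrors.NewBadRequest(fmt.Sprintf("not a SelfSubjectRulesReview: %#v", obj))
	}

	namespace := apirequest.NamespaceValue(ctx)
	if len(namespace) == 0 {
		return nil, kapierrors.NewBadRequest(fmt.Sprintf("namespace is required on this type: %v", namespace))
	}

	callingUser, exists := apirequest.UserFrom(ctx)
	if !exists {
		// No format verbs here, so no Sprintf (go vet flags the no-arg form).
		return nil, kapierrors.NewBadRequest("user missing from context")
	}

	// Evaluate against a copy so the Extra map of the context user is never
	// mutated. Name and Groups are carried over as-is (the groups slice is
	// shared, not cloned, and is not written to here); Extra is rebuilt below.
	userToCheck := &user.DefaultInfo{
		Name:   callingUser.GetName(),
		Groups: callingUser.GetGroups(),
		Extra:  map[string][]string{},
	}
	switch {
	case rulesReview.Spec.Scopes == nil:
		for k, v := range callingUser.GetExtra() {
			userToCheck.Extra[k] = v
		}
	case len(rulesReview.Spec.Scopes) > 0:
		userToCheck.Extra[authorizationapi.ScopesKey] = rulesReview.Spec.Scopes
	}

	rules, errs := subjectrulesreview.GetEffectivePolicyRules(apirequest.WithUser(ctx, userToCheck), r.ruleResolver, r.clusterRoleGetter)

	ret := &authorizationapi.SelfSubjectRulesReview{
		Status: authorizationapi.SubjectRulesReviewStatus{
			Rules: rbacconversion.Convert_rbac_PolicyRules_To_authorization_PolicyRules(rules), //TODO can we fix this ?
		},
	}
	// Partial resolution failures are reported in the status, not as a
	// request error, so callers must check EvaluationError before trusting
	// Rules as complete.
	if len(errs) != 0 {
		ret.Status.EvaluationError = kutilerrors.NewAggregate(errs).Error()
	}

	return ret, nil
}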