openshift · openshift-bot · Aug 12, 2016 · Aug 5, 2016 · liggitt · Aug 10, 2016
diff --git a/pkg/authorization/authorizer/scope/converter.go b/pkg/authorization/authorizer/scope/converter.go
@@ -12,6 +12,7 @@ import (
 	"k8s.io/kubernetes/pkg/util/sets"
 
 	authorizationapi "github.com/openshift/origin/pkg/authorization/api"
+	"github.com/openshift/origin/pkg/authorization/authorizer"
 	"github.com/openshift/origin/pkg/client"
 	oauthapi "github.com/openshift/origin/pkg/oauth/api"
 	projectapi "github.com/openshift/origin/pkg/project/api"
@@ -48,6 +49,41 @@ func ScopesToRules(scopes []string, namespace string, clusterPolicyGetter client
 	return rules, kutilerrors.NewAggregate(errors)
 }
 
+// ScopesToVisibleNamespaces returns a list of namespaces that the provided scopes have "get" access to.
+// This exists only to support efficiently list/watch of projects (ACLed namespaces)
+func ScopesToVisibleNamespaces(scopes []string, clusterPolicyGetter client.ClusterPolicyLister) (sets.String, error) {
+	if len(scopes) == 0 {
+		return sets.NewString("*"), nil
+	}
+
+	visibleNamespaces := sets.String{}
+
+	errors := []error{}
+	for _, scope := range scopes {
+		found := false
+
+		for _, evaluator := range ScopeEvaluators {
+			if evaluator.Handles(scope) {
+				found = true
+				allowedNamespaces, err := evaluator.ResolveGettableNamespaces(scope, clusterPolicyGetter)
+				if err != nil {
+					errors = append(errors, err)
+					continue
+				}
+
+				visibleNamespaces.Insert(allowedNamespaces...)
+				break
+			}
+		}
+
+		if !found {
+			errors = append(errors, fmt.Errorf("no scope evaluator found for %q", scope))
+		}
+	}
+
+	return visibleNamespaces, kutilerrors.NewAggregate(errors)
+}
+
 const (
 	UserIndicator          = "user:"
 	ClusterRoleIndicator   = "role:"
@@ -61,6 +97,7 @@ type ScopeEvaluator interface {
 	Describe(scope string) string
 	Validate(scope string) error
 	ResolveRules(scope, namespace string, clusterPolicyGetter client.ClusterPolicyLister) ([]authorizationapi.PolicyRule, error)
+	ResolveGettableNamespaces(scope string, clusterPolicyGetter client.ClusterPolicyLister) ([]string, error)
 }
 
 // ScopeEvaluators map prefixes to a function that handles that prefix
@@ -134,7 +171,7 @@ func (userEvaluator) ResolveRules(scope, namespace string, clusterPolicyGetter c
 		}, nil
 	case UserListProject:
 		return []authorizationapi.PolicyRule{
-			{Verbs: sets.NewString("list"), APIGroups: []string{projectapi.GroupName}, Resources: sets.NewString("projects")},
+			{Verbs: sets.NewString("list", "watch"), APIGroups: []string{projectapi.GroupName}, Resources: sets.NewString("projects")},
 		}, nil
 	case UserFull:
 		return []authorizationapi.PolicyRule{
@@ -146,6 +183,15 @@ func (userEvaluator) ResolveRules(scope, namespace string, clusterPolicyGetter c
 	}
 }
 
+func (userEvaluator) ResolveGettableNamespaces(scope string, clusterPolicyGetter client.ClusterPolicyLister) ([]string, error) {
+	switch scope {
+	case UserFull:
+		return []string{"*"}, nil
+	default:
+		return []string{}, nil
+	}
+}
+
 // escalatingScopeResources are resources that are considered escalating for scope evaluation
 var escalatingScopeResources = []unversioned.GroupResource{
 	{Group: kapi.GroupName, Resource: "secrets"},
@@ -175,6 +221,12 @@ func (e clusterRoleEvaluator) parseScope(scope string) (string /*role name*/, st
 	if !e.Handles(scope) {
 		return "", "", false, fmt.Errorf("bad format for scope %v", scope)
 	}
+	return ParseClusterRoleScope(scope)
+}
+func ParseClusterRoleScope(scope string) (string /*role name*/, string /*namespace*/, bool /*escalating*/, error) {
+	if !strings.HasPrefix(scope, ClusterRoleIndicator) {
+		return "", "", false, fmt.Errorf("bad format for scope %v", scope)
+	}
 	escalating := false
 	if strings.HasSuffix(scope, ":!") {
 		escalating = true
@@ -214,7 +266,7 @@ func (e clusterRoleEvaluator) Describe(scope string) string {
 }
 
 func (e clusterRoleEvaluator) ResolveRules(scope, namespace string, clusterPolicyGetter client.ClusterPolicyLister) ([]authorizationapi.PolicyRule, error) {
-	roleName, scopeNamespace, escalating, err := e.parseScope(scope)
+	_, scopeNamespace, _, err := e.parseScope(scope)
 	if err != nil {
 		return nil, err
 	}
@@ -224,6 +276,16 @@ func (e clusterRoleEvaluator) ResolveRules(scope, namespace string, clusterPolic
 		return []authorizationapi.PolicyRule{}, nil
 	}
 
+	return e.resolveRules(scope, clusterPolicyGetter)
+}
+
+// resolveRules doesn't enforce namespace checks
+func (e clusterRoleEvaluator) resolveRules(scope string, clusterPolicyGetter client.ClusterPolicyLister) ([]authorizationapi.PolicyRule, error) {
+	roleName, _, escalating, err := e.parseScope(scope)
+	if err != nil {
+		return nil, err
+	}
+
 	policy, err := clusterPolicyGetter.Get("default")
 	if err != nil {
 		return nil, err
@@ -252,6 +314,37 @@ func (e clusterRoleEvaluator) ResolveRules(scope, namespace string, clusterPolic
 	return rules, nil
 }
 
+func (e clusterRoleEvaluator) ResolveGettableNamespaces(scope string, clusterPolicyGetter client.ClusterPolicyLister) ([]string, error) {
+	_, scopeNamespace, _, err := e.parseScope(scope)
+	if err != nil {
+		return nil, err
+	}
+	rules, err := e.resolveRules(scope, clusterPolicyGetter)
+	if err != nil {
+		return nil, err
+	}
+
+	attributes := authorizer.DefaultAuthorizationAttributes{
+		APIGroup: kapi.GroupName,
+		Verb:     "get",
+		Resource: "namespaces",
+	}
+
+	errors := []error{}
+	for _, rule := range rules {
+		matches, err := attributes.RuleMatches(rule)
+		if err != nil {
+			errors = append(errors, err)
+			continue
+		}
+		if matches {
+			return []string{scopeNamespace}, nil
+		}
+	}
+
+	return []string{}, kutilerrors.NewAggregate(errors)
+}
+
 // TODO: direct deep copy needing a cloner is something that should be fixed upstream
 var localCloner = conversion.NewCloner()
 

diff --git a/pkg/project/auth/cache.go b/pkg/project/auth/cache.go
@@ -17,6 +17,8 @@ import (
 	utilwait "k8s.io/kubernetes/pkg/util/wait"
 	"k8s.io/kubernetes/pkg/watch"
 
+	authorizationapi "github.com/openshift/origin/pkg/authorization/api"
+	"github.com/openshift/origin/pkg/authorization/authorizer/scope"
 	"github.com/openshift/origin/pkg/client"
 )
 
@@ -228,6 +230,10 @@ func (ac *AuthorizationCache) RemoveWatcher(watcher CacheWatcher) {
 	}
 }
 
+func (ac *AuthorizationCache) GetClusterPolicyLister() client.SyncedClusterPoliciesListerInterface {
+	return ac.clusterPolicyLister
+}
+
 // synchronizeNamespaces synchronizes access over each namespace and returns a set of namespace names that were looked at in last sync
 func (ac *AuthorizationCache) synchronizeNamespaces(userSubjectRecordStore cache.Store, groupSubjectRecordStore cache.Store, reviewRecordStore cache.Store) sets.String {
 	namespaceSet := sets.NewString()
@@ -430,14 +436,22 @@ func (ac *AuthorizationCache) List(userInfo user.Info) (*kapi.NamespaceList, err
 		}
 	}
 
+	allowedNamespaces, err := scope.ScopesToVisibleNamespaces(userInfo.GetExtra()[authorizationapi.ScopesKey], ac.clusterPolicyLister.ClusterPolicies())
+	if err != nil {
+		return nil, err
+	}
+
 	namespaceList := &kapi.NamespaceList{}
 	for key := range keys {
-		namespace, exists, err := ac.namespaceStore.GetByKey(key)
+		namespaceObj, exists, err := ac.namespaceStore.GetByKey(key)
 		if err != nil {
 			return nil, err
 		}
 		if exists {
-			namespaceList.Items = append(namespaceList.Items, *namespace.(*kapi.Namespace))
+			namespace := *namespaceObj.(*kapi.Namespace)
+			if allowedNamespaces.Has("*") || allowedNamespaces.Has(namespace.Name) {
+				namespaceList.Items = append(namespaceList.Items, namespace)
+			}
 		}
 	}
 	return namespaceList, nil

diff --git a/pkg/project/auth/watch.go b/pkg/project/auth/watch.go
@@ -33,8 +33,9 @@ type WatchableCache interface {
 
 // userProjectWatcher converts a native etcd watch to a watch.Interface.
 type userProjectWatcher struct {
-	username string
-	groups   []string
+	user user.Info
+	// visibleNamespaces are the namespaces that the scopes allow
+	visibleNamespaces sets.String
 
 	// cacheIncoming is a buffered channel used for notification to watcher.  If the buffer fills up,
 	// then the watcher will be removed and the connection will be broken.
@@ -69,9 +70,8 @@ var (
 	watchChannelHWM etcd.HighWaterMark
 )
 
-func NewUserProjectWatcher(username string, groups []string, projectCache *projectcache.ProjectCache, authCache WatchableCache, includeAllExistingProjects bool) *userProjectWatcher {
-	userInfo := &user.DefaultInfo{Name: username, Groups: groups}
-	namespaces, _ := authCache.List(userInfo)
+func NewUserProjectWatcher(user user.Info, visibleNamespaces sets.String, projectCache *projectcache.ProjectCache, authCache WatchableCache, includeAllExistingProjects bool) *userProjectWatcher {
+	namespaces, _ := authCache.List(user)
 	knownProjects := map[string]string{}
 	for _, namespace := range namespaces.Items {
 		knownProjects[namespace.Name] = namespace.ResourceVersion
@@ -84,8 +84,8 @@ func NewUserProjectWatcher(username string, groups []string, projectCache *proje
 	}
 
 	w := &userProjectWatcher{
-		username: username,
-		groups:   groups,
+		user:              user,
+		visibleNamespaces: visibleNamespaces,
 
 		cacheIncoming: make(chan watch.Event, 1000),
 		cacheError:    make(chan error, 1),
@@ -107,7 +107,12 @@ func NewUserProjectWatcher(username string, groups []string, projectCache *proje
 }
 
 func (w *userProjectWatcher) GroupMembershipChanged(namespaceName string, users, groups sets.String) {
-	hasAccess := users.Has(w.username) || groups.HasAny(w.groups...)
+	if !w.visibleNamespaces.Has("*") && !w.visibleNamespaces.Has(namespaceName) {
+		// this user is scoped to a level that shouldn't see this update
+		return
+	}
+
+	hasAccess := users.Has(w.user.GetName()) || groups.HasAny(w.user.GetGroups()...)
 	_, known := w.knownProjects[namespaceName]
 
 	switch {

diff --git a/pkg/project/auth/watch_test.go b/pkg/project/auth/watch_test.go
@@ -16,7 +16,7 @@ import (
 	projectcache "github.com/openshift/origin/pkg/project/cache"
 )
 
-func newTestWatcher(user string, groups []string, namespaces ...*kapi.Namespace) (*userProjectWatcher, *fakeAuthCache) {
+func newTestWatcher(username string, groups []string, namespaces ...*kapi.Namespace) (*userProjectWatcher, *fakeAuthCache) {
 	objects := []runtime.Object{}
 	for i := range namespaces {
 		objects = append(objects, namespaces[i])
@@ -27,7 +27,7 @@ func newTestWatcher(user string, groups []string, namespaces ...*kapi.Namespace)
 	projectCache.Run()
 	fakeAuthCache := &fakeAuthCache{}
 
-	return NewUserProjectWatcher(user, groups, projectCache, fakeAuthCache, false), fakeAuthCache
+	return NewUserProjectWatcher(&user.DefaultInfo{Name: username, Groups: groups}, sets.NewString("*"), projectCache, fakeAuthCache, false), fakeAuthCache
 }
 
 type fakeAuthCache struct {

diff --git a/pkg/project/registry/project/proxy/proxy.go b/pkg/project/registry/project/proxy/proxy.go
@@ -15,6 +15,8 @@ import (
 	"k8s.io/kubernetes/pkg/watch"
 
 	oapi "github.com/openshift/origin/pkg/api"
+	authorizationapi "github.com/openshift/origin/pkg/authorization/api"
+	"github.com/openshift/origin/pkg/authorization/authorizer/scope"
 	"github.com/openshift/origin/pkg/project/api"
 	projectapi "github.com/openshift/origin/pkg/project/api"
 	projectauth "github.com/openshift/origin/pkg/project/auth"
@@ -91,7 +93,12 @@ func (s *REST) Watch(ctx kapi.Context, options *kapi.ListOptions) (watch.Interfa
 
 	includeAllExistingProjects := (options != nil) && options.ResourceVersion == "0"
 
-	watcher := projectauth.NewUserProjectWatcher(userInfo.GetName(), userInfo.GetGroups(), s.projectCache, s.authCache, includeAllExistingProjects)
+	allowedNamespaces, err := scope.ScopesToVisibleNamespaces(userInfo.GetExtra()[authorizationapi.ScopesKey], s.authCache.GetClusterPolicyLister().ClusterPolicies())
+	if err != nil {
+		return nil, err
+	}
+
+	watcher := projectauth.NewUserProjectWatcher(userInfo, allowedNamespaces, s.projectCache, s.authCache, includeAllExistingProjects)
 	s.authCache.AddWatcher(watcher)
 
 	go watcher.Watch()

diff --git a/test/cmd/authentication.sh b/test/cmd/authentication.sh
@@ -40,7 +40,9 @@ os::cmd::expect_success_and_text "oc get user/~ --token='${whoamitoken}'" "${use
 os::cmd::expect_failure_and_text "oc get pods --token='${whoamitoken}' -n '${project}'" "prevent this action; User \"scoped-user\" cannot list pods in project \"${project}\""
 
 listprojecttoken="$(oc process -f "${OS_ROOT}/test/testdata/authentication/scoped-token-template.yaml" TOKEN_PREFIX=listproject SCOPE=user:list-projects USER_NAME="${username}" USER_UID="${useruid}" | oc create -f - -o name | awk -F/ '{print $2}')"
-os::cmd::expect_success_and_text "oc get projects --token='${listprojecttoken}'" "${project}"
+# this token doesn't have rights to see any projects even though it can hit the list endpoint, so an empty list is correct
+# we'll add another scope that allows listing all known projects even if this token has no other powers in them.
+os::cmd::expect_success_and_not_text "oc get projects --token='${listprojecttoken}'" "${project}"
 os::cmd::expect_failure_and_text "oc get user/~ --token='${listprojecttoken}'" 'prevent this action; User "scoped-user" cannot get users at the cluster scope'
 os::cmd::expect_failure_and_text "oc get pods --token='${listprojecttoken}' -n '${project}'" "prevent this action; User \"scoped-user\" cannot list pods in project \"${project}\""