forked from openshift/origin
/
rest.go
79 lines (64 loc) · 2.37 KB
/
rest.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
package subjectaccessreview
import (
"fmt"
kapi "github.com/GoogleCloudPlatform/kubernetes/pkg/api"
kerrors "github.com/GoogleCloudPlatform/kubernetes/pkg/api/errors"
"github.com/GoogleCloudPlatform/kubernetes/pkg/auth/user"
"github.com/GoogleCloudPlatform/kubernetes/pkg/runtime"
kutilerrors "github.com/GoogleCloudPlatform/kubernetes/pkg/util/errors"
authorizationapi "github.com/openshift/origin/pkg/authorization/api"
authorizationvalidation "github.com/openshift/origin/pkg/authorization/api/validation"
"github.com/openshift/origin/pkg/authorization/authorizer"
)
// REST implements the RESTStorage interface in terms of an Registry.
type REST struct {
authorizer authorizer.Authorizer
}
// NewREST creates a new REST for policies.
func NewREST(authorizer authorizer.Authorizer) *REST {
return &REST{authorizer}
}
// New creates a new ResourceAccessReview object
func (r *REST) New() runtime.Object {
return &authorizationapi.SubjectAccessReview{}
}
// Create registers a given new ResourceAccessReview instance to r.registry.
func (r *REST) Create(ctx kapi.Context, obj runtime.Object) (runtime.Object, error) {
subjectAccessReview, ok := obj.(*authorizationapi.SubjectAccessReview)
if !ok {
return nil, kerrors.NewBadRequest(fmt.Sprintf("not a subjectAccessReview: %#v", obj))
}
if err := kutilerrors.NewAggregate(authorizationvalidation.ValidateSubjectAccessReview(subjectAccessReview)); err != nil {
return nil, err
}
var userToCheck user.Info
if (len(subjectAccessReview.User) == 0) && (len(subjectAccessReview.Groups) == 0) {
// if no user or group was specified, use the info from the context
ctxUser, exists := kapi.UserFrom(ctx)
if !exists {
return nil, kerrors.NewBadRequest("user missing from context")
}
userToCheck = ctxUser
} else {
userToCheck = &user.DefaultInfo{
Name: subjectAccessReview.User,
Groups: subjectAccessReview.Groups.List(),
}
}
namespace := kapi.NamespaceValue(ctx)
requestContext := kapi.WithUser(ctx, userToCheck)
attributes := &authorizer.DefaultAuthorizationAttributes{
Verb: subjectAccessReview.Verb,
Resource: subjectAccessReview.Resource,
}
allowed, reason, err := r.authorizer.Authorize(requestContext, attributes)
if err != nil {
return nil, err
}
response := &authorizationapi.SubjectAccessReviewResponse{
Namespace: namespace,
Allowed: allowed,
Reason: reason,
}
return response, nil
}