Include all user.Info data in CSR object

This commit is contained in:
Jordan Liggitt 2017-02-20 13:20:42 -05:00
parent a3c8d1405b
commit beb291d6d2
No known key found for this signature in database
GPG Key ID: 24E7ADF9A3B42012
4 changed files with 44 additions and 6 deletions


@ -37,7 +37,7 @@ type CertificateSigningRequest struct {
}
// This information is immutable after the request is created. Only the Request
// and ExtraInfo fields can be set on creation, other fields are derived by
// and Usages fields can be set on creation, other fields are derived by
// Kubernetes and cannot be modified by users.
type CertificateSigningRequestSpec struct {
// Base64-encoded PKCS#10 CSR data
@ -49,16 +49,27 @@ type CertificateSigningRequestSpec struct {
// https://tools.ietf.org/html/rfc5280#section-4.2.1.12
Usages []KeyUsage
// Information about the requesting user (if relevant)
// See user.Info interface for details
// Information about the requesting user.
// See user.Info interface for details.
// +optional
Username string
// UID information about the requesting user.
// See user.Info interface for details.
// +optional
UID string
// Group information about the requesting user.
// See user.Info interface for details.
// +optional
Groups []string
// Extra information about the requesting user.
// See user.Info interface for details.
// +optional
Extra map[string]ExtraValue
}
// ExtraValue masks the value so protobuf can generate
type ExtraValue []string
type CertificateSigningRequestStatus struct {
// Conditions applied to the request, such as approval or denial.
// +optional


@ -17,6 +17,8 @@ limitations under the License.
package v1beta1
import (
"fmt"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
@ -39,7 +41,7 @@ type CertificateSigningRequest struct {
}
// This information is immutable after the request is created. Only the Request
// and ExtraInfo fields can be set on creation, other fields are derived by
// and Usages fields can be set on creation, other fields are derived by
// Kubernetes and cannot be modified by users.
type CertificateSigningRequestSpec struct {
// Base64-encoded PKCS#10 CSR data
@ -51,14 +53,31 @@ type CertificateSigningRequestSpec struct {
// https://tools.ietf.org/html/rfc5280#section-4.2.1.12
Usages []KeyUsage `json:"usages,omitempty" protobuf:"bytes,5,opt,name=keyUsage"`
// Information about the requesting user (if relevant)
// See user.Info interface for details
// Information about the requesting user.
// See user.Info interface for details.
// +optional
Username string `json:"username,omitempty" protobuf:"bytes,2,opt,name=username"`
// UID information about the requesting user.
// See user.Info interface for details.
// +optional
UID string `json:"uid,omitempty" protobuf:"bytes,3,opt,name=uid"`
// Group information about the requesting user.
// See user.Info interface for details.
// +optional
Groups []string `json:"groups,omitempty" protobuf:"bytes,4,rep,name=groups"`
// Extra information about the requesting user.
// See user.Info interface for details.
// +optional
Extra map[string]ExtraValue `json:"extra,omitempty" protobuf:"bytes,6,rep,name=extra"`
}
// ExtraValue masks the value so protobuf can generate
// +protobuf.nullable=true
// +protobuf.options.(gogoproto.goproto_stringer)=false
type ExtraValue []string
func (t ExtraValue) String() string {
return fmt.Sprintf("%v", []string(t))
}
type CertificateSigningRequestStatus struct {
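Review bot: The doc comment on the new ExtraValue type, `// ExtraValue masks the value so protobuf can generate`, is an unfinished sentence, and the same truncated comment is introduced on the internal ExtraValue type in the first file of this commit. Suggest completing it in both places, e.g. `// ExtraValue masks the value so protobuf can generate a map whose values are repeated strings (protobuf has no map<string, repeated string>).` The exported `String()` method is added without a doc comment; a line such as `// String formats the value the way fmt prints a []string; it is needed because the generated protobuf stringer is disabled above.` would satisfy the exported-name convention and explain the `goproto_stringer=false` marker.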


@ -61,11 +61,18 @@ func (csrStrategy) PrepareForCreate(ctx genericapirequest.Context, obj runtime.O
csr.Spec.Username = ""
csr.Spec.UID = ""
csr.Spec.Groups = nil
csr.Spec.Extra = nil
// Inject user.Info from request context
if user, ok := genericapirequest.UserFrom(ctx); ok {
csr.Spec.Username = user.GetName()
csr.Spec.UID = user.GetUID()
csr.Spec.Groups = user.GetGroups()
if extra := user.GetExtra(); len(extra) > 0 {
csr.Spec.Extra = map[string]certificates.ExtraValue{}
for k, v := range extra {
csr.Spec.Extra[k] = certificates.ExtraValue(v)
}
}
}
// Be explicit that users cannot create pre-approved certificate requests.
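Review bot: At `csr.Spec.Groups = user.GetGroups()` and `csr.Spec.Extra[k] = certificates.ExtraValue(v)` the spec stores the slices owned by the user.Info from the request context rather than copies, so a later mutation of the stored spec, or of the value the authenticator holds, would be visible through the other. Copying keeps the persisted object independent of the caller's data: `csr.Spec.Groups = append([]string(nil), user.GetGroups()...)` and `csr.Spec.Extra[k] = certificates.ExtraValue(append([]string(nil), v...))`. Clearing all four identity fields before the injection is the right order, since it guarantees that identity values supplied in the request body never survive, including when no user is present in the context. PrepareForCreate starts outside the hunk.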


@ -56,6 +56,7 @@ func TestStrategyCreate(t *testing.T) {
Username: "bob",
UID: "123",
Groups: []string{"group1"},
Extra: map[string]certapi.ExtraValue{"foo": {"bar"}},
},
Status: certapi.CertificateSigningRequestStatus{Conditions: []certapi.CertificateSigningRequestCondition{}},
},
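Review bot: The fixture now carries `Extra: map[string]certapi.ExtraValue{"foo": {"bar"}}`, but from this hunk alone it is not visible whether the test also submits an object whose identity fields differ from the context user and asserts that they are replaced. If TestStrategyCreate only checks that the context user's values appear, consider adding a case where the incoming CSR pre-populates Username, UID, Groups and Extra with different data and asserting that PrepareForCreate overwrites all four, since that overwrite is the property the strategy change relies on. TestStrategyCreate starts outside the hunk and its assertions are not shown here.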