From beb291d6d281e93d4343c709c816c6615528519b Mon Sep 17 00:00:00 2001
From: Jordan Liggitt
Date: Mon, 20 Feb 2017 13:20:42 -0500
Subject: [PATCH] Include all user.Info data in CSR object

---
 pkg/apis/certificates/types.go | 17 ++++++++++---
 pkg/apis/certificates/v1beta1/types.go | 25 ++++++++++++++++---
 .../certificates/certificates/strategy.go | 7 ++++++
 .../certificates/strategy_test.go | 1 +
 4 files changed, 44 insertions(+), 6 deletions(-)

diff --git a/pkg/apis/certificates/types.go b/pkg/apis/certificates/types.go
index 4aee19f2c5a..4a7884a1ea4 100644
--- a/pkg/apis/certificates/types.go
+++ b/pkg/apis/certificates/types.go
@@ -37,7 +37,7 @@ type CertificateSigningRequest struct {
 }
 
 // This information is immutable after the request is created. Only the Request
-// and ExtraInfo fields can be set on creation, other fields are derived by
+// and Usages fields can be set on creation, other fields are derived by
 // Kubernetes and cannot be modified by users.
 type CertificateSigningRequestSpec struct {
 	// Base64-encoded PKCS#10 CSR data
@@ -49,16 +49,27 @@ type CertificateSigningRequestSpec struct {
 	// https://tools.ietf.org/html/rfc5280#section-4.2.1.12
 	Usages []KeyUsage
 
-	// Information about the requesting user (if relevant)
-	// See user.Info interface for details
+	// Information about the requesting user.
+	// See user.Info interface for details.
 	// +optional
 	Username string
+	// UID information about the requesting user.
+	// See user.Info interface for details.
 	// +optional
 	UID string
+	// Group information about the requesting user.
+	// See user.Info interface for details.
 	// +optional
 	Groups []string
+	// Extra information about the requesting user.
+	// See user.Info interface for details.
+	// +optional
+	Extra map[string]ExtraValue
 }
 
+// ExtraValue masks the value so protobuf can generate
+type ExtraValue []string
+
 type CertificateSigningRequestStatus struct {
 	// Conditions applied to the request, such as approval or denial.
 	// +optional
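Review bot: The comment on the new `Extra` field ("Extra information about the requesting user") does not say where the value comes from or that client-supplied values are not honoured, which is the property an approver reading a stored CSR needs to know; strategy.go in this same patch clears the field and then copies every key and value of `user.GetExtra()` into it. Suggest `// Extra information about the requesting user, populated from the authenticator's user.Info at creation time; any value supplied by the client is discarded. Like Username, UID and Groups it is persisted in the CSR object, so authenticators should not place secrets in extra attributes.` The `ExtraValue` comment `masks the value so protobuf can generate` is also too terse to explain why a named type exists; `// ExtraValue is a named []string so the protobuf generator can encode map values; it carries no other semantics.` would do. The same two comments appear in the v1beta1 hunk of pkg/apis/certificates/v1beta1/types.go and should be updated there as well.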
diff --git a/pkg/apis/certificates/v1beta1/types.go b/pkg/apis/certificates/v1beta1/types.go
index bdbb6cbfcfc..a9149ba8dff 100644
--- a/pkg/apis/certificates/v1beta1/types.go
+++ b/pkg/apis/certificates/v1beta1/types.go
@@ -17,6 +17,8 @@ limitations under the License.
 package v1beta1
 
 import (
+	"fmt"
+
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -39,7 +41,7 @@ type CertificateSigningRequest struct {
 }
 
 // This information is immutable after the request is created. Only the Request
-// and ExtraInfo fields can be set on creation, other fields are derived by
+// and Usages fields can be set on creation, other fields are derived by
 // Kubernetes and cannot be modified by users.
 type CertificateSigningRequestSpec struct {
 	// Base64-encoded PKCS#10 CSR data
@@ -51,14 +53,31 @@ type CertificateSigningRequestSpec struct {
 	// https://tools.ietf.org/html/rfc5280#section-4.2.1.12
 	Usages []KeyUsage `json:"usages,omitempty" protobuf:"bytes,5,opt,name=keyUsage"`
 
-	// Information about the requesting user (if relevant)
-	// See user.Info interface for details
+	// Information about the requesting user.
+	// See user.Info interface for details.
 	// +optional
 	Username string `json:"username,omitempty" protobuf:"bytes,2,opt,name=username"`
+	// UID information about the requesting user.
+	// See user.Info interface for details.
 	// +optional
 	UID string `json:"uid,omitempty" protobuf:"bytes,3,opt,name=uid"`
+	// Group information about the requesting user.
+	// See user.Info interface for details.
 	// +optional
 	Groups []string `json:"groups,omitempty" protobuf:"bytes,4,rep,name=groups"`
+	// Extra information about the requesting user.
+	// See user.Info interface for details.
+	// +optional
+	Extra map[string]ExtraValue `json:"extra,omitempty" protobuf:"bytes,6,rep,name=extra"`
+}
+
+// ExtraValue masks the value so protobuf can generate
+// +protobuf.nullable=true
+// +protobuf.options.(gogoproto.goproto_stringer)=false
+type ExtraValue []string
+
+func (t ExtraValue) String() string {
+	return fmt.Sprintf("%v", []string(t))
 }
 
 type CertificateSigningRequestStatus struct {
diff --git a/pkg/registry/certificates/certificates/strategy.go b/pkg/registry/certificates/certificates/strategy.go
index dde60fa6006..e8b625de737 100644
--- a/pkg/registry/certificates/certificates/strategy.go
+++ b/pkg/registry/certificates/certificates/strategy.go
@@ -61,11 +61,18 @@ func (csrStrategy) PrepareForCreate(ctx genericapirequest.Context, obj runtime.O
 	csr.Spec.Username = ""
 	csr.Spec.UID = ""
 	csr.Spec.Groups = nil
+	csr.Spec.Extra = nil
 	// Inject user.Info from request context
 	if user, ok := genericapirequest.UserFrom(ctx); ok {
 		csr.Spec.Username = user.GetName()
 		csr.Spec.UID = user.GetUID()
 		csr.Spec.Groups = user.GetGroups()
+		if extra := user.GetExtra(); len(extra) > 0 {
+			csr.Spec.Extra = map[string]certificates.ExtraValue{}
+			for k, v := range extra {
+				csr.Spec.Extra[k] = certificates.ExtraValue(v)
+			}
+		}
 	}
 
 	// Be explicit that users cannot create pre-approved certificate requests.
diff --git a/pkg/registry/certificates/certificates/strategy_test.go b/pkg/registry/certificates/certificates/strategy_test.go
index 57f2f471dac..d6d2b2c01cb 100644
--- a/pkg/registry/certificates/certificates/strategy_test.go
+++ b/pkg/registry/certificates/certificates/strategy_test.go
@@ -56,6 +56,7 @@ func TestStrategyCreate(t *testing.T) {
 				Username: "bob",
 				UID:      "123",
 				Groups:   []string{"group1"},
+				Extra:    map[string]certapi.ExtraValue{"foo": {"bar"}},
 			},
 			Status: certapi.CertificateSigningRequestStatus{Conditions: []certapi.CertificateSigningRequestCondition{}},
 		},
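Review bot: `csr.Spec.Extra[k] = certificates.ExtraValue(v)` stores the authenticator's slice itself rather than a copy, so the CSR spec aliases whatever backing array `user.GetExtra()` handed out; if that user.Info is shared or cached across requests, a later mutation on either side is visible on the other. The existing `csr.Spec.Groups = user.GetGroups()` line has the same shape, so this is consistent with the file, but for the new code a copy is cheap: `csr.Spec.Extra[k] = certificates.ExtraValue(append([]string(nil), v...))`. The map can also be sized up front since `len(extra)` is known: `csr.Spec.Extra = make(map[string]certificates.ExtraValue, len(extra))`. The clear-then-inject order (`csr.Spec.Extra = nil` before the `UserFrom` block) is what makes the stored identity authoritative over anything the client sent, and deserves a one-line comment stating that intent; PrepareForCreate starts and ends outside the hunk.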
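Review bot: The added `Extra: map[string]certapi.ExtraValue{"foo": {"bar"}}` line pins only that an authenticator-provided extra value reaches the spec; whether the test's input object also carries a client-supplied `Extra` that PrepareForCreate must discard is not visible from this hunk, and that clearing is the behaviour an approver relies on. If the input object defined elsewhere in TestStrategyCreate does not already do so, give it a distinct value, e.g. `Extra: map[string]certapi.ExtraValue{"client": {"supplied"}}`, and keep the expected object asserting only the authenticator's `"foo": {"bar"}` entry. TestStrategyCreate begins and ends outside the hunk.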