Implement generic CanDo against k8s roles

2025-06-26 14:41:35 +00:00 · 2021-05-18 22:34:46 -07:00 · 2021-05-18 22:34:46 -07:00 · a1ef4004f8
commit a1ef4004f8
parent 43139e348a
2 changed files with 33 additions and 1 deletions
--- a/pkg/accesscontrol/access_control.go
+++ b/pkg/accesscontrol/access_control.go
@ -4,6 +4,8 @@ import (
 	"github.com/rancher/apiserver/pkg/server"
 	"github.com/rancher/apiserver/pkg/types"
 	"github.com/rancher/steve/pkg/attributes"
+	"github.com/rancher/wrangler/pkg/kv"
+	"k8s.io/apimachinery/pkg/runtime/schema"
 )

 type AccessControl struct {
@ -14,6 +16,25 @@ func NewAccessControl() *AccessControl {
 	return &AccessControl{}
 }

+func (a *AccessControl) CanDo(apiOp *types.APIRequest, resource, verb, namespace, name string) error {
+	apiSchema := apiOp.Schemas.LookupSchema(resource)
+	if apiSchema != nil && attributes.GVK(apiSchema).Kind != "" {
+		access := GetAccessListMap(apiSchema)
+		if access[verb].Grants(namespace, name) {
+			return nil
+		}
+	}
+	group, resource := kv.Split(resource, "/")
+	accessSet := apiOp.Schemas.Attributes["accessSet"].(*AccessSet)
+	if accessSet.Grants(verb, schema.GroupResource{
+		Group:    group,
+		Resource: resource,
+	}, namespace, name) {
+		return nil
+	}
+	return a.SchemaBasedAccess.CanDo(apiOp, resource, verb, namespace, name)
+}
+
 func (a *AccessControl) CanWatch(apiOp *types.APIRequest, schema *types.APISchema) error {
 	if attributes.GVK(schema).Kind != "" {
 		access := GetAccessListMap(schema)
--- a/pkg/schema/factory.go
+++ b/pkg/schema/factory.go
@ -125,9 +125,20 @@ func (c *Collection) schemasForSubject(access *accesscontrol.AccessSet) (*types.
 		}
 	}

+	result.Attributes = map[string]interface{}{
+		"accessSet": access,
+	}
 	return result, nil
 }

+func (c *Collection) defaultStore() types.Store {
+	templates := c.templates[""]
+	if len(templates) > 0 {
+		return templates[0].Store
+	}
+	return nil
+}
+
 func (c *Collection) applyTemplates(schema *types.APISchema) {
 	c.lock.RLock()
 	defer c.lock.RUnlock()
@ -152,7 +163,7 @@ func (c *Collection) applyTemplates(schema *types.APISchema) {
 				if t.StoreFactory == nil {
 					schema.Store = t.Store
 				} else {
-					schema.Store = t.StoreFactory(templates[2].Store)
+					schema.Store = t.StoreFactory(c.defaultStore())
 				}
 			}
 			if t.Customize != nil {