steve/pkg/accesscontrol/access_store.go

package accesscontrol

import (
	"context"
	"crypto/sha256"
	"encoding/hex"
	"hash"
	"sort"
	"time"

	v1 "github.com/rancher/wrangler/v3/pkg/generated/controllers/rbac/v1"
	"golang.org/x/sync/singleflight"
	rbacv1 "k8s.io/api/rbac/v1"
	"k8s.io/apimachinery/pkg/util/cache"
	"k8s.io/apiserver/pkg/authentication/user"
)

//go:generate mockgen --build_flags=--mod=mod -package fake -destination fake/AccessSetLookup.go "github.com/rancher/steve/pkg/accesscontrol" AccessSetLookup

type AccessSetLookup interface {
	AccessFor(user user.Info) *AccessSet
	PurgeUserData(id string)
}

type policyRules interface {
	get(string) *AccessSet
	getRoleBindings(string) []*rbacv1.RoleBinding
	getClusterRoleBindings(string) []*rbacv1.ClusterRoleBinding
}

type roleRevisions interface {
	roleRevision(string, string) string
}

// accessStoreCache is a subset of the methods implemented by LRUExpireCache
type accessStoreCache interface {
	Add(key interface{}, value interface{}, ttl time.Duration)
	Get(key interface{}) (interface{}, bool)
	Remove(key interface{})
}

type AccessStore struct {
	usersPolicyRules    policyRules
	groupsPolicyRules   policyRules
	roles               roleRevisions
	cache               accessStoreCache
	concurrentAccessFor *singleflight.Group
}

type roleKey struct {
	namespace string
	name      string
}

func NewAccessStore(ctx context.Context, cacheResults bool, rbac v1.Interface) *AccessStore {
	as := &AccessStore{
		usersPolicyRules:    newPolicyRuleIndex(true, rbac),
		groupsPolicyRules:   newPolicyRuleIndex(false, rbac),
		roles:               newRoleRevision(ctx, rbac),
		concurrentAccessFor: new(singleflight.Group),
	}
	if cacheResults {
		as.cache = cache.NewLRUExpireCache(50)
	}
	return as
}

func (l *AccessStore) AccessFor(user user.Info) *AccessSet {
	if l.cache == nil {
		return l.newAccessSet(user)
	}

	cacheKey := l.CacheKey(user)

	res, _, _ := l.concurrentAccessFor.Do(cacheKey, func() (interface{}, error) {
		if val, ok := l.cache.Get(cacheKey); ok {
			as, _ := val.(*AccessSet)
			return as, nil
		}

		result := l.newAccessSet(user)
		result.ID = cacheKey
		l.cache.Add(cacheKey, result, 24*time.Hour)

		return result, nil
	})
	return res.(*AccessSet)
}

func (l *AccessStore) newAccessSet(user user.Info) *AccessSet {
	result := l.usersPolicyRules.get(user.GetName())
	for _, group := range user.GetGroups() {
		result.Merge(l.groupsPolicyRules.get(group))
	}
	return result
}

func (l *AccessStore) PurgeUserData(id string) {
	l.cache.Remove(id)
}

func (l *AccessStore) CacheKey(user user.Info) string {
	d := sha256.New()

	groupBase := user.GetGroups()
	groups := make([]string, len(groupBase))
	copy(groups, groupBase)
	sort.Strings(groups)

	l.addRolesToHash(d, user.GetName(), l.usersPolicyRules)
	for _, group := range groups {
		l.addRolesToHash(d, group, l.groupsPolicyRules)
	}

	return hex.EncodeToString(d.Sum(nil))
}

func (l *AccessStore) addRolesToHash(digest hash.Hash, subjectName string, rules policyRules) {
	for _, crb := range rules.getClusterRoleBindings(subjectName) {
		digest.Write([]byte(crb.RoleRef.Name))
		digest.Write([]byte(l.roles.roleRevision("", crb.RoleRef.Name)))
	}

	for _, rb := range rules.getRoleBindings(subjectName) {
		digest.Write([]byte(rb.RoleRef.Name))
		if rb.Namespace != "" {
			digest.Write([]byte(rb.Namespace))
		}
		digest.Write([]byte(l.roles.roleRevision(rb.Namespace, rb.RoleRef.Name)))
	}
}
Initial commit 2019-08-04 17:41:32 +00:00			`package accesscontrol`

			`import (`
RBAC caching 2020-02-08 20:03:57 +00:00			`"context"`
			`"crypto/sha256"`
			`"encoding/hex"`
refactor(accesscontrol): add unit tests for CacheKey (#245) This is a follow up to 435e220 with a small refactor to make the function easier to test, and adding unit tests for CacheKey. 2024-08-28 08:06:21 +00:00			`"hash"`
RBAC caching 2020-02-08 20:03:57 +00:00			`"sort"`
			`"time"`

updated wrangler from v2 to v3 also updated k8s dependencies to v0.30.1 2024-06-04 18:52:48 +00:00			`v1 "github.com/rancher/wrangler/v3/pkg/generated/controllers/rbac/v1"`
refactor(accesscontrol): use interface for AccessStore cache (#290) 2024-10-09 08:21:29 +00:00			`"golang.org/x/sync/singleflight"`
refactor(accesscontrol): add unit tests for CacheKey (#245) This is a follow up to 435e220 with a small refactor to make the function easier to test, and adding unit tests for CacheKey. 2024-08-28 08:06:21 +00:00			`rbacv1 "k8s.io/api/rbac/v1"`
RBAC caching 2020-02-08 20:03:57 +00:00			`"k8s.io/apimachinery/pkg/util/cache"`
Initial commit 2019-08-04 17:41:32 +00:00			`"k8s.io/apiserver/pkg/authentication/user"`
			`)`

Updates Schemas watch logic. Updated logic used to decide when and what schema events are sent during a watch. 2022-10-20 04:16:01 +00:00			`//go:generate mockgen --build_flags=--mod=mod -package fake -destination fake/AccessSetLookup.go "github.com/rancher/steve/pkg/accesscontrol" AccessSetLookup`

Allow passing in access control impl to the server 2020-02-04 21:11:21 +00:00			`type AccessSetLookup interface {`
			`AccessFor(user user.Info) *AccessSet`
Adding logic to limit number of cached schemas Adds logic to ensure that only one schema/access set is cached for each user. This should improve memory consumption 2022-08-26 14:27:57 +00:00			`PurgeUserData(id string)`
Allow passing in access control impl to the server 2020-02-04 21:11:21 +00:00			`}`

refactor(accesscontrol): add unit tests for CacheKey (#245) This is a follow up to 435e220 with a small refactor to make the function easier to test, and adding unit tests for CacheKey. 2024-08-28 08:06:21 +00:00			`type policyRules interface {`
			`get(string) *AccessSet`
			`getRoleBindings(string) []*rbacv1.RoleBinding`
			`getClusterRoleBindings(string) []*rbacv1.ClusterRoleBinding`
			`}`

			`type roleRevisions interface {`
			`roleRevision(string, string) string`
			`}`

Add tests for concurrent AccessControl store usage (#286) * refactor(accesscontrol): use interface for AccessStore cache * refactor(accesscontrol): early return when cache is disabled * test(accesscontrol): add failing unit test * test(accesscontrol): skip failing test 2024-10-08 15:18:44 +00:00			`// accessStoreCache is a subset of the methods implemented by LRUExpireCache`
			`type accessStoreCache interface {`
			`Add(key interface{}, value interface{}, ttl time.Duration)`
			`Get(key interface{}) (interface{}, bool)`
			`Remove(key interface{})`
			`}`

Initial commit 2019-08-04 17:41:32 +00:00			`type AccessStore struct {`
refactor(accesscontrol): use interface for AccessStore cache (#290) 2024-10-09 08:21:29 +00:00			`usersPolicyRules policyRules`
			`groupsPolicyRules policyRules`
			`roles roleRevisions`
			`cache accessStoreCache`
			`concurrentAccessFor *singleflight.Group`
RBAC caching 2020-02-08 20:03:57 +00:00			`}`

			`type roleKey struct {`
			`namespace string`
			`name string`
Initial commit 2019-08-04 17:41:32 +00:00			`}`

RBAC caching 2020-02-08 20:03:57 +00:00			`func NewAccessStore(ctx context.Context, cacheResults bool, rbac v1.Interface) *AccessStore {`
			`as := &AccessStore{`
refactor(accesscontrol): use interface for AccessStore cache (#290) 2024-10-09 08:21:29 +00:00			`usersPolicyRules: newPolicyRuleIndex(true, rbac),`
			`groupsPolicyRules: newPolicyRuleIndex(false, rbac),`
			`roles: newRoleRevision(ctx, rbac),`
			`concurrentAccessFor: new(singleflight.Group),`
Initial commit 2019-08-04 17:41:32 +00:00			`}`
RBAC caching 2020-02-08 20:03:57 +00:00			`if cacheResults {`
RBAC performance improvements 2020-03-02 05:23:36 +00:00			`as.cache = cache.NewLRUExpireCache(50)`
RBAC caching 2020-02-08 20:03:57 +00:00			`}`
			`return as`
			`}`

Initial commit 2019-08-04 17:41:32 +00:00			`func (l AccessStore) AccessFor(user user.Info) AccessSet {`
Add tests for concurrent AccessControl store usage (#286) * refactor(accesscontrol): use interface for AccessStore cache * refactor(accesscontrol): early return when cache is disabled * test(accesscontrol): add failing unit test * test(accesscontrol): skip failing test 2024-10-08 15:18:44 +00:00			`if l.cache == nil {`
			`return l.newAccessSet(user)`
RBAC caching 2020-02-08 20:03:57 +00:00			`}`

Add tests for concurrent AccessControl store usage (#286) * refactor(accesscontrol): use interface for AccessStore cache * refactor(accesscontrol): early return when cache is disabled * test(accesscontrol): add failing unit test * test(accesscontrol): skip failing test 2024-10-08 15:18:44 +00:00			`cacheKey := l.CacheKey(user)`

refactor(accesscontrol): use interface for AccessStore cache (#290) 2024-10-09 08:21:29 +00:00			`res, _, _ := l.concurrentAccessFor.Do(cacheKey, func() (interface{}, error) {`
			`if val, ok := l.cache.Get(cacheKey); ok {`
			`as, _ := val.(*AccessSet)`
			`return as, nil`
			`}`
Add tests for concurrent AccessControl store usage (#286) * refactor(accesscontrol): use interface for AccessStore cache * refactor(accesscontrol): early return when cache is disabled * test(accesscontrol): add failing unit test * test(accesscontrol): skip failing test 2024-10-08 15:18:44 +00:00
refactor(accesscontrol): use interface for AccessStore cache (#290) 2024-10-09 08:21:29 +00:00			`result := l.newAccessSet(user)`
			`result.ID = cacheKey`
			`l.cache.Add(cacheKey, result, 24*time.Hour)`
Add tests for concurrent AccessControl store usage (#286) * refactor(accesscontrol): use interface for AccessStore cache * refactor(accesscontrol): early return when cache is disabled * test(accesscontrol): add failing unit test * test(accesscontrol): skip failing test 2024-10-08 15:18:44 +00:00
refactor(accesscontrol): use interface for AccessStore cache (#290) 2024-10-09 08:21:29 +00:00			`return result, nil`
			`})`
			`return res.(*AccessSet)`
Add tests for concurrent AccessControl store usage (#286) * refactor(accesscontrol): use interface for AccessStore cache * refactor(accesscontrol): early return when cache is disabled * test(accesscontrol): add failing unit test * test(accesscontrol): skip failing test 2024-10-08 15:18:44 +00:00			`}`

			`func (l AccessStore) newAccessSet(user user.Info) AccessSet {`
refactor(accesscontrol): add unit tests for CacheKey (#245) This is a follow up to 435e220 with a small refactor to make the function easier to test, and adding unit tests for CacheKey. 2024-08-28 08:06:21 +00:00			`result := l.usersPolicyRules.get(user.GetName())`
Initial commit 2019-08-04 17:41:32 +00:00			`for _, group := range user.GetGroups() {`
refactor(accesscontrol): add unit tests for CacheKey (#245) This is a follow up to 435e220 with a small refactor to make the function easier to test, and adding unit tests for CacheKey. 2024-08-28 08:06:21 +00:00			`result.Merge(l.groupsPolicyRules.get(group))`
Initial commit 2019-08-04 17:41:32 +00:00			`}`
			`return result`
			`}`
RBAC caching 2020-02-08 20:03:57 +00:00
Adding logic to limit number of cached schemas Adds logic to ensure that only one schema/access set is cached for each user. This should improve memory consumption 2022-08-26 14:27:57 +00:00			`func (l *AccessStore) PurgeUserData(id string) {`
			`l.cache.Remove(id)`
			`}`

RBAC caching 2020-02-08 20:03:57 +00:00			`func (l *AccessStore) CacheKey(user user.Info) string {`
RBAC performance improvements 2020-03-02 05:23:36 +00:00			`d := sha256.New()`
RBAC caching 2020-02-08 20:03:57 +00:00
RBAC performance improvements 2020-03-02 05:23:36 +00:00			`groupBase := user.GetGroups()`
fix(accesscontrol): CacheKey could not be stable 2024-07-18 07:54:14 +00:00			`groups := make([]string, len(groupBase))`
RBAC performance improvements 2020-03-02 05:23:36 +00:00			`copy(groups, groupBase)`
			`sort.Strings(groups)`
fix(accesscontrol): CacheKey could not be stable 2024-07-18 07:54:14 +00:00
refactor(accesscontrol): add unit tests for CacheKey (#245) This is a follow up to 435e220 with a small refactor to make the function easier to test, and adding unit tests for CacheKey. 2024-08-28 08:06:21 +00:00			`l.addRolesToHash(d, user.GetName(), l.usersPolicyRules)`
fix(accesscontrol): CacheKey could not be stable 2024-07-18 07:54:14 +00:00			`for _, group := range groups {`
refactor(accesscontrol): add unit tests for CacheKey (#245) This is a follow up to 435e220 with a small refactor to make the function easier to test, and adding unit tests for CacheKey. 2024-08-28 08:06:21 +00:00			`l.addRolesToHash(d, group, l.groupsPolicyRules)`
RBAC caching 2020-02-08 20:03:57 +00:00			`}`
RBAC performance improvements 2020-03-02 05:23:36 +00:00
Don't cache the user's schema cache key 2021-08-10 21:02:22 +00:00			`return hex.EncodeToString(d.Sum(nil))`
RBAC caching 2020-02-08 20:03:57 +00:00			`}`
refactor(accesscontrol): add unit tests for CacheKey (#245) This is a follow up to 435e220 with a small refactor to make the function easier to test, and adding unit tests for CacheKey. 2024-08-28 08:06:21 +00:00
			`func (l *AccessStore) addRolesToHash(digest hash.Hash, subjectName string, rules policyRules) {`
			`for _, crb := range rules.getClusterRoleBindings(subjectName) {`
			`digest.Write([]byte(crb.RoleRef.Name))`
			`digest.Write([]byte(l.roles.roleRevision("", crb.RoleRef.Name)))`
			`}`

			`for _, rb := range rules.getRoleBindings(subjectName) {`
			`digest.Write([]byte(rb.RoleRef.Name))`
			`if rb.Namespace != "" {`
			`digest.Write([]byte(rb.Namespace))`
			`}`
			`digest.Write([]byte(l.roles.roleRevision(rb.Namespace, rb.RoleRef.Name)))`
			`}`
			`}`