steve/pkg/ext/apiserver_authorization.go

package ext

import (
	"context"

	"github.com/rancher/steve/pkg/accesscontrol"
	"k8s.io/apimachinery/pkg/runtime/schema"
	"k8s.io/apiserver/pkg/authorization/authorizer"
)

var _ authorizer.Authorizer = (*AccessSetAuthorizer)(nil)

type AccessSetAuthorizer struct {
	asl accesscontrol.AccessSetLookup
}

func NewAccessSetAuthorizer(asl accesscontrol.AccessSetLookup) *AccessSetAuthorizer {
	return &AccessSetAuthorizer{
		asl: asl,
	}
}

// Authorize implements [authorizer.Authorizer].
func (a *AccessSetAuthorizer) Authorize(ctx context.Context, attrs authorizer.Attributes) (authorized authorizer.Decision, reason string, err error) {
	verb := attrs.GetVerb()
	path := attrs.GetPath()
	accessSet := a.asl.AccessFor(attrs.GetUser())

	if !attrs.IsResourceRequest() {
		if accessSet.GrantsNonResource(verb, path) {
			return authorizer.DecisionAllow, "", nil
		}

		// An empty string reason will still provide enough information such as:
		//
		//    forbidden: User "unknown-user" cannot post path /openapi/v3
		return authorizer.DecisionDeny, "", nil
	}

	namespace := attrs.GetNamespace()
	name := attrs.GetName()
	gr := schema.GroupResource{
		Group:    attrs.GetAPIGroup(),
		Resource: attrs.GetResource(),
	}

	if accessSet.Grants(verb, gr, namespace, name) {
		return authorizer.DecisionAllow, "", nil
	}

	// An empty string reason will still provide enough information such as:
	//
	//     testtypes.ext.cattle.io is forbidden: User "unknown-user" cannot list resource "testtypes" in API group "ext.cattle.io" at the cluster scope
	return authorizer.DecisionDeny, "", nil
}
Implement /ext in Steve for Imperative API (#287) This implements the Imperative API that is served at /ext with Steve. The imperative API is compatible with Kubernetes' API server and will be used as an extension API server. 2024-10-11 19:19:27 +00:00			`package ext`

			`import (`
			`"context"`

			`"github.com/rancher/steve/pkg/accesscontrol"`
			`"k8s.io/apimachinery/pkg/runtime/schema"`
			`"k8s.io/apiserver/pkg/authorization/authorizer"`
			`)`

			`var _ authorizer.Authorizer = (*AccessSetAuthorizer)(nil)`

			`type AccessSetAuthorizer struct {`
			`asl accesscontrol.AccessSetLookup`
			`}`

			`func NewAccessSetAuthorizer(asl accesscontrol.AccessSetLookup) *AccessSetAuthorizer {`
			`return &AccessSetAuthorizer{`
			`asl: asl,`
			`}`
			`}`

			`// Authorize implements [authorizer.Authorizer].`
			`func (a *AccessSetAuthorizer) Authorize(ctx context.Context, attrs authorizer.Attributes) (authorized authorizer.Decision, reason string, err error) {`
#47483 - Adding NonResourceURLs support to AccessStore (#299) * adding NonResourceURLs support to access_store * added tests to AccessSet NonResourceURLs handling * change on test script suggested by @tomleb + go mod tidy * added nonresource to ext api authorization * added NonResourceURLs implementation in Authorizes + test * removed non-resource-url tests from the main test * added new tests for non-resource-urls * removed unused test data * changed nonResourceKey to point to struct{} * addressed comments from @tomleb * addressed more comments * fixing typo * check for empty accessSet 2024-11-05 02:47:48 +00:00			`verb := attrs.GetVerb()`
			`path := attrs.GetPath()`
			`accessSet := a.asl.AccessFor(attrs.GetUser())`

Implement /ext in Steve for Imperative API (#287) This implements the Imperative API that is served at /ext with Steve. The imperative API is compatible with Kubernetes' API server and will be used as an extension API server. 2024-10-11 19:19:27 +00:00			`if !attrs.IsResourceRequest() {`
#47483 - Adding NonResourceURLs support to AccessStore (#299) * adding NonResourceURLs support to access_store * added tests to AccessSet NonResourceURLs handling * change on test script suggested by @tomleb + go mod tidy * added nonresource to ext api authorization * added NonResourceURLs implementation in Authorizes + test * removed non-resource-url tests from the main test * added new tests for non-resource-urls * removed unused test data * changed nonResourceKey to point to struct{} * addressed comments from @tomleb * addressed more comments * fixing typo * check for empty accessSet 2024-11-05 02:47:48 +00:00			`if accessSet.GrantsNonResource(verb, path) {`
			`return authorizer.DecisionAllow, "", nil`
			`}`

			`// An empty string reason will still provide enough information such as:`
			`//`
			`// forbidden: User "unknown-user" cannot post path /openapi/v3`
			`return authorizer.DecisionDeny, "", nil`
Implement /ext in Steve for Imperative API (#287) This implements the Imperative API that is served at /ext with Steve. The imperative API is compatible with Kubernetes' API server and will be used as an extension API server. 2024-10-11 19:19:27 +00:00			`}`

			`namespace := attrs.GetNamespace()`
			`name := attrs.GetName()`
			`gr := schema.GroupResource{`
			`Group: attrs.GetAPIGroup(),`
			`Resource: attrs.GetResource(),`
			`}`

			`if accessSet.Grants(verb, gr, namespace, name) {`
			`return authorizer.DecisionAllow, "", nil`
			`}`

			`// An empty string reason will still provide enough information such as:`
			`//`
			`// testtypes.ext.cattle.io is forbidden: User "unknown-user" cannot list resource "testtypes" in API group "ext.cattle.io" at the cluster scope`
			`return authorizer.DecisionDeny, "", nil`
			`}`