steve/pkg/schema/factory.go

package schema

import (
	"fmt"
	"net/http"
	"time"

	"github.com/rancher/apiserver/pkg/builtin"
	"github.com/rancher/apiserver/pkg/types"
	"github.com/rancher/steve/pkg/accesscontrol"
	"github.com/rancher/steve/pkg/attributes"
	"k8s.io/apiserver/pkg/authentication/user"
)

func newSchemas() (*types.APISchemas, error) {
	apiSchemas := types.EmptyAPISchemas()
	if err := apiSchemas.AddSchemas(builtin.Schemas); err != nil {
		return nil, err
	}

	return apiSchemas, nil
}

func (c *Collection) Schemas(user user.Info) (*types.APISchemas, error) {
	access := c.as.AccessFor(user)
	c.removeOldRecords(access, user)
	val, ok := c.cache.Get(access.ID)
	if ok {
		schemas, _ := val.(*types.APISchemas)
		return schemas, nil
	}

	schemas, err := c.schemasForSubject(access)
	if err != nil {
		return nil, err
	}
	c.addToCache(access, user, schemas)
	return schemas, nil
}

func (c *Collection) removeOldRecords(access *accesscontrol.AccessSet, user user.Info) {
	current, ok := c.userCache.Get(user.GetName())
	if ok {
		currentID, cOk := current.(string)
		if cOk && currentID != access.ID {
			// we only want to keep around one record per user. If our current access record is invalid, purge the
			//record of it from the cache, so we don't keep duplicates
			c.purgeUserRecords(currentID)
			c.userCache.Remove(user.GetName())
		}
	}
}

func (c *Collection) addToCache(access *accesscontrol.AccessSet, user user.Info, schemas *types.APISchemas) {
	c.cache.Add(access.ID, schemas, 24*time.Hour)
	c.userCache.Add(user.GetName(), access.ID, 24*time.Hour)
}

// PurgeUserRecords removes a record from the backing LRU cache before expiry
func (c *Collection) purgeUserRecords(id string) {
	c.cache.Remove(id)
	c.as.PurgeUserData(id)
}

func (c *Collection) schemasForSubject(access *accesscontrol.AccessSet) (*types.APISchemas, error) {
	c.lock.RLock()
	defer c.lock.RUnlock()

	result, err := newSchemas()
	if err != nil {
		return nil, err
	}

	if err := result.AddSchemas(c.baseSchema); err != nil {
		return nil, err
	}

	for _, s := range c.schemas {
		gr := attributes.GR(s)

		if gr.Resource == "" {
			if err := result.AddSchema(*s); err != nil {
				return nil, err
			}
			continue
		}

		verbs := attributes.Verbs(s)
		verbAccess := accesscontrol.AccessListByVerb{}

		for _, verb := range verbs {
			a := access.AccessListFor(verb, gr)
			if !attributes.Namespaced(s) {
				// trim out bad data where we are granted namespaced access to cluster scoped object
				result := accesscontrol.AccessList{}
				for _, access := range a {
					if access.Namespace == accesscontrol.All {
						result = append(result, access)
					}
				}
				a = result
			}
			if len(a) > 0 {
				verbAccess[verb] = a
			}
		}

		if len(verbAccess) == 0 {
			if gr.Group == "" && gr.Resource == "namespaces" {
				var accessList accesscontrol.AccessList
				for _, ns := range access.Namespaces() {
					accessList = append(accessList, accesscontrol.Access{
						Namespace:    accesscontrol.All,
						ResourceName: ns,
					})
				}
				verbAccess["get"] = accessList
				verbAccess["watch"] = accessList
				if len(accessList) == 0 {
					// always allow list
					s.CollectionMethods = append(s.CollectionMethods, http.MethodGet)
				}
			}
		}

		allowed := func(method string) string {
			if attributes.DisallowMethods(s)[method] {
				return "blocked-" + method
			}
			return method
		}

		s = s.DeepCopy()
		attributes.SetAccess(s, verbAccess)
		if verbAccess.AnyVerb("list", "get") {
			s.ResourceMethods = append(s.ResourceMethods, allowed(http.MethodGet))
			s.CollectionMethods = append(s.CollectionMethods, allowed(http.MethodGet))
		}
		if verbAccess.AnyVerb("delete") {
			s.ResourceMethods = append(s.ResourceMethods, allowed(http.MethodDelete))
		}
		if verbAccess.AnyVerb("update") {
			s.ResourceMethods = append(s.ResourceMethods, allowed(http.MethodPut))
			s.ResourceMethods = append(s.ResourceMethods, allowed(http.MethodPatch))
		}
		if verbAccess.AnyVerb("create") {
			s.CollectionMethods = append(s.CollectionMethods, allowed(http.MethodPost))
		}

		if len(s.CollectionMethods) == 0 && len(s.ResourceMethods) == 0 {
			continue
		}

		if err := result.AddSchema(*s); err != nil {
			return nil, err
		}
	}

	result.Attributes = map[string]interface{}{
		"accessSet": access,
	}
	return result, nil
}

func (c *Collection) defaultStore() types.Store {
	templates := c.templates[""]
	if len(templates) > 0 {
		return templates[0].Store
	}
	return nil
}

func (c *Collection) applyTemplates(schema *types.APISchema) {
	c.lock.RLock()
	defer c.lock.RUnlock()

	templates := [][]*Template{
		c.templates[schema.ID],
		c.templates[fmt.Sprintf("%s/%s", attributes.Group(schema), attributes.Kind(schema))],
		c.templates[""],
	}

	for _, templates := range templates {
		for _, t := range templates {
			if t == nil {
				continue
			}
			if schema.Formatter == nil {
				schema.Formatter = t.Formatter
			} else if t.Formatter != nil {
				schema.Formatter = types.FormatterChain(t.Formatter, schema.Formatter)
			}
			if schema.Store == nil {
				if t.StoreFactory == nil {
					schema.Store = t.Store
				} else {
					schema.Store = t.StoreFactory(c.defaultStore())
				}
			}
			if t.Customize != nil {
				t.Customize(schema)
			}
		}
	}
}
Refactor schema IDs and paths 2019-08-13 23:36:03 +00:00			`package schema`

			`import (`
			`"fmt"`
			`"net/http"`
RBAC caching 2020-02-08 20:03:57 +00:00			`"time"`
Refactor schema IDs and paths 2019-08-13 23:36:03 +00:00
Shuffle around code and use rancher/apiserver 2020-06-12 04:50:59 +00:00			`"github.com/rancher/apiserver/pkg/builtin"`
			`"github.com/rancher/apiserver/pkg/types"`
Steve! 2019-09-11 21:05:00 +00:00			`"github.com/rancher/steve/pkg/accesscontrol"`
			`"github.com/rancher/steve/pkg/attributes"`
Refactor schema IDs and paths 2019-08-13 23:36:03 +00:00			`"k8s.io/apiserver/pkg/authentication/user"`
			`)`

Refactor 2020-01-31 05:37:59 +00:00			`func newSchemas() (*types.APISchemas, error) {`
			`apiSchemas := types.EmptyAPISchemas()`
			`if err := apiSchemas.AddSchemas(builtin.Schemas); err != nil {`
Refactor schema IDs and paths 2019-08-13 23:36:03 +00:00			`return nil, err`
			`}`

Refactor 2020-01-31 05:37:59 +00:00			`return apiSchemas, nil`
Refactor schema IDs and paths 2019-08-13 23:36:03 +00:00			`}`

Refactor 2020-01-31 05:37:59 +00:00			`func (c Collection) Schemas(user user.Info) (types.APISchemas, error) {`
Refactor schema IDs and paths 2019-08-13 23:36:03 +00:00			`access := c.as.AccessFor(user)`
Adding logic to limit number of cached schemas Adds logic to ensure that only one schema/access set is cached for each user. This should improve memory consumption 2022-08-26 14:27:57 +00:00			`c.removeOldRecords(access, user)`
RBAC caching 2020-02-08 20:03:57 +00:00			`val, ok := c.cache.Get(access.ID)`
			`if ok {`
			`schemas, _ := val.(*types.APISchemas)`
			`return schemas, nil`
			`}`

			`schemas, err := c.schemasForSubject(access)`
			`if err != nil {`
			`return nil, err`
			`}`
Adding logic to limit number of cached schemas Adds logic to ensure that only one schema/access set is cached for each user. This should improve memory consumption 2022-08-26 14:27:57 +00:00			`c.addToCache(access, user, schemas)`
			`return schemas, nil`
			`}`
RBAC caching 2020-02-08 20:03:57 +00:00
Adding logic to limit number of cached schemas Adds logic to ensure that only one schema/access set is cached for each user. This should improve memory consumption 2022-08-26 14:27:57 +00:00			`func (c Collection) removeOldRecords(access accesscontrol.AccessSet, user user.Info) {`
			`current, ok := c.userCache.Get(user.GetName())`
			`if ok {`
Adding validate phase to the CI Adds a validate phase to the CI which runs a linter. Also fixes linter issues discovered during the initial run 2022-10-14 20:21:17 +00:00			`currentID, cOk := current.(string)`
			`if cOk && currentID != access.ID {`
Adding logic to limit number of cached schemas Adds logic to ensure that only one schema/access set is cached for each user. This should improve memory consumption 2022-08-26 14:27:57 +00:00			`// we only want to keep around one record per user. If our current access record is invalid, purge the`
			`//record of it from the cache, so we don't keep duplicates`
Adding validate phase to the CI Adds a validate phase to the CI which runs a linter. Also fixes linter issues discovered during the initial run 2022-10-14 20:21:17 +00:00			`c.purgeUserRecords(currentID)`
Adding logic to limit number of cached schemas Adds logic to ensure that only one schema/access set is cached for each user. This should improve memory consumption 2022-08-26 14:27:57 +00:00			`c.userCache.Remove(user.GetName())`
			`}`
			`}`
			`}`

			`func (c Collection) addToCache(access accesscontrol.AccessSet, user user.Info, schemas *types.APISchemas) {`
RBAC caching 2020-02-08 20:03:57 +00:00			`c.cache.Add(access.ID, schemas, 24*time.Hour)`
Adding logic to limit number of cached schemas Adds logic to ensure that only one schema/access set is cached for each user. This should improve memory consumption 2022-08-26 14:27:57 +00:00			`c.userCache.Add(user.GetName(), access.ID, 24*time.Hour)`
			`}`

			`// PurgeUserRecords removes a record from the backing LRU cache before expiry`
			`func (c *Collection) purgeUserRecords(id string) {`
			`c.cache.Remove(id)`
			`c.as.PurgeUserData(id)`
Refactor schema IDs and paths 2019-08-13 23:36:03 +00:00			`}`

Refactor 2020-01-31 05:37:59 +00:00			`func (c Collection) schemasForSubject(access accesscontrol.AccessSet) (*types.APISchemas, error) {`
RBAC caching 2020-02-08 20:03:57 +00:00			`c.lock.RLock()`
			`defer c.lock.RUnlock()`

Refactor schema IDs and paths 2019-08-13 23:36:03 +00:00			`result, err := newSchemas()`
			`if err != nil {`
			`return nil, err`
			`}`

Refactor 2020-01-31 05:37:59 +00:00			`if err := result.AddSchemas(c.baseSchema); err != nil {`
Refactor schema IDs and paths 2019-08-13 23:36:03 +00:00			`return nil, err`
			`}`

			`for _, s := range c.schemas {`
			`gr := attributes.GR(s)`

			`if gr.Resource == "" {`
			`if err := result.AddSchema(*s); err != nil {`
			`return nil, err`
			`}`
			`continue`
			`}`

			`verbs := attributes.Verbs(s)`
Refactor 2020-01-31 05:37:59 +00:00			`verbAccess := accesscontrol.AccessListByVerb{}`
Refactor schema IDs and paths 2019-08-13 23:36:03 +00:00
			`for _, verb := range verbs {`
			`a := access.AccessListFor(verb, gr)`
Deal with namespace bindings to cluster scoped resources 2020-02-11 03:53:45 +00:00			`if !attributes.Namespaced(s) {`
			`// trim out bad data where we are granted namespaced access to cluster scoped object`
			`result := accesscontrol.AccessList{}`
			`for _, access := range a {`
			`if access.Namespace == accesscontrol.All {`
			`result = append(result, access)`
			`}`
			`}`
			`a = result`
			`}`
Refactor schema IDs and paths 2019-08-13 23:36:03 +00:00			`if len(a) > 0 {`
			`verbAccess[verb] = a`
			`}`
			`}`

			`if len(verbAccess) == 0 {`
Full dynamic RBAC and pagination 2020-02-10 17:18:20 +00:00			`if gr.Group == "" && gr.Resource == "namespaces" {`
			`var accessList accesscontrol.AccessList`
			`for _, ns := range access.Namespaces() {`
			`accessList = append(accessList, accesscontrol.Access{`
Rename variable 2020-02-11 03:54:33 +00:00			`Namespace: accesscontrol.All,`
Full dynamic RBAC and pagination 2020-02-10 17:18:20 +00:00			`ResourceName: ns,`
			`})`
			`}`
If no namespace access at all still include list 2020-09-19 00:19:14 +00:00			`verbAccess["get"] = accessList`
Full dynamic RBAC and pagination 2020-02-10 17:18:20 +00:00			`verbAccess["watch"] = accessList`
If no namespace access at all still include list 2020-09-19 00:19:14 +00:00			`if len(accessList) == 0 {`
			`// always allow list`
			`s.CollectionMethods = append(s.CollectionMethods, http.MethodGet)`
			`}`
Full dynamic RBAC and pagination 2020-02-10 17:18:20 +00:00			`}`
Refactor schema IDs and paths 2019-08-13 23:36:03 +00:00			`}`

Add ability to disallow methods per a schema attribute 2021-08-13 18:02:38 +00:00			`allowed := func(method string) string {`
			`if attributes.DisallowMethods(s)[method] {`
			`return "blocked-" + method`
			`}`
			`return method`
			`}`

Refactor schema IDs and paths 2019-08-13 23:36:03 +00:00			`s = s.DeepCopy()`
			`attributes.SetAccess(s, verbAccess)`
			`if verbAccess.AnyVerb("list", "get") {`
Add ability to disallow methods per a schema attribute 2021-08-13 18:02:38 +00:00			`s.ResourceMethods = append(s.ResourceMethods, allowed(http.MethodGet))`
			`s.CollectionMethods = append(s.CollectionMethods, allowed(http.MethodGet))`
Refactor schema IDs and paths 2019-08-13 23:36:03 +00:00			`}`
			`if verbAccess.AnyVerb("delete") {`
Add ability to disallow methods per a schema attribute 2021-08-13 18:02:38 +00:00			`s.ResourceMethods = append(s.ResourceMethods, allowed(http.MethodDelete))`
Refactor schema IDs and paths 2019-08-13 23:36:03 +00:00			`}`
			`if verbAccess.AnyVerb("update") {`
Add ability to disallow methods per a schema attribute 2021-08-13 18:02:38 +00:00			`s.ResourceMethods = append(s.ResourceMethods, allowed(http.MethodPut))`
			`s.ResourceMethods = append(s.ResourceMethods, allowed(http.MethodPatch))`
Refactor schema IDs and paths 2019-08-13 23:36:03 +00:00			`}`
			`if verbAccess.AnyVerb("create") {`
Add ability to disallow methods per a schema attribute 2021-08-13 18:02:38 +00:00			`s.CollectionMethods = append(s.CollectionMethods, allowed(http.MethodPost))`
Refactor schema IDs and paths 2019-08-13 23:36:03 +00:00			`}`

Don't drop schemas that have existing authorization 2020-10-23 00:03:41 +00:00			`if len(s.CollectionMethods) == 0 && len(s.ResourceMethods) == 0 {`
			`continue`
			`}`

Refactor schema IDs and paths 2019-08-13 23:36:03 +00:00			`if err := result.AddSchema(*s); err != nil {`
			`return nil, err`
			`}`
			`}`

Implement generic CanDo against k8s roles 2021-05-19 05:34:46 +00:00			`result.Attributes = map[string]interface{}{`
			`"accessSet": access,`
			`}`
Refactor schema IDs and paths 2019-08-13 23:36:03 +00:00			`return result, nil`
			`}`

Implement generic CanDo against k8s roles 2021-05-19 05:34:46 +00:00			`func (c *Collection) defaultStore() types.Store {`
			`templates := c.templates[""]`
			`if len(templates) > 0 {`
			`return templates[0].Store`
			`}`
			`return nil`
			`}`

RBAC caching 2020-02-08 20:03:57 +00:00			`func (c Collection) applyTemplates(schema types.APISchema) {`
			`c.lock.RLock()`
			`defer c.lock.RUnlock()`

Add ability to add multiple schematemplates per type 2021-03-02 14:30:00 +00:00			`templates := [][]*Template{`
Refactor schema IDs and paths 2019-08-13 23:36:03 +00:00			`c.templates[schema.ID],`
			`c.templates[fmt.Sprintf("%s/%s", attributes.Group(schema), attributes.Kind(schema))],`
			`c.templates[""],`
			`}`

Add ability to add multiple schematemplates per type 2021-03-02 14:30:00 +00:00			`for _, templates := range templates {`
			`for _, t := range templates {`
			`if t == nil {`
			`continue`
			`}`
			`if schema.Formatter == nil {`
			`schema.Formatter = t.Formatter`
			`} else if t.Formatter != nil {`
			`schema.Formatter = types.FormatterChain(t.Formatter, schema.Formatter)`
			`}`
			`if schema.Store == nil {`
			`if t.StoreFactory == nil {`
			`schema.Store = t.Store`
			`} else {`
Implement generic CanDo against k8s roles 2021-05-19 05:34:46 +00:00			`schema.Store = t.StoreFactory(c.defaultStore())`
Add ability to add multiple schematemplates per type 2021-03-02 14:30:00 +00:00			`}`
			`}`
			`if t.Customize != nil {`
			`t.Customize(schema)`
Vendor 2020-01-31 05:01:21 +00:00			`}`
Add column support 2019-08-14 18:08:34 +00:00			`}`
Refactor schema IDs and paths 2019-08-13 23:36:03 +00:00			`}`
			`}`