steve/pkg/accesscontrol/access_control.go

package accesscontrol

import (
	apiserver "github.com/rancher/apiserver/pkg/server"
	"github.com/rancher/apiserver/pkg/types"
	"github.com/rancher/steve/pkg/attributes"
	"github.com/rancher/wrangler/v3/pkg/kv"
	"k8s.io/apimachinery/pkg/runtime/schema"
)

const accessSetAttribute = "accessSet"

type AccessControl struct {
	apiserver.SchemaBasedAccess
}

func NewAccessControl() *AccessControl {
	return &AccessControl{}
}

func (a *AccessControl) CanDo(apiOp *types.APIRequest, resource, verb, namespace, name string) error {
	apiSchema := apiOp.Schemas.LookupSchema(resource)
	if apiSchema != nil && attributes.GVK(apiSchema).Kind != "" {
		access := GetAccessListMap(apiSchema)
		if access[verb].Grants(namespace, name) {
			return nil
		}
	}
	group, resource := kv.Split(resource, "/")
	accessSet := AccessSetFromAPIRequest(apiOp)
	if accessSet != nil && accessSet.Grants(verb, schema.GroupResource{
		Group:    group,
		Resource: resource,
	}, namespace, name) {
		return nil
	}
	return a.SchemaBasedAccess.CanDo(apiOp, resource, verb, namespace, name)
}

func (a *AccessControl) CanWatch(apiOp *types.APIRequest, schema *types.APISchema) error {
	if attributes.GVK(schema).Kind != "" {
		access := GetAccessListMap(schema)
		if _, ok := access["watch"]; ok {
			return nil
		}
	}
	return a.SchemaBasedAccess.CanWatch(apiOp, schema)
}

// SetAccessSetAttribute stores the provided accessSet using a predefined attribute
func SetAccessSetAttribute(schemas *types.APISchemas, accessSet *AccessSet) {
	if schemas.Attributes == nil {
		schemas.Attributes = map[string]interface{}{}
	}
	schemas.Attributes[accessSetAttribute] = accessSet
}

// AccessSetFromAPIRequest retrieves an AccessSet from the APIRequest Schemas attributes, if defined.
// This attribute must have been previously set by using SetAccessSetAttribute
func AccessSetFromAPIRequest(req *types.APIRequest) *AccessSet {
	if req == nil || req.Schemas == nil {
		return nil
	}
	if v, ok := req.Schemas.Attributes[accessSetAttribute]; ok {
		return v.(*AccessSet)
	}
	return nil
}
Initial commit 2019-08-04 17:41:32 +00:00			`package accesscontrol`

			`import (`
cleanup: remove duplicate apiserver import Remove duplicate import and make aliasing of other apiserver imports consistent throughout steve. 2022-10-10 18:49:05 +00:00			`apiserver "github.com/rancher/apiserver/pkg/server"`
Shuffle around code and use rancher/apiserver 2020-06-12 04:50:59 +00:00			`"github.com/rancher/apiserver/pkg/types"`
			`"github.com/rancher/steve/pkg/attributes"`
updated wrangler from v2 to v3 also updated k8s dependencies to v0.30.1 2024-06-04 18:52:48 +00:00			`"github.com/rancher/wrangler/v3/pkg/kv"`
Implement generic CanDo against k8s roles 2021-05-19 05:34:46 +00:00			`"k8s.io/apimachinery/pkg/runtime/schema"`
Initial commit 2019-08-04 17:41:32 +00:00			`)`

Calculate AccessSets once per request instead of per resource (#647) (#659) 2025-06-03 10:46:37 +00:00			`const accessSetAttribute = "accessSet"`

Initial commit 2019-08-04 17:41:32 +00:00			`type AccessControl struct {`
cleanup: remove duplicate apiserver import Remove duplicate import and make aliasing of other apiserver imports consistent throughout steve. 2022-10-10 18:49:05 +00:00			`apiserver.SchemaBasedAccess`
Initial commit 2019-08-04 17:41:32 +00:00			`}`

			`func NewAccessControl() *AccessControl {`
			`return &AccessControl{}`
			`}`

Implement generic CanDo against k8s roles 2021-05-19 05:34:46 +00:00			`func (a AccessControl) CanDo(apiOp types.APIRequest, resource, verb, namespace, name string) error {`
			`apiSchema := apiOp.Schemas.LookupSchema(resource)`
			`if apiSchema != nil && attributes.GVK(apiSchema).Kind != "" {`
			`access := GetAccessListMap(apiSchema)`
			`if access[verb].Grants(namespace, name) {`
			`return nil`
			`}`
			`}`
			`group, resource := kv.Split(resource, "/")`
Calculate AccessSets once per request instead of per resource (#647) (#659) 2025-06-03 10:46:37 +00:00			`accessSet := AccessSetFromAPIRequest(apiOp)`
			`if accessSet != nil && accessSet.Grants(verb, schema.GroupResource{`
Implement generic CanDo against k8s roles 2021-05-19 05:34:46 +00:00			`Group: group,`
			`Resource: resource,`
			`}, namespace, name) {`
			`return nil`
			`}`
			`return a.SchemaBasedAccess.CanDo(apiOp, resource, verb, namespace, name)`
			`}`

Refactor 2020-01-31 05:37:59 +00:00			`func (a AccessControl) CanWatch(apiOp types.APIRequest, schema *types.APISchema) error {`
Shuffle around code and use rancher/apiserver 2020-06-12 04:50:59 +00:00			`if attributes.GVK(schema).Kind != "" {`
			`access := GetAccessListMap(schema)`
			`if _, ok := access["watch"]; ok {`
			`return nil`
			`}`
Initial commit 2019-08-04 17:41:32 +00:00			`}`
Shuffle around code and use rancher/apiserver 2020-06-12 04:50:59 +00:00			`return a.SchemaBasedAccess.CanWatch(apiOp, schema)`
Initial commit 2019-08-04 17:41:32 +00:00			`}`
Calculate AccessSets once per request instead of per resource (#647) (#659) 2025-06-03 10:46:37 +00:00
			`// SetAccessSetAttribute stores the provided accessSet using a predefined attribute`
			`func SetAccessSetAttribute(schemas types.APISchemas, accessSet AccessSet) {`
			`if schemas.Attributes == nil {`
			`schemas.Attributes = map[string]interface{}{}`
			`}`
			`schemas.Attributes[accessSetAttribute] = accessSet`
			`}`

			`// AccessSetFromAPIRequest retrieves an AccessSet from the APIRequest Schemas attributes, if defined.`
			`// This attribute must have been previously set by using SetAccessSetAttribute`
			`func AccessSetFromAPIRequest(req types.APIRequest) AccessSet {`
			`if req == nil \|\| req.Schemas == nil {`
			`return nil`
			`}`
			`if v, ok := req.Schemas.Attributes[accessSetAttribute]; ok {`
			`return v.(*AccessSet)`
			`}`
			`return nil`
			`}`