steve/pkg/accesscontrol/access_control.go

package accesscontrol

import (
	apiserver "github.com/rancher/apiserver/pkg/server"
	"github.com/rancher/apiserver/pkg/types"
	"github.com/rancher/steve/pkg/attributes"
	"github.com/rancher/wrangler/v3/pkg/kv"
	"k8s.io/apimachinery/pkg/runtime/schema"
)

type AccessControl struct {
	apiserver.SchemaBasedAccess
}

func NewAccessControl() *AccessControl {
	return &AccessControl{}
}

func (a *AccessControl) CanDo(apiOp *types.APIRequest, resource, verb, namespace, name string) error {
	apiSchema := apiOp.Schemas.LookupSchema(resource)
	if apiSchema != nil && attributes.GVK(apiSchema).Kind != "" {
		access := GetAccessListMap(apiSchema)
		if access[verb].Grants(namespace, name) {
			return nil
		}
	}
	group, resource := kv.Split(resource, "/")
	accessSet := apiOp.Schemas.Attributes["accessSet"].(*AccessSet)
	if accessSet.Grants(verb, schema.GroupResource{
		Group:    group,
		Resource: resource,
	}, namespace, name) {
		return nil
	}
	return a.SchemaBasedAccess.CanDo(apiOp, resource, verb, namespace, name)
}

func (a *AccessControl) CanWatch(apiOp *types.APIRequest, schema *types.APISchema) error {
	if attributes.GVK(schema).Kind != "" {
		access := GetAccessListMap(schema)
		if _, ok := access["watch"]; ok {
			return nil
		}
	}
	return a.SchemaBasedAccess.CanWatch(apiOp, schema)
}
Initial commit 2019-08-04 17:41:32 +00:00			`package accesscontrol`

			`import (`
cleanup: remove duplicate apiserver import Remove duplicate import and make aliasing of other apiserver imports consistent throughout steve. 2022-10-10 18:49:05 +00:00			`apiserver "github.com/rancher/apiserver/pkg/server"`
Shuffle around code and use rancher/apiserver 2020-06-12 04:50:59 +00:00			`"github.com/rancher/apiserver/pkg/types"`
			`"github.com/rancher/steve/pkg/attributes"`
updated wrangler from v2 to v3 also updated k8s dependencies to v0.30.1 2024-06-04 18:52:48 +00:00			`"github.com/rancher/wrangler/v3/pkg/kv"`
Implement generic CanDo against k8s roles 2021-05-19 05:34:46 +00:00			`"k8s.io/apimachinery/pkg/runtime/schema"`
Initial commit 2019-08-04 17:41:32 +00:00			`)`

			`type AccessControl struct {`
cleanup: remove duplicate apiserver import Remove duplicate import and make aliasing of other apiserver imports consistent throughout steve. 2022-10-10 18:49:05 +00:00			`apiserver.SchemaBasedAccess`
Initial commit 2019-08-04 17:41:32 +00:00			`}`

			`func NewAccessControl() *AccessControl {`
			`return &AccessControl{}`
			`}`

Implement generic CanDo against k8s roles 2021-05-19 05:34:46 +00:00			`func (a AccessControl) CanDo(apiOp types.APIRequest, resource, verb, namespace, name string) error {`
			`apiSchema := apiOp.Schemas.LookupSchema(resource)`
			`if apiSchema != nil && attributes.GVK(apiSchema).Kind != "" {`
			`access := GetAccessListMap(apiSchema)`
			`if access[verb].Grants(namespace, name) {`
			`return nil`
			`}`
			`}`
			`group, resource := kv.Split(resource, "/")`
			`accessSet := apiOp.Schemas.Attributes["accessSet"].(*AccessSet)`
			`if accessSet.Grants(verb, schema.GroupResource{`
			`Group: group,`
			`Resource: resource,`
			`}, namespace, name) {`
			`return nil`
			`}`
			`return a.SchemaBasedAccess.CanDo(apiOp, resource, verb, namespace, name)`
			`}`

Refactor 2020-01-31 05:37:59 +00:00			`func (a AccessControl) CanWatch(apiOp types.APIRequest, schema *types.APISchema) error {`
Shuffle around code and use rancher/apiserver 2020-06-12 04:50:59 +00:00			`if attributes.GVK(schema).Kind != "" {`
			`access := GetAccessListMap(schema)`
			`if _, ok := access["watch"]; ok {`
			`return nil`
			`}`
Initial commit 2019-08-04 17:41:32 +00:00			`}`
Shuffle around code and use rancher/apiserver 2020-06-12 04:50:59 +00:00			`return a.SchemaBasedAccess.CanWatch(apiOp, schema)`
Initial commit 2019-08-04 17:41:32 +00:00			`}`