2019-08-04 17:41:32 +00:00
|
|
|
package accesscontrol
|
|
|
|
|
|
|
|
|
|
import (
|
2020-08-11 17:59:02 +00:00
|
|
|
"fmt"
|
2020-03-02 05:23:36 +00:00
|
|
|
"hash"
|
|
|
|
|
"sort"
|
|
|
|
|
|
2024-06-04 18:52:48 +00:00
|
|
|
v1 "github.com/rancher/wrangler/v3/pkg/generated/controllers/rbac/v1"
|
2019-08-04 17:41:32 +00:00
|
|
|
rbacv1 "k8s.io/api/rbac/v1"
|
|
|
|
|
"k8s.io/apimachinery/pkg/runtime/schema"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
const (
|
|
|
|
|
rbacGroup = "rbac.authorization.k8s.io"
|
2020-02-11 03:54:33 +00:00
|
|
|
All = "*"
|
2019-08-04 17:41:32 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
type policyRuleIndex struct {
|
|
|
|
|
crCache v1.ClusterRoleCache
|
|
|
|
|
rCache v1.RoleCache
|
|
|
|
|
crbCache v1.ClusterRoleBindingCache
|
|
|
|
|
rbCache v1.RoleBindingCache
|
2020-03-02 05:23:36 +00:00
|
|
|
revisions *roleRevisionIndex
|
2019-08-04 17:41:32 +00:00
|
|
|
kind string
|
|
|
|
|
roleIndexKey string
|
|
|
|
|
clusterRoleIndexKey string
|
|
|
|
|
}
|
|
|
|
|
|
2020-03-02 05:23:36 +00:00
|
|
|
func newPolicyRuleIndex(user bool, revisions *roleRevisionIndex, rbac v1.Interface) *policyRuleIndex {
|
2019-08-04 17:41:32 +00:00
|
|
|
key := "Group"
|
|
|
|
|
if user {
|
|
|
|
|
key = "User"
|
|
|
|
|
}
|
|
|
|
|
pi := &policyRuleIndex{
|
|
|
|
|
kind: key,
|
|
|
|
|
crCache: rbac.ClusterRole().Cache(),
|
|
|
|
|
rCache: rbac.Role().Cache(),
|
|
|
|
|
crbCache: rbac.ClusterRoleBinding().Cache(),
|
|
|
|
|
rbCache: rbac.RoleBinding().Cache(),
|
|
|
|
|
clusterRoleIndexKey: "crb" + key,
|
|
|
|
|
roleIndexKey: "rb" + key,
|
2020-03-02 05:23:36 +00:00
|
|
|
revisions: revisions,
|
2019-08-04 17:41:32 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
pi.crbCache.AddIndexer(pi.clusterRoleIndexKey, pi.clusterRoleBindingBySubjectIndexer)
|
|
|
|
|
pi.rbCache.AddIndexer(pi.roleIndexKey, pi.roleBindingBySubject)
|
|
|
|
|
|
|
|
|
|
return pi
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (p *policyRuleIndex) clusterRoleBindingBySubjectIndexer(crb *rbacv1.ClusterRoleBinding) (result []string, err error) {
|
|
|
|
|
for _, subject := range crb.Subjects {
|
2020-02-08 20:03:57 +00:00
|
|
|
if subject.APIGroup == rbacGroup && subject.Kind == p.kind && crb.RoleRef.Kind == "ClusterRole" {
|
2019-08-04 17:41:32 +00:00
|
|
|
result = append(result, subject.Name)
|
2020-08-11 17:59:02 +00:00
|
|
|
} else if subject.APIGroup == "" && p.kind == "User" && subject.Kind == "ServiceAccount" && subject.Namespace != "" && crb.RoleRef.Kind == "ClusterRole" {
|
|
|
|
|
// Index is for Users and this references a service account
|
|
|
|
|
result = append(result, fmt.Sprintf("serviceaccount:%s:%s", subject.Namespace, subject.Name))
|
2019-08-04 17:41:32 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2020-02-08 20:03:57 +00:00
|
|
|
func (p *policyRuleIndex) roleBindingBySubject(rb *rbacv1.RoleBinding) (result []string, err error) {
|
|
|
|
|
for _, subject := range rb.Subjects {
|
2019-08-04 17:41:32 +00:00
|
|
|
if subject.APIGroup == rbacGroup && subject.Kind == p.kind {
|
|
|
|
|
result = append(result, subject.Name)
|
2020-08-11 17:59:02 +00:00
|
|
|
} else if subject.APIGroup == "" && p.kind == "User" && subject.Kind == "ServiceAccount" && subject.Namespace != "" {
|
|
|
|
|
// Index is for Users and this references a service account
|
|
|
|
|
result = append(result, fmt.Sprintf("serviceaccount:%s:%s", subject.Namespace, subject.Name))
|
2019-08-04 17:41:32 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2020-03-02 05:23:36 +00:00
|
|
|
var null = []byte{'\x00'}
|
|
|
|
|
|
|
|
|
|
func (p *policyRuleIndex) addRolesToHash(digest hash.Hash, subjectName string) {
|
2020-02-08 20:03:57 +00:00
|
|
|
for _, crb := range p.getClusterRoleBindings(subjectName) {
|
2020-03-02 05:23:36 +00:00
|
|
|
digest.Write([]byte(crb.RoleRef.Name))
|
|
|
|
|
digest.Write([]byte(p.revisions.roleRevision("", crb.RoleRef.Name)))
|
|
|
|
|
digest.Write(null)
|
2020-02-08 20:03:57 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for _, rb := range p.getRoleBindings(subjectName) {
|
|
|
|
|
switch rb.RoleRef.Kind {
|
|
|
|
|
case "Role":
|
2020-03-02 05:23:36 +00:00
|
|
|
digest.Write([]byte(rb.RoleRef.Name))
|
|
|
|
|
digest.Write([]byte(rb.Namespace))
|
|
|
|
|
digest.Write([]byte(p.revisions.roleRevision(rb.Namespace, rb.RoleRef.Name)))
|
|
|
|
|
digest.Write(null)
|
2020-02-08 20:03:57 +00:00
|
|
|
case "ClusterRole":
|
2020-03-02 05:23:36 +00:00
|
|
|
digest.Write([]byte(rb.RoleRef.Name))
|
2021-09-14 21:20:32 +00:00
|
|
|
digest.Write([]byte(p.revisions.roleRevision("", rb.RoleRef.Name)))
|
2020-03-02 05:23:36 +00:00
|
|
|
digest.Write(null)
|
2020-02-08 20:03:57 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2019-08-04 17:41:32 +00:00
|
|
|
func (p *policyRuleIndex) get(subjectName string) *AccessSet {
|
|
|
|
|
result := &AccessSet{}
|
|
|
|
|
|
|
|
|
|
for _, binding := range p.getRoleBindings(subjectName) {
|
|
|
|
|
p.addAccess(result, binding.Namespace, binding.RoleRef)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for _, binding := range p.getClusterRoleBindings(subjectName) {
|
2020-02-11 04:02:42 +00:00
|
|
|
p.addAccess(result, All, binding.RoleRef)
|
2019-08-04 17:41:32 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return result
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (p *policyRuleIndex) addAccess(accessSet *AccessSet, namespace string, roleRef rbacv1.RoleRef) {
|
|
|
|
|
for _, rule := range p.getRules(namespace, roleRef) {
|
|
|
|
|
for _, group := range rule.APIGroups {
|
|
|
|
|
for _, resource := range rule.Resources {
|
|
|
|
|
names := rule.ResourceNames
|
|
|
|
|
if len(names) == 0 {
|
2020-02-11 03:54:33 +00:00
|
|
|
names = []string{All}
|
2019-08-04 17:41:32 +00:00
|
|
|
}
|
|
|
|
|
for _, resourceName := range names {
|
|
|
|
|
for _, verb := range rule.Verbs {
|
|
|
|
|
accessSet.Add(verb,
|
|
|
|
|
schema.GroupResource{
|
|
|
|
|
Group: group,
|
|
|
|
|
Resource: resource,
|
|
|
|
|
}, Access{
|
|
|
|
|
Namespace: namespace,
|
|
|
|
|
ResourceName: resourceName,
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (p *policyRuleIndex) getRules(namespace string, roleRef rbacv1.RoleRef) []rbacv1.PolicyRule {
|
|
|
|
|
switch roleRef.Kind {
|
|
|
|
|
case "ClusterRole":
|
|
|
|
|
role, err := p.crCache.Get(roleRef.Name)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
return role.Rules
|
|
|
|
|
case "Role":
|
|
|
|
|
role, err := p.rCache.Get(namespace, roleRef.Name)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
return role.Rules
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (p *policyRuleIndex) getClusterRoleBindings(subjectName string) []*rbacv1.ClusterRoleBinding {
|
|
|
|
|
result, err := p.crbCache.GetByIndex(p.clusterRoleIndexKey, subjectName)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
2020-03-02 05:23:36 +00:00
|
|
|
sort.Slice(result, func(i, j int) bool {
|
|
|
|
|
return result[i].Name < result[j].Name
|
|
|
|
|
})
|
2019-08-04 17:41:32 +00:00
|
|
|
return result
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (p *policyRuleIndex) getRoleBindings(subjectName string) []*rbacv1.RoleBinding {
|
|
|
|
|
result, err := p.rbCache.GetByIndex(p.roleIndexKey, subjectName)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
2020-03-02 05:23:36 +00:00
|
|
|
sort.Slice(result, func(i, j int) bool {
|
2020-03-21 14:49:17 +00:00
|
|
|
return string(result[i].UID) < string(result[j].UID)
|
2020-03-02 05:23:36 +00:00
|
|
|
})
|
2019-08-04 17:41:32 +00:00
|
|
|
return result
|
|
|
|
|
}
|
