rancher/steve
1
0
Fork 0
mirror of https://github.com/rancher/steve.git synced 2025-05-11 17:34:24 +00:00
Code Issues Projects Releases Wiki Activity

Refactor to add links instead of bool for resourcePermissions, updated tests accordingly.

Browse Source
This commit is contained in:
Chad Roberts 2025-04-23 12:36:55 -04:00
parent eed59ebf8a
commit 5fa7be534a
No known key found for this signature in database
GPG Key ID: 1F6B1A7A4D54C39A
2 changed files with 101 additions and 66 deletions
pkg/resources/common
formatter.goformatter_test.go

70
pkg/resources/common/formatter.go
View File

@ -42,15 +42,20 @@ func DefaultTemplateForStore(store types.Store,
}
func selfLink(gvr schema2.GroupVersionResource, meta metav1.Object) (prefix string) {
return buildBasePath(gvr, meta.GetNamespace(), meta.GetName())
}
func buildBasePath(gvr schema2.GroupVersionResource, namespace string, includeName string) string {
buf := &strings.Builder{}
if gvr.Group == "management.cattle.io" && gvr.Version == "v3" {
buf.WriteString("/v1/")
buf.WriteString(gvr.Group)
buf.WriteString(".")
buf.WriteString(gvr.Resource)
if meta.GetNamespace() != "" {
if namespace != "" {
buf.WriteString("/")
buf.WriteString(meta.GetNamespace())
buf.WriteString(namespace)
}
} else {
if gvr.Group == "" {
@ -62,15 +67,19 @@ func selfLink(gvr schema2.GroupVersionResource, meta metav1.Object) (prefix stri
buf.WriteString(gvr.Version)
buf.WriteString("/")
}
if meta.GetNamespace() != "" {
if namespace != "" {
buf.WriteString("namespaces/")
buf.WriteString(meta.GetNamespace())
buf.WriteString(namespace)
buf.WriteString("/")
}
buf.WriteString(gvr.Resource)
}
buf.WriteString("/")
buf.WriteString(meta.GetName())
if includeName != "" {
buf.WriteString("/")
buf.WriteString(includeName)
}
return buf.String()
}
@ -148,16 +157,23 @@ func formatter(summarycache common.SummaryCache, asl accesscontrol.AccessSetLook
}
if permsQuery := request.Query.Get("checkPermissions"); permsQuery != "" {
id := resource.APIObject.ID
ns := getNamespaceFromResource(id)
gvr := attributes.GVR(resource.Schema)
permissions := map[string]map[string]bool{}
ns := getNamespaceFromResource(resource.APIObject)
permissions := map[string]map[string]string{}
for _, res := range strings.Split(permsQuery, ",") {
perms := map[string]bool{}
s := request.Schemas.LookupSchema(res)
if s == nil {
continue
}
gvr := attributes.GVR(s)
gr := schema2.GroupResource{Group: gvr.Group, Resource: gvr.Resource}
perms := map[string]string{}
for _, verb := range []string{"create", "update", "delete", "list", "get", "watch", "patch"} {
allowed := accessSet.Grants(verb, schema2.GroupResource{Group: gvr.Group, Resource: res}, ns, "")
// TODO maybe add links rather than true/false
perms[verb] = allowed
if accessSet.Grants(verb, gr, ns, "") {
url := request.URLBuilder.RelativeToRoot(buildBasePath(gvr, ns, ""))
perms[verb] = url
}
}
permissions[res] = perms
}
@ -205,10 +221,26 @@ func excludeValues(request *types.APIRequest, unstr *unstructured.Unstructured)
}
}
func getNamespaceFromResource(resourceID string) string {
parts := strings.SplitN(resourceID, "/", 2)
if len(parts) == 2 {
return parts[1]
func getNamespaceFromResource(obj types.APIObject) string {
unstr, ok := obj.Object.(*unstructured.Unstructured)
if !ok {
return ""
}
return resourceID
// If we have a backingNamespace, use that
if statusRaw, ok := unstr.Object["status"]; ok {
if statusMap, ok := statusRaw.(map[string]interface{}); ok {
if backingNamespace, ok := statusMap["backingNamespace"].(string); ok && backingNamespace != "" {
return backingNamespace
}
}
}
// Otherwise, if the id has a slash, we will interpret that
parts := strings.SplitN(obj.ID, "/", 2)
if len(parts) == 2 {
return parts[0] + "-" + parts[1]
}
return obj.ID
}

97
pkg/resources/common/formatter_test.go
View File

@ -1088,7 +1088,7 @@ func TestFormatterAddsResourcePermissions(t *testing.T) {
resourcePermissions map[string][]string
schema *types.APISchema
apiObject types.APIObject
want map[string]map[string]bool
want map[string]map[string]string
}{
{
name: "get update patch on project and get on projectroletemplatebindings",
@ -1112,15 +1112,11 @@ func TestFormatterAddsResourcePermissions(t *testing.T) {
Object: map[string]interface{}{},
},
},
want: map[string]map[string]bool{
want: map[string]map[string]string{
"projectroletemplatebindings": {
"get": true,
"list": true,
"watch": true,
"create": false,
"delete": false,
"patch": false,
"update": false,
"get": "/apis/management.cattle.io/v1/namespaces/clusterid-projectid/projectroletemplatebindings",
"list": "/apis/management.cattle.io/v1/namespaces/clusterid-projectid/projectroletemplatebindings",
"watch": "/apis/management.cattle.io/v1/namespaces/clusterid-projectid/projectroletemplatebindings",
},
},
},
@ -1147,24 +1143,16 @@ func TestFormatterAddsResourcePermissions(t *testing.T) {
Object: map[string]interface{}{},
},
},
want: map[string]map[string]bool{
want: map[string]map[string]string{
"projectroletemplatebindings": {
"get": true,
"list": true,
"watch": true,
"create": false,
"delete": false,
"patch": false,
"update": false,
"get": "/apis/management.cattle.io/v1/namespaces/clusterid-projectid/projectroletemplatebindings",
"list": "/apis/management.cattle.io/v1/namespaces/clusterid-projectid/projectroletemplatebindings",
"watch": "/apis/management.cattle.io/v1/namespaces/clusterid-projectid/projectroletemplatebindings",
},
"pods": {
"get": true,
"list": true,
"watch": true,
"create": false,
"delete": false,
"patch": false,
"update": false,
"get": "/apis/management.cattle.io/v1/namespaces/clusterid-projectid/pods",
"list": "/apis/management.cattle.io/v1/namespaces/clusterid-projectid/pods",
"watch": "/apis/management.cattle.io/v1/namespaces/clusterid-projectid/pods",
},
},
},
@ -1188,17 +1176,7 @@ func TestFormatterAddsResourcePermissions(t *testing.T) {
Object: map[string]interface{}{},
},
},
want: map[string]map[string]bool{
"unknown": {
"get": false,
"list": false,
"watch": false,
"create": false,
"delete": false,
"patch": false,
"update": false,
},
},
want: nil,
},
}
@ -1234,7 +1212,7 @@ func TestFormatterAddsResourcePermissions(t *testing.T) {
}
for _, verb := range verbs {
accessSet.Add(verb, gvr.GroupResource(), accesscontrol.Access{
Namespace: projectid,
Namespace: clusterid + "-" + projectid,
})
}
}
@ -1254,6 +1232,30 @@ func TestFormatterAddsResourcePermissions(t *testing.T) {
Query: url.Values{
"checkPermissions": {strings.Join(checkPerms, ",")},
},
Schemas: types.EmptyAPISchemas(),
}
addSchema := func(names ...string) {
for _, name := range names {
if name == "unknown" {
continue
}
req.Schemas.MustAddSchema(types.APISchema{
Schema: &schemas.Schema{
ID: name,
CollectionMethods: []string{"get"},
ResourceMethods: []string{"get"},
Attributes: map[string]interface{}{
"group": "management.cattle.io",
"resource": name,
"version": "v1",
},
},
})
}
}
for res := range test.want {
addSchema(res)
}
resource := &types.RawResource{
@ -1274,21 +1276,22 @@ func TestFormatterAddsResourcePermissions(t *testing.T) {
u, ok := resource.APIObject.Object.(*unstructured.Unstructured)
require.True(t, ok, "APIObject.Object is not Unstructured")
rawPerms, ok := u.Object["resourcePermissions"]
require.True(t, ok, "resourcePermissions field missing")
if test.want != nil {
rawPerms, ok := u.Object["resourcePermissions"]
require.True(t, ok, "resourcePermissions field missing")
permMap, ok := rawPerms.(map[string]map[string]bool)
require.True(t, ok, "resourcePermissions is not map[string]map[string]bool")
permMap, ok := rawPerms.(map[string]map[string]string)
require.True(t, ok, "resourcePermissions is not map[string]map[string]string")
got := map[string]map[string]bool{}
for res, actionMap := range permMap {
got[res] = map[string]bool{}
for action, boolVal := range actionMap {
got[res][action] = boolVal
got := map[string]map[string]string{}
for res, actionMap := range permMap {
got[res] = map[string]string{}
for action, boolVal := range actionMap {
got[res][action] = boolVal
}
}
require.Equal(t, test.want, got)
}
require.Equal(t, test.want, got)
})
}
}