#47483 - Adding NonResourceURLs support to AccessStore (#299)

* adding NonResourceURLs support to access_store * added tests to AccessSet NonResourceURLs handling * change on test script suggested by @tomleb + go mod tidy * added nonresource to ext api authorization * added NonResourceURLs implementation in Authorizes + test * removed non-resource-url tests from the main test * added new tests for non-resource-urls * removed unused test data * changed nonResourceKey to point to struct{} * addressed comments from @tomleb * addressed more comments * fixing typo * check for empty accessSet
2025-09-16 07:18:28 +00:00 · 2024-11-04 23:47:48 -03:00
parent 2175e090fe
commit 6ee8201c8d
10 changed files with 588 additions and 39 deletions
--- a/pkg/accesscontrol/policy_rule_index.go
+++ b/pkg/accesscontrol/policy_rule_index.go
@@ -16,6 +16,9 @@ const (
 	groupKind      = rbacv1.GroupKind
 	userKind       = rbacv1.UserKind
 	svcAccountKind = rbacv1.ServiceAccountKind
+
+	clusterRoleKind = "ClusterRole"
+	roleKind        = "Role"
 )

 type policyRuleIndex struct {
@@ -75,6 +78,40 @@ func indexSubjects(kind string, subjects []rbacv1.Subject) []string {
 	return result
 }

+// addAccess appends a set of PolicyRules to a given AccessSet
+func addAccess(accessSet *AccessSet, namespace string, roleRef roleRef) {
+	for _, rule := range roleRef.rules {
+		if len(rule.Resources) > 0 {
+			addResourceAccess(accessSet, namespace, rule)
+		} else if roleRef.kind == clusterRoleKind {
+			accessSet.AddNonResourceURLs(rule.Verbs, rule.NonResourceURLs)
+		}
+	}
+}
+
+func addResourceAccess(accessSet *AccessSet, namespace string, rule rbacv1.PolicyRule) {
+	for _, group := range rule.APIGroups {
+		for _, resource := range rule.Resources {
+			names := rule.ResourceNames
+			if len(names) == 0 {
+				names = []string{All}
+			}
+			for _, resourceName := range names {
+				for _, verb := range rule.Verbs {
+					accessSet.Add(verb,
+						schema.GroupResource{
+							Group:    group,
+							Resource: resource,
+						}, Access{
+							Namespace:    namespace,
+							ResourceName: resourceName,
+						})
+				}
+			}
+		}
+	}
+}
+
 func subjectIs(kind string, subject rbacv1.Subject) bool {
 	return subject.APIGroup == rbacGroup && subject.Kind == kind
 }
@@ -83,32 +120,6 @@ func subjectIsServiceAccount(subject rbacv1.Subject) bool {
 	return subject.APIGroup == "" && subject.Kind == svcAccountKind && subject.Namespace != ""
 }

-// addAccess appends a set of PolicyRules to a given AccessSet
-func addAccess(accessSet *AccessSet, namespace string, rules []rbacv1.PolicyRule) {
-	for _, rule := range rules {
-		for _, group := range rule.APIGroups {
-			for _, resource := range rule.Resources {
-				names := rule.ResourceNames
-				if len(names) == 0 {
-					names = []string{All}
-				}
-				for _, resourceName := range names {
-					for _, verb := range rule.Verbs {
-						accessSet.Add(verb,
-							schema.GroupResource{
-								Group:    group,
-								Resource: resource,
-							}, Access{
-								Namespace:    namespace,
-								ResourceName: resourceName,
-							})
-					}
-				}
-			}
-		}
-	}
-}
-
 // getRules obtain the actual Role or ClusterRole pointed at by a RoleRef, and returns PolicyRules and the resource version
 func (p *policyRuleIndex) getRules(namespace string, roleRef rbacv1.RoleRef) ([]rbacv1.PolicyRule, string) {
 	switch roleRef.Kind {
@@ -160,6 +171,7 @@ func (p *policyRuleIndex) getRoleRefs(subjectName string) subjectGrants {
 			roleName:        crb.RoleRef.Name,
 			resourceVersion: resourceVersion,
 			rules:           rules,
+			kind:            clusterRoleKind,
 		})
 	}

@@ -171,6 +183,7 @@ func (p *policyRuleIndex) getRoleRefs(subjectName string) subjectGrants {
 			namespace:       rb.Namespace,
 			resourceVersion: resourceVersion,
 			rules:           rules,
+			kind:            roleKind,
 		})
 	}