mirror of
https://github.com/rancher/steve.git
synced 2025-09-07 18:31:13 +00:00
refactor(accesscontrol): deterministic cache key hashing (#292)
* refactor(accesscontrol): make addAccess directly accept PolicyRules * refactor(accesscontrol): add new types for encapsulating all needed data * refactor(accesscontrol): make getRules return resource version * refactor(accesscontrol): add new getRoleRefs to policyRuleIndex * refactor(accesscontrol): make accessStore use the new types and method * cleanup(accesscontrol): remove unused code * cleanup(accesscontrol): adapt tests * cleanup(accesscontrol): add some comments and remove unused function * refactor(accesscontrol): rework indexer to make it more readable and testable * Fix typo * test: consistent use of t.Error * test: refactor policyRulesMock to just use a map * misc: rename toUserInfo function * refactor: consistent sort by UID
This commit is contained in:
Alejandro Ruiz
GitHub
71
pkg/accesscontrol/user_grants.go
Normal file
71
pkg/accesscontrol/user_grants.go
Normal file
@@ -0,0 +1,71 @@
|
||||
package accesscontrol
|
||||
|
||||
import (
|
||||
"crypto/sha256"
|
||||
"encoding/hex"
|
||||
"hash"
|
||||
|
||||
rbacv1 "k8s.io/api/rbac/v1"
|
||||
)
|
||||
|
||||
// userGrants is a complete snapshot of all rules granted to a user, including those through groups memberships
|
||||
type userGrants struct {
|
||||
user subjectGrants
|
||||
groups []subjectGrants
|
||||
}
|
||||
|
||||
// subjectGrants defines role references granted to a given subject through RoleBindings and ClusterRoleBindings
|
||||
type subjectGrants struct {
|
||||
roleBindings []roleRef
|
||||
clusterRoleBindings []roleRef
|
||||
}
|
||||
|
||||
// roleRef contains information from a Role or ClusterRole
|
||||
type roleRef struct {
|
||||
namespace, roleName, resourceVersion string
|
||||
rules []rbacv1.PolicyRule
|
||||
}
|
||||
|
||||
// hash calculates a unique identifier from all the grants for a user
|
||||
func (u userGrants) hash() string {
|
||||
d := sha256.New()
|
||||
u.user.writeTo(d)
|
||||
for _, group := range u.groups {
|
||||
group.writeTo(d)
|
||||
}
|
||||
return hex.EncodeToString(d.Sum(nil))
|
||||
}
|
||||
|
||||
// writeTo appends a subject's grants information to a given hash
|
||||
func (b subjectGrants) writeTo(digest hash.Hash) {
|
||||
for _, rb := range b.roleBindings {
|
||||
rb.writeTo(digest)
|
||||
}
|
||||
for _, crb := range b.clusterRoleBindings {
|
||||
crb.writeTo(digest)
|
||||
}
|
||||
}
|
||||
|
||||
// toAccessSet produces a new AccessSet from the rules in the inner roles references
|
||||
func (b subjectGrants) toAccessSet() *AccessSet {
|
||||
result := new(AccessSet)
|
||||
|
||||
for _, binding := range b.roleBindings {
|
||||
addAccess(result, binding.namespace, binding.rules)
|
||||
}
|
||||
|
||||
for _, binding := range b.clusterRoleBindings {
|
||||
addAccess(result, All, binding.rules)
|
||||
}
|
||||
|
||||
return result
|
||||
}
|
||||
|
||||
// writeTo appends a single role information to a given hash
|
||||
func (r roleRef) writeTo(digest hash.Hash) {
|
||||
digest.Write([]byte(r.roleName))
|
||||
if r.namespace != "" {
|
||||
digest.Write([]byte(r.namespace))
|
||||
}
|
||||
digest.Write([]byte(r.resourceVersion))
|
||||
}
|
||||
Reference in New Issue
Block a user