mirror of
https://github.com/rancher/steve.git
synced 2025-07-04 10:36:40 +00:00
fd9a516ecb
* refactor(accesscontrol): make addAccess directly accept PolicyRules * refactor(accesscontrol): add new types for encapsulating all needed data * refactor(accesscontrol): make getRules return resource version * refactor(accesscontrol): add new getRoleRefs to policyRuleIndex * refactor(accesscontrol): make accessStore use the new types and method * cleanup(accesscontrol): remove unused code * cleanup(accesscontrol): adapt tests * cleanup(accesscontrol): add some comments and remove unused function * refactor(accesscontrol): rework indexer to make it more readable and testable * Fix typo * test: consistent use of t.Error * test: refactor policyRulesMock to just use a map * misc: rename toUserInfo function * refactor: consistent sort by UID
101 lines
2.5 KiB
Go
101 lines
2.5 KiB
Go
package accesscontrol
|
|
|
|
import (
|
|
"context"
|
|
"slices"
|
|
"sort"
|
|
"time"
|
|
|
|
v1 "github.com/rancher/wrangler/v3/pkg/generated/controllers/rbac/v1"
|
|
"golang.org/x/sync/singleflight"
|
|
"k8s.io/apimachinery/pkg/util/cache"
|
|
"k8s.io/apiserver/pkg/authentication/user"
|
|
)
|
|
|
|
//go:generate mockgen --build_flags=--mod=mod -package fake -destination fake/AccessSetLookup.go "github.com/rancher/steve/pkg/accesscontrol" AccessSetLookup
|
|
|
|
type AccessSetLookup interface {
|
|
AccessFor(user user.Info) *AccessSet
|
|
PurgeUserData(id string)
|
|
}
|
|
|
|
type policyRules interface {
|
|
getRoleRefs(subjectName string) subjectGrants
|
|
}
|
|
|
|
// accessStoreCache is a subset of the methods implemented by LRUExpireCache
|
|
type accessStoreCache interface {
|
|
Add(key interface{}, value interface{}, ttl time.Duration)
|
|
Get(key interface{}) (interface{}, bool)
|
|
Remove(key interface{})
|
|
}
|
|
|
|
type AccessStore struct {
|
|
usersPolicyRules policyRules
|
|
groupsPolicyRules policyRules
|
|
cache accessStoreCache
|
|
concurrentAccessFor *singleflight.Group
|
|
}
|
|
|
|
func NewAccessStore(_ context.Context, cacheResults bool, rbac v1.Interface) *AccessStore {
|
|
as := &AccessStore{
|
|
usersPolicyRules: newPolicyRuleIndex(true, rbac),
|
|
groupsPolicyRules: newPolicyRuleIndex(false, rbac),
|
|
concurrentAccessFor: new(singleflight.Group),
|
|
}
|
|
if cacheResults {
|
|
as.cache = cache.NewLRUExpireCache(50)
|
|
}
|
|
return as
|
|
}
|
|
|
|
func (l *AccessStore) AccessFor(user user.Info) *AccessSet {
|
|
info := l.userGrantsFor(user)
|
|
if l.cache == nil {
|
|
return l.newAccessSet(info)
|
|
}
|
|
|
|
cacheKey := info.hash()
|
|
|
|
res, _, _ := l.concurrentAccessFor.Do(cacheKey, func() (interface{}, error) {
|
|
if val, ok := l.cache.Get(cacheKey); ok {
|
|
as, _ := val.(*AccessSet)
|
|
return as, nil
|
|
}
|
|
|
|
result := l.newAccessSet(info)
|
|
result.ID = cacheKey
|
|
l.cache.Add(cacheKey, result, 24*time.Hour)
|
|
|
|
return result, nil
|
|
})
|
|
return res.(*AccessSet)
|
|
}
|
|
|
|
func (l *AccessStore) newAccessSet(info userGrants) *AccessSet {
|
|
result := info.user.toAccessSet()
|
|
for _, group := range info.groups {
|
|
result.Merge(group.toAccessSet())
|
|
}
|
|
return result
|
|
}
|
|
|
|
func (l *AccessStore) PurgeUserData(id string) {
|
|
l.cache.Remove(id)
|
|
}
|
|
|
|
// userGrantsFor retrieves all the access information for a user
|
|
func (l *AccessStore) userGrantsFor(user user.Info) userGrants {
|
|
var res userGrants
|
|
|
|
groups := slices.Clone(user.GetGroups())
|
|
sort.Strings(groups)
|
|
|
|
res.user = l.usersPolicyRules.getRoleRefs(user.GetName())
|
|
for _, group := range groups {
|
|
res.groups = append(res.groups, l.groupsPolicyRules.getRoleRefs(group))
|
|
}
|
|
|
|
return res
|
|
}
|