mirror of
https://github.com/rancher/steve.git
synced 2025-07-01 09:12:12 +00:00
6ee8201c8d
* adding NonResourceURLs support to access_store
* added tests to AccessSet NonResourceURLs handling
* change on test script suggested by @tomleb + go mod tidy
* added nonresource to ext api authorization
* added NonResourceURLs implementation in Authorizes + test
* removed non-resource-url tests from the main test
* added new tests for non-resource-urls
* removed unused test data
* changed nonResourceKey to point to struct{}
* addressed comments from @tomleb
* addressed more comments
* fixing typo
* check for empty accessSet
56 lines
1.5 KiB
Go
56 lines
1.5 KiB
Go
package ext
|
|
|
|
import (
|
|
"context"
|
|
|
|
"github.com/rancher/steve/pkg/accesscontrol"
|
|
"k8s.io/apimachinery/pkg/runtime/schema"
|
|
"k8s.io/apiserver/pkg/authorization/authorizer"
|
|
)
|
|
|
|
var _ authorizer.Authorizer = (*AccessSetAuthorizer)(nil)
|
|
|
|
type AccessSetAuthorizer struct {
|
|
asl accesscontrol.AccessSetLookup
|
|
}
|
|
|
|
func NewAccessSetAuthorizer(asl accesscontrol.AccessSetLookup) *AccessSetAuthorizer {
|
|
return &AccessSetAuthorizer{
|
|
asl: asl,
|
|
}
|
|
}
|
|
|
|
// Authorize implements [authorizer.Authorizer].
|
|
func (a *AccessSetAuthorizer) Authorize(ctx context.Context, attrs authorizer.Attributes) (authorized authorizer.Decision, reason string, err error) {
|
|
verb := attrs.GetVerb()
|
|
path := attrs.GetPath()
|
|
accessSet := a.asl.AccessFor(attrs.GetUser())
|
|
|
|
if !attrs.IsResourceRequest() {
|
|
if accessSet.GrantsNonResource(verb, path) {
|
|
return authorizer.DecisionAllow, "", nil
|
|
}
|
|
|
|
// An empty string reason will still provide enough information such as:
|
|
//
|
|
// forbidden: User "unknown-user" cannot post path /openapi/v3
|
|
return authorizer.DecisionDeny, "", nil
|
|
}
|
|
|
|
namespace := attrs.GetNamespace()
|
|
name := attrs.GetName()
|
|
gr := schema.GroupResource{
|
|
Group: attrs.GetAPIGroup(),
|
|
Resource: attrs.GetResource(),
|
|
}
|
|
|
|
if accessSet.Grants(verb, gr, namespace, name) {
|
|
return authorizer.DecisionAllow, "", nil
|
|
}
|
|
|
|
// An empty string reason will still provide enough information such as:
|
|
//
|
|
// testtypes.ext.cattle.io is forbidden: User "unknown-user" cannot list resource "testtypes" in API group "ext.cattle.io" at the cluster scope
|
|
return authorizer.DecisionDeny, "", nil
|
|
}
|