mirror of
https://github.com/rancher/steve.git
synced 2025-05-05 14:37:01 +00:00
6ee8201c8d
* adding NonResourceURLs support to access_store
* added tests to AccessSet NonResourceURLs handling
* change on test script suggested by @tomleb + go mod tidy
* added nonresource to ext api authorization
* added NonResourceURLs implementation in Authorizes + test
* removed non-resource-url tests from the main test
* added new tests for non-resource-urls
* removed unused test data
* changed nonResourceKey to point to struct{}
* addressed comments from @tomleb
* addressed more comments
* fixing typo
* check for empty accessSet
72 lines
1.8 KiB
Go
72 lines
1.8 KiB
Go
package accesscontrol
|
|
|
|
import (
|
|
"crypto/sha256"
|
|
"encoding/hex"
|
|
"hash"
|
|
|
|
rbacv1 "k8s.io/api/rbac/v1"
|
|
)
|
|
|
|
// userGrants is a complete snapshot of all rules granted to a user, including those through groups memberships
|
|
type userGrants struct {
|
|
user subjectGrants
|
|
groups []subjectGrants
|
|
}
|
|
|
|
// subjectGrants defines role references granted to a given subject through RoleBindings and ClusterRoleBindings
|
|
type subjectGrants struct {
|
|
roleBindings []roleRef
|
|
clusterRoleBindings []roleRef
|
|
}
|
|
|
|
// roleRef contains information from a Role or ClusterRole
|
|
type roleRef struct {
|
|
namespace, roleName, resourceVersion, kind string
|
|
rules []rbacv1.PolicyRule
|
|
}
|
|
|
|
// hash calculates a unique identifier from all the grants for a user
|
|
func (u userGrants) hash() string {
|
|
d := sha256.New()
|
|
u.user.writeTo(d)
|
|
for _, group := range u.groups {
|
|
group.writeTo(d)
|
|
}
|
|
return hex.EncodeToString(d.Sum(nil))
|
|
}
|
|
|
|
// writeTo appends a subject's grants information to a given hash
|
|
func (b subjectGrants) writeTo(digest hash.Hash) {
|
|
for _, rb := range b.roleBindings {
|
|
rb.writeTo(digest)
|
|
}
|
|
for _, crb := range b.clusterRoleBindings {
|
|
crb.writeTo(digest)
|
|
}
|
|
}
|
|
|
|
// toAccessSet produces a new AccessSet from the rules in the inner roles references
|
|
func (b subjectGrants) toAccessSet() *AccessSet {
|
|
result := new(AccessSet)
|
|
|
|
for _, binding := range b.roleBindings {
|
|
addAccess(result, binding.namespace, binding)
|
|
}
|
|
|
|
for _, binding := range b.clusterRoleBindings {
|
|
addAccess(result, All, binding)
|
|
}
|
|
|
|
return result
|
|
}
|
|
|
|
// writeTo appends a single role information to a given hash
|
|
func (r roleRef) writeTo(digest hash.Hash) {
|
|
digest.Write([]byte(r.roleName))
|
|
if r.namespace != "" {
|
|
digest.Write([]byte(r.namespace))
|
|
}
|
|
digest.Write([]byte(r.resourceVersion))
|
|
}
|