Fix namespace access review api (#334)

Signed-off-by: Tamal Saha <[email protected]>
kubeops · Sep 12, 2024 · d7e8d56 · d7e8d56
1 parent 77c793a
commit d7e8d56
Show file tree

Hide file tree

Showing 2 changed files with 73 additions and 13 deletions.
diff --git a/cmd/objectfinder-tester/main.go b/cmd/objectfinder-tester/main.go
@@ -19,6 +19,7 @@ package main
 
 import (
 	"context"
+	"encoding/json"
 	"errors"
 	"fmt"
 
@@ -43,6 +44,7 @@ import (
 	rbacauthz "kmodules.xyz/authorizer/apiserver"
 	clustermeta "kmodules.xyz/client-go/cluster"
 	"kmodules.xyz/resource-metadata/apis/identity/v1alpha1"
+	identityapi "kmodules.xyz/resource-metadata/apis/identity/v1alpha1"
 	rsapi "kmodules.xyz/resource-metadata/apis/meta/v1alpha1"
 	"kmodules.xyz/resource-metadata/hub/resourcedescriptors"
 	"kmodules.xyz/resource-metadata/hub/resourceoutlines"
@@ -400,7 +402,7 @@ func findForPostgres() error {
 	return nil
 }
 
-func main() {
+func main_5() {
 	kc, rtc, err := NewClient()
 	if err != nil {
 		panic(err)
@@ -457,3 +459,54 @@ func main_6() {
 	}
 	fmt.Printf("%+v\n", result)
 }
+
+func main() {
+	// /Users/tamal/Downloads/rancher-spoke.yaml
+
+	kc, rtc, err := NewClient()
+	if err != nil {
+		panic(err)
+	}
+
+	s := selfsubjectnamespaceaccessreview.NewStorage(kc, rtc)
+
+	ctx := context.TODO()
+	ctx = apirequest.WithNamespace(ctx, "ace")
+	ctx = apirequest.WithUser(ctx, &user.DefaultInfo{
+		Name: "u-ct92n",
+		UID:  "",
+		Groups: []string{
+			"system:authenticated",
+			"system:cattle:authenticated",
+		},
+		Extra: map[string][]string{
+			"principalid": {"local://u-ct92n"},
+			"username":    {"tamal-project-a"},
+		},
+	})
+
+	in := &identityapi.SelfSubjectNamespaceAccessReview{
+		TypeMeta:   metav1.TypeMeta{},
+		ObjectMeta: metav1.ObjectMeta{},
+		Spec: identityapi.SelfSubjectNamespaceAccessReviewSpec{
+			ResourceAttributes: []authorization.ResourceAttributes{
+				{
+					Namespace:   "",
+					Verb:        "list",
+					Group:       "kubedb.com",
+					Version:     "*",
+					Resource:    "kafkas",
+					Subresource: "",
+					Name:        "",
+				},
+			},
+		},
+	}
+
+	result, err := s.Create(ctx, in, nil, nil)
+	if err != nil {
+		panic(err)
+	}
+	data, _ := json.MarshalIndent(result, "", "  ")
+	fmt.Printf("%+v\n", string(data))
+}
diff --git a/pkg/registry/identity/selfsubjectnamespaceaccessreview/storage.go b/pkg/registry/identity/selfsubjectnamespaceaccessreview/storage.go
@@ -107,12 +107,12 @@ func (r *Storage) Create(ctx context.Context, obj runtime.Object, _ rest.Validat
 
 	// check for all namespaces
 	{
-		allowed, err := r.hasAllNamespaceResourceAccess(ctx, in)
+		allowed, err := r.hasAllNamespaceResourceAccess(ctx, in, user, extra)
 		if err != nil {
 			return nil, err
 		}
 		if allowed {
-			allowed, err = r.hasNonResourceAccess(ctx, in)
+			allowed, err = r.hasNonResourceAccess(ctx, in, user, extra)
 			if err != nil {
 				return nil, err
 			}
@@ -148,14 +148,18 @@ func (r *Storage) Create(ctx context.Context, obj runtime.Object, _ rest.Validat
 	return in, nil
 }
 
-func (r *Storage) hasNonResourceAccess(ctx context.Context, in *identityapi.SelfSubjectNamespaceAccessReview) (bool, error) {
+func (r *Storage) hasNonResourceAccess(ctx context.Context, in *identityapi.SelfSubjectNamespaceAccessReview, user user.Info, extra map[string]authorization.ExtraValue) (bool, error) {
 	for _, attr := range in.Spec.NonResourceAttributes {
-		review := &authorization.SelfSubjectAccessReview{
-			Spec: authorization.SelfSubjectAccessReviewSpec{
+		review := &authorization.SubjectAccessReview{
+			Spec: authorization.SubjectAccessReviewSpec{
 				NonResourceAttributes: &attr,
+				User:                  user.GetName(),
+				Groups:                user.GetGroups(),
+				Extra:                 extra,
+				UID:                   user.GetUID(),
 			},
 		}
-		review, err := r.kc.AuthorizationV1().SelfSubjectAccessReviews().Create(ctx, review, metav1.CreateOptions{})
+		review, err := r.kc.AuthorizationV1().SubjectAccessReviews().Create(ctx, review, metav1.CreateOptions{})
 		if err != nil {
 			return false, err
 		}
@@ -166,16 +170,19 @@ func (r *Storage) hasNonResourceAccess(ctx context.Context, in *identityapi.Self
 	return true, nil
 }
 
-func (r *Storage) hasAllNamespaceResourceAccess(ctx context.Context, in *identityapi.SelfSubjectNamespaceAccessReview) (bool, error) {
+func (r *Storage) hasAllNamespaceResourceAccess(ctx context.Context, in *identityapi.SelfSubjectNamespaceAccessReview, user user.Info, extra map[string]authorization.ExtraValue) (bool, error) {
 	for _, attr := range in.Spec.ResourceAttributes {
 		attr.Namespace = ""
-		review := &authorization.SelfSubjectAccessReview{
-			Spec: authorization.SelfSubjectAccessReviewSpec{
-				ResourceAttributes:    &attr,
-				NonResourceAttributes: nil,
+		review := &authorization.SubjectAccessReview{
+			Spec: authorization.SubjectAccessReviewSpec{
+				ResourceAttributes: &attr,
+				User:               user.GetName(),
+				Groups:             user.GetGroups(),
+				Extra:              extra,
+				UID:                user.GetUID(),
 			},
 		}
-		review, err := r.kc.AuthorizationV1().SelfSubjectAccessReviews().Create(ctx, review, metav1.CreateOptions{})
+		review, err := r.kc.AuthorizationV1().SubjectAccessReviews().Create(ctx, review, metav1.CreateOptions{})
 		if err != nil {
 			return false, err
 		}