admin/kubesphere
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Refactor iam module.

Browse Source
This commit is contained in:
hongming
2018-06-26 13:46:54 +08:00
parent 479ef78f67
commit 6071095e24
15 changed files with 478 additions and 425 deletions
Download Patch File Download Diff File Expand all files Collapse all files

40
pkg/apis/v1alpha/iam/iam_handler.go
View File

@@ -28,9 +28,19 @@ import (
"kubesphere.io/kubesphere/pkg/constants"
"kubesphere.io/kubesphere/pkg/filter/route"
"kubesphere.io/kubesphere/pkg/models"
"kubesphere.io/kubesphere/pkg/models/iam"
)
type roleList struct {
ClusterRoles []v1.ClusterRole `json:"clusterRoles" protobuf:"bytes,2,rep,name=clusterRoles"`
Roles []v1.Role `json:"roles" protobuf:"bytes,2,rep,name=roles"`
}
type userRuleList struct {
ClusterRules []iam.Rule `json:"clusterRules"`
Rules map[string][]iam.Rule `json:"rules"`
}
func Register(ws *restful.WebService) {
//roles
ws.Route(ws.GET("/users/{username}/roles").To(userRolesHandler).Filter(route.RouteLogging)).Produces(restful.MIME_JSON)
@@ -53,14 +63,14 @@ func userRolesHandler(req *restful.Request, resp *restful.Response) {
username := req.PathParameter("username")
roles, err := models.GetRoles(username)
roles, err := iam.GetRoles(username)
if err != nil {
resp.WriteHeaderAndEntity(http.StatusInternalServerError, constants.MessageResponse{Message: err.Error()})
return
}
clusterRoles, err := models.GetClusterRoles(username)
clusterRoles, err := iam.GetClusterRoles(username)
if err != nil {
resp.WriteHeaderAndEntity(http.StatusInternalServerError, constants.MessageResponse{Message: err.Error()})
@@ -79,7 +89,7 @@ func roleUsersHandler(req *restful.Request, resp *restful.Response) {
name := req.PathParameter("name")
namespace := req.PathParameter("namespace")
roleBindings, err := models.GetRoleBindings(namespace, name)
roleBindings, err := iam.GetRoleBindings(namespace, name)
if err != nil {
resp.WriteHeaderAndEntity(http.StatusInternalServerError, constants.MessageResponse{Message: err.Error()})
@@ -105,7 +115,7 @@ func roleUsersHandler(req *restful.Request, resp *restful.Response) {
func clusterRoleUsersHandler(req *restful.Request, resp *restful.Response) {
name := req.PathParameter("name")
roleBindings, err := models.GetClusterRoleBindings(name)
roleBindings, err := iam.GetClusterRoleBindings(name)
if err != nil {
resp.WriteHeaderAndEntity(http.StatusInternalServerError, constants.MessageResponse{Message: err.Error()})
@@ -138,14 +148,14 @@ func usersRulesHandler(req *restful.Request, resp *restful.Response) {
userRuleList := userRuleList{}
clusterRules, err := getUserClusterRules(username)
clusterRules, err := iam.GetUserClusterRules(username)
if err != nil {
resp.WriteHeaderAndEntity(http.StatusInternalServerError, constants.MessageResponse{Message: err.Error()})
return
}
rules, err := getUserRules(username)
rules, err := iam.GetUserRules(username)
if err != nil {
resp.WriteHeaderAndEntity(http.StatusInternalServerError, constants.MessageResponse{Message: err.Error()})
@@ -168,14 +178,14 @@ func userRulesHandler(req *restful.Request, resp *restful.Response) {
userRuleList := userRuleList{}
clusterRules, err := getUserClusterRules(username)
clusterRules, err := iam.GetUserClusterRules(username)
if err != nil {
resp.WriteHeaderAndEntity(http.StatusInternalServerError, constants.MessageResponse{Message: err.Error()})
return
}
rules, err := getUserRules(username)
rules, err := iam.GetUserRules(username)
if err != nil {
resp.WriteHeaderAndEntity(http.StatusInternalServerError, constants.MessageResponse{Message: err.Error()})
@@ -193,13 +203,13 @@ func clusterRoleRulesHandler(req *restful.Request, resp *restful.Response) {
name := req.PathParameter("name")
var rules []rule
var rules []iam.Rule
if name == "" {
rules = clusterRoleRuleGroup
rules = iam.ClusterRoleRuleGroup
} else {
var err error
rules, err = getClusterRoleRules(name)
rules, err = iam.GetClusterRoleRules(name)
if err != nil {
resp.WriteHeaderAndEntity(http.StatusInternalServerError, constants.MessageResponse{Message: err.Error()})
return
@@ -214,13 +224,13 @@ func roleRulesHandler(req *restful.Request, resp *restful.Response) {
name := req.PathParameter("name")
namespace := req.PathParameter("namespace")
var rules []rule
var rules []iam.Rule
if namespace == "" && name == "" {
rules = roleRuleGroup
rules = iam.RoleRuleGroup
} else {
var err error
rules, err = getRoleRules(namespace, name)
rules, err = iam.GetRoleRules(namespace, name)
if err != nil {
resp.WriteHeaderAndEntity(http.StatusInternalServerError, constants.MessageResponse{Message: err.Error()})
return

818
pkg/apis/v1alpha/iam/policy.go
View File

@@ -1,818 +0,0 @@
/*
Copyright 2018 The KubeSphere Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package iam
import (
"encoding/json"
"io/ioutil"
"github.com/golang/glog"
"k8s.io/api/rbac/v1"
)
const (
rulesConfigPath = "/etc/kubesphere/rules/rules.json"
clusterRulesConfigPath = "/etc/kubesphere/rules/clusterrules.json"
)
type roleList struct {
ClusterRoles []v1.ClusterRole `json:"clusterRoles" protobuf:"bytes,2,rep,name=clusterRoles"`
Roles []v1.Role `json:"roles" protobuf:"bytes,2,rep,name=roles"`
}
type action struct {
Name string `json:"name"`
Rules []v1.PolicyRule `json:"rules"`
}
type rule struct {
Name string `json:"name"`
Actions []action `json:"actions"`
}
type userRuleList struct {
ClusterRules []rule `json:"clusterRules"`
Rules map[string][]rule `json:"rules"`
}
func init() {
rulesConfig, err := ioutil.ReadFile(rulesConfigPath)
if err == nil {
config := &[]rule{}
json.Unmarshal(rulesConfig, config)
if len(*config) > 0 {
roleRuleGroup = *config
glog.Info("rules config load success")
}
}
clusterRulesConfig, err := ioutil.ReadFile(clusterRulesConfigPath)
if err == nil {
config := &[]rule{}
json.Unmarshal(clusterRulesConfig, config)
if len(*config) > 0 {
clusterRoleRuleGroup = *config
glog.Info("cluster rules config load success")
}
}
}
var (
clusterRoleRuleGroup = []rule{projects, users, roles, images,
volumes, storageclasses, nodes, appCatalog, apps, components, deployments, statefulsets, daemonsets, pods, services, routes}
roleRuleGroup = []rule{project, deployments, statefulsets, daemonsets, pods,
services, routes, volumes}
components = rule{
Name: "components",
Actions: []action{
{Name: "view",
Rules: []v1.PolicyRule{
{
Verbs: []string{"get", "watch", "list"},
APIGroups: []string{"kubsphere.io"},
Resources: []string{"components"},
},
},
},
},
}
projects = rule{
Name: "projects",
Actions: []action{
{Name: "view",
Rules: []v1.PolicyRule{
{
Verbs: []string{"get", "watch", "list"},
APIGroups: []string{""},
Resources: []string{"namespaces"},
},
},
},
{Name: "create",
Rules: []v1.PolicyRule{
{
Verbs: []string{"create"},
APIGroups: []string{""},
Resources: []string{"namespaces"},
},
},
},
{Name: "edit",
Rules: []v1.PolicyRule{
{
Verbs: []string{"update", "patch"},
APIGroups: []string{""},
Resources: []string{"namespaces"},
},
},
},
{Name: "delete",
Rules: []v1.PolicyRule{
{
Verbs: []string{"delete", "deletecollection"},
APIGroups: []string{""},
Resources: []string{"namespaces"},
},
},
},
{Name: "members",
Rules: []v1.PolicyRule{
{
Verbs: []string{"get", "watch", "list", "create", "delete"},
APIGroups: []string{"rbac.authorization.k8s.io"},
Resources: []string{"rolebindings"},
},
},
},
{Name: "member_roles",
Rules: []v1.PolicyRule{
{
Verbs: []string{"get", "watch", "list", "create", "delete", "patch", "update"},
APIGroups: []string{"rbac.authorization.k8s.io"},
Resources: []string{"roles"},
},
},
},
},
}
project = rule{
Name: "projects",
Actions: []action{
{Name: "members",
Rules: []v1.PolicyRule{
{
Verbs: []string{"get", "watch", "list", "create", "delete"},
APIGroups: []string{"rbac.authorization.k8s.io"},
Resources: []string{"rolebindings"},
},
},
},
{Name: "member_roles",
Rules: []v1.PolicyRule{
{
Verbs: []string{"get", "watch", "list", "create", "delete", "patch", "update"},
APIGroups: []string{"rbac.authorization.k8s.io"},
Resources: []string{"roles"},
},
},
},
{Name: "edit",
Rules: []v1.PolicyRule{
{
Verbs: []string{"update", "patch"},
APIGroups: []string{""},
Resources: []string{"namespaces"},
},
},
},
{Name: "delete",
Rules: []v1.PolicyRule{
{
Verbs: []string{"delete"},
APIGroups: []string{""},
Resources: []string{"namespaces"},
},
},
},
},
}
users = rule{
Name: "users",
Actions: []action{
{Name: "view",
Rules: []v1.PolicyRule{
{
Verbs: []string{"get", "watch", "list"},
APIGroups: []string{"kubesphere.io"},
Resources: []string{"users"},
},
{
Verbs: []string{"get", "watch", "list"},
APIGroups: []string{"rbac.authorization.k8s.io"},
Resources: []string{"clusterrolebindings"},
},
},
},
{Name: "create",
Rules: []v1.PolicyRule{
{
Verbs: []string{"create"},
APIGroups: []string{"kubesphere.io"},
Resources: []string{"users"},
},
{
Verbs: []string{"create", "delete", "deletecollection"},
APIGroups: []string{"rbac.authorization.k8s.io"},
Resources: []string{"clusterrolebindings"},
},
},
},
{Name: "edit",
Rules: []v1.PolicyRule{
{
Verbs: []string{"update", "patch"},
APIGroups: []string{"kubesphere.io"},
Resources: []string{"users"},
},
{
Verbs: []string{"create", "delete", "deletecollection"},
APIGroups: []string{"rbac.authorization.k8s.io"},
Resources: []string{"clusterrolebindings"},
},
},
},
{Name: "delete",
Rules: []v1.PolicyRule{
{
Verbs: []string{"delete", "deletecollection"},
APIGroups: []string{"kubesphere.io"},
Resources: []string{"users"},
},
},
},
},
}
roles = rule{
Name: "roles",
Actions: []action{
{Name: "view",
Rules: []v1.PolicyRule{
{
Verbs: []string{"get", "watch", "list"},
APIGroups: []string{"rbac.authorization.k8s.io"},
Resources: []string{"clusterroles"},
},
},
},
{Name: "create",
Rules: []v1.PolicyRule{
{
Verbs: []string{"create"},
APIGroups: []string{"rbac.authorization.k8s.io"},
Resources: []string{"clusterroles"},
},
},
},
{Name: "edit",
Rules: []v1.PolicyRule{
{
Verbs: []string{"update", "patch"},
APIGroups: []string{"rbac.authorization.k8s.io"},
Resources: []string{"clusterroles"},
},
},
},
{Name: "delete",
Rules: []v1.PolicyRule{
{
Verbs: []string{"delete", "deletecollection"},
APIGroups: []string{"rbac.authorization.k8s.io"},
Resources: []string{"clusterroles"},
},
},
},
},
}
nodes = rule{
Name: "nodes",
Actions: []action{
{Name: "view",
Rules: []v1.PolicyRule{
{
Verbs: []string{"get", "watch", "list"},
APIGroups: []string{""},
Resources: []string{"nodes"},
},
},
},
{Name: "edit",
Rules: []v1.PolicyRule{
{
Verbs: []string{"update", "patch"},
APIGroups: []string{""},
Resources: []string{"nodes"},
},
},
},
{Name: "drain",
Rules: []v1.PolicyRule{
{
Verbs: []string{"*"},
APIGroups: []string{"kubesphere.io"},
Resources: []string{"nodes"},
},
},
},
},
}
volumes = rule{
Name: "volumes",
Actions: []action{
{Name: "view",
Rules: []v1.PolicyRule{
{
Verbs: []string{"get", "watch", "list"},
APIGroups: []string{""},
Resources: []string{"persistentvolumes"},
},
{
Verbs: []string{"list"},
APIGroups: []string{""},
Resources: []string{"namespaces"},
},
},
},
{Name: "create",
Rules: []v1.PolicyRule{
{
Verbs: []string{"get", "watch", "list"},
APIGroups: []string{""},
Resources: []string{"persistentvolumes"},
},
},
},
{Name: "edit",
Rules: []v1.PolicyRule{
{
Verbs: []string{"update", "patch"},
APIGroups: []string{""},
Resources: []string{"persistentvolumes"},
},
},
},
{Name: "delete",
Rules: []v1.PolicyRule{
{
Verbs: []string{"get", "watch", "list"},
APIGroups: []string{""},
Resources: []string{"persistentvolumes"},
},
},
},
},
}
storageclasses = rule{
Name: "storageclasses",
Actions: []action{
{Name: "view",
Rules: []v1.PolicyRule{
{
Verbs: []string{"get", "watch", "list"},
APIGroups: []string{"storage.k8s.io"},
Resources: []string{"storageclasses"},
},
},
},
{Name: "create",
Rules: []v1.PolicyRule{
{
Verbs: []string{"create"},
APIGroups: []string{"storage.k8s.io"},
Resources: []string{"storageclasses"},
},
},
},
{Name: "edit",
Rules: []v1.PolicyRule{
{
Verbs: []string{"update", "patch"},
APIGroups: []string{"storage.k8s.io"},
Resources: []string{"storageclasses"},
},
},
},
{Name: "delete",
Rules: []v1.PolicyRule{
{
Verbs: []string{"delete", "deletecollection"},
APIGroups: []string{"storage.k8s.io"},
Resources: []string{"storageclasses"},
},
},
},
},
}
images = rule{
Name: "images",
Actions: []action{
{Name: "view",
Rules: []v1.PolicyRule{
{
Verbs: []string{"get", "watch", "list"},
APIGroups: []string{""},
Resources: []string{
"secrets",
},
},
{
Verbs: []string{"list"},
APIGroups: []string{""},
Resources: []string{"namespaces"},
},
},
},
{Name: "create",
Rules: []v1.PolicyRule{
{
Verbs: []string{"create"},
APIGroups: []string{""},
Resources: []string{
"secrets",
},
},
},
},
{Name: "edit",
Rules: []v1.PolicyRule{
{
Verbs: []string{"update", "patch"},
APIGroups: []string{""},
Resources: []string{
"secrets",
},
},
},
},
{Name: "delete",
Rules: []v1.PolicyRule{
{
Verbs: []string{"delete", "deletecollection"},
APIGroups: []string{""},
Resources: []string{
"secrets",
},
},
},
},
},
}
appCatalog = rule{
Name: "app_catalog",
Actions: []action{
{Name: "view",
Rules: []v1.PolicyRule{
{
Verbs: []string{"get", "watch", "list"},
APIGroups: []string{"openpitrix.io"},
Resources: []string{"appcatalog"},
},
},
},
{Name: "create",
Rules: []v1.PolicyRule{
{
Verbs: []string{"create"},
APIGroups: []string{"openpitrix.io"},
Resources: []string{"appcatalog"},
},
},
},
{Name: "edit",
Rules: []v1.PolicyRule{
{
Verbs: []string{"update", "patch"},
APIGroups: []string{"openpitrix.io"},
Resources: []string{"appcatalog"},
},
},
},
{Name: "delete",
Rules: []v1.PolicyRule{
{
Verbs: []string{"delete", "deletecollection"},
APIGroups: []string{"openpitrix.io"},
Resources: []string{"appcatalog"},
},
},
},
},
}
apps = rule{
Name: "apps",
Actions: []action{
{Name: "view",
Rules: []v1.PolicyRule{
{
Verbs: []string{"get", "watch", "list"},
APIGroups: []string{"openpitrix.io"},
Resources: []string{"apps"},
},
},
},
},
}
statefulsets = rule{
Name: "statefulsets",
Actions: []action{
{Name: "view",
Rules: []v1.PolicyRule{
{
Verbs: []string{"get", "watch", "list"},
APIGroups: []string{"apps"},
Resources: []string{"statefulsets"},
},
{
Verbs: []string{"list"},
APIGroups: []string{""},
Resources: []string{"namespaces"},
},
{
Verbs: []string{"get", "watch", "list"},
APIGroups: []string{""},
Resources: []string{"pods", "pods/log", "pods/status"},
},
},
},
{Name: "create",
Rules: []v1.PolicyRule{
{
Verbs: []string{"create"},
APIGroups: []string{"apps"},
Resources: []string{"statefulsets"},
},
},
},
{Name: "edit",
Rules: []v1.PolicyRule{
{
Verbs: []string{"update", "patch"},
APIGroups: []string{"apps"},
Resources: []string{"statefulsets"},
},
},
},
{Name: "delete",
Rules: []v1.PolicyRule{
{
Verbs: []string{"delete", "deletecollection"},
APIGroups: []string{"apps"},
Resources: []string{"statefulsets"},
},
},
},
{Name: "scale",
Rules: []v1.PolicyRule{
{
Verbs: []string{"patch"},
APIGroups: []string{"apps"},
Resources: []string{"statefulsets"},
},
},
},
},
}
daemonsets = rule{
Name: "daemonsets",
Actions: []action{
{Name: "view",
Rules: []v1.PolicyRule{
{
Verbs: []string{"get", "watch", "list"},
APIGroups: []string{"apps", "extensions"},
Resources: []string{"daemonsets"},
},
{
Verbs: []string{"list"},
APIGroups: []string{""},
Resources: []string{"namespaces"},
},
{
Verbs: []string{"get", "watch", "list"},
APIGroups: []string{""},
Resources: []string{"pods", "pods/log", "pods/status"},
},
},
},
{Name: "create",
Rules: []v1.PolicyRule{
{
Verbs: []string{"create"},
APIGroups: []string{"apps", "extensions"},
Resources: []string{"daemonsets"},
},
},
},
{Name: "edit",
Rules: []v1.PolicyRule{
{
Verbs: []string{"update", "patch"},
APIGroups: []string{"apps", "extensions"},
Resources: []string{"daemonsets"},
},
},
},
{Name: "delete",
Rules: []v1.PolicyRule{
{
Verbs: []string{"delete", "deletecollection"},
APIGroups: []string{"apps", "extensions"},
Resources: []string{"daemonsets"},
},
},
},
},
}
services = rule{
Name: "services",
Actions: []action{
{Name: "view",
Rules: []v1.PolicyRule{
{
Verbs: []string{"get", "watch", "list"},
APIGroups: []string{""},
Resources: []string{"services"},
},
{
Verbs: []string{"list"},
APIGroups: []string{""},
Resources: []string{"namespaces"},
},
},
},
{Name: "create",
Rules: []v1.PolicyRule{
{
Verbs: []string{"create"},
APIGroups: []string{""},
Resources: []string{"services"},
},
},
},
{Name: "edit",
Rules: []v1.PolicyRule{
{
Verbs: []string{"update", "patch"},
APIGroups: []string{""},
Resources: []string{"services"},
},
},
},
{Name: "delete",
Rules: []v1.PolicyRule{
{
Verbs: []string{"delete", "deletecollection"},
APIGroups: []string{""},
Resources: []string{"services"},
},
},
},
},
}
routes = rule{
Name: "routes",
Actions: []action{
{Name: "view",
Rules: []v1.PolicyRule{
{
Verbs: []string{"get", "watch", "list"},
APIGroups: []string{"extensions"},
Resources: []string{"ingresses"},
},
{
Verbs: []string{"list"},
APIGroups: []string{""},
Resources: []string{"namespaces"},
},
},
},
{Name: "create",
Rules: []v1.PolicyRule{
{
Verbs: []string{"create"},
APIGroups: []string{"extensions"},
Resources: []string{"ingresses"},
},
},
},
{Name: "edit",
Rules: []v1.PolicyRule{
{
Verbs: []string{"update", "patch"},
APIGroups: []string{"extensions"},
Resources: []string{"ingresses"},
},
},
},
{Name: "delete",
Rules: []v1.PolicyRule{
{
Verbs: []string{"delete", "deletecollection"},
APIGroups: []string{"extensions"},
Resources: []string{"ingresses"},
},
},
},
},
}
deployments = rule{
Name: "deployments",
Actions: []action{
{Name: "view",
Rules: []v1.PolicyRule{
{
Verbs: []string{"get", "watch", "list"},
APIGroups: []string{"apps", "extensions"},
Resources: []string{"deployments", "deployments/scale"},
},
{
Verbs: []string{"list"},
APIGroups: []string{""},
Resources: []string{"namespaces"},
},
{
Verbs: []string{"get", "watch", "list"},
APIGroups: []string{""},
Resources: []string{"pods", "pods/log", "pods/status"},
},
},
},
{Name: "create",
Rules: []v1.PolicyRule{
{
Verbs: []string{"create"},
APIGroups: []string{"apps", "extensions"},
Resources: []string{"deployments"},
},
},
},
{Name: "edit",
Rules: []v1.PolicyRule{
{
Verbs: []string{"update", "patch"},
APIGroups: []string{"apps", "extensions"},
Resources: []string{"deployments", "deployments/rollback"},
},
},
},
{Name: "delete",
Rules: []v1.PolicyRule{
{
Verbs: []string{"delete", "deletecollection"},
APIGroups: []string{"apps", "extensions"},
Resources: []string{"deployments"},
},
},
},
{Name: "scale",
Rules: []v1.PolicyRule{
{
Verbs: []string{"create", "update", "patch", "delete"},
APIGroups: []string{"apps", "extensions"},
Resources: []string{"deployments/scale"},
},
},
},
},
}
pods = rule{
Name: "pods",
Actions: []action{
{Name: "terminal",
Rules: []v1.PolicyRule{
{
Verbs: []string{"*"},
APIGroups: []string{"kubesphere.io"},
Resources: []string{"terminal"},
},
},
},
},
}
)

228
pkg/apis/v1alpha/iam/tools.go
View File

@@ -1,228 +0,0 @@
/*
Copyright 2018 The KubeSphere Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package iam
import (
"k8s.io/api/rbac/v1"
"k8s.io/kubernetes/pkg/util/slice"
"kubesphere.io/kubesphere/pkg/models"
)
func getUserRules(username string) (map[string][]rule, error) {
items := make(map[string][]rule, 0)
roles, err := models.GetRoles(username)
if err != nil {
return nil, err
}
namespaces := make([]string, 0)
for i := 0; i < len(roles); i++ {
if !slice.ContainsString(namespaces, roles[i].Namespace, nil) {
namespaces = append(namespaces, roles[i].Namespace)
}
}
for _, namespace := range namespaces {
rules := getMergeRules(namespace, roles)
if len(rules) > 0 {
items[namespace] = rules
}
}
return items, nil
}
func getMergeRules(namespace string, roles []v1.Role) []rule {
rules := make([]rule, 0)
for i := 0; i < (len(roleRuleGroup)); i++ {
rule := rule{Name: roleRuleGroup[i].Name}
rule.Actions = make([]action, 0)
for j := 0; j < (len(roleRuleGroup[i].Actions)); j++ {
permit := false
for _, role := range roles {
if role.Namespace == namespace && actionValidate(role.Rules, roleRuleGroup[i].Actions[j]) {
permit = true
break
}
}
if permit {
rule.Actions = append(rule.Actions, roleRuleGroup[i].Actions[j])
}
}
if len(rule.Actions) > 0 {
rules = append(rules, rule)
}
}
return rules
}
func getUserClusterRules(username string) ([]rule, error) {
rules := make([]rule, 0)
roles, err := models.GetClusterRoles(username)
if err != nil {
return nil, err
}
for i := 0; i < (len(clusterRoleRuleGroup)); i++ {
rule := rule{Name: clusterRoleRuleGroup[i].Name}
rule.Actions = make([]action, 0)
for j := 0; j < (len(clusterRoleRuleGroup[i].Actions)); j++ {
actionPermit := false
for _, role := range roles {
if actionValidate(role.Rules, clusterRoleRuleGroup[i].Actions[j]) {
actionPermit = true
break
}
}
if actionPermit {
rule.Actions = append(rule.Actions, clusterRoleRuleGroup[i].Actions[j])
}
}
if len(rule.Actions) > 0 {
rules = append(rules, rule)
}
}
return rules, nil
}
func getClusterRoleRules(name string) ([]rule, error) {
clusterRole, err := models.GetClusterRole(name)
if err != nil {
return nil, err
}
rules := make([]rule, 0)
for i := 0; i < len(clusterRoleRuleGroup); i++ {
rule := rule{Name: clusterRoleRuleGroup[i].Name}
rule.Actions = make([]action, 0)
for j := 0; j < (len(clusterRoleRuleGroup[i].Actions)); j++ {
if actionValidate(clusterRole.Rules, clusterRoleRuleGroup[i].Actions[j]) {
rule.Actions = append(rule.Actions, clusterRoleRuleGroup[i].Actions[j])
}
}
if len(rule.Actions) > 0 {
rules = append(rules, rule)
}
}
return rules, nil
}
func getRoleRules(namespace string, name string) ([]rule, error) {
role, err := models.GetRole(namespace, name)
if err != nil {
return nil, err
}
rules := make([]rule, 0)
for i := 0; i < len(roleRuleGroup); i++ {
rule := rule{Name: roleRuleGroup[i].Name}
rule.Actions = make([]action, 0)
for j := 0; j < len(roleRuleGroup[i].Actions); j++ {
if actionValidate(role.Rules, roleRuleGroup[i].Actions[j]) {
rule.Actions = append(rule.Actions, roleRuleGroup[i].Actions[j])
}
}
if len(rule.Actions) > 0 {
rules = append(rules, rule)
}
}
return rules, nil
}
func actionValidate(rules []v1.PolicyRule, action action) bool {
for _, rule := range action.Rules {
if !ruleValidate(rules, rule) {
return false
}
}
return true
}
func ruleValidate(rules []v1.PolicyRule, rule v1.PolicyRule) bool {
for _, apiGroup := range rule.APIGroups {
if len(rule.NonResourceURLs) == 0 {
for _, resource := range rule.Resources {
//if len(rule.ResourceNames) == 0 {
for _, verb := range rule.Verbs {
if !verbValidate(rules, apiGroup, "", resource, "", verb) {
return false
}
}
//} else {
// for _, resourceName := range rule.ResourceNames {
// for _, verb := range rule.Verbs {
// if !verbValidate(rules, apiGroup, "", resource, resourceName, verb) {
// return false
// }
// }
// }
//}
}
} else {
for _, nonResourceURL := range rule.NonResourceURLs {
for _, verb := range rule.Verbs {
if !verbValidate(rules, apiGroup, nonResourceURL, "", "", verb) {
return false
}
}
}
}
}
return true
}
func verbValidate(rules []v1.PolicyRule, apiGroup string, nonResourceURL string, resource string, resourceName string, verb string) bool {
for _, rule := range rules {
if slice.ContainsString(rule.APIGroups, apiGroup, nil) || slice.ContainsString(rule.APIGroups, v1.APIGroupAll, nil) {
if slice.ContainsString(rule.Verbs, verb, nil) || slice.ContainsString(rule.Verbs, v1.VerbAll, nil) {
if nonResourceURL == "" {
if slice.ContainsString(rule.Resources, resource, nil) || slice.ContainsString(rule.Resources, v1.ResourceAll, nil) {
if resourceName == "" {
return true
} else if slice.ContainsString(rule.ResourceNames, resourceName, nil) || slice.ContainsString(rule.Resources, v1.ResourceAll, nil) {
return true
}
}
} else if slice.ContainsString(rule.NonResourceURLs, nonResourceURL, nil) || slice.ContainsString(rule.NonResourceURLs, v1.NonResourceAll, nil) {
return true
}
}
}
}
return false
}