@@ -292,13 +292,14 @@ func ListNamespaceRules(req *restful.Request, resp *restful.Response) {
|
||||
}
|
||||
|
||||
func ListDevopsRules(req *restful.Request, resp *restful.Response) {
|
||||
|
||||
devops := req.PathParameter("devops")
|
||||
username := req.HeaderParameter(constants.UserNameHeader)
|
||||
|
||||
rules, err := iam.GetUserDevopsSimpleRules(username, devops)
|
||||
rules, err, code := tenant.GetUserDevopsSimpleRules(username, devops)
|
||||
|
||||
if err != nil {
|
||||
resp.WriteError(http.StatusInternalServerError, err)
|
||||
resp.WriteError(code, err)
|
||||
return
|
||||
}
|
||||
|
||||
|
||||
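Review bot: `resp.WriteError(code, err)` at the end of the hunk writes the tenant package's error text straight into the HTTP response, and as far as the other hunk shows the 500 path carries the raw error from the membership database query, so backend failure details become visible to the caller; the 403 path is fine to expose as is. Consider substituting the generic reason for server-side failures before the existing call, `if code >= http.StatusInternalServerError { resp.WriteErrorString(code, http.StatusText(code)); return }`, since the details are already logged on the tenant side. ListDevopsRules's body continues past the hunk, so the success-path write is not visible here.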
@@ -35,7 +35,6 @@ import (
|
||||
"kubesphere.io/kubesphere/pkg/models/resources"
|
||||
"kubesphere.io/kubesphere/pkg/params"
|
||||
"kubesphere.io/kubesphere/pkg/simple/client/k8s"
|
||||
"kubesphere.io/kubesphere/pkg/simple/client/kubesphere"
|
||||
"kubesphere.io/kubesphere/pkg/utils/k8sutil"
|
||||
"kubesphere.io/kubesphere/pkg/utils/sliceutil"
|
||||
"sort"
|
||||
@@ -48,17 +47,6 @@ const (
|
||||
NamespaceViewerRoleBindName = "viewer"
|
||||
)
|
||||
|
||||
func GetUserDevopsSimpleRules(username, projectId string) ([]models.SimpleRule, error) {
|
||||
role, err := kubesphere.Client().GetUserDevopsRole(username, projectId)
|
||||
|
||||
if err != nil {
|
||||
glog.Errorln("get user devops role", username, projectId, err)
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return GetDevopsRoleSimpleRules(role), nil
|
||||
}
|
||||
|
||||
func GetDevopsRoleSimpleRules(role string) []models.SimpleRule {
|
||||
var rules []models.SimpleRule
|
||||
|
||||
|
||||
@@ -484,3 +484,70 @@ func CreateDevopsProject(username string, workspace string, req *devops.DevOpsPr
|
||||
}
|
||||
return project, nil, http.StatusOK
|
||||
}
|
||||
|
||||
func GetUserDevopsSimpleRules(username, projectId string) ([]models.SimpleRule, error, int) {
|
||||
err := CheckProjectUserInRole(username, projectId, AllRoleSlice)
|
||||
if err != nil {
|
||||
glog.Errorf("%+v", err)
|
||||
return nil, err, http.StatusForbidden
|
||||
}
|
||||
dbconn := devops_mysql.OpenDatabase()
|
||||
memberships := &devops.DevOpsProjectMembership{}
|
||||
err = dbconn.Select(devops.DevOpsProjectMembershipColumns...).
|
||||
From(devops.DevOpsProjectMembershipTableName).
|
||||
Where(db.And(
|
||||
db.Eq(devops.DevOpsProjectMembershipProjectIdColumn, projectId),
|
||||
db.Eq(devops.DevOpsProjectMembershipUsernameColumn, username))).
|
||||
LoadOne(&memberships)
|
||||
if err != nil {
|
||||
glog.Errorf("%+v", err)
|
||||
|
||||
return nil, err, http.StatusInternalServerError
|
||||
}
|
||||
|
||||
return GetDevopsRoleSimpleRules(memberships.Role), nil, http.StatusOK
|
||||
}
|
||||
|
||||
func GetDevopsRoleSimpleRules(role string) []models.SimpleRule {
|
||||
var rules []models.SimpleRule
|
||||
|
||||
switch role {
|
||||
case "developer":
|
||||
rules = []models.SimpleRule{
|
||||
{Name: "pipelines", Actions: []string{"view", "trigger"}},
|
||||
{Name: "roles", Actions: []string{"view"}},
|
||||
{Name: "members", Actions: []string{"view"}},
|
||||
{Name: "devops", Actions: []string{"view"}},
|
||||
}
|
||||
break
|
||||
case "owner":
|
||||
rules = []models.SimpleRule{
|
||||
{Name: "pipelines", Actions: []string{"create", "edit", "view", "delete", "trigger"}},
|
||||
{Name: "roles", Actions: []string{"view"}},
|
||||
{Name: "members", Actions: []string{"create", "edit", "view", "delete"}},
|
||||
{Name: "credentials", Actions: []string{"create", "edit", "view", "delete"}},
|
||||
{Name: "devops", Actions: []string{"edit", "view", "delete"}},
|
||||
}
|
||||
break
|
||||
case "maintainer":
|
||||
rules = []models.SimpleRule{
|
||||
{Name: "pipelines", Actions: []string{"create", "edit", "view", "delete", "trigger"}},
|
||||
{Name: "roles", Actions: []string{"view"}},
|
||||
{Name: "members", Actions: []string{"view"}},
|
||||
{Name: "credentials", Actions: []string{"create", "edit", "view", "delete"}},
|
||||
{Name: "devops", Actions: []string{"view"}},
|
||||
}
|
||||
break
|
||||
case "reporter":
|
||||
fallthrough
|
||||
default:
|
||||
rules = []models.SimpleRule{
|
||||
{Name: "pipelines", Actions: []string{"view"}},
|
||||
{Name: "roles", Actions: []string{"view"}},
|
||||
{Name: "members", Actions: []string{"view"}},
|
||||
{Name: "devops", Actions: []string{"view"}},
|
||||
}
|
||||
break
|
||||
}
|
||||
return rules
|
||||
}
|
||||
|
||||
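Review bot: In `GetDevopsRoleSimpleRules` the `default:` arm shares the reporter rule set, so any role string the switch does not recognize — including the empty string a zero-valued membership row would carry — still receives view rights on pipelines, roles, members and devops; unknown roles should yield nothing, `default: return nil`, with `case "reporter":` keeping its own rule list, and the `break` statements are redundant in a Go switch and can be dropped. In `GetUserDevopsSimpleRules` the result order `([]models.SimpleRule, error, int)` puts the error before the status code; the convention is `error` last, `([]models.SimpleRule, int, error)`, with the caller's two names swapped to match. `memberships` is already a `*devops.DevOpsProjectMembership`, so `LoadOne(&memberships)` hands a `**T` to the loader — presumably the db layer tolerates that, but `LoadOne(memberships)` is the unambiguous form. The function also logs the query error with `glog.Errorf` and then returns it, so the same failure is reported at two layers; handling it at one is enough.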
@@ -36,21 +36,6 @@ type Workspace struct {
|
||||
DevopsProjects []string `json:"devops_projects"`
|
||||
}
|
||||
|
||||
type WorkspaceDPBinding struct {
|
||||
Workspace string `gorm:"primary_key"`
|
||||
DevOpsProject string `gorm:"primary_key"`
|
||||
}
|
||||
|
||||
type DevopsProject struct {
|
||||
ProjectId string `json:"project_id,omitempty"`
|
||||
Name string `json:"name"`
|
||||
Description string `json:"description"`
|
||||
Creator string `json:"creator"`
|
||||
CreateTime *time.Time `json:"create_time,omitempty"`
|
||||
Status *string `json:"status"`
|
||||
Visibility *string `json:"visibility,omitempty"`
|
||||
}
|
||||
|
||||
type Action struct {
|
||||
Name string `json:"name"`
|
||||
Rules []v1.PolicyRule `json:"rules"`
|
||||
|
||||
@@ -1,186 +0,0 @@
|
||||
/*
|
||||
|
||||
Copyright 2019 The KubeSphere Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
|
||||
*/
|
||||
package kubesphere
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"github.com/golang/glog"
|
||||
"io/ioutil"
|
||||
"kubesphere.io/kubesphere/pkg/constants"
|
||||
"kubesphere.io/kubesphere/pkg/models"
|
||||
"net/http"
|
||||
)
|
||||
|
||||
func (c client) DeleteDevopsProject(username string, projectId string) error {
|
||||
request, _ := http.NewRequest(http.MethodDelete, fmt.Sprintf("%s/api/v1alpha/projects/%s", devopsAPIServer, projectId), nil)
|
||||
if username == "" {
|
||||
username = constants.AdminUserName
|
||||
}
|
||||
request.Header.Add("X-Token-Username", username)
|
||||
|
||||
resp, err := c.client.Do(request)
|
||||
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
defer resp.Body.Close()
|
||||
data, err := ioutil.ReadAll(resp.Body)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if resp.StatusCode > http.StatusOK {
|
||||
return Error{resp.StatusCode, string(data)}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func (c client) GetUserDevopsRole(username string, projectId string) (string, error) {
|
||||
|
||||
if username == "admin" {
|
||||
return "owner", nil
|
||||
}
|
||||
|
||||
req, err := http.NewRequest(http.MethodGet, fmt.Sprintf("%s/api/v1alpha/projects/%s/members", devopsAPIServer, projectId), nil)
|
||||
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
req.Header.Set(constants.UserNameHeader, username)
|
||||
resp, err := c.client.Do(req)
|
||||
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
|
||||
defer resp.Body.Close()
|
||||
data, err := ioutil.ReadAll(resp.Body)
|
||||
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
|
||||
if resp.StatusCode > http.StatusOK {
|
||||
return "", Error{resp.StatusCode, string(data)}
|
||||
}
|
||||
|
||||
var result []map[string]string
|
||||
|
||||
err = json.Unmarshal(data, &result)
|
||||
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
|
||||
for _, item := range result {
|
||||
if item["username"] == username {
|
||||
return item["role"], nil
|
||||
}
|
||||
}
|
||||
|
||||
return "", nil
|
||||
}
|
||||
|
||||
func (c client) CreateDevopsProject(username string, project *models.DevopsProject) (*models.DevopsProject, error) {
|
||||
data, err := json.Marshal(project)
|
||||
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
request, _ := http.NewRequest(http.MethodPost, fmt.Sprintf("%s/api/v1alpha/projects", devopsAPIServer), bytes.NewReader(data))
|
||||
request.Header.Add("X-Token-Username", username)
|
||||
request.Header.Add("Content-Type", "application/json")
|
||||
resp, err := c.client.Do(request)
|
||||
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
defer resp.Body.Close()
|
||||
data, err = ioutil.ReadAll(resp.Body)
|
||||
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if resp.StatusCode > http.StatusOK {
|
||||
return nil, Error{resp.StatusCode, string(data)}
|
||||
}
|
||||
|
||||
var created models.DevopsProject
|
||||
|
||||
err = json.Unmarshal(data, &created)
|
||||
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return &created, nil
|
||||
}
|
||||
|
||||
func (c client) CreateDevopsRoleBinding(projectId string, user string, role string) {
|
||||
|
||||
projects := make([]string, 0)
|
||||
projects = append(projects, projectId)
|
||||
|
||||
for _, project := range projects {
|
||||
data := []byte(fmt.Sprintf(`{"username":"%s","role":"%s"}`, user, role))
|
||||
request, _ := http.NewRequest(http.MethodPost, fmt.Sprintf("%s/api/v1alpha/projects/%s/members", devopsAPIServer, project), bytes.NewReader(data))
|
||||
request.Header.Add("Content-Type", "application/json")
|
||||
request.Header.Add("X-Token-Username", "admin")
|
||||
resp, err := c.client.Do(request)
|
||||
if err != nil || resp.StatusCode > 200 {
|
||||
glog.Warning(fmt.Sprintf("create devops role binding failed %s,%s,%s", project, user, role))
|
||||
}
|
||||
if resp != nil {
|
||||
resp.Body.Close()
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func (c client) ListDevopsProjects(username string) ([]models.DevopsProject, error) {
|
||||
projects := make([]models.DevopsProject, 0)
|
||||
|
||||
request, _ := http.NewRequest(http.MethodGet, fmt.Sprintf("%s/api/v1alpha/projects", devopsAPIServer), nil)
|
||||
request.Header.Add(constants.UserNameHeader, username)
|
||||
|
||||
resp, err := c.client.Do(request)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
defer resp.Body.Close()
|
||||
data, err := ioutil.ReadAll(resp.Body)
|
||||
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if resp.StatusCode > http.StatusOK {
|
||||
return nil, Error{resp.StatusCode, string(data)}
|
||||
}
|
||||
|
||||
err = json.Unmarshal(data, &projects)
|
||||
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return projects, nil
|
||||
}
|
||||
@@ -42,11 +42,6 @@ type Interface interface {
|
||||
UpdateGroup(group *models.Group) (*models.Group, error)
|
||||
DescribeGroup(name string) (*models.Group, error)
|
||||
DeleteGroup(name string) error
|
||||
DeleteDevopsProject(username string, projectId string) error
|
||||
GetUserDevopsRole(username string, projectId string) (string, error)
|
||||
CreateDevopsProject(username string, project *models.DevopsProject) (*models.DevopsProject, error)
|
||||
CreateDevopsRoleBinding(projectId string, user string, role string)
|
||||
ListDevopsProjects(username string) ([]models.DevopsProject, error)
|
||||
}
|
||||
|
||||
type client struct {
|
||||
@@ -55,7 +50,6 @@ type client struct {
|
||||
|
||||
func init() {
|
||||
flag.StringVar(&accountAPIServer, "ks-account-api-server", "http://ks-account.kubesphere-system.svc", "kubesphere account api server")
|
||||
flag.StringVar(&devopsAPIServer, "ks-devops-api-server", "http://ks-devops.kubesphere-devops-system.svc", "kubesphere devops api server")
|
||||
}
|
||||
|
||||
func Client() Interface {
|
||||
|
||||