Add authorization control for patching workspacetemplates (#5191)

* update patch workspacetemplate for supporting patch with JsonPatchType and change the authorization processing Signed-off-by: Wenhao Zhou <wenhaozhou@yunify.com> * make goimports * Fix: Of the type is not string will lead to panic Signed-off-by: Wenhao Zhou <wenhaozhou@yunify.com> * Add jsonpatchutil for handling json patch data Signed-off-by: Wenhao Zhou <wenhaozhou@yunify.com> * Updated patch workspacetemplate to to make the code run more efficiently * fix: multiple clusterrolebindings cannot autorizate * Correct wrong spelling Signed-off-by: Wenhao Zhou <wenhaozhou@yunify.com>
2022-09-08 10:23:41 +08:00
parent 3b5fae0013
commit 95576bb827
4 changed files with 214 additions and 12 deletions
--- a/pkg/kapis/tenant/v1alpha2/handler.go
+++ b/pkg/kapis/tenant/v1alpha2/handler.go
@@ -520,33 +520,44 @@ func (h *tenantHandler) PatchNamespace(request *restful.Request, response *restf
 	response.WriteEntity(patched)
 }

-func (h *tenantHandler) PatchWorkspaceTemplate(request *restful.Request, response *restful.Response) {
-	workspaceName := request.PathParameter("workspace")
+func (h *tenantHandler) PatchWorkspaceTemplate(req *restful.Request, resp *restful.Response) {
+	workspaceName := req.PathParameter("workspace")
 	var data json.RawMessage
-	err := request.ReadEntity(&data)
+	err := req.ReadEntity(&data)
 	if err != nil {
 		klog.Error(err)
-		api.HandleBadRequest(response, request, err)
+		api.HandleBadRequest(resp, req, err)
 		return
 	}

-	patched, err := h.tenant.PatchWorkspaceTemplate(workspaceName, data)
+	requestUser, ok := request.UserFrom(req.Request.Context())
+	if !ok {
+		err := fmt.Errorf("cannot obtain user info")
+		klog.Errorln(err)
+		api.HandleForbidden(resp, req, err)
+	}
+
+	patched, err := h.tenant.PatchWorkspaceTemplate(requestUser, workspaceName, data)

 	if err != nil {
 		klog.Error(err)
 		if errors.IsNotFound(err) {
-			api.HandleNotFound(response, request, err)
+			api.HandleNotFound(resp, req, err)
 			return
 		}
 		if errors.IsBadRequest(err) {
-			api.HandleBadRequest(response, request, err)
+			api.HandleBadRequest(resp, req, err)
 			return
 		}
-		api.HandleInternalError(response, request, err)
+		if errors.IsNotFound(err) {
+			api.HandleForbidden(resp, req, err)
+			return
+		}
+		api.HandleInternalError(resp, req, err)
 		return
 	}

-	response.WriteEntity(patched)
+	resp.WriteEntity(patched)
 }

 func (h *tenantHandler) ListClusters(r *restful.Request, response *restful.Response) {