update

Signed-off-by: hongming <talonwan@yunify.com>
2020-03-19 22:44:05 +08:00
parent 23f6be88c6
commit 9769357005
332 changed files with 69808 additions and 4129 deletions
--- a/pkg/apiserver/apiserver.go
+++ b/pkg/apiserver/apiserver.go
@@ -33,6 +33,7 @@ import (
 	servicemeshv1alpha2 "kubesphere.io/kubesphere/pkg/kapis/servicemesh/metrics/v1alpha2"
 	tenantv1alpha2 "kubesphere.io/kubesphere/pkg/kapis/tenant/v1alpha2"
 	terminalv1alpha2 "kubesphere.io/kubesphere/pkg/kapis/terminal/v1alpha2"
+	"kubesphere.io/kubesphere/pkg/models/iam/am"
 	"kubesphere.io/kubesphere/pkg/simple/client/cache"
 	"kubesphere.io/kubesphere/pkg/simple/client/devops"
 	"kubesphere.io/kubesphere/pkg/simple/client/k8s"
@@ -103,8 +104,6 @@ type APIServer struct {

 	//
 	LdapClient ldap.Interface
-
-	//
 }

 func (s *APIServer) PrepareRun() error {
@@ -188,7 +187,7 @@ func (s *APIServer) buildHandlerChain() {

 	excludedPaths := []string{"/oauth/authorize", "/oauth/token"}
 	pathAuthorizer, _ := path.NewAuthorizer(excludedPaths)
-	authorizer := unionauthorizer.New(pathAuthorizer, authorizerfactory.NewOPAAuthorizer())
+	authorizer := unionauthorizer.New(pathAuthorizer, authorizerfactory.NewOPAAuthorizer(am.NewAMOperator(s.KubernetesClient.Kubernetes(), s.InformerFactory.KubernetesSharedInformerFactory())))
 	handler = filters.WithAuthorization(handler, authorizer)
 	handler = filters.WithMultipleClusterDispatcher(handler, dispatch.DefaultClusterDispatch)
 	handler = filters.WithKubeAPIServer(handler, s.KubernetesClient.Config(), &errorResponder{})
--- a/pkg/apiserver/authorization/authorizerfactory/opa.go
+++ b/pkg/apiserver/authorization/authorizerfactory/opa.go
@@ -18,15 +18,111 @@

 package authorizerfactory

-import "kubesphere.io/kubesphere/pkg/apiserver/authorization/authorizer"
+import (
+	"context"
+	"github.com/open-policy-agent/opa/rego"
+	"kubesphere.io/kubesphere/pkg/apiserver/authorization/authorizer"
+	am2 "kubesphere.io/kubesphere/pkg/models/iam/am"
+)

-type opaAuthorizer struct{}
-
-func (opaAuthorizer) Authorize(a authorizer.Attributes) (authorized authorizer.Decision, reason string, err error) {
-	// TODO implement.
-	return authorizer.DecisionAllow, "", nil
+type opaAuthorizer struct {
+	am am2.AccessManagementInterface
 }

-func NewOPAAuthorizer() *opaAuthorizer {
-	return new(opaAuthorizer)
+func (o *opaAuthorizer) Authorize(a authorizer.Attributes) (authorized authorizer.Decision, reason string, err error) {
+
+	platformRole, err := o.am.GetPlatformRole(a.GetUser().GetName())
+	if err != nil {
+		return authorizer.DecisionDeny, "", err
+	}
+
+	// check platform role policy rules
+	if a, r, e := o.roleAuthorize(platformRole, a); a == authorizer.DecisionAllow {
+		return a, r, e
+	}
+
+	// it's not in cluster resource, permission denied
+	// TODO declare implicit cluster info in request Info
+	if a.GetCluster() == "" {
+		return authorizer.DecisionDeny, "permission undefined", nil
+	}
+
+	clusterRole, err := o.am.GetClusterRole(a.GetCluster(), a.GetUser().GetName())
+	if err != nil {
+		return authorizer.DecisionDeny, "", err
+	}
+
+	// check cluster role policy rules
+	if a, r, e := o.roleAuthorize(clusterRole, a); a == authorizer.DecisionAllow {
+		return a, r, e
+	}
+
+	// it's not in cluster resource, permission denied
+	if a.GetWorkspace() == "" && a.GetNamespace() == "" && a.GetDevopsProject() == "" {
+		return authorizer.DecisionDeny, "permission undefined", nil
+	}
+
+	workspaceRole, err := o.am.GetWorkspaceRole(a.GetWorkspace(), a.GetUser().GetName())
+	if err != nil {
+		return authorizer.DecisionDeny, "", err
+	}
+
+	// check workspace role policy rules
+	if a, r, e := o.roleAuthorize(workspaceRole, a); a == authorizer.DecisionAllow {
+		return a, r, e
+	}
+
+	// it's not in workspace resource, permission denied
+	if a.GetNamespace() == "" && a.GetDevopsProject() == "" {
+		return authorizer.DecisionDeny, "permission undefined", nil
+	}
+
+	if a.GetNamespace() != "" {
+		namespaceRole, err := o.am.GetNamespaceRole(a.GetNamespace(), a.GetUser().GetName())
+		if err != nil {
+			return authorizer.DecisionDeny, "", err
+		}
+		// check namespace role policy rules
+		if a, r, e := o.roleAuthorize(namespaceRole, a); a == authorizer.DecisionAllow {
+			return a, r, e
+		}
+	}
+
+	if a.GetDevopsProject() != "" {
+		devOpsRole, err := o.am.GetDevOpsRole(a.GetNamespace(), a.GetUser().GetName())
+		if err != nil {
+			return authorizer.DecisionDeny, "", err
+		}
+		// check devops role policy rules
+		if a, r, e := o.roleAuthorize(devOpsRole, a); a == authorizer.DecisionAllow {
+			return a, r, e
+		}
+	}
+
+	return authorizer.DecisionDeny, "", nil
+}
+
+func (o *opaAuthorizer) roleAuthorize(role am2.Role, a authorizer.Attributes) (authorized authorizer.Decision, reason string, err error) {
+
+	query, err := rego.New(rego.Query("data.authz.allow"), rego.Module("authz.rego", role.GetRego())).PrepareForEval(context.Background())
+
+	if err != nil {
+		return authorizer.DecisionDeny, "", err
+	}
+
+	results, err := query.Eval(context.Background(), rego.EvalInput(a))
+
+	if err != nil {
+		return authorizer.DecisionDeny, "", err
+	}
+
+	if len(results) > 0 && results[0].Expressions[0].Value == true {
+		return authorizer.DecisionAllow, "", nil
+	}
+
+	return authorizer.DecisionDeny, "permission undefined", nil
+}
+
+func NewOPAAuthorizer(am am2.AccessManagementInterface) *opaAuthorizer {
+	return &opaAuthorizer{am: am}
 }
--- a/pkg/apiserver/authorization/authorizerfactory/opa_test.go
+++ b/pkg/apiserver/authorization/authorizerfactory/opa_test.go
@@ -0,0 +1,84 @@
+/*
+ *
+ * Copyright 2020 The KubeSphere Authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * /
+ */
+
+package authorizerfactory
+
+import (
+	"context"
+	"github.com/open-policy-agent/opa/rego"
+	"k8s.io/apiserver/pkg/authentication/user"
+	"kubesphere.io/kubesphere/pkg/apiserver/authorization/authorizer"
+	"testing"
+)
+
+func TestPlatformRole(t *testing.T) {
+
+	module := `package platform.authz
+default allow = false
+
+allow {
+    input.User.name == "admin"
+}
+
+allow {
+    is_admin
+}
+
+is_admin {
+    input.User.Groups[_] == "admin"
+}
+`
+	query, err := rego.New(rego.Query("data.authz.allow"), rego.Module("authz.rego", module)).PrepareForEval(context.Background())
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	input := authorizer.AttributesRecord{
+		User: &user.DefaultInfo{
+			Name:   "admin",
+			UID:    "0",
+			Groups: []string{"admin"},
+			Extra:  nil,
+		},
+		Verb:              "list",
+		Cluster:           "",
+		Workspace:         "",
+		Namespace:         "",
+		DevopsProject:     "",
+		APIGroup:          "",
+		APIVersion:        "v1",
+		Resource:          "nodes",
+		Subresource:       "",
+		Name:              "",
+		KubernetesRequest: true,
+		ResourceRequest:   true,
+		Path:              "/api/v1/nodes",
+	}
+
+	results, err := query.Eval(context.Background(), rego.EvalInput(input))
+
+	if err != nil {
+		t.Log(err)
+	}
+
+	if len(results) > 0 && results[0].Expressions[0].Value == true {
+		t.Log("allowed")
+	} else {
+		t.Log("deny")
+	}
+}
--- a/pkg/apiserver/authorization/path/path_test.go
+++ b/pkg/apiserver/authorization/path/path_test.go
@@ -17,9 +17,8 @@ limitations under the License.
 package path

 import (
+	"kubesphere.io/kubesphere/pkg/apiserver/authorization/authorizer"
 	"testing"
-
-	"k8s.io/apiserver/pkg/authorization/authorizer"
 )

 func TestNewAuthorizer(t *testing.T) {