update

Signed-off-by: hongming <talonwan@yunify.com>

pkg/apiserver/authorization/authorizerfactory/opa.go

@@ -18,15 +18,111 @@
 
 package authorizerfactory
 
-import "kubesphere.io/kubesphere/pkg/apiserver/authorization/authorizer"
+import (
+	"context"
+	"github.com/open-policy-agent/opa/rego"
+	"kubesphere.io/kubesphere/pkg/apiserver/authorization/authorizer"
+	am2 "kubesphere.io/kubesphere/pkg/models/iam/am"
+)
 
-type opaAuthorizer struct{}
-
-func (opaAuthorizer) Authorize(a authorizer.Attributes) (authorized authorizer.Decision, reason string, err error) {
-	// TODO implement.
-	return authorizer.DecisionAllow, "", nil
+type opaAuthorizer struct {
+	am am2.AccessManagementInterface
 }
 
-func NewOPAAuthorizer() *opaAuthorizer {
-	return new(opaAuthorizer)
+func (o *opaAuthorizer) Authorize(a authorizer.Attributes) (authorized authorizer.Decision, reason string, err error) {
+
+	platformRole, err := o.am.GetPlatformRole(a.GetUser().GetName())
+	if err != nil {
+		return authorizer.DecisionDeny, "", err
+	}
+
+	// check platform role policy rules
+	if a, r, e := o.roleAuthorize(platformRole, a); a == authorizer.DecisionAllow {
+		return a, r, e
+	}
+
+	// it's not in cluster resource, permission denied
+	// TODO declare implicit cluster info in request Info
+	if a.GetCluster() == "" {
+		return authorizer.DecisionDeny, "permission undefined", nil
+	}
+
+	clusterRole, err := o.am.GetClusterRole(a.GetCluster(), a.GetUser().GetName())
+	if err != nil {
+		return authorizer.DecisionDeny, "", err
+	}
+
+	// check cluster role policy rules
+	if a, r, e := o.roleAuthorize(clusterRole, a); a == authorizer.DecisionAllow {
+		return a, r, e
+	}
+
+	// it's not in cluster resource, permission denied
+	if a.GetWorkspace() == "" && a.GetNamespace() == "" && a.GetDevopsProject() == "" {
+		return authorizer.DecisionDeny, "permission undefined", nil
+	}
+
+	workspaceRole, err := o.am.GetWorkspaceRole(a.GetWorkspace(), a.GetUser().GetName())
+	if err != nil {
+		return authorizer.DecisionDeny, "", err
+	}
+
+	// check workspace role policy rules
+	if a, r, e := o.roleAuthorize(workspaceRole, a); a == authorizer.DecisionAllow {
+		return a, r, e
+	}
+
+	// it's not in workspace resource, permission denied
+	if a.GetNamespace() == "" && a.GetDevopsProject() == "" {
+		return authorizer.DecisionDeny, "permission undefined", nil
+	}
+
+	if a.GetNamespace() != "" {
+		namespaceRole, err := o.am.GetNamespaceRole(a.GetNamespace(), a.GetUser().GetName())
+		if err != nil {
+			return authorizer.DecisionDeny, "", err
+		}
+		// check namespace role policy rules
+		if a, r, e := o.roleAuthorize(namespaceRole, a); a == authorizer.DecisionAllow {
+			return a, r, e
+		}
+	}
+
+	if a.GetDevopsProject() != "" {
+		devOpsRole, err := o.am.GetDevOpsRole(a.GetNamespace(), a.GetUser().GetName())
+		if err != nil {
+			return authorizer.DecisionDeny, "", err
+		}
+		// check devops role policy rules
+		if a, r, e := o.roleAuthorize(devOpsRole, a); a == authorizer.DecisionAllow {
+			return a, r, e
+		}
+	}
+
+	return authorizer.DecisionDeny, "", nil
+}
+
+func (o *opaAuthorizer) roleAuthorize(role am2.Role, a authorizer.Attributes) (authorized authorizer.Decision, reason string, err error) {
+
+	query, err := rego.New(rego.Query("data.authz.allow"), rego.Module("authz.rego", role.GetRego())).PrepareForEval(context.Background())
+
+	if err != nil {
+		return authorizer.DecisionDeny, "", err
+	}
+
+	results, err := query.Eval(context.Background(), rego.EvalInput(a))
+
+	if err != nil {
+		return authorizer.DecisionDeny, "", err
+	}
+
+	if len(results) > 0 && results[0].Expressions[0].Value == true {
+		return authorizer.DecisionAllow, "", nil
+	}
+
+	return authorizer.DecisionDeny, "permission undefined", nil
+}
+
+func NewOPAAuthorizer(am am2.AccessManagementInterface) *opaAuthorizer {
+	return &opaAuthorizer{am: am}
 }

pkg/apiserver/authorization/authorizerfactory/opa_test.go

@@ -0,0 +1,84 @@
+/*
+ *
+ * Copyright 2020 The KubeSphere Authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * /
+ */
+
+package authorizerfactory
+
+import (
+	"context"
+	"github.com/open-policy-agent/opa/rego"
+	"k8s.io/apiserver/pkg/authentication/user"
+	"kubesphere.io/kubesphere/pkg/apiserver/authorization/authorizer"
+	"testing"
+)
+
+func TestPlatformRole(t *testing.T) {
+
+	module := `package platform.authz
+default allow = false
+
+allow {
+    input.User.name == "admin"
+}
+
+allow {
+    is_admin
+}
+
+is_admin {
+    input.User.Groups[_] == "admin"
+}
+`
+	query, err := rego.New(rego.Query("data.authz.allow"), rego.Module("authz.rego", module)).PrepareForEval(context.Background())
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	input := authorizer.AttributesRecord{
+		User: &user.DefaultInfo{
+			Name:   "admin",
+			UID:    "0",
+			Groups: []string{"admin"},
+			Extra:  nil,
+		},
+		Verb:              "list",
+		Cluster:           "",
+		Workspace:         "",
+		Namespace:         "",
+		DevopsProject:     "",
+		APIGroup:          "",
+		APIVersion:        "v1",
+		Resource:          "nodes",
+		Subresource:       "",
+		Name:              "",
+		KubernetesRequest: true,
+		ResourceRequest:   true,
+		Path:              "/api/v1/nodes",
+	}
+
+	results, err := query.Eval(context.Background(), rego.EvalInput(input))
+
+	if err != nil {
+		t.Log(err)
+	}
+
+	if len(results) > 0 && results[0].Expressions[0].Value == true {
+		t.Log("allowed")
+	} else {
+		t.Log("deny")
+	}
+}