update

Signed-off-by: hongming <talonwan@yunify.com>

pkg/apiserver/authorization/authorizerfactory/opa.go

@@ -18,15 +18,111 @@
 
 package authorizerfactory
 
-import "kubesphere.io/kubesphere/pkg/apiserver/authorization/authorizer"
+import (
+	"context"
+	"github.com/open-policy-agent/opa/rego"
+	"kubesphere.io/kubesphere/pkg/apiserver/authorization/authorizer"
+	am2 "kubesphere.io/kubesphere/pkg/models/iam/am"
+)
 
-type opaAuthorizer struct{}
-
-func (opaAuthorizer) Authorize(a authorizer.Attributes) (authorized authorizer.Decision, reason string, err error) {
-	// TODO implement.
-	return authorizer.DecisionAllow, "", nil
+type opaAuthorizer struct {
+	am am2.AccessManagementInterface
 }
 
-func NewOPAAuthorizer() *opaAuthorizer {
-	return new(opaAuthorizer)
+func (o *opaAuthorizer) Authorize(a authorizer.Attributes) (authorized authorizer.Decision, reason string, err error) {
+
+	platformRole, err := o.am.GetPlatformRole(a.GetUser().GetName())
+	if err != nil {
+		return authorizer.DecisionDeny, "", err
+	}
+
+	// check platform role policy rules
+	if a, r, e := o.roleAuthorize(platformRole, a); a == authorizer.DecisionAllow {
+		return a, r, e
+	}
+
+	// it's not in cluster resource, permission denied
+	// TODO declare implicit cluster info in request Info
+	if a.GetCluster() == "" {
+		return authorizer.DecisionDeny, "permission undefined", nil
+	}
+
+	clusterRole, err := o.am.GetClusterRole(a.GetCluster(), a.GetUser().GetName())
+	if err != nil {
+		return authorizer.DecisionDeny, "", err
+	}
+
+	// check cluster role policy rules
+	if a, r, e := o.roleAuthorize(clusterRole, a); a == authorizer.DecisionAllow {
+		return a, r, e
+	}
+
+	// it's not in cluster resource, permission denied
+	if a.GetWorkspace() == "" && a.GetNamespace() == "" && a.GetDevopsProject() == "" {
+		return authorizer.DecisionDeny, "permission undefined", nil
+	}
+
+	workspaceRole, err := o.am.GetWorkspaceRole(a.GetWorkspace(), a.GetUser().GetName())
+	if err != nil {
+		return authorizer.DecisionDeny, "", err
+	}
+
+	// check workspace role policy rules
+	if a, r, e := o.roleAuthorize(workspaceRole, a); a == authorizer.DecisionAllow {
+		return a, r, e
+	}
+
+	// it's not in workspace resource, permission denied
+	if a.GetNamespace() == "" && a.GetDevopsProject() == "" {
+		return authorizer.DecisionDeny, "permission undefined", nil
+	}
+
+	if a.GetNamespace() != "" {
+		namespaceRole, err := o.am.GetNamespaceRole(a.GetNamespace(), a.GetUser().GetName())
+		if err != nil {
+			return authorizer.DecisionDeny, "", err
+		}
+		// check namespace role policy rules
+		if a, r, e := o.roleAuthorize(namespaceRole, a); a == authorizer.DecisionAllow {
+			return a, r, e
+		}
+	}
+
+	if a.GetDevopsProject() != "" {
+		devOpsRole, err := o.am.GetDevOpsRole(a.GetNamespace(), a.GetUser().GetName())
+		if err != nil {
+			return authorizer.DecisionDeny, "", err
+		}
+		// check devops role policy rules
+		if a, r, e := o.roleAuthorize(devOpsRole, a); a == authorizer.DecisionAllow {
+			return a, r, e
+		}
+	}
+
+	return authorizer.DecisionDeny, "", nil
+}
+
+func (o *opaAuthorizer) roleAuthorize(role am2.Role, a authorizer.Attributes) (authorized authorizer.Decision, reason string, err error) {
+
+	query, err := rego.New(rego.Query("data.authz.allow"), rego.Module("authz.rego", role.GetRego())).PrepareForEval(context.Background())
+
+	if err != nil {
+		return authorizer.DecisionDeny, "", err
+	}
+
+	results, err := query.Eval(context.Background(), rego.EvalInput(a))
+
+	if err != nil {
+		return authorizer.DecisionDeny, "", err
+	}
+
+	if len(results) > 0 && results[0].Expressions[0].Value == true {
+		return authorizer.DecisionAllow, "", nil
+	}
+
+	return authorizer.DecisionDeny, "permission undefined", nil
+}
+
+func NewOPAAuthorizer(am am2.AccessManagementInterface) *opaAuthorizer {
+	return &opaAuthorizer{am: am}
 }