update

Signed-off-by: hongming <talonwan@yunify.com>
2020-03-19 22:44:05 +08:00
parent 23f6be88c6
commit 9769357005
332 changed files with 69808 additions and 4129 deletions
--- a/pkg/kapis/iam/v1alpha2/handler.go
+++ b/pkg/kapis/iam/v1alpha2/handler.go
@@ -2,19 +2,14 @@ package v1alpha2

 import (
 	"errors"
-	"fmt"
 	"github.com/emicklei/go-restful"
-	"github.com/go-ldap/ldap"
-	rbacv1 "k8s.io/api/rbac/v1"
 	"k8s.io/klog"
 	"kubesphere.io/kubesphere/pkg/api"
 	iamv1alpha2 "kubesphere.io/kubesphere/pkg/api/iam/v1alpha2"
-	"kubesphere.io/kubesphere/pkg/constants"
 	"kubesphere.io/kubesphere/pkg/informers"
-	"kubesphere.io/kubesphere/pkg/models/iam"
-	"kubesphere.io/kubesphere/pkg/models/iam/policy"
+	"kubesphere.io/kubesphere/pkg/models/iam/am"
+	"kubesphere.io/kubesphere/pkg/models/iam/im"
 	"kubesphere.io/kubesphere/pkg/models/resources/v1alpha2"
-	apierr "kubesphere.io/kubesphere/pkg/server/errors"
 	"kubesphere.io/kubesphere/pkg/server/params"
 	"kubesphere.io/kubesphere/pkg/simple/client/cache"
 	"kubesphere.io/kubesphere/pkg/simple/client/k8s"
@@ -30,14 +25,14 @@ const (
 )

 type iamHandler struct {
-	amOperator iam.AccessManagementInterface
-	imOperator iam.IdentityManagementInterface
+	amOperator am.AccessManagementInterface
+	imOperator im.IdentityManagementInterface
 }

 func newIAMHandler(k8sClient k8s.Client, factory informers.InformerFactory, ldapClient ldappool.Interface, cacheClient cache.Interface, options *iamapi.AuthenticationOptions) *iamHandler {
 	return &iamHandler{
-		amOperator: iam.NewAMOperator(k8sClient.Kubernetes(), factory.KubernetesSharedInformerFactory()),
-		imOperator: iam.NewIMOperator(ldapClient, cacheClient, options),
+		amOperator: am.NewAMOperator(k8sClient.Kubernetes(), factory.KubernetesSharedInformerFactory()),
+		imOperator: im.NewIMOperator(ldapClient, cacheClient, options),
 	}
 }

@@ -96,7 +91,7 @@ func (h *iamHandler) Login(req *restful.Request, resp *restful.Response) {
 	token, err := h.imOperator.Login(loginRequest.Username, loginRequest.Password, ip)

 	if err != nil {
-		if err == iam.AuthRateLimitExceeded {
+		if err == im.AuthRateLimitExceeded {
 			klog.V(4).Infoln(err)
 			resp.WriteHeaderAndEntity(http.StatusTooManyRequests, err)
 			return
@@ -110,151 +105,19 @@ func (h *iamHandler) Login(req *restful.Request, resp *restful.Response) {
 }

 func (h *iamHandler) CreateUser(req *restful.Request, resp *restful.Response) {
-	var createRequest iamv1alpha2.CreateUserRequest
-	err := req.ReadEntity(&createRequest)
-	if err != nil {
-		klog.V(4).Infoln(err)
-		api.HandleBadRequest(resp, nil, err)
-		return
-	}
-
-	if err := createRequest.Validate(); err != nil {
-		klog.V(4).Infoln(err)
-		api.HandleBadRequest(resp, nil, err)
-		return
-	}
-
-	created, err := h.imOperator.CreateUser(createRequest.User)
-
-	if err != nil {
-		if err == iam.UserAlreadyExists {
-			klog.V(4).Infoln(err)
-			resp.WriteHeaderAndEntity(http.StatusConflict, err)
-			return
-		}
-		klog.Errorln(err)
-		api.HandleInternalError(resp, nil, err)
-		return
-	}
-
-	err = h.amOperator.CreateClusterRoleBinding(created.Username, createRequest.ClusterRole)
-
-	if err != nil {
-		klog.Errorln(err)
-		api.HandleInternalError(resp, nil, err)
-		return
-	}
-
-	resp.WriteEntity(created)
+	panic("implement me")
 }

 func (h *iamHandler) DeleteUser(req *restful.Request, resp *restful.Response) {
-	username := req.PathParameter("user")
-	operator := req.HeaderParameter(constants.UserNameHeader)
-
-	if operator == username {
-		err := errors.New("cannot delete yourself")
-		klog.V(4).Infoln(err)
-		api.HandleForbidden(resp, nil, err)
-		return
-	}
-
-	err := h.amOperator.UnBindAllRoles(username)
-
-	if err != nil {
-		klog.Errorln(err)
-		api.HandleInternalError(resp, nil, err)
-		return
-	}
-
-	err = h.imOperator.DeleteUser(username)
-
-	// TODO release user resources
-	if err != nil {
-		klog.Errorln(err)
-		api.HandleInternalError(resp, nil, err)
-		return
-	}
-
-	resp.WriteEntity(apierr.None)
+	panic("implement me")
 }

 func (h *iamHandler) ModifyUser(request *restful.Request, response *restful.Response) {
-
-	username := request.PathParameter("user")
-	operator := request.HeaderParameter(constants.UserNameHeader)
-	var modifyUserRequest iamv1alpha2.ModifyUserRequest
-
-	err := request.ReadEntity(&modifyUserRequest)
-
-	if err != nil {
-		klog.V(4).Infoln(err)
-		api.HandleBadRequest(response, nil, err)
-		return
-	}
-
-	if username != modifyUserRequest.Username {
-		err = fmt.Errorf("the name of user (%s) does not match the name on the URL (%s)", modifyUserRequest.Username, username)
-		klog.V(4).Infoln(err)
-		api.HandleBadRequest(response, nil, err)
-		return
-	}
-
-	if err = modifyUserRequest.Validate(); err != nil {
-		klog.V(4).Infoln(err)
-		api.HandleBadRequest(response, nil, err)
-		return
-	}
-
-	// change password by self
-	if operator == modifyUserRequest.Username && modifyUserRequest.Password != "" {
-
-	}
-
-	result, err := h.imOperator.ModifyUser(modifyUserRequest.User)
-
-	if err != nil {
-		klog.Errorln(err)
-		api.HandleInternalError(response, nil, err)
-		return
-	}
-
-	// TODO modify cluster role
-
-	response.WriteEntity(result)
+	panic("implement me")
 }

 func (h *iamHandler) DescribeUser(req *restful.Request, resp *restful.Response) {
-	username := req.PathParameter("user")
-
-	user, err := h.imOperator.DescribeUser(username)
-
-	if err != nil {
-		if err == iam.UserNotExists {
-			klog.V(4).Infoln(err)
-			api.HandleNotFound(resp, nil, err)
-			return
-		}
-		klog.Errorln(err)
-		api.HandleInternalError(resp, nil, err)
-		return
-	}
-
-	// TODO append more user info
-	clusterRole, err := h.amOperator.GetClusterRole(username)
-
-	if err != nil {
-		klog.Errorln(err)
-		api.HandleInternalError(resp, nil, err)
-		return
-	}
-
-	result := iamv1alpha2.UserDetail{
-		User:        user,
-		ClusterRole: clusterRole.Name,
-	}
-
-	resp.WriteEntity(result)
+	panic("implement me")
 }

 func (h *iamHandler) ListUsers(req *restful.Request, resp *restful.Response) {
@@ -282,202 +145,35 @@ func (h *iamHandler) ListUsers(req *restful.Request, resp *restful.Response) {
 }

 func (h *iamHandler) ListUserRoles(req *restful.Request, resp *restful.Response) {
-
-	username := req.PathParameter("user")
-
-	roles, err := h.imOperator.GetUserRoles(username)
-
-	if err != nil {
-		klog.Errorln(err)
-		api.HandleInternalError(resp, nil, err)
-		return
-	}
-
-	resp.WriteEntity(roles)
+	panic("implement me")
 }

 func (h *iamHandler) ListRoles(req *restful.Request, resp *restful.Response) {
-	namespace := req.PathParameter("namespace")
-	limit, offset := params.ParsePaging(req)
-	orderBy := params.GetStringValueWithDefault(req, params.OrderByParam, v1alpha2.CreateTime)
-	reverse := params.GetBoolValueWithDefault(req, params.ReverseParam, true)
-	conditions, err := params.ParseConditions(req)
-
-	if err != nil {
-		klog.V(4).Infoln(err)
-		api.HandleBadRequest(resp, nil, err)
-		return
-	}
-
-	result, err := h.amOperator.ListRoles(namespace, conditions, orderBy, reverse, limit, offset)
-
-	if err != nil {
-		klog.Errorln(err)
-		api.HandleInternalError(resp, nil, err)
-		return
-	}
-
-	resp.WriteAsJson(result)
-
+	panic("implement me")
 }
 func (h *iamHandler) ListClusterRoles(req *restful.Request, resp *restful.Response) {
-	limit, offset := params.ParsePaging(req)
-	orderBy := params.GetStringValueWithDefault(req, params.OrderByParam, v1alpha2.CreateTime)
-	reverse := params.GetBoolValueWithDefault(req, params.ReverseParam, true)
-	conditions, err := params.ParseConditions(req)
-
-	if err != nil {
-		klog.V(4).Infoln(err)
-		api.HandleBadRequest(resp, nil, err)
-		return
-	}
-
-	result, err := h.amOperator.ListClusterRoles(conditions, orderBy, reverse, limit, offset)
-
-	if err != nil {
-		klog.Errorln(err)
-		api.HandleInternalError(resp, nil, err)
-		return
-	}
-
-	resp.WriteEntity(result)
-
+	panic("implement me")
 }

 func (h *iamHandler) ListRoleUsers(req *restful.Request, resp *restful.Response) {
-	role := req.PathParameter("role")
-	namespace := req.PathParameter("namespace")
-
-	roleBindings, err := h.amOperator.ListRoleBindings(namespace, role)
-
-	if err != nil {
-		klog.Errorln(err)
-		api.HandleInternalError(resp, nil, err)
-		return
-	}
-	result := make([]*iamapi.User, 0)
-	for _, roleBinding := range roleBindings {
-		for _, subject := range roleBinding.Subjects {
-			if subject.Kind == rbacv1.UserKind {
-				user, err := h.imOperator.DescribeUser(subject.Name)
-				// skip if user not exist
-				if ldap.IsErrorWithCode(err, ldap.LDAPResultNoSuchObject) {
-					continue
-				}
-				if err != nil {
-					klog.Errorln(err)
-					api.HandleInternalError(resp, nil, err)
-					return
-				}
-				result = append(result, user)
-			}
-		}
-	}
-
-	resp.WriteEntity(result)
+	panic("implement me")
 }

 // List users by namespace
 func (h *iamHandler) ListNamespaceUsers(req *restful.Request, resp *restful.Response) {
-
-	namespace := req.PathParameter("namespace")
-
-	roleBindings, err := h.amOperator.ListRoleBindings(namespace, "")
-
-	if err != nil {
-		klog.Errorln(err)
-		api.HandleInternalError(resp, nil, err)
-		return
-	}
-
-	result := make([]*iamapi.User, 0)
-	for _, roleBinding := range roleBindings {
-		for _, subject := range roleBinding.Subjects {
-			if subject.Kind == rbacv1.UserKind {
-				user, err := h.imOperator.DescribeUser(subject.Name)
-				// skip if user not exist
-				if ldap.IsErrorWithCode(err, ldap.LDAPResultNoSuchObject) {
-					continue
-				}
-				if err != nil {
-					klog.Errorln(err)
-					api.HandleInternalError(resp, nil, err)
-					return
-				}
-				result = append(result, user)
-			}
-		}
-	}
-
-	resp.WriteEntity(result)
+	panic("implement me")
 }

 func (h *iamHandler) ListClusterRoleUsers(req *restful.Request, resp *restful.Response) {
-	clusterRole := req.PathParameter("clusterrole")
-	clusterRoleBindings, err := h.amOperator.ListClusterRoleBindings(clusterRole)
-
-	if err != nil {
-		klog.Errorln(err)
-		api.HandleInternalError(resp, nil, err)
-		return
-	}
-
-	result := make([]*iamapi.User, 0)
-	for _, roleBinding := range clusterRoleBindings {
-		for _, subject := range roleBinding.Subjects {
-			if subject.Kind == rbacv1.UserKind {
-				user, err := h.imOperator.DescribeUser(subject.Name)
-				// skip if user not exist
-				if ldap.IsErrorWithCode(err, ldap.LDAPResultNoSuchObject) {
-					continue
-				}
-				if err != nil {
-					klog.Errorln(err)
-					api.HandleInternalError(resp, nil, err)
-					return
-				}
-				result = append(result, user)
-			}
-		}
-	}
-
-	resp.WriteEntity(result)
-}
-
-func (h *iamHandler) RulesMapping(req *restful.Request, resp *restful.Response) {
-	rules := policy.RoleRuleMapping
-	resp.WriteEntity(rules)
-}
-
-func (h *iamHandler) ClusterRulesMapping(req *restful.Request, resp *restful.Response) {
-	rules := policy.ClusterRoleRuleMapping
-	resp.WriteEntity(rules)
+	panic("implement me")
 }

 func (h *iamHandler) ListClusterRoleRules(req *restful.Request, resp *restful.Response) {
-	clusterRole := req.PathParameter("clusterrole")
-	rules, err := h.amOperator.GetClusterRoleSimpleRules(clusterRole)
-	if err != nil {
-		klog.Errorln(err)
-		api.HandleInternalError(resp, nil, err)
-		return
-	}
-	resp.WriteEntity(rules)
+	panic("implement me")
 }

 func (h *iamHandler) ListRoleRules(req *restful.Request, resp *restful.Response) {
-	namespace := req.PathParameter("namespace")
-	role := req.PathParameter("role")
-
-	rules, err := h.amOperator.GetRoleSimpleRules(namespace, role)
-
-	if err != nil {
-		klog.Errorln(err)
-		api.HandleInternalError(resp, nil, err)
-		return
-	}
-
-	resp.WriteEntity(rules)
+	panic("implement me")
 }

 func (h *iamHandler) ListWorkspaceRoles(request *restful.Request, response *restful.Response) {
--- a/pkg/kapis/iam/v1alpha2/register.go
+++ b/pkg/kapis/iam/v1alpha2/register.go
@@ -29,7 +29,6 @@ import (
 	"kubesphere.io/kubesphere/pkg/constants"
 	"kubesphere.io/kubesphere/pkg/informers"
 	"kubesphere.io/kubesphere/pkg/models"
-	"kubesphere.io/kubesphere/pkg/models/iam/policy"
 	"kubesphere.io/kubesphere/pkg/server/errors"
 	"kubesphere.io/kubesphere/pkg/simple/client/cache"
 	"kubesphere.io/kubesphere/pkg/simple/client/k8s"
@@ -124,29 +123,6 @@ func AddToContainer(c *restful.Container, k8sClient k8s.Client, factory informer
 		Param(ws.PathParameter("clusterrole", "cluster role name")).
 		Returns(http.StatusOK, api.StatusOK, []iamv1alpha2.ListUserResponse{}).
 		Metadata(restfulspec.KeyOpenAPITags, []string{constants.AccessManagementTag}))
-	ws.Route(ws.GET("/clusterroles/{clusterrole}/rules").
-		To(handler.ListClusterRoleRules).
-		Doc("List all policy rules of the specified cluster role.").
-		Param(ws.PathParameter("clusterrole", "cluster role name")).
-		Returns(http.StatusOK, api.StatusOK, []policy.SimpleRule{}).
-		Metadata(restfulspec.KeyOpenAPITags, []string{constants.AccessManagementTag}))
-	ws.Route(ws.GET("/namespaces/{namespace}/roles/{role}/rules").
-		To(handler.ListRoleRules).
-		Doc("List all policy rules of the specified role in the given namespace.").
-		Param(ws.PathParameter("namespace", "kubernetes namespace")).
-		Param(ws.PathParameter("role", "role name")).
-		Returns(http.StatusOK, api.StatusOK, []policy.SimpleRule{}).
-		Metadata(restfulspec.KeyOpenAPITags, []string{constants.AccessManagementTag}))
-	ws.Route(ws.GET("/rulesmapping/clusterroles").
-		To(handler.ClusterRulesMapping).
-		Doc("Get the mapping relationships between cluster roles and policy rules.").
-		Returns(http.StatusOK, api.StatusOK, policy.ClusterRoleRuleMapping).
-		Metadata(restfulspec.KeyOpenAPITags, []string{constants.AccessManagementTag}))
-	ws.Route(ws.GET("/rulesmapping/roles").
-		To(handler.RulesMapping).
-		Doc("Get the mapping relationships between namespaced roles and policy rules.").
-		Returns(http.StatusOK, api.StatusOK, policy.RoleRuleMapping).
-		Metadata(restfulspec.KeyOpenAPITags, []string{constants.AccessManagementTag}))

 	ws.Route(ws.GET("/workspaces/{workspace}/roles").
 		To(handler.ListWorkspaceRoles).