code refactor (#1786)

* implement LDAP mock client Signed-off-by: hongming <talonwan@yunify.com> * update Signed-off-by: hongming <talonwan@yunify.com> * update Signed-off-by: hongming <talonwan@yunify.com> * resolve conflict Signed-off-by: hongming <talonwan@yunify.com>
2020-02-24 15:39:36 +08:00
parent 96aee0e60b
commit abf9fee845
39 changed files with 1338 additions and 2467 deletions
--- a/pkg/models/iam/am.go
+++ b/pkg/models/iam/am.go
@@ -18,8 +18,6 @@
 package iam

 import (
-	"fmt"
-	"github.com/go-ldap/ldap"
 	rbacv1 "k8s.io/api/rbac/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -38,9 +36,6 @@ import (
 	"kubesphere.io/kubesphere/pkg/server/params"
 	"kubesphere.io/kubesphere/pkg/simple/client"
 	"kubesphere.io/kubesphere/pkg/utils/k8sutil"
-	"kubesphere.io/kubesphere/pkg/utils/sliceutil"
-	"sort"
-	"strings"
 )

 const (
@@ -50,9 +45,21 @@ const (
 )

 type AccessManagementInterface interface {
-	GetDevopsRoleSimpleRules(role string) []SimpleRule
+	GetClusterRole(username string) (*rbacv1.ClusterRole, error)
+	UnBindAllRoles(username string) error
 	ListRoleBindings(namespace string, role string) ([]*rbacv1.RoleBinding, error)
 	CreateClusterRoleBinding(username string, clusterRole string) error
+	ListRoles(namespace string, conditions *params.Conditions, orderBy string, reverse bool, limit int, offset int) (*models.PageableResponse, error)
+	ListClusterRoles(conditions *params.Conditions, orderBy string, reverse bool, limit int, offset int) (*models.PageableResponse, error)
+	ListClusterRoleBindings(clusterRole string) ([]*rbacv1.ClusterRoleBinding, error)
+	GetClusterRoleSimpleRules(clusterRole string) ([]SimpleRule, error)
+	GetRoleSimpleRules(namespace string, role string) ([]SimpleRule, error)
+	GetRoles(namespace, username string) ([]*rbacv1.Role, error)
+	GetClusterPolicyRules(username string) ([]rbacv1.PolicyRule, error)
+	GetPolicyRules(namespace, username string) ([]rbacv1.PolicyRule, error)
+	GetWorkspaceRoleSimpleRules(workspace, roleName string) []SimpleRule
+	GetWorkspaceRole(workspace, username string) (*rbacv1.ClusterRole, error)
+	GetWorkspaceRoleMap(username string) (map[string]string, error)
 }

 type amOperator struct {
@@ -60,7 +67,31 @@ type amOperator struct {
 	resources resource.ResourceGetter
 }

-func newAMOperator(informers informers.SharedInformerFactory) AccessManagementInterface {
+func (am *amOperator) ListClusterRoleBindings(clusterRole string) ([]*rbacv1.ClusterRoleBinding, error) {
+	panic("implement me")
+}
+
+func (am *amOperator) GetRoles(namespace, username string) ([]*rbacv1.Role, error) {
+	panic("implement me")
+}
+
+func (am *amOperator) GetClusterPolicyRules(username string) ([]rbacv1.PolicyRule, error) {
+	panic("implement me")
+}
+
+func (am *amOperator) GetPolicyRules(namespace, username string) ([]rbacv1.PolicyRule, error) {
+	panic("implement me")
+}
+
+func (am *amOperator) GetWorkspaceRole(workspace, username string) (*rbacv1.ClusterRole, error) {
+	panic("implement me")
+}
+
+func (am *amOperator) UnBindAllRoles(username string) error {
+	panic("implement me")
+}
+
+func NewAMOperator(informers informers.SharedInformerFactory) *amOperator {
 	resourceGetter := resource.ResourceGetter{}
 	resourceGetter.Add(v1alpha2.Role, role.NewRoleSearcher(informers))
 	resourceGetter.Add(v1alpha2.ClusterRoles, clusterrole.NewClusterRoleSearcher(informers))
@@ -198,7 +229,7 @@ func (am *amOperator) GetUserClusterRoles(username string) (*rbacv1.ClusterRole,
 	return userFacingClusterRole, clusterRoles, nil
 }

-func (am *amOperator) GetUserClusterRole(username string) (*rbacv1.ClusterRole, error) {
+func (am *amOperator) GetClusterRole(username string) (*rbacv1.ClusterRole, error) {
 	userFacingClusterRole, _, err := am.GetUserClusterRoles(username)
 	if err != nil {
 		return nil, err
@@ -256,15 +287,15 @@ func (am *amOperator) GetWorkspaceRoleBindings(workspace string) ([]*rbacv1.Clus
 	return result, nil
 }

-func (am *amOperator) GetWorkspaceRole(workspace, role string) (*rbacv1.ClusterRole, error) {
-	if !sliceutil.HasString(constants.WorkSpaceRoles, role) {
-		return nil, apierrors.NewNotFound(schema.GroupResource{Resource: "workspace role"}, role)
-	}
-	role = fmt.Sprintf("workspace:%s:%s", workspace, strings.TrimPrefix(role, "workspace-"))
-	return am.informers.Rbac().V1().ClusterRoles().Lister().Get(role)
-}
+//func (am *amOperator) GetWorkspaceRole(workspace, role string) (*rbacv1.ClusterRole, error) {
+//	if !sliceutil.HasString(constants.WorkSpaceRoles, role) {
+//		return nil, apierrors.NewNotFound(schema.GroupResource{Resource: "workspace role"}, role)
+//	}
+//	role = fmt.Sprintf("workspace:%s:%s", workspace, strings.TrimPrefix(role, "workspace-"))
+//	return am.informers.Rbac().V1().ClusterRoles().Lister().Get(role)
+//}

-func (am *amOperator) GetUserWorkspaceRoleMap(username string) (map[string]string, error) {
+func (am *amOperator) GetWorkspaceRoleMap(username string) (map[string]string, error) {

 	clusterRoleBindings, err := am.informers.Rbac().V1().ClusterRoleBindings().Lister().List(labels.Everything())

@@ -286,7 +317,7 @@ func (am *amOperator) GetUserWorkspaceRoleMap(username string) (map[string]strin
 }

 func (am *amOperator) GetUserWorkspaceRole(workspace, username string) (*rbacv1.ClusterRole, error) {
-	workspaceRoleMap, err := am.GetUserWorkspaceRoleMap(username)
+	workspaceRoleMap, err := am.GetWorkspaceRoleMap(username)

 	if err != nil {
 		return nil, err
@@ -341,55 +372,6 @@ func (am *amOperator) GetClusterRoleBindings(clusterRoleName string) ([]*rbacv1.
 	return items, nil
 }

-func (am *amOperator) ListClusterRoleUsers(clusterRoleName string, conditions *params.Conditions, orderBy string, reverse bool, limit, offset int) (*models.PageableResponse, error) {
-
-	roleBindings, err := am.GetClusterRoleBindings(clusterRoleName)
-
-	if err != nil {
-		return nil, err
-	}
-	users := make([]*User, 0)
-	for _, roleBinding := range roleBindings {
-		for _, subject := range roleBinding.Subjects {
-			if subject.Kind == rbacv1.UserKind && !k8sutil.ContainsUser(users, subject.Name) {
-				user, err := GetUserInfo(subject.Name)
-				if ldap.IsErrorWithCode(err, ldap.LDAPResultNoSuchObject) {
-					continue
-				}
-				if err != nil {
-					klog.Errorln(err)
-					return nil, err
-				}
-				users = append(users, user)
-			}
-		}
-	}
-
-	// order & reverse
-	sort.Slice(users, func(i, j int) bool {
-		if reverse {
-			i, j = j, i
-		}
-		switch orderBy {
-		default:
-			fallthrough
-		case v1alpha2.Name:
-			return strings.Compare(users[i].Username, users[j].Username) <= 0
-		}
-	})
-
-	result := make([]interface{}, 0)
-
-	for i, d := range users {
-		if i >= offset && (limit == -1 || len(result) < limit) {
-			result = append(result, d)
-		}
-	}
-
-	return &models.PageableResponse{Items: result, TotalCount: len(users)}, nil
-
-}
-
 func (am *amOperator) ListRoles(namespace string, conditions *params.Conditions, orderBy string, reverse bool, limit, offset int) (*models.PageableResponse, error) {
 	return am.resources.ListResources(namespace, v1alpha2.Roles, conditions, orderBy, reverse, limit, offset)
 }
@@ -431,92 +413,6 @@ func (am *amOperator) ListClusterRoles(conditions *params.Conditions, orderBy st
 	return am.resources.ListResources("", v1alpha2.ClusterRoles, conditions, orderBy, reverse, limit, offset)
 }

-func (am *amOperator) NamespaceUsers(namespaceName string) ([]*User, error) {
-	namespace, err := am.informers.Core().V1().Namespaces().Lister().Get(namespaceName)
-	if err != nil {
-		klog.Errorln(err)
-		return nil, err
-	}
-	roleBindings, err := am.GetRoleBindings(namespaceName, "")
-
-	if err != nil {
-		return nil, err
-	}
-
-	users := make([]*User, 0)
-
-	for _, roleBinding := range roleBindings {
-		// controlled by ks-controller-manager
-		if roleBinding.Name == NamespaceViewerRoleBindName {
-			continue
-		}
-		for _, subject := range roleBinding.Subjects {
-			if subject.Kind == rbacv1.UserKind && !k8sutil.ContainsUser(users, subject.Name) {
-
-				// show creator
-				if roleBinding.Name == NamespaceAdminRoleBindName && subject.Name != namespace.Annotations[constants.CreatorAnnotationKey] {
-					continue
-				}
-
-				user, err := GetUserInfo(subject.Name)
-
-				if err != nil {
-					if ldap.IsErrorWithCode(err, ldap.LDAPResultNoSuchObject) {
-						continue
-					}
-					return nil, err
-				}
-
-				user.Role = roleBinding.RoleRef.Name
-				user.RoleBindTime = &roleBinding.CreationTimestamp.Time
-				user.RoleBinding = roleBinding.Name
-				users = append(users, user)
-			}
-		}
-	}
-
-	return users, nil
-}
-
-func (am *amOperator) GetUserWorkspaceSimpleRules(workspace, username string) ([]SimpleRule, error) {
-	clusterRules, err := am.GetUserClusterRules(username)
-	if err != nil {
-		return nil, err
-	}
-
-	// cluster-admin
-	if RulesMatchesRequired(clusterRules, rbacv1.PolicyRule{
-		Verbs:     []string{"*"},
-		APIGroups: []string{"*"},
-		Resources: []string{"*"},
-	}) {
-		return am.GetWorkspaceRoleSimpleRules(workspace, constants.WorkspaceAdmin), nil
-	}
-
-	workspaceRole, err := am.GetUserWorkspaceRole(workspace, username)
-
-	if err != nil {
-		if apierrors.IsNotFound(err) {
-
-			// workspaces-manager
-			if RulesMatchesRequired(clusterRules, rbacv1.PolicyRule{
-				Verbs:     []string{"*"},
-				APIGroups: []string{"*"},
-				Resources: []string{"workspaces", "workspaces/*"},
-			}) {
-				return am.GetWorkspaceRoleSimpleRules(workspace, constants.WorkspacesManager), nil
-			}
-
-			return []SimpleRule{}, nil
-		}
-
-		klog.Error(err)
-		return nil, err
-	}
-
-	return am.GetWorkspaceRoleSimpleRules(workspace, workspaceRole.Annotations[constants.DisplayNameAnnotationKey]), nil
-}
-
 func (am *amOperator) GetWorkspaceRoleSimpleRules(workspace, roleName string) []SimpleRule {

 	workspaceRules := make([]SimpleRule, 0)
@@ -583,20 +479,6 @@ func (am *amOperator) GetUserClusterSimpleRules(username string) ([]SimpleRule,
 	return getClusterSimpleRule(clusterRules), nil
 }

-func (am *amOperator) GetUserNamespaceSimpleRules(namespace, username string) ([]SimpleRule, error) {
-	clusterRules, err := am.GetUserClusterRules(username)
-	if err != nil {
-		return nil, err
-	}
-	rules, err := am.GetUserRules(namespace, username)
-	if err != nil {
-		return nil, err
-	}
-	rules = append(rules, clusterRules...)
-
-	return getSimpleRule(rules), nil
-}
-
 // Convert roles to rules
 func (am *amOperator) GetRoleSimpleRules(namespace string, roleName string) ([]SimpleRule, error) {

@@ -608,7 +490,7 @@ func (am *amOperator) GetRoleSimpleRules(namespace string, roleName string) ([]S
 		return nil, err
 	}

-	return getSimpleRule(role.Rules), nil
+	return ConvertToSimpleRule(role.Rules), nil
 }

 func getClusterSimpleRule(policyRules []rbacv1.PolicyRule) []SimpleRule {
@@ -629,7 +511,7 @@ func getClusterSimpleRule(policyRules []rbacv1.PolicyRule) []SimpleRule {
 	return rules
 }

-func getSimpleRule(policyRules []rbacv1.PolicyRule) []SimpleRule {
+func ConvertToSimpleRule(policyRules []rbacv1.PolicyRule) []SimpleRule {
 	simpleRules := make([]SimpleRule, 0)
 	for i := 0; i < len(policy.RoleRuleMapping); i++ {
 		rule := SimpleRule{Name: policy.RoleRuleMapping[i].Name}