improve identity provider plugin
Signed-off-by: hongming <talonwan@yunify.com>
This commit is contained in:
hongming
@@ -1,51 +0,0 @@
|
||||
/*
|
||||
Copyright 2020 The KubeSphere Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package auth
|
||||
|
||||
import "fmt"
|
||||
|
||||
const (
|
||||
KindTokenReview = "TokenReview"
|
||||
)
|
||||
|
||||
type Spec struct {
|
||||
Token string `json:"token" description:"access token"`
|
||||
}
|
||||
|
||||
type Status struct {
|
||||
Authenticated bool `json:"authenticated" description:"is authenticated"`
|
||||
User map[string]interface{} `json:"user,omitempty" description:"user info"`
|
||||
}
|
||||
|
||||
type TokenReview struct {
|
||||
APIVersion string `json:"apiVersion" description:"Kubernetes API version"`
|
||||
Kind string `json:"kind" description:"kind of the API object"`
|
||||
Spec *Spec `json:"spec,omitempty"`
|
||||
Status *Status `json:"status,omitempty" description:"token review status"`
|
||||
}
|
||||
|
||||
type LoginRequest struct {
|
||||
Username string `json:"username" description:"username"`
|
||||
Password string `json:"password" description:"password"`
|
||||
}
|
||||
|
||||
func (request *TokenReview) Validate() error {
|
||||
if request.Spec == nil || request.Spec.Token == "" {
|
||||
return fmt.Errorf("token must not be null")
|
||||
}
|
||||
return nil
|
||||
}
|
||||
@@ -1,22 +0,0 @@
|
||||
/*
|
||||
Copyright 2020 The KubeSphere Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package iam
|
||||
|
||||
type PasswordReset struct {
|
||||
CurrentPassword string `json:"currentPassword"`
|
||||
Password string `json:"password"`
|
||||
}
|
||||
@@ -1,179 +0,0 @@
|
||||
/*
|
||||
Copyright 2018 The Kubernetes Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package v1
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"strings"
|
||||
|
||||
rbacv1 "k8s.io/api/rbac/v1"
|
||||
"k8s.io/apimachinery/pkg/runtime/schema"
|
||||
)
|
||||
|
||||
func RoleRefGroupKind(roleRef rbacv1.RoleRef) schema.GroupKind {
|
||||
return schema.GroupKind{Group: roleRef.APIGroup, Kind: roleRef.Kind}
|
||||
}
|
||||
|
||||
func VerbMatches(rule *rbacv1.PolicyRule, requestedVerb string) bool {
|
||||
for _, ruleVerb := range rule.Verbs {
|
||||
if ruleVerb == rbacv1.VerbAll {
|
||||
return true
|
||||
}
|
||||
if ruleVerb == requestedVerb {
|
||||
return true
|
||||
}
|
||||
}
|
||||
|
||||
return false
|
||||
}
|
||||
|
||||
func APIGroupMatches(rule *rbacv1.PolicyRule, requestedGroup string) bool {
|
||||
for _, ruleGroup := range rule.APIGroups {
|
||||
if ruleGroup == rbacv1.APIGroupAll {
|
||||
return true
|
||||
}
|
||||
if ruleGroup == requestedGroup {
|
||||
return true
|
||||
}
|
||||
}
|
||||
|
||||
return false
|
||||
}
|
||||
|
||||
func ResourceMatches(rule *rbacv1.PolicyRule, combinedRequestedResource, requestedSubresource string) bool {
|
||||
for _, ruleResource := range rule.Resources {
|
||||
// if everything is allowed, we match
|
||||
if ruleResource == rbacv1.ResourceAll {
|
||||
return true
|
||||
}
|
||||
// if we have an exact match, we match
|
||||
if ruleResource == combinedRequestedResource {
|
||||
return true
|
||||
}
|
||||
|
||||
// We can also match a */subresource.
|
||||
// if there isn't a subresource, then continue
|
||||
if len(requestedSubresource) == 0 {
|
||||
continue
|
||||
}
|
||||
// if the rule isn't in the format */subresource, then we don't match, continue
|
||||
if len(ruleResource) == len(requestedSubresource)+2 &&
|
||||
strings.HasPrefix(ruleResource, "*/") &&
|
||||
strings.HasSuffix(ruleResource, requestedSubresource) {
|
||||
return true
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
return false
|
||||
}
|
||||
|
||||
func ResourceNameMatches(rule *rbacv1.PolicyRule, requestedName string) bool {
|
||||
if len(rule.ResourceNames) == 0 {
|
||||
return true
|
||||
}
|
||||
|
||||
for _, ruleName := range rule.ResourceNames {
|
||||
if ruleName == requestedName {
|
||||
return true
|
||||
}
|
||||
}
|
||||
|
||||
return false
|
||||
}
|
||||
|
||||
func NonResourceURLMatches(rule *rbacv1.PolicyRule, requestedURL string) bool {
|
||||
for _, ruleURL := range rule.NonResourceURLs {
|
||||
if ruleURL == rbacv1.NonResourceAll {
|
||||
return true
|
||||
}
|
||||
if ruleURL == requestedURL {
|
||||
return true
|
||||
}
|
||||
if strings.HasSuffix(ruleURL, "*") && strings.HasPrefix(requestedURL, strings.TrimRight(ruleURL, "*")) {
|
||||
return true
|
||||
}
|
||||
}
|
||||
|
||||
return false
|
||||
}
|
||||
|
||||
// subjectsStrings returns users, groups, serviceaccounts, unknown for display purposes.
|
||||
func SubjectsStrings(subjects []rbacv1.Subject) ([]string, []string, []string, []string) {
|
||||
users := []string{}
|
||||
groups := []string{}
|
||||
sas := []string{}
|
||||
others := []string{}
|
||||
|
||||
for _, subject := range subjects {
|
||||
switch subject.Kind {
|
||||
case rbacv1.ServiceAccountKind:
|
||||
sas = append(sas, fmt.Sprintf("%s/%s", subject.Namespace, subject.Name))
|
||||
|
||||
case rbacv1.UserKind:
|
||||
users = append(users, subject.Name)
|
||||
|
||||
case rbacv1.GroupKind:
|
||||
groups = append(groups, subject.Name)
|
||||
|
||||
default:
|
||||
others = append(others, fmt.Sprintf("%s/%s/%s", subject.Kind, subject.Namespace, subject.Name))
|
||||
}
|
||||
}
|
||||
|
||||
return users, groups, sas, others
|
||||
}
|
||||
|
||||
func String(r rbacv1.PolicyRule) string {
|
||||
return "PolicyRule" + CompactString(r)
|
||||
}
|
||||
|
||||
// CompactString exposes a compact string representation for use in escalation error messages
|
||||
func CompactString(r rbacv1.PolicyRule) string {
|
||||
formatStringParts := []string{}
|
||||
formatArgs := []interface{}{}
|
||||
if len(r.APIGroups) > 0 {
|
||||
formatStringParts = append(formatStringParts, "APIGroups:%q")
|
||||
formatArgs = append(formatArgs, r.APIGroups)
|
||||
}
|
||||
if len(r.Resources) > 0 {
|
||||
formatStringParts = append(formatStringParts, "Resources:%q")
|
||||
formatArgs = append(formatArgs, r.Resources)
|
||||
}
|
||||
if len(r.NonResourceURLs) > 0 {
|
||||
formatStringParts = append(formatStringParts, "NonResourceURLs:%q")
|
||||
formatArgs = append(formatArgs, r.NonResourceURLs)
|
||||
}
|
||||
if len(r.ResourceNames) > 0 {
|
||||
formatStringParts = append(formatStringParts, "ResourceNames:%q")
|
||||
formatArgs = append(formatArgs, r.ResourceNames)
|
||||
}
|
||||
if len(r.Verbs) > 0 {
|
||||
formatStringParts = append(formatStringParts, "Verbs:%q")
|
||||
formatArgs = append(formatArgs, r.Verbs)
|
||||
}
|
||||
formatString := "{" + strings.Join(formatStringParts, ", ") + "}"
|
||||
return fmt.Sprintf(formatString, formatArgs...)
|
||||
}
|
||||
|
||||
type SortableRuleSlice []rbacv1.PolicyRule
|
||||
|
||||
func (s SortableRuleSlice) Len() int { return len(s) }
|
||||
func (s SortableRuleSlice) Swap(i, j int) { s[i], s[j] = s[j], s[i] }
|
||||
func (s SortableRuleSlice) Less(i, j int) bool {
|
||||
return strings.Compare(s[i].String(), s[j].String()) < 0
|
||||
}
|
||||
@@ -18,6 +18,7 @@ package api
|
||||
|
||||
import (
|
||||
"github.com/emicklei/go-restful"
|
||||
"k8s.io/apimachinery/pkg/api/errors"
|
||||
"k8s.io/klog"
|
||||
"net/http"
|
||||
"runtime"
|
||||
@@ -28,32 +29,49 @@ import (
|
||||
var sanitizer = strings.NewReplacer(`&`, "&", `<`, "<", `>`, ">")
|
||||
|
||||
func HandleInternalError(response *restful.Response, req *restful.Request, err error) {
|
||||
_, fn, line, _ := runtime.Caller(1)
|
||||
klog.Errorf("%s:%d %v", fn, line, err)
|
||||
http.Error(response, sanitizer.Replace(err.Error()), http.StatusInternalServerError)
|
||||
handle(http.StatusInternalServerError, response, req, err)
|
||||
}
|
||||
|
||||
// HandleBadRequest writes http.StatusBadRequest and log error
|
||||
func HandleBadRequest(response *restful.Response, req *restful.Request, err error) {
|
||||
_, fn, line, _ := runtime.Caller(1)
|
||||
klog.Errorf("%s:%d %v", fn, line, err)
|
||||
http.Error(response, sanitizer.Replace(err.Error()), http.StatusBadRequest)
|
||||
handle(http.StatusBadRequest, response, req, err)
|
||||
}
|
||||
|
||||
func HandleNotFound(response *restful.Response, req *restful.Request, err error) {
|
||||
_, fn, line, _ := runtime.Caller(1)
|
||||
klog.Errorf("%s:%d %v", fn, line, err)
|
||||
http.Error(response, sanitizer.Replace(err.Error()), http.StatusNotFound)
|
||||
handle(http.StatusNotFound, response, req, err)
|
||||
}
|
||||
|
||||
func HandleForbidden(response *restful.Response, req *restful.Request, err error) {
|
||||
_, fn, line, _ := runtime.Caller(1)
|
||||
klog.Errorf("%s:%d %v", fn, line, err)
|
||||
http.Error(response, sanitizer.Replace(err.Error()), http.StatusForbidden)
|
||||
handle(http.StatusForbidden, response, req, err)
|
||||
}
|
||||
|
||||
func HandleUnauthorized(response *restful.Response, req *restful.Request, err error) {
|
||||
handle(http.StatusUnauthorized, response, req, err)
|
||||
}
|
||||
|
||||
func HandleTooManyRequests(response *restful.Response, req *restful.Request, err error) {
|
||||
handle(http.StatusTooManyRequests, response, req, err)
|
||||
}
|
||||
|
||||
func HandleConflict(response *restful.Response, req *restful.Request, err error) {
|
||||
_, fn, line, _ := runtime.Caller(1)
|
||||
klog.Errorf("%s:%d %v", fn, line, err)
|
||||
http.Error(response, sanitizer.Replace(err.Error()), http.StatusConflict)
|
||||
handle(http.StatusConflict, response, req, err)
|
||||
}
|
||||
|
||||
func HandleError(response *restful.Response, req *restful.Request, err error) {
|
||||
var statusCode int
|
||||
switch t := err.(type) {
|
||||
case errors.APIStatus:
|
||||
statusCode = int(t.Status().Code)
|
||||
case restful.ServiceError:
|
||||
statusCode = t.Code
|
||||
default:
|
||||
statusCode = http.StatusInternalServerError
|
||||
}
|
||||
handle(statusCode, response, req, err)
|
||||
}
|
||||
|
||||
func handle(statusCode int, response *restful.Response, req *restful.Request, err error) {
|
||||
_, fn, line, _ := runtime.Caller(2)
|
||||
klog.Errorf("%s:%d %v", fn, line, err)
|
||||
http.Error(response, sanitizer.Replace(err.Error()), statusCode)
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user