KubeSphere CI Bot
@@ -18,6 +18,10 @@ package loginrecord
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"reflect"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"k8s.io/apimachinery/pkg/runtime"
|
||||
"k8s.io/apimachinery/pkg/runtime/schema"
|
||||
"k8s.io/apimachinery/pkg/util/diff"
|
||||
@@ -29,9 +33,6 @@ import (
|
||||
iamv1alpha2 "kubesphere.io/kubesphere/pkg/apis/iam/v1alpha2"
|
||||
"kubesphere.io/kubesphere/pkg/client/clientset/versioned/fake"
|
||||
ksinformers "kubesphere.io/kubesphere/pkg/client/informers/externalversions"
|
||||
"reflect"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
)
|
||||
@@ -228,6 +229,12 @@ func checkAction(expected, actual core.Action, t *testing.T) {
|
||||
func filterInformerActions(actions []core.Action) []core.Action {
|
||||
var ret []core.Action
|
||||
for _, action := range actions {
|
||||
if len(action.GetNamespace()) == 0 &&
|
||||
(action.Matches("list", "users") ||
|
||||
action.Matches("watch", "users") ||
|
||||
action.Matches("get", "users")) {
|
||||
continue
|
||||
}
|
||||
ret = append(ret, action)
|
||||
}
|
||||
|
||||
|
||||
@@ -18,10 +18,11 @@ package v1alpha2
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"strings"
|
||||
|
||||
authuser "k8s.io/apiserver/pkg/authentication/user"
|
||||
"kubesphere.io/kubesphere/pkg/apiserver/request"
|
||||
"kubesphere.io/kubesphere/pkg/models/auth"
|
||||
"strings"
|
||||
|
||||
"github.com/emicklei/go-restful"
|
||||
rbacv1 "k8s.io/api/rbac/v1"
|
||||
@@ -1344,9 +1345,8 @@ func (h *iamHandler) PatchGroup(request *restful.Request, response *restful.Resp
|
||||
|
||||
func (h *iamHandler) ListGroupBindings(request *restful.Request, response *restful.Response) {
|
||||
workspaceName := request.PathParameter("workspace")
|
||||
groupName := request.PathParameter("group")
|
||||
queryParam := query.ParseQueryParameter(request)
|
||||
result, err := h.group.ListGroupBindings(workspaceName, groupName, queryParam)
|
||||
result, err := h.group.ListGroupBindings(workspaceName, queryParam)
|
||||
if err != nil {
|
||||
api.HandleError(response, request, err)
|
||||
return
|
||||
@@ -1357,20 +1357,8 @@ func (h *iamHandler) ListGroupBindings(request *restful.Request, response *restf
|
||||
|
||||
func (h *iamHandler) ListGroupRoleBindings(request *restful.Request, response *restful.Response) {
|
||||
workspaceName := request.PathParameter("workspace")
|
||||
groupName := request.PathParameter("group")
|
||||
result, err := h.am.ListGroupRoleBindings(workspaceName, groupName)
|
||||
if err != nil {
|
||||
api.HandleInternalError(response, request, err)
|
||||
return
|
||||
}
|
||||
|
||||
response.WriteEntity(result)
|
||||
}
|
||||
|
||||
func (h *iamHandler) ListGroupDevOpsRoleBindings(request *restful.Request, response *restful.Response) {
|
||||
workspaceName := request.PathParameter("workspace")
|
||||
groupName := request.PathParameter("group")
|
||||
result, err := h.am.ListGroupDevOpsRoleBindings(workspaceName, groupName)
|
||||
queryParam := query.ParseQueryParameter(request)
|
||||
result, err := h.am.ListGroupRoleBindings(workspaceName, queryParam)
|
||||
if err != nil {
|
||||
api.HandleInternalError(response, request, err)
|
||||
return
|
||||
@@ -1416,8 +1404,8 @@ func (h *iamHandler) DeleteRoleBinding(request *restful.Request, response *restf
|
||||
|
||||
func (h *iamHandler) ListGroupWorkspaceRoleBindings(request *restful.Request, response *restful.Response) {
|
||||
workspaceName := request.PathParameter("workspace")
|
||||
groupName := request.PathParameter("group")
|
||||
result, err := h.am.ListGroupWorkspaceRoleBindings(workspaceName, groupName)
|
||||
queryParam := query.ParseQueryParameter(request)
|
||||
result, err := h.am.ListGroupWorkspaceRoleBindings(workspaceName, queryParam)
|
||||
if err != nil {
|
||||
api.HandleInternalError(response, request, err)
|
||||
return
|
||||
|
||||
@@ -17,9 +17,10 @@ limitations under the License.
|
||||
package v1alpha2
|
||||
|
||||
import (
|
||||
"kubesphere.io/kubesphere/pkg/apiserver/authorization/authorizer"
|
||||
"net/http"
|
||||
|
||||
"kubesphere.io/kubesphere/pkg/apiserver/authorization/authorizer"
|
||||
|
||||
"github.com/emicklei/go-restful"
|
||||
restfulspec "github.com/emicklei/go-restful-openapi"
|
||||
rbacv1 "k8s.io/api/rbac/v1"
|
||||
@@ -518,7 +519,15 @@ func AddToContainer(container *restful.Container, im im.IdentityManagementInterf
|
||||
Returns(http.StatusOK, api.StatusOK, iamv1alpha2.Group{}).
|
||||
Metadata(restfulspec.KeyOpenAPITags, []string{constants.GroupTag}))
|
||||
|
||||
ws.Route(ws.GET("/workspaces/{workspace}/groups/{group}/groupbindings").
|
||||
ws.Route(ws.PATCH("/workspaces/{workspace}/groups/{group}/").
|
||||
To(handler.PatchGroup).
|
||||
Param(ws.PathParameter("workspace", "workspace name")).
|
||||
Doc("Patch Group").
|
||||
Reads(iamv1alpha2.Group{}).
|
||||
Returns(http.StatusOK, api.StatusOK, iamv1alpha2.Group{}).
|
||||
Metadata(restfulspec.KeyOpenAPITags, []string{constants.GroupTag}))
|
||||
|
||||
ws.Route(ws.GET("/workspaces/{workspace}/groupbindings").
|
||||
To(handler.ListGroupBindings).
|
||||
Param(ws.PathParameter("workspace", "workspace name")).
|
||||
Param(ws.PathParameter("group", "group name")).
|
||||
@@ -526,7 +535,7 @@ func AddToContainer(container *restful.Container, im im.IdentityManagementInterf
|
||||
Returns(http.StatusOK, api.StatusOK, api.ListResult{}).
|
||||
Metadata(restfulspec.KeyOpenAPITags, []string{constants.GroupTag}))
|
||||
|
||||
ws.Route(ws.GET("/workspaces/{workspace}/groups/{group}/rolebindings").
|
||||
ws.Route(ws.GET("/workspaces/{workspace}/rolebindings").
|
||||
To(handler.ListGroupRoleBindings).
|
||||
Param(ws.PathParameter("workspace", "workspace name")).
|
||||
Param(ws.PathParameter("group", "group name")).
|
||||
@@ -534,7 +543,7 @@ func AddToContainer(container *restful.Container, im im.IdentityManagementInterf
|
||||
Returns(http.StatusOK, api.StatusOK, api.ListResult{}).
|
||||
Metadata(restfulspec.KeyOpenAPITags, []string{constants.GroupTag}))
|
||||
|
||||
ws.Route(ws.GET("/workspaces/{workspace}/groups/{group}/workspacerolebindings").
|
||||
ws.Route(ws.GET("/workspaces/{workspace}/workspacerolebindings").
|
||||
To(handler.ListGroupWorkspaceRoleBindings).
|
||||
Param(ws.PathParameter("workspace", "workspace name")).
|
||||
Param(ws.PathParameter("group", "group name")).
|
||||
@@ -542,14 +551,6 @@ func AddToContainer(container *restful.Container, im im.IdentityManagementInterf
|
||||
Returns(http.StatusOK, api.StatusOK, api.ListResult{}).
|
||||
Metadata(restfulspec.KeyOpenAPITags, []string{constants.GroupTag}))
|
||||
|
||||
ws.Route(ws.GET("/workspaces/{workspace}/groups/{group}/devopsrolebindings").
|
||||
To(handler.ListGroupDevOpsRoleBindings).
|
||||
Param(ws.PathParameter("workspace", "workspace name")).
|
||||
Param(ws.PathParameter("group", "group name")).
|
||||
Doc("Retrieve group's rolebindings of all devops projects in the workspace.").
|
||||
Returns(http.StatusOK, api.StatusOK, api.ListResult{}).
|
||||
Metadata(restfulspec.KeyOpenAPITags, []string{constants.GroupTag}))
|
||||
|
||||
ws.Route(ws.DELETE("/workspaces/{workspace}/groupbindings/{groupbinding}").
|
||||
To(handler.DeleteGroupBinding).
|
||||
Param(ws.PathParameter("workspace", "workspace name")).
|
||||
|
||||
@@ -18,6 +18,7 @@ package am
|
||||
import (
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
|
||||
rbacv1 "k8s.io/api/rbac/v1"
|
||||
"k8s.io/apimachinery/pkg/api/errors"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
@@ -85,11 +86,10 @@ type AccessManagementInterface interface {
|
||||
GetDevOpsControlledWorkspace(devops string) (string, error)
|
||||
PatchNamespaceRole(namespace string, role *rbacv1.Role) (*rbacv1.Role, error)
|
||||
PatchClusterRole(clusterRole *rbacv1.ClusterRole) (*rbacv1.ClusterRole, error)
|
||||
ListGroupRoleBindings(workspace, group string) ([]*rbacv1.RoleBinding, error)
|
||||
ListGroupDevOpsRoleBindings(workspace, group string) ([]*rbacv1.RoleBinding, error)
|
||||
ListGroupRoleBindings(workspace string, query *query.Query) ([]*rbacv1.RoleBinding, error)
|
||||
CreateRoleBinding(namespace string, roleBinding *rbacv1.RoleBinding) (*rbacv1.RoleBinding, error)
|
||||
DeleteRoleBinding(namespace, name string) error
|
||||
ListGroupWorkspaceRoleBindings(group string, workspace string) ([]*iamv1alpha2.WorkspaceRoleBinding, error)
|
||||
ListGroupWorkspaceRoleBindings(workspace string, query *query.Query) (*api.ListResult, error)
|
||||
CreateWorkspaceRoleBinding(workspace string, roleBinding *iamv1alpha2.WorkspaceRoleBinding) (*iamv1alpha2.WorkspaceRoleBinding, error)
|
||||
DeleteWorkspaceRoleBinding(workspaceName, name string) error
|
||||
}
|
||||
@@ -1017,24 +1017,17 @@ func (am *amOperator) GetNamespaceControlledWorkspace(namespace string) (string,
|
||||
return ns.Labels[tenantv1alpha1.WorkspaceLabel], nil
|
||||
}
|
||||
|
||||
func (am *amOperator) ListGroupWorkspaceRoleBindings(workspace, group string) ([]*iamv1alpha2.WorkspaceRoleBinding, error) {
|
||||
queryParam := query.New()
|
||||
queryParam.LabelSelector = labels.FormatLabels(map[string]string{tenantv1alpha1.WorkspaceLabel: workspace})
|
||||
roleBindings, err := am.workspaceRoleBindingGetter.List("", queryParam)
|
||||
func (am *amOperator) ListGroupWorkspaceRoleBindings(workspace string, query *query.Query) (*api.ListResult, error) {
|
||||
|
||||
lableSelector, err := labels.ConvertSelectorToLabelsMap(query.LabelSelector)
|
||||
if err != nil {
|
||||
klog.Error(err)
|
||||
return nil, err
|
||||
}
|
||||
|
||||
result := make([]*iamv1alpha2.WorkspaceRoleBinding, 0)
|
||||
for _, obj := range roleBindings.Items {
|
||||
roleBinding := obj.(*iamv1alpha2.WorkspaceRoleBinding)
|
||||
inSpecifiedWorkspace := workspace == "" || roleBinding.Labels[tenantv1alpha1.WorkspaceLabel] == workspace
|
||||
if containsGroup(roleBinding.Subjects, group) && inSpecifiedWorkspace {
|
||||
result = append(result, roleBinding)
|
||||
}
|
||||
}
|
||||
|
||||
return result, nil
|
||||
// workspace resources must be filtered by workspace
|
||||
wsSelector := labels.Set{tenantv1alpha1.WorkspaceLabel: workspace}
|
||||
query.LabelSelector = labels.Merge(lableSelector, wsSelector).String()
|
||||
return am.workspaceRoleBindingGetter.List("", query)
|
||||
}
|
||||
|
||||
func (am *amOperator) CreateWorkspaceRoleBinding(workspace string, roleBinding *iamv1alpha2.WorkspaceRoleBinding) (*iamv1alpha2.WorkspaceRoleBinding, error) {
|
||||
@@ -1071,14 +1064,14 @@ func (am *amOperator) DeleteWorkspaceRoleBinding(workspaceName, name string) err
|
||||
return am.ksclient.IamV1alpha2().WorkspaceRoleBindings().Delete(name, metav1.NewDeleteOptions(0))
|
||||
}
|
||||
|
||||
func (am *amOperator) ListGroupRoleBindings(workspace, group string) ([]*rbacv1.RoleBinding, error) {
|
||||
func (am *amOperator) ListGroupRoleBindings(workspace string, query *query.Query) ([]*rbacv1.RoleBinding, error) {
|
||||
namespaces, err := am.namespaceLister.List(labels.SelectorFromSet(labels.Set{tenantv1alpha1.WorkspaceLabel: workspace}))
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
result := make([]*rbacv1.RoleBinding, 0)
|
||||
for _, namespace := range namespaces {
|
||||
roleBindings, err := am.roleBindingGetter.List(namespace.Name, query.New())
|
||||
roleBindings, err := am.roleBindingGetter.List(namespace.Name, query)
|
||||
if err != nil {
|
||||
klog.Error(err)
|
||||
return nil, err
|
||||
@@ -1086,31 +1079,22 @@ func (am *amOperator) ListGroupRoleBindings(workspace, group string) ([]*rbacv1.
|
||||
|
||||
for _, obj := range roleBindings.Items {
|
||||
roleBinding := obj.(*rbacv1.RoleBinding)
|
||||
if containsGroup(roleBinding.Subjects, group) {
|
||||
result = append(result, roleBinding)
|
||||
}
|
||||
result = append(result, roleBinding)
|
||||
}
|
||||
}
|
||||
return result, nil
|
||||
}
|
||||
|
||||
func (am *amOperator) ListGroupDevOpsRoleBindings(workspace, group string) ([]*rbacv1.RoleBinding, error) {
|
||||
devOpsProjects, err := am.devopsProjectLister.List(labels.SelectorFromSet(labels.Set{tenantv1alpha1.WorkspaceLabel: workspace}))
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
result := make([]*rbacv1.RoleBinding, 0)
|
||||
for _, devOpsProject := range devOpsProjects {
|
||||
roleBindings, err := am.roleBindingGetter.List(devOpsProject.Name, query.New())
|
||||
roleBindings, err := am.roleBindingGetter.List(devOpsProject.Name, query)
|
||||
if err != nil {
|
||||
klog.Error(err)
|
||||
return nil, err
|
||||
}
|
||||
for _, obj := range roleBindings.Items {
|
||||
roleBinding := obj.(*rbacv1.RoleBinding)
|
||||
if containsGroup(roleBinding.Subjects, group) {
|
||||
result = append(result, roleBinding)
|
||||
}
|
||||
result = append(result, roleBinding)
|
||||
}
|
||||
}
|
||||
return result, nil
|
||||
@@ -1147,12 +1131,3 @@ func (am *amOperator) CreateRoleBinding(namespace string, roleBinding *rbacv1.Ro
|
||||
func (am *amOperator) DeleteRoleBinding(namespace, name string) error {
|
||||
return am.k8sclient.RbacV1().RoleBindings(namespace).Delete(name, metav1.NewDeleteOptions(0))
|
||||
}
|
||||
|
||||
func containsGroup(subjects []rbacv1.Subject, group string) bool {
|
||||
for _, subject := range subjects {
|
||||
if subject.Kind == rbacv1.GroupKind && subject.Name == group {
|
||||
return true
|
||||
}
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
@@ -23,6 +23,7 @@ import (
|
||||
corev1 "k8s.io/api/core/v1"
|
||||
"k8s.io/apimachinery/pkg/api/errors"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/labels"
|
||||
"k8s.io/apimachinery/pkg/types"
|
||||
"k8s.io/apimachinery/pkg/util/validation/field"
|
||||
"k8s.io/client-go/kubernetes"
|
||||
@@ -45,7 +46,7 @@ type GroupOperator interface {
|
||||
PatchGroup(workspace string, group *iamv1alpha2.Group) (*iamv1alpha2.Group, error)
|
||||
DeleteGroupBinding(workspace, name string) error
|
||||
CreateGroupBinding(workspace, groupName, userName string) (*iamv1alpha2.GroupBinding, error)
|
||||
ListGroupBindings(workspace, group string, queryParam *query.Query) (*api.ListResult, error)
|
||||
ListGroupBindings(workspace string, queryParam *query.Query) (*api.ListResult, error)
|
||||
}
|
||||
|
||||
type groupOperator struct {
|
||||
@@ -200,14 +201,18 @@ func (t *groupOperator) CreateGroupBinding(workspace, groupName, userName string
|
||||
return t.ksclient.IamV1alpha2().GroupBindings().Create(&groupBinding)
|
||||
}
|
||||
|
||||
func (t *groupOperator) ListGroupBindings(workspace, group string, queryParam *query.Query) (*api.ListResult, error) {
|
||||
func (t *groupOperator) ListGroupBindings(workspace string, query *query.Query) (*api.ListResult, error) {
|
||||
|
||||
if group != "" && workspace != "" {
|
||||
// filter by group
|
||||
queryParam.Filters[query.FieldLabel] = query.Value(fmt.Sprintf("%s=%s", iamv1alpha2.GroupReferenceLabel, group))
|
||||
lableSelector, err := labels.ConvertSelectorToLabelsMap(query.LabelSelector)
|
||||
if err != nil {
|
||||
klog.Error(err)
|
||||
return nil, err
|
||||
}
|
||||
// workspace resources must be filtered by workspace
|
||||
wsSelector := labels.Set{tenantv1alpha1.WorkspaceLabel: workspace}
|
||||
query.LabelSelector = labels.Merge(lableSelector, wsSelector).String()
|
||||
|
||||
result, err := t.resourceGetter.List("groupbindings", "", queryParam)
|
||||
result, err := t.resourceGetter.List("groupbindings", "", query)
|
||||
if err != nil {
|
||||
klog.Error(err)
|
||||
return nil, err
|
||||
|
||||
Reference in New Issue
Block a user