17 package selfsubjectaccessreview
18
19 import (
20 "context"
21 "fmt"
22
23 apierrors "k8s.io/apimachinery/pkg/api/errors"
24 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
25 "k8s.io/apimachinery/pkg/runtime"
26 "k8s.io/apiserver/pkg/authorization/authorizer"
27 genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
28 "k8s.io/apiserver/pkg/registry/rest"
29 authorizationapi "k8s.io/kubernetes/pkg/apis/authorization"
30 authorizationvalidation "k8s.io/kubernetes/pkg/apis/authorization/validation"
31 authorizationutil "k8s.io/kubernetes/pkg/registry/authorization/util"
32 )
33
// REST implements the selfsubjectaccessreview endpoint. It holds no state
// beyond the authorizer it consults; each review is evaluated on the fly in
// Create and nothing is persisted.
type REST struct {
	// authorizer answers the access question posed by each review. It is
	// supplied by the caller of NewREST and is not closed by this type.
	authorizer authorizer.Authorizer
}
37
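// NewREST returns a REST storage that evaluates SelfSubjectAccessReviews with
// the given authorizer.
//
// The parameter name shadows the authorizer package inside this function, so
// the package cannot be referenced from the body; the field is set by name so
// the literal stays correct if REST ever gains additional fields.
func NewREST(authorizer authorizer.Authorizer) *REST {
	return &REST{authorizer: authorizer}
}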
41
// NamespaceScoped reports that SelfSubjectAccessReview is a cluster-scoped
// resource: a review is evaluated for the requesting user, not stored under a
// namespace.
func (r *REST) NamespaceScoped() bool {
	return false
}
45
// New returns an empty SelfSubjectAccessReview, the object type this storage
// accepts in Create.
func (r *REST) New() runtime.Object {
	return &authorizationapi.SelfSubjectAccessReview{}
}
49
50
// Destroy is the rest.Storage shutdown hook. REST owns no resources of its
// own, so there is nothing to release here.
func (r *REST) Destroy() {
	// Intentionally empty: the authorizer was supplied by the caller of
	// NewREST and is not shut down by this type.
}
55
// Compile-time check that *REST satisfies rest.SingularNameProvider.
var _ rest.SingularNameProvider = (*REST)(nil)
57
// GetSingularName returns the singular form of the resource name, satisfying
// rest.SingularNameProvider.
func (r *REST) GetSingularName() string {
	return "selfsubjectaccessreview"
}
61
// Create evaluates a SelfSubjectAccessReview for the user making the request
// and returns the same object with Status filled in. Nothing is persisted.
//
// The subject is always the authenticated user taken from ctx; the spec cannot
// name a different user, which is what distinguishes a self review from a
// SubjectAccessReview. An error from the authorizer itself does not fail the
// request: it is reported in Status.EvaluationError, and a decision of
// "no opinion" leaves both Allowed and Denied false.
//
// Checks run in a fixed order: type assertion, field validation, user lookup,
// createValidation, then authorization. Field validation is what guarantees
// exactly one of Spec.ResourceAttributes / Spec.NonResourceAttributes is set,
// which the dereference further down relies on.
func (r *REST) Create(ctx context.Context, obj runtime.Object, createValidation rest.ValidateObjectFunc, options *metav1.CreateOptions) (runtime.Object, error) {
	review, isReview := obj.(*authorizationapi.SelfSubjectAccessReview)
	if !isReview {
		return nil, apierrors.NewBadRequest(fmt.Sprintf("not a SelfSubjectAccessReview: %#v", obj))
	}
	if fieldErrs := authorizationvalidation.ValidateSelfSubjectAccessReview(review); len(fieldErrs) != 0 {
		return nil, apierrors.NewInvalid(authorizationapi.Kind(review.Kind), "", fieldErrs)
	}
	// An unauthenticated request has no subject to evaluate and is rejected
	// rather than being evaluated as an anonymous user.
	requester, hasUser := genericapirequest.UserFrom(ctx)
	if !hasUser {
		return nil, apierrors.NewBadRequest("no user present on request")
	}

	// createValidation receives a deep copy so it cannot alter the object
	// that is evaluated and returned below.
	if createValidation != nil {
		if err := createValidation(ctx, obj.DeepCopyObject()); err != nil {
			return nil, err
		}
	}

	// Build the attributes from the requester's identity, never from the spec.
	var attrs authorizer.AttributesRecord
	switch {
	case review.Spec.ResourceAttributes != nil:
		attrs = authorizationutil.ResourceAttributesFrom(requester, *review.Spec.ResourceAttributes)
	default:
		attrs = authorizationutil.NonResourceAttributesFrom(requester, *review.Spec.NonResourceAttributes)
	}

	decision, reason, evalErr := r.authorizer.Authorize(ctx, attrs)

	// Status is replaced wholesale; any status the client sent is discarded.
	status := authorizationapi.SubjectAccessReviewStatus{Reason: reason}
	switch decision {
	case authorizer.DecisionAllow:
		status.Allowed = true
	case authorizer.DecisionDeny:
		status.Denied = true
	}
	if evalErr != nil {
		status.EvaluationError = evalErr.Error()
	}
	review.Status = status

	return review, nil
}
101