37 Star 411 Fork 76

GVPrancher/rancher

加入 Gitee
与超过 1200万 开发者一起发现、参与优秀开源项目,私有仓库也完全免费 :)
免费加入
文件
克隆/下载
access_control.go 2.92 KB
一键复制 编辑 原始数据 按行查看 历史
Craig Jellick 提交于 2018-04-25 13:54 . Do auth checks on actions and links
package rbac
import (
"fmt"
"net/http"
"strings"
"github.com/rancher/norman/authorization"
"github.com/rancher/norman/httperror"
"github.com/rancher/norman/types"
"github.com/rancher/types/apis/rbac.authorization.k8s.io/v1"
)
type AccessControl struct {
authorization.AllAccess
permissionStore *ListPermissionStore
}
func NewAccessControl(rbacClient v1.Interface) *AccessControl {
permissionStore := NewListPermissionStore(rbacClient)
return &AccessControl{
permissionStore: permissionStore,
}
}
func (a *AccessControl) CanDo(apiGroup, resource, verb string, apiContext *types.APIContext, obj map[string]interface{}, schema *types.Schema) error {
permset := a.getPermissions(apiContext, apiGroup, resource, verb)
if a.canAccess(obj, permset) {
return nil
}
return httperror.NewAPIError(httperror.PermissionDenied, fmt.Sprintf("can not %v %v ", verb, schema.ID))
}
func (a *AccessControl) Filter(apiContext *types.APIContext, schema *types.Schema, obj map[string]interface{}, context map[string]string) map[string]interface{} {
apiGroup := context["apiGroup"]
resource := context["resource"]
if resource == "" {
return obj
}
permset := a.getPermissions(apiContext, apiGroup, resource, "list")
if a.canAccess(obj, permset) {
return obj
}
return nil
}
func (a *AccessControl) canAccess(obj map[string]interface{}, permset ListPermissionSet) bool {
namespace, _ := obj["namespaceId"].(string)
var id string
if obj != nil {
id, _ = obj["id"].(string)
} else {
id = "*"
}
if permset.HasAccess(namespace, "*") || permset.HasAccess("*", "*") {
return true
}
return permset.HasAccess(namespace, strings.TrimPrefix(id, namespace+":"))
}
func (a *AccessControl) FilterList(apiContext *types.APIContext, schema *types.Schema, objs []map[string]interface{}, context map[string]string) []map[string]interface{} {
apiGroup := context["apiGroup"]
resource := context["resource"]
if resource == "" {
return objs
}
permset := a.getPermissions(apiContext, apiGroup, resource, "list")
result := make([]map[string]interface{}, 0, len(objs))
all := permset.HasAccess("*", "*")
for _, obj := range objs {
if all {
result = append(result, obj)
} else if a.canAccess(obj, permset) {
result = append(result, obj)
}
}
return result
}
func (a *AccessControl) getPermissions(context *types.APIContext, apiGroup, resource, verb string) ListPermissionSet {
permset := a.permissionStore.UserPermissions(getUser(context), apiGroup, resource, verb)
if permset == nil {
permset = ListPermissionSet{}
}
for _, group := range getGroups(context) {
for k, v := range a.permissionStore.GroupPermissions(group, apiGroup, resource, verb) {
permset[k] = v
}
}
return permset
}
func getUser(apiContext *types.APIContext) string {
return apiContext.Request.Header.Get("Impersonate-User")
}
func getGroups(apiContext *types.APIContext) []string {
return apiContext.Request.Header[http.CanonicalHeaderKey("Impersonate-Group")]
}
Loading...
马建仓 AI 助手
尝试更多
代码解读
代码找茬
代码优化
Go
1
https://gitee.com/rancher/rancher.git
git@gitee.com:rancher/rancher.git
rancher
rancher
rancher
v2.0.1

搜索帮助

0d507c66 1850385 C8b1a773 1850385