v2.1.1-rc1

分支 (545)

标签 (1936)

管理

管理

master

main

release/v2.9

fix/v2.9/42823

release/v2.8

release/v2.7

fix/42823

v2.9.2-hotfix-tigeraoperator-conflict

v2.8.9-hotfix-test-cve-monitoring

v2.7.16-hotfix-test-cve-monitoring

v2.8-define-artifacts-to-upload

v2.9.2-hotfix-metrics-downstream-network

v2.9.2-hotfix-downstream-caches-reduction

v2.8-self-hosted-runners

v2.9.2-hotfix-transport-leak

v2.8.5-hotfix-tigeraoperator-conflict

markus/temp-remove-rsa

fix/42788-v2.9

fix/42788

backport-userretention-to-v2.8

v2.9.3-alpha4

v2.10.0-alpha2

v2.8.9-alpha9

v2.9.2-hotfix-ch-2-efe7cd186

v2.10.0-alpha1

v2.7.16-alpha3

v2.7.16-alpha4

v2.8.9-alpha8

v2.8.9-alpha7

v2.9.3-alpha3

v2.9.3-alpha2

v2.9.3-alpha1

v2.8.9-alpha6

v2.8.9-alpha5

v2.8.9-alpha4

v2.8.9-alpha3

v2.8.9-alpha2

v2.8.9-alpha1

v2.9.2-hotfix-ch-1-77f48fb9f

v2.9.2-hotfix-ch-2-3778e74e6

rancher
/
pkg
/
rbac
/
access_control.go

package rbac

import (
	"fmt"
	"net/http"
	"strings"

	"github.com/rancher/norman/authorization"
	"github.com/rancher/norman/httperror"
	"github.com/rancher/norman/types"
	"github.com/rancher/types/apis/rbac.authorization.k8s.io/v1"
)

type AccessControl struct {
	authorization.AllAccess
	permissionStore *ListPermissionStore
}

func NewAccessControl(rbacClient v1.Interface) *AccessControl {
	permissionStore := NewListPermissionStore(rbacClient)
	return &AccessControl{
		permissionStore: permissionStore,
	}
}

func (a *AccessControl) CanDo(apiGroup, resource, verb string, apiContext *types.APIContext, obj map[string]interface{}, schema *types.Schema) error {
	permset := a.getPermissions(apiContext, apiGroup, resource, verb)

	if a.canAccess(obj, permset) {
		return nil
	}
	return httperror.NewAPIError(httperror.PermissionDenied, fmt.Sprintf("can not %v %v ", verb, schema.ID))
}

func (a *AccessControl) Filter(apiContext *types.APIContext, schema *types.Schema, obj map[string]interface{}, context map[string]string) map[string]interface{} {
	apiGroup := context["apiGroup"]
	resource := context["resource"]

	if resource == "" {
		return obj
	}

	permset := a.getPermissions(apiContext, apiGroup, resource, "list")

	if a.canAccess(obj, permset) {
		return obj
	}
	return nil
}

func (a *AccessControl) canAccess(obj map[string]interface{}, permset ListPermissionSet) bool {
	var id string
	var namespace string

	if obj != nil {
		id, _ = obj["id"].(string)
		namespace, _ = obj["namespaceId"].(string)
		if namespace == "" {
			pieces := strings.Split(id, ":")
			if len(pieces) == 2 {
				namespace = pieces[0]
			}
		}
	} else {
		id = "*"
	}

	if permset.HasAccess(namespace, "*") || permset.HasAccess("*", "*") {
		return true
	}
	return permset.HasAccess(namespace, strings.TrimPrefix(id, namespace+":"))
}

func (a *AccessControl) FilterList(apiContext *types.APIContext, schema *types.Schema, objs []map[string]interface{}, context map[string]string) []map[string]interface{} {
	apiGroup := context["apiGroup"]
	resource := context["resource"]

	if resource == "" {
		return objs
	}

	permset := a.getPermissions(apiContext, apiGroup, resource, "list")

	result := make([]map[string]interface{}, 0, len(objs))

	all := permset.HasAccess("*", "*")

	for _, obj := range objs {
		if all {
			result = append(result, obj)
		} else if a.canAccess(obj, permset) {
			result = append(result, obj)
		}
	}

	return result
}

func (a *AccessControl) getPermissions(context *types.APIContext, apiGroup, resource, verb string) ListPermissionSet {
	permset := a.permissionStore.UserPermissions(getUser(context), apiGroup, resource, verb)
	if permset == nil {
		permset = ListPermissionSet{}
	}
	for _, group := range getGroups(context) {
		for k, v := range a.permissionStore.GroupPermissions(group, apiGroup, resource, verb) {
			permset[k] = v
		}
	}

	return permset
}

func getUser(apiContext *types.APIContext) string {
	return apiContext.Request.Header.Get("Impersonate-User")
}

func getGroups(apiContext *types.APIContext) []string {
	return apiContext.Request.Header[http.CanonicalHeaderKey("Impersonate-Group")]
}