v2.2.12-rc1

分支 (545)

标签 (1936)

管理

管理

master

main

release/v2.9

fix/v2.9/42823

release/v2.8

release/v2.7

fix/42823

v2.9.2-hotfix-tigeraoperator-conflict

v2.8.9-hotfix-test-cve-monitoring

v2.7.16-hotfix-test-cve-monitoring

v2.8-define-artifacts-to-upload

v2.9.2-hotfix-metrics-downstream-network

v2.9.2-hotfix-downstream-caches-reduction

v2.8-self-hosted-runners

v2.9.2-hotfix-transport-leak

v2.8.5-hotfix-tigeraoperator-conflict

markus/temp-remove-rsa

fix/42788-v2.9

fix/42788

backport-userretention-to-v2.8

v2.9.3-alpha4

v2.10.0-alpha2

v2.8.9-alpha9

v2.9.2-hotfix-ch-2-efe7cd186

v2.10.0-alpha1

v2.7.16-alpha3

v2.7.16-alpha4

v2.8.9-alpha8

v2.8.9-alpha7

v2.9.3-alpha3

v2.9.3-alpha2

v2.9.3-alpha1

v2.8.9-alpha6

v2.8.9-alpha5

v2.8.9-alpha4

v2.8.9-alpha3

v2.8.9-alpha2

v2.8.9-alpha1

v2.9.2-hotfix-ch-1-77f48fb9f

v2.9.2-hotfix-ch-2-3778e74e6

rancher
/
pkg
/
auth
/
requests
/
sar
/
sar.go

package sar

import (
	"net/http"

	"github.com/rancher/rancher/pkg/clustermanager"
	"github.com/rancher/rancher/pkg/clusterrouter"
	"github.com/rancher/types/config"
	"github.com/sirupsen/logrus"
	authV1 "k8s.io/api/authorization/v1"
)

// SubjectAccessReview checks if a user can impersonate as another user or group
type SubjectAccessReview interface {
	// UserCanImpersonateUser checks if user can impersonate as impUser
	UserCanImpersonateUser(req *http.Request, user, impUser string) (bool, error)
	// UserCanImpersonateGroups checks if user can impersonate as the groups
	UserCanImpersonateGroups(req *http.Request, user string, groups []string) (bool, error)
}

type subjectAccessReview struct {
	clusterManager *clustermanager.Manager
}

func NewSubjectAccessReview(clusterManager *clustermanager.Manager) SubjectAccessReview {
	return subjectAccessReview{
		clusterManager: clusterManager,
	}
}

func (sar subjectAccessReview) UserCanImpersonateUser(req *http.Request, user, impUser string) (bool, error) {
	userContext, err := sar.getUserContextFromRequest(req)
	if err != nil {
		return false, err
	}
	return sar.checkUserCanImpersonateUser(userContext, user, impUser)
}

func (sar subjectAccessReview) UserCanImpersonateGroups(req *http.Request, user string, groups []string) (bool, error) {
	userContext, err := sar.getUserContextFromRequest(req)
	if err != nil {
		return false, err
	}
	return sar.checkUserCanImpersonateGroup(userContext, user, groups)
}

func (sar subjectAccessReview) getUserContextFromRequest(req *http.Request) (*config.UserContext, error) {
	clusterID := clusterrouter.GetClusterID(req)
	return sar.clusterManager.UserContext(clusterID)
}

func (sar subjectAccessReview) checkUserCanImpersonateUser(userContext *config.UserContext, user, impUser string) (bool, error) {
	review := authV1.SubjectAccessReview{
		Spec: authV1.SubjectAccessReviewSpec{
			User: user,
			ResourceAttributes: &authV1.ResourceAttributes{
				Verb:     "impersonate",
				Resource: "users",
				Name:     impUser,
			},
		},
	}

	result, err := userContext.K8sClient.AuthorizationV1().SubjectAccessReviews().Create(&review)
	if err != nil {
		return false, err
	}
	logrus.Debugf("Impersonate check result: %v", result)
	return result.Status.Allowed, nil
}

func (sar subjectAccessReview) checkUserCanImpersonateGroup(userContext *config.UserContext, user string, groups []string) (bool, error) {
	for _, group := range groups {
		review := authV1.SubjectAccessReview{
			Spec: authV1.SubjectAccessReviewSpec{
				User: user,
				ResourceAttributes: &authV1.ResourceAttributes{
					Verb:     "impersonate",
					Resource: "groups",
					Name:     group,
				},
			},
		}

		result, err := userContext.K8sClient.AuthorizationV1().SubjectAccessReviews().Create(&review)
		if err != nil {
			return false, err
		}
		logrus.Debugf("Impersonate check result: %v", result)
		if !result.Status.Allowed {
			return false, nil
		}
	}

	return true, nil
}