// Create registers a given new ResourceAccessReview instance to r.registry.
func (r *REST) Create(ctx kapi.Context, obj runtime.Object) (runtime.Object, error) {
subjectAccessReview, ok := obj.(*authorizationapi.SubjectAccessReview)
if !ok {
return nil, kapierrors.NewBadRequest(fmt.Sprintf("not a subjectAccessReview: %#v", obj))
}
if err := kutilerrors.NewAggregate(authorizationvalidation.ValidateSubjectAccessReview(subjectAccessReview)); err != nil {
return nil, err
}
// if a namespace is present on the request, then the namespace on the on the SAR is overwritten.
// This is to support backwards compatibility. To have gotten here in this state, it means that
// the authorizer decided that a user could run an SAR against this namespace
if namespace := kapi.NamespaceValue(ctx); len(namespace) > 0 {
subjectAccessReview.Action.Namespace = namespace
} else if err := r.isAllowed(ctx, subjectAccessReview); err != nil {
// this check is mutually exclusive to the condition above. localSAR and localRAR both clear the namespace before delegating their calls
// We only need to check if the SAR is allowed **again** if the authorizer didn't already approve the request for a legacy call.
return nil, err
}
var userToCheck user.Info
if (len(subjectAccessReview.User) == 0) && (len(subjectAccessReview.Groups) == 0) {
// if no user or group was specified, use the info from the context
ctxUser, exists := kapi.UserFrom(ctx)
if !exists {
return nil, kapierrors.NewBadRequest("user missing from context")
}
userToCheck = ctxUser
} else {
userToCheck = &user.DefaultInfo{
Name: subjectAccessReview.User,
Groups: subjectAccessReview.Groups.List(),
}
}
requestContext := kapi.WithNamespace(kapi.WithUser(ctx, userToCheck), subjectAccessReview.Action.Namespace)
attributes := authorizer.ToDefaultAuthorizationAttributes(subjectAccessReview.Action)
allowed, reason, err := r.authorizer.Authorize(requestContext, attributes)
if err != nil {
return nil, err
}
response := &authorizationapi.SubjectAccessReviewResponse{
Namespace: subjectAccessReview.Action.Namespace,
Allowed: allowed,
Reason: reason,
}
return response, nil
}
// Create registers a given new ResourceAccessReview instance to r.registry.
func (r *REST) Create(ctx kapi.Context, obj runtime.Object) (runtime.Object, error) {
subjectAccessReview, ok := obj.(*authorizationapi.SubjectAccessReview)
if !ok {
return nil, kerrors.NewBadRequest(fmt.Sprintf("not a subjectAccessReview: %#v", obj))
}
if err := kutilerrors.NewAggregate(authorizationvalidation.ValidateSubjectAccessReview(subjectAccessReview)); err != nil {
return nil, err
}
var userToCheck user.Info
if (len(subjectAccessReview.User) == 0) && (len(subjectAccessReview.Groups) == 0) {
// if no user or group was specified, use the info from the context
ctxUser, exists := kapi.UserFrom(ctx)
if !exists {
return nil, kerrors.NewBadRequest("user missing from context")
}
userToCheck = ctxUser
} else {
userToCheck = &user.DefaultInfo{
Name: subjectAccessReview.User,
Groups: subjectAccessReview.Groups.List(),
}
}
namespace := kapi.NamespaceValue(ctx)
requestContext := kapi.WithUser(ctx, userToCheck)
attributes := &authorizer.DefaultAuthorizationAttributes{
Verb: subjectAccessReview.Verb,
Resource: subjectAccessReview.Resource,
}
allowed, reason, err := r.authorizer.Authorize(requestContext, attributes)
if err != nil {
return nil, err
}
response := &authorizationapi.SubjectAccessReviewResponse{
Namespace: namespace,
Allowed: allowed,
Reason: reason,
}
return response, nil
}
// Create registers a given new ResourceAccessReview instance to r.registry.
func (r *REST) Create(ctx kapi.Context, obj runtime.Object) (runtime.Object, error) {
subjectAccessReview, ok := obj.(*authorizationapi.SubjectAccessReview)
if !ok {
return nil, kapierrors.NewBadRequest(fmt.Sprintf("not a subjectAccessReview: %#v", obj))
}
if errs := authorizationvalidation.ValidateSubjectAccessReview(subjectAccessReview); len(errs) > 0 {
return nil, kapierrors.NewInvalid(authorizationapi.Kind(subjectAccessReview.Kind), "", errs)
}
// if a namespace is present on the request, then the namespace on the on the SAR is overwritten.
// This is to support backwards compatibility. To have gotten here in this state, it means that
// the authorizer decided that a user could run an SAR against this namespace
if namespace := kapi.NamespaceValue(ctx); len(namespace) > 0 {
subjectAccessReview.Action.Namespace = namespace
} else if err := r.isAllowed(ctx, subjectAccessReview); err != nil {
// this check is mutually exclusive to the condition above. localSAR and localRAR both clear the namespace before delegating their calls
// We only need to check if the SAR is allowed **again** if the authorizer didn't already approve the request for a legacy call.
return nil, err
}
var userToCheck *user.DefaultInfo
if (len(subjectAccessReview.User) == 0) && (len(subjectAccessReview.Groups) == 0) {
// if no user or group was specified, use the info from the context
ctxUser, exists := kapi.UserFrom(ctx)
if !exists {
return nil, kapierrors.NewBadRequest("user missing from context")
}
// make a copy, we don't want to risk changing the original
newExtra := map[string][]string{}
for k, v := range ctxUser.GetExtra() {
if v == nil {
newExtra[k] = nil
continue
}
newSlice := make([]string, len(v), len(v))
copy(newSlice, v)
newExtra[k] = newSlice
}
userToCheck = &user.DefaultInfo{
Name: ctxUser.GetName(),
Groups: ctxUser.GetGroups(),
UID: ctxUser.GetUID(),
Extra: newExtra,
}
} else {
userToCheck = &user.DefaultInfo{
Name: subjectAccessReview.User,
Groups: subjectAccessReview.Groups.List(),
Extra: map[string][]string{},
}
}
switch {
case subjectAccessReview.Scopes == nil:
// leave the scopes alone. on a self-sar, this means "use incoming request", on regular-sar it means, "use no scope restrictions"
case len(subjectAccessReview.Scopes) == 0:
// this always means "use no scope restrictions", so delete them
delete(userToCheck.Extra, authorizationapi.ScopesKey)
case len(subjectAccessReview.Scopes) > 0:
// this always means, "use these scope restrictions", so force the value
userToCheck.Extra[authorizationapi.ScopesKey] = subjectAccessReview.Scopes
}
requestContext := kapi.WithNamespace(kapi.WithUser(ctx, userToCheck), subjectAccessReview.Action.Namespace)
attributes := authorizer.ToDefaultAuthorizationAttributes(subjectAccessReview.Action)
allowed, reason, err := r.authorizer.Authorize(requestContext, attributes)
if err != nil {
return nil, err
}
response := &authorizationapi.SubjectAccessReviewResponse{
Namespace: subjectAccessReview.Action.Namespace,
Allowed: allowed,
Reason: reason,
}
return response, nil
}
