// isAllowed checks to see if the current user has rights to issue a LocalSubjectAccessReview on the namespace they're attempting to access
func (r *REST) isAllowed(ctx kapi.Context, rar *authorizationapi.ResourceAccessReview) error {
localRARAttributes := authorizer.DefaultAuthorizationAttributes{
Verb: "create",
Resource: "localresourceaccessreviews",
}
allowed, reason, err := r.authorizer.Authorize(kapi.WithNamespace(ctx, rar.Action.Namespace), localRARAttributes)
if err != nil {
return kapierrors.NewForbidden(localRARAttributes.GetResource(), localRARAttributes.GetResourceName(), err)
}
if !allowed {
forbiddenError, _ := kapierrors.NewForbidden(localRARAttributes.GetResource(), localRARAttributes.GetResourceName(), errors.New("") /*discarded*/).(*kapierrors.StatusError)
forbiddenError.ErrStatus.Message = reason
return forbiddenError
}
return nil
}
func TestRoundTrip(t *testing.T) {
// Start with origin attributes
oattrs := oauthorizer.DefaultAuthorizationAttributes{
Verb: "get",
APIVersion: "av",
APIGroup: "ag",
Resource: "r",
ResourceName: "rn",
RequestAttributes: "ra",
NonResourceURL: true,
URL: "/123",
}
// Convert to kube attributes
kattrs := KubernetesAuthorizerAttributes("ns", &user.DefaultInfo{Name: "myuser", Groups: []string{"mygroup"}}, oattrs)
if kattrs.GetUser().GetName() != "myuser" {
t.Errorf("Expected %v, got %v", "myuser", kattrs.GetUser().GetName())
}
if !reflect.DeepEqual(kattrs.GetUser().GetGroups(), []string{"mygroup"}) {
t.Errorf("Expected %v, got %v", []string{"mygroup"}, kattrs.GetUser().GetGroups())
}
if kattrs.GetVerb() != "get" {
t.Errorf("Expected %v, got %v", "get", kattrs.GetVerb())
}
if kattrs.IsReadOnly() != true {
t.Errorf("Expected %v, got %v", true, kattrs.IsReadOnly())
}
if kattrs.GetNamespace() != "ns" {
t.Errorf("Expected %v, got %v", "ns", kattrs.GetNamespace())
}
if kattrs.GetResource() != "r" {
t.Errorf("Expected %v, got %v", "", kattrs.GetResource())
}
if kattrs.IsResourceRequest() != false {
t.Errorf("Expected %v, got %v", false, kattrs.IsResourceRequest())
}
if kattrs.GetPath() != "/123" {
t.Errorf("Expected %v, got %v", "/123", kattrs.GetPath())
}
// Convert back to context+origin attributes
ctx, oattrs2 := OriginAuthorizerAttributes(kattrs)
// Ensure namespace/user info is preserved
if user, ok := kapi.UserFrom(ctx); !ok {
t.Errorf("No user in context")
} else if user.GetName() != "myuser" {
t.Errorf("Expected %v, got %v", "myuser", user.GetName())
} else if !reflect.DeepEqual(user.GetGroups(), []string{"mygroup"}) {
t.Errorf("Expected %v, got %v", []string{"mygroup"}, user.GetGroups())
}
// Ensure common attribute info is preserved
if oattrs.GetVerb() != oattrs2.GetVerb() {
t.Errorf("Expected %v, got %v", oattrs.GetVerb(), oattrs2.GetVerb())
}
if oattrs.GetResource() != oattrs2.GetResource() {
t.Errorf("Expected %v, got %v", oattrs.GetResource(), oattrs2.GetResource())
}
// Ensure origin-specific info is preserved
if oattrs.GetAPIVersion() != oattrs2.GetAPIVersion() {
t.Errorf("Expected %v, got %v", oattrs.GetAPIVersion(), oattrs2.GetAPIVersion())
}
if oattrs.GetAPIGroup() != oattrs2.GetAPIGroup() {
t.Errorf("Expected %v, got %v", oattrs.GetAPIGroup(), oattrs2.GetAPIGroup())
}
if oattrs.GetResourceName() != oattrs2.GetResourceName() {
t.Errorf("Expected %v, got %v", oattrs.GetResourceName(), oattrs2.GetResourceName())
}
if oattrs.GetRequestAttributes() != oattrs2.GetRequestAttributes() {
t.Errorf("Expected %v, got %v", oattrs.GetRequestAttributes(), oattrs2.GetRequestAttributes())
}
if oattrs.IsNonResourceURL() != oattrs2.IsNonResourceURL() {
t.Errorf("Expected %v, got %v", oattrs.IsNonResourceURL(), oattrs2.IsNonResourceURL())
}
if oattrs.GetURL() != oattrs2.GetURL() {
t.Errorf("Expected %v, got %v", oattrs.GetURL(), oattrs2.GetURL())
}
}
