// List returns the set of namespace names the user has access to view
func (ac *AuthorizationCache) List(userInfo user.Info) (*kapi.NamespaceList, error) {
keys := util.StringSet{}
user := userInfo.GetName()
groups := userInfo.GetGroups()
obj, exists, _ := ac.userSubjectRecordStore.GetByKey(user)
if exists {
subjectRecord := obj.(*subjectRecord)
keys.Insert(subjectRecord.namespaces.List()...)
}
for _, group := range groups {
obj, exists, _ := ac.groupSubjectRecordStore.GetByKey(group)
if exists {
subjectRecord := obj.(*subjectRecord)
keys.Insert(subjectRecord.namespaces.List()...)
}
}
namespaceList := &kapi.NamespaceList{}
for key := range keys {
namespace, exists, err := ac.namespaceStore.GetByKey(key)
if err != nil {
return nil, err
}
if exists {
namespaceList.Items = append(namespaceList.Items, *namespace.(*kapi.Namespace))
}
}
return namespaceList, nil
}
func (a *Authenticator) AuthenticationSucceeded(user user.Info, state string, w http.ResponseWriter, req *http.Request) (bool, error) {
session, err := a.store.Get(req, a.name)
if err != nil {
return false, err
}
values := session.Values()
values[UserNameKey] = user.GetName()
values[UserUIDKey] = user.GetUID()
// TODO: should we save groups, scope, and extra in the session as well?
return false, a.store.Save(w, req)
}
// constraintAppliesTo inspects the constraint's users and groups against the userInfo to determine
// if it is usable by the userInfo.
func constraintAppliesTo(constraint *kapi.SecurityContextConstraints, userInfo user.Info) bool {
for _, user := range constraint.Users {
if userInfo.GetName() == user {
return true
}
}
for _, userGroup := range userInfo.GetGroups() {
if constraintSupportsGroup(userGroup, constraint.Groups) {
return true
}
}
return false
}
func appliesToUser(ruleUsers, ruleGroups util.StringSet, user user.Info) bool {
if ruleUsers.Has(user.GetName()) {
return true
}
for _, currGroup := range user.GetGroups() {
if ruleGroups.Has(currGroup) {
return true
}
}
return false
}
func (c *ClientAuthorizationGrantChecker) HasAuthorizedClient(user user.Info, grant *api.Grant) (approved bool, err error) {
id := c.registry.ClientAuthorizationName(user.GetName(), grant.Client.GetId())
authorization, err := c.registry.GetClientAuthorization(kapi.NewContext(), id)
if errors.IsNotFound(err) {
return false, nil
}
if err != nil {
return false, err
}
if len(authorization.UserUID) != 0 && authorization.UserUID != user.GetUID() {
return false, fmt.Errorf("user %s UID %s does not match stored client authorization value for UID %s", user.GetName(), user.GetUID(), authorization.UserUID)
}
// TODO: improve this to allow the scope implementation to determine overlap
if !scope.Covers(authorization.Scopes, scope.Split(grant.Scope)) {
return false, nil
}
return true, nil
}
func (v *TagVerifier) Verify(old, stream *api.ImageStream, user user.Info) fielderrors.ValidationErrorList {
var errors fielderrors.ValidationErrorList
oldTags := map[string]api.TagReference{}
if old != nil && old.Spec.Tags != nil {
oldTags = old.Spec.Tags
}
for tag, tagRef := range stream.Spec.Tags {
if tagRef.From == nil {
continue
}
if len(tagRef.From.Namespace) == 0 {
continue
}
if stream.Namespace == tagRef.From.Namespace {
continue
}
if oldRef, ok := oldTags[tag]; ok && !tagRefChanged(oldRef, tagRef, stream.Namespace) {
continue
}
streamName, _, err := parseFromReference(stream, tagRef.From)
if err != nil {
errors = append(errors, fielderrors.NewFieldInvalid(fmt.Sprintf("spec.tags[%s].from.name", tag), tagRef.From.Name, "must be of the form <tag>, <repo>:<tag>, <id>, or <repo>@<id>"))
continue
}
subjectAccessReview := authorizationapi.SubjectAccessReview{
Verb: "get",
Resource: "imagestreams",
User: user.GetName(),
Groups: util.NewStringSet(user.GetGroups()...),
ResourceName: streamName,
}
ctx := kapi.WithNamespace(kapi.NewContext(), tagRef.From.Namespace)
glog.V(1).Infof("Performing SubjectAccessReview for user=%s, groups=%v to %s/%s", user.GetName(), user.GetGroups(), tagRef.From.Namespace, streamName)
resp, err := v.subjectAccessReviewClient.CreateSubjectAccessReview(ctx, &subjectAccessReview)
if err != nil || resp == nil || (resp != nil && !resp.Allowed) {
errors = append(errors, fielderrors.NewFieldForbidden(fmt.Sprintf("spec.tags[%s].from", tag), fmt.Sprintf("%s/%s", tagRef.From.Namespace, streamName)))
continue
}
}
return errors
}
func UserToSubject(u user.Info) pkix.Name {
return pkix.Name{
CommonName: u.GetName(),
SerialNumber: u.GetUID(),
Organization: u.GetGroups(),
}
}
func validateList(t *testing.T, lister Lister, user user.Info, expectedSet util.StringSet) {
namespaceList, err := lister.List(user)
if err != nil {
t.Errorf("Unexpected error %v", err)
}
results := util.StringSet{}
for _, namespace := range namespaceList.Items {
results.Insert(namespace.Name)
}
if results.Len() != expectedSet.Len() || !results.HasAll(expectedSet.List()...) {
t.Errorf("User %v, Expected: %v, Actual: %v", user.GetName(), expectedSet, results)
}
}
func (l *Grant) handleForm(user user.Info, w http.ResponseWriter, req *http.Request) {
q := req.URL.Query()
then := q.Get("then")
clientID := q.Get("client_id")
scopes := q.Get("scopes")
redirectURI := q.Get("redirect_uri")
client, err := l.clientregistry.GetClient(kapi.NewContext(), clientID)
if err != nil || client == nil {
l.failed("Could not find client for client_id", w, req)
return
}
uri, err := getBaseURL(req)
if err != nil {
glog.Errorf("Unable to generate base URL: %v", err)
http.Error(w, "Unable to determine URL", http.StatusInternalServerError)
return
}
csrf, err := l.csrf.Generate(w, req)
if err != nil {
glog.Errorf("Unable to generate CSRF token: %v", err)
l.failed("Could not generate CSRF token", w, req)
return
}
form := Form{
Action: uri.String(),
Values: FormValues{
Then: then,
ThenParam: thenParam,
CSRF: csrf,
CSRFParam: csrfParam,
ClientID: client.Name,
ClientIDParam: clientIDParam,
UserName: user.GetName(),
UserNameParam: userNameParam,
Scopes: scopes,
ScopesParam: scopesParam,
RedirectURI: redirectURI,
RedirectURIParam: redirectURIParam,
ApproveParam: approveParam,
DenyParam: denyParam,
},
}
l.render.Render(form, w, req)
}
func (l *Grant) handleGrant(user user.Info, w http.ResponseWriter, req *http.Request) {
if ok, err := l.csrf.Check(req, req.FormValue("csrf")); !ok || err != nil {
glog.Errorf("Unable to check CSRF token: %v", err)
l.failed("Invalid CSRF token", w, req)
return
}
then := req.FormValue("then")
scopes := req.FormValue("scopes")
if len(req.FormValue(approveParam)) == 0 {
// Redirect with rejection param
url, err := url.Parse(then)
if len(then) == 0 || err != nil {
l.failed("Access denied, but no redirect URL was specified", w, req)
return
}
q := url.Query()
q.Set("error", "access_denied")
url.RawQuery = q.Encode()
http.Redirect(w, req, url.String(), http.StatusFound)
return
}
clientID := req.FormValue("client_id")
client, err := l.clientregistry.GetClient(kapi.NewContext(), clientID)
if err != nil || client == nil {
l.failed("Could not find client for client_id", w, req)
return
}
clientAuthID := l.authregistry.ClientAuthorizationName(user.GetName(), client.Name)
ctx := kapi.NewContext()
clientAuth, err := l.authregistry.GetClientAuthorization(ctx, clientAuthID)
if err == nil && clientAuth != nil {
// Add new scopes and update
clientAuth.Scopes = scope.Add(clientAuth.Scopes, scope.Split(scopes))
if _, err = l.authregistry.UpdateClientAuthorization(ctx, clientAuth); err != nil {
glog.Errorf("Unable to update authorization: %v", err)
l.failed("Could not update client authorization", w, req)
return
}
} else {
// Make sure client name, user name, grant scope, expiration, and redirect uri match
clientAuth = &oapi.OAuthClientAuthorization{
UserName: user.GetName(),
UserUID: user.GetUID(),
ClientName: client.Name,
Scopes: scope.Split(scopes),
}
clientAuth.Name = clientAuthID
if _, err = l.authregistry.CreateClientAuthorization(ctx, clientAuth); err != nil {
glog.Errorf("Unable to create authorization: %v", err)
l.failed("Could not create client authorization", w, req)
return
}
}
if len(then) == 0 {
l.failed("Approval granted, but no redirect URL was specified", w, req)
return
}
http.Redirect(w, req, then, http.StatusFound)
}
