コード例 #1
0
ファイル: master_config.go プロジェクト: vikaslaad/origin
func newAuthorizer(policyClient policyclient.ReadOnlyPolicyClient, projectRequestDenyMessage string) authorizer.Authorizer {
	authorizer := authorizer.NewAuthorizer(rulevalidation.NewDefaultRuleResolver(
		rulevalidation.PolicyGetter(policyClient),
		rulevalidation.BindingLister(policyClient),
		rulevalidation.ClusterPolicyGetter(policyClient),
		rulevalidation.ClusterBindingLister(policyClient),
	), authorizer.NewForbiddenMessageResolver(projectRequestDenyMessage))
	return authorizer
}
コード例 #2
0
ファイル: authorizer_test.go プロジェクト: RomainVabre/origin
func TestAuthorize(t *testing.T) {
	testCases := []struct {
		name                string
		user                user.Info
		attributes          defaultauthorizer.DefaultAuthorizationAttributes
		delegateAuthAllowed bool
		expectedCalled      bool
		expectedAllowed     bool
		expectedErr         string
		expectedMsg         string
	}{
		{
			name:        "no user",
			expectedErr: `user missing from context`,
		},
		{
			name:           "no extra",
			user:           &user.DefaultInfo{},
			expectedCalled: true,
		},
		{
			name:           "empty extra",
			user:           &user.DefaultInfo{Extra: map[string][]string{}},
			expectedCalled: true,
		},
		{
			name:           "empty scopes",
			user:           &user.DefaultInfo{Extra: map[string][]string{authorizationapi.ScopesKey: {}}},
			expectedCalled: true,
		},
		{
			name:        "bad scope",
			user:        &user.DefaultInfo{Extra: map[string][]string{authorizationapi.ScopesKey: {"does-not-exist"}}},
			expectedMsg: `scopes [does-not-exist] prevent this action; User "" cannot "" "" with name "" in project "ns"`,
			expectedErr: `no scope evaluator found for "does-not-exist"`,
		},
		{
			name:        "bad scope 2",
			user:        &user.DefaultInfo{Extra: map[string][]string{authorizationapi.ScopesKey: {"user:dne"}}},
			expectedMsg: `scopes [user:dne] prevent this action; User "" cannot "" "" with name "" in project "ns"`,
			expectedErr: `unrecognized scope: user:dne`,
		},
		{
			name:        "scope doesn't cover",
			user:        &user.DefaultInfo{Extra: map[string][]string{authorizationapi.ScopesKey: {"user:info"}}},
			attributes:  defaultauthorizer.DefaultAuthorizationAttributes{Verb: "get", Resource: "users", ResourceName: "harold"},
			expectedMsg: `scopes [user:info] prevent this action; User "" cannot get users in project "ns"`,
		},
		{
			name:           "scope covers",
			user:           &user.DefaultInfo{Extra: map[string][]string{authorizationapi.ScopesKey: {"user:info"}}},
			attributes:     defaultauthorizer.DefaultAuthorizationAttributes{Verb: "get", Resource: "users", ResourceName: "~"},
			expectedCalled: true,
		},
		{
			name:           "scope covers for discovery",
			user:           &user.DefaultInfo{Extra: map[string][]string{authorizationapi.ScopesKey: {"user:info"}}},
			attributes:     defaultauthorizer.DefaultAuthorizationAttributes{Verb: "get", NonResourceURL: true, URL: "/api"},
			expectedCalled: true,
		},
	}

	for _, tc := range testCases {
		delegate := &fakeAuthorizer{allowed: tc.delegateAuthAllowed}
		authorizer := NewAuthorizer(delegate, nil, defaultauthorizer.NewForbiddenMessageResolver(""))

		ctx := kapi.WithNamespace(kapi.NewContext(), "ns")
		if tc.user != nil {
			ctx = kapi.WithUser(ctx, tc.user)

		}

		actualAllowed, actualMsg, actualErr := authorizer.Authorize(ctx, tc.attributes)
		switch {
		case len(tc.expectedErr) == 0 && actualErr == nil:
		case len(tc.expectedErr) == 0 && actualErr != nil:
			t.Errorf("%s: unexpected error: %v", tc.name, actualErr)
		case len(tc.expectedErr) != 0 && actualErr == nil:
			t.Errorf("%s: missing error: %v", tc.name, tc.expectedErr)
		case len(tc.expectedErr) != 0 && actualErr != nil:
			if !strings.Contains(actualErr.Error(), tc.expectedErr) {
				t.Errorf("%s: expected %v, got %v", tc.name, tc.expectedErr, actualErr)
			}
		}
		if tc.expectedMsg != actualMsg {
			t.Errorf("%s: expected %v, got %v", tc.name, tc.expectedMsg, actualMsg)
		}
		if tc.expectedAllowed != actualAllowed {
			t.Errorf("%s: expected %v, got %v", tc.name, tc.expectedAllowed, actualAllowed)
		}
		if tc.expectedCalled != delegate.called {
			t.Errorf("%s: expected %v, got %v", tc.name, tc.expectedCalled, delegate.called)
		}
	}
}
コード例 #3
0
ファイル: master_config.go プロジェクト: rhamilto/origin
func newAuthorizer(ruleResolver rulevalidation.AuthorizationRuleResolver, informerFactory shared.InformerFactory, projectRequestDenyMessage string) authorizer.Authorizer {
	messageMaker := authorizer.NewForbiddenMessageResolver(projectRequestDenyMessage)
	roleBasedAuthorizer := authorizer.NewAuthorizer(ruleResolver, messageMaker)
	scopeLimitedAuthorizer := scope.NewAuthorizer(roleBasedAuthorizer, informerFactory.ClusterPolicies().Lister().ClusterPolicies(), messageMaker)
	return scopeLimitedAuthorizer
}
コード例 #4
0
ファイル: master_config.go プロジェクト: sgallagher/origin
func newAuthorizer(ruleResolver rulevalidation.AuthorizationRuleResolver, policyClient policyclient.ReadOnlyPolicyClient, projectRequestDenyMessage string) authorizer.Authorizer {
	messageMaker := authorizer.NewForbiddenMessageResolver(projectRequestDenyMessage)
	roleBasedAuthorizer := authorizer.NewAuthorizer(ruleResolver, messageMaker)
	scopeLimitedAuthorizer := scope.NewAuthorizer(roleBasedAuthorizer, policyClient, messageMaker)
	return scopeLimitedAuthorizer
}