// List returns the set of namespace names the user has access to view func (ac *AuthorizationCache) List(userInfo user.Info) (*kapi.NamespaceList, error) { keys := util.StringSet{} user := userInfo.GetName() groups := userInfo.GetGroups() obj, exists, _ := ac.userSubjectRecordStore.GetByKey(user) if exists { subjectRecord := obj.(*subjectRecord) keys.Insert(subjectRecord.namespaces.List()...) } for _, group := range groups { obj, exists, _ := ac.groupSubjectRecordStore.GetByKey(group) if exists { subjectRecord := obj.(*subjectRecord) keys.Insert(subjectRecord.namespaces.List()...) } } namespaceList := &kapi.NamespaceList{} for key := range keys { namespace, exists, err := ac.namespaceStore.GetByKey(key) if err != nil { return nil, err } if exists { namespaceList.Items = append(namespaceList.Items, *namespace.(*kapi.Namespace)) } } return namespaceList, nil }
func UserToSubject(u user.Info) pkix.Name { return pkix.Name{ CommonName: u.GetName(), SerialNumber: u.GetUID(), Organization: u.GetGroups(), } }
// constraintAppliesTo inspects the constraint's users and groups against the userInfo to determine // if it is usable by the userInfo. func constraintAppliesTo(constraint *kapi.SecurityContextConstraints, userInfo user.Info) bool { for _, user := range constraint.Users { if userInfo.GetName() == user { return true } } for _, userGroup := range userInfo.GetGroups() { if constraintSupportsGroup(userGroup, constraint.Groups) { return true } } return false }
func (v *TagVerifier) Verify(old, stream *api.ImageStream, user user.Info) fielderrors.ValidationErrorList { var errors fielderrors.ValidationErrorList oldTags := map[string]api.TagReference{} if old != nil && old.Spec.Tags != nil { oldTags = old.Spec.Tags } for tag, tagRef := range stream.Spec.Tags { if tagRef.From == nil { continue } if len(tagRef.From.Namespace) == 0 { continue } if stream.Namespace == tagRef.From.Namespace { continue } if oldRef, ok := oldTags[tag]; ok && !tagRefChanged(oldRef, tagRef, stream.Namespace) { continue } streamName, _, err := parseFromReference(stream, tagRef.From) if err != nil { errors = append(errors, fielderrors.NewFieldInvalid(fmt.Sprintf("spec.tags[%s].from.name", tag), tagRef.From.Name, "must be of the form <tag>, <repo>:<tag>, <id>, or <repo>@<id>")) continue } subjectAccessReview := authorizationapi.SubjectAccessReview{ Verb: "get", Resource: "imagestreams", User: user.GetName(), Groups: util.NewStringSet(user.GetGroups()...), ResourceName: streamName, } ctx := kapi.WithNamespace(kapi.NewContext(), tagRef.From.Namespace) glog.V(1).Infof("Performing SubjectAccessReview for user=%s, groups=%v to %s/%s", user.GetName(), user.GetGroups(), tagRef.From.Namespace, streamName) resp, err := v.subjectAccessReviewClient.CreateSubjectAccessReview(ctx, &subjectAccessReview) if err != nil || resp == nil || (resp != nil && !resp.Allowed) { errors = append(errors, fielderrors.NewFieldForbidden(fmt.Sprintf("spec.tags[%s].from", tag), fmt.Sprintf("%s/%s", tagRef.From.Namespace, streamName))) continue } } return errors }
func (a *Authenticator) AuthenticationSucceeded(user user.Info, state string, w http.ResponseWriter, req *http.Request) (bool, error) { session, err := a.store.Get(req, a.name) if err != nil { return false, err } values := session.Values() values[UserNameKey] = user.GetName() values[UserUIDKey] = user.GetUID() // TODO: should we save groups, scope, and extra in the session as well? return false, a.store.Save(w, req) }
func appliesToUser(ruleUsers, ruleGroups util.StringSet, user user.Info) bool { if ruleUsers.Has(user.GetName()) { return true } for _, currGroup := range user.GetGroups() { if ruleGroups.Has(currGroup) { return true } } return false }
func validateList(t *testing.T, lister Lister, user user.Info, expectedSet util.StringSet) { namespaceList, err := lister.List(user) if err != nil { t.Errorf("Unexpected error %v", err) } results := util.StringSet{} for _, namespace := range namespaceList.Items { results.Insert(namespace.Name) } if results.Len() != expectedSet.Len() || !results.HasAll(expectedSet.List()...) { t.Errorf("User %v, Expected: %v, Actual: %v", user.GetName(), expectedSet, results) } }
func (l *Grant) handleForm(user user.Info, w http.ResponseWriter, req *http.Request) { q := req.URL.Query() then := q.Get("then") clientID := q.Get("client_id") scopes := q.Get("scopes") redirectURI := q.Get("redirect_uri") client, err := l.clientregistry.GetClient(kapi.NewContext(), clientID) if err != nil || client == nil { l.failed("Could not find client for client_id", w, req) return } uri, err := getBaseURL(req) if err != nil { glog.Errorf("Unable to generate base URL: %v", err) http.Error(w, "Unable to determine URL", http.StatusInternalServerError) return } csrf, err := l.csrf.Generate(w, req) if err != nil { glog.Errorf("Unable to generate CSRF token: %v", err) l.failed("Could not generate CSRF token", w, req) return } form := Form{ Action: uri.String(), Values: FormValues{ Then: then, ThenParam: thenParam, CSRF: csrf, CSRFParam: csrfParam, ClientID: client.Name, ClientIDParam: clientIDParam, UserName: user.GetName(), UserNameParam: userNameParam, Scopes: scopes, ScopesParam: scopesParam, RedirectURI: redirectURI, RedirectURIParam: redirectURIParam, ApproveParam: approveParam, DenyParam: denyParam, }, } l.render.Render(form, w, req) }
func (c *ClientAuthorizationGrantChecker) HasAuthorizedClient(user user.Info, grant *api.Grant) (approved bool, err error) { id := c.registry.ClientAuthorizationName(user.GetName(), grant.Client.GetId()) authorization, err := c.registry.GetClientAuthorization(kapi.NewContext(), id) if errors.IsNotFound(err) { return false, nil } if err != nil { return false, err } if len(authorization.UserUID) != 0 && authorization.UserUID != user.GetUID() { return false, fmt.Errorf("user %s UID %s does not match stored client authorization value for UID %s", user.GetName(), user.GetUID(), authorization.UserUID) } // TODO: improve this to allow the scope implementation to determine overlap if !scope.Covers(authorization.Scopes, scope.Split(grant.Scope)) { return false, nil } return true, nil }
func (l *Grant) handleGrant(user user.Info, w http.ResponseWriter, req *http.Request) { if ok, err := l.csrf.Check(req, req.FormValue("csrf")); !ok || err != nil { glog.Errorf("Unable to check CSRF token: %v", err) l.failed("Invalid CSRF token", w, req) return } then := req.FormValue("then") scopes := req.FormValue("scopes") if len(req.FormValue(approveParam)) == 0 { // Redirect with rejection param url, err := url.Parse(then) if len(then) == 0 || err != nil { l.failed("Access denied, but no redirect URL was specified", w, req) return } q := url.Query() q.Set("error", "access_denied") url.RawQuery = q.Encode() http.Redirect(w, req, url.String(), http.StatusFound) return } clientID := req.FormValue("client_id") client, err := l.clientregistry.GetClient(kapi.NewContext(), clientID) if err != nil || client == nil { l.failed("Could not find client for client_id", w, req) return } clientAuthID := l.authregistry.ClientAuthorizationName(user.GetName(), client.Name) ctx := kapi.NewContext() clientAuth, err := l.authregistry.GetClientAuthorization(ctx, clientAuthID) if err == nil && clientAuth != nil { // Add new scopes and update clientAuth.Scopes = scope.Add(clientAuth.Scopes, scope.Split(scopes)) if _, err = l.authregistry.UpdateClientAuthorization(ctx, clientAuth); err != nil { glog.Errorf("Unable to update authorization: %v", err) l.failed("Could not update client authorization", w, req) return } } else { // Make sure client name, user name, grant scope, expiration, and redirect uri match clientAuth = &oapi.OAuthClientAuthorization{ UserName: user.GetName(), UserUID: user.GetUID(), ClientName: client.Name, Scopes: scope.Split(scopes), } clientAuth.Name = clientAuthID if _, err = l.authregistry.CreateClientAuthorization(ctx, clientAuth); err != nil { glog.Errorf("Unable to create authorization: %v", err) l.failed("Could not create client authorization", w, req) return } } if len(then) == 0 { l.failed("Approval granted, but no redirect URL was specified", w, req) return } http.Redirect(w, req, then, http.StatusFound) }