kyverno/pkg/userinfo/roleRef.go

package userinfo

import (
	"fmt"
	"strings"

	v1beta1 "k8s.io/api/admission/v1beta1"
	authenticationv1 "k8s.io/api/authentication/v1"
	rbacv1 "k8s.io/api/rbac/v1"
	labels "k8s.io/apimachinery/pkg/labels"
	rbaclister "k8s.io/client-go/listers/rbac/v1"
	"sigs.k8s.io/controller-runtime/pkg/log"
)

const (
	clusterrolekind = "ClusterRole"
	rolekind        = "Role"
	SaPrefix        = "system:serviceaccount:"
)

//GetRoleRef gets the list of roles and cluster roles for the incoming api-request
func GetRoleRef(rbLister rbaclister.RoleBindingLister, crbLister rbaclister.ClusterRoleBindingLister, request *v1beta1.AdmissionRequest) (roles []string, clusterRoles []string, err error) {
	// rolebindings
	roleBindings, err := rbLister.List(labels.NewSelector())
	if err != nil {
		return roles, clusterRoles, fmt.Errorf("failed to list rolebindings: %v", err)
	}

	rs, crs, err := getRoleRefByRoleBindings(roleBindings, request.UserInfo)
	if err != nil {
		return roles, clusterRoles, err
	}
	roles = append(roles, rs...)
	clusterRoles = append(clusterRoles, crs...)

	// clusterrolebindings
	clusterroleBindings, err := crbLister.List(labels.NewSelector())
	if err != nil {
		return roles, clusterRoles, fmt.Errorf("failed to list clusterrolebindings: %v", err)
	}

	crs, err = getRoleRefByClusterRoleBindings(clusterroleBindings, request.UserInfo)
	if err != nil {
		return roles, clusterRoles, err
	}
	clusterRoles = append(clusterRoles, crs...)

	return roles, clusterRoles, nil
}

func getRoleRefByRoleBindings(roleBindings []*rbacv1.RoleBinding, userInfo authenticationv1.UserInfo) (roles []string, clusterRoles []string, err error) {
	for _, rolebinding := range roleBindings {
		for _, subject := range rolebinding.Subjects {
			if !matchSubjectsMap(subject, userInfo) {
				continue
			}

			switch rolebinding.RoleRef.Kind {
			case rolekind:
				roles = append(roles, rolebinding.Namespace+":"+rolebinding.RoleRef.Name)
			case clusterrolekind:
				clusterRoles = append(clusterRoles, rolebinding.RoleRef.Name)
			}
		}
	}

	return roles, clusterRoles, nil
}

// RoleRef in ClusterRoleBindings can only reference a ClusterRole in the global namespace
func getRoleRefByClusterRoleBindings(clusterroleBindings []*rbacv1.ClusterRoleBinding, userInfo authenticationv1.UserInfo) (clusterRoles []string, err error) {
	for _, clusterRoleBinding := range clusterroleBindings {
		for _, subject := range clusterRoleBinding.Subjects {
			if !matchSubjectsMap(subject, userInfo) {
				continue
			}

			if clusterRoleBinding.RoleRef.Kind == clusterrolekind {
				clusterRoles = append(clusterRoles, clusterRoleBinding.RoleRef.Name)
			}
		}
	}
	return clusterRoles, nil
}

// matchSubjectsMap checks if userInfo found in subject
// return true directly if found a match
// subject.kind can only be ServiceAccount, User and Group
func matchSubjectsMap(subject rbacv1.Subject, userInfo authenticationv1.UserInfo) bool {
	// ServiceAccount
	if strings.Contains(userInfo.Username, SaPrefix) {
		return matchServiceAccount(subject, userInfo)
	} else {
		// User or Group
		return matchUserOrGroup(subject, userInfo)
	}
}

// matchServiceAccount checks if userInfo sa matche the subject sa
// serviceaccount represents as saPrefix:namespace:name in userInfo
func matchServiceAccount(subject rbacv1.Subject, userInfo authenticationv1.UserInfo) bool {
	subjectServiceAccount := subject.Namespace + ":" + subject.Name
	if userInfo.Username[len(SaPrefix):] != subjectServiceAccount {
		log.Log.V(3).Info(fmt.Sprintf("service account not match, expect %s, got %s", subjectServiceAccount, userInfo.Username[len(SaPrefix):]))
		return false
	}

	return true
}

// matchUserOrGroup checks if userInfo contains user or group info in a subject
func matchUserOrGroup(subject rbacv1.Subject, userInfo authenticationv1.UserInfo) bool {
	keys := append(userInfo.Groups, userInfo.Username)
	for _, key := range keys {
		if subject.Name == key {
			return true
		}
	}

	log.Log.V(3).Info(fmt.Sprintf("user/group '%v' info not found in request userInfo: %v", subject.Name, keys))
	return false
}
make getRoleRef a separate package 2019-11-11 14:52:09 -08:00			`package userinfo`

			`import (`
			`"fmt"`
			`"strings"`

			`v1beta1 "k8s.io/api/admission/v1beta1"`
			`authenticationv1 "k8s.io/api/authentication/v1"`
user sharedInformer for rolebindings and clusterrolebindings 2019-11-11 15:43:13 -08:00			`rbacv1 "k8s.io/api/rbac/v1"`
			`labels "k8s.io/apimachinery/pkg/labels"`
			`rbaclister "k8s.io/client-go/listers/rbac/v1"`
refactor logging 2020-03-17 16:25:34 -07:00			`"sigs.k8s.io/controller-runtime/pkg/log"`
make getRoleRef a separate package 2019-11-11 14:52:09 -08:00			`)`

correct role/clusterrole kind 2019-11-14 15:49:11 -08:00			`const (`
			`clusterrolekind = "ClusterRole"`
			`rolekind = "Role"`
644 fixing compilation issue 2020-02-09 19:15:39 +05:30			`SaPrefix = "system:serviceaccount:"`
correct role/clusterrole kind 2019-11-14 15:49:11 -08:00			`)`

linter suggestions (#655) * cleanup phase 1 * linter fixes phase 2 2020-01-24 12:05:53 -08:00			`//GetRoleRef gets the list of roles and cluster roles for the incoming api-request`
user sharedInformer for rolebindings and clusterrolebindings 2019-11-11 15:43:13 -08:00			`func GetRoleRef(rbLister rbaclister.RoleBindingLister, crbLister rbaclister.ClusterRoleBindingLister, request *v1beta1.AdmissionRequest) (roles []string, clusterRoles []string, err error) {`
			`// rolebindings`
			`roleBindings, err := rbLister.List(labels.NewSelector())`
make getRoleRef a separate package 2019-11-11 14:52:09 -08:00			`if err != nil {`
user sharedInformer for rolebindings and clusterrolebindings 2019-11-11 15:43:13 -08:00			`return roles, clusterRoles, fmt.Errorf("failed to list rolebindings: %v", err)`
make getRoleRef a separate package 2019-11-11 14:52:09 -08:00			`}`

user sharedInformer for rolebindings and clusterrolebindings 2019-11-11 15:43:13 -08:00			`rs, crs, err := getRoleRefByRoleBindings(roleBindings, request.UserInfo)`
			`if err != nil {`
			`return roles, clusterRoles, err`
make getRoleRef a separate package 2019-11-11 14:52:09 -08:00			`}`
user sharedInformer for rolebindings and clusterrolebindings 2019-11-11 15:43:13 -08:00			`roles = append(roles, rs...)`
			`clusterRoles = append(clusterRoles, crs...)`
make getRoleRef a separate package 2019-11-11 14:52:09 -08:00
			`// clusterrolebindings`
user sharedInformer for rolebindings and clusterrolebindings 2019-11-11 15:43:13 -08:00			`clusterroleBindings, err := crbLister.List(labels.NewSelector())`
make getRoleRef a separate package 2019-11-11 14:52:09 -08:00			`if err != nil {`
			`return roles, clusterRoles, fmt.Errorf("failed to list clusterrolebindings: %v", err)`
			`}`

user sharedInformer for rolebindings and clusterrolebindings 2019-11-11 15:43:13 -08:00			`crs, err = getRoleRefByClusterRoleBindings(clusterroleBindings, request.UserInfo)`
make getRoleRef a separate package 2019-11-11 14:52:09 -08:00			`if err != nil {`
			`return roles, clusterRoles, err`
			`}`
			`clusterRoles = append(clusterRoles, crs...)`

			`return roles, clusterRoles, nil`
			`}`

user sharedInformer for rolebindings and clusterrolebindings 2019-11-11 15:43:13 -08:00			`func getRoleRefByRoleBindings(roleBindings []*rbacv1.RoleBinding, userInfo authenticationv1.UserInfo) (roles []string, clusterRoles []string, err error) {`
			`for _, rolebinding := range roleBindings {`
			`for _, subject := range rolebinding.Subjects {`
make getRoleRef a separate package 2019-11-11 14:52:09 -08:00			`if !matchSubjectsMap(subject, userInfo) {`
			`continue`
			`}`

user sharedInformer for rolebindings and clusterrolebindings 2019-11-11 15:43:13 -08:00			`switch rolebinding.RoleRef.Kind {`
correct role/clusterrole kind 2019-11-14 15:49:11 -08:00			`case rolekind:`
user sharedInformer for rolebindings and clusterrolebindings 2019-11-11 15:43:13 -08:00			`roles = append(roles, rolebinding.Namespace+":"+rolebinding.RoleRef.Name)`
correct role/clusterrole kind 2019-11-14 15:49:11 -08:00			`case clusterrolekind:`
user sharedInformer for rolebindings and clusterrolebindings 2019-11-11 15:43:13 -08:00			`clusterRoles = append(clusterRoles, rolebinding.RoleRef.Name)`
make getRoleRef a separate package 2019-11-11 14:52:09 -08:00			`}`
			`}`
			`}`

			`return roles, clusterRoles, nil`
			`}`

			`// RoleRef in ClusterRoleBindings can only reference a ClusterRole in the global namespace`
user sharedInformer for rolebindings and clusterrolebindings 2019-11-11 15:43:13 -08:00			`func getRoleRefByClusterRoleBindings(clusterroleBindings []*rbacv1.ClusterRoleBinding, userInfo authenticationv1.UserInfo) (clusterRoles []string, err error) {`
			`for _, clusterRoleBinding := range clusterroleBindings {`
			`for _, subject := range clusterRoleBinding.Subjects {`
make getRoleRef a separate package 2019-11-11 14:52:09 -08:00			`if !matchSubjectsMap(subject, userInfo) {`
			`continue`
			`}`

correct role/clusterrole kind 2019-11-14 15:49:11 -08:00			`if clusterRoleBinding.RoleRef.Kind == clusterrolekind {`
user sharedInformer for rolebindings and clusterrolebindings 2019-11-11 15:43:13 -08:00			`clusterRoles = append(clusterRoles, clusterRoleBinding.RoleRef.Name)`
make getRoleRef a separate package 2019-11-11 14:52:09 -08:00			`}`
			`}`
			`}`
			`return clusterRoles, nil`
			`}`

			`// matchSubjectsMap checks if userInfo found in subject`
			`// return true directly if found a match`
correct role/clusterrole kind 2019-11-14 15:49:11 -08:00			`// subject.kind can only be ServiceAccount, User and Group`
user sharedInformer for rolebindings and clusterrolebindings 2019-11-11 15:43:13 -08:00			`func matchSubjectsMap(subject rbacv1.Subject, userInfo authenticationv1.UserInfo) bool {`
make getRoleRef a separate package 2019-11-11 14:52:09 -08:00			`// ServiceAccount`
644 circle ci changes 2020-02-09 19:28:51 +05:30			`if strings.Contains(userInfo.Username, SaPrefix) {`
make getRoleRef a separate package 2019-11-11 14:52:09 -08:00			`return matchServiceAccount(subject, userInfo)`
644 circle ci changes 2020-02-09 19:56:38 +05:30			`} else {`
			`// User or Group`
			`return matchUserOrGroup(subject, userInfo)`
make getRoleRef a separate package 2019-11-11 14:52:09 -08:00			`}`
			`}`

			`// matchServiceAccount checks if userInfo sa matche the subject sa`
			`// serviceaccount represents as saPrefix:namespace:name in userInfo`
user sharedInformer for rolebindings and clusterrolebindings 2019-11-11 15:43:13 -08:00			`func matchServiceAccount(subject rbacv1.Subject, userInfo authenticationv1.UserInfo) bool {`
			`subjectServiceAccount := subject.Namespace + ":" + subject.Name`
644 fixing compilation issue 2020-02-09 19:15:39 +05:30			`if userInfo.Username[len(SaPrefix):] != subjectServiceAccount {`
refactor logging 2020-03-17 16:25:34 -07:00			`log.Log.V(3).Info(fmt.Sprintf("service account not match, expect %s, got %s", subjectServiceAccount, userInfo.Username[len(SaPrefix):]))`
make getRoleRef a separate package 2019-11-11 14:52:09 -08:00			`return false`
			`}`

			`return true`
			`}`

			`// matchUserOrGroup checks if userInfo contains user or group info in a subject`
user sharedInformer for rolebindings and clusterrolebindings 2019-11-11 15:43:13 -08:00			`func matchUserOrGroup(subject rbacv1.Subject, userInfo authenticationv1.UserInfo) bool {`
make getRoleRef a separate package 2019-11-11 14:52:09 -08:00			`keys := append(userInfo.Groups, userInfo.Username)`
			`for _, key := range keys {`
user sharedInformer for rolebindings and clusterrolebindings 2019-11-11 15:43:13 -08:00			`if subject.Name == key {`
make getRoleRef a separate package 2019-11-11 14:52:09 -08:00			`return true`
			`}`
			`}`

refactor logging 2020-03-17 16:25:34 -07:00			`log.Log.V(3).Info(fmt.Sprintf("user/group '%v' info not found in request userInfo: %v", subject.Name, keys))`
make getRoleRef a separate package 2019-11-11 14:52:09 -08:00			`return false`
			`}`