kyverno/pkg/policy/mutate/auth.go

package mutate

import (
	"context"

	"github.com/kyverno/kyverno/pkg/auth"
	"github.com/kyverno/kyverno/pkg/clients/dclient"
)

type authChecker struct {
	client dclient.Interface
	user   string
}

type AuthChecker interface {
	CanIUpdate(ctx context.Context, gvks, namespace, subresource string) (bool, error)
	CanIGet(ctx context.Context, gvks, namespace, subresource string) (bool, error)
}

func newAuthChecker(client dclient.Interface, user string) AuthChecker {
	return &authChecker{client: client, user: user}
}

func (a *authChecker) CanIUpdate(ctx context.Context, gvk, namespace, subresource string) (bool, error) {
	checker := auth.NewCanI(a.client.Discovery(), a.client.GetKubeClient().AuthorizationV1().SubjectAccessReviews(), gvk, namespace, "update", subresource, a.user)
	return checker.RunAccessCheck(ctx)
}

func (a *authChecker) CanIGet(ctx context.Context, gvk, namespace, subresource string) (bool, error) {
	checker := auth.NewCanI(a.client.Discovery(), a.client.GetKubeClient().AuthorizationV1().SubjectAccessReviews(), gvk, namespace, "get", subresource, a.user)
	return checker.RunAccessCheck(ctx)
}
fix: block generate policies when lack of permission to operate downstream resources (#6610) * debug Signed-off-by: ShutingZhao <shuting@nirmata.com> * return on errors only Signed-off-by: ShutingZhao <shuting@nirmata.com> * update clusterrolebinding Signed-off-by: ShutingZhao <shuting@nirmata.com> * update clusterrolebinding Signed-off-by: ShutingZhao <shuting@nirmata.com> * remove debug Signed-off-by: ShutingZhao <shuting@nirmata.com> * add kuttl tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix ns Signed-off-by: ShutingZhao <shuting@nirmata.com> --------- Signed-off-by: ShutingZhao <shuting@nirmata.com> 2023-03-22 21:14:57 +08:00			`package mutate`

			`import (`
			`"context"`

			`"github.com/kyverno/kyverno/pkg/auth"`
			`"github.com/kyverno/kyverno/pkg/clients/dclient"`
			`)`

			`type authChecker struct {`
			`client dclient.Interface`
feat: new access checks for background policies (#6970) * switch to use sar for access checks Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix unit tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * update helm config Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix username Signed-off-by: ShutingZhao <shuting@nirmata.com> * update msg Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix sa name Signed-off-by: ShutingZhao <shuting@nirmata.com> * update install.yaml Signed-off-by: ShutingZhao <shuting@nirmata.com> --------- Signed-off-by: ShutingZhao <shuting@nirmata.com> 2023-04-24 18:31:42 +08:00			`user string`
fix: block generate policies when lack of permission to operate downstream resources (#6610) * debug Signed-off-by: ShutingZhao <shuting@nirmata.com> * return on errors only Signed-off-by: ShutingZhao <shuting@nirmata.com> * update clusterrolebinding Signed-off-by: ShutingZhao <shuting@nirmata.com> * update clusterrolebinding Signed-off-by: ShutingZhao <shuting@nirmata.com> * remove debug Signed-off-by: ShutingZhao <shuting@nirmata.com> * add kuttl tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix ns Signed-off-by: ShutingZhao <shuting@nirmata.com> --------- Signed-off-by: ShutingZhao <shuting@nirmata.com> 2023-03-22 21:14:57 +08:00			`}`

			`type AuthChecker interface {`
fix: auth checks with the APIVersion and the subresource (#7628) * fix auth checks with apiVersion and subresource Signed-off-by: ShutingZhao <shuting@nirmata.com> * add kuttl tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * remove duplicate code Signed-off-by: ShutingZhao <shuting@nirmata.com> * update permissions Signed-off-by: ShutingZhao <shuting@nirmata.com> --------- Signed-off-by: ShutingZhao <shuting@nirmata.com> 2023-06-22 22:14:06 +08:00			`CanIUpdate(ctx context.Context, gvks, namespace, subresource string) (bool, error)`
			`CanIGet(ctx context.Context, gvks, namespace, subresource string) (bool, error)`
fix: block generate policies when lack of permission to operate downstream resources (#6610) * debug Signed-off-by: ShutingZhao <shuting@nirmata.com> * return on errors only Signed-off-by: ShutingZhao <shuting@nirmata.com> * update clusterrolebinding Signed-off-by: ShutingZhao <shuting@nirmata.com> * update clusterrolebinding Signed-off-by: ShutingZhao <shuting@nirmata.com> * remove debug Signed-off-by: ShutingZhao <shuting@nirmata.com> * add kuttl tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix ns Signed-off-by: ShutingZhao <shuting@nirmata.com> --------- Signed-off-by: ShutingZhao <shuting@nirmata.com> 2023-03-22 21:14:57 +08:00			`}`

feat: new access checks for background policies (#6970) * switch to use sar for access checks Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix unit tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * update helm config Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix username Signed-off-by: ShutingZhao <shuting@nirmata.com> * update msg Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix sa name Signed-off-by: ShutingZhao <shuting@nirmata.com> * update install.yaml Signed-off-by: ShutingZhao <shuting@nirmata.com> --------- Signed-off-by: ShutingZhao <shuting@nirmata.com> 2023-04-24 18:31:42 +08:00			`func newAuthChecker(client dclient.Interface, user string) AuthChecker {`
			`return &authChecker{client: client, user: user}`
fix: block generate policies when lack of permission to operate downstream resources (#6610) * debug Signed-off-by: ShutingZhao <shuting@nirmata.com> * return on errors only Signed-off-by: ShutingZhao <shuting@nirmata.com> * update clusterrolebinding Signed-off-by: ShutingZhao <shuting@nirmata.com> * update clusterrolebinding Signed-off-by: ShutingZhao <shuting@nirmata.com> * remove debug Signed-off-by: ShutingZhao <shuting@nirmata.com> * add kuttl tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix ns Signed-off-by: ShutingZhao <shuting@nirmata.com> --------- Signed-off-by: ShutingZhao <shuting@nirmata.com> 2023-03-22 21:14:57 +08:00			`}`

fix: auth checks with the APIVersion and the subresource (#7628) * fix auth checks with apiVersion and subresource Signed-off-by: ShutingZhao <shuting@nirmata.com> * add kuttl tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * remove duplicate code Signed-off-by: ShutingZhao <shuting@nirmata.com> * update permissions Signed-off-by: ShutingZhao <shuting@nirmata.com> --------- Signed-off-by: ShutingZhao <shuting@nirmata.com> 2023-06-22 22:14:06 +08:00			`func (a *authChecker) CanIUpdate(ctx context.Context, gvk, namespace, subresource string) (bool, error) {`
			`checker := auth.NewCanI(a.client.Discovery(), a.client.GetKubeClient().AuthorizationV1().SubjectAccessReviews(), gvk, namespace, "update", subresource, a.user)`
fix: block generate policies when lack of permission to operate downstream resources (#6610) * debug Signed-off-by: ShutingZhao <shuting@nirmata.com> * return on errors only Signed-off-by: ShutingZhao <shuting@nirmata.com> * update clusterrolebinding Signed-off-by: ShutingZhao <shuting@nirmata.com> * update clusterrolebinding Signed-off-by: ShutingZhao <shuting@nirmata.com> * remove debug Signed-off-by: ShutingZhao <shuting@nirmata.com> * add kuttl tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix ns Signed-off-by: ShutingZhao <shuting@nirmata.com> --------- Signed-off-by: ShutingZhao <shuting@nirmata.com> 2023-03-22 21:14:57 +08:00			`return checker.RunAccessCheck(ctx)`
			`}`

fix: auth checks with the APIVersion and the subresource (#7628) * fix auth checks with apiVersion and subresource Signed-off-by: ShutingZhao <shuting@nirmata.com> * add kuttl tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * remove duplicate code Signed-off-by: ShutingZhao <shuting@nirmata.com> * update permissions Signed-off-by: ShutingZhao <shuting@nirmata.com> --------- Signed-off-by: ShutingZhao <shuting@nirmata.com> 2023-06-22 22:14:06 +08:00			`func (a *authChecker) CanIGet(ctx context.Context, gvk, namespace, subresource string) (bool, error) {`
			`checker := auth.NewCanI(a.client.Discovery(), a.client.GetKubeClient().AuthorizationV1().SubjectAccessReviews(), gvk, namespace, "get", subresource, a.user)`
fix: block generate policies when lack of permission to operate downstream resources (#6610) * debug Signed-off-by: ShutingZhao <shuting@nirmata.com> * return on errors only Signed-off-by: ShutingZhao <shuting@nirmata.com> * update clusterrolebinding Signed-off-by: ShutingZhao <shuting@nirmata.com> * update clusterrolebinding Signed-off-by: ShutingZhao <shuting@nirmata.com> * remove debug Signed-off-by: ShutingZhao <shuting@nirmata.com> * add kuttl tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix ns Signed-off-by: ShutingZhao <shuting@nirmata.com> --------- Signed-off-by: ShutingZhao <shuting@nirmata.com> 2023-03-22 21:14:57 +08:00			`return checker.RunAccessCheck(ctx)`
			`}`