kyverno/pkg/userinfo/roleRef.go

package userinfo

import (
	"fmt"

	authenticationv1 "k8s.io/api/authentication/v1"
	rbacv1 "k8s.io/api/rbac/v1"
	labels "k8s.io/apimachinery/pkg/labels"
	"k8s.io/apimachinery/pkg/util/sets"
)

const (
	clusterroleKind = "ClusterRole"
	roleKind        = "Role"
)

type RoleBindingLister interface {
	List(labels.Selector) ([]*rbacv1.RoleBinding, error)
}

type ClusterRoleBindingLister interface {
	List(labels.Selector) ([]*rbacv1.ClusterRoleBinding, error)
}

// GetRoleRef gets the list of roles and cluster roles for the incoming api-request
func GetRoleRef(rbLister RoleBindingLister, crbLister ClusterRoleBindingLister, userInfo authenticationv1.UserInfo) ([]string, []string, error) {
	// rolebindings
	roleBindings, err := rbLister.List(labels.Everything())
	if err != nil {
		return nil, nil, fmt.Errorf("failed to list rolebindings: %v", err)
	}
	rs, crs := getRoleRefByRoleBindings(roleBindings, userInfo)
	// clusterrolebindings
	clusterroleBindings, err := crbLister.List(labels.Everything())
	if err != nil {
		return nil, nil, fmt.Errorf("failed to list clusterrolebindings: %v", err)
	}
	crs = append(crs, getRoleRefByClusterRoleBindings(clusterroleBindings, userInfo)...)
	if rs != nil {
		rs = sets.List(sets.New(rs...))
	}
	if crs != nil {
		crs = sets.List(sets.New(crs...))
	}
	return rs, crs, nil
}

func getRoleRefByRoleBindings(roleBindings []*rbacv1.RoleBinding, userInfo authenticationv1.UserInfo) ([]string, []string) {
	var roles, clusterRoles []string
	for _, rolebinding := range roleBindings {
		if matchBindingSubjects(rolebinding.Subjects, userInfo, rolebinding.Namespace) {
			switch rolebinding.RoleRef.Kind {
			case roleKind:
				roles = append(roles, rolebinding.Namespace+":"+rolebinding.RoleRef.Name)
			case clusterroleKind:
				clusterRoles = append(clusterRoles, rolebinding.RoleRef.Name)
			}
		}
	}
	return roles, clusterRoles
}

func getRoleRefByClusterRoleBindings(clusterroleBindings []*rbacv1.ClusterRoleBinding, userInfo authenticationv1.UserInfo) []string {
	var clusterRoles []string
	for _, clusterRoleBinding := range clusterroleBindings {
		if matchBindingSubjects(clusterRoleBinding.Subjects, userInfo, "") {
			if clusterRoleBinding.RoleRef.Kind == clusterroleKind {
				clusterRoles = append(clusterRoles, clusterRoleBinding.RoleRef.Name)
			}
		}
	}
	return clusterRoles
}

func matchBindingSubjects(subjects []rbacv1.Subject, userInfo authenticationv1.UserInfo, namespace string) bool {
	for _, subject := range subjects {
		switch subject.Kind {
		case rbacv1.ServiceAccountKind:
			ns := subject.Namespace
			if ns == "" {
				ns = namespace
			}
			if ns != "" {
				username := "system:serviceaccount:" + ns + ":" + subject.Name
				if userInfo.Username == username {
					return true
				}
			}
		case rbacv1.GroupKind:
			for _, group := range userInfo.Groups {
				if group == subject.Name {
					return true
				}
			}
		case rbacv1.UserKind:
			if userInfo.Username == subject.Name {
				return true
			}
		}
	}
	return false
}
make getRoleRef a separate package 2019-11-11 22:52:09 +00:00			`package userinfo`

			`import (`
			`"fmt"`
bug fixes 2020-07-10 22:23:07 +00:00
make getRoleRef a separate package 2019-11-11 22:52:09 +00:00			`authenticationv1 "k8s.io/api/authentication/v1"`
user sharedInformer for rolebindings and clusterrolebindings 2019-11-11 23:43:13 +00:00			`rbacv1 "k8s.io/api/rbac/v1"`
			`labels "k8s.io/apimachinery/pkg/labels"`
refactor: reduce userinfos deps and add unit tests (#6524) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2023-03-10 09:09:19 +00:00			`"k8s.io/apimachinery/pkg/util/sets"`
make getRoleRef a separate package 2019-11-11 22:52:09 +00:00			`)`

correct role/clusterrole kind 2019-11-14 23:49:11 +00:00			`const (`
chore: remove dead code (#3561) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> 2022-04-11 08:47:18 +00:00			`clusterroleKind = "ClusterRole"`
			`roleKind = "Role"`
correct role/clusterrole kind 2019-11-14 23:49:11 +00:00			`)`

refactor: reduce userinfos deps and add unit tests (#6524) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2023-03-10 09:09:19 +00:00			`type RoleBindingLister interface {`
			`List(labels.Selector) ([]*rbacv1.RoleBinding, error)`
			`}`

			`type ClusterRoleBindingLister interface {`
			`List(labels.Selector) ([]*rbacv1.ClusterRoleBinding, error)`
			`}`

chore: enable gofmt and gofumpt linters (#3931) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2022-05-17 06:19:03 +00:00			`// GetRoleRef gets the list of roles and cluster roles for the incoming api-request`
refactor: reduce userinfos deps and add unit tests (#6524) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2023-03-10 09:09:19 +00:00			`func GetRoleRef(rbLister RoleBindingLister, crbLister ClusterRoleBindingLister, userInfo authenticationv1.UserInfo) ([]string, []string, error) {`
user sharedInformer for rolebindings and clusterrolebindings 2019-11-11 23:43:13 +00:00			`// rolebindings`
chore: remove dead code (#3561) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> 2022-04-11 08:47:18 +00:00			`roleBindings, err := rbLister.List(labels.Everything())`
make getRoleRef a separate package 2019-11-11 22:52:09 +00:00			`if err != nil {`
chore: remove dead code (#3561) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> 2022-04-11 08:47:18 +00:00			`return nil, nil, fmt.Errorf("failed to list rolebindings: %v", err)`
make getRoleRef a separate package 2019-11-11 22:52:09 +00:00			`}`
refactor: reduce userinfos deps and add unit tests (#6524) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2023-03-10 09:09:19 +00:00			`rs, crs := getRoleRefByRoleBindings(roleBindings, userInfo)`
make getRoleRef a separate package 2019-11-11 22:52:09 +00:00			`// clusterrolebindings`
fix: use labels.Everything in userinfo clusterroles matching (#6351) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2023-02-20 11:06:49 +00:00			`clusterroleBindings, err := crbLister.List(labels.Everything())`
make getRoleRef a separate package 2019-11-11 22:52:09 +00:00			`if err != nil {`
chore: remove dead code (#3561) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> 2022-04-11 08:47:18 +00:00			`return nil, nil, fmt.Errorf("failed to list clusterrolebindings: %v", err)`
make getRoleRef a separate package 2019-11-11 22:52:09 +00:00			`}`
refactor: reduce userinfos deps and add unit tests (#6524) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2023-03-10 09:09:19 +00:00			`crs = append(crs, getRoleRefByClusterRoleBindings(clusterroleBindings, userInfo)...)`
			`if rs != nil {`
			`rs = sets.List(sets.New(rs...))`
			`}`
			`if crs != nil {`
			`crs = sets.List(sets.New(crs...))`
			`}`
chore: remove dead code (#3561) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> 2022-04-11 08:47:18 +00:00			`return rs, crs, nil`
make getRoleRef a separate package 2019-11-11 22:52:09 +00:00			`}`

refactor: reduce userinfos deps and add unit tests (#6524) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2023-03-10 09:09:19 +00:00			`func getRoleRefByRoleBindings(roleBindings []*rbacv1.RoleBinding, userInfo authenticationv1.UserInfo) ([]string, []string) {`
			`var roles, clusterRoles []string`
user sharedInformer for rolebindings and clusterrolebindings 2019-11-11 23:43:13 +00:00			`for _, rolebinding := range roleBindings {`
fix: role matching from authentication infos (#6358) * fix: role matching from authentication infos Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * more tests Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2023-02-21 16:57:17 +00:00			`if matchBindingSubjects(rolebinding.Subjects, userInfo, rolebinding.Namespace) {`
			`switch rolebinding.RoleRef.Kind {`
			`case roleKind:`
			`roles = append(roles, rolebinding.Namespace+":"+rolebinding.RoleRef.Name)`
			`case clusterroleKind:`
			`clusterRoles = append(clusterRoles, rolebinding.RoleRef.Name)`
make getRoleRef a separate package 2019-11-11 22:52:09 +00:00			`}`
			`}`
			`}`
chore: remove dead code (#3561) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> 2022-04-11 08:47:18 +00:00			`return roles, clusterRoles`
make getRoleRef a separate package 2019-11-11 22:52:09 +00:00			`}`

refactor: reduce userinfos deps and add unit tests (#6524) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2023-03-10 09:09:19 +00:00			`func getRoleRefByClusterRoleBindings(clusterroleBindings []*rbacv1.ClusterRoleBinding, userInfo authenticationv1.UserInfo) []string {`
			`var clusterRoles []string`
user sharedInformer for rolebindings and clusterrolebindings 2019-11-11 23:43:13 +00:00			`for _, clusterRoleBinding := range clusterroleBindings {`
fix: role matching from authentication infos (#6358) * fix: role matching from authentication infos Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * more tests Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2023-02-21 16:57:17 +00:00			`if matchBindingSubjects(clusterRoleBinding.Subjects, userInfo, "") {`
			`if clusterRoleBinding.RoleRef.Kind == clusterroleKind {`
			`clusterRoles = append(clusterRoles, clusterRoleBinding.RoleRef.Name)`
make getRoleRef a separate package 2019-11-11 22:52:09 +00:00			`}`
			`}`
			`}`
chore: remove dead code (#3561) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> 2022-04-11 08:47:18 +00:00			`return clusterRoles`
make getRoleRef a separate package 2019-11-11 22:52:09 +00:00			`}`

fix: role matching from authentication infos (#6358) * fix: role matching from authentication infos Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * more tests Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2023-02-21 16:57:17 +00:00			`func matchBindingSubjects(subjects []rbacv1.Subject, userInfo authenticationv1.UserInfo, namespace string) bool {`
			`for _, subject := range subjects {`
			`switch subject.Kind {`
			`case rbacv1.ServiceAccountKind:`
			`ns := subject.Namespace`
			`if ns == "" {`
			`ns = namespace`
			`}`
			`if ns != "" {`
			`username := "system:serviceaccount:" + ns + ":" + subject.Name`
			`if userInfo.Username == username {`
			`return true`
			`}`
			`}`
			`case rbacv1.GroupKind:`
			`for _, group := range userInfo.Groups {`
			`if group == subject.Name {`
			`return true`
			`}`
			`}`
			`case rbacv1.UserKind:`
			`if userInfo.Username == subject.Name {`
			`return true`
			`}`
make getRoleRef a separate package 2019-11-11 22:52:09 +00:00			`}`
			`}`
			`return false`
			`}`