Add auth API to get self subject attributes

Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2022-07-22 04:01:52 +04:00
parent 178f246bbc
commit 00dfba473b
68 changed files with 3417 additions and 6 deletions
--- a/pkg/registry/authentication/rest/storage_authentication.go
+++ b/pkg/registry/authentication/rest/storage_authentication.go
@@ -18,13 +18,18 @@ package rest

 import (
 	authenticationv1 "k8s.io/api/authentication/v1"
+	authenticationv1alpha1 "k8s.io/api/authentication/v1alpha1"
 	"k8s.io/apiserver/pkg/authentication/authenticator"
 	"k8s.io/apiserver/pkg/registry/generic"
 	"k8s.io/apiserver/pkg/registry/rest"
 	genericapiserver "k8s.io/apiserver/pkg/server"
 	serverstorage "k8s.io/apiserver/pkg/server/storage"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
+	"k8s.io/klog/v2"
 	"k8s.io/kubernetes/pkg/api/legacyscheme"
 	"k8s.io/kubernetes/pkg/apis/authentication"
+	"k8s.io/kubernetes/pkg/features"
+	"k8s.io/kubernetes/pkg/registry/authentication/selfsubjectreview"
 	"k8s.io/kubernetes/pkg/registry/authentication/tokenreview"
 )

@@ -43,6 +48,10 @@ func (p RESTStorageProvider) NewRESTStorage(apiResourceConfigSource serverstorag
 	// If you add a version here, be sure to add an entry in `k8s.io/kubernetes/cmd/kube-apiserver/app/aggregator.go with specific priorities.
 	// TODO refactor the plumbing to provide the information in the APIGroupInfo

+	if storageMap := p.v1alpha1Storage(apiResourceConfigSource, restOptionsGetter); len(storageMap) > 0 {
+		apiGroupInfo.VersionedResourcesStorageMap[authenticationv1alpha1.SchemeGroupVersion.Version] = storageMap
+	}
+
 	if storageMap := p.v1Storage(apiResourceConfigSource, restOptionsGetter); len(storageMap) > 0 {
 		apiGroupInfo.VersionedResourcesStorageMap[authenticationv1.SchemeGroupVersion.Version] = storageMap
 	}
@@ -62,6 +71,21 @@ func (p RESTStorageProvider) v1Storage(apiResourceConfigSource serverstorage.API
 	return storage
 }

+func (p RESTStorageProvider) v1alpha1Storage(apiResourceConfigSource serverstorage.APIResourceConfigSource, restOptionsGetter generic.RESTOptionsGetter) map[string]rest.Storage {
+	storage := map[string]rest.Storage{}
+
+	// selfsubjectreviews
+	if resource := "selfsubjectreviews"; apiResourceConfigSource.ResourceEnabled(authenticationv1alpha1.SchemeGroupVersion.WithResource(resource)) {
+		if utilfeature.DefaultFeatureGate.Enabled(features.APISelfSubjectReview) {
+			selfSRStorage := selfsubjectreview.NewREST()
+			storage[resource] = selfSRStorage
+		} else {
+			klog.Warningln("SelfSubjectReview API is disabled because corresponding feature gate APISelfSubjectReview is not enabled.")
+		}
+	}
+	return storage
+}
+
 func (p RESTStorageProvider) GroupName() string {
 	return authentication.GroupName
 }
--- a/pkg/registry/authentication/selfsubjectreview/rest.go
+++ b/pkg/registry/authentication/selfsubjectreview/rest.go
@@ -0,0 +1,95 @@
+/*
+Copyright 2022 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package selfsubjectreview
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
+	"k8s.io/apiserver/pkg/registry/rest"
+	authenticationapi "k8s.io/kubernetes/pkg/apis/authentication"
+)
+
+// REST implements a RESTStorage for selfsubjectreviews.
+type REST struct {
+}
+
+// NewREST returns a RESTStorage object that will work against selfsubjectrulesreviews.
+func NewREST() *REST {
+	return &REST{}
+}
+
+// NamespaceScoped fulfill rest.Scoper
+func (r *REST) NamespaceScoped() bool {
+	return false
+}
+
+// New creates a new selfsubjectrulesreview object.
+func (r *REST) New() runtime.Object {
+	return &authenticationapi.SelfSubjectReview{}
+}
+
+// Destroy cleans up resources on shutdown.
+func (r *REST) Destroy() {
+	// Given no underlying store, we don't destroy anything
+	// here explicitly.
+}
+
+// Create returns attributes of the subject making the request.
+func (r *REST) Create(ctx context.Context, obj runtime.Object, createValidation rest.ValidateObjectFunc, options *metav1.CreateOptions) (runtime.Object, error) {
+	if createValidation != nil {
+		if err := createValidation(ctx, obj.DeepCopyObject()); err != nil {
+			return nil, err
+		}
+	}
+
+	_, ok := obj.(*authenticationapi.SelfSubjectReview)
+	if !ok {
+		return nil, apierrors.NewBadRequest(fmt.Sprintf("not a SelfSubjectReview: %#v", obj))
+	}
+
+	user, ok := genericapirequest.UserFrom(ctx)
+	if !ok {
+		return nil, apierrors.NewBadRequest("no user present on request")
+	}
+
+	extra := user.GetExtra()
+
+	selfSAR := &authenticationapi.SelfSubjectReview{
+		ObjectMeta: metav1.ObjectMeta{
+			CreationTimestamp: metav1.NewTime(time.Now()),
+		},
+		Status: authenticationapi.SelfSubjectReviewStatus{
+			UserInfo: authenticationapi.UserInfo{
+				Username: user.GetName(),
+				UID:      user.GetUID(),
+				Groups:   user.GetGroups(),
+				Extra:    make(map[string]authenticationapi.ExtraValue, len(extra)),
+			},
+		},
+	}
+	for key, attr := range extra {
+		selfSAR.Status.UserInfo.Extra[key] = attr
+	}
+
+	return selfSAR, nil
+}