auth

package
v0.4.0-rc5
Warning

This package is not in the latest version of its module.

Published: Sep 8, 2023 License: Apache-2.0 Imports: 18 Imported by: 0

Documentation

Overview

Package auth holds common webhook code used during authentication.


Constants

const (
	// CreatorIDAnn is an annotation key for the id of the creator.
	CreatorIDAnn = "field.cattle.io/creatorId"
)

Variables

This section is empty.

Functions

func ConfirmNoEscalation added in v0.1.6

func ConfirmNoEscalation(request *admission.Request, rules []rbacv1.PolicyRule, namespace string, ruleResolver validation.AuthorizationRuleResolver) error

ConfirmNoEscalation checks that the user attempting to create a binding/role has all the permissions they are attempting to grant.
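
A simplified model of the check ConfirmNoEscalation describes, added here as an example and not the package's own code. The `Rule` type and the `Uncovered` function are hypothetical stand-ins for rbacv1.PolicyRule and the real rule resolver, and only API groups, resources and verbs are modelled.

```go
package main

import "fmt"

// Rule is a hypothetical, reduced stand-in for rbacv1.PolicyRule.
// Assumption: ResourceNames and NonResourceURLs are not modelled.
type Rule struct {
	APIGroups, Resources, Verbs []string
}

// matches reports whether held contains want or the "*" wildcard.
// A requested "*" is only matched by a held "*".
func matches(held []string, want string) bool {
	for _, h := range held {
		if h == "*" || h == want {
			return true
		}
	}
	return false
}

// Uncovered expands requested into (group, resource, verb) tuples and returns
// those that no single held rule grants. An empty result means the requester
// already holds everything they are trying to grant.
func Uncovered(held, requested []Rule) []string {
	var missing []string
	for _, r := range requested {
		for _, g := range r.APIGroups {
			for _, res := range r.Resources {
				for _, v := range r.Verbs {
					ok := false
					for _, h := range held {
						if matches(h.APIGroups, g) && matches(h.Resources, res) && matches(h.Verbs, v) {
							ok = true
							break
						}
					}
					if !ok {
						missing = append(missing, fmt.Sprintf("%s/%s:%s", g, res, v))
					}
				}
			}
		}
	}
	return missing
}

func main() {
	// Constructed sample: the requester can read pods but tries to grant secrets too.
	held := []Rule{{APIGroups: []string{""}, Resources: []string{"pods"}, Verbs: []string{"get", "list"}}}
	want := []Rule{{APIGroups: []string{""}, Resources: []string{"pods", "secrets"}, Verbs: []string{"get"}}}
	fmt.Println(Uncovered(held, want))
}
```

An admission webhook built on this model would deny the request whenever the returned slice is non-empty and report the missing tuples in the denial message.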

func EscalationAuthorized added in v0.1.6

func EscalationAuthorized(request *admission.Request, gvr schema.GroupVersionResource, sar authorizationv1.SubjectAccessReviewInterface, namespace string) (bool, error)

EscalationAuthorized checks if the user associated with the context is explicitly authorized to escalate the given GVR.

func SetEscalationResponse added in v0.1.6

func SetEscalationResponse(response *admissionv1.AdmissionResponse, err error)

SetEscalationResponse will update the given webhook response based on the provided error from an escalation request. Deprecated: use admission.ResponseFailedEscalation() instead.

func ToExtraString

func ToExtraString(extra map[string]authenticationv1.ExtraValue) map[string][]string

ToExtraString will convert a map[string]authenticationv1.ExtraValue to a map[string][]string.

Types

type GlobalRoleResolver added in v0.4.0

type GlobalRoleResolver struct {
	// contains filtered or unexported fields
}

GlobalRoleResolver provides utilities to determine which rules a GlobalRole gives in various contexts.

func NewGlobalRoleResolver added in v0.4.0

func NewGlobalRoleResolver(roleTemplateResolver *RoleTemplateResolver, grCache controllerv3.GlobalRoleCache) *GlobalRoleResolver

NewGlobalRoleResolver creates a newly allocated GlobalRoleResolver from the provided RoleTemplateResolver and GlobalRole cache.

func (*GlobalRoleResolver) ClusterRulesFromRole added in v0.4.0

func (g *GlobalRoleResolver) ClusterRulesFromRole(gr *v3.GlobalRole) ([]rbacv1.PolicyRule, error)

ClusterRulesFromRole finds all rules which this gr gives on downstream clusters.

func (*GlobalRoleResolver) GetRoleTemplatesForGlobalRole added in v0.4.0

func (g *GlobalRoleResolver) GetRoleTemplatesForGlobalRole(gr *v3.GlobalRole) ([]*v3.RoleTemplate, error)

GetRoleTemplatesForGlobalRole allows the caller to retrieve the roleTemplates in use by a given global role. It does not recursively evaluate roleTemplates; it only returns the top-level resources.

func (*GlobalRoleResolver) GlobalRoleCache added in v0.4.0

func (g *GlobalRoleResolver) GlobalRoleCache() controllerv3.GlobalRoleCache

GlobalRoleCache allows the caller to retrieve the globalRoleCache used by the resolver.

func (*GlobalRoleResolver) GlobalRulesFromRole added in v0.4.0

func (g *GlobalRoleResolver) GlobalRulesFromRole(gr *v3.GlobalRole) []rbacv1.PolicyRule

GlobalRulesFromRole finds all rules which apply globally, meaning valid for escalation checks at the cluster scope in the local cluster.

type RBACRestGetter

type RBACRestGetter struct {
	Roles               wranglerv1.RoleCache
	RoleBindings        wranglerv1.RoleBindingCache
	ClusterRoles        wranglerv1.ClusterRoleCache
	ClusterRoleBindings wranglerv1.ClusterRoleBindingCache
}

RBACRestGetter is used to encapsulate Getters for core RBAC resource types.

func (RBACRestGetter) GetClusterRole

func (r RBACRestGetter) GetClusterRole(name string) (*rbacv1.ClusterRole, error)

GetClusterRole gets the clusterRole with the given name.

func (RBACRestGetter) GetRole

func (r RBACRestGetter) GetRole(namespace, name string) (*rbacv1.Role, error)

GetRole gets the role within the given namespace that matches the provided name.

func (RBACRestGetter) ListClusterRoleBindings

func (r RBACRestGetter) ListClusterRoleBindings() ([]*rbacv1.ClusterRoleBinding, error)

ListClusterRoleBindings lists all clusterRoleBindings.

func (RBACRestGetter) ListRoleBindings

func (r RBACRestGetter) ListRoleBindings(namespace string) ([]*rbacv1.RoleBinding, error)

ListRoleBindings lists all roleBindings in the given namespace.

type RoleTemplateResolver added in v0.1.6

type RoleTemplateResolver struct {
	// contains filtered or unexported fields
}

RoleTemplateResolver provides an interface to flatten role templates into a slice of rules.

func NewRoleTemplateResolver added in v0.1.6

func NewRoleTemplateResolver(roleTemplates v3.RoleTemplateCache, clusterRoles v1.ClusterRoleCache) *RoleTemplateResolver

NewRoleTemplateResolver creates a newly allocated RoleTemplateResolver from the provided caches.

func (*RoleTemplateResolver) RoleTemplateCache added in v0.1.6

func (r *RoleTemplateResolver) RoleTemplateCache() v3.RoleTemplateCache

RoleTemplateCache allows the caller to retrieve the roleTemplateCache used by the resolver.

func (*RoleTemplateResolver) RulesFromTemplate added in v0.1.6

func (r *RoleTemplateResolver) RulesFromTemplate(roleTemplate *rancherv3.RoleTemplate) ([]rbacv1.PolicyRule, error)

RulesFromTemplate gets all rules from the template and all referenced templates.

func (*RoleTemplateResolver) RulesFromTemplateName added in v0.1.6

func (r *RoleTemplateResolver) RulesFromTemplateName(name string) ([]rbacv1.PolicyRule, error)

RulesFromTemplateName gets the rules for a roleTemplate with a given name. Simple wrapper around RulesFromTemplate.
