add user options to can-i

Author: deads2k

contrib/completions/bash/oc

@@ -10712,6 +10712,8 @@ _oc_policy_can-i()
 
     flags+=("--all-namespaces")
     local_nonpersistent_flags+=("--all-namespaces")
+    flags+=("--groups=")
+    local_nonpersistent_flags+=("--groups=")
     flags+=("--ignore-scopes")
     local_nonpersistent_flags+=("--ignore-scopes")
     flags+=("--list")
@@ -10721,6 +10723,8 @@ _oc_policy_can-i()
     local_nonpersistent_flags+=("--quiet")
     flags+=("--scopes=")
     local_nonpersistent_flags+=("--scopes=")
+    flags+=("--user=")
+    local_nonpersistent_flags+=("--user=")
     flags+=("--as=")
     flags+=("--certificate-authority=")
     flags_with_completion+=("--certificate-authority")
@@ -10745,7 +10749,6 @@ _oc_policy_can-i()
     two_word_flags+=("-n")
     flags+=("--server=")
     flags+=("--token=")
-    flags+=("--user=")
 
     must_have_one_flag=()
     must_have_one_noun=()

contrib/completions/bash/openshift

@@ -15258,6 +15258,8 @@ _openshift_cli_policy_can-i()
 
     flags+=("--all-namespaces")
     local_nonpersistent_flags+=("--all-namespaces")
+    flags+=("--groups=")
+    local_nonpersistent_flags+=("--groups=")
     flags+=("--ignore-scopes")
     local_nonpersistent_flags+=("--ignore-scopes")
     flags+=("--list")
@@ -15267,6 +15269,8 @@ _openshift_cli_policy_can-i()
     local_nonpersistent_flags+=("--quiet")
     flags+=("--scopes=")
     local_nonpersistent_flags+=("--scopes=")
+    flags+=("--user=")
+    local_nonpersistent_flags+=("--user=")
     flags+=("--as=")
     flags+=("--certificate-authority=")
     flags_with_completion+=("--certificate-authority")
@@ -15292,7 +15296,6 @@ _openshift_cli_policy_can-i()
     two_word_flags+=("-n")
     flags+=("--server=")
     flags+=("--token=")
-    flags+=("--user=")
 
     must_have_one_flag=()
     must_have_one_noun=()

contrib/completions/zsh/oc

@@ -10873,6 +10873,8 @@ _oc_policy_can-i()
 
     flags+=("--all-namespaces")
     local_nonpersistent_flags+=("--all-namespaces")
+    flags+=("--groups=")
+    local_nonpersistent_flags+=("--groups=")
     flags+=("--ignore-scopes")
     local_nonpersistent_flags+=("--ignore-scopes")
     flags+=("--list")
@@ -10882,6 +10884,8 @@ _oc_policy_can-i()
     local_nonpersistent_flags+=("--quiet")
     flags+=("--scopes=")
     local_nonpersistent_flags+=("--scopes=")
+    flags+=("--user=")
+    local_nonpersistent_flags+=("--user=")
     flags+=("--as=")
     flags+=("--certificate-authority=")
     flags_with_completion+=("--certificate-authority")
@@ -10906,7 +10910,6 @@ _oc_policy_can-i()
     two_word_flags+=("-n")
     flags+=("--server=")
     flags+=("--token=")
-    flags+=("--user=")
 
     must_have_one_flag=()
     must_have_one_noun=()

contrib/completions/zsh/openshift

@@ -15419,6 +15419,8 @@ _openshift_cli_policy_can-i()
 
     flags+=("--all-namespaces")
     local_nonpersistent_flags+=("--all-namespaces")
+    flags+=("--groups=")
+    local_nonpersistent_flags+=("--groups=")
     flags+=("--ignore-scopes")
     local_nonpersistent_flags+=("--ignore-scopes")
     flags+=("--list")
@@ -15428,6 +15430,8 @@ _openshift_cli_policy_can-i()
     local_nonpersistent_flags+=("--quiet")
     flags+=("--scopes=")
     local_nonpersistent_flags+=("--scopes=")
+    flags+=("--user=")
+    local_nonpersistent_flags+=("--user=")
     flags+=("--as=")
     flags+=("--certificate-authority=")
     flags_with_completion+=("--certificate-authority")
@@ -15453,7 +15457,6 @@ _openshift_cli_policy_can-i()
     two_word_flags+=("-n")
     flags+=("--server=")
     flags+=("--token=")
-    flags+=("--user=")
 
     must_have_one_flag=()
     must_have_one_noun=()

docs/man/man1/oc-policy-can-i.1

@@ -21,6 +21,10 @@ Check whether an action is allowed
 \fB\-\-all\-namespaces\fP=false
     Check the specified action in all namespaces.
 
+.PP
+\fB\-\-groups\fP=[]
+    Check the specified action using these groups instead of your groups.
+
 .PP
 \fB\-\-ignore\-scopes\fP=false
     Disregard any scopes present on this request and evaluate considering full permissions.
@@ -37,6 +41,10 @@ Check whether an action is allowed
 \fB\-\-scopes\fP=[]
     Check the specified action using these scopes.  By default, the scopes on the current token will be used.
 
+.PP
+\fB\-\-user\fP=""
+    Check the specified action using this user instead of your user.
+
 
 .SH OPTIONS INHERITED FROM PARENT COMMANDS
 .PP
@@ -99,10 +107,6 @@ Check whether an action is allowed
 \fB\-\-token\fP=""
     Bearer token for authentication to the API server
 
-.PP
-\fB\-\-user\fP=""
-    The name of the kubeconfig user to use
-
 
 .SH SEE ALSO
 .PP

docs/man/man1/openshift-cli-policy-can-i.1

@@ -21,6 +21,10 @@ Check whether an action is allowed
 \fB\-\-all\-namespaces\fP=false
     Check the specified action in all namespaces.
 
+.PP
+\fB\-\-groups\fP=[]
+    Check the specified action using these groups instead of your groups.
+
 .PP
 \fB\-\-ignore\-scopes\fP=false
     Disregard any scopes present on this request and evaluate considering full permissions.
@@ -37,6 +41,10 @@ Check whether an action is allowed
 \fB\-\-scopes\fP=[]
     Check the specified action using these scopes.  By default, the scopes on the current token will be used.
 
+.PP
+\fB\-\-user\fP=""
+    Check the specified action using this user instead of your user.
+
 
 .SH OPTIONS INHERITED FROM PARENT COMMANDS
 .PP
@@ -99,10 +107,6 @@ Check whether an action is allowed
 \fB\-\-token\fP=""
     Bearer token for authentication to the API server
 
-.PP
-\fB\-\-user\fP=""
-    The name of the kubeconfig user to use
-
 
 .SH SEE ALSO
 .PP

pkg/cmd/admin/policy/cani.go

@@ -14,6 +14,7 @@ import (
 	kapi "k8s.io/kubernetes/pkg/api"
 	"k8s.io/kubernetes/pkg/api/unversioned"
 	kcmdutil "k8s.io/kubernetes/pkg/kubectl/cmd/util"
+	"k8s.io/kubernetes/pkg/util/sets"
 
 	authorizationapi "github.com/openshift/origin/pkg/authorization/api"
 	"github.com/openshift/origin/pkg/client"
@@ -24,14 +25,17 @@ import (
 const CanIRecommendedName = "can-i"
 
 type canIOptions struct {
-	AllNamespaces     bool
-	ListAll           bool
-	Quiet             bool
-	IgnoreScopes      bool
-	Scopes            []string
-	Namespace         string
-	RulesReviewClient client.SelfSubjectRulesReviewsNamespacer
-	SARClient         client.SubjectAccessReviews
+	AllNamespaces         bool
+	ListAll               bool
+	Quiet                 bool
+	IgnoreScopes          bool
+	User                  string
+	Groups                []string
+	Scopes                []string
+	Namespace             string
+	SelfRulesReviewClient client.SelfSubjectRulesReviewsNamespacer
+	RulesReviewClient     client.SubjectRulesReviewsNamespacer
+	SARClient             client.SubjectAccessReviews
 
 	Verb         string
 	Resource     unversioned.GroupVersionResource
@@ -72,6 +76,8 @@ func NewCmdCanI(name, fullName string, f *clientcmd.Factory, out io.Writer) *cob
 	cmd.Flags().BoolVarP(&o.Quiet, "quiet", "q", o.Quiet, "Suppress output and just return the exit code.")
 	cmd.Flags().BoolVar(&o.IgnoreScopes, "ignore-scopes", o.IgnoreScopes, "Disregard any scopes present on this request and evaluate considering full permissions.")
 	cmd.Flags().StringSliceVar(&o.Scopes, "scopes", o.Scopes, "Check the specified action using these scopes.  By default, the scopes on the current token will be used.")
+	cmd.Flags().StringVar(&o.User, "user", o.User, "Check the specified action using this user instead of your user.")
+	cmd.Flags().StringSliceVar(&o.Groups, "groups", o.Groups, "Check the specified action using these groups instead of your groups.")
 
 	return cmd
 }
@@ -115,6 +121,7 @@ func (o *canIOptions) Complete(f *clientcmd.Factory, args []string) error {
 	if err != nil {
 		return err
 	}
+	o.SelfRulesReviewClient = oclient
 	o.RulesReviewClient = oclient
 	o.SARClient = oclient
 
@@ -146,6 +153,8 @@ func (o *canIOptions) Run() (bool, error) {
 			Resource:     o.Resource.Resource,
 			ResourceName: o.ResourceName,
 		},
+		User:   o.User,
+		Groups: sets.NewString(o.Groups...),
 	}
 	if o.IgnoreScopes {
 		sar.Scopes = []string{}
@@ -173,19 +182,40 @@ func (o *canIOptions) Run() (bool, error) {
 }
 
 func (o *canIOptions) listAllPermissions() error {
-	rulesReview := &authorizationapi.SelfSubjectRulesReview{}
-	if len(o.Scopes) > 0 {
-		rulesReview.Spec.Scopes = o.Scopes
-	}
+	var rulesReviewStatus authorizationapi.SubjectRulesReviewStatus
+
+	if len(o.User) == 0 && len(o.Groups) == 0 {
+		rulesReview := &authorizationapi.SelfSubjectRulesReview{}
+		if len(o.Scopes) > 0 {
+			rulesReview.Spec.Scopes = o.Scopes
+		}
+
+		whatCanIDo, err := o.SelfRulesReviewClient.SelfSubjectRulesReviews(o.Namespace).Create(rulesReview)
+		if err != nil {
+			return err
+		}
+		rulesReviewStatus = whatCanIDo.Status
+
+	} else {
+		rulesReview := &authorizationapi.SubjectRulesReview{
+			Spec: authorizationapi.SubjectRulesReviewSpec{
+				User:   o.User,
+				Groups: o.Groups,
+				Scopes: o.Scopes,
+			},
+		}
+
+		whatCanYouDo, err := o.RulesReviewClient.SubjectRulesReviews(o.Namespace).Create(rulesReview)
+		if err != nil {
+			return err
+		}
+		rulesReviewStatus = whatCanYouDo.Status
 
-	whatCanIDo, err := o.RulesReviewClient.SelfSubjectRulesReviews(o.Namespace).Create(rulesReview)
-	if err != nil {
-		return err
 	}
 
 	writer := tabwriter.NewWriter(o.Out, tabwriterMinWidth, tabwriterWidth, tabwriterPadding, tabwriterPadChar, tabwriterFlags)
 	fmt.Fprint(writer, describe.PolicyRuleHeadings+"\n")
-	for _, rule := range whatCanIDo.Status.Rules {
+	for _, rule := range rulesReviewStatus.Rules {
 		describe.DescribePolicyRule(writer, rule, "")
 
 	}

test/cmd/policy.sh

@@ -80,8 +80,22 @@ os::cmd::expect_success_and_text 'oc policy can-i --list' 'get update.*imagestre
 os::cmd::expect_success_and_text 'oc policy can-i create pods --all-namespaces' 'yes'
 os::cmd::expect_success_and_text 'oc policy can-i create pods' 'yes'
 os::cmd::expect_success_and_text 'oc policy can-i create pods --as harold' 'no'
+os::cmd::expect_failure 'oc policy can-i create pods --as harold --user harold'
+os::cmd::expect_failure 'oc policy can-i --list --as harold --user harold'
 os::cmd::expect_failure 'oc policy can-i create pods --as harold -q'
 
+os::cmd::expect_success_and_text 'oc policy can-i create pods --user system:admin' 'yes'
+os::cmd::expect_success_and_text 'oc policy can-i create pods --groups system:unauthenticated --groups system:masters' 'yes'
+os::cmd::expect_success_and_text 'oc policy can-i create pods --groups system:unauthenticated' 'no'
+os::cmd::expect_success_and_text 'oc policy can-i create pods --user harold' 'no'
+
+os::cmd::expect_success_and_text 'oc policy can-i --list --user system:admin' 'get update.*imagestreams/layers'
+os::cmd::expect_success_and_text 'oc policy can-i --list --groups system:unauthenticated --groups system:cluster-readers' 'get.*imagestreams/layers'
+os::cmd::expect_success_and_not_text 'oc policy can-i --list --groups system:unauthenticated' 'get update.*imagestreams/layers'
+os::cmd::expect_success_and_not_text 'oc policy can-i --list --user harold --groups system:authenticated' 'get update.*imagestreams/layers'
+os::cmd::expect_success_and_text 'oc policy can-i --list --user harold --groups system:authenticated' 'create get.*buildconfigs/webhooks'
+
+
 
 # adjust the cluster-admin role to check defaulting and coverage checks
 # this is done here instead of an integration test because we need to make sure the actual yaml serializations work