Merge pull request #11321 from deads2k/allow-who-can

Merged by openshift-bot

Author: OpenShift Bot

pkg/project/admission/lifecycle/admission.go

@@ -10,11 +10,11 @@ import (
 
 	"k8s.io/kubernetes/pkg/admission"
 	"k8s.io/kubernetes/pkg/api/meta"
+	"k8s.io/kubernetes/pkg/api/unversioned"
 	"k8s.io/kubernetes/pkg/apimachinery/registered"
 	clientset "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
-	"k8s.io/kubernetes/pkg/util/sets"
 
-	"github.com/openshift/origin/pkg/api"
+	authorizationapi "github.com/openshift/origin/pkg/authorization/api"
 	oadmission "github.com/openshift/origin/pkg/cmd/server/admission"
 	"github.com/openshift/origin/pkg/project/cache"
 	projectutil "github.com/openshift/origin/pkg/project/util"
@@ -33,10 +33,17 @@ type lifecycle struct {
 	cache  *cache.ProjectCache
 
 	// creatableResources is a set of resources that can be created even if the namespace is terminating
-	creatableResources sets.String
+	creatableResources map[unversioned.GroupResource]bool
 }
 
-var recommendedCreatableResources = sets.NewString("resourceaccessreviews", "localresourceaccessreviews")
+var recommendedCreatableResources = map[unversioned.GroupResource]bool{
+	authorizationapi.Resource("resourceaccessreviews"):      true,
+	authorizationapi.Resource("localresourceaccessreviews"): true,
+	authorizationapi.Resource("subjectaccessreviews"):       true,
+	authorizationapi.Resource("localsubjectaccessreviews"):  true,
+	authorizationapi.Resource("selfsubjectrulesreviews"):    true,
+	authorizationapi.Resource("subjectrulesreviews"):        true,
+}
 var _ = oadmission.WantsProjectCache(&lifecycle{})
 var _ = oadmission.Validator(&lifecycle{})
 
@@ -46,9 +53,8 @@ func (e *lifecycle) Admit(a admission.Attributes) (err error) {
 	if len(a.GetNamespace()) == 0 {
 		return nil
 	}
-	// always allow a SAR request through, the SAR will return information about
-	// the ability to take action on the object, no need to verify it here.
-	if isSubjectAccessReview(a) {
+	// always allow creatable resources through.  These requests should always be allowed.
+	if e.creatableResources[a.GetResource().GroupResource()] {
 		return nil
 	}
 
@@ -117,18 +123,9 @@ func (e *lifecycle) Validate() error {
 	return nil
 }
 
-func NewLifecycle(client clientset.Interface, creatableResources sets.String) (admission.Interface, error) {
+func NewLifecycle(client clientset.Interface, creatableResources map[unversioned.GroupResource]bool) (admission.Interface, error) {
 	return &lifecycle{
 		client:             client,
 		creatableResources: creatableResources,
 	}, nil
 }
-
-var (
-	sar  = api.Kind("SubjectAccessReview")
-	lsar = api.Kind("LocalSubjectAccessReview")
-)
-
-func isSubjectAccessReview(a admission.Attributes) bool {
-	return a.GetKind().GroupKind() == sar || a.GetKind().GroupKind() == lsar
-}

pkg/project/admission/lifecycle/admission_test.go

@@ -88,7 +88,7 @@ func TestSAR(t *testing.T) {
 	cache := projectcache.NewFake(mockClient.Namespaces(), store, "")
 
 	mockClientset := clientsetfake.NewSimpleClientset()
-	handler := &lifecycle{client: mockClientset}
+	handler := &lifecycle{client: mockClientset, creatableResources: recommendedCreatableResources}
 	handler.SetProjectCache(cache)
 
 	tests := map[string]struct {

test/cmd/projects.sh

@@ -3,6 +3,21 @@ source "$(dirname "${BASH_SOURCE}")/../../hack/lib/init.sh"
 trap os::test::junit::reconcile_output EXIT
 
 os::test::junit::declare_suite_start "cmd/projects"
+
+os::test::junit::declare_suite_start "cmd/projects/lifecycle"
+# resourceaccessreview
+os::cmd::expect_success 'oc policy who-can get pods -n missing-ns'
+# selfsubjectaccessreview
+os::cmd::expect_success 'oc policy can-i get pods -n missing-ns'
+# selfsubjectrulesreivew
+os::cmd::expect_success 'oc policy can-i --list -n missing-ns'
+# subjectaccessreview
+os::cmd::expect_success 'oc policy can-i get pods --user=bob -n missing-ns'
+# subjectrulesreview
+os::cmd::expect_success 'oc policy can-i --list  --user=bob -n missing-ns'
+echo 'project lifecycle ok'
+os::test::junit::declare_suite_end
+
 os::cmd::expect_failure_and_text 'oc projects test_arg' 'no arguments'
 # log in as a test user and expect no projects
 os::cmd::expect_success 'oc login -u test -p test'
@@ -21,4 +36,6 @@ os::cmd::try_until_text 'oc projects' 'test6'
 os::cmd::expect_success_and_text 'oc project test6' 'Now using project "test6"'
 os::cmd::expect_success_and_text 'oc config view -o jsonpath="{.contexts[*].context.namespace}"' '\btest6\b'
 echo 'projects command ok'
+
+
 os::test::junit::declare_suite_end