test/e2e/framework/auth/helpers.go - third_party/kubernetes - Git at Google

 /*
 Copyright 2016 The Kubernetes Authors.

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at

     http://www.apache.org/licenses/LICENSE-2.0

 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */

 package auth

 import (
 	"context"
 	"fmt"
 	"sync"
 	"time"

 	authorizationv1 "k8s.io/api/authorization/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/util/wait"
 	v1authorization "k8s.io/client-go/kubernetes/typed/authorization/v1"
 	v1rbac "k8s.io/client-go/kubernetes/typed/rbac/v1"
 	"k8s.io/kubernetes/test/e2e/framework"
 )

 const (
 	policyCachePollInterval = 100 * time.Millisecond
 	policyCachePollTimeout  = 5 * time.Second
 )

 type bindingsGetter interface {
 	v1rbac.RoleBindingsGetter
 	v1rbac.ClusterRoleBindingsGetter
 	v1rbac.ClusterRolesGetter
 }

 // WaitForAuthorizationUpdate checks if the given user can perform the named verb and action.
 // If policyCachePollTimeout is reached without the expected condition matching, an error is returned
 func WaitForAuthorizationUpdate(ctx context.Context, c v1authorization.SubjectAccessReviewsGetter, user, namespace, verb string, resource schema.GroupResource, allowed bool) error {
 	return WaitForNamedAuthorizationUpdate(ctx, c, user, namespace, verb, "", resource, allowed)
 }

 // WaitForNamedAuthorizationUpdate checks if the given user can perform the named verb and action on the named resource.
 // If policyCachePollTimeout is reached without the expected condition matching, an error is returned
 func WaitForNamedAuthorizationUpdate(ctx context.Context, c v1authorization.SubjectAccessReviewsGetter, user, namespace, verb, resourceName string, resource schema.GroupResource, allowed bool) error {
 	review := &authorizationv1.SubjectAccessReview{
 		Spec: authorizationv1.SubjectAccessReviewSpec{
 			ResourceAttributes: &authorizationv1.ResourceAttributes{
 				Group:     resource.Group,
 				Verb:      verb,
 				Resource:  resource.Resource,
 				Namespace: namespace,
 				Name:      resourceName,
 			},
 			User: user,
 		},
 	}

 	err := wait.PollWithContext(ctx, policyCachePollInterval, policyCachePollTimeout, func(ctx context.Context) (bool, error) {
 		response, err := c.SubjectAccessReviews().Create(ctx, review, metav1.CreateOptions{})
 		if err != nil {
 			return false, err
 		}
 		if response.Status.Allowed != allowed {
 			return false, nil
 		}
 		return true, nil
 	})
 	return err
 }

 // BindClusterRole binds the cluster role at the cluster scope. If RBAC is not enabled, nil
 // is returned with no action.
 func BindClusterRole(ctx context.Context, c bindingsGetter, clusterRole, ns string, subjects ...rbacv1.Subject) error {
 	if !IsRBACEnabled(ctx, c) {
 		return nil
 	}

 	// Since the namespace names are unique, we can leave this lying around so we don't have to race any caches
 	_, err := c.ClusterRoleBindings().Create(ctx, &rbacv1.ClusterRoleBinding{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: ns + "--" + clusterRole,
 		},
 		RoleRef: rbacv1.RoleRef{
 			APIGroup: "rbac.authorization.k8s.io",
 			Kind:     "ClusterRole",
 			Name:     clusterRole,
 		},
 		Subjects: subjects,
 	}, metav1.CreateOptions{})

 	if err != nil {
 		return fmt.Errorf("binding clusterrole/%s for %q for %v: %w", clusterRole, ns, subjects, err)
 	}

 	return nil
 }

 // BindClusterRoleInNamespace binds the cluster role at the namespace scope. If RBAC is not enabled, nil
 // is returned with no action.
 func BindClusterRoleInNamespace(ctx context.Context, c bindingsGetter, clusterRole, ns string, subjects ...rbacv1.Subject) error {
 	return bindInNamespace(ctx, c, "ClusterRole", clusterRole, ns, subjects...)
 }

 // BindRoleInNamespace binds the role at the namespace scope. If RBAC is not enabled, nil
 // is returned with no action.
 func BindRoleInNamespace(ctx context.Context, c bindingsGetter, role, ns string, subjects ...rbacv1.Subject) error {
 	return bindInNamespace(ctx, c, "Role", role, ns, subjects...)
 }

 func bindInNamespace(ctx context.Context, c bindingsGetter, roleType, role, ns string, subjects ...rbacv1.Subject) error {
 	if !IsRBACEnabled(ctx, c) {
 		return nil
 	}

 	// Since the namespace names are unique, we can leave this lying around so we don't have to race any caches
 	_, err := c.RoleBindings(ns).Create(ctx, &rbacv1.RoleBinding{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: ns + "--" + role,
 		},
 		RoleRef: rbacv1.RoleRef{
 			APIGroup: "rbac.authorization.k8s.io",
 			Kind:     roleType,
 			Name:     role,
 		},
 		Subjects: subjects,
 	}, metav1.CreateOptions{})

 	if err != nil {
 		return fmt.Errorf("binding %s/%s into %q for %v: %w", roleType, role, ns, subjects, err)
 	}

 	return nil
 }

 var (
 	isRBACEnabledOnce sync.Once
 	isRBACEnabled     bool
 )

 // IsRBACEnabled returns true if RBAC is enabled. Otherwise false.
 func IsRBACEnabled(ctx context.Context, crGetter v1rbac.ClusterRolesGetter) bool {
 	isRBACEnabledOnce.Do(func() {
 		crs, err := crGetter.ClusterRoles().List(ctx, metav1.ListOptions{})
 		if err != nil {
 			framework.Logf("Error listing ClusterRoles; assuming RBAC is disabled: %v", err)
 			isRBACEnabled = false
 		} else if crs == nil || len(crs.Items) == 0 {
 			framework.Logf("No ClusterRoles found; assuming RBAC is disabled.")
 			isRBACEnabled = false
 		} else {
 			framework.Logf("Found ClusterRoles; assuming RBAC is enabled.")
 			isRBACEnabled = true
 		}
 	})

 	return isRBACEnabled
 }
	/*
	Copyright 2016 The Kubernetes Authors.

	Licensed under the Apache License, Version 2.0 (the "License");
	you may not use this file except in compliance with the License.
	You may obtain a copy of the License at

	http://www.apache.org/licenses/LICENSE-2.0

	Unless required by applicable law or agreed to in writing, software
	distributed under the License is distributed on an "AS IS" BASIS,
	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	See the License for the specific language governing permissions and
	limitations under the License.
	*/

	package auth

	import (
	"context"
	"fmt"
	"sync"
	"time"

	authorizationv1 "k8s.io/api/authorization/v1"
	rbacv1 "k8s.io/api/rbac/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/apimachinery/pkg/runtime/schema"
	"k8s.io/apimachinery/pkg/util/wait"
	v1authorization "k8s.io/client-go/kubernetes/typed/authorization/v1"
	v1rbac "k8s.io/client-go/kubernetes/typed/rbac/v1"
	"k8s.io/kubernetes/test/e2e/framework"
	)

	const (
	policyCachePollInterval = 100 * time.Millisecond
	policyCachePollTimeout = 5 * time.Second
	)

	type bindingsGetter interface {
	v1rbac.RoleBindingsGetter
	v1rbac.ClusterRoleBindingsGetter
	v1rbac.ClusterRolesGetter
	}

	// WaitForAuthorizationUpdate checks if the given user can perform the named verb and action.
	// If policyCachePollTimeout is reached without the expected condition matching, an error is returned
	func WaitForAuthorizationUpdate(ctx context.Context, c v1authorization.SubjectAccessReviewsGetter, user, namespace, verb string, resource schema.GroupResource, allowed bool) error {
	return WaitForNamedAuthorizationUpdate(ctx, c, user, namespace, verb, "", resource, allowed)
	}

	// WaitForNamedAuthorizationUpdate checks if the given user can perform the named verb and action on the named resource.
	// If policyCachePollTimeout is reached without the expected condition matching, an error is returned
	func WaitForNamedAuthorizationUpdate(ctx context.Context, c v1authorization.SubjectAccessReviewsGetter, user, namespace, verb, resourceName string, resource schema.GroupResource, allowed bool) error {
	review := &authorizationv1.SubjectAccessReview{
	Spec: authorizationv1.SubjectAccessReviewSpec{
	ResourceAttributes: &authorizationv1.ResourceAttributes{
	Group: resource.Group,
	Verb: verb,
	Resource: resource.Resource,
	Namespace: namespace,
	Name: resourceName,
	},
	User: user,
	},
	}

	err := wait.PollWithContext(ctx, policyCachePollInterval, policyCachePollTimeout, func(ctx context.Context) (bool, error) {
	response, err := c.SubjectAccessReviews().Create(ctx, review, metav1.CreateOptions{})
	if err != nil {
	return false, err
	}
	if response.Status.Allowed != allowed {
	return false, nil
	}
	return true, nil
	})
	return err
	}

	// BindClusterRole binds the cluster role at the cluster scope. If RBAC is not enabled, nil
	// is returned with no action.
	func BindClusterRole(ctx context.Context, c bindingsGetter, clusterRole, ns string, subjects ...rbacv1.Subject) error {
	if !IsRBACEnabled(ctx, c) {
	return nil
	}

	// Since the namespace names are unique, we can leave this lying around so we don't have to race any caches
	_, err := c.ClusterRoleBindings().Create(ctx, &rbacv1.ClusterRoleBinding{
	ObjectMeta: metav1.ObjectMeta{
	Name: ns + "--" + clusterRole,
	},
	RoleRef: rbacv1.RoleRef{
	APIGroup: "rbac.authorization.k8s.io",
	Kind: "ClusterRole",
	Name: clusterRole,
	},
	Subjects: subjects,
	}, metav1.CreateOptions{})

	if err != nil {
	return fmt.Errorf("binding clusterrole/%s for %q for %v: %w", clusterRole, ns, subjects, err)
	}

	return nil
	}

	// BindClusterRoleInNamespace binds the cluster role at the namespace scope. If RBAC is not enabled, nil
	// is returned with no action.
	func BindClusterRoleInNamespace(ctx context.Context, c bindingsGetter, clusterRole, ns string, subjects ...rbacv1.Subject) error {
	return bindInNamespace(ctx, c, "ClusterRole", clusterRole, ns, subjects...)
	}

	// BindRoleInNamespace binds the role at the namespace scope. If RBAC is not enabled, nil
	// is returned with no action.
	func BindRoleInNamespace(ctx context.Context, c bindingsGetter, role, ns string, subjects ...rbacv1.Subject) error {
	return bindInNamespace(ctx, c, "Role", role, ns, subjects...)
	}

	func bindInNamespace(ctx context.Context, c bindingsGetter, roleType, role, ns string, subjects ...rbacv1.Subject) error {
	if !IsRBACEnabled(ctx, c) {
	return nil
	}

	// Since the namespace names are unique, we can leave this lying around so we don't have to race any caches
	_, err := c.RoleBindings(ns).Create(ctx, &rbacv1.RoleBinding{
	ObjectMeta: metav1.ObjectMeta{
	Name: ns + "--" + role,
	},
	RoleRef: rbacv1.RoleRef{
	APIGroup: "rbac.authorization.k8s.io",
	Kind: roleType,
	Name: role,
	},
	Subjects: subjects,
	}, metav1.CreateOptions{})

	if err != nil {
	return fmt.Errorf("binding %s/%s into %q for %v: %w", roleType, role, ns, subjects, err)
	}

	return nil
	}

	var (
	isRBACEnabledOnce sync.Once
	isRBACEnabled bool
	)

	// IsRBACEnabled returns true if RBAC is enabled. Otherwise false.
	func IsRBACEnabled(ctx context.Context, crGetter v1rbac.ClusterRolesGetter) bool {
	isRBACEnabledOnce.Do(func() {
	crs, err := crGetter.ClusterRoles().List(ctx, metav1.ListOptions{})
	if err != nil {
	framework.Logf("Error listing ClusterRoles; assuming RBAC is disabled: %v", err)
	isRBACEnabled = false
	} else if crs == nil \|\| len(crs.Items) == 0 {
	framework.Logf("No ClusterRoles found; assuming RBAC is disabled.")
	isRBACEnabled = false
	} else {
	framework.Logf("Found ClusterRoles; assuming RBAC is enabled.")
	isRBACEnabled = true
	}
	})

	return isRBACEnabled
	}