// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0
package kubeauth
import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"strings"

	v1 "k8s.io/api/core/v1"
	kubeerrors "k8s.io/apimachinery/pkg/api/errors"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/apimachinery/pkg/labels"
	"k8s.io/apimachinery/pkg/runtime"
	k8s_yaml "k8s.io/apimachinery/pkg/util/yaml"
)
// namespaceValidator decides whether a Kubernetes namespace satisfies a
// label selector.
//
// validateLabels(ctx, client, namespace, namespaceSelector) returns true when
// the labels of the namespace named by the third argument match
// namespaceSelector, a JSON/YAML metav1.LabelSelector given as a string.
// It returns an error (and false) when the selector cannot be parsed or the
// namespace's labels cannot be obtained, so callers must treat an error as
// "not validated", never as a match. The wrapper implementation in this file
// reads labels from the API server over client; the mock answers from a
// fixed label set and ignores client.
type namespaceValidator interface {
	validateLabels(context.Context, *http.Client, string, string) (bool, error)
}
// namespaceValidatorFactory builds a namespaceValidator for a backend
// configuration; it lets tests swap in mockNamespaceValidateFactory.
type namespaceValidatorFactory func(*kubeConfig) namespaceValidator
// namespaceValidatorWrapper is the production namespaceValidator: it looks
// namespaces up on the Kubernetes API server using config.Host as the base URL
// and config.TokenReviewerJWT as the bearer credential.
type namespaceValidatorWrapper struct {
	config *kubeConfig
}
// newNsValidatorWrapper returns the API-backed namespaceValidator for config.
// Its signature matches namespaceValidatorFactory so it can be used as the
// default factory.
func newNsValidatorWrapper(config *kubeConfig) namespaceValidator {
	w := new(namespaceValidatorWrapper)
	w.config = config
	return w
}
// validateLabels reports whether the labels of the namespace named by
// namespace satisfy namespaceSelector, a JSON or YAML metav1.LabelSelector
// limited to matchLabels (matchExpressions are rejected by
// makeNsLabelSelector). The selector is parsed before any network access, so
// a malformed selector never triggers an API call. The namespace's labels are
// fetched live from the API server through client; any lookup failure is
// returned as an error rather than reported as "no match".
//
// NOTE(review): metav1.LabelSelectorAsSelector turns a selector with no
// matchLabels (e.g. `{}`) into labels.Everything(), which would match every
// namespace — confirm that is intended or reject such selectors where the
// role is configured.
func (v *namespaceValidatorWrapper) validateLabels(ctx context.Context, client *http.Client, namespace string, namespaceSelector string) (bool, error) {
	var sel labels.Selector
	if parsed, err := makeNsLabelSelector(namespaceSelector); err != nil {
		return false, err
	} else if sel, err = metav1.LabelSelectorAsSelector(parsed); err != nil {
		return false, err
	}

	nsLabels, err := v.getNamespaceLabels(ctx, client, namespace)
	if err != nil {
		return false, err
	}
	return sel.Matches(labels.Set(nsLabels)), nil
}
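// getNamespaceLabels fetches the Namespace object named by namespace from the
// configured API host and returns its labels (nil when the namespace carries
// none).
//
// The request is authenticated with the configured TokenReviewer JWT, so that
// identity must be permitted to read the namespace. It returns an error when
// no reviewer JWT is configured, the request cannot be built or sent, the
// response body cannot be read, or the API server answers with anything other
// than 200 OK.
func (v *namespaceValidatorWrapper) getNamespaceLabels(ctx context.Context, client *http.Client, namespace string) (map[string]string, error) {
	// Reject a missing reviewer credential before doing any network work so
	// the misconfiguration is reported the same way regardless of connectivity.
	if v.config.TokenReviewerJWT == "" {
		return nil, errors.New("namespace lookup failed: TokenReviewer JWT needs to be configured to use namespace selectors")
	}

	// Path-escape the namespace so the request can only ever address
	// /api/v1/namespaces/<name>; a well-formed namespace name (a DNS label)
	// is left unchanged by the escaping.
	endpoint := fmt.Sprintf("%s/api/v1/namespaces/%s", strings.TrimSuffix(v.config.Host, "/"), url.PathEscape(namespace))
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, endpoint, nil)
	if err != nil {
		return nil, err
	}
	setRequestHeader(req, fmt.Sprintf("Bearer %s", v.config.TokenReviewerJWT))

	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	// The body must be closed on every path so the transport can reuse the
	// connection; the original leaked it.
	defer resp.Body.Close()

	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return nil, err
	}

	if resp.StatusCode != http.StatusOK {
		var errStatus metav1.Status
		if err = json.Unmarshal(body, &errStatus); err != nil {
			return nil, fmt.Errorf("failed to parse error status on namespace retrieval failure err=%w", err)
		}
		if errStatus.Status != metav1.StatusSuccess {
			return nil, fmt.Errorf("failed to get namespace (code %d status %s)",
				resp.StatusCode, kubeerrors.FromObject(runtime.Object(&errStatus)))
		}
		// A non-200 answer is never a Namespace object, even if it carries a
		// Status of "Success"; do not fall through and decode it as one.
		return nil, fmt.Errorf("failed to get namespace (code %d)", resp.StatusCode)
	}

	var ns v1.Namespace
	if err = json.Unmarshal(body, &ns); err != nil {
		return nil, err
	}
	return ns.Labels, nil
}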
// makeLabelSelector parses selector, a metav1.LabelSelector written as JSON or
// YAML, into a LabelSelector value. It returns the decoder's error when the
// text is malformed (an empty string is also an error, as there is nothing to
// decode). No structural validation is done here; see makeNsLabelSelector.
func makeLabelSelector(selector string) (*metav1.LabelSelector, error) {
	var parsed metav1.LabelSelector
	dec := k8s_yaml.NewYAMLOrJSONDecoder(strings.NewReader(selector), len(selector))
	if err := dec.Decode(&parsed); err != nil {
		return nil, err
	}
	return &parsed, nil
}
// makeNsLabelSelector parses a role's namespace selector (JSON or YAML
// metav1.LabelSelector) and enforces the subset this backend supports.
//
// It fails on an empty selector string, on text that does not decode, and on
// any selector that carries a matchExpressions field — that field is rejected
// outright rather than silently dropped, so an operator cannot believe a
// stricter expression-based rule is in force when only matchLabels is
// evaluated.
//
// NOTE(review): a selector that decodes but has no matchLabels (e.g. `{}`) is
// accepted here; metav1.LabelSelectorAsSelector maps it to labels.Everything(),
// so it would match every namespace — confirm that is intended.
func makeNsLabelSelector(namespaceSelector string) (*metav1.LabelSelector, error) {
	if len(namespaceSelector) == 0 {
		return nil, fmt.Errorf("namespace selector is empty")
	}

	parsed, err := makeLabelSelector(namespaceSelector)
	switch {
	case err != nil:
		return nil, err
	case parsed.MatchExpressions != nil:
		return nil, fmt.Errorf("label selector match expressions are not supported")
	default:
		return parsed, nil
	}
}
// mockNamespaceValidator is a test double: instead of querying the API
// server it treats labels as the label set of every namespace it is asked
// about.
type mockNamespaceValidator struct {
	labels map[string]string
}
// mockNamespaceValidateFactory returns a namespaceValidatorFactory whose
// validators answer from the fixed labels map. The config argument of the
// returned factory is ignored; the map is shared, not copied.
func mockNamespaceValidateFactory(labels map[string]string) namespaceValidatorFactory {
	mock := &mockNamespaceValidator{labels: labels}
	return func(_ *kubeConfig) namespaceValidator {
		return mock
	}
}
// validateLabels implements namespaceValidator for the mock: namespaceSelector
// is parsed and validated exactly as in the real implementation, but it is
// matched against the mock's fixed label set. ctx, client and namespace are
// unused, so the result does not depend on which namespace is asked about.
func (v *mockNamespaceValidator) validateLabels(ctx context.Context, client *http.Client, namespace string, namespaceSelector string) (bool, error) {
	parsed, err := makeNsLabelSelector(namespaceSelector)
	if err != nil {
		return false, err
	}
	sel, err := metav1.LabelSelectorAsSelector(parsed)
	if err != nil {
		return false, err
	}
	matched := sel.Matches(labels.Set(v.labels))
	return matched, nil
}