switch meaning to openshift.GetResource to match upstream

Author: deads2k

pkg/authorization/authorizer/adapter/attributes.go

@@ -38,16 +38,11 @@ func OriginAuthorizerAttributes(kattrs kauthorizer.Attributes) (kapi.Context, oa
 		APIGroup:     kattrs.GetAPIGroup(),
 		APIVersion:   kattrs.GetAPIVersion(),
 		Resource:     kattrs.GetResource(),
+		Subresource:  kattrs.GetSubresource(),
 		ResourceName: kattrs.GetName(),
 
 		NonResourceURL: kattrs.IsResourceRequest() == false,
 		URL:            kattrs.GetPath(),
-
-		// TODO: add to kube authorizer attributes
-		// RequestAttributes interface{}
-	}
-	if len(kattrs.GetSubresource()) > 0 {
-		oattrs.Resource = kattrs.GetResource() + "/" + kattrs.GetSubresource()
 	}
 
 	return ctx, oattrs

pkg/authorization/authorizer/adapter/attributes_test.go

@@ -22,6 +22,7 @@ func TestRoundTrip(t *testing.T) {
 		APIVersion:     "av",
 		APIGroup:       "ag",
 		Resource:       "r",
+		Subresource:    "sub",
 		ResourceName:   "rn",
 		NonResourceURL: true,
 		URL:            "/123",
@@ -73,6 +74,9 @@ func TestRoundTrip(t *testing.T) {
 	if oattrs.GetResource() != oattrs2.GetResource() {
 		t.Errorf("Expected %v, got %v", oattrs.GetResource(), oattrs2.GetResource())
 	}
+	if oattrs.GetSubresource() != oattrs2.GetSubresource() {
+		t.Errorf("Expected %v, got %v", oattrs.GetSubresource(), oattrs2.GetSubresource())
+	}
 
 	// Ensure origin-specific info is preserved
 	if oattrs.GetAPIVersion() != oattrs2.GetAPIVersion() {
@@ -95,7 +99,7 @@ func TestRoundTrip(t *testing.T) {
 func TestAttributeIntersection(t *testing.T) {
 	// These are the things we expect to be shared
 	// Everything in this list should be used by OriginAuthorizerAttributes
-	expectedIntersection := sets.NewString("GetVerb", "GetResource", "GetAPIGroup", "GetAPIVersion")
+	expectedIntersection := sets.NewString("GetVerb", "GetResource", "GetSubresource", "GetAPIGroup", "GetAPIVersion")
 
 	// These are the things we expect to only be in the Kubernetes interface
 	// Everything in this list should be used by OriginAuthorizerAttributes or derivative (like IsReadOnly)

pkg/authorization/authorizer/attributes.go

@@ -14,6 +14,7 @@ type DefaultAuthorizationAttributes struct {
 	APIVersion     string
 	APIGroup       string
 	Resource       string
+	Subresource    string
 	ResourceName   string
 	NonResourceURL bool
 	URL            string
@@ -22,11 +23,24 @@ type DefaultAuthorizationAttributes struct {
 // ToDefaultAuthorizationAttributes coerces Action to DefaultAuthorizationAttributes.  Namespace is not included
 // because the authorizer takes that information on the context
 func ToDefaultAuthorizationAttributes(in authorizationapi.Action) Action {
+	// to match the RequestInfoFactory assuming an in.resource of one/two/three, one==resource, two==subresource, three=nothing
+	tokens := strings.SplitN(in.Resource, "/", 2)
+	resource := ""
+	subresource := ""
+	switch {
+	case len(tokens) >= 2:
+		subresource = tokens[1]
+		fallthrough
+	case len(tokens) == 1:
+		resource = tokens[0]
+	}
+
 	return DefaultAuthorizationAttributes{
 		Verb:           in.Verb,
 		APIGroup:       in.Group,
 		APIVersion:     in.Version,
-		Resource:       in.Resource,
+		Resource:       resource,
+		Subresource:    subresource,
 		ResourceName:   in.ResourceName,
 		URL:            in.Path,
 		NonResourceURL: in.IsNonResourceURL,
@@ -85,7 +99,15 @@ func verbMatches(a Action, verbs sets.String) bool {
 }
 
 func resourceMatches(a Action, allowedResourceTypes sets.String) bool {
-	return allowedResourceTypes.Has(authorizationapi.ResourceAll) || allowedResourceTypes.Has(strings.ToLower(a.GetResource()))
+	if allowedResourceTypes.Has(authorizationapi.ResourceAll) {
+		return true
+	}
+
+	if len(a.GetSubresource()) == 0 {
+		return allowedResourceTypes.Has(strings.ToLower(a.GetResource()))
+	}
+
+	return allowedResourceTypes.Has(strings.ToLower(a.GetResource() + "/" + a.GetSubresource()))
 }
 
 // nameMatches checks to see if the resourceName of the action is in a the specified whitelist.  An empty whitelist indicates that any name is allowed.
@@ -147,6 +169,10 @@ func (a DefaultAuthorizationAttributes) GetResource() string {
 	return a.Resource
 }
 
+func (a DefaultAuthorizationAttributes) GetSubresource() string {
+	return a.Subresource
+}
+
 func (a DefaultAuthorizationAttributes) GetResourceName() string {
 	return a.ResourceName
 }

pkg/authorization/authorizer/attributes_builder.go

@@ -30,16 +30,12 @@ func (a *openshiftAuthorizationAttributeBuilder) GetAttributes(req *http.Request
 		}, nil
 	}
 
-	resource := requestInfo.Resource
-	if len(requestInfo.Subresource) > 0 {
-		resource = requestInfo.Resource + "/" + requestInfo.Subresource
-	}
-
 	return DefaultAuthorizationAttributes{
 		Verb:           requestInfo.Verb,
 		APIGroup:       requestInfo.APIGroup,
 		APIVersion:     requestInfo.APIVersion,
-		Resource:       resource,
+		Resource:       requestInfo.Resource,
+		Subresource:    requestInfo.Subresource,
 		ResourceName:   requestInfo.Name,
 		NonResourceURL: false,
 		URL:            requestInfo.Path,

pkg/authorization/authorizer/attributes_test.go

@@ -1,6 +1,7 @@
 package authorizer
 
 import (
+	"strings"
 	"testing"
 
 	authorizationapi "github.com/openshift/origin/pkg/authorization/api"
@@ -29,7 +30,21 @@ func (a authorizationAttributesAdapter) GetAPIGroup() string {
 }
 
 func (a authorizationAttributesAdapter) GetResource() string {
-	return a.attrs.Resource
+	// to match the RequestInfoFactory assuming an in.resource of one/two/three, one==resource, two==subresource, three=nothing
+	tokens := strings.SplitN(a.attrs.Resource, "/", 2)
+	if len(tokens) >= 1 {
+		return tokens[0]
+	}
+	return ""
+}
+
+func (a authorizationAttributesAdapter) GetSubresource() string {
+	// to match the RequestInfoFactory assuming an in.resource of one/two/three, one==resource, two==subresource, three=nothing
+	tokens := strings.SplitN(a.attrs.Resource, "/", 2)
+	if len(tokens) >= 2 {
+		return tokens[1]
+	}
+	return ""
 }
 
 func (a authorizationAttributesAdapter) GetResourceName() string {

pkg/authorization/authorizer/bootstrap_policy_test.go

@@ -378,8 +378,9 @@ func TestAdminGetStatusInMallet(t *testing.T) {
 	test := &authorizeTest{
 		context: kapi.WithUser(kapi.WithNamespace(kapi.NewContext(), "mallet"), &user.DefaultInfo{Name: "Matthew"}),
 		attributes: &DefaultAuthorizationAttributes{
-			Verb:     "get",
-			Resource: "pods/status",
+			Verb:        "get",
+			Resource:    "pods",
+			Subresource: "status",
 		},
 		expectedAllowed: true,
 		expectedReason:  "allowed by rule in mallet",

pkg/authorization/authorizer/cache/authorizer.go

@@ -128,6 +128,7 @@ func cacheKey(ctx kapi.Context, a authorizer.Action) (string, error) {
 		"apiVersion":     a.GetAPIVersion(),
 		"apiGroup":       a.GetAPIGroup(),
 		"resource":       a.GetResource(),
+		"subresource":    a.GetSubresource(),
 		"resourceName":   a.GetResourceName(),
 		"nonResourceURL": a.IsNonResourceURL(),
 		"url":            a.GetURL(),

pkg/authorization/authorizer/cache/authorizer_test.go

@@ -29,7 +29,7 @@ func TestCacheKey(t *testing.T) {
 		"empty": {
 			Context:     kapi.NewContext(),
 			Attrs:       &authorizer.DefaultAuthorizationAttributes{},
-			ExpectedKey: `{"apiGroup":"","apiVersion":"","nonResourceURL":false,"resource":"","resourceName":"","url":"","verb":""}`,
+			ExpectedKey: `{"apiGroup":"","apiVersion":"","nonResourceURL":false,"resource":"","resourceName":"","subresource":"","url":"","verb":""}`,
 		},
 		"full": {
 			Context: kapi.WithUser(kapi.WithNamespace(kapi.NewContext(), "myns"), &user.DefaultInfo{Name: "me", Groups: []string{"group1", "group2"}}),
@@ -38,11 +38,12 @@ func TestCacheKey(t *testing.T) {
 				APIVersion:     "av",
 				APIGroup:       "ag",
 				Resource:       "r",
+				Subresource:    "sub",
 				ResourceName:   "rn",
 				NonResourceURL: true,
 				URL:            "/abc",
 			},
-			ExpectedKey: `{"apiGroup":"ag","apiVersion":"av","groups":["group1","group2"],"namespace":"myns","nonResourceURL":true,"resource":"r","resourceName":"rn","scopes":null,"url":"/abc","user":"me","verb":"v"}`,
+			ExpectedKey: `{"apiGroup":"ag","apiVersion":"av","groups":["group1","group2"],"namespace":"myns","nonResourceURL":true,"resource":"r","resourceName":"rn","scopes":null,"subresource":"sub","url":"/abc","user":"me","verb":"v"}`,
 		},
 	}
 

pkg/authorization/authorizer/interfaces.go

@@ -28,6 +28,7 @@ type Action interface {
 	GetAPIGroup() string
 	// GetResource returns the resource type.  If IsNonResourceURL() is true, then GetResource() is "".
 	GetResource() string
+	GetSubresource() string
 	GetResourceName() string
 	// IsNonResourceURL returns true if this is not an action performed against the resource API
 	IsNonResourceURL() bool

pkg/authorization/authorizer/messages.go

@@ -21,27 +21,28 @@ type ForbiddenMessageResolver struct {
 
 func NewForbiddenMessageResolver(projectRequestForbiddenTemplate string) *ForbiddenMessageResolver {
 	apiGroupIfNotEmpty := "{{if len .Attributes.GetAPIGroup }}{{.Attributes.GetAPIGroup}}.{{end}}"
+	resourceWithSubresourceIfNotEmpty := "{{if len .Attributes.GetSubresource }}{{.Attributes.GetResource}}/{{.Attributes.GetSubresource}}{{else}}{{.Attributes.GetResource}}{{end}}"
 
 	messageResolver := &ForbiddenMessageResolver{
 		namespacedVerbsToResourcesToForbiddenMessageMaker: map[string]map[string]ForbiddenMessageMaker{},
 		rootScopedVerbsToResourcesToForbiddenMessageMaker: map[string]map[string]ForbiddenMessageMaker{},
 		nonResourceURLForbiddenMessageMaker:               newTemplateForbiddenMessageMaker(`User "{{.User.GetName}}" cannot "{{.Attributes.GetVerb}}" on "{{.Attributes.GetURL}}"`),
-		defaultForbiddenMessageMaker:                      newTemplateForbiddenMessageMaker(`User "{{.User.GetName}}" cannot "{{.Attributes.GetVerb}}" "` + apiGroupIfNotEmpty + `{{.Attributes.GetResource}}" with name "{{.Attributes.GetResourceName}}" in project "{{.Namespace}}"`),
+		defaultForbiddenMessageMaker:                      newTemplateForbiddenMessageMaker(`User "{{.User.GetName}}" cannot "{{.Attributes.GetVerb}}" "` + apiGroupIfNotEmpty + resourceWithSubresourceIfNotEmpty + `" with name "{{.Attributes.GetResourceName}}" in project "{{.Namespace}}"`),
 	}
 
 	// general messages
-	messageResolver.addNamespacedForbiddenMessageMaker("create", authorizationapi.ResourceAll, newTemplateForbiddenMessageMaker(`User "{{.User.GetName}}" cannot create `+apiGroupIfNotEmpty+`{{.Attributes.GetResource}} in project "{{.Namespace}}"`))
-	messageResolver.addRootScopedForbiddenMessageMaker("create", authorizationapi.ResourceAll, newTemplateForbiddenMessageMaker(`User "{{.User.GetName}}" cannot create `+apiGroupIfNotEmpty+`{{.Attributes.GetResource}} at the cluster scope`))
-	messageResolver.addNamespacedForbiddenMessageMaker("get", authorizationapi.ResourceAll, newTemplateForbiddenMessageMaker(`User "{{.User.GetName}}" cannot get `+apiGroupIfNotEmpty+`{{.Attributes.GetResource}} in project "{{.Namespace}}"`))
-	messageResolver.addRootScopedForbiddenMessageMaker("get", authorizationapi.ResourceAll, newTemplateForbiddenMessageMaker(`User "{{.User.GetName}}" cannot get `+apiGroupIfNotEmpty+`{{.Attributes.GetResource}} at the cluster scope`))
-	messageResolver.addNamespacedForbiddenMessageMaker("list", authorizationapi.ResourceAll, newTemplateForbiddenMessageMaker(`User "{{.User.GetName}}" cannot list `+apiGroupIfNotEmpty+`{{.Attributes.GetResource}} in project "{{.Namespace}}"`))
-	messageResolver.addRootScopedForbiddenMessageMaker("list", authorizationapi.ResourceAll, newTemplateForbiddenMessageMaker(`User "{{.User.GetName}}" cannot list all `+apiGroupIfNotEmpty+`{{.Attributes.GetResource}} in the cluster`))
-	messageResolver.addNamespacedForbiddenMessageMaker("watch", authorizationapi.ResourceAll, newTemplateForbiddenMessageMaker(`User "{{.User.GetName}}" cannot watch `+apiGroupIfNotEmpty+`{{.Attributes.GetResource}} in project "{{.Namespace}}"`))
-	messageResolver.addRootScopedForbiddenMessageMaker("watch", authorizationapi.ResourceAll, newTemplateForbiddenMessageMaker(`User "{{.User.GetName}}" cannot watch all `+apiGroupIfNotEmpty+`{{.Attributes.GetResource}} in the cluster`))
-	messageResolver.addNamespacedForbiddenMessageMaker("update", authorizationapi.ResourceAll, newTemplateForbiddenMessageMaker(`User "{{.User.GetName}}" cannot update `+apiGroupIfNotEmpty+`{{.Attributes.GetResource}} in project "{{.Namespace}}"`))
-	messageResolver.addRootScopedForbiddenMessageMaker("update", authorizationapi.ResourceAll, newTemplateForbiddenMessageMaker(`User "{{.User.GetName}}" cannot update `+apiGroupIfNotEmpty+`{{.Attributes.GetResource}} at the cluster scope`))
-	messageResolver.addNamespacedForbiddenMessageMaker("delete", authorizationapi.ResourceAll, newTemplateForbiddenMessageMaker(`User "{{.User.GetName}}" cannot delete `+apiGroupIfNotEmpty+`{{.Attributes.GetResource}} in project "{{.Namespace}}"`))
-	messageResolver.addRootScopedForbiddenMessageMaker("delete", authorizationapi.ResourceAll, newTemplateForbiddenMessageMaker(`User "{{.User.GetName}}" cannot delete `+apiGroupIfNotEmpty+`{{.Attributes.GetResource}} at the cluster scope`))
+	messageResolver.addNamespacedForbiddenMessageMaker("create", authorizationapi.ResourceAll, newTemplateForbiddenMessageMaker(`User "{{.User.GetName}}" cannot create `+apiGroupIfNotEmpty+resourceWithSubresourceIfNotEmpty+` in project "{{.Namespace}}"`))
+	messageResolver.addRootScopedForbiddenMessageMaker("create", authorizationapi.ResourceAll, newTemplateForbiddenMessageMaker(`User "{{.User.GetName}}" cannot create `+apiGroupIfNotEmpty+resourceWithSubresourceIfNotEmpty+` at the cluster scope`))
+	messageResolver.addNamespacedForbiddenMessageMaker("get", authorizationapi.ResourceAll, newTemplateForbiddenMessageMaker(`User "{{.User.GetName}}" cannot get `+apiGroupIfNotEmpty+resourceWithSubresourceIfNotEmpty+` in project "{{.Namespace}}"`))
+	messageResolver.addRootScopedForbiddenMessageMaker("get", authorizationapi.ResourceAll, newTemplateForbiddenMessageMaker(`User "{{.User.GetName}}" cannot get `+apiGroupIfNotEmpty+resourceWithSubresourceIfNotEmpty+` at the cluster scope`))
+	messageResolver.addNamespacedForbiddenMessageMaker("list", authorizationapi.ResourceAll, newTemplateForbiddenMessageMaker(`User "{{.User.GetName}}" cannot list `+apiGroupIfNotEmpty+resourceWithSubresourceIfNotEmpty+` in project "{{.Namespace}}"`))
+	messageResolver.addRootScopedForbiddenMessageMaker("list", authorizationapi.ResourceAll, newTemplateForbiddenMessageMaker(`User "{{.User.GetName}}" cannot list all `+apiGroupIfNotEmpty+resourceWithSubresourceIfNotEmpty+` in the cluster`))
+	messageResolver.addNamespacedForbiddenMessageMaker("watch", authorizationapi.ResourceAll, newTemplateForbiddenMessageMaker(`User "{{.User.GetName}}" cannot watch `+apiGroupIfNotEmpty+resourceWithSubresourceIfNotEmpty+` in project "{{.Namespace}}"`))
+	messageResolver.addRootScopedForbiddenMessageMaker("watch", authorizationapi.ResourceAll, newTemplateForbiddenMessageMaker(`User "{{.User.GetName}}" cannot watch all `+apiGroupIfNotEmpty+resourceWithSubresourceIfNotEmpty+` in the cluster`))
+	messageResolver.addNamespacedForbiddenMessageMaker("update", authorizationapi.ResourceAll, newTemplateForbiddenMessageMaker(`User "{{.User.GetName}}" cannot update `+apiGroupIfNotEmpty+resourceWithSubresourceIfNotEmpty+` in project "{{.Namespace}}"`))
+	messageResolver.addRootScopedForbiddenMessageMaker("update", authorizationapi.ResourceAll, newTemplateForbiddenMessageMaker(`User "{{.User.GetName}}" cannot update `+apiGroupIfNotEmpty+resourceWithSubresourceIfNotEmpty+` at the cluster scope`))
+	messageResolver.addNamespacedForbiddenMessageMaker("delete", authorizationapi.ResourceAll, newTemplateForbiddenMessageMaker(`User "{{.User.GetName}}" cannot delete `+apiGroupIfNotEmpty+resourceWithSubresourceIfNotEmpty+` in project "{{.Namespace}}"`))
+	messageResolver.addRootScopedForbiddenMessageMaker("delete", authorizationapi.ResourceAll, newTemplateForbiddenMessageMaker(`User "{{.User.GetName}}" cannot delete `+apiGroupIfNotEmpty+resourceWithSubresourceIfNotEmpty+` at the cluster scope`))
 
 	// project request rejection
 	projectRequestDeny := projectRequestForbiddenTemplate

pkg/authorization/authorizer/remote/authorizer.go

@@ -93,21 +93,19 @@ func (r *RemoteAuthorizer) GetAllowedSubjects(ctx kapi.Context, attributes autho
 }
 
 func getAction(namespace string, attributes authorizer.Action) authzapi.Action {
+	resource := attributes.GetResource()
+	if len(attributes.GetSubresource()) > 0 {
+		resource = resource + "/" + attributes.GetSubresource()
+	}
 	return authzapi.Action{
 		Namespace:    namespace,
 		Verb:         attributes.GetVerb(),
 		Group:        attributes.GetAPIGroup(),
 		Version:      attributes.GetAPIVersion(),
-		Resource:     attributes.GetResource(),
+		Resource:     resource,
 		ResourceName: attributes.GetResourceName(),
 
 		Path:             attributes.GetURL(),
 		IsNonResourceURL: attributes.IsNonResourceURL(),
-
-		// TODO: missing from authorizer.Action:
-		// Content
-
-		// TODO: missing from authzapi.Action
-		// RequestAttributes (unserializable?)
 	}
 }

pkg/cmd/server/kubernetes/node_auth.go

@@ -60,7 +60,8 @@ func (n NodeAuthorizerAttributesGetter) GetRequestAttributes(u user.Info, r *htt
 		APIVersion:   "v1",
 		APIGroup:     "",
 		Verb:         apiVerb,
-		Resource:     "nodes/proxy",
+		Resource:     "nodes",
+		Subresource:  "proxy",
 		ResourceName: n.nodeName,
 		URL:          r.URL.Path,
 	}

pkg/cmd/server/origin/master_config.go

@@ -826,9 +826,9 @@ func newAuthorizationAttributeBuilder(requestContextMapper kapi.RequestContextMa
 		sets.NewString(bootstrappolicy.AuthenticatedGroup),
 		requestInfoFactory,
 	)
-	personalSARRequestInfoResolveer := authorizer.NewPersonalSARRequestInfoResolver(browserSafeRequestInfoResolver)
+	personalSARRequestInfoResolver := authorizer.NewPersonalSARRequestInfoResolver(browserSafeRequestInfoResolver)
 
-	authorizationAttributeBuilder := authorizer.NewAuthorizationAttributeBuilder(requestContextMapper, personalSARRequestInfoResolveer)
+	authorizationAttributeBuilder := authorizer.NewAuthorizationAttributeBuilder(requestContextMapper, personalSARRequestInfoResolver)
 	return authorizationAttributeBuilder
 }
 

pkg/scheduler/admission/podnodeconstraints/admission.go

@@ -177,9 +177,10 @@ func (o *podNodeConstraints) Validate() error {
 func (o *podNodeConstraints) checkPodsBindAccess(attr admission.Attributes) (bool, error) {
 	ctx := kapi.WithUser(kapi.WithNamespace(kapi.NewContext(), attr.GetNamespace()), attr.GetUserInfo())
 	authzAttr := authorizer.DefaultAuthorizationAttributes{
-		Verb:     "create",
-		Resource: "pods/binding",
-		APIGroup: kapi.GroupName,
+		Verb:        "create",
+		Resource:    "pods",
+		Subresource: "binding",
+		APIGroup:    kapi.GroupName,
 	}
 	if attr.GetResource().GroupResource() == kapi.Resource("pods") {
 		authzAttr.ResourceName = attr.GetName()

pkg/service/admission/endpoint_admission.go

@@ -6,7 +6,6 @@ import (
 	"net"
 	"reflect"
 
-	authorizationapi "github.com/openshift/origin/pkg/authorization/api"
 	"github.com/openshift/origin/pkg/authorization/authorizer"
 	"github.com/openshift/origin/pkg/client"
 	oadmission "github.com/openshift/origin/pkg/cmd/server/admission"
@@ -86,7 +85,8 @@ func (r *restrictedEndpointsAdmission) checkAccess(attr kadmission.Attributes) (
 	ctx := kapi.WithUser(kapi.WithNamespace(kapi.NewContext(), attr.GetNamespace()), attr.GetUserInfo())
 	authzAttr := authorizer.DefaultAuthorizationAttributes{
 		Verb:         "create",
-		Resource:     authorizationapi.RestrictedEndpointsResource,
+		Resource:     "endpoints",
+		Subresource:  "restricted",
 		APIGroup:     kapi.GroupName,
 		ResourceName: attr.GetName(),
 	}