diff --git a/api/protobuf-spec/github_com_openshift_origin_pkg_authorization_api_v1.proto b/api/protobuf-spec/github_com_openshift_origin_pkg_authorization_api_v1.proto index bac97fece9a8..91acc13a79de 100644 --- a/api/protobuf-spec/github_com_openshift_origin_pkg_authorization_api_v1.proto +++ b/api/protobuf-spec/github_com_openshift_origin_pkg_authorization_api_v1.proto @@ -35,6 +35,12 @@ message Action { // ResourceName is the name of the resource being requested for a "get" or deleted for a "delete" optional string resourceName = 6; + // Path is the path of a non resource URL + optional string path = 8; + + // IsNonResourceURL is true if this is a request for a non-resource URL (outside of the resource hieraarchy) + optional bool isNonResourceURL = 9; + // Content is the actual content of the request for create and update optional k8s.io.kubernetes.pkg.runtime.RawExtension content = 7; } diff --git a/api/swagger-spec/oapi-v1.json b/api/swagger-spec/oapi-v1.json index 5252a16a5e43..bc0afc1ae584 100644 --- a/api/swagger-spec/oapi-v1.json +++ b/api/swagger-spec/oapi-v1.json @@ -27586,7 +27586,9 @@ "resourceAPIGroup", "resourceAPIVersion", "resource", - "resourceName" + "resourceName", + "path", + "isNonResourceURL" ], "properties": { "kind": { @@ -27621,6 +27623,14 @@ "type": "string", "description": "ResourceName is the name of the resource being requested for a \"get\" or deleted for a \"delete\"" }, + "path": { + "type": "string", + "description": "Path is the path of a non resource URL" + }, + "isNonResourceURL": { + "type": "boolean", + "description": "IsNonResourceURL is true if this is a request for a non-resource URL (outside of the resource hieraarchy)" + }, "content": { "type": "string", "description": "Content is the actual content of the request for create and update" @@ -27637,6 +27647,8 @@ "resourceAPIVersion", "resource", "resourceName", + "path", + "isNonResourceURL", "user", "groups", "scopes" 
@@ -27674,6 +27686,14 @@ "type": "string", "description": "ResourceName is the name of the resource being requested for a \"get\" or deleted for a \"delete\"" }, + "path": { + "type": "string", + "description": "Path is the path of a non resource URL" + }, + "isNonResourceURL": { + "type": "boolean", + "description": "IsNonResourceURL is true if this is a request for a non-resource URL (outside of the resource hieraarchy)" + }, "content": { "type": "string", "description": "Content is the actual content of the request for create and update" @@ -28746,7 +28766,9 @@ "resourceAPIGroup", "resourceAPIVersion", "resource", - "resourceName" + "resourceName", + "path", + "isNonResourceURL" ], "properties": { "kind": { @@ -28781,6 +28803,14 @@ "type": "string", "description": "ResourceName is the name of the resource being requested for a \"get\" or deleted for a \"delete\"" }, + "path": { + "type": "string", + "description": "Path is the path of a non resource URL" + }, + "isNonResourceURL": { + "type": "boolean", + "description": "IsNonResourceURL is true if this is a request for a non-resource URL (outside of the resource hieraarchy)" + }, "content": { "type": "string", "description": "Content is the actual content of the request for create and update" @@ -29333,6 +29363,8 @@ "resourceAPIVersion", "resource", "resourceName", + "path", + "isNonResourceURL", "user", "groups", "scopes" @@ -29370,6 +29402,14 @@ "type": "string", "description": "ResourceName is the name of the resource being requested for a \"get\" or deleted for a \"delete\"" }, + "path": { + "type": "string", + "description": "Path is the path of a non resource URL" + }, + "isNonResourceURL": { + "type": "boolean", + "description": "IsNonResourceURL is true if this is a request for a non-resource URL (outside of the resource hieraarchy)" + }, "content": { "type": "string", "description": "Content is the actual content of the request for create and update" 
diff --git a/api/swagger-spec/openshift-openapi-spec.json b/api/swagger-spec/openshift-openapi-spec.json index afecdaaf3d85..1b44c25ec27a 100644 --- a/api/swagger-spec/openshift-openapi-spec.json +++ b/api/swagger-spec/openshift-openapi-spec.json @@ -51992,7 +51992,9 @@ "resourceAPIGroup", "resourceAPIVersion", "resource", - "resourceName" + "resourceName", + "path", + "isNonResourceURL" ], "properties": { "apiVersion": { @@ -52003,6 +52005,10 @@ "description": "Content is the actual content of the request for create and update", "$ref": "#/definitions/runtime.RawExtension" }, + "isNonResourceURL": { + "description": "IsNonResourceURL is true if this is a request for a non-resource URL (outside of the resource hieraarchy)", + "type": "boolean" + }, "kind": { "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: http://releases.k8s.io/HEAD/docs/devel/api-conventions.md#types-kinds", "type": "string" @@ -52011,6 +52017,10 @@ "description": "Namespace is the namespace of the action being requested. Currently, there is no distinction between no namespace and all namespaces", "type": "string" }, + "path": { + "description": "Path is the path of a non resource URL", + "type": "string" + }, "resource": { "description": "Resource is one of the existing resource types", "type": "string" @@ -52042,6 +52052,8 @@ "resourceAPIVersion", "resource", "resourceName", + "path", + "isNonResourceURL", "user", "groups", "scopes" 
@@ -52062,6 +52074,10 @@ "type": "string" } }, + "isNonResourceURL": { + "description": "IsNonResourceURL is true if this is a request for a non-resource URL (outside of the resource hieraarchy)", + "type": "boolean" + }, "kind": { "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: http://releases.k8s.io/HEAD/docs/devel/api-conventions.md#types-kinds", "type": "string" @@ -52070,6 +52086,10 @@ "description": "Namespace is the namespace of the action being requested. Currently, there is no distinction between no namespace and all namespaces", "type": "string" }, + "path": { + "description": "Path is the path of a non resource URL", + "type": "string" + }, "resource": { "description": "Resource is one of the existing resource types", "type": "string" @@ -54480,7 +54500,9 @@ "resourceAPIGroup", "resourceAPIVersion", "resource", - "resourceName" + "resourceName", + "path", + "isNonResourceURL" ], "properties": { "apiVersion": { @@ -54491,6 +54513,10 @@ "description": "Content is the actual content of the request for create and update", "$ref": "#/definitions/runtime.RawExtension" }, + "isNonResourceURL": { + "description": "IsNonResourceURL is true if this is a request for a non-resource URL (outside of the resource hieraarchy)", + "type": "boolean" + }, "kind": { "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: http://releases.k8s.io/HEAD/docs/devel/api-conventions.md#types-kinds", "type": "string" 
@@ -54499,6 +54525,10 @@ "description": "Namespace is the namespace of the action being requested. Currently, there is no distinction between no namespace and all namespaces", "type": "string" }, + "path": { + "description": "Path is the path of a non resource URL", + "type": "string" + }, "resource": { "description": "Resource is one of the existing resource types", "type": "string" @@ -56019,6 +56049,8 @@ "resourceAPIVersion", "resource", "resourceName", + "path", + "isNonResourceURL", "user", "groups", "scopes" @@ -56039,6 +56071,10 @@ "type": "string" } }, + "isNonResourceURL": { + "description": "IsNonResourceURL is true if this is a request for a non-resource URL (outside of the resource hieraarchy)", + "type": "boolean" + }, "kind": { "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: http://releases.k8s.io/HEAD/docs/devel/api-conventions.md#types-kinds", "type": "string" @@ -56047,6 +56083,10 @@ "description": "Namespace is the namespace of the action being requested. Currently, there is no distinction between no namespace and all namespaces", "type": "string" }, + "path": { + "description": "Path is the path of a non resource URL", + "type": "string" + }, "resource": { "description": "Resource is one of the existing resource types", "type": "string" diff --git a/pkg/authorization/api/types.go b/pkg/authorization/api/types.go index e914cab101ed..0f86a24eca53 100644 --- a/pkg/authorization/api/types.go +++ b/pkg/authorization/api/types.go 
@@ -291,6 +291,10 @@ type Action struct {
 	Resource string
 	// ResourceName is the name of the resource being requested for a "get" or deleted for a "delete"
 	ResourceName string
+	// Path is the path of a non resource URL
+	Path string
+	// IsNonResourceURL is true if this is a request for a non-resource URL (outside of the resource hieraarchy)
+	IsNonResourceURL bool
 	// Content is the actual content of the request for create and update
 	Content kruntime.Object
 }
diff --git a/pkg/authorization/api/v1/generated.pb.go b/pkg/authorization/api/v1/generated.pb.go
index b10f05452572..63783de20074 100644
--- a/pkg/authorization/api/v1/generated.pb.go
+++ b/pkg/authorization/api/v1/generated.pb.go
@@ -366,6 +366,18 @@ func (m *Action) MarshalTo(data []byte) (int, error) {
 		return 0, err
 	}
 	i += n1
+	data[i] = 0x42
+	i++
+	i = encodeVarintGenerated(data, i, uint64(len(m.Path)))
+	i += copy(data[i:], m.Path)
+	data[i] = 0x48
+	i++
+	if m.IsNonResourceURL {
+		data[i] = 1
+	} else {
+		data[i] = 0
+	}
+	i++
 	return i, nil
 }
 
@@ -2159,6 +2171,9 @@ func (m *Action) Size() (n int) {
 	n += 1 + l + sovGenerated(uint64(l))
 	l = m.Content.Size()
 	n += 1 + l + sovGenerated(uint64(l))
+	l = len(m.Path)
+	n += 1 + l + sovGenerated(uint64(l))
+	n += 2
 	return n
 }
 
@@ -2816,6 +2831,8 @@ func (this *Action) String() string {
 		`Resource:` + fmt.Sprintf("%v", this.Resource) + `,`,
 		`ResourceName:` + fmt.Sprintf("%v", this.ResourceName) + `,`,
 		`Content:` + strings.Replace(strings.Replace(this.Content.String(), "RawExtension", "k8s_io_kubernetes_pkg_runtime.RawExtension", 1), `&`, ``, 1) + `,`,
+		`Path:` + fmt.Sprintf("%v", this.Path) + `,`,
+		`IsNonResourceURL:` + fmt.Sprintf("%v", this.IsNonResourceURL) + `,`,
 		`}`,
 	}, "")
 	return s
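Review bot: The new field comments on `Path` and `IsNonResourceURL` leave the contract between them and the `Resource*` fields above undocumented, and `hieraarchy` is misspelled in the `IsNonResourceURL` comment, a typo this diff then propagates into the proto, swagger and OpenAPI specs. Because `Action` is the input to authorization decisions, the struct should say whether `Resource`, `ResourceName` and the API group/version fields are ignored when `IsNonResourceURL` is true, and whether `Path` is the normalized request path without a query string, since path-based rules are only as safe as the normalization applied before the match; the authorizer and validation code are not in this diff, so the exact wording needs confirming against them. I would write `// Path is the path of a non-resource URL (the request path without query string); only meaningful when IsNonResourceURL is true.` and `// IsNonResourceURL is true if this is a request for a non-resource URL (outside of the resource hierarchy); when set, the Resource* fields are expected to be empty.` The swagger hunks in this diff also list `path` and `isNonResourceURL` as required, which suggests the v1 tags lack `omitempty`; that matches the existing fields' convention, but it means clients unaware of these fields fail strict schema validation, so it should be a conscious decision. The `Action` struct definition starts before this hunk.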
@@ -3523,6 +3540,55 @@ func (m *Action) Unmarshal(data []byte) error {
 				return err
 			}
 			iNdEx = postIndex
+		case 8:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Path", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := data[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Path = string(data[iNdEx:postIndex])
+			iNdEx = postIndex
+		case 9:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field IsNonResourceURL", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := data[iNdEx]
+				iNdEx++
+				v |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.IsNonResourceURL = bool(v != 0)
 		default:
 			iNdEx = preIndex
 			skippy, err := skipGenerated(data[iNdEx:])
@@ -8883,132 +8949,134 @@ var ( ) var fileDescriptorGenerated = []byte{ - // 2019 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x09, 0x6e, 0x88, 0x02, 0xff, 0xec, 0x59, 0xcd, 0x6f, 0x1b, 0xc7, - 0x15, 0xd7, 0x90, 0x14, 0x25, 0x3e, 0x4a, 0x96, 0x34, 0x56, 0xec, 0xb5, 0x52, 0x8b, 0xc2, 0x22, - 0x68, 0x15, 0x24, 0x26, 0x6b, 0x21, 0x45, 0x53, 0x37, 0x80, 0x2b, 0x3a, 0x8e, 0xeb, 0x42, 0xb6, - 0x85, 0x51, 0x63, 0x04, 0xe9, 0x47, 0xb0, 0x5c, 0x8d, 0xa8, 0xad, 0x57, 0xbb, 0xec, 0xce, 0x2e, - 0x9d, 0xf6, 0x52, 0x1f, 0xd2, 0x0f, 0xa0, 0x3d, 0xe4, 0x52, 0xa4, 0xbd, 0x15, 0x28, 0xd0, 0x4b, - 0x8b, 0x5e, 0x7b, 0x69, 0x6f, 0x05, 0x2a, 0xf4, 0x10, 0x04, 0xe8, 0xc5, 0x87, 0x84, 0xad, 0xd9, - 0x22, 0x87, 0x1e, 0xfa, 0x07, 0x04, 0x3d, 0x14, 0x33, 0x3b, 0xfb, 0xc9, 0x5d, 0x98, 0x22, 0x29, - 0xa2, 0x31, 0x7c, 0x92, 0x76, 0xe6, 0xcd, 0xfb, 0x9e, 0xdf, 0xbc, 0xf7, 0x08, 0xaf, 0xb6, 0x0d, - 0xf7, 0xd0, 0x6b, 0xd5, 0x75, 0xfb, 0xa8, 0x61, 0x77, 0xa8, 0xc5, 0x0e, 0x8d, 0x03, 0xb7, 0x61, - 0x3b, 0x46, 0xdb, 0xb0, 0x1a, 0x9d, 0x7b, 0xed, 0x86, 0xe6, 0xb9, 0x87, 0xb6, 0x63, 0x7c, 0x5f, - 0x73, 0x0d, 0xdb, 0x6a, 0x68, 0x1d, 0xa3, 0xd1, 0xbd, 0xdc, 0x68, 0x53, 0x8b, 0x3a, 0x9a, 0x4b, - 0xf7, 0xeb, 0x1d, 0xc7, 0x76, 0x6d, 0xfc, 0x52, 0xc4, 0xa5, 0x1e, 0x72, 0xa9, 0xfb, 0x5c, 0xea, - 0x9d, 0x7b, 0xed, 0x7a, 0x82, 0x4b, 0x5d, 0xeb, 0x18, 0xf5, 0xee, 0xe5, 0xb5, 0x4b, 0x31, 0xd9, - 0x6d, 0xbb, 0x6d, 0x37, 0x04, 0xb3, 0x96, 0x77, 0x20, 0xbe, 0xc4, 0x87, 0xf8, 0xcf, 0x17, 0xb2, - 0xf6, 0x85, 0x7b, 0x2f, 0xb3, 0xba, 0x61, 0x37, 0xee, 0x79, 0x2d, 0xea, 0x58, 0xd4, 0xa5, 0xcc, - 0x57, 0xb0, 0x63, 0x34, 0x3c, 0xab, 0x4b, 0x1d, 0x66, 0xd8, 0x16, 0xdd, 0x4f, 0xeb, 0xb6, 0xf6, - 0x62, 0xfe, 0xb1, 0x41, 0x4b, 0xd6, 0x2e, 0x65, 0x53, 0x3b, 0x9e, 0xe5, 0x1a, 0x47, 0x74, 0x80, - 0xfc, 0x72, 0x36, 0xb9, 0xe7, 0x1a, 0x66, 0xc3, 0xb0, 0x5c, 0xe6, 0x3a, 0xe9, 0x23, 0xea, 0x7b, - 0x45, 0x28, 0x6f, 0xeb, 0xdc, 0x0f, 0xb8, 0x01, 0x15, 0x4b, 0x3b, 0xa2, 0xac, 0xa3, 0xe9, 0x54, - 0x41, 0x1b, 
0x68, 0xb3, 0xd2, 0x5c, 0x39, 0xee, 0xd5, 0x66, 0xfa, 0xbd, 0x5a, 0xe5, 0x76, 0xb0, - 0x41, 0x22, 0x1a, 0xbc, 0x01, 0xa5, 0x2e, 0x75, 0x5a, 0x4a, 0x41, 0xd0, 0x2e, 0x48, 0xda, 0xd2, - 0x5d, 0xea, 0xb4, 0x88, 0xd8, 0xc1, 0x5f, 0x82, 0x65, 0x87, 0x32, 0xdb, 0x73, 0x74, 0xba, 0xbd, - 0x7b, 0xf3, 0x86, 0x63, 0x7b, 0x1d, 0xa5, 0x28, 0xa8, 0x17, 0x25, 0xf5, 0xac, 0x58, 0x24, 0x03, - 0x64, 0xf8, 0x2a, 0xe0, 0xd8, 0xda, 0x5d, 0xdf, 0xa1, 0x4a, 0x49, 0x1c, 0x5e, 0x92, 0x87, 0xe7, - 0xe4, 0x32, 0xc9, 0x20, 0xc5, 0x2f, 0xc2, 0x7c, 0xb0, 0xaa, 0xcc, 0x8a, 0x63, 0xcb, 0xf2, 0xd8, - 0x3c, 0x91, 0xeb, 0x24, 0xa4, 0xc0, 0x2f, 0xc3, 0x42, 0xf0, 0x3f, 0xb7, 0x55, 0x29, 0x8b, 0x13, - 0xab, 0xf2, 0xc4, 0x02, 0x89, 0xed, 0x91, 0x04, 0x25, 0xbe, 0x0b, 0x73, 0xba, 0x6d, 0xb9, 0xd4, - 0x72, 0x95, 0xb9, 0x0d, 0xb4, 0x59, 0xdd, 0x7a, 0xa1, 0xee, 0x87, 0xa1, 0x1e, 0x85, 0x41, 0x64, - 0x9d, 0x8c, 0x5a, 0x9d, 0x68, 0xf7, 0xaf, 0xbf, 0xed, 0x52, 0x8b, 0x6b, 0x19, 0x99, 0x72, 0xcd, - 0xe7, 0x41, 0x02, 0x66, 0xea, 0xdf, 0x0a, 0xb0, 0x78, 0xcd, 0xf4, 0x98, 0x4b, 0x9d, 0x5d, 0xdb, - 0x34, 0xf4, 0xef, 0xe1, 0x37, 0x60, 0xfe, 0x88, 0xba, 0xda, 0xbe, 0xe6, 0x6a, 0x22, 0x3e, 0xd5, - 0xad, 0xcd, 0x1c, 0x51, 0x7e, 0x4a, 0xd7, 0xef, 0xb4, 0xbe, 0x43, 0x75, 0xf7, 0x16, 0x75, 0xb5, - 0x26, 0x96, 0x72, 0x20, 0x5a, 0x23, 0x21, 0x37, 0x4c, 0x61, 0xc1, 0xd4, 0x98, 0x7b, 0xcb, 0xde, - 0x37, 0x0e, 0x0c, 0xba, 0x2f, 0x22, 0x9a, 0x6f, 0x08, 0xe7, 0x1e, 0xcb, 0xf1, 0xfa, 0xd7, 0x8d, - 0x23, 0x1a, 0xb9, 0x6a, 0x27, 0xc6, 0x88, 0x24, 0xd8, 0xe2, 0x07, 0x08, 0x66, 0x1d, 0xdb, 0xa4, - 0x4c, 0x29, 0x6e, 0x14, 0x37, 0xab, 0x5b, 0xaf, 0xd5, 0x47, 0xb9, 0xa9, 0x75, 0xee, 0xf6, 0x7d, - 0xe9, 0x1a, 0x62, 0x9b, 0xb4, 0xa9, 0x06, 0xc9, 0xc4, 0xbf, 0xd8, 0x27, 0xbd, 0xda, 0x4a, 0x9a, - 0x84, 0x11, 0x5f, 0xb0, 0xfa, 0x51, 0x11, 0x56, 0x13, 0x5e, 0x6d, 0x1a, 0xd6, 0xbe, 0x61, 0xb5, - 0x3f, 0xfd, 0xce, 0xfd, 0x36, 0x54, 0x3a, 0xc2, 0x22, 0x42, 0x0f, 0xc4, 0x25, 0xab, 0x6e, 0x5d, - 0x1a, 0xc6, 0x02, 0x42, 0x0f, 0xa8, 0x43, 0x2d, 
0x9d, 0x46, 0xb7, 0x7d, 0x37, 0xe0, 0x43, 0x22, - 0x96, 0xf8, 0xd7, 0x08, 0x16, 0xb8, 0x0f, 0xa5, 0xc3, 0x98, 0x52, 0x12, 0x31, 0xbc, 0x35, 0xa1, - 0x18, 0xfa, 0x5c, 0x9b, 0x9f, 0x0f, 0x6f, 0x5c, 0x4c, 0xd4, 0x27, 0xbd, 0x9a, 0x92, 0x73, 0x80, - 0x91, 0x84, 0x52, 0xea, 0xbf, 0x11, 0x28, 0x59, 0xf1, 0xdd, 0x31, 0x98, 0x8b, 0xbf, 0x35, 0x10, - 0xe3, 0xc6, 0x90, 0x51, 0xe0, 0xc7, 0x45, 0xa8, 0x43, 0x0c, 0x09, 0x56, 0x62, 0x81, 0xb6, 0x61, - 0xd6, 0x70, 0xe9, 0x11, 0x53, 0x0a, 0xc2, 0x33, 0x5f, 0x1b, 0xcd, 0x33, 0x59, 0xda, 0x47, 0x70, - 0x79, 0x93, 0x0b, 0x20, 0xbe, 0x1c, 0xf5, 0x43, 0x04, 0x2b, 0x09, 0xf2, 0x69, 0x58, 0x79, 0x98, - 0xb4, 0xf2, 0xda, 0x24, 0xac, 0xcc, 0x36, 0xef, 0x7d, 0x04, 0xd5, 0x58, 0xc4, 0x4f, 0xf5, 0x8a, - 0xce, 0x3a, 0x1e, 0xc7, 0x25, 0xdf, 0xa6, 0xaf, 0x8c, 0x66, 0x93, 0xbc, 0x36, 0x9e, 0x49, 0x23, - 0x83, 0xf8, 0x17, 0x07, 0x1f, 0xfe, 0x47, 0xfd, 0x59, 0x09, 0xf0, 0x60, 0x0a, 0x9f, 0xa2, 0x5d, - 0x1d, 0xa8, 0x78, 0x8c, 0x3a, 0xe2, 0xf5, 0x96, 0xb8, 0x33, 0x62, 0xbc, 0xee, 0x74, 0xf8, 0x97, - 0x66, 0x0a, 0x56, 0xcd, 0x45, 0x8e, 0x12, 0xaf, 0x07, 0x9c, 0x49, 0x24, 0x04, 0x33, 0x80, 0x36, - 0x7f, 0xbf, 0x7d, 0x91, 0xc5, 0xc9, 0x89, 0x3c, 0xc3, 0x8d, 0xbc, 0x11, 0xb2, 0x26, 0x31, 0x31, - 0xf8, 0x1b, 0x30, 0xcf, 0x3c, 0x61, 0x7f, 0x80, 0x4a, 0x27, 0x44, 0xbe, 0x30, 0xdf, 0xf7, 0x24, - 0x1b, 0x12, 0x32, 0xc4, 0x6f, 0xc0, 0x1c, 0x47, 0x18, 0x8e, 0xaa, 0xb3, 0xa3, 0xa0, 0x6a, 0xf8, - 0xc2, 0x13, 0x9f, 0x0b, 0x09, 0xd8, 0xa9, 0x1f, 0x23, 0x38, 0x37, 0x98, 0x0e, 0xd3, 0xb8, 0xc3, - 0x47, 0xc9, 0x3b, 0xfc, 0xd5, 0xb1, 0xee, 0x70, 0x1c, 0xbe, 0xb3, 0x2f, 0xf2, 0x43, 0x04, 0x4b, - 0x31, 0xe2, 0x69, 0x58, 0x78, 0x90, 0xb4, 0x70, 0x7b, 0x7c, 0x0b, 0xb3, 0x4d, 0x7b, 0x0f, 0xc1, - 0xb2, 0x5f, 0xc2, 0x52, 0xe6, 0x3a, 0x86, 0x5f, 0x49, 0xab, 0x50, 0x16, 0xd9, 0xc9, 0x14, 0xb4, - 0x51, 0xdc, 0xac, 0x34, 0xa1, 0xdf, 0xab, 0x95, 0x05, 0x15, 0x23, 0x72, 0x07, 0xbf, 0x05, 0x65, - 0x53, 0x6b, 0x51, 0x33, 0xd0, 0xf0, 0xa5, 0x61, 0xad, 0xe7, 0x87, 0xf6, 0xa8, 0x49, 
0x75, 0xd7, - 0x76, 0xa2, 0x27, 0x3b, 0x58, 0x61, 0x44, 0xb2, 0x55, 0x6b, 0x70, 0xf1, 0x26, 0xdb, 0xa5, 0x0e, - 0xe3, 0x77, 0x48, 0xe6, 0xf5, 0xb6, 0xae, 0x53, 0xc6, 0x08, 0xed, 0x1a, 0xf4, 0xbe, 0x7a, 0x1f, - 0x2e, 0xec, 0xd8, 0xba, 0x66, 0x06, 0xb5, 0x6d, 0x7c, 0x13, 0xbf, 0x19, 0xb4, 0x05, 0x32, 0x38, - 0xaf, 0x8c, 0xe6, 0x40, 0x9f, 0x47, 0xb3, 0xc4, 0xd5, 0x24, 0x65, 0x4d, 0x7c, 0xa9, 0xbf, 0x2d, - 0x80, 0x22, 0x24, 0x67, 0x68, 0x75, 0x9a, 0x82, 0x79, 0xc3, 0xc2, 0x91, 0x2a, 0xdd, 0xb0, 0x70, - 0x20, 0x23, 0x62, 0x07, 0x7f, 0x2e, 0x8c, 0x5c, 0x51, 0x44, 0x6e, 0xa9, 0xdf, 0xab, 0x55, 0xfd, - 0xc8, 0xed, 0x99, 0x86, 0x4e, 0xc3, 0xf0, 0x1d, 0x42, 0x99, 0xe9, 0x76, 0x87, 0x32, 0xd1, 0x92, - 0x54, 0xb7, 0x5e, 0x1d, 0x0f, 0xe3, 0xf6, 0x04, 0x2f, 0x3f, 0x51, 0xfc, 0xff, 0x89, 0xe4, 0xaf, - 0xfe, 0x12, 0xc1, 0x72, 0xba, 0xf8, 0xe1, 0x96, 0xf0, 0x3e, 0x4c, 0xb6, 0x69, 0xa1, 0x25, 0xa2, - 0x3d, 0x11, 0x3b, 0x58, 0x87, 0x12, 0xc7, 0x19, 0x89, 0xfa, 0x13, 0xc8, 0xff, 0x50, 0x88, 0xc0, - 0x31, 0xc1, 0x5c, 0xfd, 0x23, 0x82, 0xf3, 0x39, 0x85, 0xd9, 0x10, 0x2a, 0xfe, 0x00, 0xaa, 0xb1, - 0xda, 0x4d, 0x6a, 0x3a, 0x39, 0x2c, 0x3a, 0x2b, 0x45, 0x56, 0x63, 0x8b, 0x24, 0x2e, 0x51, 0xfd, - 0x29, 0x02, 0xd1, 0xd9, 0xee, 0x0f, 0xe9, 0xd3, 0x6f, 0x26, 0x7c, 0x7a, 0x65, 0x34, 0x4d, 0x73, - 0x9d, 0xf9, 0xfb, 0x20, 0xd0, 0x27, 0xf3, 0xe2, 0xdb, 0x59, 0x5e, 0xdc, 0x1e, 0x43, 0xb7, 0xa1, - 0xdd, 0x77, 0x05, 0x16, 0x13, 0x6f, 0x34, 0xae, 0x05, 0xa0, 0xeb, 0xc3, 0x5e, 0x25, 0x8d, 0x96, - 0x57, 0xe6, 0x7f, 0xf1, 0xab, 0xda, 0xcc, 0x83, 0x0f, 0x37, 0x66, 0xd4, 0x2f, 0xc3, 0x99, 0x64, - 0xee, 0x9f, 0xe4, 0xf0, 0x9f, 0x0a, 0x50, 0x7e, 0x52, 0x7a, 0x62, 0x27, 0xd9, 0x12, 0x5f, 0x1d, - 0xa3, 0x9d, 0x12, 0x81, 0x7a, 0x36, 0xdd, 0x0b, 0x43, 0xb8, 0x17, 0x36, 0xc1, 0xc7, 0x45, 0x58, - 0x7c, 0xda, 0xfd, 0x9e, 0xa8, 0xfb, 0xfd, 0x79, 0x76, 0xf7, 0xfb, 0xda, 0xb8, 0xe1, 0x92, 0x97, - 0xed, 0xf9, 0x9c, 0xb6, 0x77, 0x25, 0x4d, 0x99, 0xee, 0x77, 0x79, 0x0b, 0x38, 0xf5, 0x46, 0x77, - 0x32, 0x2d, 0xe0, 0x30, 
0x1d, 0xee, 0xfb, 0x08, 0x60, 0x7a, 0xad, 0xad, 0x96, 0xb4, 0xeb, 0x95, - 0xb1, 0xec, 0xca, 0x36, 0xe8, 0xc7, 0xc5, 0xc0, 0x20, 0xde, 0x19, 0x72, 0xd0, 0xeb, 0x52, 0xa7, - 0x95, 0x00, 0xbd, 0xbb, 0x7c, 0x81, 0xf8, 0xeb, 0xf8, 0x01, 0x82, 0x67, 0x34, 0xd7, 0x75, 0x8c, - 0x96, 0xe7, 0xd2, 0x58, 0x8d, 0xc9, 0x1e, 0x73, 0x91, 0x32, 0x87, 0x8d, 0x17, 0xa5, 0x4a, 0xcf, - 0x6c, 0x67, 0x71, 0x24, 0xd9, 0x82, 0xf0, 0x0b, 0x50, 0xd1, 0x3a, 0xc6, 0x8d, 0x78, 0x59, 0x24, - 0xfa, 0xbf, 0x60, 0x54, 0xcb, 0x48, 0xb4, 0xcf, 0x89, 0x83, 0xe9, 0xa8, 0x7f, 0x47, 0x24, 0x71, - 0x50, 0x64, 0x32, 0x12, 0xed, 0xe3, 0x2f, 0xc2, 0x62, 0x7c, 0x94, 0xca, 0x94, 0x59, 0x71, 0x60, - 0xa5, 0xdf, 0xab, 0x2d, 0xc6, 0x27, 0xae, 0x8c, 0x24, 0xe9, 0x70, 0x13, 0x96, 0x2c, 0xdb, 0x0a, - 0x48, 0x5e, 0x27, 0x3b, 0x4c, 0x29, 0x8b, 0xa3, 0x4a, 0xbf, 0x57, 0x5b, 0xbd, 0x9d, 0xdc, 0xf2, - 0x0b, 0xb7, 0xf4, 0x01, 0xd5, 0x81, 0xd5, 0xa9, 0x57, 0xbe, 0x7f, 0x47, 0xf0, 0x99, 0x2c, 0xa1, - 0x84, 0xb2, 0x8e, 0x6d, 0x31, 0x7a, 0xf2, 0x19, 0xfc, 0x73, 0x30, 0xcb, 0x0b, 0x57, 0x3f, 0x65, - 0x2b, 0x7e, 0x97, 0xcc, 0xeb, 0x59, 0x69, 0xb5, 0xbf, 0x39, 0x7c, 0x59, 0x7b, 0x15, 0xce, 0xd0, - 0xae, 0x66, 0x7a, 0x5c, 0xdb, 0xeb, 0x8e, 0x63, 0x3b, 0x72, 0xe2, 0x7e, 0x5e, 0x2a, 0xb1, 0x74, - 0x9d, 0xef, 0x6a, 0xe1, 0x36, 0x49, 0x91, 0xab, 0x7f, 0x41, 0x50, 0x7a, 0x32, 0x86, 0x35, 0x3f, - 0x2c, 0x41, 0xf5, 0xe9, 0x94, 0xe6, 0xe9, 0x94, 0xe6, 0x21, 0x82, 0xa5, 0x29, 0x8f, 0x67, 0x26, - 0x33, 0xbc, 0x78, 0xfc, 0x5c, 0xe6, 0x63, 0x04, 0xe7, 0xe2, 0xd5, 0x7d, 0x6c, 0x84, 0x71, 0x7a, - 0xd9, 0xee, 0x40, 0x89, 0x75, 0xa8, 0x2e, 0x13, 0x7d, 0x77, 0x6c, 0xdb, 0x62, 0x5a, 0xef, 0x75, - 0xa8, 0x1e, 0xf5, 0x48, 0xfc, 0x8b, 0x08, 0x59, 0xea, 0x7f, 0x10, 0xac, 0x65, 0x1f, 0x99, 0x46, - 0x38, 0xbf, 0x9b, 0x0c, 0xe7, 0xce, 0x24, 0x4d, 0xce, 0x89, 0xec, 0x47, 0xc5, 0x3c, 0x83, 0xb9, - 0x57, 0xf0, 0x3b, 0x08, 0x96, 0x38, 0x1a, 0x38, 0xd1, 0xba, 0x34, 0xfc, 0xfa, 0x68, 0xca, 0x89, - 0x11, 0x4a, 0x4c, 0xab, 0xb3, 0xfc, 0xad, 0x48, 0x2d, 0x92, 
0xb4, 0x48, 0xfc, 0x13, 0x04, 0xcb, - 0x02, 0x20, 0xe2, 0x7a, 0xf8, 0x79, 0x31, 0x62, 0x61, 0x9d, 0x1e, 0xc5, 0x35, 0x57, 0xfb, 0xbd, - 0xda, 0xc0, 0x80, 0x8e, 0x0c, 0x48, 0xc5, 0xbf, 0x43, 0x70, 0x81, 0x51, 0xa7, 0x6b, 0xe8, 0x54, - 0xd3, 0x75, 0xdb, 0xb3, 0xdc, 0xb8, 0x4e, 0x3e, 0x42, 0xde, 0x19, 0x4d, 0xa7, 0x3d, 0x9f, 0xed, - 0xb6, 0xcf, 0x36, 0xae, 0xdc, 0xc5, 0x7e, 0xaf, 0x76, 0x21, 0x77, 0x9b, 0xe4, 0x2b, 0xa4, 0xfe, - 0x15, 0xc1, 0xfc, 0xb4, 0x46, 0xa9, 0x6f, 0x25, 0xd3, 0x77, 0x9c, 0xb1, 0x47, 0x76, 0xb2, 0xbe, - 0x53, 0x80, 0x73, 0x7b, 0xd4, 0x3c, 0x90, 0xb0, 0xee, 0xbf, 0xc2, 0x7e, 0x31, 0x16, 0x80, 0x05, - 0x1a, 0x07, 0x2c, 0xb2, 0x79, 0xe7, 0x81, 0x05, 0xee, 0x42, 0x99, 0xb9, 0x9a, 0xeb, 0x05, 0x6f, - 0xf1, 0xed, 0x11, 0xa5, 0x0e, 0x4a, 0x14, 0x5c, 0x9b, 0x67, 0xa4, 0xcc, 0xb2, 0xff, 0x4d, 0xa4, - 0x34, 0xf5, 0x47, 0x08, 0xd6, 0xf2, 0x55, 0x8d, 0x4d, 0x1c, 0xd1, 0x29, 0x4f, 0x1c, 0x4d, 0x38, - 0x9f, 0x4e, 0x4a, 0xf9, 0x4c, 0x0e, 0x31, 0x8e, 0x4a, 0x54, 0xb0, 0x85, 0xc7, 0x57, 0xb0, 0x6a, - 0x0f, 0x41, 0xfe, 0x1d, 0xc0, 0xef, 0x22, 0x58, 0x4a, 0x5e, 0x03, 0xbf, 0x57, 0x1a, 0xf9, 0x87, - 0xe7, 0x1c, 0xcb, 0xa2, 0x0a, 0x37, 0x49, 0xc0, 0x48, 0x5a, 0x3c, 0xae, 0x03, 0x84, 0xda, 0x27, - 0xea, 0xee, 0xd0, 0x3c, 0x46, 0x62, 0x14, 0xea, 0x6f, 0x0a, 0x70, 0xf6, 0xe9, 0xa4, 0x7b, 0x88, - 0xbc, 0xfb, 0x17, 0x82, 0x67, 0x33, 0x1c, 0x35, 0x7a, 0x73, 0xf4, 0x3c, 0xcc, 0x69, 0xa6, 0x69, - 0xdf, 0x97, 0x63, 0xa7, 0xf9, 0xa8, 0xca, 0xdb, 0xf6, 0x97, 0x49, 0xb0, 0x8f, 0x3f, 0x0b, 0x65, - 0x87, 0x6a, 0x4c, 0x62, 0x7d, 0x25, 0xba, 0xa4, 0x44, 0xac, 0x12, 0xb9, 0x8b, 0xb7, 0x61, 0x89, - 0x26, 0x5b, 0xa0, 0xc7, 0x75, 0x48, 0x69, 0x7a, 0xf5, 0xbf, 0x08, 0x70, 0x06, 0xd4, 0x59, 0x09, - 0xa8, 0xdb, 0x99, 0x18, 0xe8, 0xfc, 0xbf, 0xc1, 0xdc, 0x31, 0x82, 0x73, 0x39, 0x10, 0x17, 0x64, - 0x2d, 0xca, 0xcd, 0xda, 0xe8, 0x97, 0xb5, 0x42, 0xee, 0x2f, 0x6b, 0x51, 0xc2, 0x16, 0x4f, 0x39, - 0x61, 0xff, 0x8c, 0x40, 0xc9, 0xb3, 0x3f, 0x6a, 0x53, 0xd1, 0x69, 0xb6, 0xa9, 0x59, 0x09, 0x59, - 
0x38, 0x61, 0x42, 0xfe, 0x01, 0x41, 0xba, 0x56, 0xc3, 0xb5, 0x60, 0xae, 0x10, 0x1b, 0x4c, 0x89, - 0xb9, 0x42, 0x30, 0x52, 0x18, 0x26, 0x12, 0xd1, 0x6f, 0x9c, 0xc5, 0x53, 0xf9, 0x8d, 0xb3, 0xf9, - 0xdc, 0xf1, 0xa3, 0xf5, 0x99, 0x0f, 0x1e, 0xad, 0xcf, 0x3c, 0x7c, 0xb4, 0x3e, 0xf3, 0xa0, 0xbf, - 0x8e, 0x8e, 0xfb, 0xeb, 0xe8, 0x83, 0xfe, 0x3a, 0xfa, 0x47, 0x7f, 0x1d, 0xbd, 0xfb, 0xcf, 0xf5, - 0x99, 0x37, 0x0b, 0xdd, 0xcb, 0xff, 0x0b, 0x00, 0x00, 0xff, 0xff, 0x52, 0x10, 0xca, 0xe1, 0x56, - 0x2a, 0x00, 0x00, + // 2059 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x09, 0x6e, 0x88, 0x02, 0xff, 0xec, 0x59, 0xcd, 0x6f, 0x1c, 0x49, + 0x15, 0x77, 0xcd, 0x8c, 0xc7, 0x9e, 0x37, 0x76, 0x6c, 0x57, 0xbc, 0x49, 0xc7, 0x4b, 0x3c, 0x56, + 0x6b, 0x05, 0x5e, 0xed, 0x66, 0x86, 0x58, 0x8b, 0x58, 0xc2, 0x4a, 0xc1, 0x93, 0x64, 0x43, 0x90, + 0x93, 0x58, 0x65, 0x36, 0x5a, 0x2d, 0x1f, 0xab, 0x76, 0xbb, 0x6c, 0x37, 0x69, 0x77, 0x37, 0x5d, + 0xdd, 0x93, 0x85, 0x0b, 0x39, 0x2c, 0x1f, 0x12, 0x1c, 0xf6, 0x82, 0x80, 0x1b, 0x12, 0x12, 0x17, + 0x10, 0x57, 0x2e, 0x70, 0x43, 0xc2, 0xe2, 0xb0, 0x5a, 0x89, 0x4b, 0x0e, 0xbb, 0x03, 0x19, 0xd0, + 0x1e, 0x38, 0xf0, 0x07, 0xac, 0x90, 0x40, 0x55, 0x5d, 0xfd, 0x39, 0xdd, 0xca, 0x78, 0x66, 0x3c, + 0x62, 0x57, 0x39, 0xcd, 0x74, 0xd5, 0xab, 0xf7, 0x5d, 0xbf, 0x7e, 0xef, 0x35, 0x5c, 0x3f, 0x30, + 0xbc, 0x43, 0x7f, 0xb7, 0xa9, 0xdb, 0x47, 0x2d, 0xdb, 0xa1, 0x16, 0x3b, 0x34, 0xf6, 0xbd, 0x96, + 0xed, 0x1a, 0x07, 0x86, 0xd5, 0x72, 0xee, 0x1f, 0xb4, 0x34, 0xdf, 0x3b, 0xb4, 0x5d, 0xe3, 0xbb, + 0x9a, 0x67, 0xd8, 0x56, 0x4b, 0x73, 0x8c, 0x56, 0xe7, 0x72, 0xeb, 0x80, 0x5a, 0xd4, 0xd5, 0x3c, + 0xba, 0xd7, 0x74, 0x5c, 0xdb, 0xb3, 0xf1, 0x4b, 0x31, 0x97, 0x66, 0xc4, 0xa5, 0x19, 0x70, 0x69, + 0x3a, 0xf7, 0x0f, 0x9a, 0x29, 0x2e, 0x4d, 0xcd, 0x31, 0x9a, 0x9d, 0xcb, 0x2b, 0x97, 0x12, 0xb2, + 0x0f, 0xec, 0x03, 0xbb, 0x25, 0x98, 0xed, 0xfa, 0xfb, 0xe2, 0x49, 0x3c, 0x88, 0x7f, 0x81, 0x90, + 0x95, 0xcf, 0xdd, 0x7f, 0x99, 0x35, 0x0d, 0xbb, 0x75, 0xdf, 0xdf, 
0xa5, 0xae, 0x45, 0x3d, 0xca, + 0x02, 0x05, 0x1d, 0xa3, 0xe5, 0x5b, 0x1d, 0xea, 0x32, 0xc3, 0xb6, 0xe8, 0x5e, 0x56, 0xb7, 0x95, + 0x17, 0x8b, 0x8f, 0xf5, 0x5b, 0xb2, 0x72, 0x29, 0x9f, 0xda, 0xf5, 0x2d, 0xcf, 0x38, 0xa2, 0x7d, + 0xe4, 0x97, 0xf3, 0xc9, 0x7d, 0xcf, 0x30, 0x5b, 0x86, 0xe5, 0x31, 0xcf, 0xcd, 0x1e, 0x51, 0xff, + 0x5b, 0x86, 0xea, 0xa6, 0xce, 0xfd, 0x80, 0x5b, 0x50, 0xb3, 0xb4, 0x23, 0xca, 0x1c, 0x4d, 0xa7, + 0x0a, 0x5a, 0x43, 0xeb, 0xb5, 0xf6, 0xd2, 0x71, 0xb7, 0x31, 0xd5, 0xeb, 0x36, 0x6a, 0x77, 0xc2, + 0x0d, 0x12, 0xd3, 0xe0, 0x35, 0xa8, 0x74, 0xa8, 0xbb, 0xab, 0x94, 0x04, 0xed, 0x9c, 0xa4, 0xad, + 0xdc, 0xa3, 0xee, 0x2e, 0x11, 0x3b, 0xf8, 0x0b, 0xb0, 0xe8, 0x52, 0x66, 0xfb, 0xae, 0x4e, 0x37, + 0xb7, 0x6f, 0xdd, 0x74, 0x6d, 0xdf, 0x51, 0xca, 0x82, 0x7a, 0x5e, 0x52, 0x4f, 0x8b, 0x45, 0xd2, + 0x47, 0x86, 0xaf, 0x02, 0x4e, 0xac, 0xdd, 0x0b, 0x1c, 0xaa, 0x54, 0xc4, 0xe1, 0x05, 0x79, 0x78, + 0x46, 0x2e, 0x93, 0x1c, 0x52, 0xfc, 0x22, 0xcc, 0x86, 0xab, 0xca, 0xb4, 0x38, 0xb6, 0x28, 0x8f, + 0xcd, 0x12, 0xb9, 0x4e, 0x22, 0x0a, 0xfc, 0x32, 0xcc, 0x85, 0xff, 0xb9, 0xad, 0x4a, 0x55, 0x9c, + 0x58, 0x96, 0x27, 0xe6, 0x48, 0x62, 0x8f, 0xa4, 0x28, 0xf1, 0x3d, 0x98, 0xd1, 0x6d, 0xcb, 0xa3, + 0x96, 0xa7, 0xcc, 0xac, 0xa1, 0xf5, 0xfa, 0xc6, 0x0b, 0xcd, 0x20, 0x0c, 0xcd, 0x38, 0x0c, 0x22, + 0xeb, 0x64, 0xd4, 0x9a, 0x44, 0x7b, 0x70, 0xe3, 0x2d, 0x8f, 0x5a, 0x5c, 0xcb, 0xd8, 0x94, 0x6b, + 0x01, 0x0f, 0x12, 0x32, 0xe3, 0xde, 0x75, 0x34, 0xef, 0x50, 0x99, 0x4d, 0x7b, 0x77, 0x5b, 0xf3, + 0x0e, 0x89, 0xd8, 0xc1, 0xd7, 0x61, 0xd1, 0x60, 0x77, 0x6c, 0x2b, 0x54, 0xee, 0x35, 0xb2, 0xa5, + 0xd4, 0xd6, 0xd0, 0xfa, 0x6c, 0x5b, 0x91, 0xd4, 0x8b, 0xb7, 0x32, 0xfb, 0xa4, 0xef, 0x84, 0xfa, + 0xd7, 0x12, 0xcc, 0x5f, 0x33, 0x7d, 0xe6, 0x51, 0x77, 0xdb, 0x36, 0x0d, 0xfd, 0x3b, 0xf8, 0x75, + 0x98, 0x3d, 0xa2, 0x9e, 0xb6, 0xa7, 0x79, 0x9a, 0xc8, 0x83, 0xfa, 0xc6, 0x7a, 0x81, 0x49, 0xc1, + 0xd5, 0x69, 0xde, 0xdd, 0xfd, 0x16, 0xd5, 0xbd, 0xdb, 0xd4, 0xd3, 0xda, 0x58, 0x4a, 0x86, 0x78, + 0x8d, 
0x44, 0xdc, 0x30, 0x85, 0x39, 0x53, 0x63, 0xde, 0x6d, 0x7b, 0xcf, 0xd8, 0x37, 0xe8, 0x9e, + 0xc8, 0x9c, 0x62, 0x87, 0x71, 0xee, 0x89, 0xbb, 0xd4, 0xfc, 0xaa, 0x71, 0x44, 0xe3, 0x90, 0x6c, + 0x25, 0x18, 0x91, 0x14, 0x5b, 0xfc, 0x10, 0xc1, 0xb4, 0x6b, 0x9b, 0x94, 0x29, 0xe5, 0xb5, 0xf2, + 0x7a, 0x7d, 0xe3, 0xd5, 0xe6, 0x30, 0x88, 0xd0, 0xe4, 0xe1, 0xdd, 0x93, 0xae, 0x21, 0xb6, 0x49, + 0xdb, 0x6a, 0x98, 0xb4, 0xfc, 0x89, 0x7d, 0xd4, 0x6d, 0x2c, 0x65, 0x49, 0x18, 0x09, 0x04, 0xab, + 0x1f, 0x94, 0x61, 0x39, 0xe5, 0xd5, 0xb6, 0x61, 0xed, 0x19, 0xd6, 0xc1, 0xc7, 0xdf, 0xb9, 0xdf, + 0x84, 0x9a, 0x23, 0x2c, 0x22, 0x74, 0x5f, 0x5c, 0xe6, 0xfa, 0xc6, 0xa5, 0x41, 0x2c, 0x20, 0x74, + 0x9f, 0xba, 0xd4, 0xd2, 0x69, 0x8c, 0x2a, 0xdb, 0x21, 0x1f, 0x12, 0xb3, 0xc4, 0xbf, 0x42, 0x30, + 0xc7, 0x7d, 0x28, 0x1d, 0xc6, 0x94, 0x8a, 0x88, 0xe1, 0xed, 0x31, 0xc5, 0x30, 0xe0, 0xda, 0xfe, + 0x6c, 0x74, 0xb3, 0x13, 0xa2, 0x3e, 0xea, 0x36, 0x94, 0x82, 0x03, 0x8c, 0xa4, 0x94, 0x52, 0xff, + 0x85, 0x40, 0xc9, 0x8b, 0xef, 0x96, 0xc1, 0x3c, 0xfc, 0x8d, 0xbe, 0x18, 0xb7, 0x06, 0x8c, 0x02, + 0x3f, 0x2e, 0x42, 0x1d, 0x61, 0x55, 0xb8, 0x92, 0x08, 0xb4, 0x0d, 0xd3, 0x86, 0x47, 0x8f, 0x98, + 0x52, 0x12, 0x9e, 0xf9, 0xca, 0x70, 0x9e, 0xc9, 0xd3, 0x3e, 0x86, 0xe5, 0x5b, 0x5c, 0x00, 0x09, + 0xe4, 0xa8, 0xef, 0x23, 0x58, 0x4a, 0x91, 0x4f, 0xc2, 0xca, 0xc3, 0xb4, 0x95, 0xd7, 0xc6, 0x61, + 0x65, 0xbe, 0x79, 0xef, 0x22, 0xa8, 0x27, 0x22, 0x7e, 0xaa, 0x57, 0x74, 0xda, 0xf5, 0x39, 0x2e, + 0x05, 0x36, 0x7d, 0x69, 0x38, 0x9b, 0xe4, 0xb5, 0xf1, 0x4d, 0x1a, 0x1b, 0xc4, 0x9f, 0x38, 0xf8, + 0xf0, 0x1f, 0xf5, 0x27, 0x15, 0xc0, 0xfd, 0x29, 0x7c, 0x8a, 0x76, 0x39, 0x50, 0xf3, 0x19, 0x75, + 0x45, 0x95, 0x20, 0x71, 0x67, 0xc8, 0x78, 0xdd, 0x75, 0xf8, 0x93, 0x66, 0x0a, 0x56, 0xed, 0x79, + 0x8e, 0x12, 0xaf, 0x85, 0x9c, 0x49, 0x2c, 0x04, 0x33, 0x80, 0x03, 0x5e, 0x27, 0x04, 0x22, 0xcb, + 0xe3, 0x13, 0x79, 0x86, 0x1b, 0x79, 0x33, 0x62, 0x4d, 0x12, 0x62, 0xf0, 0xd7, 0x60, 0x96, 0xf9, + 0xc2, 0xfe, 0x10, 0x95, 0x4e, 0x88, 0x7c, 
0x51, 0xbe, 0xef, 0x48, 0x36, 0x24, 0x62, 0x88, 0x5f, + 0x87, 0x19, 0x8e, 0x30, 0x1c, 0x55, 0xa7, 0x87, 0x41, 0xd5, 0xa8, 0x92, 0x20, 0x01, 0x17, 0x12, + 0xb2, 0x53, 0x3f, 0x44, 0x70, 0xae, 0x3f, 0x1d, 0x26, 0x71, 0x87, 0x8f, 0xd2, 0x77, 0xf8, 0xcb, + 0x23, 0xdd, 0xe1, 0x24, 0x7c, 0xe7, 0x5f, 0xe4, 0x47, 0x08, 0x16, 0x12, 0xc4, 0x93, 0xb0, 0x70, + 0x3f, 0x6d, 0xe1, 0xe6, 0xe8, 0x16, 0xe6, 0x9b, 0xf6, 0x33, 0x04, 0x8b, 0x41, 0xa9, 0x4c, 0x99, + 0xe7, 0x1a, 0x41, 0xc5, 0xae, 0x42, 0x55, 0x64, 0x27, 0x53, 0xd0, 0x5a, 0x79, 0xbd, 0xd6, 0x86, + 0x5e, 0xb7, 0x51, 0x15, 0x54, 0x8c, 0xc8, 0x1d, 0xfc, 0x26, 0x54, 0x4d, 0x6d, 0x97, 0x9a, 0xa1, + 0x86, 0x2f, 0x0d, 0x6a, 0x3d, 0x3f, 0xb4, 0x43, 0x4d, 0xaa, 0x7b, 0xb6, 0x1b, 0xbf, 0xb2, 0xc3, + 0x15, 0x46, 0x24, 0x5b, 0xb5, 0x01, 0x17, 0x6f, 0xb1, 0x6d, 0xea, 0x32, 0x7e, 0x87, 0x64, 0x5e, + 0x6f, 0xea, 0x3a, 0x65, 0x8c, 0xd0, 0x8e, 0x41, 0x1f, 0xa8, 0x0f, 0xe0, 0xc2, 0x96, 0xad, 0x6b, + 0x66, 0x58, 0x74, 0x26, 0x37, 0xf1, 0x1b, 0x61, 0xfb, 0x21, 0x83, 0xf3, 0xca, 0x70, 0x0e, 0x0c, + 0x78, 0xb4, 0x2b, 0x5c, 0x4d, 0x52, 0xd5, 0xc4, 0x93, 0xfa, 0x9b, 0x12, 0x28, 0x42, 0x72, 0x8e, + 0x56, 0xa7, 0x29, 0x98, 0x97, 0xee, 0x1c, 0xa9, 0xb2, 0x8d, 0x11, 0x07, 0x32, 0x22, 0x76, 0xf0, + 0x67, 0xa2, 0xc8, 0x95, 0x45, 0xe4, 0x16, 0x7a, 0xdd, 0x46, 0x3d, 0x88, 0xdc, 0x8e, 0x69, 0xe8, + 0x34, 0x0a, 0xdf, 0x21, 0x54, 0x99, 0x6e, 0x3b, 0x94, 0x89, 0xd6, 0xa7, 0xbe, 0x71, 0x7d, 0x34, + 0x8c, 0xdb, 0x11, 0xbc, 0x82, 0x44, 0x09, 0xfe, 0x13, 0xc9, 0x5f, 0xfd, 0x05, 0x82, 0xc5, 0x6c, + 0xf1, 0xc3, 0x2d, 0xe1, 0xfd, 0x9e, 0x6c, 0x07, 0x23, 0x4b, 0x44, 0x1b, 0x24, 0x76, 0xb0, 0x0e, + 0x15, 0x8e, 0x33, 0x12, 0xf5, 0xc7, 0x90, 0xff, 0x91, 0x10, 0x81, 0x63, 0x82, 0xb9, 0xfa, 0x07, + 0x04, 0xe7, 0x0b, 0x0a, 0xb3, 0x01, 0x54, 0xfc, 0x1e, 0xd4, 0x13, 0xb5, 0x9b, 0xd4, 0x74, 0x7c, + 0x58, 0x74, 0x56, 0x8a, 0xac, 0x27, 0x16, 0x49, 0x52, 0xa2, 0xfa, 0x63, 0x04, 0xa2, 0x83, 0xde, + 0x1b, 0xd0, 0xa7, 0x5f, 0x4f, 0xf9, 0xf4, 0xca, 0x70, 0x9a, 0x16, 0x3a, 0xf3, 
0x77, 0x61, 0xa0, + 0x4f, 0xe6, 0xc5, 0xb7, 0xf2, 0xbc, 0xb8, 0x39, 0x82, 0x6e, 0x03, 0xbb, 0xef, 0x0a, 0xcc, 0xa7, + 0xde, 0xd1, 0xb8, 0x11, 0x82, 0x6e, 0x00, 0x7b, 0xb5, 0x2c, 0x5a, 0x5e, 0x99, 0xfd, 0xf9, 0x2f, + 0x1b, 0x53, 0x0f, 0xdf, 0x5f, 0x9b, 0x52, 0xbf, 0x08, 0x67, 0xd2, 0xb9, 0x7f, 0x92, 0xc3, 0x7f, + 0x2c, 0x41, 0xf5, 0x93, 0xd2, 0x13, 0xbb, 0xe9, 0x96, 0xf8, 0xea, 0x08, 0xed, 0x94, 0x08, 0xd4, + 0xb3, 0xd9, 0x5e, 0x18, 0xa2, 0xbd, 0xa8, 0x09, 0x3e, 0x2e, 0xc3, 0xfc, 0xd3, 0xee, 0xf7, 0x44, + 0xdd, 0xef, 0x4f, 0xf3, 0xbb, 0xdf, 0x57, 0x47, 0x0d, 0x97, 0xbc, 0x6c, 0xcf, 0x17, 0xb4, 0xbd, + 0x4b, 0x59, 0xca, 0x6c, 0xbf, 0xcb, 0x5b, 0xc0, 0x89, 0x37, 0xba, 0xe3, 0x69, 0x01, 0x07, 0xe9, + 0x70, 0xdf, 0x45, 0x00, 0x93, 0x6b, 0x6d, 0xb5, 0xb4, 0x5d, 0xaf, 0x8c, 0x64, 0x57, 0xbe, 0x41, + 0x3f, 0x2c, 0x87, 0x06, 0xf1, 0xce, 0x90, 0x83, 0x5e, 0x87, 0xba, 0xbb, 0x29, 0xd0, 0xbb, 0xc7, + 0x17, 0x48, 0xb0, 0x8e, 0x1f, 0x22, 0x78, 0x46, 0xf3, 0x3c, 0xd7, 0xd8, 0xf5, 0x3d, 0x9a, 0xa8, + 0x31, 0xd9, 0x13, 0x2e, 0x52, 0xee, 0x50, 0xf3, 0xa2, 0x54, 0xe9, 0x99, 0xcd, 0x3c, 0x8e, 0x24, + 0x5f, 0x10, 0x7e, 0x01, 0x6a, 0x9a, 0x63, 0xdc, 0x4c, 0x96, 0x45, 0xa2, 0xff, 0x0b, 0x47, 0xc2, + 0x8c, 0xc4, 0xfb, 0x9c, 0x38, 0x9c, 0xc2, 0x06, 0x77, 0x44, 0x12, 0x87, 0x45, 0x26, 0x23, 0xf1, + 0x3e, 0xfe, 0x3c, 0xcc, 0x27, 0x47, 0xb6, 0x4c, 0x99, 0x16, 0x07, 0x96, 0x7a, 0xdd, 0xc6, 0x7c, + 0x72, 0xb2, 0xcb, 0x48, 0x9a, 0x0e, 0xb7, 0x61, 0xc1, 0x4a, 0x4d, 0x4b, 0x99, 0x52, 0x15, 0x47, + 0x95, 0x5e, 0xb7, 0xb1, 0x9c, 0x1e, 0xa4, 0xca, 0xc2, 0x2d, 0x7b, 0x40, 0x75, 0x61, 0x79, 0xe2, + 0x95, 0xef, 0xdf, 0x10, 0x7c, 0x2a, 0x4f, 0x28, 0xa1, 0xcc, 0xb1, 0x2d, 0x46, 0x4f, 0x3e, 0xeb, + 0x7f, 0x0e, 0xa6, 0x79, 0xe1, 0x1a, 0xa4, 0x6c, 0x2d, 0xe8, 0x92, 0x79, 0x3d, 0x2b, 0xad, 0x0e, + 0x36, 0x07, 0x2f, 0x6b, 0xaf, 0xc2, 0x19, 0xda, 0xd1, 0x4c, 0x9f, 0x6b, 0x7b, 0xc3, 0x75, 0x6d, + 0x57, 0x4e, 0xf6, 0xcf, 0x4b, 0x25, 0x16, 0x6e, 0xf0, 0x5d, 0x2d, 0xda, 0x26, 0x19, 0x72, 0xf5, + 0xcf, 0x08, 0x2a, 
0x9f, 0x8c, 0x61, 0xcd, 0xf7, 0x2b, 0x50, 0x7f, 0x3a, 0xa5, 0x79, 0x3a, 0xa5, + 0x79, 0x84, 0x60, 0x61, 0xc2, 0xe3, 0x99, 0xf1, 0x0c, 0x2f, 0x9e, 0x3c, 0x97, 0xf9, 0x10, 0xc1, + 0xb9, 0x64, 0x75, 0x9f, 0x18, 0x61, 0x9c, 0x5e, 0xb6, 0xbb, 0x50, 0x61, 0x0e, 0xd5, 0x65, 0xa2, + 0x6f, 0x8f, 0x6c, 0x5b, 0x42, 0xeb, 0x1d, 0x87, 0xea, 0x71, 0x8f, 0xc4, 0x9f, 0x88, 0x90, 0xa5, + 0xfe, 0x1b, 0xc1, 0x4a, 0xfe, 0x91, 0x49, 0x84, 0xf3, 0xdb, 0xe9, 0x70, 0x6e, 0x8d, 0xd3, 0xe4, + 0x82, 0xc8, 0x7e, 0x50, 0x2e, 0x32, 0x98, 0x7b, 0x05, 0xbf, 0x8d, 0x60, 0x81, 0xa3, 0x81, 0x1b, + 0xaf, 0x4b, 0xc3, 0x6f, 0x0c, 0xa7, 0x9c, 0x18, 0xa1, 0x24, 0xb4, 0x3a, 0xcb, 0xdf, 0x15, 0x99, + 0x45, 0x92, 0x15, 0x89, 0x7f, 0x84, 0x60, 0x51, 0x00, 0x44, 0x52, 0x8f, 0x20, 0x2f, 0x86, 0x2c, + 0xac, 0xb3, 0xa3, 0xb8, 0xf6, 0x72, 0xaf, 0xdb, 0xe8, 0x1b, 0xd0, 0x91, 0x3e, 0xa9, 0xf8, 0xb7, + 0x08, 0x2e, 0x30, 0xea, 0x76, 0x0c, 0x9d, 0x6a, 0xba, 0x6e, 0xfb, 0x96, 0x97, 0xd4, 0x29, 0x40, + 0xc8, 0xbb, 0xc3, 0xe9, 0xb4, 0x13, 0xb0, 0xdd, 0x0c, 0xd8, 0x26, 0x95, 0xbb, 0xd8, 0xeb, 0x36, + 0x2e, 0x14, 0x6e, 0x93, 0x62, 0x85, 0xd4, 0xbf, 0x20, 0x98, 0x9d, 0xd4, 0x28, 0xf5, 0xcd, 0x74, + 0xfa, 0x8e, 0x32, 0xf6, 0xc8, 0x4f, 0xd6, 0xb7, 0x4b, 0x70, 0x6e, 0x87, 0x9a, 0xfb, 0x12, 0xd6, + 0x83, 0xb7, 0x70, 0x50, 0x8c, 0x85, 0x60, 0x81, 0x46, 0x01, 0x8b, 0x7c, 0xde, 0x45, 0x60, 0x81, + 0x3b, 0x50, 0x65, 0x9e, 0xe6, 0xf9, 0xe1, 0xbb, 0xf8, 0xce, 0x90, 0x52, 0xfb, 0x25, 0x0a, 0xae, + 0xed, 0x33, 0x52, 0x66, 0x35, 0x78, 0x26, 0x52, 0x9a, 0xfa, 0x03, 0x04, 0x2b, 0xc5, 0xaa, 0x26, + 0x26, 0x8e, 0xe8, 0x94, 0x27, 0x8e, 0x26, 0x9c, 0xcf, 0x26, 0xa5, 0x7c, 0x4d, 0x0e, 0x30, 0x8e, + 0x4a, 0x55, 0xb0, 0xa5, 0x27, 0x57, 0xb0, 0x6a, 0x17, 0x41, 0xf1, 0x1d, 0xc0, 0xef, 0x20, 0x58, + 0x48, 0x5f, 0x83, 0xa0, 0x57, 0x1a, 0xfa, 0xc3, 0x73, 0x81, 0x65, 0x71, 0x85, 0x9b, 0x26, 0x60, + 0x24, 0x2b, 0x1e, 0x37, 0x01, 0x22, 0xed, 0x53, 0x75, 0x77, 0x64, 0x1e, 0x23, 0x09, 0x0a, 0xf5, + 0xd7, 0x25, 0x38, 0xfb, 0x74, 0xd2, 0x3d, 0x40, 0xde, 
0xfd, 0x13, 0xc1, 0xb3, 0x39, 0x8e, 0x1a, + 0xbe, 0x39, 0x7a, 0x1e, 0x66, 0x34, 0xd3, 0xb4, 0x1f, 0xc8, 0xb1, 0xd3, 0x6c, 0x5c, 0xe5, 0x6d, + 0x06, 0xcb, 0x24, 0xdc, 0xc7, 0x9f, 0x86, 0xaa, 0x4b, 0x35, 0x26, 0xb1, 0xbe, 0x16, 0x5f, 0x52, + 0x22, 0x56, 0x89, 0xdc, 0xc5, 0x9b, 0xb0, 0x40, 0xd3, 0x2d, 0xd0, 0x93, 0x3a, 0xa4, 0x2c, 0xbd, + 0xfa, 0x1f, 0x04, 0x38, 0x07, 0xea, 0xac, 0x14, 0xd4, 0x6d, 0x8d, 0x0d, 0x74, 0xfe, 0xdf, 0x60, + 0xee, 0x18, 0xc1, 0xb9, 0x02, 0x88, 0x0b, 0xb3, 0x16, 0x15, 0x66, 0x6d, 0xfc, 0x65, 0xad, 0x54, + 0xf8, 0x65, 0x2d, 0x4e, 0xd8, 0xf2, 0x29, 0x27, 0xec, 0x9f, 0x10, 0x28, 0x45, 0xf6, 0xc7, 0x6d, + 0x2a, 0x3a, 0xcd, 0x36, 0x35, 0x2f, 0x21, 0x4b, 0x27, 0x4c, 0xc8, 0xdf, 0x23, 0xc8, 0xd6, 0x6a, + 0xb8, 0x11, 0xce, 0x15, 0x12, 0x83, 0x29, 0x31, 0x57, 0x08, 0x47, 0x0a, 0x83, 0x44, 0x22, 0xfe, + 0xc6, 0x59, 0x3e, 0x95, 0x6f, 0x9c, 0xed, 0xe7, 0x8e, 0x1f, 0xaf, 0x4e, 0xbd, 0xf7, 0x78, 0x75, + 0xea, 0xd1, 0xe3, 0xd5, 0xa9, 0x87, 0xbd, 0x55, 0x74, 0xdc, 0x5b, 0x45, 0xef, 0xf5, 0x56, 0xd1, + 0xdf, 0x7b, 0xab, 0xe8, 0x9d, 0x7f, 0xac, 0x4e, 0xbd, 0x51, 0xea, 0x5c, 0xfe, 0x5f, 0x00, 0x00, + 0x00, 0xff, 0xff, 0xa2, 0x2f, 0xf0, 0xc8, 0xbe, 0x2a, 0x00, 0x00, } diff --git a/pkg/authorization/api/v1/generated.proto b/pkg/authorization/api/v1/generated.proto index bac97fece9a8..91acc13a79de 100644 --- a/pkg/authorization/api/v1/generated.proto +++ b/pkg/authorization/api/v1/generated.proto @@ -35,6 +35,12 @@ message Action { // ResourceName is the name of the resource being requested for a "get" or deleted for a "delete" optional string resourceName = 6; + // Path is the path of a non resource URL + optional string path = 8; + + // IsNonResourceURL is true if this is a request for a non-resource URL (outside of the resource hieraarchy) + optional bool isNonResourceURL = 9; + // Content is the actual content of the request for create and update optional k8s.io.kubernetes.pkg.runtime.RawExtension content = 7; } 
diff --git a/pkg/authorization/api/v1/swagger_doc.go b/pkg/authorization/api/v1/swagger_doc.go index 50c7c1c79cc1..d904e571b2c1 100644 --- a/pkg/authorization/api/v1/swagger_doc.go +++ b/pkg/authorization/api/v1/swagger_doc.go @@ -13,6 +13,8 @@ var map_Action = map[string]string{ "resourceAPIVersion": "Version is the API version of the resource Serialized as resourceAPIVersion to avoid confusion with TypeMeta.apiVersion and ObjectMeta.resourceVersion when inlined", "resource": "Resource is one of the existing resource types", "resourceName": "ResourceName is the name of the resource being requested for a \"get\" or deleted for a \"delete\"", + "path": "Path is the path of a non resource URL", + "isNonResourceURL": "IsNonResourceURL is true if this is a request for a non-resource URL (outside of the resource hieraarchy)", "content": "Content is the actual content of the request for create and update", } diff --git a/pkg/authorization/api/v1/types.go b/pkg/authorization/api/v1/types.go index 03b7060ac876..3b205abcdaeb 100644 --- a/pkg/authorization/api/v1/types.go +++ b/pkg/authorization/api/v1/types.go @@ -302,6 +302,10 @@ type Action struct { Resource string `json:"resource" protobuf:"bytes,5,opt,name=resource"` // ResourceName is the name of the resource being requested for a "get" or deleted for a "delete" ResourceName string `json:"resourceName" protobuf:"bytes,6,opt,name=resourceName"` + // Path is the path of a non resource URL + Path string `json:"path" protobuf:"bytes,8,opt,name=path"` + // IsNonResourceURL is true if this is a request for a non-resource URL (outside of the resource hieraarchy) + IsNonResourceURL bool `json:"isNonResourceURL" protobuf:"varint,9,opt,name=isNonResourceURL"` // Content is the actual content of the request for create and update Content kruntime.RawExtension `json:"content,omitempty" protobuf:"bytes,7,opt,name=content"` } 
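Review bot: The new field comment on `IsNonResourceURL` in the types.go hunk misspells "hieraarchy", and because that string is copied verbatim into the generated.proto hunk above, the swagger_doc.go map in this line and the spec files in this commit, fixing it in types.go and regenerating removes it everywhere. The `Path` comment could also say when the field matters, since the validation added later in this commit requires it only when the flag is set and rejects every resource field in that case: `// Path is the path of a non-resource URL; only meaningful (and required) when IsNonResourceURL is true` and `// IsNonResourceURL is true if this is a request for a non-resource URL (outside of the resource hierarchy)`.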
diff --git a/pkg/authorization/api/v1/zz_generated.conversion.go b/pkg/authorization/api/v1/zz_generated.conversion.go index a0d6ddd1c76e..f7e7a733ba08 100644 --- a/pkg/authorization/api/v1/zz_generated.conversion.go +++ b/pkg/authorization/api/v1/zz_generated.conversion.go @@ -106,6 +106,8 @@ func autoConvert_v1_Action_To_api_Action(in *Action, out *api.Action, s conversi out.Version = in.Version out.Resource = in.Resource out.ResourceName = in.ResourceName + out.Path = in.Path + out.IsNonResourceURL = in.IsNonResourceURL if err := runtime.Convert_runtime_RawExtension_To_runtime_Object(&in.Content, &out.Content, s); err != nil { return err } @@ -123,6 +125,8 @@ func autoConvert_api_Action_To_v1_Action(in *api.Action, out *Action, s conversi out.Version = in.Version out.Resource = in.Resource out.ResourceName = in.ResourceName + out.Path = in.Path + out.IsNonResourceURL = in.IsNonResourceURL if err := runtime.Convert_runtime_Object_To_runtime_RawExtension(&in.Content, &out.Content, s); err != nil { return err } diff --git a/pkg/authorization/api/v1/zz_generated.deepcopy.go b/pkg/authorization/api/v1/zz_generated.deepcopy.go index f9e7c9c8400d..a2a171bdad12 100644 --- a/pkg/authorization/api/v1/zz_generated.deepcopy.go +++ b/pkg/authorization/api/v1/zz_generated.deepcopy.go @@ -74,6 +74,8 @@ func DeepCopy_v1_Action(in interface{}, out interface{}, c *conversion.Cloner) e out.Version = in.Version out.Resource = in.Resource out.ResourceName = in.ResourceName + out.Path = in.Path + out.IsNonResourceURL = in.IsNonResourceURL if err := runtime.DeepCopy_runtime_RawExtension(&in.Content, &out.Content, c); err != nil { return err } diff --git a/pkg/authorization/api/validation/validation.go b/pkg/authorization/api/validation/validation.go index 0607d6a6ffe1..02f98d8c0f6d 100644 --- a/pkg/authorization/api/validation/validation.go +++ b/pkg/authorization/api/validation/validation.go 
@@ -29,15 +29,45 @@ func ValidateSubjectRulesReview(rules *authorizationapi.SubjectRulesReview) fiel return allErrs } +func validateCommonAccessReviewAction(fldPath *field.Path, action *authorizationapi.Action) field.ErrorList { + var allErrs field.ErrorList + if action.IsNonResourceURL { + if len(action.Path) == 0 { + allErrs = append(allErrs, field.Required(fldPath.Child("path"), "")) + } + if len(action.Resource) != 0 { + allErrs = append(allErrs, field.Invalid(fldPath.Child("resource"), action.Resource, "resource may not be specified with non resource URLs")) + } + if len(action.Group) != 0 { + allErrs = append(allErrs, field.Invalid(fldPath.Child("group"), action.Group, "group may not be specified with non resource URLs")) + } + if len(action.Version) != 0 { + allErrs = append(allErrs, field.Invalid(fldPath.Child("version"), action.Version, "version may not be specified with non resource URLs")) + } + if len(action.ResourceName) != 0 { + allErrs = append(allErrs, field.Invalid(fldPath.Child("resourceName"), action.ResourceName, "resourceName may not be specified with non resource URLs")) + } + if len(action.Namespace) != 0 { + allErrs = append(allErrs, field.Invalid(fldPath.Child("namespace"), action.Namespace, "namespace may not be specified with non resource URLs")) + } + if action.Content != nil { + allErrs = append(allErrs, field.Invalid(fldPath.Child("content"), nil, "content may not be specified with non resource URLs")) + } + } else { + if len(action.Resource) == 0 { + allErrs = append(allErrs, field.Required(fldPath.Child("resource"), "")) + } + } + return allErrs +} + func ValidateSubjectAccessReview(review *authorizationapi.SubjectAccessReview) field.ErrorList { allErrs := field.ErrorList{} if len(review.Action.Verb) == 0 { allErrs = append(allErrs, field.Required(field.NewPath("verb"), "")) } - if len(review.Action.Resource) == 0 { - allErrs = append(allErrs, field.Required(field.NewPath("resource"), "")) - } + allErrs = append(allErrs, 
validateCommonAccessReviewAction(nil, &review.Action)...) return allErrs } @@ -48,9 +78,7 @@ func ValidateResourceAccessReview(review *authorizationapi.ResourceAccessReview) if len(review.Action.Verb) == 0 { allErrs = append(allErrs, field.Required(field.NewPath("verb"), "")) } - if len(review.Action.Resource) == 0 { - allErrs = append(allErrs, field.Required(field.NewPath("resource"), "")) - } + allErrs = append(allErrs, validateCommonAccessReviewAction(nil, &review.Action)...) return allErrs } @@ -61,9 +89,7 @@ func ValidateLocalSubjectAccessReview(review *authorizationapi.LocalSubjectAcces if len(review.Action.Verb) == 0 { allErrs = append(allErrs, field.Required(field.NewPath("verb"), "")) } - if len(review.Action.Resource) == 0 { - allErrs = append(allErrs, field.Required(field.NewPath("resource"), "")) - } + allErrs = append(allErrs, validateCommonAccessReviewAction(nil, &review.Action)...) return allErrs } @@ -74,9 +100,7 @@ func ValidateLocalResourceAccessReview(review *authorizationapi.LocalResourceAcc if len(review.Action.Verb) == 0 { allErrs = append(allErrs, field.Required(field.NewPath("verb"), "")) } - if len(review.Action.Resource) == 0 { - allErrs = append(allErrs, field.Required(field.NewPath("resource"), "")) - } + allErrs = append(allErrs, validateCommonAccessReviewAction(nil, &review.Action)...) return allErrs } diff --git a/pkg/authorization/api/zz_generated.deepcopy.go b/pkg/authorization/api/zz_generated.deepcopy.go index bedd61948ef6..ecfd33c747a9 100644 --- a/pkg/authorization/api/zz_generated.deepcopy.go +++ b/pkg/authorization/api/zz_generated.deepcopy.go @@ -72,6 +72,8 @@ func DeepCopy_api_Action(in interface{}, out interface{}, c *conversion.Cloner) out.Version = in.Version out.Resource = in.Resource out.ResourceName = in.ResourceName + out.Path = in.Path + out.IsNonResourceURL = in.IsNonResourceURL if in.Content == nil { out.Content = nil } else if newVal, err := c.DeepCopy(&in.Content); err != nil { 
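Review bot: The checks in `validateCommonAccessReviewAction` are one-sided: the `IsNonResourceURL` branch rejects each resource field individually, but the else branch only requires `resource` and silently accepts a non-empty `Path`, so a review that sets `path` without the flag passes as a plain resource request and the path is never reported as a mistake. Mirroring the other branch closes that gap: `if len(action.Path) != 0 { allErrs = append(allErrs, field.Invalid(fldPath.Child("path"), action.Path, "path may only be specified with non resource URLs")) }`. All four callers pass `nil` for `fldPath`; as far as I recall `Child` on a nil `*field.Path` yields a top-level path, but a one-line comment on the parameter saying that nil means top-level would spare the next reader the check. The helper is fully contained in this hunk, which continues from the previous line.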
diff --git a/pkg/authorization/authorizer/attributes.go b/pkg/authorization/authorizer/attributes.go index 5513aec596c6..b0d73bf639db 100644 --- a/pkg/authorization/authorizer/attributes.go +++ b/pkg/authorization/authorizer/attributes.go @@ -25,11 +25,13 @@ type DefaultAuthorizationAttributes struct { // because the authorizer takes that information on the context func ToDefaultAuthorizationAttributes(in authorizationapi.Action) DefaultAuthorizationAttributes { return DefaultAuthorizationAttributes{ - Verb: in.Verb, - APIGroup: in.Group, - APIVersion: in.Version, - Resource: in.Resource, - ResourceName: in.ResourceName, + Verb: in.Verb, + APIGroup: in.Group, + APIVersion: in.Version, + Resource: in.Resource, + ResourceName: in.ResourceName, + URL: in.Path, + NonResourceURL: in.IsNonResourceURL, } } diff --git a/pkg/authorization/authorizer/remote/authorizer.go b/pkg/authorization/authorizer/remote/authorizer.go index 7d2ce9317f2b..343bee8f3db1 100644 --- a/pkg/authorization/authorizer/remote/authorizer.go +++ b/pkg/authorization/authorizer/remote/authorizer.go @@ -101,12 +101,13 @@ func getAction(namespace string, attributes authorizer.Action) authzapi.Action { Resource: attributes.GetResource(), ResourceName: attributes.GetResourceName(), + Path: attributes.GetURL(), + IsNonResourceURL: attributes.IsNonResourceURL(), + // TODO: missing from authorizer.Action: // Content // TODO: missing from authzapi.Action // RequestAttributes (unserializable?) - // IsNonResourceURL - // URL (doesn't make sense for remote authz?) } } diff --git a/pkg/cmd/server/authenticator/remote.go b/pkg/cmd/server/authenticator/remote.go new file mode 100644 index 000000000000..45e705479683 --- /dev/null +++ b/pkg/cmd/server/authenticator/remote.go 
@@ -0,0 +1,66 @@
+package authenticator
+
+import (
+ "crypto/x509"
+ "time"
+
+ "k8s.io/kubernetes/pkg/auth/authenticator"
+ unversionedauthentication "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/authentication/internalversion"
+
+ oauthenticator "github.com/openshift/origin/pkg/auth/authenticator"
+ "github.com/openshift/origin/pkg/auth/authenticator/anonymous"
+ "github.com/openshift/origin/pkg/auth/authenticator/request/bearertoken"
+ "github.com/openshift/origin/pkg/auth/authenticator/request/unionrequest"
+ "github.com/openshift/origin/pkg/auth/authenticator/request/x509request"
+ authncache "github.com/openshift/origin/pkg/auth/authenticator/token/cache"
+ authnremote "github.com/openshift/origin/pkg/auth/authenticator/token/remotetokenreview"
+ "github.com/openshift/origin/pkg/auth/group"
+ "github.com/openshift/origin/pkg/cmd/server/bootstrappolicy"
+)
+
+// NewRemoteAuthenticator creates an authenticator that checks the provided remote endpoint for tokens, allows any linked clientCAs to be checked, and caches
+// responses as indicated. If no authentication is possible, the user will be system:anonymous.
+func NewRemoteAuthenticator(authenticationClient unversionedauthentication.TokenReviewsGetter, clientCAs *x509.CertPool, cacheTTL time.Duration, cacheSize int) (authenticator.Request, error) {
+ authenticators := []oauthenticator.Request{}
+
+ // API token auth
+ var (
+ tokenAuthenticator oauthenticator.Token
+ err error
+ )
+ // Authenticate against the remote master
+ tokenAuthenticator, err = authnremote.NewAuthenticator(authenticationClient)
+ if err != nil {
+ return nil, err
+ }
+ // Cache results
+ if cacheTTL > 0 && cacheSize > 0 {
+ tokenAuthenticator, err = authncache.NewAuthenticator(tokenAuthenticator, cacheTTL, cacheSize)
+ if err != nil {
+ return nil, err
+ }
+ }
+ authenticators = append(authenticators, bearertoken.New(tokenAuthenticator, true))
+
+ // Client-cert auth
+ if clientCAs != nil {
+ opts := x509request.DefaultVerifyOptions()
+ opts.Roots = clientCAs
+ certauth := x509request.New(opts, x509request.SubjectToUserConversion)
+ authenticators = append(authenticators, certauth)
+ }
+
+ ret := &unionrequest.Authenticator{
+ // Anonymous requests will pass the token and cert checks without errors
+ // Bad tokens or bad certs will produce errors, in which case we should not continue to authenticate them as "system:anonymous"
+ FailOnError: true,
+ Handlers: []oauthenticator.Request{
+ // Add the "system:authenticated" group to users that pass token/cert authentication
+ group.NewGroupAdder(unionrequest.NewUnionAuthentication(authenticators...), []string{bootstrappolicy.AuthenticatedGroup}),
+ // Fall back to the "system:anonymous" user
+ anonymous.NewAuthenticator(),
+ },
+ }
+
+ return ret, nil
+}
diff --git a/pkg/cmd/server/handlers/authentication.go b/pkg/cmd/server/handlers/authentication.go
new file mode 100644
index 000000000000..cf16371f8f91
--- /dev/null
+++ b/pkg/cmd/server/handlers/authentication.go
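Review bot: `NewRemoteAuthenticator` skips the cache entirely unless both `cacheTTL` and `cacheSize` are positive, but the doc comment only says it "caches responses as indicated", so a caller that sets one of the two gets no caching and no hint why. Suggest adding to the comment: `// Caching is enabled only when both cacheTTL and cacheSize are > 0; otherwise every request is checked against the remote endpoint.` The bare `true` passed to `bearertoken.New` also carries no name; a trailing comment stating what that flag enables would help now that this body, lifted unchanged from node_auth.go (removed later in this diff), is a shared exported constructor.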
@@ -0,0 +1,34 @@
+package handlers
+
+import (
+ "net/http"
+
+ "github.com/golang/glog"
+
+ kapi "k8s.io/kubernetes/pkg/api"
+ "k8s.io/kubernetes/pkg/auth/authenticator"
+)
+
+// AuthenticationHandlerFilter creates a filter object that will enforce authentication directly
+func AuthenticationHandlerFilter(handler http.Handler, authenticator authenticator.Request, contextMapper kapi.RequestContextMapper) http.Handler {
+ return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+ user, ok, err := authenticator.AuthenticateRequest(req)
+ if err != nil || !ok {
+ http.Error(w, "Unauthorized", http.StatusUnauthorized)
+ return
+ }
+
+ ctx, ok := contextMapper.Get(req)
+ if !ok {
+ http.Error(w, "Unable to find request context", http.StatusInternalServerError)
+ return
+ }
+ if err := contextMapper.Update(req, kapi.WithUser(ctx, user)); err != nil {
+ glog.V(4).Infof("Error setting authenticated context: %v", err)
+ http.Error(w, "Unable to set authenticated request context", http.StatusInternalServerError)
+ return
+ }
+
+ handler.ServeHTTP(w, req)
+ })
+}
diff --git a/pkg/cmd/server/handlers/authorization.go b/pkg/cmd/server/handlers/authorization.go
new file mode 100644
index 000000000000..c1390e150511
--- /dev/null
+++ b/pkg/cmd/server/handlers/authorization.go
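Review bot: In `AuthenticationHandlerFilter` the error returned by `AuthenticateRequest` is discarded, so whatever the cause, the client sees the same bare 401 and nothing reaches the logs, while the `contextMapper.Update` failure a few lines below is logged at V(4). Suggest logging before the early return, e.g. `if err != nil { glog.V(4).Infof("Error authenticating request: %v", err) }`, so operators can distinguish client errors from backend failures when users report being locked out. The 401 is also sent without a `WWW-Authenticate` header, which RFC 7235 requires on that status; if this filter only ever fronts API clients that may be acceptable, but it deserves a comment.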
@@ -0,0 +1,113 @@
+package handlers
+
+import (
+ "bytes"
+ "encoding/json"
+ "errors"
+ "fmt"
+ "net/http"
+
+ restful "github.com/emicklei/go-restful"
+
+ kapi "k8s.io/kubernetes/pkg/api"
+ kapierrors "k8s.io/kubernetes/pkg/api/errors"
+ "k8s.io/kubernetes/pkg/api/unversioned"
+ "k8s.io/kubernetes/pkg/runtime"
+ "k8s.io/kubernetes/pkg/util/sets"
+
+ "github.com/openshift/origin/pkg/authorization/authorizer"
+)
+
+type bypassAuthorizer struct {
+ paths sets.String
+ authorizer authorizer.Authorizer
+}
+
+// NewBypassAuthorizer creates an Authorizer that always allows the exact paths described, and delegates to the nested
+// authorizer for everything else.
+func NewBypassAuthorizer(auth authorizer.Authorizer, paths ...string) authorizer.Authorizer {
+ return bypassAuthorizer{paths: sets.NewString(paths...), authorizer: auth}
+}
+
+func (a bypassAuthorizer) Authorize(ctx kapi.Context, attributes authorizer.Action) (allowed bool, reason string, err error) {
+ if attributes.IsNonResourceURL() && a.paths.Has(attributes.GetURL()) {
+ return true, "always allowed", nil
+ }
+ return a.authorizer.Authorize(ctx, attributes)
+}
+func (a bypassAuthorizer) GetAllowedSubjects(ctx kapi.Context, attributes authorizer.Action) (sets.String, sets.String, error) {
+ return a.authorizer.GetAllowedSubjects(ctx, attributes)
+}
+
+// AuthorizationFilter imposes normal authorization rules
+func AuthorizationFilter(handler http.Handler, authorizer authorizer.Authorizer, authorizationAttributeBuilder authorizer.AuthorizationAttributeBuilder, contextMapper kapi.RequestContextMapper) http.Handler {
+ return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+ attributes, err := authorizationAttributeBuilder.GetAttributes(req)
+ if err != nil {
+ Forbidden(err.Error(), attributes, w, req)
+ return
+ }
+ if attributes == nil {
+ Forbidden("No attributes", attributes, w, req)
+ return
+ }
+
+ ctx, exists := contextMapper.Get(req)
+ if !exists {
+ Forbidden("context not found", attributes, w, req)
+ return
+ }
+
+ allowed, reason, err := authorizer.Authorize(ctx, attributes)
+ if err != nil {
+ Forbidden(err.Error(), attributes, w, req)
+ return
+ }
+ if !allowed {
+ Forbidden(reason, attributes, w, req)
+ return
+ }
+
+ handler.ServeHTTP(w, req)
+ })
+}
+
+// Forbidden renders a simple forbidden error to the response
+func Forbidden(reason string, attributes authorizer.Action, w http.ResponseWriter, req *http.Request) {
+ kind := ""
+ resource := ""
+ group := ""
+ name := ""
+ // the attributes can be empty for two basic reasons:
+ // 1. malformed API request
+ // 2. not an API request at all
+ // In these cases, just assume default that will work better than nothing
+ if attributes != nil {
+ group = attributes.GetAPIGroup()
+ resource = attributes.GetResource()
+ kind = attributes.GetResource()
+ if len(attributes.GetAPIGroup()) > 0 {
+ kind = attributes.GetAPIGroup() + "." + kind
+ }
+ name = attributes.GetResourceName()
+ }
+
+ // Reason is an opaque string that describes why access is allowed or forbidden (forbidden by the time we reach here).
+ // We don't have direct access to kind or name (not that those apply either in the general case)
+ // We create a NewForbidden to stay close the API, but then we override the message to get a serialization
+ // that makes sense when a human reads it.
+ forbiddenError := kapierrors.NewForbidden(unversioned.GroupResource{Group: group, Resource: resource}, name, errors.New("") /*discarded*/)
+ forbiddenError.ErrStatus.Message = reason
+
+ formatted := &bytes.Buffer{}
+ output, err := runtime.Encode(kapi.Codecs.LegacyCodec(kapi.SchemeGroupVersion), &forbiddenError.ErrStatus)
+ if err != nil {
+ fmt.Fprintf(formatted, "%s", forbiddenError.Error())
+ } else {
+ json.Indent(formatted, output, "", " ")
+ }
+
+ w.Header().Set("Content-Type", restful.MIME_JSON)
+ w.WriteHeader(http.StatusForbidden)
+ w.Write(formatted.Bytes())
+}
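Review bot: In `Forbidden`, `kind` is assigned (including the group-qualified form) but never read afterwards; it is dead code carried over from the origin/handlers.go copy removed later in this diff, and the move into an exported package is the moment to either drop the four `kind` lines or use the value. The `json.Indent` error is also ignored, so on an indent failure `formatted` can hold a partial document that is then written under the 403; mirror the encode branch with `if err := json.Indent(formatted, output, "", "  "); err != nil { formatted.Reset(); fmt.Fprintf(formatted, "%s", forbiddenError.Error()) }`. Both `Forbidden` and `bypassAuthorizer` are complete within this hunk.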
diff --git a/pkg/cmd/server/handlers/impersonation.go b/pkg/cmd/server/handlers/impersonation.go
new file mode 100644
index 000000000000..f8cfc46102e3
--- /dev/null
+++ b/pkg/cmd/server/handlers/impersonation.go
@@ -0,0 +1,142 @@
+package handlers
+
+import (
+ "fmt"
+ "net/http"
+
+ kapi "k8s.io/kubernetes/pkg/api"
+ "k8s.io/kubernetes/pkg/auth/user"
+ "k8s.io/kubernetes/pkg/httplog"
+ "k8s.io/kubernetes/pkg/serviceaccount"
+
+ authenticationapi "github.com/openshift/origin/pkg/auth/api"
+ authorizationapi "github.com/openshift/origin/pkg/authorization/api"
+ "github.com/openshift/origin/pkg/authorization/authorizer"
+ "github.com/openshift/origin/pkg/cmd/server/bootstrappolicy"
+ userapi "github.com/openshift/origin/pkg/user/api"
+ uservalidation "github.com/openshift/origin/pkg/user/api/validation"
+)
+
+type GroupCache interface {
+ GroupsFor(string) ([]*userapi.Group, error)
+}
+
+// ImpersonationFilter checks for impersonation rules against the current user.
+func ImpersonationFilter(handler http.Handler, a authorizer.Authorizer, groupCache GroupCache, contextMapper kapi.RequestContextMapper) http.Handler {
+ return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+ requestedUser := req.Header.Get(authenticationapi.ImpersonateUserHeader)
+ if len(requestedUser) == 0 {
+ handler.ServeHTTP(w, req)
+ return
+ }
+
+ subjects := authorizationapi.BuildSubjects([]string{requestedUser}, req.Header[authenticationapi.ImpersonateGroupHeader],
+ // validates whether the usernames are regular users or system users
+ uservalidation.ValidateUserName,
+ // validates group names are regular groups or system groups
+ uservalidation.ValidateGroupName)
+
+ ctx, exists := contextMapper.Get(req)
+ if !exists {
+ Forbidden("context not found", nil, w, req)
+ return
+ }
+
+ // if groups are not specified, then we need to look them up differently depending on the type of user
+ // if they are specified, then they are the authority
+ groupsSpecified := len(req.Header[authenticationapi.ImpersonateGroupHeader]) > 0
+
+ // make sure we're allowed to impersonate each subject. While we're iterating through, start building username
+ // and group information
+ username := ""
+ groups := []string{}
+ for _, subject := range subjects {
+ actingAsAttributes := &authorizer.DefaultAuthorizationAttributes{
+ Verb: "impersonate",
+ }
+
+ switch subject.GetObjectKind().GroupVersionKind().GroupKind() {
+ case userapi.Kind(authorizationapi.GroupKind):
+ actingAsAttributes.APIGroup = userapi.GroupName
+ actingAsAttributes.Resource = authorizationapi.GroupResource
+ actingAsAttributes.ResourceName = subject.Name
+ groups = append(groups, subject.Name)
+
+ case userapi.Kind(authorizationapi.SystemGroupKind):
+ actingAsAttributes.APIGroup = userapi.GroupName
+ actingAsAttributes.Resource = authorizationapi.SystemGroupResource
+ actingAsAttributes.ResourceName = subject.Name
+ groups = append(groups, subject.Name)
+
+ case userapi.Kind(authorizationapi.UserKind):
+ actingAsAttributes.APIGroup = userapi.GroupName
+ actingAsAttributes.Resource = authorizationapi.UserResource
+ actingAsAttributes.ResourceName = subject.Name
+ username = subject.Name
+ if !groupsSpecified {
+ if actualGroups, err := groupCache.GroupsFor(subject.Name); err == nil {
+ for _, group := range actualGroups {
+ groups = append(groups, group.Name)
+ }
+ }
+ groups = append(groups, bootstrappolicy.AuthenticatedGroup, bootstrappolicy.AuthenticatedOAuthGroup)
+ }
+
+ case userapi.Kind(authorizationapi.SystemUserKind):
+ actingAsAttributes.APIGroup = userapi.GroupName
+ actingAsAttributes.Resource = authorizationapi.SystemUserResource
+ actingAsAttributes.ResourceName = subject.Name
+ username = subject.Name
+ if !groupsSpecified {
+ if subject.Name == bootstrappolicy.UnauthenticatedUsername {
+ groups = append(groups, bootstrappolicy.UnauthenticatedGroup)
+ } else {
+ groups = append(groups, bootstrappolicy.AuthenticatedGroup)
+ }
+ }
+
+ case kapi.Kind(authorizationapi.ServiceAccountKind):
+ actingAsAttributes.APIGroup = kapi.GroupName
+ actingAsAttributes.Resource = authorizationapi.ServiceAccountResource
+ actingAsAttributes.ResourceName = subject.Name
+ username = serviceaccount.MakeUsername(subject.Namespace, subject.Name)
+ if !groupsSpecified {
+ groups = append(serviceaccount.MakeGroupNames(subject.Namespace, subject.Name), bootstrappolicy.AuthenticatedGroup)
+ }
+
+ default:
+ Forbidden(fmt.Sprintf("unknown subject type: %v", subject), actingAsAttributes, w, req)
+ return
+ }
+
+ authCheckCtx := kapi.WithNamespace(ctx, subject.Namespace)
+
+ allowed, reason, err := a.Authorize(authCheckCtx, actingAsAttributes)
+ if err != nil {
+ Forbidden(err.Error(), actingAsAttributes, w, req)
+ return
+ }
+ if !allowed {
+ Forbidden(reason, actingAsAttributes, w, req)
+ return
+ }
+ }
+
+ var extra map[string][]string
+ if requestScopes, ok := req.Header[authenticationapi.ImpersonateUserScopeHeader]; ok {
+ extra = map[string][]string{authorizationapi.ScopesKey: requestScopes}
+ }
+
+ newUser := &user.DefaultInfo{
+ Name: username,
+ Groups: groups,
+ Extra: extra,
+ }
+ contextMapper.Update(req, kapi.WithUser(ctx, newUser))
+
+ oldUser, _ := kapi.UserFrom(ctx)
+ httplog.LogOf(req, w).Addf("%v is acting as %v", oldUser, newUser)
+
+ handler.ServeHTTP(w, req)
+ })
+}
diff --git a/pkg/cmd/server/kubernetes/node_auth.go b/pkg/cmd/server/kubernetes/node_auth.go
index 403b7925c99d..962d68607cdc 100644
--- a/pkg/cmd/server/kubernetes/node_auth.go
+++ b/pkg/cmd/server/kubernetes/node_auth.go
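Review bot: `ImpersonationFilter` ignores the error from `contextMapper.Update(req, kapi.WithUser(ctx, newUser))`, unlike `AuthenticationHandlerFilter` in the same package, which fails the request with a 500. If the update fails the handler runs with the original user's context while the httplog line still reports `%v is acting as %v`, so the audit trail and the effective identity disagree; suggest `if err := contextMapper.Update(req, kapi.WithUser(ctx, newUser)); err != nil {` followed by `http.Error(w, "Unable to set impersonated request context", http.StatusInternalServerError)` and `return`. The `groupCache.GroupsFor` error in the user case is likewise swallowed, so a group-lookup failure silently narrows the impersonated user to the two authenticated groups; at minimum it should be logged so the outage is visible. The function starts at the top of this hunk and is fully contained in it.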
@@ -1,80 +1,23 @@ package kubernetes import ( - "crypto/x509" "net/http" "strings" "time" "github.com/golang/glog" - "k8s.io/kubernetes/pkg/auth/authenticator" kauthorizer "k8s.io/kubernetes/pkg/auth/authorizer" "k8s.io/kubernetes/pkg/auth/user" - unversionedauthentication "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/authentication/internalversion" - - oauthenticator "github.com/openshift/origin/pkg/auth/authenticator" - "github.com/openshift/origin/pkg/auth/authenticator/anonymous" - "github.com/openshift/origin/pkg/auth/authenticator/request/bearertoken" - "github.com/openshift/origin/pkg/auth/authenticator/request/unionrequest" - "github.com/openshift/origin/pkg/auth/authenticator/request/x509request" - authncache "github.com/openshift/origin/pkg/auth/authenticator/token/cache" - authnremote "github.com/openshift/origin/pkg/auth/authenticator/token/remotetokenreview" - "github.com/openshift/origin/pkg/auth/group" + authorizationapi "github.com/openshift/origin/pkg/authorization/api" oauthorizer "github.com/openshift/origin/pkg/authorization/authorizer" authzadapter "github.com/openshift/origin/pkg/authorization/authorizer/adapter" authzcache "github.com/openshift/origin/pkg/authorization/authorizer/cache" authzremote "github.com/openshift/origin/pkg/authorization/authorizer/remote" oclient "github.com/openshift/origin/pkg/client" - "github.com/openshift/origin/pkg/cmd/server/bootstrappolicy" ) -func newAuthenticator(authenticationClient unversionedauthentication.TokenReviewsGetter, clientCAs *x509.CertPool, cacheTTL time.Duration, cacheSize int) (authenticator.Request, error) { - authenticators := []oauthenticator.Request{} - - // API token auth - var ( - tokenAuthenticator oauthenticator.Token - err error - ) - // Authenticate against the remote master - tokenAuthenticator, err = authnremote.NewAuthenticator(authenticationClient) - if err != nil { - return nil, err - } - // Cache results - if cacheTTL > 0 && cacheSize > 0 { - 
tokenAuthenticator, err = authncache.NewAuthenticator(tokenAuthenticator, cacheTTL, cacheSize) - if err != nil { - return nil, err - } - } - authenticators = append(authenticators, bearertoken.New(tokenAuthenticator, true)) - - // Client-cert auth - if clientCAs != nil { - opts := x509request.DefaultVerifyOptions() - opts.Roots = clientCAs - certauth := x509request.New(opts, x509request.SubjectToUserConversion) - authenticators = append(authenticators, certauth) - } - - ret := &unionrequest.Authenticator{ - // Anonymous requests will pass the token and cert checks without errors - // Bad tokens or bad certs will produce errors, in which case we should not continue to authenticate them as "system:anonymous" - FailOnError: true, - Handlers: []oauthenticator.Request{ - // Add the "system:authenticated" group to users that pass token/cert authentication - group.NewGroupAdder(unionrequest.NewUnionAuthentication(authenticators...), []string{bootstrappolicy.AuthenticatedGroup}), - // Fall back to the "system:anonymous" user - anonymous.NewAuthenticator(), - }, - } - - return ret, nil -} - func newAuthorizerAttributesGetter(nodeName string) (kauthorizer.RequestAttributesGetter, error) { return NodeAuthorizerAttributesGetter{nodeName}, nil } diff --git a/pkg/cmd/server/kubernetes/node_config.go b/pkg/cmd/server/kubernetes/node_config.go index 192c090fae27..ec90fff6e573 100644 --- a/pkg/cmd/server/kubernetes/node_config.go +++ b/pkg/cmd/server/kubernetes/node_config.go @@ -32,6 +32,7 @@ import ( osclient "github.com/openshift/origin/pkg/client" configapi "github.com/openshift/origin/pkg/cmd/server/api" + serverauthenticator "github.com/openshift/origin/pkg/cmd/server/authenticator" "github.com/openshift/origin/pkg/cmd/server/crypto" cmdutil "github.com/openshift/origin/pkg/cmd/util" cmdflags "github.com/openshift/origin/pkg/cmd/util/flags" 
@@ -237,7 +238,7 @@ func BuildKubernetesNodeConfig(options configapi.NodeConfig, enableProxy, enable if err != nil { return nil, err } - authn, err := newAuthenticator(kubeClient.Authentication(), clientCAs, authnTTL, options.AuthConfig.AuthenticationCacheSize) + authn, err := serverauthenticator.NewRemoteAuthenticator(kubeClient.Authentication(), clientCAs, authnTTL, options.AuthConfig.AuthenticationCacheSize) if err != nil { return nil, err } diff --git a/pkg/cmd/server/origin/auth.go b/pkg/cmd/server/origin/auth.go index 92557f7828b1..78da901ac20b 100644 --- a/pkg/cmd/server/origin/auth.go +++ b/pkg/cmd/server/origin/auth.go @@ -762,27 +762,3 @@ func (redirectSuccessHandler) AuthenticationSucceeded(user kuser.Info, then stri http.Redirect(w, req, then, http.StatusFound) return true, nil } - -// authenticationHandlerFilter creates a filter object that will enforce authentication directly -func authenticationHandlerFilter(handler http.Handler, authenticator authenticator.Request, contextMapper kapi.RequestContextMapper) http.Handler { - return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) { - user, ok, err := authenticator.AuthenticateRequest(req) - if err != nil || !ok { - http.Error(w, "Unauthorized", http.StatusUnauthorized) - return - } - - ctx, ok := contextMapper.Get(req) - if !ok { - http.Error(w, "Unable to find request context", http.StatusInternalServerError) - return - } - if err := contextMapper.Update(req, kapi.WithUser(ctx, user)); err != nil { - glog.V(4).Infof("Error setting authenticated context: %v", err) - http.Error(w, "Unable to set authenticated request context", http.StatusInternalServerError) - return - } - - handler.ServeHTTP(w, req) - }) -} diff --git a/pkg/cmd/server/origin/handlers.go b/pkg/cmd/server/origin/handlers.go index 0b968bf4d29e..85f6b59ff4b3 100644 --- a/pkg/cmd/server/origin/handlers.go +++ b/pkg/cmd/server/origin/handlers.go 
@@ -1,10 +1,7 @@ package origin import ( - "bytes" "encoding/json" - "errors" - "fmt" "net/http" "regexp" "sort" @@ -13,22 +10,12 @@ import ( "github.com/golang/glog" kapi "k8s.io/kubernetes/pkg/api" - kapierrors "k8s.io/kubernetes/pkg/api/errors" "k8s.io/kubernetes/pkg/api/unversioned" "k8s.io/kubernetes/pkg/apiserver/request" - "k8s.io/kubernetes/pkg/auth/user" - "k8s.io/kubernetes/pkg/httplog" - "k8s.io/kubernetes/pkg/runtime" - "k8s.io/kubernetes/pkg/serviceaccount" "k8s.io/kubernetes/pkg/util/sets" - authenticationapi "github.com/openshift/origin/pkg/auth/api" - authorizationapi "github.com/openshift/origin/pkg/authorization/api" - "github.com/openshift/origin/pkg/authorization/authorizer" configapi "github.com/openshift/origin/pkg/cmd/server/api" - "github.com/openshift/origin/pkg/cmd/server/bootstrappolicy" - userapi "github.com/openshift/origin/pkg/user/api" - uservalidation "github.com/openshift/origin/pkg/user/api/validation" + serverhandlers "github.com/openshift/origin/pkg/cmd/server/handlers" "github.com/openshift/origin/pkg/util/httprequest" ) 
@@ -72,78 +59,6 @@ func indexAPIPaths(osAPIVersions, kubeAPIVersions []string, handler http.Handler }) } -func (c *MasterConfig) authorizationFilter(handler http.Handler) http.Handler { - return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) { - attributes, err := c.AuthorizationAttributeBuilder.GetAttributes(req) - if err != nil { - forbidden(err.Error(), attributes, w, req) - return - } - if attributes == nil { - forbidden("No attributes", attributes, w, req) - return - } - - ctx, exists := c.RequestContextMapper.Get(req) - if !exists { - forbidden("context not found", attributes, w, req) - return - } - - allowed, reason, err := c.Authorizer.Authorize(ctx, attributes) - if err != nil { - forbidden(err.Error(), attributes, w, req) - return - } - if !allowed { - forbidden(reason, attributes, w, req) - return - } - - handler.ServeHTTP(w, req) - }) -} - -// forbidden renders a simple forbidden error -func forbidden(reason string, attributes authorizer.Action, w http.ResponseWriter, req *http.Request) { - kind := "" - resource := "" - group := "" - name := "" - // the attributes can be empty for two basic reasons: - // 1. malformed API request - // 2. not an API request at all - // In these cases, just assume default that will work better than nothing - if attributes != nil { - group = attributes.GetAPIGroup() - resource = attributes.GetResource() - kind = attributes.GetResource() - if len(attributes.GetAPIGroup()) > 0 { - kind = attributes.GetAPIGroup() + "." + kind - } - name = attributes.GetResourceName() - } - - // Reason is an opaque string that describes why access is allowed or forbidden (forbidden by the time we reach here). - // We don't have direct access to kind or name (not that those apply either in the general case) - // We create a NewForbidden to stay close the API, but then we override the message to get a serialization - // that makes sense when a human reads it. 
- forbiddenError := kapierrors.NewForbidden(unversioned.GroupResource{Group: group, Resource: resource}, name, errors.New("") /*discarded*/) - forbiddenError.ErrStatus.Message = reason - - formatted := &bytes.Buffer{} - output, err := runtime.Encode(kapi.Codecs.LegacyCodec(kapi.SchemeGroupVersion), &forbiddenError.ErrStatus) - if err != nil { - fmt.Fprintf(formatted, "%s", forbiddenError.Error()) - } else { - json.Indent(formatted, output, "", " ") - } - - w.Header().Set("Content-Type", restful.MIME_JSON) - w.WriteHeader(http.StatusForbidden) - w.Write(formatted.Bytes()) -} - // cacheControlFilter sets the Cache-Control header to the specified value. func cacheControlFilter(handler http.Handler, value string) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) { @@ -268,14 +183,14 @@ func (c *MasterConfig) versionSkewFilter(handler http.Handler, contextMapper kap } if !foundMatch { - forbidden(defaultMessage, nil, w, req) + serverhandlers.Forbidden(defaultMessage, nil, w, req) return } } for _, filter := range deniedFilters { if filter.matches(req.Method, userAgent) { - forbidden(filter.message, nil, w, req) + serverhandlers.Forbidden(filter.message, nil, w, req) return } } 
@@ -297,122 +212,3 @@ func WithAssetServerRedirect(handler http.Handler, assetPublicURL string) http.H handler.ServeHTTP(w, req) }) } - -func (c *MasterConfig) impersonationFilter(handler http.Handler) http.Handler { - return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) { - requestedUser := req.Header.Get(authenticationapi.ImpersonateUserHeader) - if len(requestedUser) == 0 { - handler.ServeHTTP(w, req) - return - } - - subjects := authorizationapi.BuildSubjects([]string{requestedUser}, req.Header[authenticationapi.ImpersonateGroupHeader], - // validates whether the usernames are regular users or system users - uservalidation.ValidateUserName, - // validates group names are regular groups or system groups - uservalidation.ValidateGroupName) - - ctx, exists := c.RequestContextMapper.Get(req) - if !exists { - forbidden("context not found", nil, w, req) - return - } - - // if groups are not specified, then we need to look them up differently depending on the type of user - // if they are specified, then they are the authority - groupsSpecified := len(req.Header[authenticationapi.ImpersonateGroupHeader]) > 0 - - // make sure we're allowed to impersonate each subject. 
While we're iterating through, start building username - // and group information - username := "" - groups := []string{} - for _, subject := range subjects { - actingAsAttributes := &authorizer.DefaultAuthorizationAttributes{ - Verb: "impersonate", - } - - switch subject.GetObjectKind().GroupVersionKind().GroupKind() { - case userapi.Kind(authorizationapi.GroupKind): - actingAsAttributes.APIGroup = userapi.GroupName - actingAsAttributes.Resource = authorizationapi.GroupResource - actingAsAttributes.ResourceName = subject.Name - groups = append(groups, subject.Name) - - case userapi.Kind(authorizationapi.SystemGroupKind): - actingAsAttributes.APIGroup = userapi.GroupName - actingAsAttributes.Resource = authorizationapi.SystemGroupResource - actingAsAttributes.ResourceName = subject.Name - groups = append(groups, subject.Name) - - case userapi.Kind(authorizationapi.UserKind): - actingAsAttributes.APIGroup = userapi.GroupName - actingAsAttributes.Resource = authorizationapi.UserResource - actingAsAttributes.ResourceName = subject.Name - username = subject.Name - if !groupsSpecified { - if actualGroups, err := c.GroupCache.GroupsFor(subject.Name); err == nil { - for _, group := range actualGroups { - groups = append(groups, group.Name) - } - } - groups = append(groups, bootstrappolicy.AuthenticatedGroup, bootstrappolicy.AuthenticatedOAuthGroup) - } - - case userapi.Kind(authorizationapi.SystemUserKind): - actingAsAttributes.APIGroup = userapi.GroupName - actingAsAttributes.Resource = authorizationapi.SystemUserResource - actingAsAttributes.ResourceName = subject.Name - username = subject.Name - if !groupsSpecified { - if subject.Name == bootstrappolicy.UnauthenticatedUsername { - groups = append(groups, bootstrappolicy.UnauthenticatedGroup) - } else { - groups = append(groups, bootstrappolicy.AuthenticatedGroup) - } - } - - case kapi.Kind(authorizationapi.ServiceAccountKind): - actingAsAttributes.APIGroup = kapi.GroupName - actingAsAttributes.Resource = 
authorizationapi.ServiceAccountResource - actingAsAttributes.ResourceName = subject.Name - username = serviceaccount.MakeUsername(subject.Namespace, subject.Name) - if !groupsSpecified { - groups = append(serviceaccount.MakeGroupNames(subject.Namespace, subject.Name), bootstrappolicy.AuthenticatedGroup) - } - - default: - forbidden(fmt.Sprintf("unknown subject type: %v", subject), actingAsAttributes, w, req) - return - } - - authCheckCtx := kapi.WithNamespace(ctx, subject.Namespace) - - allowed, reason, err := c.Authorizer.Authorize(authCheckCtx, actingAsAttributes) - if err != nil { - forbidden(err.Error(), actingAsAttributes, w, req) - return - } - if !allowed { - forbidden(reason, actingAsAttributes, w, req) - return - } - } - - var extra map[string][]string - if requestScopes, ok := req.Header[authenticationapi.ImpersonateUserScopeHeader]; ok { - extra = map[string][]string{authorizationapi.ScopesKey: requestScopes} - } - - newUser := &user.DefaultInfo{ - Name: username, - Groups: groups, - Extra: extra, - } - c.RequestContextMapper.Update(req, kapi.WithUser(ctx, newUser)) - - oldUser, _ := kapi.UserFrom(ctx) - httplog.LogOf(req, w).Addf("%v is acting as %v", oldUser, newUser) - - handler.ServeHTTP(w, req) - }) -} diff --git a/pkg/cmd/server/origin/handlers_test.go b/pkg/cmd/server/origin/handlers_test.go index 785e32670570..5faa9b4ca2e2 100644 --- a/pkg/cmd/server/origin/handlers_test.go +++ b/pkg/cmd/server/origin/handlers_test.go @@ -20,6 +20,7 @@ import ( authenticationapi "github.com/openshift/origin/pkg/auth/api" "github.com/openshift/origin/pkg/authorization/authorizer" configapi "github.com/openshift/origin/pkg/cmd/server/api" + serverhandlers "github.com/openshift/origin/pkg/cmd/server/handlers" "github.com/openshift/origin/pkg/cmd/server/kubernetes" userapi "github.com/openshift/origin/pkg/user/api" usercache "github.com/openshift/origin/pkg/user/cache" 
@@ -286,7 +287,7 @@ func TestImpersonationFilter(t *testing.T) { delegate.ServeHTTP(w, req) }) - }(config.impersonationFilter(doNothingHandler)) + }(serverhandlers.ImpersonationFilter(doNothingHandler, config.Authorizer, config.GroupCache, config.RequestContextMapper)) handler = kapi.WithRequestContext(handler, config.RequestContextMapper) server := httptest.NewServer(handler) diff --git a/pkg/cmd/server/origin/master.go b/pkg/cmd/server/origin/master.go index 4f0e0097ab9f..ee4068308e10 100644 --- a/pkg/cmd/server/origin/master.go +++ b/pkg/cmd/server/origin/master.go @@ -39,6 +39,8 @@ import ( "k8s.io/kubernetes/pkg/util/sets" utilwait "k8s.io/kubernetes/pkg/util/wait" + authzcache "github.com/openshift/origin/pkg/authorization/authorizer/cache" + authzremote "github.com/openshift/origin/pkg/authorization/authorizer/remote" buildclient "github.com/openshift/origin/pkg/build/client" buildgenerator "github.com/openshift/origin/pkg/build/generator" buildregistry "github.com/openshift/origin/pkg/build/registry/build" @@ -49,7 +51,9 @@ import ( "github.com/openshift/origin/pkg/build/webhook" "github.com/openshift/origin/pkg/build/webhook/generic" "github.com/openshift/origin/pkg/build/webhook/github" + serverauthenticator "github.com/openshift/origin/pkg/cmd/server/authenticator" "github.com/openshift/origin/pkg/cmd/server/crypto" + serverhandlers "github.com/openshift/origin/pkg/cmd/server/handlers" cmdutil "github.com/openshift/origin/pkg/cmd/util" deployconfigregistry "github.com/openshift/origin/pkg/deploy/registry/deployconfig" deployconfigetcd "github.com/openshift/origin/pkg/deploy/registry/deployconfig/etcd" 
@@ -263,11 +267,12 @@ func (c *MasterConfig) buildHandlerChain(assetConfig *AssetConfig) (func(http.Ha // TODO(sttts): resync with upstream handler chain and re-use upstream filters as much as possible return func(apiHandler http.Handler, kc *genericapiserver.Config) (secure, insecure http.Handler) { - attributeGetter := kapiserverfilters.NewRequestAttributeGetter(c.RequestContextMapper) + contextMapper := c.getRequestContextMapper() + attributeGetter := kapiserverfilters.NewRequestAttributeGetter(contextMapper) - handler := c.versionSkewFilter(apiHandler, c.getRequestContextMapper()) - handler = c.authorizationFilter(handler) - handler = c.impersonationFilter(handler) + handler := c.versionSkewFilter(apiHandler, contextMapper) + handler = serverhandlers.AuthorizationFilter(handler, c.Authorizer, c.AuthorizationAttributeBuilder, contextMapper) + handler = serverhandlers.ImpersonationFilter(handler, c.Authorizer, c.GroupCache, contextMapper) // audit handler must comes before the impersonationFilter to read the original user if c.Options.AuditConfig.Enabled { @@ -285,8 +290,8 @@ func (c *MasterConfig) buildHandlerChain(assetConfig *AssetConfig) (func(http.Ha } handler = kapiserverfilters.WithAudit(handler, attributeGetter, writer) } - handler = authenticationHandlerFilter(handler, c.Authenticator, c.getRequestContextMapper()) - handler = namespacingFilter(handler, c.getRequestContextMapper()) + handler = serverhandlers.AuthenticationHandlerFilter(handler, c.Authenticator, contextMapper) + handler = namespacingFilter(handler, contextMapper) handler = cacheControlFilter(handler, "no-store") // protected endpoints should not be cached if c.Options.OAuthConfig != nil { 
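Review bot: The hoisted `contextMapper := c.getRequestContextMapper()` now feeds every filter in the chain, including WithPanicRecovery (previously `c.RequestContextMapper`) and, in the next hunk, WithRequestInfo/WithRequestContext (previously `kc.RequestContextMapper`), yet nothing in the hunk records that these three sources must resolve to the same mapper. If they ever diverge, the user that AuthenticationHandlerFilter stores would presumably be invisible to whichever filter reads the other mapper, and the authorization and impersonation filters would run against an empty context. A one-line comment at the assignment, `// one mapper for the whole chain; it must be the mapper kc (genericapiserver) uses as well, otherwise filters cannot see each other's context`, makes the invariant explicit. buildHandlerChain starts before this hunk and continues past it.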
@@ -313,27 +318,51 @@ func (c *MasterConfig) buildHandlerChain(assetConfig *AssetConfig) (func(http.Ha } handler = kgenericfilters.WithCORS(handler, c.Options.CORSAllowedOrigins, nil, nil, nil, "true") - handler = kgenericfilters.WithPanicRecovery(handler, c.RequestContextMapper) + handler = kgenericfilters.WithPanicRecovery(handler, contextMapper) handler = kgenericfilters.WithTimeoutForNonLongRunningRequests(handler, kc.LongRunningFunc) // TODO: MaxRequestsInFlight should be subdivided by intent, type of behavior, and speed of // execution - updates vs reads, long reads vs short reads, fat reads vs skinny reads. // NOTE: read vs. write is implemented in Kube 1.6+ handler = kgenericfilters.WithMaxInFlightLimit(handler, kc.MaxRequestsInFlight, kc.LongRunningFunc) - handler = kapiserverfilters.WithRequestInfo(handler, genericapiserver.NewRequestInfoResolver(kc), kc.RequestContextMapper) - handler = kapi.WithRequestContext(handler, kc.RequestContextMapper) + handler = kapiserverfilters.WithRequestInfo(handler, genericapiserver.NewRequestInfoResolver(kc), contextMapper) + handler = kapi.WithRequestContext(handler, contextMapper) return handler, nil }, messages, nil } -func (c *MasterConfig) RunHealth() { +func (c *MasterConfig) RunHealth() error { apiContainer := genericmux.NewAPIContainer(http.NewServeMux(), kapi.Codecs) healthz.InstallHandler(&apiContainer.NonSwaggerRoutes, healthz.PingHealthz) initReadinessCheckRoute(apiContainer, "/healthz/ready", func() bool { return true }) - initMetricsRoute(apiContainer, "/metrics") + genericroutes.Profiling{}.Install(apiContainer) + genericroutes.MetricsWithReset{}.Install(apiContainer) - c.serve(apiContainer.ServeMux, []string{"Started health checks at %s"}) + // TODO: replace me with a service account for controller manager + authn, err := serverauthenticator.NewRemoteAuthenticator(c.PrivilegedLoopbackKubernetesClientset.Authentication(), c.APIClientCAs, 5*time.Minute, 10) + if err != nil { + return err + } + authz, err := 
authzremote.NewAuthorizer(c.PrivilegedLoopbackOpenShiftClient) + if err != nil { + return err + } + authz, err = authzcache.NewAuthorizer(authz, 5*time.Minute, 10) + if err != nil { + return err + } + // we use direct bypass to allow readiness and health to work regardless of the master health + authz = serverhandlers.NewBypassAuthorizer(authz, "/healthz", "/healthz/ready") + contextMapper := c.getRequestContextMapper() + handler := serverhandlers.AuthorizationFilter(apiContainer.ServeMux, authz, c.AuthorizationAttributeBuilder, contextMapper) + handler = serverhandlers.AuthenticationHandlerFilter(handler, authn, contextMapper) + handler = kgenericfilters.WithPanicRecovery(handler, contextMapper) + handler = kapiserverfilters.WithRequestInfo(handler, genericapiserver.NewRequestInfoResolver(&genericapiserver.Config{}), contextMapper) + handler = kapi.WithRequestContext(handler, contextMapper) + + c.serve(handler, []string{"Started health checks at %s"}) + return nil } // serve starts serving the provided http.Handler using security settings derived from the MasterConfig diff --git a/pkg/cmd/server/start/start_master.go b/pkg/cmd/server/start/start_master.go index 59ca213e6f0b..292c2af1436b 100644 --- a/pkg/cmd/server/start/start_master.go +++ b/pkg/cmd/server/start/start_master.go @@ -450,8 +450,7 @@ func (m *Master) Start() error { } func startHealth(openshiftConfig *origin.MasterConfig) error { - openshiftConfig.RunHealth() - return nil + return openshiftConfig.RunHealth() } // StartAPI starts the components of the master that are considered part of the API - the Kubernetes diff --git a/pkg/openapi/zz_generated.openapi.go b/pkg/openapi/zz_generated.openapi.go index 99349b8f6b6f..1e0082651c61 100644 --- a/pkg/openapi/zz_generated.openapi.go +++ b/pkg/openapi/zz_generated.openapi.go 
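Review bot: The `// we use direct bypass to allow readiness and health to work regardless of the master health` comment overstates what NewBypassAuthorizer buys: the bypass is wrapped by AuthenticationHandlerFilter, so it lifts only the authorization check, and a probe that sends a bearer token to /healthz still depends on the remote TokenReview against the master (and, if AuthenticationHandlerFilter keeps the behaviour of the authenticationHandlerFilter removed from auth.go in this commit, a bad or expired token gets 401 rather than the bypass). Suggest `// bypass covers authorization only: credential-less probes work regardless of master health, but a request carrying a token still needs the remote authenticator (5m cache) to answer`. The `5*time.Minute, 10` literals passed to both caches and the zero `&genericapiserver.Config{}` handed to NewRequestInfoResolver also deserve named constants or a line of explanation: with a 5-minute authz cache, a cluster-debugger binding that is removed can keep working on /metrics and /debug/pprof for up to the TTL (the `try_until_text` in test/cmd/authentication.sh already hints at the grant-side lag), and the empty Config presumably means every path on the health port is classified as a non-resource URL, which looks intended but is not stated. RunHealth is fully inside the hunk; buildHandlerChain above it starts outside.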
@@ -7259,6 +7259,20 @@ var OpenAPIDefinitions *common.OpenAPIDefinitions = &common.OpenAPIDefinitions{ Format: "", }, }, + "path": { + SchemaProps: spec.SchemaProps{ + Description: "Path is the path of a non resource URL", + Type: []string{"string"}, + Format: "", + }, + }, + "isNonResourceURL": { + SchemaProps: spec.SchemaProps{ + Description: "IsNonResourceURL is true if this is a request for a non-resource URL (outside of the resource hieraarchy)", + Type: []string{"boolean"}, + Format: "", + }, + }, "content": { SchemaProps: spec.SchemaProps{ Description: "Content is the actual content of the request for create and update", @@ -7266,7 +7280,7 @@ var OpenAPIDefinitions *common.OpenAPIDefinitions = &common.OpenAPIDefinitions{ }, }, }, - Required: []string{"namespace", "verb", "resourceAPIGroup", "resourceAPIVersion", "resource", "resourceName"}, + Required: []string{"namespace", "verb", "resourceAPIGroup", "resourceAPIVersion", "resource", "resourceName", "path", "isNonResourceURL"}, }, }, Dependencies: []string{ @@ -15236,6 +15250,20 @@ var OpenAPIDefinitions *common.OpenAPIDefinitions = &common.OpenAPIDefinitions{ Format: "", }, }, + "path": { + SchemaProps: spec.SchemaProps{ + Description: "Path is the path of a non resource URL", + Type: []string{"string"}, + Format: "", + }, + }, + "isNonResourceURL": { + SchemaProps: spec.SchemaProps{ + Description: "IsNonResourceURL is true if this is a request for a non-resource URL (outside of the resource hieraarchy)", + Type: []string{"boolean"}, + Format: "", + }, + }, "content": { SchemaProps: spec.SchemaProps{ Description: "Content is the actual content of the request for create and update", 
@@ -15243,7 +15271,7 @@ var OpenAPIDefinitions *common.OpenAPIDefinitions = &common.OpenAPIDefinitions{ }, }, }, - Required: []string{"namespace", "verb", "resourceAPIGroup", "resourceAPIVersion", "resource", "resourceName"}, + Required: []string{"namespace", "verb", "resourceAPIGroup", "resourceAPIVersion", "resource", "resourceName", "path", "isNonResourceURL"}, }, }, Dependencies: []string{ @@ -15310,6 +15338,20 @@ var OpenAPIDefinitions *common.OpenAPIDefinitions = &common.OpenAPIDefinitions{ Format: "", }, }, + "path": { + SchemaProps: spec.SchemaProps{ + Description: "Path is the path of a non resource URL", + Type: []string{"string"}, + Format: "", + }, + }, + "isNonResourceURL": { + SchemaProps: spec.SchemaProps{ + Description: "IsNonResourceURL is true if this is a request for a non-resource URL (outside of the resource hieraarchy)", + Type: []string{"boolean"}, + Format: "", + }, + }, "content": { SchemaProps: spec.SchemaProps{ Description: "Content is the actual content of the request for create and update", @@ -15352,7 +15394,7 @@ var OpenAPIDefinitions *common.OpenAPIDefinitions = &common.OpenAPIDefinitions{ }, }, }, - Required: []string{"namespace", "verb", "resourceAPIGroup", "resourceAPIVersion", "resource", "resourceName", "user", "groups", "scopes"}, + Required: []string{"namespace", "verb", "resourceAPIGroup", "resourceAPIVersion", "resource", "resourceName", "path", "isNonResourceURL", "user", "groups", "scopes"}, }, }, Dependencies: []string{ 
@@ -20285,6 +20327,20 @@ var OpenAPIDefinitions *common.OpenAPIDefinitions = &common.OpenAPIDefinitions{ Format: "", }, }, + "path": { + SchemaProps: spec.SchemaProps{ + Description: "Path is the path of a non resource URL", + Type: []string{"string"}, + Format: "", + }, + }, + "isNonResourceURL": { + SchemaProps: spec.SchemaProps{ + Description: "IsNonResourceURL is true if this is a request for a non-resource URL (outside of the resource hieraarchy)", + Type: []string{"boolean"}, + Format: "", + }, + }, "content": { SchemaProps: spec.SchemaProps{ Description: "Content is the actual content of the request for create and update", @@ -20292,7 +20348,7 @@ var OpenAPIDefinitions *common.OpenAPIDefinitions = &common.OpenAPIDefinitions{ }, }, }, - Required: []string{"namespace", "verb", "resourceAPIGroup", "resourceAPIVersion", "resource", "resourceName"}, + Required: []string{"namespace", "verb", "resourceAPIGroup", "resourceAPIVersion", "resource", "resourceName", "path", "isNonResourceURL"}, }, }, Dependencies: []string{ @@ -23017,6 +23073,20 @@ var OpenAPIDefinitions *common.OpenAPIDefinitions = &common.OpenAPIDefinitions{ Format: "", }, }, + "path": { + SchemaProps: spec.SchemaProps{ + Description: "Path is the path of a non resource URL", + Type: []string{"string"}, + Format: "", + }, + }, + "isNonResourceURL": { + SchemaProps: spec.SchemaProps{ + Description: "IsNonResourceURL is true if this is a request for a non-resource URL (outside of the resource hieraarchy)", + Type: []string{"boolean"}, + Format: "", + }, + }, "content": { SchemaProps: spec.SchemaProps{ Description: "Content is the actual content of the request for create and update", 
@@ -23059,7 +23129,7 @@ var OpenAPIDefinitions *common.OpenAPIDefinitions = &common.OpenAPIDefinitions{ }, }, }, - Required: []string{"namespace", "verb", "resourceAPIGroup", "resourceAPIVersion", "resource", "resourceName", "user", "groups", "scopes"}, + Required: []string{"namespace", "verb", "resourceAPIGroup", "resourceAPIVersion", "resource", "resourceName", "path", "isNonResourceURL", "user", "groups", "scopes"}, }, }, Dependencies: []string{ diff --git a/test/cmd/authentication.sh b/test/cmd/authentication.sh index ee24cc975e7d..427d24276813 100755 --- a/test/cmd/authentication.sh +++ b/test/cmd/authentication.sh @@ -12,6 +12,7 @@ fi ( set +e oc delete oauthaccesstokens --all + oadm policy remove-cluster-role-from-user cluster-debugger user3 exit 0 ) &>/dev/null 
@@ -78,7 +79,23 @@ os::cmd::expect_success_and_text "oc policy can-i create pods --token='${accesst os::cmd::expect_success_and_text "oc policy can-i --list --token='${accesstoken}' -n '${project}' --scopes='role:admin:*'" 'get.*pods' os::cmd::expect_success_and_not_text "oc policy can-i --list --token='${accesstoken}' -n '${project}'" 'get.*pods' +os::test::junit::declare_suite_end +os::test::junit::declare_suite_start "cmd/authentication/debugging" +os::cmd::expect_success_and_text 'oc login -u user3 -p pw' 'Login successful' +os::cmd::expect_success 'oc login -u system:admin' +os::cmd::expect_failure_and_text 'oc get --raw /debug/pprof/ --as=user3' 'Forbidden' +os::cmd::expect_failure_and_text 'oc get --raw /metrics --as=user3' 'Forbidden' +os::cmd::expect_success_and_text 'oc get --raw /healthz --as=user3' 'ok' +os::cmd::expect_success 'oadm policy add-cluster-role-to-user cluster-debugger user3' +os::cmd::try_until_text 'oc get --raw /debug/pprof/ --as=user3' 'full goroutine stack dump' +os::cmd::expect_success_and_text 'oc get --raw /debug/pprof/ --as=user3' 'full goroutine stack dump' +os::cmd::expect_success_and_text 'oc get --raw /metrics --as=user3' 'apiserver_request_latencies' +os::cmd::expect_success_and_text 'oc get --raw /healthz --as=user3' 'ok' +# TODO validate controller os::test::junit::declare_suite_end +os::test::junit::declare_suite_start "cmd/authentication/scopedtokens" + + os::test::junit::declare_suite_end