Merge pull request #3266 from sttts/sttts-authz-simplify

🌱 authorizers: misc prefactorings

Author: kcp-ci-bot

pkg/authorization/maximal_permission_policy_authorizer.go

@@ -44,7 +44,10 @@ const (
 
 // NewMaximalPermissionPolicyAuthorizer returns an authorizer that first checks if the request is for a
 // bound resource or not. If the resource is bound it checks the maximal permission policy of the underlying API export.
-func NewMaximalPermissionPolicyAuthorizer(kubeInformers, globalKubeInformers kcpkubernetesinformers.SharedInformerFactory, kcpInformers, globalKcpInformers kcpinformers.SharedInformerFactory, delegate authorizer.Authorizer) authorizer.Authorizer {
+func NewMaximalPermissionPolicyAuthorizer(
+	kubeInformers, globalKubeInformers kcpkubernetesinformers.SharedInformerFactory,
+	kcpInformers, globalKcpInformers kcpinformers.SharedInformerFactory,
+) func(delegate authorizer.Authorizer) authorizer.Authorizer {
 	// Make sure informer knows what to watch
 	kubeInformers.Rbac().V1().Roles().Lister()
 	kubeInformers.Rbac().V1().RoleBindings().Lister()
@@ -64,37 +67,39 @@ func NewMaximalPermissionPolicyAuthorizer(kubeInformers, globalKubeInformers kcp
 		indexers.ByLogicalClusterPathAndName: indexers.IndexByLogicalClusterPathAndName,
 	})
 
-	return &MaximalPermissionPolicyAuthorizer{
-		getAPIBindings: func(clusterName logicalcluster.Name) ([]*apisv1alpha1.APIBinding, error) {
-			return kcpInformers.Apis().V1alpha1().APIBindings().Lister().Cluster(clusterName).List(labels.Everything())
-		},
-		getAPIExport: func(path logicalcluster.Path, name string) (*apisv1alpha1.APIExport, error) {
-			return indexers.ByPathAndNameWithFallback[*apisv1alpha1.APIExport](apisv1alpha1.Resource("apiexports"), kcpInformers.Apis().V1alpha1().APIExports().Informer().GetIndexer(), globalKcpInformers.Apis().V1alpha1().APIExports().Informer().GetIndexer(), path, name)
-		},
-		newAuthorizer: func(clusterName logicalcluster.Name) authorizer.Authorizer {
-			return rbac.New(
-				&rbac.RoleGetter{Lister: rbacwrapper.NewMergedRoleLister(
-					kubeInformers.Rbac().V1().Roles().Lister().Cluster(clusterName),
-					globalKubeInformers.Rbac().V1().Roles().Lister().Cluster(clusterName),
-					kubeInformers.Rbac().V1().Roles().Lister().Cluster(controlplaneapiserver.LocalAdminCluster),
-				)},
-				&rbac.RoleBindingLister{Lister: rbacwrapper.NewMergedRoleBindingLister(
-					kubeInformers.Rbac().V1().RoleBindings().Lister().Cluster(clusterName),
-					globalKubeInformers.Rbac().V1().RoleBindings().Lister().Cluster(clusterName),
-				)},
-				&rbac.ClusterRoleGetter{Lister: rbacwrapper.NewMergedClusterRoleLister(
-					kubeInformers.Rbac().V1().ClusterRoles().Lister().Cluster(clusterName),
-					globalKubeInformers.Rbac().V1().ClusterRoles().Lister().Cluster(clusterName),
-					kubeInformers.Rbac().V1().ClusterRoles().Lister().Cluster(controlplaneapiserver.LocalAdminCluster),
-				)},
-				&rbac.ClusterRoleBindingLister{Lister: rbacwrapper.NewMergedClusterRoleBindingLister(
-					kubeInformers.Rbac().V1().ClusterRoleBindings().Lister().Cluster(clusterName),
-					globalKubeInformers.Rbac().V1().ClusterRoleBindings().Lister().Cluster(clusterName),
-					kubeInformers.Rbac().V1().ClusterRoleBindings().Lister().Cluster(controlplaneapiserver.LocalAdminCluster),
-				)},
-			)
-		},
-		delegate: delegate,
+	return func(delegate authorizer.Authorizer) authorizer.Authorizer {
+		return &MaximalPermissionPolicyAuthorizer{
+			getAPIBindings: func(clusterName logicalcluster.Name) ([]*apisv1alpha1.APIBinding, error) {
+				return kcpInformers.Apis().V1alpha1().APIBindings().Lister().Cluster(clusterName).List(labels.Everything())
+			},
+			getAPIExport: func(path logicalcluster.Path, name string) (*apisv1alpha1.APIExport, error) {
+				return indexers.ByPathAndNameWithFallback[*apisv1alpha1.APIExport](apisv1alpha1.Resource("apiexports"), kcpInformers.Apis().V1alpha1().APIExports().Informer().GetIndexer(), globalKcpInformers.Apis().V1alpha1().APIExports().Informer().GetIndexer(), path, name)
+			},
+			newAuthorizer: func(clusterName logicalcluster.Name) authorizer.Authorizer {
+				return rbac.New(
+					&rbac.RoleGetter{Lister: rbacwrapper.NewMergedRoleLister(
+						kubeInformers.Rbac().V1().Roles().Lister().Cluster(clusterName),
+						globalKubeInformers.Rbac().V1().Roles().Lister().Cluster(clusterName),
+						kubeInformers.Rbac().V1().Roles().Lister().Cluster(controlplaneapiserver.LocalAdminCluster),
+					)},
+					&rbac.RoleBindingLister{Lister: rbacwrapper.NewMergedRoleBindingLister(
+						kubeInformers.Rbac().V1().RoleBindings().Lister().Cluster(clusterName),
+						globalKubeInformers.Rbac().V1().RoleBindings().Lister().Cluster(clusterName),
+					)},
+					&rbac.ClusterRoleGetter{Lister: rbacwrapper.NewMergedClusterRoleLister(
+						kubeInformers.Rbac().V1().ClusterRoles().Lister().Cluster(clusterName),
+						globalKubeInformers.Rbac().V1().ClusterRoles().Lister().Cluster(clusterName),
+						kubeInformers.Rbac().V1().ClusterRoles().Lister().Cluster(controlplaneapiserver.LocalAdminCluster),
+					)},
+					&rbac.ClusterRoleBindingLister{Lister: rbacwrapper.NewMergedClusterRoleBindingLister(
+						kubeInformers.Rbac().V1().ClusterRoleBindings().Lister().Cluster(clusterName),
+						globalKubeInformers.Rbac().V1().ClusterRoleBindings().Lister().Cluster(clusterName),
+						kubeInformers.Rbac().V1().ClusterRoleBindings().Lister().Cluster(controlplaneapiserver.LocalAdminCluster),
+					)},
+				)
+			},
+			delegate: delegate,
+		}
 	}
 }
 

pkg/authorization/requiredgroups_authorizer.go

@@ -42,18 +42,20 @@ const (
 
 // NewRequiredGroupsAuthorizer returns an authorizer that a set of groups stored
 // on the LogicalCluster object. Service account by-pass this.
-func NewRequiredGroupsAuthorizer(local, global corev1alpha1listers.LogicalClusterClusterLister, delegate authorizer.Authorizer) authorizer.Authorizer {
-	return &requiredGroupsAuthorizer{
-		getLogicalCluster: func(logicalCluster logicalcluster.Name) (*corev1alpha1.LogicalCluster, error) {
-			obj, err := local.Cluster(logicalCluster).Get(corev1alpha1.LogicalClusterName)
-			if err != nil && !errors.IsNotFound(err) {
-				return nil, err
-			} else if errors.IsNotFound(err) {
-				return global.Cluster(logicalCluster).Get(corev1alpha1.LogicalClusterName)
-			}
-			return obj, nil
-		},
-		delegate: delegate,
+func NewRequiredGroupsAuthorizer(local, global corev1alpha1listers.LogicalClusterClusterLister) func(delegate authorizer.Authorizer) authorizer.Authorizer {
+	return func(delegate authorizer.Authorizer) authorizer.Authorizer {
+		return &requiredGroupsAuthorizer{
+			getLogicalCluster: func(logicalCluster logicalcluster.Name) (*corev1alpha1.LogicalCluster, error) {
+				obj, err := local.Cluster(logicalCluster).Get(corev1alpha1.LogicalClusterName)
+				if err != nil && !errors.IsNotFound(err) {
+					return nil, err
+				} else if errors.IsNotFound(err) {
+					return global.Cluster(logicalCluster).Get(corev1alpha1.LogicalClusterName)
+				}
+				return obj, nil
+			},
+			delegate: delegate,
+		}
 	}
 }
 

pkg/authorization/workspace_content_authorizer.go

@@ -44,25 +44,27 @@ const (
 	WorkspaceAccessNotPermittedReason = "workspace access not permitted"
 )
 
-func NewWorkspaceContentAuthorizer(localInformers, globalInformers kcpkubernetesinformers.SharedInformerFactory, localLogicalClusterLister, globalLogicalClusterLister corev1alpha1listers.LogicalClusterClusterLister, delegate authorizer.Authorizer) authorizer.Authorizer {
-	return &workspaceContentAuthorizer{
-		localClusterRoleLister:        localInformers.Rbac().V1().ClusterRoles().Lister(),
-		localClusterRoleBindingLister: localInformers.Rbac().V1().ClusterRoleBindings().Lister(),
-
-		globalClusterRoleLister:        globalInformers.Rbac().V1().ClusterRoles().Lister(),
-		globalClusterRoleBindingLister: globalInformers.Rbac().V1().ClusterRoleBindings().Lister(),
-
-		getLogicalCluster: func(logicalCluster logicalcluster.Name) (*corev1alpha1.LogicalCluster, error) {
-			obj, err := localLogicalClusterLister.Cluster(logicalCluster).Get(corev1alpha1.LogicalClusterName)
-			if err != nil && !errors.IsNotFound(err) {
-				return nil, err
-			} else if errors.IsNotFound(err) {
-				return globalLogicalClusterLister.Cluster(logicalCluster).Get(corev1alpha1.LogicalClusterName)
-			}
-			return obj, nil
-		},
-
-		delegate: delegate,
+func NewWorkspaceContentAuthorizer(localInformers, globalInformers kcpkubernetesinformers.SharedInformerFactory, localLogicalClusterLister, globalLogicalClusterLister corev1alpha1listers.LogicalClusterClusterLister) func(delegate authorizer.Authorizer) authorizer.Authorizer {
+	return func(delegate authorizer.Authorizer) authorizer.Authorizer {
+		return &workspaceContentAuthorizer{
+			localClusterRoleLister:        localInformers.Rbac().V1().ClusterRoles().Lister(),
+			localClusterRoleBindingLister: localInformers.Rbac().V1().ClusterRoleBindings().Lister(),
+
+			globalClusterRoleLister:        globalInformers.Rbac().V1().ClusterRoles().Lister(),
+			globalClusterRoleBindingLister: globalInformers.Rbac().V1().ClusterRoleBindings().Lister(),
+
+			getLogicalCluster: func(logicalCluster logicalcluster.Name) (*corev1alpha1.LogicalCluster, error) {
+				obj, err := localLogicalClusterLister.Cluster(logicalCluster).Get(corev1alpha1.LogicalClusterName)
+				if err != nil && !errors.IsNotFound(err) {
+					return nil, err
+				} else if errors.IsNotFound(err) {
+					return globalLogicalClusterLister.Cluster(logicalCluster).Get(corev1alpha1.LogicalClusterName)
+				}
+				return obj, nil
+			},
+
+			delegate: delegate,
+		}
 	}
 }
 

pkg/authorization/workspace_content_authorizer_test.go

@@ -125,7 +125,7 @@ func TestWorkspaceContentAuthorizer(t *testing.T) {
 			wantReason:   "delegating due to user logical cluster access",
 		},
 		{
-			testName: "user with scope to another cluster is denied",
+			testName: "user with scope to another cluster is not allowed",
 
 			requestedWorkspace: "root:ready",
 			requestingUser: &user.DefaultInfo{Name: "user-access", Extra: map[string][]string{
@@ -143,26 +143,26 @@ func TestWorkspaceContentAuthorizer(t *testing.T) {
 			wantReason:         "delegating due to local service account access",
 		},
 		{
-			testName: "user is granted access on root",
+			testName: "a authenticated user is granted access on root:authenticated",
 
-			requestedWorkspace: "root",
+			requestedWorkspace: "root:authenticated",
 			requestingUser:     &user.DefaultInfo{Name: "somebody", Groups: []string{"system:authenticated"}},
 			wantDecision:       authorizer.DecisionAllow,
 			wantReason:         "delegating due to user logical cluster access",
 		},
 		{
-			testName: "service account from other cluster is denied on root",
+			testName: "service account from other cluster is denied on root:authenticated",
 
-			requestedWorkspace: "root",
+			requestedWorkspace: "root:authenticated",
 			requestingUser:     newServiceAccountWithCluster("somebody", "someworkspace", "system:authenticated"),
 			wantDecision:       authorizer.DecisionDeny,
 			wantReason:         "foreign service account",
 		},
 		{
-			testName: "service account from root cluster is granted access on root",
+			testName: "service account from root:authenticated cluster is granted access on root:authenticated",
 
-			requestedWorkspace: "root",
-			requestingUser:     newServiceAccountWithCluster("somebody", "root", "system:authenticated"),
+			requestedWorkspace: "root:authenticated",
+			requestingUser:     newServiceAccountWithCluster("somebody", "root:authenticated", "system:authenticated"),
 			wantDecision:       authorizer.DecisionAllow,
 			wantReason:         "delegating due to local service account access",
 		},
@@ -248,9 +248,9 @@ func TestWorkspaceContentAuthorizer(t *testing.T) {
 				&v1.ClusterRoleBinding{
 					ObjectMeta: metav1.ObjectMeta{
 						Annotations: map[string]string{
-							logicalcluster.AnnotationKey: "root",
+							logicalcluster.AnnotationKey: "root:authenticated",
 						},
-						Name: "system:authenticated:access",
+						Name: "system:authenticated:root:authenticated:access",
 					},
 					Subjects: []v1.Subject{
 						{
@@ -270,7 +270,7 @@ func TestWorkspaceContentAuthorizer(t *testing.T) {
 						Annotations: map[string]string{
 							logicalcluster.AnnotationKey: "root:ready",
 						},
-						Name: "user-access-ready-access",
+						Name: "user-access:root:ready:access",
 					},
 					Subjects: []v1.Subject{
 						{
@@ -290,7 +290,7 @@ func TestWorkspaceContentAuthorizer(t *testing.T) {
 						Annotations: map[string]string{
 							logicalcluster.AnnotationKey: "root:initializing",
 						},
-						Name: "user-access-initializing-access",
+						Name: "user-access:root:initializing:access",
 					},
 					Subjects: []v1.Subject{
 						{
@@ -310,7 +310,7 @@ func TestWorkspaceContentAuthorizer(t *testing.T) {
 						Annotations: map[string]string{
 							logicalcluster.AnnotationKey: "rootwithoutparent",
 						},
-						Name: "system:authenticated:access",
+						Name: "user-access:rootwithoutparent:access",
 					},
 					Subjects: []v1.Subject{
 						{
@@ -343,7 +343,7 @@ func TestWorkspaceContentAuthorizer(t *testing.T) {
 
 			localIndexer := cache.NewIndexer(kcpcache.MetaClusterNamespaceKeyFunc, cache.Indexers{})
 			require.NoError(t, localIndexer.Add(&corev1alpha1.LogicalCluster{
-				ObjectMeta: metav1.ObjectMeta{Name: corev1alpha1.LogicalClusterName, Annotations: map[string]string{logicalcluster.AnnotationKey: "root"}},
+				ObjectMeta: metav1.ObjectMeta{Name: corev1alpha1.LogicalClusterName, Annotations: map[string]string{logicalcluster.AnnotationKey: "root:authenticated"}},
 				Status:     corev1alpha1.LogicalClusterStatus{Phase: corev1alpha1.LogicalClusterPhaseReady},
 			}))
 			require.NoError(t, localIndexer.Add(&corev1alpha1.LogicalCluster{
@@ -369,7 +369,7 @@ func TestWorkspaceContentAuthorizer(t *testing.T) {
 			globalLogicalClusters := corev1alpha1listers.NewLogicalClusterClusterLister(globalIndexer)
 
 			recordingAuthorizer := &recordingAuthorizer{decision: authorizer.DecisionAllow, reason: "allowed"}
-			w := NewWorkspaceContentAuthorizer(local, global, localLogicalClusters, globalLogicalClusters, recordingAuthorizer)
+			w := NewWorkspaceContentAuthorizer(local, global, localLogicalClusters, globalLogicalClusters)(recordingAuthorizer)
 
 			requestedCluster := request.Cluster{
 				Name: logicalcluster.Name(tt.requestedWorkspace),

pkg/server/options/authorization.go

@@ -136,7 +136,8 @@ func (s *Authorization) ApplyTo(ctx context.Context, config *genericapiserver.Co
 
 	// group authorizer
 	if len(s.AlwaysAllowGroups) > 0 {
-		authorizers = append(authorizers, authorizerfactory.NewPrivilegedGroups(s.AlwaysAllowGroups...))
+		privGroups := authorizerfactory.NewPrivilegedGroups(s.AlwaysAllowGroups...)
+		authorizers = append(authorizers, privGroups)
 	}
 
 	// path authorizer
@@ -190,31 +191,33 @@ func (s *Authorization) ApplyTo(ctx context.Context, config *genericapiserver.Co
 	globalAuth, _ := authz.NewGlobalAuthorizer(kubeInformers, globalKubeInformers)
 	globalAuth = authz.NewDecorator("05-global", globalAuth).AddAuditLogging().AddAnonymization().AddReasonAnnotation()
 
+	chain := union.New(bootstrapAuth, localAuth, globalAuth)
+
 	// everything below - skipped for Deep SAR
 
 	// enforce maximal permission policy
-	maxPermissionPolicyAuth := authz.NewMaximalPermissionPolicyAuthorizer(kubeInformers, globalKubeInformers, kcpInformers, globalKcpInformers, union.New(bootstrapAuth, localAuth, globalAuth))
-	maxPermissionPolicyAuth = authz.NewDecorator("04-maxpermissionpolicy", maxPermissionPolicyAuth).AddAuditLogging().AddAnonymization().AddReasonAnnotation()
+	chain = authz.NewMaximalPermissionPolicyAuthorizer(kubeInformers, globalKubeInformers, kcpInformers, globalKcpInformers)(chain)
+	chain = authz.NewDecorator("04-maxpermissionpolicy", chain).AddAuditLogging().AddAnonymization().AddReasonAnnotation()
 
 	// protect status updates to apiexport and apibinding
-	systemCRDAuth := authz.NewSystemCRDAuthorizer(maxPermissionPolicyAuth)
-	systemCRDAuth = authz.NewDecorator("03-systemcrd", systemCRDAuth).AddAuditLogging().AddAnonymization().AddReasonAnnotation()
+	chain = authz.NewSystemCRDAuthorizer(chain)
+	chain = authz.NewDecorator("03-systemcrd", chain).AddAuditLogging().AddAnonymization().AddReasonAnnotation()
 
 	// content auth deteremines if users have access to the workspace itself - by default, in Kube there is a set
 	// of default permissions given even to system:authenticated (like access to discovery) - this authorizer allows
 	// kcp to make workspaces entirely invisible to users that have not been given access, by making system:authenticated
 	// mean nothing unless they also have `verb=access` on `/`
-	contentAuth := authz.NewWorkspaceContentAuthorizer(kubeInformers, globalKubeInformers, localLogicalClusterLister, globalLogicalClusterLister, systemCRDAuth)
-	contentAuth = authz.NewDecorator("02-content", contentAuth).AddAuditLogging().AddAnonymization().AddReasonAnnotation()
+	chain = authz.NewWorkspaceContentAuthorizer(kubeInformers, globalKubeInformers, localLogicalClusterLister, globalLogicalClusterLister)(chain)
+	chain = authz.NewDecorator("02-content", chain).AddAuditLogging().AddAnonymization().AddReasonAnnotation()
 
 	// workspaces are annotated to list the groups required on users wishing to access the workspace -
 	// this is mostly useful when adding a core set of groups to an org workspace and having them inherited
 	// by child workspaces; this gives administrators of an org control over which users can be given access
 	// to content in sub-workspaces
-	requiredGroupsAuth := authz.NewRequiredGroupsAuthorizer(localLogicalClusterLister, globalLogicalClusterLister, contentAuth)
-	requiredGroupsAuth = authz.NewDecorator("01-requiredgroups", requiredGroupsAuth).AddAuditLogging().AddAnonymization()
+	chain = authz.NewRequiredGroupsAuthorizer(localLogicalClusterLister, globalLogicalClusterLister)(chain)
+	chain = authz.NewDecorator("01-requiredgroups", chain).AddAuditLogging().AddAnonymization()
 
-	authorizers = append(authorizers, requiredGroupsAuth)
+	authorizers = append(authorizers, chain)
 
 	config.RuleResolver = union.NewRuleResolvers(bootstrapRules, localResolver)
 	config.Authorization.Authorizer = union.New(authorizers...)

test/e2e/authorizer/serviceaccounts_test.go

@@ -253,7 +253,7 @@ func TestServiceAccounts(t *testing.T) {
 				}, metav1.CreateOptions{})
 				require.NoError(t, err, "failed to create role")
 
-				t.Log("Verifying if service account is allowed to escalate")
+				t.Log("Verifying if service account is allowed to delegate")
 				framework.Eventually(t, func() (bool, string) { // authz makes this eventually succeed
 					_, err = saKubeClusterClient.Cluster(wsPath).RbacV1().ClusterRoles().Create(ctx, &rbacv1.ClusterRole{
 						ObjectMeta: metav1.ObjectMeta{