PoC for a policy.json similar to OpenStack

.gitignore

@@ -1,4 +1,3 @@
-*.json
 *.sublime-project
 *.sublime-workspace
 *.swp

examples/policy.json

@@ -0,0 +1,46 @@
+[
+  {
+    "resource": {
+      "verb": "*",
+      "resource": "*",
+      "version": "*",
+      "namespace": "*"
+    },
+    "match": {
+      "type": "role",
+      "value": "*"
+    }
+  },
+  {
+    "resource": {
+      "verb": "*",
+      "resource": "*",
+      "version": "*",
+      "namespace": "*"
+    },
+    "match": {
+      "type": "group",
+      "value": "*"
+    }
+  },
+  {
+    "nonresource": {
+      "verb": "*",
+      "path": "*"
+    },
+    "match": {
+      "type": "role",
+      "value": "*"
+    }
+  },
+  {
+    "nonresource": {
+      "verb": "*",
+      "path": "*"
+    },
+    "match": {
+      "type": "group",
+      "value": "*"
+    }
+  }
+]

main.go

@@ -38,6 +38,7 @@ var (
 	tlsPrivateKey  string
 	keystoneURL    string
 	keystoneCaFile string
+	policyFile     string
 )
 
 func main() {
@@ -46,18 +47,22 @@ func main() {
 	flag.StringVar(&tlsPrivateKey, "tls-private-key-file", "", "File containing the default x509 private key matching --tls-cert-file.")
 	flag.StringVar(&keystoneURL, "keystone-url", "http://localhost/identity/v3/", "URL for the OpenStack Keystone API")
 	flag.StringVar(&keystoneCaFile, "keystone-ca-file", "", "File containing the certificate authority for Keystone Service.")
+	flag.StringVar(&policyFile, "keystone-policy-file", "", "File containing the policy.")
 	flag.Parse()
 
 	if tlsCertFile == "" || tlsPrivateKey == "" {
 		log.Fatal("Please specify --tls-cert-file and --tls-private-key-file arguments.")
 	}
+	if policyFile == "" {
+		log.Fatal("Please specify --keystone-policy-file argument.")
+	}
 
 	authentication_handler, err := keystone.NewKeystoneAuthenticator(keystoneURL, keystoneCaFile)
 	if err != nil {
 		log.Fatal(err.Error())
 	}
 
-	authorization_handler, err := keystone.NewKeystoneAuthorizer(keystoneURL, keystoneCaFile)
+	authorization_handler, err := keystone.NewKeystoneAuthorizer(keystoneURL, keystoneCaFile, policyFile)
 	if err != nil {
 		log.Fatal(err.Error())
 	}

pkg/authenticator/token/keystone/authorizer.go

@@ -17,18 +17,148 @@ limitations under the License.
 package keystone
 
 import (
-	"fmt"
+	"log"
 	"github.com/gophercloud/gophercloud"
 
 	"k8s.io/apiserver/pkg/authorization/authorizer"
+	"encoding/json"
 )
 
 type KeystoneAuthorizer struct {
 	authURL string
 	client  *gophercloud.ServiceClient
+	pl      policyList
+}
+
+func resourceMatches(p Policy, a authorizer.Attributes) bool {
+	if p.NonResourceSpec != nil && p.ResourceSpec != nil {
+		log.Printf("Policy has both resource and nonresource sections. skipping : %#v", p)
+		return false
+	}
+
+	if p.ResourceSpec.Verb == "" {
+		log.Printf("verb is empty. skipping : %#v", p)
+		return false
+	}
+
+	if p.ResourceSpec.APIGroup == nil || p.ResourceSpec.Namespace == nil || p.ResourceSpec.Resource == nil {
+		log.Printf("version/namespace/resource should be all set. skipping : %#v", p)
+		return false
+	}
+
+	if p.ResourceSpec.Verb == "*" || p.ResourceSpec.Verb == a.GetVerb() {
+		if *p.ResourceSpec.APIGroup == "*" || *p.ResourceSpec.APIGroup == a.GetAPIGroup() {
+			if *p.ResourceSpec.Namespace == "*" || *p.ResourceSpec.Namespace == a.GetNamespace() {
+				if *p.ResourceSpec.Resource == "*" || *p.ResourceSpec.Resource == a.GetResource() {
+					allowed := match(p.Match, a)
+					if allowed {
+						output, err := json.MarshalIndent(p, "", "  ")
+						if err == nil {
+							log.Printf(">>>> matched rule : %s", string(output))
+						}
+						return true
+					}
+				}
+			}
+		}
+	}
+	return false
+}
+
+func nonResourceMatches(p Policy, a authorizer.Attributes) bool {
+	if p.NonResourceSpec.Verb == "" {
+		log.Printf("verb is empty. skipping : %#v", p)
+		return false
+	}
+
+	if p.NonResourceSpec.NonResourcePath == nil {
+		log.Printf("path should be set. skipping : %#v", p)
+		return false
+	}
+
+	if p.NonResourceSpec.Verb == "*" || p.NonResourceSpec.Verb == a.GetVerb() {
+		if *p.NonResourceSpec.NonResourcePath == "*" || *p.NonResourceSpec.NonResourcePath == a.GetPath() {
+			if *p.ResourceSpec.Resource == "*" || *p.ResourceSpec.Resource == a.GetResource() {
+				allowed := match(p.Match, a)
+				if allowed {
+					output, err := json.MarshalIndent(p, "", "  ")
+					if err == nil {
+						log.Printf(">>>> matched rule : %s", string(output))
+					}
+					return true
+				}
+			}
+		}
+	}
+	return false
+}
+
+func match(match Match, attributes authorizer.Attributes) bool {
+	user := attributes.GetUser()
+	if match.Type == "group" {
+		for _, group  := range user.GetGroups() {
+			if match.Value == "*" || group == match.Value {
+				return true
+			}
+		}
+	} else if match.Type == "user" {
+		if match.Value == "*" || user.GetName() == match.Value || user.GetUID() == match.Value {
+			return true
+		}
+	} else if match.Type == "project" {
+		if val, ok := user.GetExtra()["alpha.kubernetes.io/identity/project/id"]; ok {
+			if ok {
+				for _, item := range val {
+					if match.Value == "*" || item == match.Value {
+						return true
+					}
+				}
+
+			}
+		}
+		if val, ok := user.GetExtra()["alpha.kubernetes.io/identity/project/name"]; ok {
+			if ok {
+				for _, item := range val {
+					if match.Value == "*" || item == match.Value {
+						return true
+					}
+				}
+
+			}
+		}
+	} else if match.Type == "role" {
+		if val, ok := user.GetExtra()["alpha.kubernetes.io/identity/roles"]; ok {
+			if ok {
+				for _, item := range val {
+					if match.Value == "*" || item == match.Value {
+						return true
+					}
+				}
+
+			}
+		}
+	} else {
+		log.Printf("unknown type %s. skipping.", match.Type)
+	}
+	return false
 }
 
 func (KeystoneAuthorizer *KeystoneAuthorizer) Authorize(a authorizer.Attributes) (authorized bool, reason string, err error) {
-	fmt.Printf("Authorize Attributes : %#v\n", a)
-	return true, "", nil
+	log.Printf("Authorizing user : %#v\n", a.GetUser())
+	for _, p := range KeystoneAuthorizer.pl {
+		if p.NonResourceSpec != nil && p.ResourceSpec != nil {
+			log.Printf("Policy has both resource and nonresource sections. skipping : %#v", p)
+			continue
+		}
+		if p.ResourceSpec != nil {
+			if resourceMatches(*p, a) {
+				return true, "", nil
+			}
+		} else if p.NonResourceSpec != nil {
+			if nonResourceMatches(*p, a) {
+				return true, "", nil
+			}
+		}
+	}
+	return false, "No policy matched.", nil
 }

pkg/authenticator/token/keystone/keystone.go

@@ -19,15 +19,17 @@ package keystone
 import (
 	"crypto/tls"
 	"errors"
+	"encoding/json"
+	"fmt"
 	"net/http"
+	"log"
 	//"strings"
 
 	"github.com/golang/glog"
 	"github.com/gophercloud/gophercloud"
 	"github.com/gophercloud/gophercloud/openstack"
 	"github.com/gophercloud/gophercloud/openstack/utils"
 
-	"fmt"
 	netutil "k8s.io/apimachinery/pkg/util/net"
 	certutil "k8s.io/client-go/util/cert"
 )
@@ -111,11 +113,19 @@ func NewKeystoneAuthenticator(authURL string, caFile string) (*KeystoneAuthentic
 	return &KeystoneAuthenticator{authURL: authURL, client: client}, nil
 }
 
-func NewKeystoneAuthorizer(authURL string, caFile string) (*KeystoneAuthorizer, error) {
+func NewKeystoneAuthorizer(authURL string, caFile string, policyFile string) (*KeystoneAuthorizer, error) {
 	client, err := createKeystoneClient(authURL, caFile)
 	if err != nil {
 		return nil, err
 	}
 
-	return &KeystoneAuthorizer{authURL: authURL, client: client}, nil
+	policyList, err := NewFromFile(policyFile)
+	output, err := json.MarshalIndent(policyList, "", "  ")
+	if err == nil {
+		log.Printf(">>> Policy %s", string(output))
+	} else {
+		log.Fatalf(">>> Error %#v", err)
+	}
+
+	return &KeystoneAuthorizer{authURL: authURL, client: client, pl:policyList}, nil
 }

pkg/authenticator/token/keystone/policy.go

@@ -0,0 +1,87 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package keystone
+
+import (
+	"os"
+	"bufio"
+	"encoding/json"
+)
+
+type Policy struct {
+	ResourceSpec *ResourcePolicySpec `json:"resource,omitempty"`
+
+	NonResourceSpec *NonResourcePolicySpec `json:"nonresource,omitempty"`
+
+	// One of user:foo, project:bar, role:baz, group:qux
+	Match Match `json:"match"`
+}
+
+type Match struct {
+	Type string `json:"type"`
+
+	Value string `json:"value"`
+}
+
+type ResourcePolicySpec struct {
+	// Kubernetes resource API verb like: get, list, watch, create, update, delete, proxy.
+	// "*" matches all verbs.
+	Verb string `json:"verb"`
+
+	// Resource is the name of a resource.
+	// "*" matches all resources
+	Resource *string `json:"resource"`
+
+	// APIGroup is the name of an API group.
+	// "*" matches all API groups
+	APIGroup *string `json:"version"`
+
+	// Namespace is the name of a namespace.
+	// "*" matches all namespaces (including unnamespaced requests)
+	Namespace *string `json:"namespace"`
+}
+
+type NonResourcePolicySpec struct {
+	// Kubernetes resource API verb like: get, list, watch, create, update, delete, proxy.
+	// "*" matches all verbs.
+	Verb string `json:"verb"`
+
+	// NonResourcePath matches non-resource request paths.
+	// "*" matches all paths
+	// "/foo/*" matches all subpaths of foo
+	NonResourcePath *string `json:"path"`
+}
+
+type policyList []*Policy
+
+func NewFromFile(path string) (policyList, error) {
+	file, err := os.Open(path)
+	if err != nil {
+		return nil, err
+	}
+	defer file.Close()
+
+	var data policyList
+
+	reader := bufio.NewReader(file)
+	decoder := json.NewDecoder(reader)
+	err = decoder.Decode(&data)
+	if err != nil {
+		return nil, err
+	}
+	return data, nil
+}