Restructure code

rancher · Nov 10, 2020 · 0e84917 · 0e84917
1 parent e3995eb
commit 0e84917
Show file tree

Hide file tree

Showing 13 changed files with 161 additions and 174 deletions.
diff --git a/main.go b/main.go
@@ -6,7 +6,7 @@ import (
 	"context"
 	"os"
 
-	"github.com/rancher/webhook/pkg/admission"
+	"github.com/rancher/webhook/pkg/server"
 	"github.com/rancher/wrangler/pkg/kubeconfig"
 	"github.com/rancher/wrangler/pkg/ratelimit"
 	"github.com/rancher/wrangler/pkg/signals"
@@ -28,7 +28,7 @@ func run() error {
 	cfg.RateLimiter = ratelimit.None
 
 	ctx := signals.SetupSignalHandler(context.Background())
-	if err := admission.ListenAndServe(ctx, cfg); err != nil {
+	if err := server.ListenAndServe(ctx, cfg); err != nil {
 		return err
 	}
 

diff --git a/pkg/admission/validation.go b/pkg/admission/validation.go
diff --git a/pkg/auth/escalation.go b/pkg/auth/escalation.go
@@ -6,8 +6,9 @@ import (
 
 	rancherv3 "github.com/rancher/rancher/pkg/apis/management.cattle.io/v3"
 	v3 "github.com/rancher/webhook/pkg/generated/controllers/management.cattle.io/v3"
-	k8srbacv1 "github.com/rancher/webhook/pkg/generated/controllers/rbac.authorization.k8s.io/v1"
+	k8srbacv1 "github.com/rancher/wrangler/pkg/generated/controllers/rbac/v1"
 	"github.com/rancher/wrangler/pkg/webhook"
+	authenticationv1 "k8s.io/api/authentication/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apiserver/pkg/authentication/user"
@@ -30,14 +31,14 @@ type EscalationChecker struct {
 	ruleSolver    validation.AuthorizationRuleResolver
 }
 
-// confirmNoEscalation checks that the user attempting to create a binding/role has all the permissions they are attempting
+// ConfirmNoEscalation checks that the user attempting to create a binding/role has all the permissions they are attempting
 // to grant
-func (ec *EscalationChecker) confirmNoEscalation(response *webhook.Response, request *webhook.Request, rules []rbacv1.PolicyRule, namespace string) error {
+func (ec *EscalationChecker) ConfirmNoEscalation(response *webhook.Response, request *webhook.Request, rules []rbacv1.PolicyRule, namespace string) error {
 	userInfo := &user.DefaultInfo{
 		Name:   request.UserInfo.Username,
 		UID:    request.UserInfo.UID,
 		Groups: request.UserInfo.Groups,
-		Extra:  toExtraString(request.UserInfo.Extra),
+		Extra:  ToExtraString(request.UserInfo.Extra),
 	}
 
 	globaleCtx := k8srequest.WithNamespace(k8srequest.WithUser(context.Background(), userInfo), namespace)
@@ -55,8 +56,8 @@ func (ec *EscalationChecker) confirmNoEscalation(response *webhook.Response, req
 	return nil
 }
 
-// rulesFromTemplate gets all rules from the template and all referenced templates
-func (ec *EscalationChecker) rulesFromTemplate(rt *rancherv3.RoleTemplate) ([]rbacv1.PolicyRule, error) {
+// RulesFromTemplate gets all rules from the template and all referenced templates
+func (ec *EscalationChecker) RulesFromTemplate(rt *rancherv3.RoleTemplate) ([]rbacv1.PolicyRule, error) {
 	var rules []rbacv1.PolicyRule
 	var err error
 	templatesSeen := make(map[string]bool)
@@ -99,3 +100,11 @@ func (ec *EscalationChecker) gatherRules(rt *rancherv3.RoleTemplate, rules []rba
 	}
 	return rules, nil
 }
+
+func ToExtraString(extra map[string]authenticationv1.ExtraValue) map[string][]string {
+	result := make(map[string][]string)
+	for k, v := range extra {
+		result[k] = v
+	}
+	return result
+}
diff --git a/pkg/authentication/rolegetter.go → pkg/auth/rolegetter.go b/pkg/authentication/rolegetter.go → pkg/auth/rolegetter.go
@@ -1,7 +1,7 @@
-package authentication
+package auth
 
 import (
-	wranglerv1 "github.com/rancher/wrangler-api/pkg/generated/controllers/rbac/v1"
+	wranglerv1 "github.com/rancher/wrangler/pkg/generated/controllers/rbac/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	"k8s.io/apimachinery/pkg/labels"
 )

diff --git a/pkg/clients/clients.go b/pkg/clients/clients.go
@@ -0,0 +1,52 @@
+package clients
+
+import (
+	v1 "github.com/rancher/rancher/pkg/apis/catalog.cattle.io/v1"
+	"github.com/rancher/webhook/pkg/auth"
+	"github.com/rancher/webhook/pkg/generated/controllers/management.cattle.io"
+	managementv3 "github.com/rancher/webhook/pkg/generated/controllers/management.cattle.io/v3"
+	"github.com/rancher/wrangler/pkg/clients"
+	"github.com/rancher/wrangler/pkg/schemes"
+	"k8s.io/client-go/rest"
+	rbacregistryvalidation "k8s.io/kubernetes/pkg/registry/rbac/validation"
+)
+
+type Clients struct {
+	clients.Clients
+
+	Management        managementv3.Interface
+	EscalationChecker *auth.EscalationChecker
+}
+
+func New(rest *rest.Config) (*Clients, error) {
+	clients, err := clients.NewFromConfig(rest, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	if err := schemes.Register(v1.AddToScheme); err != nil {
+		return nil, err
+	}
+
+	mgmt, err := management.NewFactoryFromConfigWithOptions(rest, clients.FactoryOptions)
+	if err != nil {
+		return nil, err
+	}
+
+	rbacRestGetter := auth.RBACRestGetter{
+		Roles:               clients.RBAC.Role().Cache(),
+		RoleBindings:        clients.RBAC.RoleBinding().Cache(),
+		ClusterRoles:        clients.RBAC.ClusterRole().Cache(),
+		ClusterRoleBindings: clients.RBAC.ClusterRoleBinding().Cache(),
+	}
+
+	ruleResolver := rbacregistryvalidation.NewDefaultRuleResolver(rbacRestGetter, rbacRestGetter, rbacRestGetter, rbacRestGetter)
+	escalationChecker := auth.NewEscalationChecker(ruleResolver,
+		mgmt.Management().V3().RoleTemplate().Cache(), clients.RBAC.ClusterRole().Cache())
+
+	return &Clients{
+		Clients:           *clients,
+		Management:        mgmt.Management().V3(),
+		EscalationChecker: escalationChecker,
+	}, nil
+}
diff --git a/pkg/codegen/main.go b/pkg/codegen/main.go
@@ -6,7 +6,6 @@ import (
 	v3 "github.com/rancher/rancher/pkg/apis/management.cattle.io/v3"
 	controllergen "github.com/rancher/wrangler/pkg/controller-gen"
 	"github.com/rancher/wrangler/pkg/controller-gen/args"
-	v1 "k8s.io/api/rbac/v1"
 )
 
 func main() {
@@ -17,15 +16,11 @@ func main() {
 		Groups: map[string]args.Group{
 			"management.cattle.io": {
 				Types: []interface{}{
+					v3.Cluster{},
 					v3.GlobalRole{},
 					v3.RoleTemplate{},
 				},
 			},
-			"rbac.authorization.k8s.io": {
-				Types: []interface{}{
-					v1.ClusterRole{},
-				},
-			},
 		},
 	})
 }
diff --git a/pkg/cluster/cluster.go → pkg/resources/cluster/cluster.go b/pkg/cluster/cluster.go → pkg/resources/cluster/cluster.go
@@ -12,7 +12,7 @@ import (
 	authorizationv1 "k8s.io/client-go/kubernetes/typed/authorization/v1"
 )
 
-func NewClusterValidator(sar authorizationv1.SubjectAccessReviewInterface) webhook.Handler {
+func NewValidator(sar authorizationv1.SubjectAccessReviewInterface) webhook.Handler {
 	return &clusterValidator{
 		sar: sar,
 	}

diff --git a/pkg/auth/clusterrtb.go → .../clusterroletemplatebinding/clusterrtb.go b/pkg/auth/clusterrtb.go → .../clusterroletemplatebinding/clusterrtb.go
@@ -1,9 +1,10 @@
-package auth
+package clusterroletemplatebinding
 
 import (
 	"time"
 
 	rancherv3 "github.com/rancher/rancher/pkg/apis/management.cattle.io/v3"
+	"github.com/rancher/webhook/pkg/auth"
 	v3 "github.com/rancher/webhook/pkg/generated/controllers/management.cattle.io/v3"
 	"github.com/rancher/wrangler/pkg/webhook"
 	admissionv1 "k8s.io/api/admission/v1"
@@ -12,15 +13,15 @@ import (
 	"k8s.io/utils/trace"
 )
 
-func NewCRTBValidator(rt v3.RoleTemplateCache, escalationChecker *EscalationChecker) webhook.Handler {
+func NewValidator(rt v3.RoleTemplateCache, escalationChecker *auth.EscalationChecker) webhook.Handler {
 	return &clusterRoleTemplateBindingValidator{
 		escalationChecker: escalationChecker,
 		roleTemplates:     rt,
 	}
 }
 
 type clusterRoleTemplateBindingValidator struct {
-	escalationChecker *EscalationChecker
+	escalationChecker *auth.EscalationChecker
 	roleTemplates     v3.RoleTemplateCache
 }
 
@@ -47,12 +48,12 @@ func (c *clusterRoleTemplateBindingValidator) Admit(response *webhook.Response,
 		return err
 	}
 
-	rules, err := c.escalationChecker.rulesFromTemplate(rt)
+	rules, err := c.escalationChecker.RulesFromTemplate(rt)
 	if err != nil {
 		return err
 	}
 
-	return c.escalationChecker.confirmNoEscalation(response, request, rules, "local")
+	return c.escalationChecker.ConfirmNoEscalation(response, request, rules, "local")
 }
 
 func crtbObject(request *webhook.Request) (*rancherv3.ClusterRoleTemplateBinding, error) {

diff --git a/pkg/auth/globarolebinding.go → ...ces/globalrolebinding/globarolebinding.go b/pkg/auth/globarolebinding.go → ...ces/globalrolebinding/globarolebinding.go
@@ -1,26 +1,26 @@
-package auth
+package globalrolebinding
 
 import (
 	"time"
 
 	rancherv3 "github.com/rancher/rancher/pkg/apis/management.cattle.io/v3"
+	"github.com/rancher/webhook/pkg/auth"
 	v3 "github.com/rancher/webhook/pkg/generated/controllers/management.cattle.io/v3"
 	"github.com/rancher/wrangler/pkg/webhook"
 	admissionv1 "k8s.io/api/admission/v1"
-	authenticationv1 "k8s.io/api/authentication/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/utils/trace"
 )
 
-func NewGRBValidator(grClient v3.GlobalRoleCache, escalationChecker *EscalationChecker) webhook.Handler {
+func NewValidator(grClient v3.GlobalRoleCache, escalationChecker *auth.EscalationChecker) webhook.Handler {
 	return &globalRoleBindingValidator{
 		escalationChecker: escalationChecker,
 		globalRoles:       grClient,
 	}
 }
 
 type globalRoleBindingValidator struct {
-	escalationChecker *EscalationChecker
+	escalationChecker *auth.EscalationChecker
 	globalRoles       v3.GlobalRoleCache
 }
 
@@ -39,7 +39,7 @@ func (grbv *globalRoleBindingValidator) Admit(response *webhook.Response, reques
 		return err
 	}
 
-	return grbv.escalationChecker.confirmNoEscalation(response, request, globalRole.Rules, "")
+	return grbv.escalationChecker.ConfirmNoEscalation(response, request, globalRole.Rules, "")
 }
 
 func grbObject(request *webhook.Request) (*rancherv3.GlobalRoleBinding, error) {
@@ -52,11 +52,3 @@ func grbObject(request *webhook.Request) (*rancherv3.GlobalRoleBinding, error) {
 	}
 	return grb.(*rancherv3.GlobalRoleBinding), err
 }
-
-func toExtraString(extra map[string]authenticationv1.ExtraValue) map[string][]string {
-	result := make(map[string][]string)
-	for k, v := range extra {
-		result[k] = v
-	}
-	return result
-}
diff --git a/pkg/auth/projectrtb.go → .../projectroletemplatebinding/projectrtb.go b/pkg/auth/projectrtb.go → .../projectroletemplatebinding/projectrtb.go
@@ -1,10 +1,11 @@
-package auth
+package projectroletemplatebinding
 
 import (
 	"strings"
 	"time"
 
 	rancherv3 "github.com/rancher/rancher/pkg/apis/management.cattle.io/v3"
+	"github.com/rancher/webhook/pkg/auth"
 	v3 "github.com/rancher/webhook/pkg/generated/controllers/management.cattle.io/v3"
 	"github.com/rancher/wrangler/pkg/webhook"
 	admissionv1 "k8s.io/api/admission/v1"
@@ -13,15 +14,15 @@ import (
 	"k8s.io/utils/trace"
 )
 
-func NewPRTBValidator(rt v3.RoleTemplateCache, escalationChecker *EscalationChecker) webhook.Handler {
+func NewValidator(rt v3.RoleTemplateCache, escalationChecker *auth.EscalationChecker) webhook.Handler {
 	return &projectRoleTemplateBindingValidator{
 		escalationChecker: escalationChecker,
 		roleTemplates:     rt,
 	}
 }
 
 type projectRoleTemplateBindingValidator struct {
-	escalationChecker *EscalationChecker
+	escalationChecker *auth.EscalationChecker
 	roleTemplates     v3.RoleTemplateCache
 }
 
@@ -50,12 +51,12 @@ func (p *projectRoleTemplateBindingValidator) Admit(response *webhook.Response,
 		return err
 	}
 
-	rules, err := p.escalationChecker.rulesFromTemplate(rt)
+	rules, err := p.escalationChecker.RulesFromTemplate(rt)
 	if err != nil {
 		return err
 	}
 
-	return p.escalationChecker.confirmNoEscalation(response, request, rules, projectNS)
+	return p.escalationChecker.ConfirmNoEscalation(response, request, rules, projectNS)
 }
 
 func prtbObject(request *webhook.Request) (*rancherv3.ProjectRoleTemplateBinding, error) {