// Copyright (c) 2020-2021 Tigera, Inc. All rights reserved.

package v3

// The contents of this file create the model for performing authorization determination based on authorization header
// exchanges with the tigera-apiserver. No storage is required for achieving this and no libcalico client code will be
// created for the purpose of doing so.
// The tigera-apiserver will expose a create method just like k8s has for the TokenReviews api. A call to this endpoint
// will only reach the api-server if a valid authorization header is added to the request, otherwise the k8s api-server
// will respond directly with a 40x. If the request header is valid, the tigera-apiserver obtains the user information
// automatically from the k8s-apiserver and then performs an RBAC calculation based on the request data in the Spec.
// Since the response is based on the authorization header, the generated client may not be very suitable for
// interacting with this api, depending on whether the client is handling requests for multiple users or not.
// Note that the Spec carries no user identity of its own: the subject of the RBAC calculation is always the identity
// presented in the Authorization header of the request that creates the review, so a component acting for several
// users has to issue each review with that user's own header rather than its own.

import (
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

// Kind names placed in TypeMeta for the AuthorizationReview API objects.
const (
	KindAuthorizationReview     = "AuthorizationReview"
	KindAuthorizationReviewList = "AuthorizationReviewList"
)

// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// AuthorizationReviewList is a list of AuthorizationReview objects.
type AuthorizationReviewList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`

	Items []AuthorizationReview `json:"items"`
}

// +genclient
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// AuthorizationReview asks the tigera-apiserver which of the resource actions named in Spec the caller is authorized
// to perform. The subject of the check is the identity carried in the Authorization header of the request that
// creates the review (see the file header); Spec has no user field of its own. Status carries the result of the
// server's RBAC calculation.
type AuthorizationReview struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   AuthorizationReviewSpec   `json:"spec,omitempty"`
	Status AuthorizationReviewStatus `json:"status,omitempty"`
}

// AuthorizationReviewSpec describes the resource actions to be checked.
type AuthorizationReviewSpec struct {
	// The set of resource attributes that are being checked. Each resource attribute is expanded into individual
	// kind/resource and verbs.
	// NOTE(review): the validate tag has no `dive`, so the element-level validate tags on
	// AuthorizationReviewResourceAttributes are not applied per entry. Presumably harmless today since those tags are
	// all omitempty; revisit if stricter element validation is ever added.
	ResourceAttributes []AuthorizationReviewResourceAttributes `json:"resourceAttributes,omitempty" validate:"omitempty"`
}

// AuthorizationReviewResourceAttributes names one API Group together with the resources and verbs to check in it.
// The check is expanded to every (resource, verb) pair.
type AuthorizationReviewResourceAttributes struct {
	// The API Group to check.
	APIGroup string `json:"apiGroup,omitempty" validate:"omitempty"`
	// The set of resources to check within the same API Group.
	Resources []string `json:"resources,omitempty" validate:"omitempty"`
	// The set of verbs to check. This is expanded for each resource and within the same API Group.
	Verbs []string `json:"verbs,omitempty" validate:"omitempty"`
}

// AuthorizationReviewStatus is the server-side result of the review: the subset of the requested actions that the
// caller is authorized to perform, grouped by API Group and resource.
type AuthorizationReviewStatus struct {
	// The set of authorized resource actions. A given API Group and resource combination will appear at most once in
	// this slice.
	AuthorizedResourceVerbs []AuthorizedResourceVerbs `json:"authorizedResourceVerbs,omitempty" validate:"omitempty"`
}

// AuthorizedResourceVerbs lists, for one API Group and resource, the verbs the caller is authorized for and the
// resource instances each verb applies to.
type AuthorizedResourceVerbs struct {
	// The API group.
	APIGroup string `json:"apiGroup,omitempty" validate:"omitempty"`
	// The resource.
	Resource string `json:"resource,omitempty" validate:"omitempty"`
	// The set of authorized actions for this resource. For a specific verb, this contains the set of resources for
	// which the user is authorized to perform that action. This is calculated to avoid duplication such that a single
	// resource instance can only be associated with a single entry in this slice. This allows a consumer of this API
	// to issue a minimal set of queries (e.g. watches) that cover, uniquely, the authorized set of resources.
	Verbs []AuthorizedResourceVerb `json:"verbs,omitempty" validate:"omitempty,dive"`
}

// AuthorizedResourceVerb pairs a single verb with the groups of resource instances it is authorized on.
type AuthorizedResourceVerb struct {
	// The verb.
	Verb string `json:"verb"`
	// The group of resource instances that are authorized for this verb.
	ResourceGroups []AuthorizedResourceGroup `json:"resourceGroups"`
}

// AuthorizedResourceGroup identifies a group of resource instances by the scoping attributes that apply to the
// resource kind (tier, namespace, UISettingsGroup, ManagedCluster). An empty attribute means the authorization is not
// restricted by that attribute; see the per-field comments for which attributes apply to which kinds.
type AuthorizedResourceGroup struct {
	// The tier. This is only valid for tiered policies, and tiers.
	Tier string `json:"tier,omitempty" validate:"omitempty"`

	// The namespace. If this is empty then the user is authorized cluster-wide (i.e. across all namespaces). This will
	// always be empty for cluster-scoped resources when the user is authorized.
	// The JSON tag deliberately has no omitempty, so an empty (cluster-wide) namespace is serialized explicitly.
	Namespace string `json:"namespace" validate:"omitempty"`

	// The UISettingsGroup name. This is only valid for uisettingsgroup/data sub resources.
	UISettingsGroup string `json:"uiSettingsGroup" validate:"omitempty"`

	// ManagedCluster is the name of the ManagedCluster. This is only valid for managedclusters.
	ManagedCluster string `json:"managedCluster" validate:"omitempty"`
}

// NewAuthorizationReview creates a new (zeroed) AuthorizationReview struct with the TypeMeta
// initialized to the current version. Spec and Status are left empty for the caller to fill in.
func NewAuthorizationReview() *AuthorizationReview {
	return &AuthorizationReview{
		TypeMeta: metav1.TypeMeta{
			Kind:       KindAuthorizationReview,
			APIVersion: GroupVersionCurrent,
		},
	}
}