Revert "fix: getAllowedResources for all namespaces using SelfSubject…
…RulesReview (#6614)"

This reverts commit 6d7090f

Signed-off-by: Iku-turso <[email protected]>
Iku-turso committed Nov 25, 2022
1 parent 4a13f51 commit 8e98767
Showing 12 changed files with 110 additions and 320 deletions.
10 changes: 8 additions & 2 deletions integration/__tests__/cluster-pages.tests.ts
@@ -390,6 +390,12 @@ const scenarios = [
sidebarItemTestId: "sidebar-item-link-for-service-accounts",
},

{
expectedSelector: "h5.title",
parentSidebarItemTestId: "sidebar-item-link-for-user-management",
sidebarItemTestId: "sidebar-item-link-for-roles",
},

{
expectedSelector: "h5.title",
parentSidebarItemTestId: "sidebar-item-link-for-user-management",
@@ -399,7 +405,7 @@ const scenarios = [
{
expectedSelector: "h5.title",
parentSidebarItemTestId: "sidebar-item-link-for-user-management",
sidebarItemTestId: "sidebar-item-link-for-roles",
sidebarItemTestId: "sidebar-item-link-for-role-bindings",
},

{
@@ -411,7 +417,7 @@ const scenarios = [
{
expectedSelector: "h5.title",
parentSidebarItemTestId: "sidebar-item-link-for-user-management",
sidebarItemTestId: "sidebar-item-link-for-role-bindings",
sidebarItemTestId: "sidebar-item-link-for-pod-security-policies",
},

{
7 changes: 7 additions & 0 deletions src/common/cluster-types.ts
@@ -195,6 +195,13 @@ export enum ClusterMetricsResourceType {
*/
export const initialNodeShellImage = "docker.io/alpine:3.13";

/**
* The arguments for requesting to refresh a cluster's metadata
*/
export interface ClusterRefreshOptions {
refreshMetadata?: boolean;
}

/**
* The data representing a cluster's state, for passing between main and renderer
*/
87 changes: 0 additions & 87 deletions src/common/cluster/authorization-namespace-review.injectable.ts

This file was deleted.

65 changes: 26 additions & 39 deletions src/common/cluster/authorization-review.injectable.ts
@@ -5,55 +5,42 @@

import type { KubeConfig, V1ResourceAttributes } from "@kubernetes/client-node";
import { AuthorizationV1Api } from "@kubernetes/client-node";
import logger from "../logger";
import { getInjectable } from "@ogre-tools/injectable";
import type { Logger } from "../logger";
import loggerInjectable from "../logger.injectable";

/**
* Requests the permissions for actions on the kube cluster
* @param resourceAttributes The descriptor of the action that is desired to be known if it is allowed
* @returns `true` if the actions described are allowed
*/
export type CanI = (resourceAttributes: V1ResourceAttributes) => Promise<boolean>;

/**
* @param proxyConfig This config's `currentContext` field must be set, and will be used as the target cluster
*/
export type AuthorizationReview = (proxyConfig: KubeConfig) => CanI;

interface Dependencies {
logger: Logger;
}

const authorizationReview = ({ logger }: Dependencies): AuthorizationReview => {
return (proxyConfig) => {
const api = proxyConfig.makeApiClient(AuthorizationV1Api);

return async (resourceAttributes: V1ResourceAttributes): Promise<boolean> => {
try {
const { body } = await api.createSelfSubjectAccessReview({
apiVersion: "authorization.k8s.io/v1",
kind: "SelfSubjectAccessReview",
spec: { resourceAttributes },
});

return body.status?.allowed ?? false;
} catch (error) {
logger.error(`[AUTHORIZATION-REVIEW]: failed to create access review: ${error}`, { resourceAttributes });

return false;
}
};
*/
export function authorizationReview(proxyConfig: KubeConfig): CanI {
const api = proxyConfig.makeApiClient(AuthorizationV1Api);

/**
* Requests the permissions for actions on the kube cluster
* @param resourceAttributes The descriptor of the action that is desired to be known if it is allowed
* @returns `true` if the actions described are allowed
*/
return async (resourceAttributes: V1ResourceAttributes): Promise<boolean> => {
try {
const { body } = await api.createSelfSubjectAccessReview({
apiVersion: "authorization.k8s.io/v1",
kind: "SelfSubjectAccessReview",
spec: { resourceAttributes },
});

return body.status?.allowed ?? false;
} catch (error) {
logger.error(`[AUTHORIZATION-REVIEW]: failed to create access review: ${error}`, { resourceAttributes });

return false;
}
};
};
}

const authorizationReviewInjectable = getInjectable({
id: "authorization-review",
instantiate: (di) => {
const logger = di.inject(loggerInjectable);

return authorizationReview({ logger });
},
instantiate: () => authorizationReview,
});

export default authorizationReviewInjectable;
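Review bot: The closure returned by `authorizationReview` collapses every outcome except an explicit allow into `false`: a thrown request error, a missing `status`, and a genuine denial all look the same to callers, and `status.evaluationError` is never read. Failing closed is the right default and should stay, but an authorizer that could not finish evaluating should at least be visible in the log; before `return body.status?.allowed ?? false;` add `if (body.status?.evaluationError) logger.error(`[AUTHORIZATION-REVIEW]: evaluation error: ${body.status.evaluationError}`, { resourceAttributes });`. The callers are not visible on this page, so this is inferred: if the result decides what the UI shows, the doc comment on `authorizationReview` should say that `false` can also mean "could not be determined" and that the value is an advisory hint, with the API server remaining the enforcement point.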