Check access authorization before querying

Cornelius Weig · Cornelius Weig · commit 0d9bf011708d · 2019-02-21T21:28:00.000+01:00
Note: this is quite slow. Maybe it is faster to retrieve resources individually without checking access beforehand.
diff --git a/go.mod b/go.mod
@@ -21,10 +21,10 @@ require (
 	github.com/spf13/viper v1.3.1
 	github.com/stretchr/testify v1.2.2
 	golang.org/x/net v0.0.0-20190213061140-3a22650c66bd // indirect
-	golang.org/x/oauth2 v0.0.0-20190212230446-3e8b2be13635 // indirect
+        golang.org/x/oauth2 v0.0.0-20190212230446-3e8b2be13635
 	golang.org/x/time v0.0.0-20181108054448-85acf8d2951c // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
-	k8s.io/api v0.0.0-20181121191454-a61488babbd6 // indirect
+        k8s.io/api v0.0.0-20181121191454-a61488babbd6
 	k8s.io/apimachinery v0.0.0-20190211022232-e355a776c090
 	k8s.io/cli-runtime v0.0.0-20190202014047-491c94071cfa
 	k8s.io/client-go v10.0.0+incompatible
diff --git a/pkg/client/access.go b/pkg/client/access.go
@@ -0,0 +1,154 @@
+/*
+Copyright 2019 Cornelius Weig
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package client
+
+import (
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"github.com/spf13/viper"
+	"k8s.io/api/authorization/v1"
+	authv1 "k8s.io/client-go/kubernetes/typed/authorization/v1"
+	"sync"
+)
+
+/*
+restConfig, _ := flags.ToRESTConfig()
+authClient, _ := authv1.NewForConfig(restConfig)
+allowed, err := CheckResourceAccessPar(authClient, resources)
+if err != nil {
+	return nil, errors.Wrap(err, "check resource access")
+}
+
+allowedResourceTypes := ToResourceTypes(allowed)*/
+
+func CheckResourceAccessPar(authClient *authv1.AuthorizationV1Client, grs []groupResource) (allowed []groupResource, err error) {
+	reviews := authClient.SelfSubjectAccessReviews()
+
+	allowedChan := make(chan groupResource)
+	forbiddenChan := make(chan groupResource)
+
+	group := sync.WaitGroup{}
+
+	namespace := viper.GetString("namespace")
+	for _, gr := range grs {
+		namespace := namespace
+		gr := gr
+		group.Add(1)
+		go func(allowed, forbidden chan<- groupResource) {
+			defer group.Done()
+
+			// This seems to be a bug in kubernetes. If namespace is set for non-namespaced
+			// resources, the access is reported as "allowed", but in fact it is forbidden.
+			if !gr.APIResource.Namespaced {
+				namespace = ""
+			}
+
+			review := v1.SelfSubjectAccessReview{
+				Spec: v1.SelfSubjectAccessReviewSpec{
+					ResourceAttributes: &v1.ResourceAttributes{
+						Verb:      "list",
+						Resource:  gr.APIResource.Name,
+						Group:     gr.APIGroup,
+						Namespace: namespace,
+					},
+				},
+			}
+			accessReview, e := reviews.Create(&review)
+			if e != nil {
+				err = errors.Wrap(e, "retrieve authority")
+				return
+			}
+			logrus.Info(accessReview)
+			if accessReview.Status.Allowed {
+				allowed <- gr
+			} else {
+				forbidden <- gr
+			}
+		}(allowedChan, forbiddenChan)
+	}
+
+	forbidden := []groupResource{}
+	go func(c <-chan groupResource) {
+		for gr := range c {
+			forbidden = append(forbidden, gr)
+		}
+	}(forbiddenChan)
+	go func(c <-chan groupResource) {
+		for gr := range c {
+			allowed = append(allowed, gr)
+		}
+	}(allowedChan)
+
+	group.Wait()
+
+	close(allowedChan)
+	close(forbiddenChan)
+
+	if len(forbidden) > 0 {
+		logrus.Warnf("The following resources may not be read: %s", ToResourceTypes(forbidden))
+	}
+
+	logrus.Debugf("Readable: %s", ToResourceTypes(allowed))
+
+	return
+}
+
+func CheckResourceAccess(authClient *authv1.AuthorizationV1Client, grs []groupResource) (allowed []groupResource, err error) {
+	forbidden := []groupResource{}
+	reviews := authClient.SelfSubjectAccessReviews()
+
+	namespace := viper.GetString("namespace")
+	for _, gr := range grs {
+		namespace := namespace
+		gr := gr
+		// This seems to be a bug in kubernetes. If namespace is set for non-namespaced
+		// resources, the access is reported as "allowed", but in fact it is forbidden.
+		if !gr.APIResource.Namespaced {
+			namespace = ""
+		}
+
+		review := v1.SelfSubjectAccessReview{
+			Spec: v1.SelfSubjectAccessReviewSpec{
+				ResourceAttributes: &v1.ResourceAttributes{
+					Verb:      "list",
+					Resource:  gr.APIResource.Name,
+					Group:     gr.APIGroup,
+					Namespace: namespace,
+				},
+			},
+		}
+		accessReview, e := reviews.Create(&review)
+		if e != nil {
+			err = errors.Wrap(e, "retrieve authority")
+			return
+		}
+		logrus.Info(accessReview)
+		if accessReview.Status.Allowed {
+			allowed = append(allowed, gr)
+		} else {
+			forbidden = append(forbidden, gr)
+		}
+	}
+
+	if len(forbidden) > 0 {
+		logrus.Warnf("The following resources may not be read: %s", ToResourceTypes(forbidden))
+	}
+
+	logrus.Debugf("Readable: %s", ToResourceTypes(allowed))
+
+	return
+}
diff --git a/pkg/client/client.go b/pkg/client/client.go
@@ -28,6 +28,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/cli-runtime/pkg/genericclioptions"
 	"k8s.io/cli-runtime/pkg/genericclioptions/resource"
+	authv1 "k8s.io/client-go/kubernetes/typed/authorization/v1"
 	"sort"
 	"strings"
 )
@@ -48,15 +49,26 @@ func GetAllServerResources(flags *genericclioptions.ConfigFlags) (runtime.Object
 		return nil, errors.Wrap(err, "fetch available group resources")
 	}
 
-	resNames := extractRelevantResourceNames(grs, viper.GetStringSlice(constants.FlagExclude))
+	resources := extractRelevantResourceNames(grs, viper.GetStringSlice(constants.FlagExclude))
+
+	restConfig, _ := flags.ToRESTConfig()
+	authClient, _ := authv1.NewForConfig(restConfig)
+	allowed, err := CheckResourceAccessPar(authClient, resources)
+	if err != nil {
+		return nil, errors.Wrap(err, "check resource access")
+	}
+
+	allowedResourceTypes := ToResourceTypes(allowed)
+	logrus.Debugf("Resources to fetch: %s", allowedResourceTypes)
 
 	request := resource.NewBuilder(flags).
 		Unstructured().
 		SelectAllParam(true).
-		ResourceTypes(resNames...).
+		ResourceTypes(allowedResourceTypes...).
 		Latest()
 
 	if ns := viper.GetString(constants.FlagNamespace); ns != "" {
+		logrus.Debugf("Restricting to namespace %s", ns)
 		request.NamespaceParam(ns)
 	} else {
 		request.AllNamespaces(true)
@@ -126,11 +138,11 @@ func FetchAvailableGroupResources(cache bool, scope string, flags *genericcliopt
 	return grs, nil
 }
 
-func extractRelevantResourceNames(grs []groupResource, exclusions []string) []string {
+func extractRelevantResourceNames(grs []groupResource, exclusions []string) []groupResource {
 	sort.Stable(sortableGroupResource(grs))
 	forbidden := sets.NewString(exclusions...)
 
-	result := []string{}
+	result := []groupResource{}
 	for _, r := range grs {
 		name := r.fullName()
 		resourceIds := r.APIResource.ShortNames
@@ -139,10 +151,9 @@ func extractRelevantResourceNames(grs []groupResource, exclusions []string) []st
 			logrus.Debugf("Excluding %s", name)
 			continue
 		}
-		result = append(result, name)
+		result = append(result, r)
 	}
 
-	logrus.Debugf("Resources to fetch: %s", result)
 	return result
 }
 
@@ -172,6 +183,14 @@ func (g groupResource) fullName() string {
 
 type sortableGroupResource []groupResource
 
+func ToResourceTypes(in []groupResource) []string {
+	result := []string{}
+	for _, r := range in {
+		result = append(result, r.fullName())
+	}
+	return result
+}
+
 func (s sortableGroupResource) Len() int      { return len(s) }
 func (s sortableGroupResource) Swap(i, j int) { s[i], s[j] = s[j], s[i] }
 func (s sortableGroupResource) Less(i, j int) bool {
