Support proxy object in k8s access expression

LEDfan · LEDfan · commit 9d18b47e065c · 2024-05-02T16:24:45.000+02:00
diff --git a/src/main/java/eu/openanalytics/containerproxy/backend/kubernetes/KubernetesBackend.java b/src/main/java/eu/openanalytics/containerproxy/backend/kubernetes/KubernetesBackend.java
@@ -331,7 +331,7 @@ public Proxy startContainer(Authentication user, Container initialContainer, Con
             rContainerBuilder.addRuntimeValue(new RuntimeValue(BackendContainerNameKey.inst, effectiveKubeNamespace + "/" + patchedPod.getMetadata().getName()), false);
 
             // create additional manifests -> use the effective (i.e. patched) namespace if no namespace is provided
-            createAdditionalManifests(user, proxySpec, proxy, specExtension, effectiveKubeNamespace);
+            createAdditionalManifests(user, proxySpec, proxy, specExtension, effectiveKubeNamespace, initialContainer);
 
             // tell the status service we are starting the pod/container
             proxyStartupLogBuilder.startingContainer(initialContainer.getIndex());
@@ -513,12 +513,12 @@ private JsonPatch readPatchFromSpec(String patchAsString) throws JsonProcessingE
      *
      * The resource will only be created if it does not already exist.
      */
-    private void createAdditionalManifests(Authentication auth, ProxySpec proxySpec, Proxy proxy, KubernetesSpecExtension specExtension, String namespace) throws JsonProcessingException {
+    private void createAdditionalManifests(Authentication auth, ProxySpec proxySpec, Proxy proxy, KubernetesSpecExtension specExtension, String namespace, Container container) throws JsonProcessingException {
         for (GenericKubernetesResource fullObject : parseAdditionalManifests(proxy, namespace, specExtension.getKubernetesAdditionalManifests(), false)) {
             applyAdditionalManifest(proxy, fullObject);
         }
         for (AuthorizedAdditionalManifests authorizedAdditionalManifests : specExtension.kubernetesAuthorizedAdditionalManifests) {
-            if (accessControlEvaluationService.checkAccess(auth, proxySpec, authorizedAdditionalManifests.accessControl)) {
+            if (accessControlEvaluationService.checkAccess(auth, proxySpec, authorizedAdditionalManifests.accessControl, proxy, container)) {
                 for (GenericKubernetesResource fullObject : parseAdditionalManifests(proxy, namespace, authorizedAdditionalManifests.manifests, false)) {
                     applyAdditionalManifest(proxy, fullObject);
                 }
@@ -528,7 +528,7 @@ private void createAdditionalManifests(Authentication auth, ProxySpec proxySpec,
             applyAdditionalManifest(proxy, fullObject);
         }
         for (AuthorizedAdditionalManifests authorizedAdditionalManifests : specExtension.kubernetesAuthorizedAdditionalPersistentManifests) {
-            if (accessControlEvaluationService.checkAccess(auth, proxySpec, authorizedAdditionalManifests.accessControl)) {
+            if (accessControlEvaluationService.checkAccess(auth, proxySpec, authorizedAdditionalManifests.accessControl, proxy, container)) {
                 for (GenericKubernetesResource fullObject : parseAdditionalManifests(proxy, namespace, authorizedAdditionalManifests.manifests, true)) {
                     applyAdditionalManifest(proxy, fullObject);
                 }
diff --git a/src/main/java/eu/openanalytics/containerproxy/service/AccessControlEvaluationService.java b/src/main/java/eu/openanalytics/containerproxy/service/AccessControlEvaluationService.java
@@ -25,6 +25,7 @@
 import eu.openanalytics.containerproxy.model.spec.ProxySpec;
 import eu.openanalytics.containerproxy.spec.expression.SpecExpressionContext;
 import eu.openanalytics.containerproxy.spec.expression.SpecExpressionResolver;
+import org.apache.commons.lang3.ArrayUtils;
 import org.springframework.context.annotation.Lazy;
 import org.springframework.security.authentication.AnonymousAuthenticationToken;
 import org.springframework.security.core.Authentication;
@@ -44,7 +45,7 @@ public AccessControlEvaluationService(@Lazy IAuthenticationBackend authBackend,
         this.specExpressionResolver = specExpressionResolver;
     }
 
-    public boolean checkAccess(Authentication auth, ProxySpec spec, AccessControl accessControl) {
+    public boolean checkAccess(Authentication auth, ProxySpec spec, AccessControl accessControl, Object... objects) {
         if (auth instanceof AnonymousAuthenticationToken) {
             // if anonymous -> only allow access if the backend has no authorization enabled
             return !authBackend.hasAuthorization();
@@ -62,7 +63,7 @@ public boolean checkAccess(Authentication auth, ProxySpec spec, AccessControl ac
             return true;
         }
 
-        return allowedByExpression(auth, spec, accessControl);
+        return allowedByExpression(auth, spec, accessControl, objects);
     }
 
     public boolean hasAccessControl(AccessControl accessControl) {
@@ -101,12 +102,13 @@ public boolean allowedByUsers(Authentication auth, AccessControl accessControl)
         return false;
     }
 
-    public boolean allowedByExpression(Authentication auth, ProxySpec spec, AccessControl accessControl) {
+    public boolean allowedByExpression(Authentication auth, ProxySpec spec, AccessControl accessControl, Object... objects) {
         if (!accessControl.hasExpressionAccess()) {
             // no expression defined -> this user has no access based on the expression
             return false;
         }
-        SpecExpressionContext context = SpecExpressionContext.create(auth, auth.getPrincipal(), auth.getCredentials(), spec);
+        Object[] args = ArrayUtils.addAll(new Object[]{auth, auth.getPrincipal(), auth.getCredentials(), spec}, objects);
+        SpecExpressionContext context = SpecExpressionContext.create(args);
         return specExpressionResolver.evaluateToBoolean(accessControl.getExpression(), context);
     }
 

Original file line number	Diff line number	Diff line change
`@@ -331,7 +331,7 @@ public Proxy startContainer(Authentication user, Container initialContainer, Con`
`331`	`331`	`rContainerBuilder.addRuntimeValue(new RuntimeValue(BackendContainerNameKey.inst, effectiveKubeNamespace + "/" + patchedPod.getMetadata().getName()), false);`
`332`	`332`
`333`	`333`	`// create additional manifests -> use the effective (i.e. patched) namespace if no namespace is provided`
`334`		`- createAdditionalManifests(user, proxySpec, proxy, specExtension, effectiveKubeNamespace);`
	`334`	`+ createAdditionalManifests(user, proxySpec, proxy, specExtension, effectiveKubeNamespace, initialContainer);`
`335`	`335`
`336`	`336`	`// tell the status service we are starting the pod/container`
`337`	`337`	`proxyStartupLogBuilder.startingContainer(initialContainer.getIndex());`
`@@ -513,12 +513,12 @@ private JsonPatch readPatchFromSpec(String patchAsString) throws JsonProcessingE`
`513`	`513`	`*`
`514`	`514`	`* The resource will only be created if it does not already exist.`
`515`	`515`	`*/`
`516`		`- private void createAdditionalManifests(Authentication auth, ProxySpec proxySpec, Proxy proxy, KubernetesSpecExtension specExtension, String namespace) throws JsonProcessingException {`
	`516`	`+ private void createAdditionalManifests(Authentication auth, ProxySpec proxySpec, Proxy proxy, KubernetesSpecExtension specExtension, String namespace, Container container) throws JsonProcessingException {`
`517`	`517`	`for (GenericKubernetesResource fullObject : parseAdditionalManifests(proxy, namespace, specExtension.getKubernetesAdditionalManifests(), false)) {`
`518`	`518`	`applyAdditionalManifest(proxy, fullObject);`
`519`	`519`	`}`
`520`	`520`	`for (AuthorizedAdditionalManifests authorizedAdditionalManifests : specExtension.kubernetesAuthorizedAdditionalManifests) {`
`521`		`- if (accessControlEvaluationService.checkAccess(auth, proxySpec, authorizedAdditionalManifests.accessControl)) {`
	`521`	`+ if (accessControlEvaluationService.checkAccess(auth, proxySpec, authorizedAdditionalManifests.accessControl, proxy, container)) {`
`522`	`522`	`for (GenericKubernetesResource fullObject : parseAdditionalManifests(proxy, namespace, authorizedAdditionalManifests.manifests, false)) {`
`523`	`523`	`applyAdditionalManifest(proxy, fullObject);`
`524`	`524`	`}`
`@@ -528,7 +528,7 @@ private void createAdditionalManifests(Authentication auth, ProxySpec proxySpec,`
`528`	`528`	`applyAdditionalManifest(proxy, fullObject);`
`529`	`529`	`}`
`530`	`530`	`for (AuthorizedAdditionalManifests authorizedAdditionalManifests : specExtension.kubernetesAuthorizedAdditionalPersistentManifests) {`
`531`		`- if (accessControlEvaluationService.checkAccess(auth, proxySpec, authorizedAdditionalManifests.accessControl)) {`
	`531`	`+ if (accessControlEvaluationService.checkAccess(auth, proxySpec, authorizedAdditionalManifests.accessControl, proxy, container)) {`
`532`	`532`	`for (GenericKubernetesResource fullObject : parseAdditionalManifests(proxy, namespace, authorizedAdditionalManifests.manifests, true)) {`
`533`	`533`	`applyAdditionalManifest(proxy, fullObject);`
`534`	`534`	`}`
Original file line number	Diff line number	Diff line change
`@@ -25,6 +25,7 @@`
`25`	`25`	`import eu.openanalytics.containerproxy.model.spec.ProxySpec;`
`26`	`26`	`import eu.openanalytics.containerproxy.spec.expression.SpecExpressionContext;`
`27`	`27`	`import eu.openanalytics.containerproxy.spec.expression.SpecExpressionResolver;`
	`28`	`+import org.apache.commons.lang3.ArrayUtils;`
`28`	`29`	`import org.springframework.context.annotation.Lazy;`
`29`	`30`	`import org.springframework.security.authentication.AnonymousAuthenticationToken;`
`30`	`31`	`import org.springframework.security.core.Authentication;`
`@@ -44,7 +45,7 @@ public AccessControlEvaluationService(@Lazy IAuthenticationBackend authBackend,`
`44`	`45`	`this.specExpressionResolver = specExpressionResolver;`
`45`	`46`	`}`
`46`	`47`
`47`		`- public boolean checkAccess(Authentication auth, ProxySpec spec, AccessControl accessControl) {`
	`48`	`+ public boolean checkAccess(Authentication auth, ProxySpec spec, AccessControl accessControl, Object... objects) {`
`48`	`49`	`if (auth instanceof AnonymousAuthenticationToken) {`
`49`	`50`	`// if anonymous -> only allow access if the backend has no authorization enabled`
`50`	`51`	`return !authBackend.hasAuthorization();`
`@@ -62,7 +63,7 @@ public boolean checkAccess(Authentication auth, ProxySpec spec, AccessControl ac`
`62`	`63`	`return true;`
`63`	`64`	`}`
`64`	`65`
`65`		`- return allowedByExpression(auth, spec, accessControl);`
	`66`	`+ return allowedByExpression(auth, spec, accessControl, objects);`
`66`	`67`	`}`
`67`	`68`
`68`	`69`	`public boolean hasAccessControl(AccessControl accessControl) {`
`@@ -101,12 +102,13 @@ public boolean allowedByUsers(Authentication auth, AccessControl accessControl)`
`101`	`102`	`return false;`
`102`	`103`	`}`
`103`	`104`
`104`		`- public boolean allowedByExpression(Authentication auth, ProxySpec spec, AccessControl accessControl) {`
	`105`	`+ public boolean allowedByExpression(Authentication auth, ProxySpec spec, AccessControl accessControl, Object... objects) {`
`105`	`106`	`if (!accessControl.hasExpressionAccess()) {`
`106`	`107`	`// no expression defined -> this user has no access based on the expression`
`107`	`108`	`return false;`
`108`	`109`	`}`
`109`		`- SpecExpressionContext context = SpecExpressionContext.create(auth, auth.getPrincipal(), auth.getCredentials(), spec);`
	`110`	`+ Object[] args = ArrayUtils.addAll(new Object[]{auth, auth.getPrincipal(), auth.getCredentials(), spec}, objects);`
	`111`	`+ SpecExpressionContext context = SpecExpressionContext.create(args);`
`110`	`112`	`return specExpressionResolver.evaluateToBoolean(accessControl.getExpression(), context);`
`111`	`113`	`}`
`112`	`114`