vendor files

vendor/k8s.io/kubernetes/pkg/auth/OWNERS

@@ -0,0 +1,6 @@
+approvers:
+- erictune
+- liggitt
+- deads2k
+reviewers:
+- enj

vendor/k8s.io/kubernetes/pkg/auth/authenticator/OWNERS

@@ -0,0 +1 @@
+reviewers:

vendor/k8s.io/kubernetes/pkg/auth/authorizer/OWNERS

@@ -0,0 +1 @@
+reviewers:

vendor/k8s.io/kubernetes/pkg/auth/authorizer/abac/BUILD

@@ -0,0 +1,61 @@
+package(default_visibility = ["//visibility:public"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_library",
+    "go_test",
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = ["abac.go"],
+    importpath = "k8s.io/kubernetes/pkg/auth/authorizer/abac",
+    deps = [
+        "//pkg/apis/abac:go_default_library",
+        "//pkg/apis/abac/latest:go_default_library",
+        "//pkg/apis/abac/v0:go_default_library",
+        "//vendor/github.com/golang/glog:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/authentication/user:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library",
+    ],
+)
+
+filegroup(
+    name = "example_policy",
+    testonly = True,
+    srcs = [
+        "example_policy_file.jsonl",
+    ],
+)
+
+go_test(
+    name = "go_default_test",
+    srcs = ["abac_test.go"],
+    data = [
+        ":example_policy",
+    ],
+    importpath = "k8s.io/kubernetes/pkg/auth/authorizer/abac",
+    library = ":go_default_library",
+    deps = [
+        "//pkg/apis/abac:go_default_library",
+        "//pkg/apis/abac/v0:go_default_library",
+        "//pkg/apis/abac/v1beta1:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/authentication/user:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library",
+    ],
+)
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [":package-srcs"],
+    tags = ["automanaged"],
+)

vendor/k8s.io/kubernetes/pkg/auth/authorizer/abac/abac.go

@@ -0,0 +1,273 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package abac
+
+// Policy authorizes Kubernetes API actions using an Attribute-based access
+// control scheme.
+
+import (
+	"bufio"
+	"fmt"
+	"os"
+	"strings"
+
+	"github.com/golang/glog"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apiserver/pkg/authentication/user"
+	"k8s.io/apiserver/pkg/authorization/authorizer"
+	"k8s.io/kubernetes/pkg/apis/abac"
+	_ "k8s.io/kubernetes/pkg/apis/abac/latest"
+	"k8s.io/kubernetes/pkg/apis/abac/v0"
+)
+
+type policyLoadError struct {
+	path string
+	line int
+	data []byte
+	err  error
+}
+
+func (p policyLoadError) Error() string {
+	if p.line >= 0 {
+		return fmt.Sprintf("error reading policy file %s, line %d: %s: %v", p.path, p.line, string(p.data), p.err)
+	}
+	return fmt.Sprintf("error reading policy file %s: %v", p.path, p.err)
+}
+
+type policyList []*abac.Policy
+
+// TODO: Have policies be created via an API call and stored in REST storage.
+func NewFromFile(path string) (policyList, error) {
+	// File format is one map per line.  This allows easy concatentation of files,
+	// comments in files, and identification of errors by line number.
+	file, err := os.Open(path)
+	if err != nil {
+		return nil, err
+	}
+	defer file.Close()
+
+	scanner := bufio.NewScanner(file)
+	pl := make(policyList, 0)
+
+	decoder := abac.Codecs.UniversalDecoder()
+
+	i := 0
+	unversionedLines := 0
+	for scanner.Scan() {
+		i++
+		p := &abac.Policy{}
+		b := scanner.Bytes()
+
+		// skip comment lines and blank lines
+		trimmed := strings.TrimSpace(string(b))
+		if len(trimmed) == 0 || strings.HasPrefix(trimmed, "#") {
+			continue
+		}
+
+		decodedObj, _, err := decoder.Decode(b, nil, nil)
+		if err != nil {
+			if !(runtime.IsMissingVersion(err) || runtime.IsMissingKind(err) || runtime.IsNotRegisteredError(err)) {
+				return nil, policyLoadError{path, i, b, err}
+			}
+			unversionedLines++
+			// Migrate unversioned policy object
+			oldPolicy := &v0.Policy{}
+			if err := runtime.DecodeInto(decoder, b, oldPolicy); err != nil {
+				return nil, policyLoadError{path, i, b, err}
+			}
+			if err := abac.Scheme.Convert(oldPolicy, p, nil); err != nil {
+				return nil, policyLoadError{path, i, b, err}
+			}
+			pl = append(pl, p)
+			continue
+		}
+
+		decodedPolicy, ok := decodedObj.(*abac.Policy)
+		if !ok {
+			return nil, policyLoadError{path, i, b, fmt.Errorf("unrecognized object: %#v", decodedObj)}
+		}
+		pl = append(pl, decodedPolicy)
+	}
+
+	if unversionedLines > 0 {
+		glog.Warningf("Policy file %s contained unversioned rules. See docs/admin/authorization.md#abac-mode for ABAC file format details.", path)
+	}
+
+	if err := scanner.Err(); err != nil {
+		return nil, policyLoadError{path, -1, nil, err}
+	}
+	return pl, nil
+}
+
+func matches(p abac.Policy, a authorizer.Attributes) bool {
+	if subjectMatches(p, a.GetUser()) {
+		if verbMatches(p, a) {
+			// Resource and non-resource requests are mutually exclusive, at most one will match a policy
+			if resourceMatches(p, a) {
+				return true
+			}
+			if nonResourceMatches(p, a) {
+				return true
+			}
+		}
+	}
+	return false
+}
+
+// subjectMatches returns true if specified user and group properties in the policy match the attributes
+func subjectMatches(p abac.Policy, user user.Info) bool {
+	matched := false
+
+	if user == nil {
+		return false
+	}
+	username := user.GetName()
+	groups := user.GetGroups()
+
+	// If the policy specified a user, ensure it matches
+	if len(p.Spec.User) > 0 {
+		if p.Spec.User == "*" {
+			matched = true
+		} else {
+			matched = p.Spec.User == username
+			if !matched {
+				return false
+			}
+		}
+	}
+
+	// If the policy specified a group, ensure it matches
+	if len(p.Spec.Group) > 0 {
+		if p.Spec.Group == "*" {
+			matched = true
+		} else {
+			matched = false
+			for _, group := range groups {
+				if p.Spec.Group == group {
+					matched = true
+				}
+			}
+			if !matched {
+				return false
+			}
+		}
+	}
+
+	return matched
+}
+
+func verbMatches(p abac.Policy, a authorizer.Attributes) bool {
+	// TODO: match on verb
+
+	// All policies allow read only requests
+	if a.IsReadOnly() {
+		return true
+	}
+
+	// Allow if policy is not readonly
+	if !p.Spec.Readonly {
+		return true
+	}
+
+	return false
+}
+
+func nonResourceMatches(p abac.Policy, a authorizer.Attributes) bool {
+	// A non-resource policy cannot match a resource request
+	if !a.IsResourceRequest() {
+		// Allow wildcard match
+		if p.Spec.NonResourcePath == "*" {
+			return true
+		}
+		// Allow exact match
+		if p.Spec.NonResourcePath == a.GetPath() {
+			return true
+		}
+		// Allow a trailing * subpath match
+		if strings.HasSuffix(p.Spec.NonResourcePath, "*") && strings.HasPrefix(a.GetPath(), strings.TrimRight(p.Spec.NonResourcePath, "*")) {
+			return true
+		}
+	}
+	return false
+}
+
+func resourceMatches(p abac.Policy, a authorizer.Attributes) bool {
+	// A resource policy cannot match a non-resource request
+	if a.IsResourceRequest() {
+		if p.Spec.Namespace == "*" || p.Spec.Namespace == a.GetNamespace() {
+			if p.Spec.Resource == "*" || p.Spec.Resource == a.GetResource() {
+				if p.Spec.APIGroup == "*" || p.Spec.APIGroup == a.GetAPIGroup() {
+					return true
+				}
+			}
+		}
+	}
+	return false
+}
+
+// Authorizer implements authorizer.Authorize
+func (pl policyList) Authorize(a authorizer.Attributes) (authorizer.Decision, string, error) {
+	for _, p := range pl {
+		if matches(*p, a) {
+			return authorizer.DecisionAllow, "", nil
+		}
+	}
+	return authorizer.DecisionNoOpinion, "No policy matched.", nil
+	// TODO: Benchmark how much time policy matching takes with a medium size
+	// policy file, compared to other steps such as encoding/decoding.
+	// Then, add Caching only if needed.
+}
+
+func (pl policyList) RulesFor(user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error) {
+	var (
+		resourceRules    []authorizer.ResourceRuleInfo
+		nonResourceRules []authorizer.NonResourceRuleInfo
+	)
+
+	for _, p := range pl {
+		if subjectMatches(*p, user) {
+			if p.Spec.Namespace == "*" || p.Spec.Namespace == namespace {
+				if len(p.Spec.Resource) > 0 {
+					r := authorizer.DefaultResourceRuleInfo{
+						Verbs:     getVerbs(p.Spec.Readonly),
+						APIGroups: []string{p.Spec.APIGroup},
+						Resources: []string{p.Spec.Resource},
+					}
+					var resourceRule authorizer.ResourceRuleInfo = &r
+					resourceRules = append(resourceRules, resourceRule)
+				}
+				if len(p.Spec.NonResourcePath) > 0 {
+					r := authorizer.DefaultNonResourceRuleInfo{
+						Verbs:           getVerbs(p.Spec.Readonly),
+						NonResourceURLs: []string{p.Spec.NonResourcePath},
+					}
+					var nonResourceRule authorizer.NonResourceRuleInfo = &r
+					nonResourceRules = append(nonResourceRules, nonResourceRule)
+				}
+			}
+		}
+	}
+	return resourceRules, nonResourceRules, false, nil
+}
+
+func getVerbs(isReadOnly bool) []string {
+	if isReadOnly {
+		return []string{"get", "list", "watch"}
+	}
+	return []string{"*"}
+}

vendor/k8s.io/kubernetes/pkg/auth/authorizer/abac/example_policy_file.jsonl

@@ -0,0 +1,11 @@
+{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"group":"system:authenticated",  "nonResourcePath": "*", "readonly": true}}
+{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"group":"system:unauthenticated", "nonResourcePath": "*", "readonly": true}}
+{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"admin",     "namespace": "*",              "resource": "*",         "apiGroup": "*"                   }}
+{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"scheduler", "namespace": "*",              "resource": "pods",                       "readonly": true }}
+{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"scheduler", "namespace": "*",              "resource": "bindings"                                     }}
+{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"kubelet",   "namespace": "*",              "resource": "pods",                       "readonly": true }}
+{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"kubelet",   "namespace": "*",              "resource": "services",                   "readonly": true }}
+{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"kubelet",   "namespace": "*",              "resource": "endpoints",                  "readonly": true }}
+{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"kubelet",   "namespace": "*",              "resource": "events"                                       }}
+{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"alice",     "namespace": "projectCaribou", "resource": "*",         "apiGroup": "*"                   }}
+{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"bob",       "namespace": "projectCaribou", "resource": "*",         "apiGroup": "*", "readonly": true }}

vendor/k8s.io/kubernetes/pkg/auth/group/OWNERS

@@ -0,0 +1 @@
+reviewers:

vendor/k8s.io/kubernetes/pkg/auth/handlers/OWNERS

@@ -0,0 +1 @@
+reviewers:

vendor/k8s.io/kubernetes/pkg/auth/nodeidentifier/BUILD

@@ -0,0 +1,38 @@
+package(default_visibility = ["//visibility:public"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_library",
+    "go_test",
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = [
+        "default.go",
+        "interfaces.go",
+    ],
+    importpath = "k8s.io/kubernetes/pkg/auth/nodeidentifier",
+    deps = ["//vendor/k8s.io/apiserver/pkg/authentication/user:go_default_library"],
+)
+
+go_test(
+    name = "go_default_test",
+    srcs = ["default_test.go"],
+    importpath = "k8s.io/kubernetes/pkg/auth/nodeidentifier",
+    library = ":go_default_library",
+    deps = ["//vendor/k8s.io/apiserver/pkg/authentication/user:go_default_library"],
+)
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [":package-srcs"],
+    tags = ["automanaged"],
+)

vendor/k8s.io/kubernetes/pkg/auth/nodeidentifier/default.go

@@ -0,0 +1,66 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package nodeidentifier
+
+import (
+	"strings"
+
+	"k8s.io/apiserver/pkg/authentication/user"
+)
+
+// NewDefaultNodeIdentifier returns a default NodeIdentifier implementation,
+// which returns isNode=true if the user groups contain the system:nodes group
+// and the user name matches the format system:node:<nodeName>, and populates
+// nodeName if isNode is true
+func NewDefaultNodeIdentifier() NodeIdentifier {
+	return defaultNodeIdentifier{}
+}
+
+// defaultNodeIdentifier implements NodeIdentifier
+type defaultNodeIdentifier struct{}
+
+// nodeUserNamePrefix is the prefix for usernames in the form `system:node:<nodeName>`
+const nodeUserNamePrefix = "system:node:"
+
+// NodeIdentity returns isNode=true if the user groups contain the system:nodes
+// group and the user name matches the format system:node:<nodeName>, and
+// populates nodeName if isNode is true
+func (defaultNodeIdentifier) NodeIdentity(u user.Info) (string, bool) {
+	// Make sure we're a node, and can parse the node name
+	if u == nil {
+		return "", false
+	}
+
+	userName := u.GetName()
+	if !strings.HasPrefix(userName, nodeUserNamePrefix) {
+		return "", false
+	}
+
+	isNode := false
+	for _, g := range u.GetGroups() {
+		if g == user.NodesGroup {
+			isNode = true
+			break
+		}
+	}
+	if !isNode {
+		return "", false
+	}
+
+	nodeName := strings.TrimPrefix(userName, nodeUserNamePrefix)
+	return nodeName, true
+}

vendor/k8s.io/kubernetes/pkg/auth/nodeidentifier/default_test.go

@@ -0,0 +1,68 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package nodeidentifier
+
+import (
+	"testing"
+
+	"k8s.io/apiserver/pkg/authentication/user"
+)
+
+func TestDefaultNodeIdentifier_NodeIdentity(t *testing.T) {
+	tests := []struct {
+		name           string
+		user           user.Info
+		expectNodeName string
+		expectIsNode   bool
+	}{
+		{
+			name:           "nil user",
+			user:           nil,
+			expectNodeName: "",
+			expectIsNode:   false,
+		},
+		{
+			name:           "node username without group",
+			user:           &user.DefaultInfo{Name: "system:node:foo"},
+			expectNodeName: "",
+			expectIsNode:   false,
+		},
+		{
+			name:           "node group without username",
+			user:           &user.DefaultInfo{Name: "foo", Groups: []string{"system:nodes"}},
+			expectNodeName: "",
+			expectIsNode:   false,
+		},
+		{
+			name:           "node group and username",
+			user:           &user.DefaultInfo{Name: "system:node:foo", Groups: []string{"system:nodes"}},
+			expectNodeName: "foo",
+			expectIsNode:   true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			nodeName, isNode := NewDefaultNodeIdentifier().NodeIdentity(tt.user)
+			if nodeName != tt.expectNodeName {
+				t.Errorf("DefaultNodeIdentifier.NodeIdentity() got = %v, want %v", nodeName, tt.expectNodeName)
+			}
+			if isNode != tt.expectIsNode {
+				t.Errorf("DefaultNodeIdentifier.NodeIdentity() got1 = %v, want %v", isNode, tt.expectIsNode)
+			}
+		})
+	}
+}

vendor/k8s.io/kubernetes/pkg/auth/nodeidentifier/interfaces.go

@@ -0,0 +1,30 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package nodeidentifier
+
+import (
+	"k8s.io/apiserver/pkg/authentication/user"
+)
+
+// NodeIdentifier determines node information from a given user
+type NodeIdentifier interface {
+	// NodeIdentity determines node information from the given user.Info.
+	// nodeName is the name of the Node API object associated with the user.Info,
+	// and may be empty if a specific node cannot be determined.
+	// isNode is true if the user.Info represents an identity issued to a node.
+	NodeIdentity(user.Info) (nodeName string, isNode bool)
+}