vendor files

vendor/k8s.io/kubernetes/pkg/kubeapiserver/authorizer/BUILD

@@ -0,0 +1,53 @@
+package(default_visibility = ["//visibility:public"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_library",
+    "go_test",
+)
+
+go_test(
+    name = "go_default_test",
+    srcs = ["config_test.go"],
+    data = [
+        "//pkg/auth/authorizer/abac:example_policy",
+    ],
+    importpath = "k8s.io/kubernetes/pkg/kubeapiserver/authorizer",
+    library = ":go_default_library",
+    deps = ["//pkg/kubeapiserver/authorizer/modes:go_default_library"],
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = ["config.go"],
+    importpath = "k8s.io/kubernetes/pkg/kubeapiserver/authorizer",
+    deps = [
+        "//pkg/auth/authorizer/abac:go_default_library",
+        "//pkg/auth/nodeidentifier:go_default_library",
+        "//pkg/client/informers/informers_generated/internalversion:go_default_library",
+        "//pkg/kubeapiserver/authorizer/modes:go_default_library",
+        "//plugin/pkg/auth/authorizer/node:go_default_library",
+        "//plugin/pkg/auth/authorizer/rbac:go_default_library",
+        "//plugin/pkg/auth/authorizer/rbac/bootstrappolicy:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/authorization/authorizerfactory:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/authorization/union:go_default_library",
+        "//vendor/k8s.io/apiserver/plugin/pkg/authorizer/webhook:go_default_library",
+    ],
+)
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [
+        ":package-srcs",
+        "//pkg/kubeapiserver/authorizer/modes:all-srcs",
+    ],
+    tags = ["automanaged"],
+)

vendor/k8s.io/kubernetes/pkg/kubeapiserver/authorizer/config.go

@@ -0,0 +1,139 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package authorizer
+
+import (
+	"errors"
+	"fmt"
+	"time"
+
+	"k8s.io/apiserver/pkg/authorization/authorizer"
+	"k8s.io/apiserver/pkg/authorization/authorizerfactory"
+	"k8s.io/apiserver/pkg/authorization/union"
+	"k8s.io/apiserver/plugin/pkg/authorizer/webhook"
+	"k8s.io/kubernetes/pkg/auth/authorizer/abac"
+	"k8s.io/kubernetes/pkg/auth/nodeidentifier"
+	informers "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion"
+	"k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
+	"k8s.io/kubernetes/plugin/pkg/auth/authorizer/node"
+	"k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac"
+	"k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac/bootstrappolicy"
+)
+
+type AuthorizationConfig struct {
+	AuthorizationModes []string
+
+	// Options for ModeABAC
+
+	// Path to an ABAC policy file.
+	PolicyFile string
+
+	// Options for ModeWebhook
+
+	// Kubeconfig file for Webhook authorization plugin.
+	WebhookConfigFile string
+	// TTL for caching of authorized responses from the webhook server.
+	WebhookCacheAuthorizedTTL time.Duration
+	// TTL for caching of unauthorized responses from the webhook server.
+	WebhookCacheUnauthorizedTTL time.Duration
+
+	InformerFactory informers.SharedInformerFactory
+}
+
+// New returns the right sort of union of multiple authorizer.Authorizer objects
+// based on the authorizationMode or an error.
+func (config AuthorizationConfig) New() (authorizer.Authorizer, authorizer.RuleResolver, error) {
+	if len(config.AuthorizationModes) == 0 {
+		return nil, nil, errors.New("At least one authorization mode should be passed")
+	}
+
+	var (
+		authorizers   []authorizer.Authorizer
+		ruleResolvers []authorizer.RuleResolver
+	)
+	authorizerMap := make(map[string]bool)
+
+	for _, authorizationMode := range config.AuthorizationModes {
+		if authorizerMap[authorizationMode] {
+			return nil, nil, fmt.Errorf("Authorization mode %s specified more than once", authorizationMode)
+		}
+		// Keep cases in sync with constant list above.
+		switch authorizationMode {
+		case modes.ModeNode:
+			graph := node.NewGraph()
+			node.AddGraphEventHandlers(
+				graph,
+				config.InformerFactory.Core().InternalVersion().Pods(),
+				config.InformerFactory.Core().InternalVersion().PersistentVolumes(),
+			)
+			nodeAuthorizer := node.NewAuthorizer(graph, nodeidentifier.NewDefaultNodeIdentifier(), bootstrappolicy.NodeRules())
+			authorizers = append(authorizers, nodeAuthorizer)
+
+		case modes.ModeAlwaysAllow:
+			alwaysAllowAuthorizer := authorizerfactory.NewAlwaysAllowAuthorizer()
+			authorizers = append(authorizers, alwaysAllowAuthorizer)
+			ruleResolvers = append(ruleResolvers, alwaysAllowAuthorizer)
+		case modes.ModeAlwaysDeny:
+			alwaysDenyAuthorizer := authorizerfactory.NewAlwaysDenyAuthorizer()
+			authorizers = append(authorizers, alwaysDenyAuthorizer)
+			ruleResolvers = append(ruleResolvers, alwaysDenyAuthorizer)
+		case modes.ModeABAC:
+			if config.PolicyFile == "" {
+				return nil, nil, errors.New("ABAC's authorization policy file not passed")
+			}
+			abacAuthorizer, err := abac.NewFromFile(config.PolicyFile)
+			if err != nil {
+				return nil, nil, err
+			}
+			authorizers = append(authorizers, abacAuthorizer)
+			ruleResolvers = append(ruleResolvers, abacAuthorizer)
+		case modes.ModeWebhook:
+			if config.WebhookConfigFile == "" {
+				return nil, nil, errors.New("Webhook's configuration file not passed")
+			}
+			webhookAuthorizer, err := webhook.New(config.WebhookConfigFile,
+				config.WebhookCacheAuthorizedTTL,
+				config.WebhookCacheUnauthorizedTTL)
+			if err != nil {
+				return nil, nil, err
+			}
+			authorizers = append(authorizers, webhookAuthorizer)
+			ruleResolvers = append(ruleResolvers, webhookAuthorizer)
+		case modes.ModeRBAC:
+			rbacAuthorizer := rbac.New(
+				&rbac.RoleGetter{Lister: config.InformerFactory.Rbac().InternalVersion().Roles().Lister()},
+				&rbac.RoleBindingLister{Lister: config.InformerFactory.Rbac().InternalVersion().RoleBindings().Lister()},
+				&rbac.ClusterRoleGetter{Lister: config.InformerFactory.Rbac().InternalVersion().ClusterRoles().Lister()},
+				&rbac.ClusterRoleBindingLister{Lister: config.InformerFactory.Rbac().InternalVersion().ClusterRoleBindings().Lister()},
+			)
+			authorizers = append(authorizers, rbacAuthorizer)
+			ruleResolvers = append(ruleResolvers, rbacAuthorizer)
+		default:
+			return nil, nil, fmt.Errorf("Unknown authorization mode %s specified", authorizationMode)
+		}
+		authorizerMap[authorizationMode] = true
+	}
+
+	if !authorizerMap[modes.ModeABAC] && config.PolicyFile != "" {
+		return nil, nil, errors.New("Cannot specify --authorization-policy-file without mode ABAC")
+	}
+	if !authorizerMap[modes.ModeWebhook] && config.WebhookConfigFile != "" {
+		return nil, nil, errors.New("Cannot specify --authorization-webhook-config-file without mode Webhook")
+	}
+
+	return union.New(authorizers...), union.NewRuleResolvers(ruleResolvers...), nil
+}

vendor/k8s.io/kubernetes/pkg/kubeapiserver/authorizer/config_test.go

@@ -0,0 +1,101 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package authorizer
+
+import (
+	"k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
+	"testing"
+)
+
+// New has multiple return possibilities. This test
+// validates that errors are returned only when proper.
+func TestNew(t *testing.T) {
+	examplePolicyFile := "../../auth/authorizer/abac/example_policy_file.jsonl"
+
+	tests := []struct {
+		config  AuthorizationConfig
+		wantErr bool
+		msg     string
+	}{
+		{
+			// Unknown modes should return errors
+			config:  AuthorizationConfig{AuthorizationModes: []string{"DoesNotExist"}},
+			wantErr: true,
+			msg:     "using a fake mode should have returned an error",
+		},
+		{
+			// ModeAlwaysAllow and ModeAlwaysDeny should return without authorizationPolicyFile
+			// but error if one is given
+			config: AuthorizationConfig{AuthorizationModes: []string{modes.ModeAlwaysAllow, modes.ModeAlwaysDeny}},
+			msg:    "returned an error for valid config",
+		},
+		{
+			// ModeABAC requires a policy file
+			config:  AuthorizationConfig{AuthorizationModes: []string{modes.ModeAlwaysAllow, modes.ModeAlwaysDeny, modes.ModeABAC}},
+			wantErr: true,
+			msg:     "specifying ABAC with no policy file should return an error",
+		},
+		{
+			// ModeABAC should not error if a valid policy path is provided
+			config: AuthorizationConfig{
+				AuthorizationModes: []string{modes.ModeAlwaysAllow, modes.ModeAlwaysDeny, modes.ModeABAC},
+				PolicyFile:         examplePolicyFile,
+			},
+			msg: "errored while using a valid policy file",
+		},
+		{
+
+			// Authorization Policy file cannot be used without ModeABAC
+			config: AuthorizationConfig{
+				AuthorizationModes: []string{modes.ModeAlwaysAllow, modes.ModeAlwaysDeny},
+				PolicyFile:         examplePolicyFile,
+			},
+			wantErr: true,
+			msg:     "should have errored when Authorization Policy File is used without ModeABAC",
+		},
+		{
+			// At least one authorizationMode is necessary
+			config:  AuthorizationConfig{PolicyFile: examplePolicyFile},
+			wantErr: true,
+			msg:     "should have errored when no authorization modes are passed",
+		},
+		{
+			// ModeWebhook requires at minimum a target.
+			config:  AuthorizationConfig{AuthorizationModes: []string{modes.ModeWebhook}},
+			wantErr: true,
+			msg:     "should have errored when config was empty with ModeWebhook",
+		},
+		{
+			// Cannot provide webhook flags without ModeWebhook
+			config: AuthorizationConfig{
+				AuthorizationModes: []string{modes.ModeAlwaysAllow},
+				WebhookConfigFile:  "authz_webhook_config.yml",
+			},
+			wantErr: true,
+			msg:     "should have errored when Webhook config file is used without ModeWebhook",
+		},
+	}
+
+	for _, tt := range tests {
+		_, _, err := tt.config.New()
+		if tt.wantErr && (err == nil) {
+			t.Errorf("New %s", tt.msg)
+		} else if !tt.wantErr && (err != nil) {
+			t.Errorf("New %s: %v", tt.msg, err)
+		}
+	}
+}

vendor/k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes/BUILD

@@ -0,0 +1,33 @@
+package(default_visibility = ["//visibility:public"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_library",
+    "go_test",
+)
+
+go_test(
+    name = "go_default_test",
+    srcs = ["modes_test.go"],
+    importpath = "k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes",
+    library = ":go_default_library",
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = ["modes.go"],
+    importpath = "k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes",
+)
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [":package-srcs"],
+    tags = ["automanaged"],
+)

vendor/k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes/modes.go

@@ -0,0 +1,38 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package modes
+
+const (
+	ModeAlwaysAllow string = "AlwaysAllow"
+	ModeAlwaysDeny  string = "AlwaysDeny"
+	ModeABAC        string = "ABAC"
+	ModeWebhook     string = "Webhook"
+	ModeRBAC        string = "RBAC"
+	ModeNode        string = "Node"
+)
+
+var AuthorizationModeChoices = []string{ModeAlwaysAllow, ModeAlwaysDeny, ModeABAC, ModeWebhook, ModeRBAC, ModeNode}
+
+// IsValidAuthorizationMode returns true if the given authorization mode is a valid one for the apiserver
+func IsValidAuthorizationMode(authzMode string) bool {
+	for _, validMode := range AuthorizationModeChoices {
+		if authzMode == validMode {
+			return true
+		}
+	}
+	return false
+}

vendor/k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes/modes_test.go

@@ -0,0 +1,45 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package modes
+
+import "testing"
+
+func TestIsValidAuthorizationMode(t *testing.T) {
+	var tests = []struct {
+		authzMode string
+		expected  bool
+	}{
+		{"", false},
+		{"rBAC", false},        // not supported
+		{"falsy value", false}, // not supported
+		{"RBAC", true},         // supported
+		{"ABAC", true},         // supported
+		{"Webhook", true},      // supported
+		{"AlwaysAllow", true},  // supported
+		{"AlwaysDeny", true},   // supported
+	}
+	for _, rt := range tests {
+		actual := IsValidAuthorizationMode(rt.authzMode)
+		if actual != rt.expected {
+			t.Errorf(
+				"failed ValidAuthorizationMode:\n\texpected: %t\n\t  actual: %t",
+				rt.expected,
+				actual,
+			)
+		}
+	}
+}