Validate
billingEntityRef
on Organization object (#87)
Showing
9 changed files
with
227 additions
and
24 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,73 @@ | ||
package organization | ||
|
||
import ( | ||
"context" | ||
"fmt" | ||
|
||
"k8s.io/apiserver/pkg/authentication/user" | ||
"k8s.io/apiserver/pkg/endpoints/request" | ||
restclient "k8s.io/client-go/rest" | ||
"sigs.k8s.io/controller-runtime/pkg/client" | ||
|
||
billingv1 "github.com/appuio/control-api/apis/billing/v1" | ||
orgv1 "github.com/appuio/control-api/apis/organization/v1" | ||
) | ||
|
||
// +kubebuilder:rbac:groups="",resources=users;groups;serviceaccounts,verbs=impersonate | ||
|
||
// impersonator can build a client that impersonates a user | ||
type impersonator interface { | ||
Impersonate(u user.Info) (client.Client, error) | ||
} | ||
|
||
// impersonatorFromRestconf can build a client that impersonates a user | ||
// from a rest.Config and client.Options | ||
type impersonatorFromRestconf struct { | ||
config *restclient.Config | ||
opts client.Options | ||
} | ||
|
||
var _ impersonator = impersonatorFromRestconf{} | ||
|
||
// Impersonate returns a client that impersonates the given user | ||
func (c impersonatorFromRestconf) Impersonate(u user.Info) (client.Client, error) { | ||
conf := restclient.CopyConfig(c.config) | ||
|
||
conf.Impersonate = restclient.ImpersonationConfig{ | ||
UserName: u.GetName(), | ||
UID: u.GetUID(), | ||
Groups: u.GetGroups(), | ||
Extra: u.GetExtra(), | ||
} | ||
return client.New(conf, c.opts) | ||
} | ||
|
||
// billingEntityValidator validates that the billing entity exists and the requesting user has access to it. | ||
// it does so by impersonating the user and trying to get the billing entity. | ||
func (s *organizationStorage) billingEntityValidator(ctx context.Context, org, oldOrg *orgv1.Organization) error { | ||
// check if changed | ||
if oldOrg != nil && oldOrg.Spec.BillingEntityRef == org.Spec.BillingEntityRef { | ||
return nil | ||
} | ||
// check if we allow empty billing entities | ||
if org.Spec.BillingEntityRef == "" && s.allowEmptyBillingEntity { | ||
return nil | ||
} | ||
|
||
user, ok := request.UserFrom(ctx) | ||
if !ok { | ||
return fmt.Errorf("no user in context") | ||
} | ||
|
||
var be billingv1.BillingEntity | ||
c, err := s.impersonator.Impersonate(user) | ||
if err != nil { | ||
return fmt.Errorf("failed to impersonate user: %w", err) | ||
} | ||
|
||
if err := c.Get(ctx, client.ObjectKey{Name: org.Spec.BillingEntityRef}, &be); err != nil { | ||
return err | ||
} | ||
|
||
return nil | ||
} |
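Review bot: The RBAC marker above the `impersonator` interface grants `impersonate` only on the core `users`, `groups` and `serviceaccounts` resources, while `Impersonate` also forwards `u.GetUID()` and `u.GetExtra()`. The API server authorizes those separately against `uids` and `userextras/<key>` in `authentication.k8s.io`, so a requester whose identity carries a UID or extras would presumably be rejected with 403 unless one of the other changed files grants that. Either add the matching rule, e.g. `// +kubebuilder:rbac:groups="authentication.k8s.io",resources=uids,verbs=impersonate` plus the extra keys actually in use, or drop `UID`/`Extra` from the `ImpersonationConfig` if BillingEntity authorization does not depend on them. The unrestricted impersonate grant also lets this component's service account act as any user or group, which deserves a comment at the marker and tight control over who can read its token. Separately, when `BillingEntityRef` is empty and `allowEmptyBillingEntity` is false, `billingEntityValidator` falls through to `c.Get` with an empty name; an explicit `return fmt.Errorf("billingEntityRef is required")` before impersonating would give a clearer error.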