YAML Editor enhancements

LICENSE.md

@@ -329,6 +329,10 @@ Copyright (c) Isaac Z. Schlueter and Contributors\
 Copyright (c) 2014-2017 Automattic <dev@cloudup.com>\
 [MIT License](https://github.com/socketio/socket.io/blob/master/LICENSE)
 
+- [swagger-parser](https://github.com/APIDevTools/swagger-parser)\
+Copyright (c) 2015 James Messinger\
+[MIT License](https://github.com/APIDevTools/swagger-parser/blob/master/LICENSE)
+
 - [uuid](https://github.com/kelektiv/node-uuid)\
 Copyright (c) 2010-2016 Robert Kieffer and other contributors\
 [MIT License](https://github.com/kelektiv/node-uuid/blob/master/LICENSE.md)

backend/.nycrc

@@ -4,7 +4,7 @@
   "lines": 87,
   "statements": 87,
   "functions": 91,
-  "branches": 66,
+  "branches": 65,
   "include": [
     "lib/**/*.js"
   ],

backend/lib/kubernetes-client/nonResourceEndpoints/OpenAPI.js

@@ -0,0 +1,32 @@
+//
+// Copyright (c) 2019 by SAP SE or an SAP affiliate company. All rights reserved. This file is licensed under the Apache Software License, v. 2 except as noted otherwise in the LICENSE file
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+'use strict'
+
+const HttpClient = require('../HttpClient')
+const { http } = require('../symbols')
+
+class OpenAPI extends HttpClient {
+  constructor (options = {}) {
+    super({ ...options, responseType: 'json' })
+  }
+
+  get () {
+    return this[http.request]('openapi/v2', { method: 'get' })
+  }
+}
+
+module.exports = OpenAPI

backend/lib/kubernetes-client/nonResourceEndpoints/index.js

@@ -17,10 +17,12 @@
 'use strict'
 
 const Healthz = require('./Healthz')
+const OpenAPI = require('./OpenAPI')
 
 function load (options) {
   return {
-    healthz: new Healthz(options)
+    healthz: new Healthz(options),
+    openapi: new OpenAPI(options)
   }
 }
 

backend/lib/openapi/index.js

@@ -0,0 +1,63 @@
+//
+// Copyright (c) 2019 by SAP SE or an SAP affiliate company. All rights reserved. This file is licensed under the Apache Software License, v. 2 except as noted otherwise in the LICENSE file
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+'use strict'
+
+const { canGetOpenAPI } = require('../services/authorization')
+const { Forbidden } = require('../errors')
+const SwaggerParser = require('swagger-parser')
+const express = require('express')
+const { dashboardClient } = require('../kubernetes-client')
+const _ = require('lodash')
+
+const router = module.exports = express.Router()
+
+router.route('/')
+  .get(async (req, res, next) => {
+    try {
+      const user = req.user
+      const schemaDefinitions = await getSchemaDefinitions(user)
+      res.send(schemaDefinitions)
+    } catch (err) {
+      next(err)
+    }
+  })
+
+const schemaDefinitions = {} // Cache, TODO: Need to update cache when apiserver gets updated
+
+async function getSchemaDefinitions (user) {
+  const hasAuthorization = await canGetOpenAPI(user)
+  if (!hasAuthorization) {
+    throw new Forbidden('User is not allowed to read OpenAPI schemas definitions')
+  }
+
+  if (_.isEmpty(schemaDefinitions)) {
+    // Do not use client of user as the result gets cached and returned to other users
+    const swaggerApi = await dashboardClient.openapi.get()
+    const dereferencedSwaggerApi = await SwaggerParser.dereference(swaggerApi)
+
+    const selectedSchemaDefinitions = _
+      .chain(dereferencedSwaggerApi)
+      .get('definitions')
+      .pick([
+        'com.github.gardener.gardener.pkg.apis.core.v1beta1.Shoot'
+      ])
+      .value()
+    _.assign(schemaDefinitions, selectedSchemaDefinitions)
+  }
+
+  return schemaDefinitions
+}

backend/lib/routes/index.js

@@ -21,6 +21,7 @@ const config = require('../config')
 
 module.exports = {
   '/info': require('./info'),
+  '/openapi': require('../openapi'),
   '/user': require('./user'),
   '/cloudprofiles': require('./cloudprofiles'),
   '/shoots': require('./shoots'),

backend/lib/services/authorization.js

@@ -18,7 +18,7 @@
 
 const { Resources } = require('../kubernetes-client')
 
-async function hasAuthorization (user, resourceAttributes) {
+async function hasAuthorization (user, { resourceAttributes, nonResourceAttributes }) {
   if (!user) {
     return false
   }
@@ -28,7 +28,8 @@ async function hasAuthorization (user, resourceAttributes) {
     kind,
     apiVersion,
     spec: {
-      resourceAttributes
+      resourceAttributes,
+      nonResourceAttributes
     }
   }
   const {
@@ -38,14 +39,24 @@ async function hasAuthorization (user, resourceAttributes) {
   } = await client['authorization.k8s.io'].selfsubjectaccessreviews.create(body)
   return allowed
 }
-exports.hasAuthorization = hasAuthorization
 
 exports.isAdmin = function (user) {
   // if someone is allowed to get secrets in all namespaces he is considered to be an administrator
   return hasAuthorization(user, {
-    verb: 'get',
-    group: '',
-    resource: 'secrets'
+    resourceAttributes: {
+      verb: 'get',
+      group: '',
+      resource: 'secrets'
+    }
+  })
+}
+
+exports.canGetOpenAPI = function (user) {
+  return hasAuthorization(user, {
+    nonResourceAttributes: {
+      verb: 'get',
+      path: '/openapi/v2'
+    }
   })
 }
 

backend/package.json

@@ -49,6 +49,7 @@
     "p-retry": "^4.2.0",
     "p-timeout": "^3.2.0",
     "reconnect-core": "^1.3.0",
+    "swagger-parser": "^8.0.1",
     "semver": "^7.1.2",
     "socket.io": "^2.3.0",
     "uuid": "^3.3.2",

backend/test/acceptance.spec.js

@@ -89,6 +89,10 @@ describe('acceptance', function () {
     require('./acceptance/healthz.spec.js')(context)
   })
 
+  describe('openapi', function () {
+    require('./acceptance/openapi.spec.js')(context)
+  })
+
   describe('security', function () {
     require('./acceptance/security.spec.js')(context)
   })

backend/test/acceptance/api.info.spec.js

@@ -22,7 +22,7 @@ module.exports = function info ({ agent, k8s, auth }) {
   /* eslint no-unused-expressions: 0 */
   const username = 'john.doe@example.org'
   const id = username
-  const aud = [ 'gardener' ]
+  const aud = ['gardener']
 
   it('should reject requests csrf protection error', async function () {
     const res = await agent
@@ -58,7 +58,7 @@ module.exports = function info ({ agent, k8s, auth }) {
   })
 
   it('should reject requests with invalid audience', async function () {
-    const user = auth.createUser({ id, aud: [ 'invalid-audience' ] })
+    const user = auth.createUser({ id, aud: ['invalid-audience'] })
     const res = await agent
       .get('/api/info')
       .set('cookie', await user.cookie)

backend/test/acceptance/openapi.spec.js

@@ -0,0 +1,45 @@
+//
+// Copyright (c) 2019 by SAP SE or an SAP affiliate company. All rights reserved. This file is licensed under the Apache Software License, v. 2 except as noted otherwise in the LICENSE file
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+'use strict'
+const SwaggerParser = require('swagger-parser')
+
+module.exports = function ({ agent, k8s, auth }) {
+  /* eslint no-unused-expressions: 0 */
+  const username = 'john.doe@example.org'
+  const id = username
+  const sandbox = sinon.createSandbox()
+
+  afterEach(function () {
+    sandbox.restore()
+  })
+
+  it('should fetch shoot openapi schema', async function () {
+    const user = auth.createUser({ id })
+    const bearer = await user.bearer
+    k8s.stub.getShootDefinition(bearer)
+    sandbox.stub(SwaggerParser, 'dereference').callsFake((obj) => {
+      return obj
+    })
+    const res = await agent
+      .get('/api/openapi')
+      .set('cookie', await user.cookie)
+
+    expect(res).to.have.status(200)
+    expect(res).to.be.json
+    expect(res.body).to.have.property('com.github.gardener.gardener.pkg.apis.core.v1beta1.Shoot').that.is.eql({ type: 'object' })
+  })
+}

backend/test/support/nocks/k8s.js

@@ -260,6 +260,24 @@ function canGetSecretsInAllNamespaces (scope) {
     })
 }
 
+function canGetOpenAPI (scope) {
+  return scope
+    .post('/apis/authorization.k8s.io/v1/selfsubjectaccessreviews', body => {
+      const { verb, path } = body.spec.nonResourceAttributes
+      return path === '/openapi/v2' && verb === 'get'
+    })
+    .reply(200, function (body) {
+      const [, token] = _.split(this.req.headers.authorization, ' ', 2)
+      const payload = jwt.decode(token)
+      const allowed = !_.isEmpty(payload.id)
+      return _.assign({
+        status: {
+          allowed
+        }
+      }, body)
+    })
+}
+
 function getKubeconfigSecret (scope, { namespace, name, server }) {
   const url = new URL(server)
   const secret = {
@@ -316,7 +334,7 @@ function getUser (name) {
   }
 }
 
-function getProject ({ name, namespace, createdBy, owner, members = [], description, purpose, phase = 'Ready', costObject = "" }) {
+function getProject ({ name, namespace, createdBy, owner, members = [], description, purpose, phase = 'Ready', costObject = '' }) {
   owner = owner || createdBy
   namespace = namespace || `garden-${name}`
   members = _
@@ -1387,16 +1405,16 @@ const stub = {
         const incomplete = false
         if (_.endsWith(payload.id, 'example.org')) {
           resourceRules = resourceRules.concat([{
-              verbs: ['get'],
-              apiGroups: ['core.gardener.cloud'],
-              resources: ['projects'],
-              resourceName: ['foo']
-            },
-            {
-              verbs: ['create'],
-              apiGroups: ['core.gardener.cloud'],
-              resources: ['projects']
-            }
+            verbs: ['get'],
+            apiGroups: ['core.gardener.cloud'],
+            resources: ['projects'],
+            resourceName: ['foo']
+          },
+          {
+            verbs: ['create'],
+            apiGroups: ['core.gardener.cloud'],
+            resources: ['projects']
+          }
           ])
         } else {
           resourceRules = resourceRules.concat([{
@@ -1405,7 +1423,7 @@ const stub = {
             resources: ['projects'],
             resourceName: ['foo']
           }
-        ])
+          ])
         }
         return {
           status: { resourceRules, nonResourceRules, incomplete }
@@ -1416,6 +1434,23 @@ const stub = {
     const adminScope = nockWithAuthorization(auth.bearer)
     reviewToken(adminScope)
     return adminScope
+  },
+  getShootDefinition (bearer) {
+    const scope = nockWithAuthorization(bearer)
+    canGetOpenAPI(scope)
+    const body = {
+      definitions: {
+        'com.github.gardener.gardener.pkg.apis.core.v1beta1.Shoot': {
+          type: 'object'
+        }
+      }
+    }
+    return [
+      scope,
+      nockWithAuthorization(auth.bearer)
+        .get('/openapi/v2')
+        .reply(200, body)
+    ]
   }
 }