From e6249a4c9095a1ff6ab9c62a33af73ab539effba Mon Sep 17 00:00:00 2001
From: David Eads
Date: Wed, 31 Jan 2018 16:11:14 -0500
Subject: [PATCH 1/2] UPSTREAM: : hack out the oapi for restmapping resources when more than one is present
---
 .../pkg/api/meta/patch_priority.go | 93 +++++++++++++++++++
 .../apimachinery/pkg/api/meta/priority.go | 26 ++++++
 2 files changed, 119 insertions(+)
 create mode 100644 vendor/k8s.io/kubernetes/staging/src/k8s.io/apimachinery/pkg/api/meta/patch_priority.go
diff --git a/vendor/k8s.io/kubernetes/staging/src/k8s.io/apimachinery/pkg/api/meta/patch_priority.go b/vendor/k8s.io/kubernetes/staging/src/k8s.io/apimachinery/pkg/api/meta/patch_priority.go
new file mode 100644
index 000000000000..6124e4c6fa8b
--- /dev/null
+++ b/vendor/k8s.io/kubernetes/staging/src/k8s.io/apimachinery/pkg/api/meta/patch_priority.go
@@ -0,0 +1,93 @@
+package meta
+
+import (
+ "strings"
+
+ "k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+var oapiResources = map[schema.GroupVersionResource]bool{
+ {Resource: "appliedclusterresourcequotas"}: true,
+ {Resource: "appliedclusterresourcequota"}: true,
+ {Resource: "buildconfigs"}: true,
+ {Resource: "buildconfig"}: true,
+ {Resource: "bc"}: true,
+ {Resource: "builds"}: true,
+ {Resource: "build"}: true,
+ {Resource: "clusternetworks"}: true,
+ {Resource: "clusternetwork"}: true,
+ {Resource: "clusterresourcequotas"}: true,
+ {Resource: "clusterresourcequota"}: true,
+ {Resource: "clusterquota"}: true,
+ {Resource: "clusterrolebindings"}: true,
+ {Resource: "clusterrolebinding"}: true,
+ {Resource: "clusterroles"}: true,
+ {Resource: "clusterrole"}: true,
+ {Resource: "deploymentconfigrollbacks"}: true,
+ {Resource: "deploymentconfigrollback"}: true,
+ {Resource: "deploymentconfigs"}: true,
+ {Resource: "deploymentconfig"}: true,
+ {Resource: "dc"}: true,
+ {Resource: "egressnetworkpolicies"}: true,
+ {Resource: "egressnetworkpolicy"}: true,
+ {Resource: "groups"}: true,
+ {Resource: "group"}: true,
+ {Resource: "hostsubnets"}: true,
+ {Resource: "hostsubnet"}: true,
+ {Resource: "identities"}: true,
+ {Resource: "identity"}: true,
+ {Resource: "images"}: true,
+ {Resource: "image"}: true,
+ {Resource: "imagesignatures"}: true,
+ {Resource: "imagesignature"}: true,
+ {Resource: "imagestreamimages"}: true,
+ {Resource: "imagestreamimage"}: true,
+ {Resource: "isimage"}: true,
+ {Resource: "imagestreamimports"}: true,
+ {Resource: "imagestreamimport"}: true,
+ {Resource: "imagestreammappings"}: true,
+ {Resource: "imagestreammapping"}: true,
+ {Resource: "imagestreams"}: true,
+ {Resource: "imagestream"}: true,
+ {Resource: "is"}: true,
+ {Resource: "imagestreamtags"}: true,
+ {Resource: "imagestreamtag"}: true,
+ {Resource: "istag"}: true,
+ {Resource: "netnamespaces"}: true,
+ {Resource: "netnamespace"}: true,
+ {Resource: "oauthaccesstokens"}: true,
+ {Resource: "oauthaccesstoken"}: true,
+ {Resource: "oauthauthorizetokens"}: true,
+ {Resource: "oauthauthorizetoken"}: true,
+ {Resource: "oauthclientauthorizations"}: true,
+ {Resource: "oauthclientauthorization"}: true,
+ {Resource: "oauthclients"}: true,
+ {Resource: "oauthclient"}: true,
+ {Resource: "processedtemplates"}: true,
+ {Resource: "processedtemplate"}: true,
+ {Resource: "projects"}: true,
+ {Resource: "project"}: true,
+ {Resource: "rolebindingrestrictions"}: true,
+ {Resource: "rolebindingrestriction"}: true,
+ {Resource: "rolebindings"}: true,
+ {Resource: "rolebinding"}: true,
+ {Resource: "roles"}: true,
+ {Resource: "role"}: true,
+ {Resource: "routes"}: true,
+ {Resource: "route"}: true,
+ {Resource: "securitycontextconstraints"}: true,
+ {Resource: "securitycontextconstraint"}: true,
+ {Resource: "scc"}: true,
+ {Resource: "templates"}: true,
+ {Resource: "template"}: true,
+ {Resource: "useridentitymappings"}: true,
+ {Resource: "useridentitymapping"}: true,
+ {Resource: "users"}: true,
+ {Resource: "user"}: true,
+}
+
+func isOAPIResource(resource schema.GroupVersionResource) bool {
+ // modify our copy to be sure we match our map
+ resource.Resource = strings.ToLower(resource.Resource)
+ return oapiResources[resource]
+}
diff --git a/vendor/k8s.io/kubernetes/staging/src/k8s.io/apimachinery/pkg/api/meta/priority.go b/vendor/k8s.io/kubernetes/staging/src/k8s.io/apimachinery/pkg/api/meta/priority.go
index 2a14aa7ab179..e9565dd4b047 100644
--- a/vendor/k8s.io/kubernetes/staging/src/k8s.io/apimachinery/pkg/api/meta/priority.go
+++ b/vendor/k8s.io/kubernetes/staging/src/k8s.io/apimachinery/pkg/api/meta/priority.go
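Review bot: `isOAPIResource` indexes `oapiResources` with the whole `GroupVersionResource`, so it returns true only when the caller left both Group and Version empty; a version-only request such as `{Version: "v1", Resource: "users"}` (constructed example) is treated as a non-oapi resource. Nothing in the file states that restriction. If it is intended, a doc comment would make it explicit: `// isOAPIResource reports whether resource is an unqualified (empty Group and Version) name of a legacy OpenShift API resource.` If name-only matching was meant, the lookup should be `oapiResources[schema.GroupVersionResource{Resource: strings.ToLower(resource.Resource)}]`.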
@@ -63,6 +63,19 @@ func (m PriorityRESTMapper) ResourceFor(partiallySpecifiedResource schema.GroupV } remainingGVRs := append([]schema.GroupVersionResource{}, originalGVRs...) + // if we're requesting an oapi resource, strip the oapi resource from this list so the groupified one is the only one that can match. + // if we're requesting an exact match, we will already have returned, so the reference file cases *should* return before this. + if isOAPIResource(partiallySpecifiedResource) { + keep := []schema.GroupVersionResource{} + for _, gvr := range remainingGVRs { + if len(gvr.Group) == 0 { + continue + } + keep = append(keep, gvr) + } + remainingGVRs = keep + } + for _, pattern := range m.ResourcePriority { matchedGVRs := []schema.GroupVersionResource{} for _, gvr := range remainingGVRs { @@ -99,6 +112,19 @@ func (m PriorityRESTMapper) KindFor(partiallySpecifiedResource schema.GroupVersi } remainingGVKs := append([]schema.GroupVersionKind{}, originalGVKs...) + // if we're requesting an oapi kind, strip the oapi kind from this list so the groupified one is the only one that can match. + // if we're requesting an exact match, we will already have returned, so the reference file cases *should* return before this. + if isOAPIResource(partiallySpecifiedResource) { + keep := []schema.GroupVersionKind{} + for _, gvk := range remainingGVKs { + if len(gvk.Group) == 0 { + continue + } + keep = append(keep, gvk) + } + remainingGVKs = keep + } + for _, pattern := range m.KindPriority { matchedGVKs := []schema.GroupVersionKind{} for _, gvr := range remainingGVKs { From 422b02672d826d93e6c5c327e999654c3330d551 Mon Sep 17 00:00:00 2001 From: David Eads Date: Thu, 1 Feb 2018 11:42:07 -0500 Subject: [PATCH 2/2] updates for finding groupified first --- pkg/oc/cli/describe/describer.go | 2 +- test/cmd/admin.sh | 2 +- test/cmd/authentication.sh | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) 
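Review bot: In `ResourceFor`, `remainingGVRs = keep` is assigned even when `keep` is empty, so a request whose candidates are all ungrouped leaves the priority loop with nothing to match; the tail of the function is outside the hunk, but this presumably ends in an ambiguous-resource error instead of falling back to the legacy entries. A guard keeps the fallback: `if len(keep) > 0 { remainingGVRs = keep }`. The `KindFor` hunk has the same shape with `remainingGVKs` and needs the same guard. Because the name list includes authorization types (`roles`, `rolebindings`, `clusterroles`, `clusterrolebindings`), a unit test pinning which group an unqualified name resolves to would be worth adding with this change. Both function bodies begin and end outside the hunks.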
diff --git a/pkg/oc/cli/describe/describer.go b/pkg/oc/cli/describe/describer.go
index f6196541748e..be4d9d7c83a3 100644
--- a/pkg/oc/cli/describe/describer.go
+++ b/pkg/oc/cli/describe/describer.go
@@ -127,7 +127,7 @@ func describerMap(clientConfig *rest.Config, kclient kclientset.Interface, host
 authorizationapi.Kind("ClusterRole"): &ClusterRoleDescriber{oauthorizationClient},
 authorizationapi.Kind("RoleBindingRestriction"): &RoleBindingRestrictionDescriber{oauthorizationClient},
 oauthapi.Kind("OAuthAccessToken"): &OAuthAccessTokenDescriber{oauthClient},
- authorizationapi.Kind("Identity"): &IdentityDescriber{userClient},
+ userapi.Kind("Identity"): &IdentityDescriber{userClient},
 userapi.Kind("User"): &UserDescriber{userClient},
 userapi.Kind("Group"): &GroupDescriber{userClient},
 userapi.Kind("UserIdentityMapping"): &UserIdentityMappingDescriber{userClient},
diff --git a/test/cmd/admin.sh b/test/cmd/admin.sh
index b2324b7848a1..506536acdad0 100755
--- a/test/cmd/admin.sh
+++ b/test/cmd/admin.sh
@@ -120,7 +120,7 @@ os::test::junit::declare_suite_start "cmd/admin/groups"
 os::cmd::expect_success_and_text 'oc adm groups new shortoutputgroup -o name' 'groups/shortoutputgroup'
 os::cmd::expect_failure_and_text 'oc adm groups new shortoutputgroup' 'groups.user.openshift.io "shortoutputgroup" already exists'
 os::cmd::expect_failure_and_text 'oc adm groups new errorgroup -o blah' 'error: output format "blah" not recognized'
-os::cmd::expect_failure_and_text 'oc get groups/errorgroup' 'groups "errorgroup" not found'
+os::cmd::expect_failure_and_text 'oc get groups/errorgroup' 'groups.user.openshift.io "errorgroup" not found'
 os::cmd::expect_success_and_text 'oc adm groups new group1 foo bar' 'group1.*foo, bar'
 os::cmd::expect_success_and_text 'oc get groups/group1 --no-headers' 'foo, bar'
 os::cmd::expect_success 'oc adm groups add-users group1 baz'
diff --git a/test/cmd/authentication.sh b/test/cmd/authentication.sh
index 57cc571e91e7..1ef7776aa633 100755
--- a/test/cmd/authentication.sh
+++ b/test/cmd/authentication.sh
@@ -53,14 +53,14 @@ listprojecttoken="$(oc process -f "${OS_ROOT}/test/testdata/authentication/scope # this token doesn't have rights to see any projects even though it can hit the list endpoint, so an empty list is correct # we'll add another scope that allows listing all known projects even if this token has no other powers in them. os::cmd::expect_success_and_not_text "oc get projects --token='${listprojecttoken}'" "${project}" -os::cmd::expect_failure_and_text "oc get user/~ --token='${listprojecttoken}'" 'prevent this action; User "scoped-user" cannot get users at the cluster scope' +os::cmd::expect_failure_and_text "oc get user/~ --token='${listprojecttoken}'" 'prevent this action; User "scoped-user" cannot get users.user.openshift.io at the cluster scope' os::cmd::expect_failure_and_text "oc get pods --token='${listprojecttoken}' -n '${project}'" "prevent this action; User \"scoped-user\" cannot list pods in project \"${project}\"" listprojecttoken="$(oc process -f "${OS_ROOT}/test/testdata/authentication/scoped-token-template.yaml" TOKEN_PREFIX=listallprojects SCOPE=user:list-projects USER_NAME="${username}" USER_UID="${useruid}" | oc create -f - -o name | awk -F/ '{print $2}')" os::cmd::expect_success_and_text "oc get projects --token='${listprojecttoken}'" "${project}" adminnonescalatingpowerstoken="$(oc process -f "${OS_ROOT}/test/testdata/authentication/scoped-token-template.yaml" TOKEN_PREFIX=admin SCOPE=role:admin:* USER_NAME="${username}" USER_UID="${useruid}" | oc create -f - -o name | awk -F/ '{print $2}')" -os::cmd::expect_failure_and_text "oc get user/~ --token='${adminnonescalatingpowerstoken}'" 'prevent this action; User "scoped-user" cannot get users at the cluster scope' +os::cmd::expect_failure_and_text "oc get user/~ --token='${adminnonescalatingpowerstoken}'" 'prevent this action; User "scoped-user" cannot get users.user.openshift.io at the cluster scope' os::cmd::expect_failure_and_text "oc get secrets 
--token='${adminnonescalatingpowerstoken}' -n '${project}'" "prevent this action; User \"scoped-user\" cannot list secrets in project \"${project}\"" os::cmd::expect_success_and_text "oc get 'projects/${project}' --token='${adminnonescalatingpowerstoken}' -n '${project}'" "${project}"