Merge branch 'dev' into devops-refactor

7a6b27d7 · runzexia · GitHub · 2aa34346 · 3c73471f · 7a6b27d7
9 changed file
--- a/pkg/api/types.go
+++ b/pkg/api/types.go
@@ -155,4 +155,7 @@ const (
 	ResourceKindeS2iRun                  = "s2iruns"
 	ResourceKindS2iBuilder               = "s2ibuilders"
 	ResourceKindApplication              = "applications"
+
+	WorkspaceNone = ""
+	ClusterNone   = ""
 )
--- a/pkg/apis/tower/v1alpha1/zz_generated.deepcopy.go
+++ b/pkg/apis/tower/v1alpha1/zz_generated.deepcopy.go
 // +build !ignore_autogenerated

 /*
+Copyright 2019 The KubeSphere authors.

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -124,6 +125,11 @@ func (in *AgentStatus) DeepCopyInto(out *AgentStatus) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.KubeConfig != nil {
+		in, out := &in.KubeConfig, &out.KubeConfig
+		*out = make([]byte, len(*in))
+		copy(*out, *in)
+	}
 }

 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AgentStatus.

--- a/pkg/apiserver/apiserver.go
+++ b/pkg/apiserver/apiserver.go
@@ -27,6 +27,7 @@ import (
 	ksruntime "kubesphere.io/kubesphere/pkg/apiserver/runtime"
 	"kubesphere.io/kubesphere/pkg/informers"
 	devopsv1alpha2 "kubesphere.io/kubesphere/pkg/kapis/devops/v1alpha2"
+	configv1alpha2 "kubesphere.io/kubesphere/pkg/kapis/config/v1alpha2"
 	iamv1alpha2 "kubesphere.io/kubesphere/pkg/kapis/iam/v1alpha2"
 	loggingv1alpha2 "kubesphere.io/kubesphere/pkg/kapis/logging/v1alpha2"
 	monitoringv1alpha2 "kubesphere.io/kubesphere/pkg/kapis/monitoring/v1alpha2"
@@ -35,7 +36,6 @@ import (
 	operationsv1alpha2 "kubesphere.io/kubesphere/pkg/kapis/operations/v1alpha2"
 	resourcesv1alpha2 "kubesphere.io/kubesphere/pkg/kapis/resources/v1alpha2"
 	resourcev1alpha3 "kubesphere.io/kubesphere/pkg/kapis/resources/v1alpha3"
-	"kubesphere.io/kubesphere/pkg/kapis/serverconfig/v1alpha2"
 	servicemeshv1alpha2 "kubesphere.io/kubesphere/pkg/kapis/servicemesh/metrics/v1alpha2"
 	terminalv1alpha2 "kubesphere.io/kubesphere/pkg/kapis/terminal/v1alpha2"
 	"kubesphere.io/kubesphere/pkg/models/iam/am"
@@ -134,7 +134,7 @@ func (s *APIServer) PrepareRun() error {
 }

 func (s *APIServer) installKubeSphereAPIs() {
-	urlruntime.Must(v1alpha2.AddToContainer(s.container, s.Config))
+	urlruntime.Must(configv1alpha2.AddToContainer(s.container, s.Config))
 	urlruntime.Must(resourcev1alpha3.AddToContainer(s.container, s.InformerFactory))
 	urlruntime.Must(loggingv1alpha2.AddToContainer(s.container, s.KubernetesClient, s.LoggingClient))
 	urlruntime.Must(monitoringv1alpha2.AddToContainer(s.container, s.KubernetesClient, s.MonitoringClient))
@@ -184,20 +184,20 @@ func (s *APIServer) buildHandlerChain() {
 	}

 	handler := s.Server.Handler
-
 	handler = filters.WithKubeAPIServer(handler, s.KubernetesClient.Config(), &errorResponder{})
 	handler = filters.WithMultipleClusterDispatcher(handler, dispatch.NewClusterDispatch(s.InformerFactory.KubeSphereSharedInformerFactory().Tower().V1alpha1().Agents().Lister()))

 	excludedPaths := []string{"/oauth/*", "/kapis/config.kubesphere.io/*"}
 	pathAuthorizer, _ := path.NewAuthorizer(excludedPaths)
-	authorizer := unionauthorizer.New(pathAuthorizer,
-		authorizerfactory.NewOPAAuthorizer(am.NewFakeAMOperator()))
-	handler = filters.WithAuthorization(handler, authorizer)

+	// union authorizers are ordered, don't change the order here
+	authorizers := unionauthorizer.New(pathAuthorizer, authorizerfactory.NewOPAAuthorizer(am.NewFakeAMOperator()))
+	handler = filters.WithAuthorization(handler, authorizers)
+
+	// authenticators are unordered
 	authn := unionauth.New(anonymous.NewAuthenticator(),
 		basictoken.New(basic.NewBasicAuthenticator(im.NewFakeOperator())),
-		bearertoken.New(jwttoken.NewTokenAuthenticator(
-			token.NewJwtTokenIssuer(token.DefaultIssuerName, s.Config.AuthenticationOptions, s.CacheClient))))
+		bearertoken.New(jwttoken.NewTokenAuthenticator(token.NewJwtTokenIssuer(token.DefaultIssuerName, s.Config.AuthenticationOptions, s.CacheClient))))
 	handler = filters.WithAuthentication(handler, authn)
 	handler = filters.WithRequestInfo(handler, requestInfoResolver)
 	s.Server.Handler = handler

--- a/pkg/apiserver/authorization/path/path.go
+++ b/pkg/apiserver/authorization/path/path.go
@@ -47,10 +47,6 @@ func NewAuthorizer(alwaysAllowPaths []string) (authorizer.Authorizer, error) {
 	}

 	return authorizer.AuthorizerFunc(func(a authorizer.Attributes) (authorizer.Decision, string, error) {
-		if a.IsResourceRequest() {
-			return authorizer.DecisionNoOpinion, "", nil
-		}
-
 		pth := strings.TrimPrefix(a.GetPath(), "/")
 		if paths.Has(pth) {
 			return authorizer.DecisionAllow, "", nil

--- a/pkg/apiserver/dispatch/dispatch.go
+++ b/pkg/apiserver/dispatch/dispatch.go
@@ -54,7 +54,7 @@ func (c *clusterDispatch) Dispatch(w http.ResponseWriter, req *http.Request, han
 	}

 	u := *req.URL
-	u.Host = agent.Spec.Proxy
+	u.Host = fmt.Sprintf("%s:%d", agent.Spec.Proxy, agent.Spec.KubeSphereAPIServerPort)
 	u.Path = strings.Replace(u.Path, fmt.Sprintf("/clusters/%s", info.Cluster), "", 1)

 	httpProxy := proxy.NewUpgradeAwareHandler(&u, http.DefaultTransport, true, false, c)

--- a/pkg/apiserver/filters/authorization.go
+++ b/pkg/apiserver/filters/authorization.go
@@ -13,23 +13,23 @@ import (
 )

 // WithAuthorization passes all authorized requests on to handler, and returns forbidden error otherwise.
-func WithAuthorization(handler http.Handler, a authorizer.Authorizer) http.Handler {
-	if a == nil {
+func WithAuthorization(handler http.Handler, authorizers authorizer.Authorizer) http.Handler {
+	if authorizers == nil {
 		klog.Warningf("Authorization is disabled")
 		return handler
 	}

-	serializer := serializer.NewCodecFactory(runtime.NewScheme()).WithoutConversion()
+	defaultSerializer := serializer.NewCodecFactory(runtime.NewScheme()).WithoutConversion()

 	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
 		ctx := req.Context()

-		attributes, err := GetAuthorizerAttributes(ctx)
+		attributes, err := getAuthorizerAttributes(ctx)
 		if err != nil {
 			responsewriters.InternalError(w, req, err)
 		}

-		authorized, reason, err := a.Authorize(attributes)
+		authorized, reason, err := authorizers.Authorize(attributes)
 		if authorized == authorizer.DecisionAllow {
 			handler.ServeHTTP(w, req)
 			return
@@ -41,11 +41,11 @@ func WithAuthorization(handler http.Handler, a authorizer.Authorizer) http.Handl
 		}

 		klog.V(4).Infof("Forbidden: %#v, Reason: %q", req.RequestURI, reason)
-		responsewriters.Forbidden(ctx, attributes, w, req, reason, serializer)
+		responsewriters.Forbidden(ctx, attributes, w, req, reason, defaultSerializer)
 	})
 }

-func GetAuthorizerAttributes(ctx context.Context) (authorizer.Attributes, error) {
+func getAuthorizerAttributes(ctx context.Context) (authorizer.Attributes, error) {
 	attribs := authorizer.AttributesRecord{}

 	user, ok := request.UserFrom(ctx)

--- a/pkg/apiserver/request/requestinfo.go
+++ b/pkg/apiserver/request/requestinfo.go
@@ -8,6 +8,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/klog"
+	"kubesphere.io/kubesphere/pkg/api"
 	"net/http"
 	"strings"

@@ -88,6 +89,8 @@ func (r *RequestInfoFactory) NewRequestInfo(req *http.Request) (*RequestInfo, er
 			Path: req.URL.Path,
 			Verb: req.Method,
 		},
+		Workspace: api.WorkspaceNone,
+		Cluster:   api.ClusterNone,
 	}

 	defer func() {
@@ -123,16 +126,6 @@ func (r *RequestInfoFactory) NewRequestInfo(req *http.Request) (*RequestInfo, er
 	requestInfo.APIVersion = currentParts[0]
 	currentParts = currentParts[1:]

-	if currentParts[0] == "clusters" {
-		requestInfo.Cluster = currentParts[1]
-		currentParts = currentParts[2:]
-	}
-
-	if currentParts[0] == "workspaces" {
-		requestInfo.Workspace = currentParts[1]
-		currentParts = currentParts[2:]
-	}
-
 	if specialVerbs.Has(currentParts[0]) {
 		if len(currentParts) < 2 {
 			return &requestInfo, fmt.Errorf("unable to determine kind and namespace from url: %v", req.URL)
@@ -157,6 +150,26 @@ func (r *RequestInfoFactory) NewRequestInfo(req *http.Request) (*RequestInfo, er
 		}
 	}

+	// URL forms: /clusters/{cluster}/*
+	if currentParts[0] == "clusters" {
+		if len(currentParts) > 1 {
+			requestInfo.Cluster = currentParts[1]
+		}
+		if len(currentParts) > 2 {
+			currentParts = currentParts[2:]
+		}
+	}
+
+	// URL forms: /workspaces/{workspace}/*
+	if currentParts[0] == "workspaces" {
+		if len(currentParts) > 1 {
+			requestInfo.Workspace = currentParts[1]
+		}
+		if len(currentParts) > 2 {
+			currentParts = currentParts[2:]
+		}
+	}
+
 	// URL forms: /namespaces/{namespace}/{kind}/*, where parts are adjusted to be relative to kind
 	if currentParts[0] == "namespaces" {
 		if len(currentParts) > 1 {

--- a/pkg/apiserver/request/requestinfo_test.go
+++ b/pkg/apiserver/request/requestinfo_test.go
@@ -162,6 +162,19 @@ func TestRequestInfoFactory_NewRequestInfo(t *testing.T) {
 			expectedCluster:           "",
 			expectedKubernetesRequest: false,
 		},
+		{
+			name:                      "",
+			url:                       "/kapis/tenant.kubesphere.io/v1alpha2/workspaces",
+			method:                    http.MethodGet,
+			expectedErr:               nil,
+			expectedVerb:              "list",
+			expectedNamespace:         "",
+			expectedCluster:           "",
+			expectedWorkspace:         "",
+			expectedKubernetesRequest: false,
+			expectedIsResourceRequest: true,
+			expectedResource:          "workspaces",
+		},
 		{
 			name:                      "kubesphere api without clusters",
 			url:                       "/kapis/foo/bar/",
@@ -180,6 +193,7 @@ func TestRequestInfoFactory_NewRequestInfo(t *testing.T) {
 	requestInfoResolver := newTestRequestInfoResolver()

 	for _, test := range tests {
+		t.Run(test.url, func(t *testing.T) {
 			req, err := http.NewRequest(test.method, test.url, nil)
 			if err != nil {
 				t.Fatal(err)
@@ -214,5 +228,7 @@ func TestRequestInfoFactory_NewRequestInfo(t *testing.T) {
 					t.Errorf("%s: expected kubernetes request %v, actual %+v", test.name, test.expectedKubernetesRequest, requestInfo.IsKubernetesRequest)
 				}
 			}
+		})
+
 	}
 }
--- a/pkg/kapis/serverconfig/v1alpha2/register.go
+++ b/pkg/kapis/serverconfig/v1alpha2/register.go