From 895d8b838f9f3957cb83d81d701d6dc4123401d7 Mon Sep 17 00:00:00 2001
From: shaowenchen
Date: Fri, 10 Jul 2020 17:42:00 +0800
Subject: [PATCH] add interface for iam
Signed-off-by: shaowenchen
---
 cmd/controller-manager/app/controllers.go | 3 +-
 .../globalrolebinding_controller.go | 15 +-
 pkg/models/devops/common.go | 251 ++++++++++++++++++
 pkg/simple/client/devops/fake/fakedevops.go | 36 +++
 pkg/simple/client/devops/interface.go | 2 +
 pkg/simple/client/devops/jenkins/jenkins.go | 144 ++++++++--
 pkg/simple/client/devops/jenkins/role.go | 71 +---
 pkg/simple/client/devops/role.go | 89 +++++++
 8 files changed, 523 insertions(+), 88 deletions(-)
 create mode 100644 pkg/simple/client/devops/role.go
diff --git a/cmd/controller-manager/app/controllers.go b/cmd/controller-manager/app/controllers.go
index 56aa07f8..1403e245 100644
--- a/cmd/controller-manager/app/controllers.go
+++ b/cmd/controller-manager/app/controllers.go
@@ -230,8 +230,7 @@ func addControllers(
 kubesphereInformer.Tenant().V1alpha2().WorkspaceTemplates(), multiClusterEnabled)
 globalRoleBindingController := globalrolebinding.NewController(client.Kubernetes(), client.KubeSphere(),
- kubesphereInformer.Iam().V1alpha2().GlobalRoleBindings(),
- fedGlobalRoleBindingCache, fedGlobalRoleBindingCacheController, multiClusterEnabled)
+ kubesphereInformer.Iam().V1alpha2().GlobalRoleBindings(), fedGlobalRoleBindingCache, fedGlobalRoleBindingCacheController, multiClusterEnabled, devopsClient)
 workspaceRoleBindingController := workspacerolebinding.NewController(client.Kubernetes(), client.KubeSphere(),
 kubesphereInformer.Iam().V1alpha2().WorkspaceRoleBindings(),
diff --git a/pkg/controller/globalrolebinding/globalrolebinding_controller.go b/pkg/controller/globalrolebinding/globalrolebinding_controller.go
index 48f3b535..f7d80f4e 100644
--- a/pkg/controller/globalrolebinding/globalrolebinding_controller.go
+++ b/pkg/controller/globalrolebinding/globalrolebinding_controller.go
@@ -39,6 +39,9 @@ import (
 iamv1alpha2informers "kubesphere.io/kubesphere/pkg/client/informers/externalversions/iam/v1alpha2"
 iamv1alpha2listers "kubesphere.io/kubesphere/pkg/client/listers/iam/v1alpha2"
 "kubesphere.io/kubesphere/pkg/constants"
+ modeldevops "kubesphere.io/kubesphere/pkg/models/devops"
+ devops "kubesphere.io/kubesphere/pkg/simple/client/devops"
+ "reflect"
 "sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 "time"
@@ -70,10 +73,11 @@ type Controller struct {
 // Kubernetes API.
 recorder record.EventRecorder
 multiClusterEnabled bool
+ devopsClient devops.Interface
 }
 func NewController(k8sClient kubernetes.Interface, ksClient kubesphere.Interface, globalRoleBindingInformer iamv1alpha2informers.GlobalRoleBindingInformer,
- fedGlobalRoleBindingCache cache.Store, fedGlobalRoleBindingCacheController cache.Controller, multiClusterEnabled bool) *Controller {
+ fedGlobalRoleBindingCache cache.Store, fedGlobalRoleBindingCacheController cache.Controller, multiClusterEnabled bool, devopsClient devops.Interface) *Controller {
 // Create event broadcaster
 // Add sample-controller types to the default Kubernetes Scheme so Events can be
 // logged for sample-controller types.
@@ -94,6 +98,7 @@ func NewController(k8sClient kubernetes.Interface, ksClient kubesphere.Interface
 workqueue: workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "GlobalRoleBinding"),
 recorder: recorder,
 multiClusterEnabled: multiClusterEnabled,
+ devopsClient: devopsClient,
 }
 klog.Info("Setting up event handlers")
 globalRoleBindingInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
@@ -228,6 +233,14 @@ func (c *Controller) reconcile(key string) error {
 klog.Error(err)
 return err
 }
+ if c.devopsClient != nil {
+ username := findExpectUsername(globalRoleBinding)
+ err = c.devopsClient.AssignGlobalRole(modeldevops.JenkinsAdminRoleName, username)
+ if err != nil {
+ klog.Errorf("%+v", err)
+ return err
+ }
+ }
 }
 if c.multiClusterEnabled {
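Review bot: The reconcile hunk grants the Jenkins global role `modeldevops.JenkinsAdminRoleName` ("admin") to the binding's user as soon as `devopsClient` is non-nil, and nothing in this commit revokes it — `UnAssignGlobalRole` is defined in the client and the fake but never called — so a GlobalRoleBinding that is later deleted or re-pointed at a lesser role leaves the user with Jenkins administrator rights. The condition that routes bindings into this block sits outside the hunk, so whether it is restricted to the platform-admin role cannot be confirmed here; if it is not, every binding becomes a Jenkins admin grant, and the delete path of `reconcile` (also outside the hunk) needs the matching unassign. `findExpectUsername` is defined outside the hunk too; its result should be rejected when empty before anything is posted to the role-strategy endpoint, e.g. `if username == "" { return fmt.Errorf("globalrolebinding %s: no username among subjects", key) }` (imports permitting). In the import hunk `"reflect"` is inserted between two `kubesphere.io` imports, and the same ungrouped insertion appears in common.go and jenkins/role.go; goimports would place stdlib and project imports in separate groups.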
diff --git a/pkg/models/devops/common.go b/pkg/models/devops/common.go
index f6701215..a15ba20b 100644
--- a/pkg/models/devops/common.go
+++ b/pkg/models/devops/common.go
@@ -17,7 +17,9 @@ limitations under the License.
 package devops
 import (
+ "fmt"
 "github.com/fatih/structs"
+ "kubesphere.io/kubesphere/pkg/simple/client/devops"
 "kubesphere.io/kubesphere/pkg/utils/stringutils"
 )
@@ -64,3 +66,252 @@ const (
 const (
 KS_ADMIN = "admin"
 )
+
+// define roles of DevOps
+const (
+ ProjectOwner = "owner"
+ ProjectMaintainer = "maintainer"
+ ProjectDeveloper = "developer"
+ ProjectReporter = "reporter"
+)
+
+const (
+ JenkinsAllUserRoleName = "kubesphere-user"
+ JenkinsAdminRoleName = "admin"
+)
+
+type Role struct {
+ Name string `json:"name" description:"role's name e.g. owner'"`
+ Description string `json:"description" description:"role 's description'"`
+}
+
+var DefaultRoles = []*Role{
+ {
+ Name: ProjectOwner,
+ Description: "Owner have access to do all the operations of a DevOps project and own the highest permissions as well.",
+ },
+ {
+ Name: ProjectMaintainer,
+ Description: "Maintainer have access to manage pipeline and credential configuration in a DevOps project.",
+ },
+ {
+ Name: ProjectDeveloper,
+ Description: "Developer is able to view and trigger the pipeline.",
+ },
+ {
+ Name: ProjectReporter,
+ Description: "Reporter is only allowed to view the status of the pipeline.",
+ },
+}
+
+var AllRoleSlice = []string{ProjectDeveloper, ProjectReporter, ProjectMaintainer, ProjectOwner}
+
+// define the permission matrix of owner
+var JenkinsOwnerProjectPermissionIds = &devops.ProjectPermissionIds{
+ CredentialCreate: true,
+ CredentialDelete: true,
+ CredentialManageDomains: true,
+ CredentialUpdate: true,
+ CredentialView: true,
+ ItemBuild: true,
+ ItemCancel: true,
+ ItemConfigure: true,
+ ItemCreate: true,
+ ItemDelete: true,
+ ItemDiscover: true,
+ ItemMove: true,
+ ItemRead: true,
+ ItemWorkspace: true,
+ RunDelete: true,
+ RunReplay: true,
+ RunUpdate: true,
+ SCMTag: true,
+}
+
+// define the permission matrix of DevOps, including owner, maintainer, developer, reporter
+var JenkinsProjectPermissionMap = map[string]devops.ProjectPermissionIds{
+ ProjectOwner: {
+ CredentialCreate: true,
+ CredentialDelete: true,
+ CredentialManageDomains: true,
+ CredentialUpdate: true,
+ CredentialView: true,
+ ItemBuild: true,
+ ItemCancel: true,
+ ItemConfigure: true,
+ ItemCreate: true,
+ ItemDelete: true,
+ ItemDiscover: true,
+ ItemMove: true,
+ ItemRead: true,
+ ItemWorkspace: true,
+ RunDelete: true,
+ RunReplay: true,
+ RunUpdate: true,
+ SCMTag: true,
+ },
+ ProjectMaintainer: {
+ CredentialCreate: true,
+ CredentialDelete: true,
+ CredentialManageDomains: true,
+ CredentialUpdate: true,
+ CredentialView: true,
+ ItemBuild: true,
+ ItemCancel: true,
+ ItemConfigure: false,
+ ItemCreate: true,
+ ItemDelete: false,
+ ItemDiscover: true,
+ ItemMove: false,
+ ItemRead: true,
+ ItemWorkspace: true,
+ RunDelete: true,
+ RunReplay: true,
+ RunUpdate: true,
+ SCMTag: true,
+ },
+ ProjectDeveloper: {
+ CredentialCreate: false,
+ CredentialDelete: false,
+ CredentialManageDomains: false,
+ CredentialUpdate: false,
+ CredentialView: false,
+ ItemBuild: true,
+ ItemCancel: true,
+ ItemConfigure: false,
+ ItemCreate: false,
+ ItemDelete: false,
+ ItemDiscover: true,
+ ItemMove: false,
+ ItemRead: true,
+ ItemWorkspace: true,
+ RunDelete: true,
+ RunReplay: true,
+ RunUpdate: true,
+ SCMTag: false,
+ },
+ ProjectReporter: {
+ CredentialCreate: false,
+ CredentialDelete: false,
+ CredentialManageDomains: false,
+ CredentialUpdate: false,
+ CredentialView: false,
+ ItemBuild: false,
+ ItemCancel: false,
+ ItemConfigure: false,
+ ItemCreate: false,
+ ItemDelete: false,
+ ItemDiscover: true,
+ ItemMove: false,
+ ItemRead: true,
+ ItemWorkspace: false,
+ RunDelete: false,
+ RunReplay: false,
+ RunUpdate: false,
+ SCMTag: false,
+ },
+}
+
+// define the permission matrix of pipeline, including owner, maintainer, developer, reporter
+var JenkinsPipelinePermissionMap = map[string]devops.ProjectPermissionIds{
+ ProjectOwner: {
+ CredentialCreate: true,
+ CredentialDelete: true,
+ CredentialManageDomains: true,
+ CredentialUpdate: true,
+ CredentialView: true,
+ ItemBuild: true,
+ ItemCancel: true,
+ ItemConfigure: true,
+ ItemCreate: true,
+ ItemDelete: true,
+ ItemDiscover: true,
+ ItemMove: true,
+ ItemRead: true,
+ ItemWorkspace: true,
+ RunDelete: true,
+ RunReplay: true,
+ RunUpdate: true,
+ SCMTag: true,
+ },
+ ProjectMaintainer: {
+ CredentialCreate: true,
+ CredentialDelete: true,
+ CredentialManageDomains: true,
+ CredentialUpdate: true,
+ CredentialView: true,
+ ItemBuild: true,
+ ItemCancel: true,
+ ItemConfigure: true,
+ ItemCreate: true,
+ ItemDelete: true,
+ ItemDiscover: true,
+ ItemMove: true,
+ ItemRead: true,
+ ItemWorkspace: true,
+ RunDelete: true,
+ RunReplay: true,
+ RunUpdate: true,
+ SCMTag: true,
+ },
+ ProjectDeveloper: {
+ CredentialCreate: false,
+ CredentialDelete: false,
+ CredentialManageDomains: false,
+ CredentialUpdate: false,
+ CredentialView: false,
+ ItemBuild: true,
+ ItemCancel: true,
+ ItemConfigure: false,
+ ItemCreate: false,
+ ItemDelete: false,
+ ItemDiscover: true,
+ ItemMove: false,
+ ItemRead: true,
+ ItemWorkspace: true,
+ RunDelete: true,
+ RunReplay: true,
+ RunUpdate: true,
+ SCMTag: false,
+ },
+ ProjectReporter: {
+ CredentialCreate: false,
+ CredentialDelete: false,
+ CredentialManageDomains: false,
+ CredentialUpdate: false,
+ CredentialView: false,
+ ItemBuild: false,
+ ItemCancel: false,
+ ItemConfigure: false,
+ ItemCreate: false,
+ ItemDelete: false,
+ ItemDiscover: true,
+ ItemMove: false,
+ ItemRead: true,
+ ItemWorkspace: false,
+ RunDelete: false,
+ RunReplay: false,
+ RunUpdate: false,
+ SCMTag: false,
+ },
+}
+
+// get roleName of the project
+func GetProjectRoleName(projectId, role string) string {
+ return fmt.Sprintf("%s-%s-project", projectId, role)
+}
+
+// get roleName of the pipeline
+func GetPipelineRoleName(projectId, role string) string {
+ return fmt.Sprintf("%s-%s-pipeline", projectId, role)
+}
+
+// get pattern string of the project
+func GetProjectRolePattern(projectId string) string {
+ return fmt.Sprintf("^%s$", projectId)
+}
+
+// get pattern string of the project
+func GetPipelineRolePattern(projectId string) string {
+ return fmt.Sprintf("^%s/.*", projectId)
+}
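Review bot: `GetProjectRolePattern` and `GetPipelineRolePattern` interpolate `projectId` straight into a regular expression (`^%s$`, `^%s/.*`), and a role-strategy pattern is matched as a regex against item names, so an id containing metacharacters such as `.` or `+` would widen the role to items outside that project; a DNS-1123 name is safe, but nothing here enforces that and the helpers are exported. `return fmt.Sprintf("^%s$", regexp.QuoteMeta(projectId))` and `return fmt.Sprintf("^%s/.*", regexp.QuoteMeta(projectId))` close the gap, at the cost of adding `"regexp"` to the import block. The comment above `GetPipelineRolePattern` reads "get pattern string of the project" and should say pipeline, and the `description` tags on `Role` carry stray trailing quotes (`owner'`, `description'`). `JenkinsOwnerProjectPermissionIds` repeats `JenkinsProjectPermissionMap[ProjectOwner]` field for field, so the two will drift unless a comment states which one is authoritative and that they must be kept identical.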
diff --git a/pkg/simple/client/devops/fake/fakedevops.go b/pkg/simple/client/devops/fake/fakedevops.go
index 7d901208..be744b65 100644
--- a/pkg/simple/client/devops/fake/fakedevops.go
+++ b/pkg/simple/client/devops/fake/fakedevops.go
@@ -540,3 +540,39 @@ func (d *Devops) GetProjectPipelineConfig(projectId, pipelineId string) (*devops
 return d.Pipelines[projectId][pipelineId], nil
 }
+
+func (d *Devops) AddGlobalRole(roleName string, ids devops.GlobalPermissionIds, overwrite bool) error {
+ return nil
+}
+
+func (d *Devops) AddProjectRole(roleName string, pattern string, ids devops.ProjectPermissionIds, overwrite bool) error {
+ return nil
+}
+
+func (d *Devops) DeleteProjectRoles(roleName ...string) error {
+ return nil
+}
+
+func (d *Devops) AssignProjectRole(roleName string, sid string) error {
+ return nil
+}
+
+func (d *Devops) UnAssignProjectRole(roleName string, sid string) error {
+ return nil
+}
+
+func (d *Devops) AssignGlobalRole(roleName string, sid string) error {
+ return nil
+}
+
+func (d *Devops) UnAssignGlobalRole(roleName string, sid string) error {
+ return nil
+}
+
+func (d *Devops) DeleteUserInProject(sid string) error {
+ return nil
+}
+
+func (d *Devops) GetGlobalRole(roleName string) (string, error) {
+ return "", nil
+}
diff --git a/pkg/simple/client/devops/interface.go b/pkg/simple/client/devops/interface.go
index 2cf85ca4..671dcf08 100644
--- a/pkg/simple/client/devops/interface.go
+++ b/pkg/simple/client/devops/interface.go
@@ -17,6 +17,8 @@ type Interface interface {
 ProjectPipelineOperator
 ProjectOperator
+
+ RoleOperator
 }
 func GetDevOpsStatusCode(devopsErr error) int {
diff --git a/pkg/simple/client/devops/jenkins/jenkins.go b/pkg/simple/client/devops/jenkins/jenkins.go
index 04f32b23..70440a07 100644
--- a/pkg/simple/client/devops/jenkins/jenkins.go
+++ b/pkg/simple/client/devops/jenkins/jenkins.go
@@ -214,7 +214,9 @@ func (j *Jenkins) Poll() (int, error) {
 return resp.StatusCode, nil
 }
-func (j *Jenkins) GetGlobalRole(roleName string) (*GlobalRole, error) {
+// query roleName exist or not
+// if return roleName means exist
+func (j *Jenkins) GetGlobalRole(roleName string) (string, error) {
 roleResponse := &GlobalRoleResponse{
 RoleName: roleName,
 }
@@ -226,15 +228,29 @@ func (j *Jenkins) GetGlobalRole(roleName string) (*GlobalRole, error) {
 "type": GLOBAL_ROLE,
 })
 if err != nil {
- return nil, err
+ return "", err
 }
 if response.StatusCode != http.StatusOK {
- return nil, errors.New(strconv.Itoa(response.StatusCode))
+ return "", errors.New(strconv.Itoa(response.StatusCode))
 }
 if stringResponse == "{}" {
- return nil, nil
+ return "", nil
 }
 err = json.Unmarshal([]byte(stringResponse), roleResponse)
+ if err != nil {
+ return "", err
+ }
+ return roleResponse.RoleName, nil
+}
+
+func (j *Jenkins) GetGlobalRoleHandler(roleName string) (*GlobalRole, error) {
+ name, err := j.GetGlobalRole(roleName)
+ if err != nil {
+ return nil, err
+ }
+ roleResponse := &GlobalRoleResponse{
+ RoleName: name,
+ }
 if err != nil {
 return nil, err
 }
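Review bot: `GetGlobalRoleHandler` loses the not-found signal the old `GetGlobalRole` carried: when Jenkins answers `{}`, `GetGlobalRole` now returns `"", nil`, and the handler goes on to build a `GlobalRoleResponse` with an empty `RoleName` instead of returning `nil, nil` as before, so callers can no longer distinguish a missing role from a found one. It should stop before constructing the response, `if name == "" { return nil, nil }` (or return an explicit not-found error), and the `if err != nil` that follows the `roleResponse` literal is dead, since `err` was already checked three lines earlier. The `PermissionIds` that `GetGlobalRole` unmarshals are also discarded on the way through, so the returned `GlobalRole.Raw` carries only the name; whether the rest of the handler, which continues past the end of the hunk, depends on them cannot be seen here. The two-line comment on `GetGlobalRole` would read better as `// GetGlobalRole returns roleName when the global role exists in Jenkins, or "" with a nil error when it does not.`.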
@@ -244,6 +260,50 @@ func (j *Jenkins) GetGlobalRole(roleName string) (*GlobalRole, error) {
 }, nil
 }
+// assign a global roleName to username(sid)
+func (j *Jenkins) AssignGlobalRole(roleName string, sid string) error {
+ globalRole, err := j.GetGlobalRoleHandler(roleName)
+ if err != nil {
+ return err
+ }
+ param := map[string]string{
+ "type": GLOBAL_ROLE,
+ "roleName": globalRole.Raw.RoleName,
+ "sid": sid,
+ }
+ responseString := ""
+ response, err := j.Requester.Post("/role-strategy/strategy/assignRole", nil, &responseString, param)
+ if err != nil {
+ return err
+ }
+ if response.StatusCode != http.StatusOK {
+ return errors.New(strconv.Itoa(response.StatusCode))
+ }
+ return nil
+}
+
+// unassign a global roleName to username(sid)
+func (j *Jenkins) UnAssignGlobalRole(roleName string, sid string) error {
+ globalRole, err := j.GetGlobalRoleHandler(roleName)
+ if err != nil {
+ return err
+ }
+ param := map[string]string{
+ "type": GLOBAL_ROLE,
+ "roleName": globalRole.Raw.RoleName,
+ "sid": sid,
+ }
+ responseString := ""
+ response, err := j.Requester.Post("/role-strategy/strategy/unassignRole", nil, &responseString, param)
+ if err != nil {
+ return err
+ }
+ if response.StatusCode != http.StatusOK {
+ return errors.New(strconv.Itoa(response.StatusCode))
+ }
+ return nil
+}
+
 func (j *Jenkins) GetProjectRole(roleName string) (*ProjectRole, error) {
 roleResponse := &ProjectRoleResponse{
 RoleName: roleName,
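Review bot: `AssignGlobalRole` posts `globalRole.Raw.RoleName` without checking that the role was actually found: `GetGlobalRoleHandler` builds its result from whatever `GetGlobalRole` returned, which is `""` when Jenkins answered `{}`, so a missing role becomes a request with an empty `roleName` rather than an error (assuming the handler's tail, outside this hunk, does not reject the empty name). Add `if globalRole == nil || globalRole.Raw.RoleName == "" { return errors.New("global role " + roleName + " not found") }` after the error check; `UnAssignGlobalRole` here and `AssignProjectRole`/`UnAssignProjectRole` in the next hunk need the same guard, and for the project pair it matters more, because `GetProjectRole` (outside the hunk) presumably returns `nil, nil` for `{}` as the old `GetGlobalRole` did, which would make `projectRole.Raw` a nil dereference. The four bodies differ only in the role type, the role lookup and the endpoint, so a private `assignRole(roleType, roleName, sid, endpoint string) error` would remove the duplication. `errors.New(strconv.Itoa(response.StatusCode))` also drops which endpoint and role failed, which is what an operator will need when a grant silently does not take effect.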
@@ -274,13 +334,52 @@ func (j *Jenkins) GetProjectRole(roleName string) (*ProjectRole, error) {
 }, nil
 }
-func (j *Jenkins) AddGlobalRole(roleName string, ids GlobalPermissionIds, overwrite bool) (*GlobalRole, error) {
- responseRole := &GlobalRole{
- Jenkins: j,
- Raw: GlobalRoleResponse{
- RoleName: roleName,
- PermissionIds: ids,
- }}
+// assign a project roleName to username(sid)
+func (j *Jenkins) AssignProjectRole(roleName string, sid string) error {
+ projectRole, err := j.GetProjectRole(roleName)
+ if err != nil {
+ return err
+ }
+ param := map[string]string{
+ "type": PROJECT_ROLE,
+ "roleName": projectRole.Raw.RoleName,
+ "sid": sid,
+ }
+ responseString := ""
+ response, err := j.Requester.Post("/role-strategy/strategy/assignRole", nil, &responseString, param)
+ if err != nil {
+ return err
+ }
+ if response.StatusCode != http.StatusOK {
+ return errors.New(strconv.Itoa(response.StatusCode))
+ }
+ return nil
+}
+
+// unassign a project roleName to username(sid)
+func (j *Jenkins) UnAssignProjectRole(roleName string, sid string) error {
+ projectRole, err := j.GetProjectRole(roleName)
+ if err != nil {
+ return err
+ }
+ param := map[string]string{
+ "type": PROJECT_ROLE,
+ "roleName": projectRole.Raw.RoleName,
+ "sid": sid,
+ }
+ responseString := ""
+ response, err := j.Requester.Post("/role-strategy/strategy/unassignRole", nil, &responseString, param)
+ if err != nil {
+ return err
+ }
+ if response.StatusCode != http.StatusOK {
+ return errors.New(strconv.Itoa(response.StatusCode))
+ }
+ return nil
+}
+
+// add a global roleName
+func (j *Jenkins) AddGlobalRole(roleName string, ids devops.GlobalPermissionIds, overwrite bool) error {
 var idArray []string
 values := reflect.ValueOf(ids)
 for i := 0; i < values.NumField(); i++ {
@@ -298,14 +397,15 @@ func (j *Jenkins) AddGlobalRole(roleName string, ids GlobalPermissionIds, overwr
 responseString := ""
 response, err := j.Requester.Post("/role-strategy/strategy/addRole", nil, &responseString, param)
 if err != nil {
- return nil, err
+ return err
 }
 if response.StatusCode != http.StatusOK {
- return nil, errors.New(strconv.Itoa(response.StatusCode))
+ return errors.New(strconv.Itoa(response.StatusCode))
 }
- return responseRole, nil
+ return nil
 }
+// delete roleName from the project
 func (j *Jenkins) DeleteProjectRoles(roleName ...string) error {
 responseString := ""
@@ -323,14 +423,8 @@ func (j *Jenkins) DeleteProjectRoles(roleName ...string) error {
 return nil
 }
-func (j *Jenkins) AddProjectRole(roleName string, pattern string, ids ProjectPermissionIds, overwrite bool) (*ProjectRole, error) {
- responseRole := &ProjectRole{
- Jenkins: j,
- Raw: ProjectRoleResponse{
- RoleName: roleName,
- PermissionIds: ids,
- Pattern: pattern,
- }}
+// add roleName for project
+func (j *Jenkins) AddProjectRole(roleName string, pattern string, ids devops.ProjectPermissionIds, overwrite bool) error {
 var idArray []string
 values := reflect.ValueOf(ids)
 for i := 0; i < values.NumField(); i++ {
@@ -349,12 +443,12 @@ func (j *Jenkins) AddProjectRole(roleName string, pattern string, ids ProjectPer
 responseString := ""
 response, err := j.Requester.Post("/role-strategy/strategy/addRole", nil, &responseString, param)
 if err != nil {
- return nil, err
+ return err
 }
 if response.StatusCode != http.StatusOK {
- return nil, errors.New(strconv.Itoa(response.StatusCode))
+ return errors.New(strconv.Itoa(response.StatusCode))
 }
- return responseRole, nil
+ return nil
 }
 func (j *Jenkins) DeleteUserInProject(username string) error {
diff --git a/pkg/simple/client/devops/jenkins/role.go b/pkg/simple/client/devops/jenkins/role.go
index f8a7e643..c8be494d 100644
--- a/pkg/simple/client/devops/jenkins/role.go
+++ b/pkg/simple/client/devops/jenkins/role.go
@@ -2,6 +2,7 @@ package jenkins
 import (
 "errors"
+ "kubesphere.io/kubesphere/pkg/simple/client/devops"
 "net/http"
 "reflect"
 "strconv"
@@ -9,8 +10,8 @@ import (
 )
 type GlobalRoleResponse struct {
- RoleName string `json:"roleName"`
- PermissionIds GlobalPermissionIds `json:"permissionIds"`
+ RoleName string `json:"roleName"`
+ PermissionIds devops.GlobalPermissionIds `json:"permissionIds"`
 }
 type GlobalRole struct {
@@ -18,71 +19,18 @@ type GlobalRole struct {
 Raw GlobalRoleResponse
 }
-type GlobalPermissionIds struct {
- Administer bool `json:"hudson.model.Hudson.Administer"`
- GlobalRead bool `json:"hudson.model.Hudson.Read"`
- CredentialCreate bool `json:"com.cloudbees.plugins.credentials.CredentialsProvider.Create"`
- CredentialUpdate bool `json:"com.cloudbees.plugins.credentials.CredentialsProvider.Update"`
- CredentialView bool `json:"com.cloudbees.plugins.credentials.CredentialsProvider.View"`
- CredentialDelete bool `json:"com.cloudbees.plugins.credentials.CredentialsProvider.Delete"`
- CredentialManageDomains bool `json:"com.cloudbees.plugins.credentials.CredentialsProvider.ManageDomains"`
- SlaveCreate bool `json:"hudson.model.Computer.Create"`
- SlaveConfigure bool `json:"hudson.model.Computer.Configure"`
- SlaveDelete bool `json:"hudson.model.Computer.Delete"`
- SlaveBuild bool `json:"hudson.model.Computer.Build"`
- SlaveConnect bool `json:"hudson.model.Computer.Connect"`
- SlaveDisconnect bool `json:"hudson.model.Computer.Disconnect"`
- ItemBuild bool `json:"hudson.model.Item.Build"`
- ItemCreate bool `json:"hudson.model.Item.Create"`
- ItemRead bool `json:"hudson.model.Item.Read"`
- ItemConfigure bool `json:"hudson.model.Item.Configure"`
- ItemCancel bool `json:"hudson.model.Item.Cancel"`
- ItemMove bool `json:"hudson.model.Item.Move"`
- ItemDiscover bool `json:"hudson.model.Item.Discover"`
- ItemWorkspace bool `json:"hudson.model.Item.Workspace"`
- ItemDelete bool `json:"hudson.model.Item.Delete"`
- RunUpdate bool `json:"hudson.model.Run.Update"`
- RunDelete bool `json:"hudson.model.Run.Delete"`
- ViewCreate bool `json:"hudson.model.View.Create"`
- ViewConfigure bool `json:"hudson.model.View.Configure"`
- ViewRead bool `json:"hudson.model.View.Read"`
- ViewDelete bool `json:"hudson.model.View.Delete"`
- SCMTag bool `json:"hudson.scm.SCM.Tag"`
-}
-
 type ProjectRole struct {
 Jenkins *Jenkins
 Raw ProjectRoleResponse
 }
 type ProjectRoleResponse struct {
- RoleName string `json:"roleName"`
- PermissionIds ProjectPermissionIds `json:"permissionIds"`
- Pattern string `json:"pattern"`
-}
-
-type ProjectPermissionIds struct {
- CredentialCreate bool `json:"com.cloudbees.plugins.credentials.CredentialsProvider.Create"`
- CredentialUpdate bool `json:"com.cloudbees.plugins.credentials.CredentialsProvider.Update"`
- CredentialView bool `json:"com.cloudbees.plugins.credentials.CredentialsProvider.View"`
- CredentialDelete bool `json:"com.cloudbees.plugins.credentials.CredentialsProvider.Delete"`
- CredentialManageDomains bool `json:"com.cloudbees.plugins.credentials.CredentialsProvider.ManageDomains"`
- ItemBuild bool `json:"hudson.model.Item.Build"`
- ItemCreate bool `json:"hudson.model.Item.Create"`
- ItemRead bool `json:"hudson.model.Item.Read"`
- ItemConfigure bool `json:"hudson.model.Item.Configure"`
- ItemCancel bool `json:"hudson.model.Item.Cancel"`
- ItemMove bool `json:"hudson.model.Item.Move"`
- ItemDiscover bool `json:"hudson.model.Item.Discover"`
- ItemWorkspace bool `json:"hudson.model.Item.Workspace"`
- ItemDelete bool `json:"hudson.model.Item.Delete"`
- RunUpdate bool `json:"hudson.model.Run.Update"`
- RunDelete bool `json:"hudson.model.Run.Delete"`
- RunReplay bool `json:"hudson.model.Run.Replay"`
- SCMTag bool `json:"hudson.scm.SCM.Tag"`
+ RoleName string `json:"roleName"`
+ PermissionIds devops.ProjectPermissionIds `json:"permissionIds"`
+ Pattern string `json:"pattern"`
 }
-func (j *GlobalRole) Update(ids GlobalPermissionIds) error {
+func (j *GlobalRole) Update(ids devops.GlobalPermissionIds) error {
 var idArray []string
 values := reflect.ValueOf(ids)
 for i := 0; i < values.NumField(); i++ {
@@ -108,6 +56,7 @@ func (j *GlobalRole) Update(ids GlobalPermissionIds) error {
 return nil
 }
+// call jenkins api to update global role
 func (j *GlobalRole) AssignRole(sid string) error {
 param := map[string]string{
 "type": GLOBAL_ROLE,
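Review bot: The comment added above `GlobalRole.AssignRole`, `// call jenkins api to update global role`, describes `Update` rather than the method it sits on; the visible body starts building a request with `"type": GLOBAL_ROLE` and takes a `sid`, and the rest continues outside the hunk, so `// AssignRole grants this global role to the principal identified by sid.` is what the code supports. If the endpoint is the same assignRole call that `Jenkins.AssignGlobalRole` now makes in jenkins.go, the two are duplicates and a comment should say which one callers are meant to use.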
@@ -142,7 +91,9 @@ func (j *GlobalRole) UnAssignRole(sid string) error {
 return nil
 }
-func (j *ProjectRole) Update(pattern string, ids ProjectPermissionIds) error {
+// update ProjectPermissionIds to Project
+// pattern string means some project, like project-name/*
+func (j *ProjectRole) Update(pattern string, ids devops.ProjectPermissionIds) error {
 var idArray []string
 values := reflect.ValueOf(ids)
 for i := 0; i < values.NumField(); i++ {
diff --git a/pkg/simple/client/devops/role.go b/pkg/simple/client/devops/role.go
new file mode 100644
index 00000000..abef9e2e
--- /dev/null
+++ b/pkg/simple/client/devops/role.go
@@ -0,0 +1,89 @@
+/*
+Copyright 2020 The KubeSphere Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package devops
+
+// define the id of global permission items
+type GlobalPermissionIds struct {
+ Administer bool `json:"hudson.model.Hudson.Administer"`
+ GlobalRead bool `json:"hudson.model.Hudson.Read"`
+ CredentialCreate bool `json:"com.cloudbees.plugins.credentials.CredentialsProvider.Create"`
+ CredentialUpdate bool `json:"com.cloudbees.plugins.credentials.CredentialsProvider.Update"`
+ CredentialView bool `json:"com.cloudbees.plugins.credentials.CredentialsProvider.View"`
+ CredentialDelete bool `json:"com.cloudbees.plugins.credentials.CredentialsProvider.Delete"`
+ CredentialManageDomains bool `json:"com.cloudbees.plugins.credentials.CredentialsProvider.ManageDomains"`
+ SlaveCreate bool `json:"hudson.model.Computer.Create"`
+ SlaveConfigure bool `json:"hudson.model.Computer.Configure"`
+ SlaveDelete bool `json:"hudson.model.Computer.Delete"`
+ SlaveBuild bool `json:"hudson.model.Computer.Build"`
+ SlaveConnect bool `json:"hudson.model.Computer.Connect"`
+ SlaveDisconnect bool `json:"hudson.model.Computer.Disconnect"`
+ ItemBuild bool `json:"hudson.model.Item.Build"`
+ ItemCreate bool `json:"hudson.model.Item.Create"`
+ ItemRead bool `json:"hudson.model.Item.Read"`
+ ItemConfigure bool `json:"hudson.model.Item.Configure"`
+ ItemCancel bool `json:"hudson.model.Item.Cancel"`
+ ItemMove bool `json:"hudson.model.Item.Move"`
+ ItemDiscover bool `json:"hudson.model.Item.Discover"`
+ ItemWorkspace bool `json:"hudson.model.Item.Workspace"`
+ ItemDelete bool `json:"hudson.model.Item.Delete"`
+ RunUpdate bool `json:"hudson.model.Run.Update"`
+ RunDelete bool `json:"hudson.model.Run.Delete"`
+ ViewCreate bool `json:"hudson.model.View.Create"`
+ ViewConfigure bool `json:"hudson.model.View.Configure"`
+ ViewRead bool `json:"hudson.model.View.Read"`
+ ViewDelete bool `json:"hudson.model.View.Delete"`
+ SCMTag bool `json:"hudson.scm.SCM.Tag"`
+}
+
+// define the id of project permission items
+type ProjectPermissionIds struct {
+ CredentialCreate bool `json:"com.cloudbees.plugins.credentials.CredentialsProvider.Create"`
+ CredentialUpdate bool `json:"com.cloudbees.plugins.credentials.CredentialsProvider.Update"`
+ CredentialView bool `json:"com.cloudbees.plugins.credentials.CredentialsProvider.View"`
+ CredentialDelete bool `json:"com.cloudbees.plugins.credentials.CredentialsProvider.Delete"`
+ CredentialManageDomains bool `json:"com.cloudbees.plugins.credentials.CredentialsProvider.ManageDomains"`
+ ItemBuild bool `json:"hudson.model.Item.Build"`
+ ItemCreate bool `json:"hudson.model.Item.Create"`
+ ItemRead bool `json:"hudson.model.Item.Read"`
+ ItemConfigure bool `json:"hudson.model.Item.Configure"`
+ ItemCancel bool `json:"hudson.model.Item.Cancel"`
+ ItemMove bool `json:"hudson.model.Item.Move"`
+ ItemDiscover bool `json:"hudson.model.Item.Discover"`
+ ItemWorkspace bool `json:"hudson.model.Item.Workspace"`
+ ItemDelete bool `json:"hudson.model.Item.Delete"`
+ RunUpdate bool `json:"hudson.model.Run.Update"`
+ RunDelete bool `json:"hudson.model.Run.Delete"`
+ RunReplay bool `json:"hudson.model.Run.Replay"`
+ SCMTag bool `json:"hudson.scm.SCM.Tag"`
+}
+
+// describe the interface of DevOps to operator role
+type RoleOperator interface {
+ AddGlobalRole(roleName string, ids GlobalPermissionIds, overwrite bool) error
+ GetGlobalRole(roleName string) (string, error)
+
+ AddProjectRole(roleName string, pattern string, ids ProjectPermissionIds, overwrite bool) error
+ DeleteProjectRoles(roleName ...string) error
+
+ AssignProjectRole(roleName string, sid string) error
+ UnAssignProjectRole(roleName string, sid string) error
+
+ AssignGlobalRole(roleName string, sid string) error
+ UnAssignGlobalRole(roleName string, sid string) error
+
+ DeleteUserInProject(sid string) error
+}
-- 
GitLab
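Review bot: `RoleOperator` is the contract every DevOps backend now has to satisfy, yet none of its methods state their semantics: the Jenkins implementation in this commit returns `("", nil)` from `GetGlobalRole` for a role that does not exist, `overwrite` on `AddGlobalRole`/`AddProjectRole` is unexplained, `sid` is never defined, and `pattern` on `AddProjectRole` is a regular expression over item names (as `GetProjectRolePattern` in common.go shows), none of which an implementer of the fake or a second backend can learn from the signatures. Go doc comments should also start with the identifier: `// GlobalPermissionIds holds the permission ids of the Jenkins role-strategy plugin for global roles; the json tags are the plugin's permission names.`, `// ProjectPermissionIds holds the permission ids for project (item) roles.`, `// RoleOperator manages roles and role assignments in the DevOps backend.`, and on the lookup `// GetGlobalRole returns roleName if the global role exists, or "" with a nil error if it does not.`. A one-line comment on `pattern` saying it is a regex and that callers are expected to escape the project id would keep the two sides of the interface in agreement.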