From 028f2e4e8dc90b4cbc3e7486c089f6ac07912f36 Mon Sep 17 00:00:00 2001
From: Timofei Larkin
Date: Mon, 16 Jun 2025 19:19:57 +0300
Subject: [PATCH] Add helper function to generate subjects

Signed-off-by: Timofei Larkin
---
 packages/apps/tenant/charts/cozy-lib | 1 +
 packages/library/cozy-lib/templates/_rbac.tpl | 86 +++++++++++++++++++
 2 files changed, 87 insertions(+)
 create mode 120000 packages/apps/tenant/charts/cozy-lib
 create mode 100644 packages/library/cozy-lib/templates/_rbac.tpl

diff --git a/packages/apps/tenant/charts/cozy-lib b/packages/apps/tenant/charts/cozy-lib
new file mode 120000
index 00000000..e1813509
--- /dev/null
+++ b/packages/apps/tenant/charts/cozy-lib
@@ -0,0 +1 @@
+../../../library/cozy-lib
\ No newline at end of file
diff --git a/packages/library/cozy-lib/templates/_rbac.tpl b/packages/library/cozy-lib/templates/_rbac.tpl
new file mode 100644
index 00000000..b1e3e7fd
--- /dev/null
+++ b/packages/library/cozy-lib/templates/_rbac.tpl
@@ -0,0 +1,86 @@
+{{- define "cozy-lib.rbac.accessLevelMap" }}
+view: 0
+use: 1
+admin: 2
+super-admin: 3
+{{- end }}
+
+{{- define "cozy-lib.rbac.accessLevelToInt" }}
+{{- $accessMap := include "cozy-lib.rbac.accessLevelMap" "" | fromYaml }}
+{{- $accessLevel := dig . -1 $accessMap | int }}
+{{- if eq $accessLevel -1 }}
+{{- printf "encountered access level of %s, allowed values are %s" . ($accessMap | keys) | fail }}
+{{- end }}
+{{- $accessLevel }}
+{{- end }}
+
+{{- define "cozy-lib.rbac.accessLevelsAtOrAbove" }}
+{{- $minLevelInt := include "cozy-lib.rbac.accessLevelToInt" . | int }}
+{{- range $k, $v := (include "cozy-lib.rbac.accessLevelMap" "" | fromYaml) }}
+{{- if ge (int $v) $minLevelInt }}
+- {{ $k }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "cozy-lib.rbac.allParentTenantsAndThis" }}
+{{- if not (hasPrefix "tenant-" .) }}
+{{- printf "'%s' is not a valid tenant identifier" . | fail }}
+{{- end }}
+{{- $parts := append (splitList "-" .) "" }}
+{{- $tenants := list }}
+{{- range untilStep 2 (len $parts) 1 }}
+{{- $tenants = append $tenants (slice $parts 0 . | join "-") }}
+{{- end }}
+{{- range $tenants }}
+- {{ . }}
+{{- end }}
+{{- end }}
+
+{{- define "cozy-lib.rbac.groupSubject" -}}
+- kind: Group
+ name: {{ . }}
+ apiGroup: rbac.authorization.k8s.io
+{{- end }}
+
+{{- /*
+ A helper function to get a list of groups that should have access, given a
+ minimal access level and the tenant.
Invoked as:
+ {{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "use" $) }}
+ For an example input of (list "use" $) and a .Release.Namespace of
+ tenant-abc-def it will return:
+ ---
+ - kind: Group
+ name: tenant-abc-admin
+ apiGroup: rbac.authorization.k8s.io
+ - kind: Group
+ name: tenant-abc-def-admin
+ apiGroup: rbac.authorization.k8s.io
+ - kind: Group
+ name: tenant-abc-super-admin
+ apiGroup: rbac.authorization.k8s.io
+ - kind: Group
+ name: tenant-abc-def-super-admin
+ apiGroup: rbac.authorization.k8s.io
+ - kind: Group
+ name: tenant-abc-use
+ apiGroup: rbac.authorization.k8s.io
+ - kind: Group
+ name: tenant-abc-def-use
+ apiGroup: rbac.authorization.k8s.io
+
+ in other words, all roles including use and higher and for tenant-abc-def, as
+ well as all parent, grandparent, etc. tenants.
+*/}}
+{{- define "cozy-lib.rbac.subjectsForTenantAndAccessLevel" }}
+{{- include "cozy-lib.checkInput" . }}
+{{- $level := index . 0 }}
+{{- $global := index . 1 }}
+{{- $levels := include "cozy-lib.rbac.accessLevelsAtOrAbove" $level | fromYamlArray }}
+{{- $tenants := include "cozy-lib.rbac.allParentTenantsAndThis" $global.Release.Namespace | fromYamlArray }}
+{{- range $l := $levels }}
+{{- range $t := $tenants }}
+{{- include "cozy-lib.rbac.groupSubject" (printf "%s-%s" $t $l) }}{{ printf "\n" }}
+{{- end }}
+{{- end}}
+{{- end }}
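Review bot: `cozy-lib.rbac.allParentTenantsAndThis` derives the set of groups that receive RBAC bindings from every `-` in .Release.Namespace, yet the only validation before `splitList "-"` is the `hasPrefix "tenant-"` check. A namespace with consecutive hyphens (allowed by DNS-1123 labels) produces an empty segment and binds groups such as `tenant-abc--admin`, and if tenant names may themselves contain `-` (not visible in this patch) a hyphenated tenant is read as a child of an unrelated parent whose admin/super-admin groups then inherit access to it. Consider rejecting empty segments immediately after the prefix check, e.g. `{{- range splitList "-" . }}{{- if not . }}{{- printf "'%s' has an empty tenant name segment" $ | fail }}{{- end }}{{- end }}`, and stating in the helper's comment block that tenant name segments must never contain `-` because the hierarchy is reconstructed from the namespace name alone. `cozy-lib.checkInput` is not part of this patch, so whether it guards any of this cannot be told from here.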