Merge pull request #8824 from deads2k/scoped-acting-as

Merged by openshift-bot

Author: OpenShift Bot

pkg/auth/api/types.go

@@ -13,6 +13,9 @@ const (
 	// This is useful when the immutable providerUserName is different than the login used to authenticate
 	// If present, this extra value is used as the preferred username
 	IdentityPreferredUsernameKey = "preferred_username"
+
+	ImpersonateUserHeader      = "Impersonate-User"
+	ImpersonateUserScopeHeader = "Impersonate-User-Scope"
 )
 
 // UserIdentityInfo contains information about an identity.  Identities are distinct from users.  An authentication server of

pkg/cmd/server/origin/handlers.go

@@ -22,6 +22,7 @@ import (
 	"k8s.io/kubernetes/pkg/serviceaccount"
 	"k8s.io/kubernetes/pkg/util/sets"
 
+	authenticationapi "github.com/openshift/origin/pkg/auth/api"
 	authorizationapi "github.com/openshift/origin/pkg/authorization/api"
 	"github.com/openshift/origin/pkg/authorization/authorizer"
 	configapi "github.com/openshift/origin/pkg/cmd/server/api"
@@ -301,7 +302,7 @@ func assetServerRedirect(handler http.Handler, assetPublicURL string) http.Handl
 
 func (c *MasterConfig) impersonationFilter(handler http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
-		requestedSubject := req.Header.Get("Impersonate-User")
+		requestedSubject := req.Header.Get(authenticationapi.ImpersonateUserHeader)
 		if len(requestedSubject) == 0 {
 			handler.ServeHTTP(w, req)
 			return
@@ -337,18 +338,25 @@ func (c *MasterConfig) impersonationFilter(handler http.Handler) http.Handler {
 			return
 		}
 
+		var extra map[string][]string
+		if requestScopes, ok := req.Header[authenticationapi.ImpersonateUserScopeHeader]; ok {
+			extra = map[string][]string{authorizationapi.ScopesKey: requestScopes}
+		}
+
 		switch resource {
 		case kapi.Resource(authorizationapi.ServiceAccountResource):
 			newUser := &user.DefaultInfo{
 				Name:   serviceaccount.MakeUsername(namespace, name),
 				Groups: serviceaccount.MakeGroupNames(namespace, name),
+				Extra:  extra,
 			}
 			newUser.Groups = append(newUser.Groups, bootstrappolicy.AuthenticatedGroup)
 			c.RequestContextMapper.Update(req, kapi.WithUser(ctx, newUser))
 
 		case userapi.Resource(authorizationapi.UserResource):
 			newUser := &user.DefaultInfo{
-				Name: name,
+				Name:  name,
+				Extra: extra,
 			}
 			groups, err := c.GroupCache.GroupsFor(name)
 			if err == nil {
@@ -362,7 +370,8 @@ func (c *MasterConfig) impersonationFilter(handler http.Handler) http.Handler {
 
 		case userapi.Resource(authorizationapi.SystemUserResource):
 			newUser := &user.DefaultInfo{
-				Name: name,
+				Name:  name,
+				Extra: extra,
 			}
 
 			if name == bootstrappolicy.UnauthenticatedUsername {

pkg/cmd/server/origin/handlers_test.go

@@ -15,6 +15,7 @@ import (
 	"k8s.io/kubernetes/pkg/util/sets"
 	"k8s.io/kubernetes/pkg/watch"
 
+	authenticationapi "github.com/openshift/origin/pkg/auth/api"
 	"github.com/openshift/origin/pkg/authorization/authorizer"
 	configapi "github.com/openshift/origin/pkg/cmd/server/api"
 	userapi "github.com/openshift/origin/pkg/user/api"
@@ -222,7 +223,7 @@ func TestImpersonationFilter(t *testing.T) {
 			t.Errorf("%s: unexpected error: %v", tc.name, err)
 			continue
 		}
-		req.Header.Add("Impersonate-User", tc.impersonationString)
+		req.Header.Add(authenticationapi.ImpersonateUserHeader, tc.impersonationString)
 		resp, err := http.DefaultClient.Do(req)
 		if err != nil {
 			t.Errorf("%s: unexpected error: %v", tc.name, err)

test/integration/scopes_test.go

@@ -9,10 +9,13 @@ import (
 	kapierrors "k8s.io/kubernetes/pkg/api/errors"
 	"k8s.io/kubernetes/pkg/serviceaccount"
 
+	authenticationapi "github.com/openshift/origin/pkg/auth/api"
 	"github.com/openshift/origin/pkg/authorization/authorizer/scope"
+	buildapi "github.com/openshift/origin/pkg/build/api"
 	"github.com/openshift/origin/pkg/client"
 	"github.com/openshift/origin/pkg/cmd/util/clientcmd"
 	oauthapi "github.com/openshift/origin/pkg/oauth/api"
+	userapi "github.com/openshift/origin/pkg/user/api"
 	testutil "github.com/openshift/origin/test/util"
 	testserver "github.com/openshift/origin/test/util/server"
 )
@@ -92,3 +95,47 @@ func TestScopedTokens(t *testing.T) {
 		t.Fatalf("missing error: %v got user %#v", err, impersonatedUser)
 	}
 }
+
+func TestScopedImpersonation(t *testing.T) {
+	testutil.RequireEtcd(t)
+	_, clusterAdminKubeConfig, err := testserver.StartTestMasterAPI()
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	projectName := "hammer-project"
+	userName := "harold"
+	if _, err := testserver.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, projectName, userName); err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	err = clusterAdminClient.Get().
+		SetHeader(authenticationapi.ImpersonateUserHeader, "harold").
+		SetHeader(authenticationapi.ImpersonateUserScopeHeader, "user:info").
+		Namespace(projectName).Resource("builds").Name("name").Do().Into(&buildapi.Build{})
+	if !kapierrors.IsForbidden(err) {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	user := &userapi.User{}
+	err = clusterAdminClient.Get().
+		SetHeader(authenticationapi.ImpersonateUserHeader, "harold").
+		SetHeader(authenticationapi.ImpersonateUserScopeHeader, "user:info").
+		Resource("users").Name("~").Do().Into(user)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if user.Name != "harold" {
+		t.Fatalf("expected %v, got %v", "harold", user.Name)
+	}
+}