@jfvilas/plugin-kubelog-backend
Backstage backend plugin for Kubelog
;
var KubelogStaticData = require('../model/KubelogStaticData.cjs.js');
/**
 * Numeric scope levels with a reverse (number -> name) mapping, in the shape
 * a compiled TypeScript enum has: KWIRTH_SCOPE.view === 2 and
 * KWIRTH_SCOPE[2] === "view".
 */
var KWIRTH_SCOPE = /* @__PURE__ */ ((scopeEnum) => {
  const scopeNames = ["filter", "view", "restart", "api", "cluster"];
  scopeNames.forEach((scopeName, position) => {
    const scopeValue = position + 1;
    // Forward entry first, then the reverse entry, as in the compiled enum.
    scopeEnum[scopeName] = scopeValue;
    scopeEnum[scopeValue] = scopeName;
  });
  return scopeEnum;
})(KWIRTH_SCOPE || {});
/**
 * Writes a diagnostic message to stdout, but only when the KUBELOGDEBUG
 * environment variable is set to a non-empty value.
 *
 * Messages passed here by the permission checks contain namespace names, so
 * enabling the variable puts that data into the process log.
 *
 * @param {*} a - value handed to console.log unchanged
 */
const debug = (a) => {
  const debugEnabled = Boolean(process.env.KUBELOGDEBUG);
  if (!debugEnabled) {
    return;
  }
  console.log(a);
};
/**
 * Decides whether a user may work with the namespace a pod lives in.
 *
 * The rule for the namespace is looked up in the static Kubelog data of the
 * cluster. When a rule exists, access is granted if the lower-cased user
 * entity ref, or any of the user's group refs, is listed in the rule's
 * identityRefs. When no rule exists the function returns true.
 *
 * NOTE(review): this is a default-allow check. A namespace without a rule,
 * and a cluster name that is absent from clusterKubelogData, both end in
 * `true`. Confirm that every caller wants "no rule" to mean "unrestricted",
 * and that a missing cluster entry cannot be reached with an untrusted name.
 *
 * NOTE(review): only userEntityRef is lower-cased; identityRefs and
 * userGroups are compared as given. Presumably both are normalised to lower
 * case where they are loaded - verify, otherwise the comparison is
 * case-sensitive for groups.
 *
 * @param {{name: string}} cluster - cluster whose static data is consulted
 * @param {{namespace: string}} podData - pod being accessed
 * @param {string} userEntityRef - entity ref of the requesting user
 * @param {string[]} userGroups - group refs the user belongs to
 * @returns {boolean} true when access to the namespace is allowed
 */
const checkNamespaceAccess = (cluster, podData, userEntityRef, userGroups) => {
  const clusterData = KubelogStaticData.KubelogStaticData.clusterKubelogData.get(cluster.name);
  const namespaceRule = clusterData?.namespacePermissions?.find((ns) => ns.namespace === podData.namespace);

  // No rule for this namespace: unrestricted by design (see NOTE above).
  if (!namespaceRule) {
    debug("CNA rule NOT found for " + podData.namespace);
    return true;
  }

  debug("CNA rule found " + namespaceRule.namespace);
  // Direct match on the user first, then fall back to group membership.
  if (namespaceRule.identityRefs.includes(userEntityRef.toLowerCase())) {
    return true;
  }
  return namespaceRule.identityRefs.some((identityRef) => userGroups.includes(identityRef));
};
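/**
 * Tests one pod permission rule against an entity and an identity.
 *
 * The rule matches when at least one regex in `ppr.pods` matches the entity
 * name AND at least one regex in `ppr.refs` matches either the lower-cased
 * user entity ref or one of the user's group refs.
 *
 * Each regex has its `lastIndex` reset before it is tested. A RegExp carrying
 * the `g` or `y` flag keeps its position between `test()` calls, so without
 * the reset the same identity could be accepted on one request and rejected
 * on the next. For regexes without those flags the reset changes nothing.
 *
 * NOTE(review): `test()` succeeds on a partial match, so the patterns are only
 * as strict as their anchoring - confirm where the rule regexes are built.
 * NOTE(review): group refs are matched as given while the user ref is
 * lower-cased - confirm the caller normalises group refs.
 *
 * @param {{pods: RegExp[], refs: RegExp[]}} ppr - rule to evaluate
 * @param {string} entityName - name matched against the pod patterns
 * @param {string} userEntityRef - entity ref of the requesting user
 * @param {string[]} userGroups - group refs the user belongs to
 * @returns {boolean} true when both the pod side and the identity side match
 */
const checkPodPermissionRule = (ppr, entityName, userEntityRef, userGroups) => {
  // Always evaluate from the start of the string, whatever flags the regex has.
  const testFromStart = (regex, value) => {
    regex.lastIndex = 0;
    return regex.test(value);
  };

  for (const podNameRegex of ppr.pods) {
    if (!testFromStart(podNameRegex, entityName)) {
      continue;
    }
    for (const refRegex of ppr.refs) {
      if (testFromStart(refRegex, userEntityRef.toLowerCase())) {
        return true;
      }
      if (userGroups.some((group) => testFromStart(refRegex, group))) {
        return true;
      }
    }
  }
  return false;
};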
/**
 * Picks the pod permission list of a cluster for the requested scope.
 *
 * Only the view (2) and restart (3) scopes have a permission list; every
 * other scope value yields undefined. The comparison is strict, so a scope
 * passed as a string does not match.
 *
 * NOTE(review): callers must handle the undefined result before passing it on
 * to a check that iterates the set.
 *
 * @param {number} reqScope - requested scope value
 * @param {object} cluster - cluster holding viewPermissions / restartPermissions
 * @returns {Array|undefined} the permission list for the scope, if any
 */
const getPodPermissionSet = (reqScope, cluster) => {
  if (reqScope === 2 /* view */) {
    return cluster.viewPermissions;
  }
  if (reqScope === 3 /* restart */) {
    return cluster.restartPermissions;
  }
  return undefined;
};
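/**
 * Decides whether an identity may access a pod under a permission set.
 *
 * Every entry of the set whose namespace equals the pod's namespace is
 * evaluated in order; the first entry that grants access ends the search:
 *
 *   - an entry without an `allow` list grants access to everyone;
 *   - otherwise some `allow` rule must match and no `except` rule may match;
 *   - if the entry has a `deny` list and one of its rules matches, access is
 *     granted only when an `unless` rule also matches.
 *
 * When no entry grants access, including when no entry exists for the
 * namespace, the result is false.
 *
 * Fix: the `allow` list is now satisfied by ANY matching rule, the same way
 * `except`, `deny` and `unless` are evaluated. Previously the loop kept
 * overwriting its result, so only the last `allow` rule counted and identities
 * matched by an earlier rule were refused.
 *
 * NOTE(review): an entry with no `allow` list is allow-all for its namespace;
 * confirm that is the intended meaning of a bare namespace entry.
 *
 * @param {{namespace: string}} reqPod - pod being accessed
 * @param {Array<object>} podPermissionSet - entries with namespace and
 *   optional allow / except / deny / unless rule lists; must be an array
 * @param {string} entityName - name matched against the rules' pod patterns
 * @param {string} userEntityRef - entity ref of the requesting user
 * @param {string[]} userGroups - group refs the user belongs to
 * @returns {boolean} true when access to the pod is allowed
 */
const checkPodAccess = (reqPod, podPermissionSet, entityName, userEntityRef, userGroups) => {
  // True as soon as one rule of the list matches this entity and identity.
  const matchesAny = (rules) => {
    for (const rule of rules) {
      if (checkPodPermissionRule(rule, entityName, userEntityRef, userGroups)) {
        return true;
      }
    }
    return false;
  };

  for (const podPermission of podPermissionSet.filter((pp) => pp.namespace === reqPod.namespace)) {
    if (!podPermission.allow) {
      return true;
    }
    if (!matchesAny(podPermission.allow)) {
      continue;
    }
    if (podPermission.except && matchesAny(podPermission.except)) {
      continue;
    }
    if (!podPermission.deny || !matchesAny(podPermission.deny)) {
      return true;
    }
    // A deny rule matched: only an `unless` rule can restore access.
    if (podPermission.unless && matchesAny(podPermission.unless)) {
      return true;
    }
  }
  return false;
};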
// CommonJS exports of this module. checkPodPermissionRule and debug are not
// exported; pod rules are reachable from outside only through checkPodAccess.
exports.KWIRTH_SCOPE = KWIRTH_SCOPE;
exports.checkNamespaceAccess = checkNamespaceAccess;
exports.checkPodAccess = checkPodAccess;
exports.getPodPermissionSet = getPodPermissionSet;
//# sourceMappingURL=permissions.cjs.js.map