Implement support for verbs in PermissionClaims

Signed-off-by: Marko Mudrinić <[email protected]>
On-behalf-of: @SAP [email protected]

Author: xmudrii

cli/pkg/workspace/plugin/use.go

@@ -30,6 +30,7 @@ import (
 
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/cli-runtime/pkg/genericclioptions"
 	"k8s.io/client-go/tools/clientcmd"
 	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
@@ -442,20 +443,27 @@ func getAPIBindings(ctx context.Context, kcpClusterClient kcpclientset.ClusterIn
 func findUnresolvedPermissionClaims(out io.Writer, apiBindings []apisv1alpha2.APIBinding) error {
 	for _, binding := range apiBindings {
 		for _, exportedClaim := range binding.Status.ExportPermissionClaims {
-			var found, ack bool
+			var found, ack, verbsMatch bool
+			var verbsExpected, verbsActual sets.Set[string]
 			for _, specClaim := range binding.Spec.PermissionClaims {
 				if !exportedClaim.Equal(specClaim.PermissionClaim) {
 					continue
 				}
 				found = true
 				ack = (specClaim.State == apisv1alpha2.ClaimAccepted) || specClaim.State == apisv1alpha2.ClaimRejected
+				verbsExpected = sets.New(exportedClaim.Verbs...)
+				verbsActual = sets.New(specClaim.Verbs...)
+				verbsMatch = verbsActual.Difference(verbsExpected).Len() == 0 && verbsExpected.Difference(verbsActual).Len() == 0
 			}
 			if !found {
 				fmt.Fprintf(out, "Warning: claim for %s exported but not specified on APIBinding %s\nAdd this claim to the APIBinding's Spec.\n", exportedClaim.String(), binding.Name)
 			}
 			if !ack {
 				fmt.Fprintf(out, "Warning: claim for %s specified on APIBinding %s but not accepted or rejected.\n", exportedClaim.String(), binding.Name)
 			}
+			if !verbsMatch {
+				fmt.Fprintf(out, "Warning: allowed verbs (%s) on claim for %s on APIBinding %s do not match expected verbs (%s).\n", strings.Join(verbsActual.UnsortedList(), ","), exportedClaim.String(), binding.Name, strings.Join(verbsExpected.UnsortedList(), ","))
+			}
 		}
 	}
 	return nil

config/crds/apis.kcp.io_apibindings.yaml

@@ -535,9 +535,20 @@ spec:
                       - Accepted
                       - Rejected
                       type: string
+                    verbs:
+                      description: |-
+                        verbs is a list of supported API operation types (this includes
+                        but is not limited to get, list, watch, create, update, patch,
+                        delete, deletecollection, and proxy).
+                      items:
+                        type: string
+                      minItems: 1
+                      type: array
+                      x-kubernetes-list-type: set
                   required:
                   - resource
                   - state
+                  - verbs
                   type: object
                   x-kubernetes-validations:
                   - message: either "all" or "resourceSelector" must be set
@@ -641,8 +652,19 @@ spec:
                         - message: at least one field must be set
                           rule: has(self.__namespace__) || has(self.name)
                       type: array
+                    verbs:
+                      description: |-
+                        verbs is a list of supported API operation types (this includes
+                        but is not limited to get, list, watch, create, update, patch,
+                        delete, deletecollection, and proxy).
+                      items:
+                        type: string
+                      minItems: 1
+                      type: array
+                      x-kubernetes-list-type: set
                   required:
                   - resource
+                  - verbs
                   type: object
                   x-kubernetes-validations:
                   - message: either "all" or "resourceSelector" must be set
@@ -821,8 +843,19 @@ spec:
                         - message: at least one field must be set
                           rule: has(self.__namespace__) || has(self.name)
                       type: array
+                    verbs:
+                      description: |-
+                        verbs is a list of supported API operation types (this includes
+                        but is not limited to get, list, watch, create, update, patch,
+                        delete, deletecollection, and proxy).
+                      items:
+                        type: string
+                      minItems: 1
+                      type: array
+                      x-kubernetes-list-type: set
                   required:
                   - resource
+                  - verbs
                   type: object
                   x-kubernetes-validations:
                   - message: either "all" or "resourceSelector" must be set

config/crds/apis.kcp.io_apiexports.yaml

@@ -443,8 +443,19 @@ spec:
                         - message: at least one field must be set
                           rule: has(self.__namespace__) || has(self.name)
                       type: array
+                    verbs:
+                      description: |-
+                        verbs is a list of supported API operation types (this includes
+                        but is not limited to get, list, watch, create, update, patch,
+                        delete, deletecollection, and proxy).
+                      items:
+                        type: string
+                      minItems: 1
+                      type: array
+                      x-kubernetes-list-type: set
                   required:
                   - resource
+                  - verbs
                   type: object
                   x-kubernetes-validations:
                   - message: either "all" or "resourceSelector" must be set

pkg/openapi/zz_generated.openapi.go

@@ -22,7 +22,9 @@ import (
 	"slices"
 	"strings"
 
+	kerrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apiserver/pkg/authorization/authorizer"
 	genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
 
@@ -35,18 +37,25 @@ import (
 )
 
 type boundAPIAuthorizer struct {
+	getAPIExport          func(clusterName, apiExportName string) (*apisv1alpha2.APIExport, error)
 	getAPIBindingByExport func(clusterName, apiExportName, apiExportCluster string) (*apisv1alpha2.APIBinding, error)
 
 	delegate authorizer.Authorizer
 }
 
+const wildcardVerb = "*"
+
 var readOnlyVerbs = []string{"get", "list", "watch"}
 
-func NewBoundAPIAuthorizer(delegate authorizer.Authorizer, apiBindingInformer apisv1alpha2informers.APIBindingClusterInformer, kubeClusterClient kcpkubernetesclientset.ClusterInterface) authorizer.Authorizer {
+func NewBoundAPIAuthorizer(delegate authorizer.Authorizer, apiBindingInformer apisv1alpha2informers.APIBindingClusterInformer, apiExportInformer apisv1alpha2informers.APIExportClusterInformer, kubeClusterClient kcpkubernetesclientset.ClusterInterface) authorizer.Authorizer {
+	apiExportLister := apiExportInformer.Lister()
 	apiBindingLister := apiBindingInformer.Lister()
 
 	return &boundAPIAuthorizer{
 		delegate: delegate,
+		getAPIExport: func(clusterName, apiExportName string) (*apisv1alpha2.APIExport, error) {
+			return apiExportLister.Cluster(logicalcluster.Name(clusterName)).Get(apiExportName)
+		},
 		getAPIBindingByExport: func(clusterName, apiExportName, apiExportCluster string) (*apisv1alpha2.APIBinding, error) {
 			bindings, err := apiBindingLister.Cluster(logicalcluster.Name(clusterName)).List(labels.Everything())
 			if err != nil {
@@ -87,6 +96,14 @@ func (a *boundAPIAuthorizer) Authorize(ctx context.Context, attr authorizer.Attr
 	}
 	apiExportCluster, apiExportName := parts[0], parts[1]
 
+	apiExport, err := a.getAPIExport(apiExportCluster, apiExportName)
+	if kerrors.IsNotFound(err) {
+		return authorizer.DecisionNoOpinion, "", fmt.Errorf("API export not found: %w", err)
+	}
+	if err != nil {
+		return authorizer.DecisionNoOpinion, "", err
+	}
+
 	apiBinding, err := a.getAPIBindingByExport(targetCluster.Name.String(), apiExportName, apiExportCluster)
 	if err != nil {
 		return authorizer.DecisionDeny, "could not find suitable APIBinding in target logical cluster", nil //nolint:nilerr // this is on purpose, we want to deny, not return a server error
@@ -99,14 +116,32 @@ func (a *boundAPIAuthorizer) Authorize(ctx context.Context, attr authorizer.Attr
 		}
 	}
 
-	// check if a resource claim for this resource has been accepted.
+	// check if a resource claim for this resource has been accepted and has correct verbs.
 	for _, permissionClaim := range apiBinding.Spec.PermissionClaims {
 		if permissionClaim.State != apisv1alpha2.ClaimAccepted {
 			// if the claim is not accepted it cannot be used.
 			continue
 		}
 
 		if permissionClaim.Group == attr.GetAPIGroup() && permissionClaim.Resource == attr.GetResource() {
+			apiBindingVerbs := sets.New(permissionClaim.Verbs...)
+			apiExportVerbs := sets.New[string]()
+
+			for _, exportPermpermissionClaim := range apiExport.Spec.PermissionClaims {
+				if exportPermpermissionClaim.Equal(permissionClaim.PermissionClaim) {
+					apiExportVerbs.Insert(exportPermpermissionClaim.Verbs...)
+
+					break
+				}
+			}
+
+			allowedVerbs := apiBindingVerbs.Intersection(apiExportVerbs)
+
+			if !allowedVerbs.HasAny(attr.GetVerb(), wildcardVerb) {
+				// if the requested verb is not found, the claim cannot be used.
+				continue
+			}
+
 			return a.delegate.Authorize(ctx, attr)
 		}
 	}