Update resource summaries only if user has permission. (#301)

RokibulHasan7 · tamalsaha · web-flow · commit 643cf115bb1e · 2024-05-31T11:22:32.000+06:00
Signed-off-by: Rokibul Hasan &lt;mdrokibulhasan@appscode.com&gt;
Signed-off-by: Tamal Saha &lt;tamal@appscode.com&gt;
Co-authored-by: Tamal Saha &lt;tamal@appscode.com&gt;
diff --git a/go.mod b/go.mod
@@ -43,7 +43,7 @@ require (
 	k8s.io/kube-openapi v0.0.0-20240430033511-f0e62f92d13f
 	k8s.io/kube-state-metrics/v2 v2.7.0
 	kmodules.xyz/apiversion v0.2.0
-	kmodules.xyz/authorizer v0.29.0
+	kmodules.xyz/authorizer v0.29.1
 	kmodules.xyz/client-go v0.30.0
 	kmodules.xyz/custom-resources v0.29.1
 	kmodules.xyz/go-containerregistry v0.0.12
diff --git a/go.sum b/go.sum
@@ -907,8 +907,8 @@ k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0 h1:jgGTlFYnhF1PM1Ax/lAlxUPE+KfCI
 k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 kmodules.xyz/apiversion v0.2.0 h1:vAQYqZFm4xu4pbB1cAdHbFEPES6EQkcR4wc06xdTOWk=
 kmodules.xyz/apiversion v0.2.0/go.mod h1:oPX8g8LvlPdPX3Yc5YvCzJHQnw3YF/X4/jdW0b1am80=
-kmodules.xyz/authorizer v0.29.0 h1:ND8YGeyzExdZ8Bq5Z6UdFO794I6+oPuXbUMWyjlsYgM=
-kmodules.xyz/authorizer v0.29.0/go.mod h1:UQmE3sNXeliebUqjEeD9QYiY+Na27/C5Bg/ekVRfQ3U=
+kmodules.xyz/authorizer v0.29.1 h1:uByGGoryKbZcfiEAhjcK/Y345I9mygNQP7DVpkMbNQQ=
+kmodules.xyz/authorizer v0.29.1/go.mod h1:kZRhclL8twzyt2bQuJQJbpYww2sc+qFr8I5PPoq/sWY=
 kmodules.xyz/client-go v0.30.0 h1:sEGX5DRXQwJiMxcN2DkDtXz9WsSA6fs9ye86RgbAxeo=
 kmodules.xyz/client-go v0.30.0/go.mod h1:ekDSUC0UFLI0Jq3A62myW7VG8TYLBqCwMjqWJM1SrqU=
 kmodules.xyz/crd-schema-fuzz v0.29.1 h1:zJTlWYOrT5dsVVHW8HGcnR/vaWfxQfNh11QwTtkYpcs=
diff --git a/pkg/registry/core/genericresource/storage.go b/pkg/registry/core/genericresource/storage.go
@@ -149,7 +149,6 @@ func (r *Storage) List(ctx context.Context, options *internalversion.ListOptions
 	if !ok {
 		return nil, apierrors.NewBadRequest("missing namespace")
 	}
-
 	selector := shared.NewGroupKindSelector(options.LabelSelector)
 
 	user, ok := apirequest.UserFrom(ctx)
diff --git a/pkg/registry/core/resourcesummary/storage.go b/pkg/registry/core/resourcesummary/storage.go
@@ -157,6 +157,9 @@ func (r *Storage) List(ctx context.Context, options *internalversion.ListOptions
 		if err := r.kc.List(ctx, &list, client.InNamespace(ns)); err != nil {
 			return nil, err
 		}
+
+		// hasPermission to check if the user has permission to list the resources
+		hasPermission := false
 		for _, item := range list.Items {
 			attrs.Name = item.GetName()
 			attrs.Namespace = item.GetNamespace()
@@ -168,6 +171,7 @@ func (r *Storage) List(ctx context.Context, options *internalversion.ListOptions
 				continue
 			}
 
+			hasPermission = true
 			content := item.UnstructuredContent()
 			{
 				rv, err := resourcemetrics.TotalResourceRequests(content)
@@ -199,7 +203,9 @@ func (r *Storage) List(ctx context.Context, options *internalversion.ListOptions
 			}
 		}
 
-		summary.Spec.Count = len(list.Items)
+		if hasPermission {
+			summary.Spec.Count = len(list.Items)
+		}
 		items = append(items, summary)
 	}
 	sort.Slice(items, func(i, j int) bool {
diff --git a/vendor/kmodules.xyz/authorizer/Makefile b/vendor/kmodules.xyz/authorizer/Makefile
@@ -55,10 +55,10 @@ BIN_PLATFORMS    := $(DOCKER_PLATFORMS)
 OS   := $(if $(GOOS),$(GOOS),$(shell go env GOOS))
 ARCH := $(if $(GOARCH),$(GOARCH),$(shell go env GOARCH))
 
-BASEIMAGE_PROD   ?= gcr.io/distroless/static-debian11
-BASEIMAGE_DBG    ?= debian:bullseye
+BASEIMAGE_PROD   ?= gcr.io/distroless/static-debian12
+BASEIMAGE_DBG    ?= debian:bookworm
 
-GO_VERSION       ?= 1.21
+GO_VERSION       ?= 1.22
 BUILD_IMAGE      ?= ghcr.io/appscode/golang-dev:$(GO_VERSION)
 
 OUTBIN = bin/$(OS)_$(ARCH)/$(BIN)
@@ -225,7 +225,7 @@ test: $(BUILD_DIRS)
 	        ./hack/test.sh $(SRC_PKGS)                          \
 	    "
 
-ADDTL_LINTERS   := goconst,gofmt,goimports,unparam
+ADDTL_LINTERS   := gofmt,goimports,unparam
 
 .PHONY: lint
 lint: $(BUILD_DIRS)
diff --git a/vendor/kmodules.xyz/authorizer/apiserver/authorizer.go b/vendor/kmodules.xyz/authorizer/apiserver/authorizer.go
@@ -75,5 +75,8 @@ func (a APIAuthorizer) Authorize(ctx context.Context, attrs authorizer.Attribute
 	if sar.Status.Denied {
 		return authorizer.DecisionDeny, sar.Status.Reason, nil
 	}
-	return authorizer.DecisionNoOpinion, sar.Status.Reason, errors.New(sar.Status.EvaluationError)
+	if sar.Status.EvaluationError != "" {
+		return authorizer.DecisionNoOpinion, sar.Status.Reason, errors.New(sar.Status.EvaluationError)
+	}
+	return authorizer.DecisionNoOpinion, sar.Status.Reason, nil
 }
diff --git a/vendor/modules.txt b/vendor/modules.txt
@@ -1913,8 +1913,8 @@ k8s.io/utils/trace
 # kmodules.xyz/apiversion v0.2.0
 ## explicit; go 1.14
 kmodules.xyz/apiversion
-# kmodules.xyz/authorizer v0.29.0
-## explicit; go 1.21.5
+# kmodules.xyz/authorizer v0.29.1
+## explicit; go 1.22.0
 kmodules.xyz/authorizer
 kmodules.xyz/authorizer/apiserver
 kmodules.xyz/authorizer/rbac

Original file line number	Diff line number	Diff line change
`@@ -149,7 +149,6 @@ func (r Storage) List(ctx context.Context, options internalversion.ListOptions`
`149`	`149`	`if !ok {`
`150`	`150`	`return nil, apierrors.NewBadRequest("missing namespace")`
`151`	`151`	`}`
`152`		`-`
`153`	`152`	`selector := shared.NewGroupKindSelector(options.LabelSelector)`
`154`	`153`
`155`	`154`	`user, ok := apirequest.UserFrom(ctx)`
Original file line number	Diff line number	Diff line change
`@@ -157,6 +157,9 @@ func (r Storage) List(ctx context.Context, options internalversion.ListOptions`
`157`	`157`	`if err := r.kc.List(ctx, &list, client.InNamespace(ns)); err != nil {`
`158`	`158`	`return nil, err`
`159`	`159`	`}`
	`160`	`+`
	`161`	`+ // hasPermission to check if the user has permission to list the resources`
	`162`	`+ hasPermission := false`
`160`	`163`	`for _, item := range list.Items {`
`161`	`164`	`attrs.Name = item.GetName()`
`162`	`165`	`attrs.Namespace = item.GetNamespace()`
`@@ -168,6 +171,7 @@ func (r Storage) List(ctx context.Context, options internalversion.ListOptions`
`168`	`171`	`continue`
`169`	`172`	`}`
`170`	`173`
	`174`	`+ hasPermission = true`
`171`	`175`	`content := item.UnstructuredContent()`
`172`	`176`	`{`
`173`	`177`	`rv, err := resourcemetrics.TotalResourceRequests(content)`
`@@ -199,7 +203,9 @@ func (r Storage) List(ctx context.Context, options internalversion.ListOptions`
`199`	`203`	`}`
`200`	`204`	`}`
`201`	`205`
`202`		`- summary.Spec.Count = len(list.Items)`
	`206`	`+ if hasPermission {`
	`207`	`+ summary.Spec.Count = len(list.Items)`
	`208`	`+ }`
`203`	`209`	`items = append(items, summary)`
`204`	`210`	`}`
`205`	`211`	`sort.Slice(items, func(i, j int) bool {`
Original file line number	Diff line number	Diff line change
`@@ -75,5 +75,8 @@ func (a APIAuthorizer) Authorize(ctx context.Context, attrs authorizer.Attribute`
`75`	`75`	`if sar.Status.Denied {`
`76`	`76`	`return authorizer.DecisionDeny, sar.Status.Reason, nil`
`77`	`77`	`}`
`78`		`- return authorizer.DecisionNoOpinion, sar.Status.Reason, errors.New(sar.Status.EvaluationError)`
	`78`	`+ if sar.Status.EvaluationError != "" {`
	`79`	`+ return authorizer.DecisionNoOpinion, sar.Status.Reason, errors.New(sar.Status.EvaluationError)`
	`80`	`+ }`
	`81`	`+ return authorizer.DecisionNoOpinion, sar.Status.Reason, nil`
`79`	`82`	`}`