From be9b9469bf10faeabb9ba60a8591aad2b5f73f41 Mon Sep 17 00:00:00 2001
From: Leo Ryu
Date: Tue, 28 Dec 2021 11:44:36 +0800
Subject: [PATCH] fix(busniss): admin checker for ldap case (#1731)
---
 pkg/auth/util/user.go | 17 ++++++++++++++++-
 pkg/business/registry/util/auth.go | 2 +-
 2 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/pkg/auth/util/user.go b/pkg/auth/util/user.go
index 6b07779e0..1da773363 100644
--- a/pkg/auth/util/user.go
+++ b/pkg/auth/util/user.go
@@ -32,9 +32,11 @@ import (
 
 "github.com/casbin/casbin/v2"
 apierrors "k8s.io/apimachinery/pkg/api/errors"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/fields"
 "k8s.io/apimachinery/pkg/util/errors"
+ authversionedclient "tkestack.io/tke/api/client/clientset/versioned/typed/auth/v1"
 )
 
 const (
@@ -245,10 +247,23 @@ func SetAdministrator(enforcer *casbin.SyncedEnforcer, localIdentity *auth.Local
 }
 }
 
-func IsPlatformAdministrator(user authv1.User) bool {
+func IsPlatformAdministrator(authClient authversionedclient.AuthV1Interface, user authv1.User) bool {
 if user.Spec.Extra != nil && user.Spec.Extra[administratorKey] == "true" {
 return true
 }
+ if authClient != nil {
+ idp, err := authClient.IdentityProviders().Get(context.TODO(), user.Spec.TenantID, metav1.GetOptions{})
+ if err != nil {
+ log.Errorf("get IdentityProviders failed: %v", err)
+ return false
+ }
+ administrators := idp.Spec.Administrators
+ for _, admin := range administrators {
+ if admin == user.Spec.Name {
+ return true
+ }
+ }
+ }
 return false
 }
 
diff --git a/pkg/business/registry/util/auth.go b/pkg/business/registry/util/auth.go
index d58f4d4ed..488f2d630 100644
--- a/pkg/business/registry/util/auth.go
+++ b/pkg/business/registry/util/auth.go
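Review bot: The added `metav1` import in pkg/auth/util/user.go names the same package, `k8s.io/apimachinery/pkg/apis/meta/v1`, that the following line already imports as `v1`, so the file now carries two aliases for one package. It compiles, but duplicate imports are flagged by linters such as staticcheck (ST1019) and make it unclear which alias new code should use. Either call `v1.GetOptions{}` through the existing alias, or rename the existing import to `metav1` and update its uses, which lie outside this hunk.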
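Review bot: The IdentityProviders lookup added to IsPlatformAdministrator runs under `context.TODO()`, so an authorization decision has no deadline or cancellation, even though the caller FilterWithUser in pkg/business/registry/util/auth.go already holds a `ctx`. Since the signature changes in this commit anyway, take `ctx context.Context` as the first parameter and pass it to `Get`; the call site becomes `authutil.IsPlatformAdministrator(ctx, authClient, user)`. The lookup is also attempted when `user.Spec.TenantID` is empty, and the error log names neither tenant nor user, which makes a denied LDAP administrator hard to trace; returning false on error (fail closed) is the right default and should stay. A nil `authClient` silently skips the IdP check, which deserves a doc comment on this exported function.

```go
func IsPlatformAdministrator(ctx context.Context, authClient authversionedclient.AuthV1Interface, user authv1.User) bool {
	// … unchanged: Spec.Extra[administratorKey] fast path …
	if authClient == nil || user.Spec.TenantID == "" {
		return false
	}
	idp, err := authClient.IdentityProviders().Get(ctx, user.Spec.TenantID, metav1.GetOptions{})
	if err != nil {
		// Fail closed, but record which tenant and user the denial applies to.
		log.Errorf("get IdentityProvider %q for user %q failed: %v", user.Spec.TenantID, user.Spec.Name, err)
		return false
	}
	// … unchanged: loop over idp.Spec.Administrators, final return false …
```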
@@ -70,7 +70,7 @@ func FilterWithUser(ctx context.Context,
 if user.Spec.Name == userName {
 log.Info("user", log.Any("user", user))
 userID = user.Name
- if authutil.IsPlatformAdministrator(user) {
+ if authutil.IsPlatformAdministrator(authClient, user) {
 isAdmin = true
 }
 break