Azure authz uses v1beta1 instead of v1 for SubjectAccessReview (#259)

authz/providers/azure/azure.go

@@ -27,7 +27,7 @@ import (
 	"github.com/Azure/go-autorest/autorest/azure"
 	"github.com/golang/glog"
 	"github.com/pkg/errors"
-	authzv1 "k8s.io/api/authorization/v1"
+	authzv1beta1 "k8s.io/api/authorization/v1beta1"
 )
 
 const (
@@ -75,48 +75,48 @@ func newAuthzClient(opts authzOpts.Options, authopts auth.Options) (authz.Interf
 	return c, nil
 }
 
-func (s Authorizer) Check(request *authzv1.SubjectAccessReviewSpec, store authz.Store) (*authzv1.SubjectAccessReviewStatus, error) {
+func (s Authorizer) Check(request *authzv1beta1.SubjectAccessReviewSpec, store authz.Store) (*authzv1beta1.SubjectAccessReviewStatus, error) {
 	if request == nil {
 		return nil, errors.New("subject access review is nil")
 	}
 
 	// check if user is system accounts
 	if strings.HasPrefix(strings.ToLower(request.User), "system:") {
 		glog.V(3).Infof("returning no op to system accounts")
-		return &authzv1.SubjectAccessReviewStatus{Allowed: false, Reason: rbac.NoOpinionVerdict}, nil
+		return &authzv1beta1.SubjectAccessReviewStatus{Allowed: false, Reason: rbac.NoOpinionVerdict}, nil
 	}
 
 	if s.rbacClient.SkipAuthzCheck(request) {
 		glog.V(3).Infof("user %s is part of skip authz list. returning no op.", request.User)
-		return &authzv1.SubjectAccessReviewStatus{Allowed: false, Reason: rbac.NoOpinionVerdict}, nil
+		return &authzv1beta1.SubjectAccessReviewStatus{Allowed: false, Reason: rbac.NoOpinionVerdict}, nil
 	}
 
 	if _, ok := request.Extra["oid"]; !ok {
 		if s.rbacClient.ShouldSkipAuthzCheckForNonAADUsers() {
 			glog.V(3).Infof("Skip RBAC is set for non AAD users. Returning no opinion for user %s. You may observe this for AAD users for 'can-i' requests.", request.User)
-			return &authzv1.SubjectAccessReviewStatus{Allowed: false, Reason: rbac.NoOpinionVerdict}, nil
+			return &authzv1beta1.SubjectAccessReviewStatus{Allowed: false, Reason: rbac.NoOpinionVerdict}, nil
 		} else {
 			glog.V(3).Infof("Skip RBAC for non AAD user is not set. Returning deny access for non AAD user %s. You may observe this for AAD users for 'can-i' requests.", request.User)
-			return &authzv1.SubjectAccessReviewStatus{Allowed: false, Denied: true, Reason: rbac.NotAllowedForNonAADUsers}, nil
+			return &authzv1beta1.SubjectAccessReviewStatus{Allowed: false, Denied: true, Reason: rbac.NotAllowedForNonAADUsers}, nil
 		}
 	}
 
 	exist, result := s.rbacClient.GetResultFromCache(request, store)
 	if exist {
 		if result {
 			glog.V(3).Infof("cache hit: returning allowed to user %s", request.User)
-			return &authzv1.SubjectAccessReviewStatus{Allowed: result, Reason: rbac.AccessAllowedVerdict}, nil
+			return &authzv1beta1.SubjectAccessReviewStatus{Allowed: result, Reason: rbac.AccessAllowedVerdict}, nil
 		} else {
 			glog.V(3).Infof("cache hit: returning denied to user %s", request.User)
-			return &authzv1.SubjectAccessReviewStatus{Allowed: result, Denied: true, Reason: rbac.AccessNotAllowedVerdict}, nil
+			return &authzv1beta1.SubjectAccessReviewStatus{Allowed: result, Denied: true, Reason: rbac.AccessNotAllowedVerdict}, nil
 		}
 	}
 
 	// if set true, webhook will allow access to discovery APIs for authenticated users. If false, access check will be performed on Azure.
 	if s.rbacClient.AllowNonResPathDiscoveryAccess(request) {
 		glog.V(3).Infof("Allowing user %s access for discovery check.", request.User)
 		_ = s.rbacClient.SetResultInCache(request, true, store)
-		return &authzv1.SubjectAccessReviewStatus{Allowed: true, Reason: rbac.AccessAllowedVerdict}, nil
+		return &authzv1beta1.SubjectAccessReviewStatus{Allowed: true, Reason: rbac.AccessAllowedVerdict}, nil
 	}
 
 	if s.rbacClient.IsTokenExpired() {

authz/providers/azure/azure_test.go

@@ -31,7 +31,7 @@ import (
 	"github.com/appscode/pat"
 
 	"github.com/stretchr/testify/assert"
-	authzv1 "k8s.io/api/authorization/v1"
+	authzv1beta1 "k8s.io/api/authorization/v1beta1"
 )
 
 const (
@@ -131,10 +131,10 @@ func TestCheck(t *testing.T) {
 		defer srv.Close()
 		defer store.Close()
 
-		request := &authzv1.SubjectAccessReviewSpec{
+		request := &authzv1beta1.SubjectAccessReviewSpec{
 			User: "[email protected]",
-			ResourceAttributes: &authzv1.ResourceAttributes{Namespace: "dev", Group: "", Resource: "pods",
-				Subresource: "status", Version: "v1", Name: "test", Verb: "delete"}, Extra: map[string]authzv1.ExtraValue{"oid": {"00000000-0000-0000-0000-000000000000"}}}
+			ResourceAttributes: &authzv1beta1.ResourceAttributes{Namespace: "dev", Group: "", Resource: "pods",
+				Subresource: "status", Version: "v1", Name: "test", Verb: "delete"}, Extra: map[string]authzv1beta1.ExtraValue{"oid": {"00000000-0000-0000-0000-000000000000"}}}
 
 		resp, err := client.Check(request, store)
 		assert.Nilf(t, err, "Should not have got error")

authz/providers/azure/rbac/checkaccessreqhelper.go

@@ -23,7 +23,7 @@ import (
 	"github.com/golang/glog"
 	"github.com/google/uuid"
 	"github.com/pkg/errors"
-	authzv1 "k8s.io/api/authorization/v1"
+	authzv1beta1 "k8s.io/api/authorization/v1beta1"
 )
 
 const (
@@ -123,7 +123,7 @@ type AuthorizationDecision struct {
 	TimeToLiveInMs      int                 `json:"timeToLiveInMs"`
 }
 
-func getScope(resourceId string, attr *authzv1.ResourceAttributes) string {
+func getScope(resourceId string, attr *authzv1beta1.ResourceAttributes) string {
 	if attr != nil && attr.Namespace != "" {
 		return path.Join(resourceId, namespaces, attr.Namespace)
 	}
@@ -189,7 +189,7 @@ func getActionName(verb string) string {
 	}
 }
 
-func getDataAction(subRevReq *authzv1.SubjectAccessReviewSpec, clusterType string) AuthorizationActionInfo {
+func getDataAction(subRevReq *authzv1beta1.SubjectAccessReviewSpec, clusterType string) AuthorizationActionInfo {
 	authInfo := AuthorizationActionInfo{
 		IsDataAction: true}
 
@@ -212,7 +212,7 @@ func defaultDir(s string) string {
 	return "-" // invalid for a namespace
 }
 
-func getResultCacheKey(subRevReq *authzv1.SubjectAccessReviewSpec) string {
+func getResultCacheKey(subRevReq *authzv1beta1.SubjectAccessReviewSpec) string {
 	cacheKey := subRevReq.User
 
 	if subRevReq.ResourceAttributes != nil {
@@ -226,7 +226,7 @@ func getResultCacheKey(subRevReq *authzv1.SubjectAccessReviewSpec) string {
 	return cacheKey
 }
 
-func prepareCheckAccessRequestBody(req *authzv1.SubjectAccessReviewSpec, clusterType, resourceId string, retrieveGroupMemberships bool) (*CheckAccessRequest, error) {
+func prepareCheckAccessRequestBody(req *authzv1beta1.SubjectAccessReviewSpec, clusterType, resourceId string, retrieveGroupMemberships bool) (*CheckAccessRequest, error) {
 	/* This is how sample SubjectAccessReview request will look like
 	{
 		"kind": "SubjectAccessReview",
@@ -303,7 +303,7 @@ func prepareCheckAccessRequestBody(req *authzv1.SubjectAccessReviewSpec, cluster
 	return &checkaccessreq, nil
 }
 
-func getNameSpaceScope(req *authzv1.SubjectAccessReviewSpec) (bool, string) {
+func getNameSpaceScope(req *authzv1beta1.SubjectAccessReviewSpec) (bool, string) {
 	var namespace string = ""
 	if req.ResourceAttributes != nil && req.ResourceAttributes.Namespace != "" {
 		namespace = path.Join(namespaces, req.ResourceAttributes.Namespace)
@@ -312,7 +312,7 @@ func getNameSpaceScope(req *authzv1.SubjectAccessReviewSpec) (bool, string) {
 	return false, namespace
 }
 
-func ConvertCheckAccessResponse(body []byte) (*authzv1.SubjectAccessReviewStatus, error) {
+func ConvertCheckAccessResponse(body []byte) (*authzv1beta1.SubjectAccessReviewStatus, error) {
 	var (
 		response []AuthorizationDecision
 		allowed  bool
@@ -335,5 +335,5 @@ func ConvertCheckAccessResponse(body []byte) (*authzv1.SubjectAccessReviewStatus
 		verdict = AccessNotAllowedVerdict
 	}
 
-	return &authzv1.SubjectAccessReviewStatus{Allowed: allowed, Reason: verdict, Denied: denied}, nil
+	return &authzv1beta1.SubjectAccessReviewStatus{Allowed: allowed, Reason: verdict, Denied: denied}, nil
 }