2024-08-27 14:31:29 +08:00
|
|
|
package team
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"context"
|
2025-10-03 22:52:00 +08:00
|
|
|
"fmt"
|
2024-08-27 14:31:29 +08:00
|
|
|
"strconv"
|
2025-10-07 22:45:18 +08:00
|
|
|
"strings"
|
2024-08-27 14:31:29 +08:00
|
|
|
"time"
|
|
|
|
|
|
2025-10-03 22:52:00 +08:00
|
|
|
apierrors "k8s.io/apimachinery/pkg/api/errors"
|
2024-08-27 14:31:29 +08:00
|
|
|
"k8s.io/apimachinery/pkg/apis/meta/internalversion"
|
|
|
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
|
|
|
|
"k8s.io/apimachinery/pkg/runtime"
|
|
|
|
|
"k8s.io/apiserver/pkg/registry/rest"
|
|
|
|
|
|
2025-01-21 17:06:55 +08:00
|
|
|
claims "github.com/grafana/authlib/types"
|
2025-07-04 17:07:48 +08:00
|
|
|
iamv0alpha1 "github.com/grafana/grafana/apps/iam/pkg/apis/iam/v0alpha1"
|
2024-09-05 19:43:54 +08:00
|
|
|
iamv0 "github.com/grafana/grafana/pkg/apis/iam/v0alpha1"
|
2024-09-05 14:43:54 +08:00
|
|
|
"github.com/grafana/grafana/pkg/registry/apis/iam/common"
|
|
|
|
|
"github.com/grafana/grafana/pkg/registry/apis/iam/legacy"
|
2024-08-27 14:31:29 +08:00
|
|
|
"github.com/grafana/grafana/pkg/services/apiserver/endpoints/request"
|
|
|
|
|
"github.com/grafana/grafana/pkg/services/team"
|
|
|
|
|
)
|
|
|
|
|
|
2025-08-28 18:32:15 +08:00
|
|
|
var bindingResource = iamv0alpha1.TeamBindingResourceInfo
|
2024-08-27 14:31:29 +08:00
|
|
|
|
|
|
|
|
var (
|
|
|
|
|
_ rest.Storage = (*LegacyBindingStore)(nil)
|
|
|
|
|
_ rest.Scoper = (*LegacyBindingStore)(nil)
|
|
|
|
|
_ rest.SingularNameProvider = (*LegacyBindingStore)(nil)
|
|
|
|
|
_ rest.Getter = (*LegacyBindingStore)(nil)
|
|
|
|
|
_ rest.Lister = (*LegacyBindingStore)(nil)
|
2025-10-03 22:52:00 +08:00
|
|
|
_ rest.Creater = (*LegacyBindingStore)(nil)
|
2025-10-06 17:37:18 +08:00
|
|
|
_ rest.Updater = (*LegacyBindingStore)(nil)
|
|
|
|
|
_ rest.GracefulDeleter = (*LegacyBindingStore)(nil)
|
|
|
|
|
_ rest.CollectionDeleter = (*LegacyBindingStore)(nil)
|
2024-08-27 14:31:29 +08:00
|
|
|
)
|
|
|
|
|
|
2025-10-03 22:52:00 +08:00
|
|
|
func NewLegacyBindingStore(store legacy.LegacyIdentityStore, enableAuthnMutation bool) *LegacyBindingStore {
|
|
|
|
|
return &LegacyBindingStore{store, enableAuthnMutation}
|
2024-08-27 14:31:29 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
type LegacyBindingStore struct {
|
2025-10-03 22:52:00 +08:00
|
|
|
store legacy.LegacyIdentityStore
|
|
|
|
|
enableAuthnMutation bool
|
2024-08-27 14:31:29 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Destroy implements rest.Storage.
|
|
|
|
|
func (l *LegacyBindingStore) Destroy() {}
|
|
|
|
|
|
|
|
|
|
// New implements rest.Storage.
|
|
|
|
|
func (l *LegacyBindingStore) New() runtime.Object {
|
|
|
|
|
return bindingResource.NewFunc()
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// NewList implements rest.Lister.
|
|
|
|
|
func (l *LegacyBindingStore) NewList() runtime.Object {
|
|
|
|
|
return bindingResource.NewListFunc()
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// NamespaceScoped implements rest.Scoper.
|
|
|
|
|
func (l *LegacyBindingStore) NamespaceScoped() bool {
|
|
|
|
|
return true
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// GetSingularName implements rest.SingularNameProvider.
|
|
|
|
|
func (l *LegacyBindingStore) GetSingularName() string {
|
|
|
|
|
return bindingResource.GetSingularName()
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// ConvertToTable implements rest.Lister.
|
|
|
|
|
func (l *LegacyBindingStore) ConvertToTable(ctx context.Context, object runtime.Object, tableOptions runtime.Object) (*metav1.Table, error) {
|
|
|
|
|
return bindingResource.TableConverter().ConvertToTable(ctx, object, tableOptions)
|
|
|
|
|
}
|
|
|
|
|
|
2025-10-06 17:37:18 +08:00
|
|
|
func (l *LegacyBindingStore) Update(ctx context.Context, name string, objInfo rest.UpdatedObjectInfo, createValidation rest.ValidateObjectFunc, updateValidation rest.ValidateObjectUpdateFunc, forceAllowCreate bool, options *metav1.UpdateOptions) (runtime.Object, bool, error) {
|
|
|
|
|
return nil, false, apierrors.NewMethodNotSupported(resource.GroupResource(), "update")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (l *LegacyBindingStore) Delete(ctx context.Context, name string, deleteValidation rest.ValidateObjectFunc, options *metav1.DeleteOptions) (runtime.Object, bool, error) {
|
|
|
|
|
return nil, false, apierrors.NewMethodNotSupported(resource.GroupResource(), "delete")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (l *LegacyBindingStore) DeleteCollection(ctx context.Context, deleteValidation rest.ValidateObjectFunc, options *metav1.DeleteOptions, listOptions *internalversion.ListOptions) (runtime.Object, error) {
|
|
|
|
|
return nil, apierrors.NewMethodNotSupported(resource.GroupResource(), "deleteCollection")
|
|
|
|
|
}
|
|
|
|
|
|
2025-10-03 22:52:00 +08:00
|
|
|
func (l *LegacyBindingStore) Create(ctx context.Context, obj runtime.Object, createValidation rest.ValidateObjectFunc, options *metav1.CreateOptions) (runtime.Object, error) {
|
|
|
|
|
if !l.enableAuthnMutation {
|
|
|
|
|
return nil, apierrors.NewMethodNotSupported(resource.GroupResource(), "create")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ns, err := request.NamespaceInfoFrom(ctx, true)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
teamMemberObj, ok := obj.(*iamv0alpha1.TeamBinding)
|
|
|
|
|
if !ok {
|
|
|
|
|
return nil, fmt.Errorf("expected TeamBinding object, got %T", obj)
|
|
|
|
|
}
|
|
|
|
|
|
2025-10-07 22:45:18 +08:00
|
|
|
if createValidation != nil {
|
|
|
|
|
if err := createValidation(ctx, teamMemberObj); err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2025-10-03 22:52:00 +08:00
|
|
|
// Fetch the user by ID
|
|
|
|
|
userObj, err := l.store.GetUserInternalID(ctx, ns, legacy.GetUserInternalIDQuery{
|
|
|
|
|
UID: teamMemberObj.Spec.Subject.Name,
|
|
|
|
|
})
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, fmt.Errorf("failed to fetch user by id %s: %w", teamMemberObj.Spec.Subject.Name, err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Fetch the team by ID
|
|
|
|
|
teamObj, err := l.store.GetTeamInternalID(ctx, ns, legacy.GetTeamInternalIDQuery{
|
|
|
|
|
UID: teamMemberObj.Spec.TeamRef.Name,
|
|
|
|
|
})
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, fmt.Errorf("failed to fetch team by id %s: %w", teamMemberObj.Spec.TeamRef.Name, err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var permission team.PermissionType
|
|
|
|
|
switch teamMemberObj.Spec.Permission {
|
|
|
|
|
case iamv0alpha1.TeamBindingTeamPermissionAdmin:
|
|
|
|
|
permission = team.PermissionTypeAdmin
|
|
|
|
|
case iamv0alpha1.TeamBindingTeamPermissionMember:
|
|
|
|
|
permission = team.PermissionTypeMember
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
createCmd := legacy.CreateTeamMemberCommand{
|
|
|
|
|
TeamID: teamObj.ID,
|
2025-10-07 22:45:18 +08:00
|
|
|
TeamUID: teamMemberObj.Spec.TeamRef.Name,
|
2025-10-03 22:52:00 +08:00
|
|
|
UserID: userObj.ID,
|
2025-10-07 22:45:18 +08:00
|
|
|
UserUID: teamMemberObj.Spec.Subject.Name,
|
2025-10-03 22:52:00 +08:00
|
|
|
Permission: permission,
|
2025-10-06 17:37:18 +08:00
|
|
|
External: false,
|
2025-10-03 22:52:00 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
result, err := l.store.CreateTeamMember(ctx, ns, createCmd)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
iamTeam := mapToBindingObject(ns, result.TeamMember)
|
|
|
|
|
return &iamTeam, nil
|
|
|
|
|
}
|
|
|
|
|
|
2024-08-27 14:31:29 +08:00
|
|
|
// Get implements rest.Getter.
|
|
|
|
|
func (l *LegacyBindingStore) Get(ctx context.Context, name string, options *metav1.GetOptions) (runtime.Object, error) {
|
|
|
|
|
ns, err := request.NamespaceInfoFrom(ctx, true)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
2025-10-07 22:45:18 +08:00
|
|
|
teamID, userID := mapFromBindingName(name)
|
|
|
|
|
|
2024-08-27 14:31:29 +08:00
|
|
|
res, err := l.store.ListTeamBindings(ctx, ns, legacy.ListTeamBindingsQuery{
|
2025-10-07 22:45:18 +08:00
|
|
|
TeamID: teamID,
|
|
|
|
|
UserID: userID,
|
2024-08-28 16:30:23 +08:00
|
|
|
Pagination: common.Pagination{Limit: 1},
|
2024-08-27 14:31:29 +08:00
|
|
|
})
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if len(res.Bindings) != 1 {
|
|
|
|
|
// FIXME: maybe empty result?
|
|
|
|
|
return nil, resource.NewNotFound(name)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
obj := mapToBindingObject(ns, res.Bindings[0])
|
|
|
|
|
return &obj, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// List implements rest.Lister.
|
|
|
|
|
func (l *LegacyBindingStore) List(ctx context.Context, options *internalversion.ListOptions) (runtime.Object, error) {
|
|
|
|
|
ns, err := request.NamespaceInfoFrom(ctx, true)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
res, err := l.store.ListTeamBindings(ctx, ns, legacy.ListTeamBindingsQuery{
|
2024-08-28 16:30:23 +08:00
|
|
|
Pagination: common.PaginationFromListOptions(options),
|
2024-08-27 14:31:29 +08:00
|
|
|
})
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
2025-07-04 17:07:48 +08:00
|
|
|
list := iamv0alpha1.TeamBindingList{
|
|
|
|
|
Items: make([]iamv0alpha1.TeamBinding, 0, len(res.Bindings)),
|
2024-08-27 14:31:29 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for _, b := range res.Bindings {
|
|
|
|
|
list.Items = append(list.Items, mapToBindingObject(ns, b))
|
|
|
|
|
}
|
|
|
|
|
|
2025-04-10 20:42:23 +08:00
|
|
|
list.Continue = common.OptionalFormatInt(res.Continue)
|
|
|
|
|
list.ResourceVersion = common.OptionalFormatInt(res.RV)
|
2024-08-27 14:31:29 +08:00
|
|
|
|
|
|
|
|
return &list, nil
|
|
|
|
|
}
|
|
|
|
|
|
2025-10-03 21:48:51 +08:00
|
|
|
func mapToBindingObject(ns claims.NamespaceInfo, tm legacy.TeamMember) iamv0alpha1.TeamBinding {
|
2024-08-27 14:31:29 +08:00
|
|
|
rv := time.Time{}
|
|
|
|
|
ct := time.Now()
|
|
|
|
|
|
2025-10-03 21:48:51 +08:00
|
|
|
if tm.Updated.After(rv) {
|
|
|
|
|
rv = tm.Updated
|
|
|
|
|
}
|
|
|
|
|
if tm.Created.Before(ct) {
|
|
|
|
|
ct = tm.Created
|
2024-08-27 14:31:29 +08:00
|
|
|
}
|
|
|
|
|
|
2025-07-04 17:07:48 +08:00
|
|
|
return iamv0alpha1.TeamBinding{
|
2024-08-27 14:31:29 +08:00
|
|
|
ObjectMeta: metav1.ObjectMeta{
|
2025-10-07 22:45:18 +08:00
|
|
|
Name: mapToBindingName(tm.TeamID, tm.UserID),
|
2024-08-27 14:31:29 +08:00
|
|
|
Namespace: ns.Value,
|
|
|
|
|
ResourceVersion: strconv.FormatInt(rv.UnixMilli(), 10),
|
|
|
|
|
CreationTimestamp: metav1.NewTime(ct),
|
|
|
|
|
},
|
2025-07-04 17:07:48 +08:00
|
|
|
Spec: iamv0alpha1.TeamBindingSpec{
|
|
|
|
|
TeamRef: iamv0alpha1.TeamBindingTeamRef{
|
2025-10-03 21:48:51 +08:00
|
|
|
Name: tm.TeamUID,
|
|
|
|
|
},
|
|
|
|
|
Subject: iamv0alpha1.TeamBindingspecSubject{
|
|
|
|
|
Name: tm.UserUID,
|
2024-08-27 14:31:29 +08:00
|
|
|
},
|
2025-10-03 21:48:51 +08:00
|
|
|
Permission: common.MapTeamPermission(tm.Permission),
|
2024-08-27 14:31:29 +08:00
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2025-10-07 22:45:18 +08:00
|
|
|
func mapToBindingName(teamID int64, userID int64) string {
|
|
|
|
|
return fmt.Sprintf("binding-%d-%d", teamID, userID)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func mapFromBindingName(name string) (int64, int64) {
|
|
|
|
|
parts := strings.Split(name, "-")
|
|
|
|
|
if len(parts) != 3 {
|
|
|
|
|
return 0, 0
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if parts[0] != "binding" {
|
|
|
|
|
return 0, 0
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
teamID, err := strconv.ParseInt(parts[1], 10, 64)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return 0, 0
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
userID, err := strconv.ParseInt(parts[2], 10, 64)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return 0, 0
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return teamID, userID
|
|
|
|
|
}
|
|
|
|
|
|
2024-09-05 19:43:54 +08:00
|
|
|
func mapPermisson(p team.PermissionType) iamv0.TeamPermission {
|
2024-08-27 14:31:29 +08:00
|
|
|
if p == team.PermissionTypeAdmin {
|
2024-09-05 19:43:54 +08:00
|
|
|
return iamv0.TeamPermissionAdmin
|
2024-08-27 14:31:29 +08:00
|
|
|
} else {
|
2024-09-05 19:43:54 +08:00
|
|
|
return iamv0.TeamPermissionMember
|
2024-08-27 14:31:29 +08:00
|
|
|
}
|
|
|
|
|
}
|
