Merge pull request kubernetes#39729 from sttts/sttts-split-server-side-rbac-validation

Automatic merge from submit-queue

Split out server-only code from api packages shared with the client

Fixes staging/copy.sh.

Author: Kubernetes Submit Queue

pkg/api/BUILD

@@ -29,11 +29,9 @@ go_library(
     deps = [
         "//pkg/api/resource:go_default_library",
         "//pkg/fields:go_default_library",
-        "//pkg/genericapiserver/api/request:go_default_library",
         "//pkg/util/intstr:go_default_library",
         "//pkg/util/labels:go_default_library",
         "//pkg/util/rand:go_default_library",
-        "//pkg/util/uuid:go_default_library",
         "//vendor:github.com/davecgh/go-spew/spew",
         "//vendor:k8s.io/apimachinery/pkg/api/meta",
         "//vendor:k8s.io/apimachinery/pkg/apis/meta/v1",
@@ -88,8 +86,6 @@ go_test(
         "//pkg/apis/batch/v2alpha1:go_default_library",
         "//pkg/apis/extensions:go_default_library",
         "//pkg/apis/extensions/v1beta1:go_default_library",
-        "//pkg/genericapiserver/api/request:go_default_library",
-        "//pkg/util/uuid:go_default_library",
         "//vendor:github.com/davecgh/go-spew/spew",
         "//vendor:github.com/gogo/protobuf/proto",
         "//vendor:github.com/golang/protobuf/proto",

pkg/api/meta.go

@@ -22,23 +22,8 @@ import (
 	"k8s.io/apimachinery/pkg/conversion"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
-	genericapirequest "k8s.io/kubernetes/pkg/genericapiserver/api/request"
-	"k8s.io/kubernetes/pkg/util/uuid"
 )
 
-// FillObjectMetaSystemFields populates fields that are managed by the system on ObjectMeta.
-func FillObjectMetaSystemFields(ctx genericapirequest.Context, meta *ObjectMeta) {
-	meta.CreationTimestamp = metav1.Now()
-	// allows admission controllers to assign a UID earlier in the request processing
-	// to support tracking resources pending creation.
-	uid, found := genericapirequest.UIDFrom(ctx)
-	if !found {
-		uid = uuid.NewUUID()
-	}
-	meta.UID = uid
-	meta.SelfLink = ""
-}
-
 // HasObjectMetaSystemFieldValues returns true if fields that are managed by the system on ObjectMeta have values.
 func HasObjectMetaSystemFieldValues(meta *ObjectMeta) bool {
 	return !meta.CreationTimestamp.Time.IsZero() ||

pkg/api/meta_test.go

@@ -28,45 +28,10 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/kubernetes/pkg/api"
-	genericapirequest "k8s.io/kubernetes/pkg/genericapiserver/api/request"
-	"k8s.io/kubernetes/pkg/util/uuid"
 )
 
 var _ meta.Object = &api.ObjectMeta{}
 
-// TestFillObjectMetaSystemFields validates that system populated fields are set on an object
-func TestFillObjectMetaSystemFields(t *testing.T) {
-	ctx := genericapirequest.NewDefaultContext()
-	resource := api.ObjectMeta{}
-	api.FillObjectMetaSystemFields(ctx, &resource)
-	if resource.CreationTimestamp.Time.IsZero() {
-		t.Errorf("resource.CreationTimestamp is zero")
-	} else if len(resource.UID) == 0 {
-		t.Errorf("resource.UID missing")
-	}
-	// verify we can inject a UID
-	uid := uuid.NewUUID()
-	ctx = genericapirequest.WithUID(ctx, uid)
-	resource = api.ObjectMeta{}
-	api.FillObjectMetaSystemFields(ctx, &resource)
-	if resource.UID != uid {
-		t.Errorf("resource.UID expected: %v, actual: %v", uid, resource.UID)
-	}
-}
-
-// TestHasObjectMetaSystemFieldValues validates that true is returned if and only if all fields are populated
-func TestHasObjectMetaSystemFieldValues(t *testing.T) {
-	ctx := genericapirequest.NewDefaultContext()
-	resource := api.ObjectMeta{}
-	if api.HasObjectMetaSystemFieldValues(&resource) {
-		t.Errorf("the resource does not have all fields yet populated, but incorrectly reports it does")
-	}
-	api.FillObjectMetaSystemFields(ctx, &resource)
-	if !api.HasObjectMetaSystemFieldValues(&resource) {
-		t.Errorf("the resource does have all fields populated, but incorrectly reports it does not")
-	}
-}
-
 func getObjectMetaAndOwnerReferences() (objectMeta api.ObjectMeta, metaOwnerReferences []metav1.OwnerReference) {
 	fuzz.New().NilChance(.5).NumElements(1, 5).Fuzz(&objectMeta)
 	references := objectMeta.OwnerReferences

pkg/api/resource_helpers.go

@@ -21,7 +21,6 @@ import (
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/kubernetes/pkg/api/resource"
-	genericapirequest "k8s.io/kubernetes/pkg/genericapiserver/api/request"
 )
 
 // Returns string version of ResourceName.
@@ -228,13 +227,3 @@ func PodRequestsAndLimits(pod *Pod) (reqs map[ResourceName]resource.Quantity, li
 	}
 	return
 }
-
-// ValidNamespace returns false if the namespace on the context differs from the resource.  If the resource has no namespace, it is set to the value in the context.
-// TODO(sttts): move into pkg/genericapiserver/api
-func ValidNamespace(ctx genericapirequest.Context, resource *ObjectMeta) bool {
-	ns, ok := genericapirequest.NamespaceFrom(ctx)
-	if len(resource.Namespace) == 0 {
-		resource.Namespace = ns
-	}
-	return ns == resource.Namespace && ok
-}

pkg/api/rest/BUILD

@@ -5,6 +5,7 @@ licenses(["notice"])
 load(
     "@io_bazel_rules_go//go:def.bzl",
     "go_library",
+    "go_test",
 )
 
 go_library(
@@ -14,6 +15,7 @@ go_library(
         "delete.go",
         "doc.go",
         "export.go",
+        "meta.go",
         "rest.go",
         "types.go",
         "update.go",
@@ -25,6 +27,7 @@ go_library(
         "//pkg/api/validation/genericvalidation:go_default_library",
         "//pkg/api/validation/path:go_default_library",
         "//pkg/genericapiserver/api/request:go_default_library",
+        "//pkg/util/uuid:go_default_library",
         "//vendor:k8s.io/apimachinery/pkg/api/meta",
         "//vendor:k8s.io/apimachinery/pkg/apis/meta/v1",
         "//vendor:k8s.io/apimachinery/pkg/runtime",
@@ -49,3 +52,15 @@ filegroup(
     ],
     tags = ["automanaged"],
 )
+
+go_test(
+    name = "go_default_test",
+    srcs = ["meta_test.go"],
+    library = ":go_default_library",
+    tags = ["automanaged"],
+    deps = [
+        "//pkg/api:go_default_library",
+        "//pkg/genericapiserver/api/request:go_default_library",
+        "//pkg/util/uuid:go_default_library",
+    ],
+)

pkg/api/rest/create.go

@@ -23,7 +23,7 @@ import (
 	"k8s.io/kubernetes/pkg/api"
 	"k8s.io/kubernetes/pkg/api/errors"
 	"k8s.io/kubernetes/pkg/api/validation/genericvalidation"
-	path "k8s.io/kubernetes/pkg/api/validation/path"
+	"k8s.io/kubernetes/pkg/api/validation/path"
 	genericapirequest "k8s.io/kubernetes/pkg/genericapiserver/api/request"
 )
 
@@ -61,7 +61,7 @@ func BeforeCreate(strategy RESTCreateStrategy, ctx genericapirequest.Context, ob
 	}
 
 	if strategy.NamespaceScoped() {
-		if !api.ValidNamespace(ctx, objectMeta) {
+		if !ValidNamespace(ctx, objectMeta) {
 			return errors.NewBadRequest("the namespace of the provided object does not match the namespace sent on the request")
 		}
 	} else {
@@ -70,7 +70,7 @@ func BeforeCreate(strategy RESTCreateStrategy, ctx genericapirequest.Context, ob
 	objectMeta.DeletionTimestamp = nil
 	objectMeta.DeletionGracePeriodSeconds = nil
 	strategy.PrepareForCreate(ctx, obj)
-	api.FillObjectMetaSystemFields(ctx, objectMeta)
+	FillObjectMetaSystemFields(ctx, objectMeta)
 	api.GenerateName(strategy, objectMeta)
 
 	// ClusterName is ignored and should not be saved

pkg/api/rest/meta.go

@@ -0,0 +1,47 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package rest
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/kubernetes/pkg/api"
+	genericapirequest "k8s.io/kubernetes/pkg/genericapiserver/api/request"
+	"k8s.io/kubernetes/pkg/util/uuid"
+)
+
+// FillObjectMetaSystemFields populates fields that are managed by the system on ObjectMeta.
+func FillObjectMetaSystemFields(ctx genericapirequest.Context, meta *api.ObjectMeta) {
+	meta.CreationTimestamp = metav1.Now()
+	// allows admission controllers to assign a UID earlier in the request processing
+	// to support tracking resources pending creation.
+	uid, found := genericapirequest.UIDFrom(ctx)
+	if !found {
+		uid = uuid.NewUUID()
+	}
+	meta.UID = uid
+	meta.SelfLink = ""
+}
+
+// ValidNamespace returns false if the namespace on the context differs from the resource.  If the resource has no namespace, it is set to the value in the context.
+// TODO(sttts): move into pkg/genericapiserver/api
+func ValidNamespace(ctx genericapirequest.Context, resource *api.ObjectMeta) bool {
+	ns, ok := genericapirequest.NamespaceFrom(ctx)
+	if len(resource.Namespace) == 0 {
+		resource.Namespace = ns
+	}
+	return ns == resource.Namespace && ok
+}

pkg/api/rest/meta_test.go

@@ -0,0 +1,85 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package rest
+
+import (
+	"testing"
+
+	"k8s.io/kubernetes/pkg/api"
+	genericapirequest "k8s.io/kubernetes/pkg/genericapiserver/api/request"
+	"k8s.io/kubernetes/pkg/util/uuid"
+)
+
+// TestFillObjectMetaSystemFields validates that system populated fields are set on an object
+func TestFillObjectMetaSystemFields(t *testing.T) {
+	ctx := genericapirequest.NewDefaultContext()
+	resource := api.ObjectMeta{}
+	FillObjectMetaSystemFields(ctx, &resource)
+	if resource.CreationTimestamp.Time.IsZero() {
+		t.Errorf("resource.CreationTimestamp is zero")
+	} else if len(resource.UID) == 0 {
+		t.Errorf("resource.UID missing")
+	}
+	// verify we can inject a UID
+	uid := uuid.NewUUID()
+	ctx = genericapirequest.WithUID(ctx, uid)
+	resource = api.ObjectMeta{}
+	FillObjectMetaSystemFields(ctx, &resource)
+	if resource.UID != uid {
+		t.Errorf("resource.UID expected: %v, actual: %v", uid, resource.UID)
+	}
+}
+
+// TestHasObjectMetaSystemFieldValues validates that true is returned if and only if all fields are populated
+func TestHasObjectMetaSystemFieldValues(t *testing.T) {
+	ctx := genericapirequest.NewDefaultContext()
+	resource := api.ObjectMeta{}
+	if api.HasObjectMetaSystemFieldValues(&resource) {
+		t.Errorf("the resource does not have all fields yet populated, but incorrectly reports it does")
+	}
+	FillObjectMetaSystemFields(ctx, &resource)
+	if !api.HasObjectMetaSystemFieldValues(&resource) {
+		t.Errorf("the resource does have all fields populated, but incorrectly reports it does not")
+	}
+}
+
+// TestValidNamespace validates that namespace rules are enforced on a resource prior to create or update
+func TestValidNamespace(t *testing.T) {
+	ctx := genericapirequest.NewDefaultContext()
+	namespace, _ := genericapirequest.NamespaceFrom(ctx)
+	resource := api.ReplicationController{}
+	if !ValidNamespace(ctx, &resource.ObjectMeta) {
+		t.Fatalf("expected success")
+	}
+	if namespace != resource.Namespace {
+		t.Fatalf("expected resource to have the default namespace assigned during validation")
+	}
+	resource = api.ReplicationController{ObjectMeta: api.ObjectMeta{Namespace: "other"}}
+	if ValidNamespace(ctx, &resource.ObjectMeta) {
+		t.Fatalf("Expected error that resource and context errors do not match because resource has different namespace")
+	}
+	ctx = genericapirequest.NewContext()
+	if ValidNamespace(ctx, &resource.ObjectMeta) {
+		t.Fatalf("Expected error that resource and context errors do not match since context has no namespace")
+	}
+
+	ctx = genericapirequest.NewContext()
+	ns := genericapirequest.NamespaceValue(ctx)
+	if ns != "" {
+		t.Fatalf("Expected the empty string")
+	}
+}

pkg/api/rest/update.go

@@ -81,7 +81,7 @@ func BeforeUpdate(strategy RESTUpdateStrategy, ctx genericapirequest.Context, ob
 		return kerr
 	}
 	if strategy.NamespaceScoped() {
-		if !api.ValidNamespace(ctx, objectMeta) {
+		if !ValidNamespace(ctx, objectMeta) {
 			return errors.NewBadRequest("the namespace of the provided object does not match the namespace sent on the request")
 		}
 	} else {

pkg/apis/abac/v0/BUILD

@@ -22,7 +22,6 @@ go_library(
         "//vendor:k8s.io/apimachinery/pkg/conversion",
         "//vendor:k8s.io/apimachinery/pkg/runtime",
         "//vendor:k8s.io/apimachinery/pkg/runtime/schema",
-        "//vendor:k8s.io/apiserver/pkg/authentication/user",
     ],
 )