Commit b5a90bb7 authored by baldwinlouie's avatar baldwinlouie Committed by Yas Naoi
Browse files

Issue #3282167 by baldwinlouie, yas, kumikoono: Add 'view any k8s namespace... 

Issue #3282167 by baldwinlouie, yas, kumikoono: Add 'view any k8s namespace entities'  to the remaining K8s checks
parent a735a7fb

modules/cloud_service_providers/k8s/k8s.module

+2 −2
Original line number Diff line number Diff line
@@ -654,7 +654,7 @@ function k8s_form_views_exposed_form_alter(array &$form, FormStateInterface $for 
  // Push titles into select list.

  $account = \Drupal::currentUser();

  foreach ($namespaces ?: [] as $namespace) {

    if ($account->hasPermission('view k8s namespace ' . $namespace->getName())) {

    if ($account->hasPermission('view any k8s namespace entities') || $account->hasPermission('view k8s namespace ' . $namespace->getName())) {

      $options[$namespace->getName()] = $namespace->getName();

    }

  }
@@ -766,7 +766,7 @@ function k8s_namespace_allowed_values_function(FieldStorageConfig $definition, C 
      $namespace = $namespace->toArray();

    }

    $name = $namespace['metadata']['name'] ?? '';

    if (!$account->hasPermission('view k8s namespace ' . $name)) {

    if (!$account->hasPermission('view any k8s namespace entities') && !$account->hasPermission('view k8s namespace ' . $name)) {

      continue;

    }

modules/cloud_service_providers/k8s/src/Controller/K8sAccessControlHandler.php

0 → 100644
+182 −0
Original line number Diff line number Diff line 
<?php



namespace Drupal\k8s\Controller;



use Drupal\cloud\Traits\AccessCheckTrait;

use Drupal\cloud\Traits\CloudContentEntityTrait;

use Drupal\Core\Access\AccessResult;

use Drupal\Core\Access\AccessResultInterface;

use Drupal\Core\Entity\EntityAccessControlHandler;

use Drupal\Core\Entity\EntityInterface;

use Drupal\Core\Session\AccountInterface;



/**

 * Access controller for the K8s entity.

 */

class K8sAccessControlHandler extends EntityAccessControlHandler {



  use AccessCheckTrait;

  use CloudContentEntityTrait;



  /**

   * Checks simple view access to an entity.

   *

   * @param \Drupal\Core\Entity\EntityInterface $entity

   *   The entity for which to check access.

   * @param string $operation

   *   The operation access should be checked for.

   *   Usually one of "view", "view label", "update" or "delete".

   * @param \Drupal\Core\Session\AccountInterface $account

   *   (optional) The user session for which to check access, or NULL to check

   *   access for the current user. Defaults to NULL.

   * @param string $entity_name

   *   The permission name.

   *

   * @return \Drupal\Core\Access\AccessResultInterface

   *   The access result. Returns a boolean if $return_as_object is FALSE (this

   *   is the default) and otherwise an AccessResultInterface object.

   *   When a boolean is returned, the result of AccessInterface::isAllowed() is

   *   returned, i.e. TRUE means access is explicitly allowed, FALSE means

   *   access is either explicitly forbidden or "no opinion".

   */

  private function checkSimpleAccess(EntityInterface $entity, string $operation, AccountInterface $account, string $entity_name): AccessResultInterface {

    if ($operation === 'view') {

      return $this->allowedIfCanAccessCloudConfig(

        $entity,

        $account,

        "view ${entity_name}"

      );

    }

    // Unknown operation, no opinion.

    return AccessResult::neutral();

  }



  /**

   * Checks any/own access to an entity.

   *

   * @param \Drupal\Core\Entity\EntityInterface $entity

   *   The entity for which to check access.

   * @param string $operation

   *   The operation access should be checked for.

   *   Usually one of "view", "view label", "update" or "delete".

   * @param \Drupal\Core\Session\AccountInterface $account

   *   (optional) The user session for which to check access, or NULL to check

   *   access for the current user. Defaults to NULL.

   * @param string $entity_name

   *   The permission name.

   *

   * @return \Drupal\Core\Access\AccessResultInterface

   *   The access result. Returns a boolean if $return_as_object is FALSE (this

   *   is the default) and otherwise an AccessResultInterface object.

   *   When a boolean is returned, the result of AccessInterface::isAllowed() is

   *   returned, i.e. TRUE means access is explicitly allowed, FALSE means

   *   access is either explicitly forbidden or "no opinion".

   */

  private function checkAnyOwnAccess(EntityInterface $entity, string $operation, AccountInterface $account, string $entity_name): AccessResultInterface {

    $namespace_permission = '';

    // Not all K8s entities have namespace field.

    if (method_exists($entity, 'getNamespace')) {

      $namespace = $entity->getNamespace();

      $namespace_permission = $account->hasPermission('view any k8s namespace entities')

        ? 'view any k8s namespace entities'

        : "view k8s namespace ${namespace}";

    }



    switch ($operation) {

      case 'view':

      case 'log':

        return $this->allowedIfCanAccessCloudConfigWithOwner(

          $entity,

          $account,

          $this->getPermssionArray($namespace_permission, $entity_name, 'view own'),

          $this->getPermssionArray($namespace_permission, $entity_name, 'view any'),

        );



      case 'update':

      case 'edit':

        return $this->allowedIfCanAccessCloudConfigWithOwner(

          $entity,

          $account,

          $this->getPermssionArray($namespace_permission, $entity_name, 'edit own'),

          $this->getPermssionArray($namespace_permission, $entity_name, 'edit any'),

        );



      case 'delete':

        return $this->allowedIfCanAccessCloudConfigWithOwner(

          $entity,

          $account,

          $this->getPermssionArray($namespace_permission, $entity_name, 'delete own'),

          $this->getPermssionArray($namespace_permission, $entity_name, 'delete any'),

        );

    }



    // Unknown operation, no opinion.

    return AccessResult::neutral();

  }



  /**

   * {@inheritdoc}

   */

  protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account): AccessResultInterface {

    $entity_name = $this->getPermissionName($entity->getEntityTypeId());



    // Add any simple view access check entities here.

    $simple_check = [

      'k8s_node',

      'k8s_event',

    ];

    if (\in_array($entity->getEntityTypeId(), $simple_check) === TRUE) {

      return $this->checkSimpleAccess($entity, $operation, $account, $entity_name);

    }



    return $this->checkAnyOwnAccess($entity, $operation, $account, $entity_name);

  }



  /**

   * {@inheritdoc}

   */

  protected function checkCreateAccess(AccountInterface $account, array $context, $entity_bundle = NULL): AccessResultInterface {

    $entity_name = $this->getPermissionName($this->entityTypeId);

    return $this->allowedIfCanAccessCloudConfig(

      NULL,

      $account,

      "add ${entity_name}"

    );

  }



  /**

   * Helper function to get permission name.

   *

   * @param string $entity_type_id

   *   Entity type id string.

   *

   * @return string

   *   Permission name.

   */

  private function getPermissionName(string $entity_type_id): string {

    return self::convertUnderscoreToWhitespace($entity_type_id);

  }



  /**

   * Helper that determines if namespace permission is added to the array.

   *

   * @param string $namespace_permission

   *   Namespace permission.  If empty, do not add to permission array.

   * @param string $entity_name

   *   Entity name.

   * @param string $permission_prefix

   *   Permission prefix.

   *

   * @return array

   *   Array of permissions.

   */

  private function getPermssionArray(string $namespace_permission, string $entity_name, string $permission_prefix): array {

    $permissions = [];

    if (!empty($namespace_permission)) {

      $permissions[] = $namespace_permission;

    }

    $permissions[] = "${permission_prefix} ${entity_name}";

    return $permissions;

  }



}

modules/cloud_service_providers/k8s/src/Controller/K8sApiServiceAccessControlHandler.php

deleted100644 → 0
+0 −68
Original line number Diff line number Diff line 
<?php



namespace Drupal\k8s\Controller;



use Drupal\cloud\Traits\AccessCheckTrait;

use Drupal\Core\Access\AccessResult;

use Drupal\Core\Access\AccessResultInterface;

use Drupal\Core\Entity\EntityAccessControlHandler;

use Drupal\Core\Entity\EntityInterface;

use Drupal\Core\Session\AccountInterface;



/**

 * Access controller for the API service entity.

 *

 * @see \Drupal\k8s\Entity\K8sApiService.

 */

class K8sApiServiceAccessControlHandler extends EntityAccessControlHandler {



  use AccessCheckTrait;



  /**

   * {@inheritdoc}

   */

  protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account): AccessResultInterface {



    switch ($operation) {

      case 'view':

        return $this->allowedIfCanAccessCloudConfigWithOwner(

          $entity,

          $account,

          ['view own k8s api service'],

          ['view any k8s api service']

        );



      case 'update':

      case 'edit':

        return $this->allowedIfCanAccessCloudConfigWithOwner(

          $entity,

          $account,

          ['edit own k8s api service'],

          ['edit any k8s api service']

        );



      case 'delete':

        return $this->allowedIfCanAccessCloudConfigWithOwner(

          $entity,

          $account,

          ['delete own k8s api service'],

          ['delete any k8s api service']

        );

    }



    // Unknown operation, no opinion.

    return AccessResult::neutral();

  }



  /**

   * {@inheritdoc}

   */

  protected function checkCreateAccess(AccountInterface $account, array $context, $entity_bundle = NULL): AccessResultInterface {

    return $this->allowedIfCanAccessCloudConfig(

      NULL,

      $account,

      'add k8s api service'

    );

  }



}

modules/cloud_service_providers/k8s/src/Controller/K8sClusterRoleAccessControlHandler.php

deleted100644 → 0
+0 −68
Original line number Diff line number Diff line 
<?php



namespace Drupal\k8s\Controller;



use Drupal\cloud\Traits\AccessCheckTrait;

use Drupal\Core\Access\AccessResult;

use Drupal\Core\Access\AccessResultInterface;

use Drupal\Core\Entity\EntityAccessControlHandler;

use Drupal\Core\Entity\EntityInterface;

use Drupal\Core\Session\AccountInterface;



/**

 * Access controller for the cluster role entity.

 *

 * @see \Drupal\k8s\Entity\K8sClusterRole.

 */

class K8sClusterRoleAccessControlHandler extends EntityAccessControlHandler {



  use AccessCheckTrait;



  /**

   * {@inheritdoc}

   */

  protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account): AccessResultInterface {



    switch ($operation) {

      case 'view':

        return $this->allowedIfCanAccessCloudConfigWithOwner(

          $entity,

          $account,

          ['view own k8s cluster role'],

          ['view any k8s cluster role']

        );



      case 'update':

      case 'edit':

        return $this->allowedIfCanAccessCloudConfigWithOwner(

          $entity,

          $account,

          ['edit own k8s cluster role'],

          ['edit any k8s cluster role']

        );



      case 'delete':

        return $this->allowedIfCanAccessCloudConfigWithOwner(

          $entity,

          $account,

          ['delete own k8s cluster role'],

          ['delete any k8s cluster role']

        );

    }



    // Unknown operation, no opinion.

    return AccessResult::neutral();

  }



  /**

   * {@inheritdoc}

   */

  protected function checkCreateAccess(AccountInterface $account, array $context, $entity_bundle = NULL): AccessResultInterface {

    return $this->allowedIfCanAccessCloudConfig(

      NULL,

      $account,

      'add k8s cluster role'

    );

  }



}

modules/cloud_service_providers/k8s/src/Controller/K8sClusterRoleBindingAccessControlHandler.php

deleted100644 → 0
+0 −68
Original line number Diff line number Diff line 
<?php



namespace Drupal\k8s\Controller;



use Drupal\Core\Entity\EntityAccessControlHandler;

use Drupal\Core\Entity\EntityInterface;

use Drupal\Core\Session\AccountInterface;

use Drupal\Core\Access\AccessResult;

use Drupal\Core\Access\AccessResultInterface;

use Drupal\cloud\Traits\AccessCheckTrait;



/**

 * Access controller for the cluster role binding entity.

 *

 * @see \Drupal\k8s\Entity\K8sClusterRoleBinding.

 */

class K8sClusterRoleBindingAccessControlHandler extends EntityAccessControlHandler {



  use AccessCheckTrait;



  /**

   * {@inheritdoc}

   */

  protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account): AccessResultInterface {



    switch ($operation) {

      case 'view':

        return $this->allowedIfCanAccessCloudConfigWithOwner(

          $entity,

          $account,

          ['view own k8s cluster role binding'],

          ['view any k8s cluster role binding']

        );



      case 'update':

      case 'edit':

        return $this->allowedIfCanAccessCloudConfigWithOwner(

          $entity,

          $account,

          ['edit own k8s cluster role binding'],

          ['edit any k8s cluster role binding']

        );



      case 'delete':

        return $this->allowedIfCanAccessCloudConfigWithOwner(

          $entity,

          $account,

          ['delete own k8s cluster role binding'],

          ['delete any k8s cluster role binding']

        );

    }



    // Unknown operation, no opinion.

    return AccessResult::neutral();

  }



  /**

   * {@inheritdoc}

   */

  protected function checkCreateAccess(AccountInterface $account, array $context, $entity_bundle = NULL): AccessResultInterface {

    return $this->allowedIfCanAccessCloudConfig(

      NULL,

      $account,

      'add k8s cluster role binding'

    );

  }



}