Add authorization checking to Kubernetes package

[ebaron]

We are currently working on adding API that determines whether a user is authorized to call various WIT APIs. The goal of this is for the front-end to be able to selectively disable parts of the UI that the user cannot use successfully, rather than enabling them and showing the user an error when used.

This PR implements a portion of this API dealing with the Deployments API, in particular dealing with OpenShift permissions. Using the OpenShift SelfSubjectRulesReview API, we obtain a comprehensive list of actions that the user can perform [1]. This list is processed and cached for fast lookups, for the lifetime of a WIT/Deployments REST API call. There is a new interface which augments the kubernetes.KubeClientInterface with methods that answer whether KubeClientInterface methods can succeed (e.g. KubeAccessControl.CanGetSpace for KubeClientInterface.GetSpace).

When fitting into the larger access control API, we will have to decide how fine-grained we want these checks to be. Do we want to check whether the user can scale deployment X in namespace Y, or simply require that the user be able to scale all deployments in namespace Y. The latter is true for single-user cases, but a cluster admin could specify more fine-grained permissions.

Related issue: #2268

[1] https://docs.openshift.org/3.10/rest_api/oapi/v1.SelfSubjectRulesReview.html

[codecov-io]

Codecov Report

Merging #2207 into master will increase coverage by 0.13%.
The diff coverage is 83.18%.

@@            Coverage Diff             @@
##           master    #2207      +/-   ##
==========================================
+ Coverage   69.38%   69.51%   +0.13%     
==========================================
  Files         175      176       +1     
  Lines       16484    16670     +186     
==========================================
+ Hits        11437    11588     +151     
- Misses       3938     3962      +24     
- Partials     1109     1120      +11

Impacted Files	Coverage Δ
controller/deployments_urlprovider.go	47.12% <100%> (-0.61%)	⬇️
kubernetes/deployments_kubeclient.go	72.45% <65.38%> (-0.4%)	⬇️
kubernetes/deployments_access.go	88.23% <88.23%> (ø)
remoteworkitem/jira.go	75% <0%> (-25%)	⬇️
remoteworkitem/scheduler.go	53.65% <0%> (-7.32%)	⬇️
controller/workitem.go	78.83% <0%> (+0.56%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update c2816aa...f596787. Read the comment docs.

[stooke]

I think we need to try to look at what OSIO will allow, and that's not yet been defined (to my knowledge).
What makes sense? A shared account might allow individual applications to be shared by different sets people, with varying degrees of access. This is why I suspect we need to tests for "deployment X in namespace Y" - i.e. if we can efficiently get answers we'll need that. Perhaps there are two levels to test - the space level (can the user even read or create an application) and the deployments level (for scaling)?

[stooke]

It's unclear to me what 'Get' means in "CanGetSpace". Comments and perhaps a more informative name would be great here.

[ebaron]

My intention here was that if CanGetSpace returns true, then you can successfully call KubeClientInterface.GetSpace. The same is true for the other methods in KubeAccessControl. I can add some documentation for each method explaining this.

[stooke]

We may eventually need to know if the user can modify the space or create an application - how would you extend the API?

[ebaron]

I have added some documentation for each of the API methods. Checking whether we can create an application and modify a space could be handled in the same fashion, by checking "create" and "patch" permissions respectively on the relevant OpenShift object types.

[stooke]

This is why 'Get' is unclear. Does it mean read space, read space and everything in it, can read space and can deploy to it?

[stooke]

Same comment about 'Get' here.

[stooke]

Is this a TODO or a comment about what's happening in the current code?

[ebaron]

This is a comment pertaining to the current code, but makes less sense after I extracted this to a helper method. I will change it.

[ebaron]

@stooke I hit a bit of a snag with checking permissions of objects with particular names, such as a named deployment config. Our deployments API deals with names of applications. The methods in deployments_kubeclient have to search through Build objects to determine the deployment config name from the application name, which may differ.

In order for our access control API to do the same, it would also have to look at builds to figure out the deployment config name. This would end up evaluating some of the functionality we're trying to determine whether we can invoke in the first place. Perhaps this would be overkill for the purposes of this API.

[stooke]

Maybe we can just leave it at the space level then for now.

[stooke]

please add a comment about avoiding getting irrelevant information

[ebaron]

Done

[stooke]

A suggestion: have two methods, one that works as the old one did, and a new one, something like GetDeployableEnvrionmentNamespace(envName), and avoid the bool, which seems to be false most of the time anyways, and just clutters up the code.

[ebaron]

Sure, the boolean parameter made the code less readable.

[ebaron]

I've added some additional processing for rules containing wildcard group/resources. This matches what is done in the web console.

[stooke]

I think this PR is good to go at this point.