oracle
diff --git a/‎kubernetes/internal/generate-security-policy.sh
Lines changed: 16 additions & 4 deletions b/‎kubernetes/internal/generate-security-policy.sh
Lines changed: 16 additions & 4 deletions
diff --git a/‎operator/src/main/java/oracle/kubernetes/operator/Main.java
Lines changed: 1 addition & 1 deletion b/‎operator/src/main/java/oracle/kubernetes/operator/Main.java
Lines changed: 1 addition & 1 deletion
diff --git a/‎operator/src/main/java/oracle/kubernetes/operator/helpers/AuthenticationProxy.java
Lines changed: 1 addition & 1 deletion b/‎operator/src/main/java/oracle/kubernetes/operator/helpers/AuthenticationProxy.java
Lines changed: 1 addition & 1 deletion
diff --git a/‎operator/src/main/java/oracle/kubernetes/operator/helpers/AuthorizationProxy.java
Lines changed: 96 additions & 37 deletions b/‎operator/src/main/java/oracle/kubernetes/operator/helpers/AuthorizationProxy.java
Lines changed: 96 additions & 37 deletions
diff --git a/‎operator/src/main/java/oracle/kubernetes/operator/helpers/CallBuilder.java
Lines changed: 72 additions & 0 deletions b/‎operator/src/main/java/oracle/kubernetes/operator/helpers/CallBuilder.java
Lines changed: 72 additions & 0 deletions
diff --git a/‎operator/src/main/java/oracle/kubernetes/operator/helpers/ClientFactory.java
Lines changed: 12 additions & 0 deletions b/‎operator/src/main/java/oracle/kubernetes/operator/helpers/ClientFactory.java
Lines changed: 12 additions & 0 deletions
@@ -94,8 +94,11 @@ metadata:
     weblogic.operatorName: ${NAMESPACE}
 rules:
 - apiGroups: [""]
-  resources: ["namespaces", "persistentvolumes"]
+  resources: ["namespaces"]
   verbs: ["get", "list", "watch"]
+- apiGroups: [""]
+  resources: ["persistentvolumes"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete", "deletecollection"]
 - apiGroups: ["apiextensions.k8s.io"]
   resources: ["customresourcedefinitions"]
   verbs: ["get", "list", "watch", "create", "update", "patch", "delete", "deletecollection"]
@@ -108,6 +111,12 @@ rules:
 - apiGroups: ["extensions"]
   resources: ["ingresses"]
   verbs: ["get", "list", "watch", "create", "update", "patch", "delete", "deletecollection"]
+- apiGroups: ["authentication.k8s.io"]
+  resources: ["tokenreviews"]
+  verbs: ["create"]
+- apiGroups: ["authorization.k8s.io"]
+  resources: ["selfsubjectaccessreviews", "localsubjectaccessreviews", "subjectaccessreviews", "selfsubjectrulesreviews"]
+  verbs: ["create"]
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1beta1
@@ -197,20 +206,23 @@ metadata:
     weblogic.operatorName: ${NAMESPACE}
 rules:
 - apiGroups: [""]
-  resources: ["secrets", "persistentvolumeclaims"]
+  resources: ["secrets"]
   verbs: ["get", "list", "watch"]
 - apiGroups: ["storage.k8s.io"]
   resources: ["storageclasses"]
   verbs: ["get", "list", "watch"]
 - apiGroups: [""]
-  resources: ["services", "configmaps", "pods", "jobs", "events"]
+  resources: ["services", "configmaps", "pods", "podtemplates", "events", "persistentvolumeclaims"]
   verbs: ["get", "list", "watch", "create", "update", "patch", "delete", "deletecollection"]
 - apiGroups: [""]
   resources: ["pods/logs"]
   verbs: ["get", "list"]
 - apiGroups: [""]
   resources: ["pods/exec"]
   verbs: ["create"]
+- apiGroups: ["batch"]
+  resources: ["jobs", "cronjobs"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete", "deletecollection"]
 - apiGroups: ["settings.k8s.io"]
   resources: ["podpresets"]
   verbs: ["get", "list", "watch", "create", "update", "patch", "delete", "deletecollection"]
@@ -253,4 +265,4 @@ EOF
 #
 echo "Create the WebLogic Operator Security configuration using kubectl as follows: kubectl create -f ${SCRIPT}"
 #
-echo "Ensure you start the API server with the --authorization-mode=RBAC option."
+echo "Ensure you start the API server with the --authorization-mode=RBAC option."
@@ -220,7 +220,7 @@ private static void begin() {
         HealthCheckHelper healthCheck = new HealthCheckHelper(namespace, targetNamespaces);
         version = healthCheck.performK8sVersionCheck();
         healthCheck.performNonSecurityChecks();
-        healthCheck.performSecurityChecks(serviceAccountName);
+        healthCheck.performSecurityChecks(version);
       } catch (ApiException e) {
         LOGGER.warning(MessageKeys.EXCEPTION, e);
       }
 
@@ -36,7 +36,7 @@ public V1TokenReviewStatus check(String principal, String token) {
     try {
       boolean allowed = authorizationProxy.check(principal,
           AuthorizationProxy.Operation.create,
-          AuthorizationProxy.Resource.tokenreviews,
+          AuthorizationProxy.Resource.TOKENREVIEWS,
           null,
           AuthorizationProxy.Scope.cluster,
           null);
 
@@ -8,6 +8,10 @@
 import io.kubernetes.client.ApiException;
 import io.kubernetes.client.models.V1ObjectMeta;
 import io.kubernetes.client.models.V1ResourceAttributes;
+import io.kubernetes.client.models.V1SelfSubjectAccessReview;
+import io.kubernetes.client.models.V1SelfSubjectAccessReviewSpec;
+import io.kubernetes.client.models.V1SelfSubjectRulesReview;
+import io.kubernetes.client.models.V1SelfSubjectRulesReviewSpec;
 import io.kubernetes.client.models.V1SubjectAccessReview;
 import io.kubernetes.client.models.V1SubjectAccessReviewSpec;
 import io.kubernetes.client.models.V1SubjectAccessReviewStatus;
@@ -37,18 +41,50 @@ public enum Operation {
   }
 
   public enum Resource {
-    pods,
-    services,
-    namespaces,
-    customresources,
-    customresourcedefinitions,
-    domains,
-    tokenreviews,
-    networkpolicies,
-    secrets,
-    persistentvolumes,
-    persistentvolumeclaims,
-    ingresses
+    CONFIGMAPS ("configmaps", ""),
+    PODS ("pods", ""),
+    LOGS ("pods", "logs", ""),
+    EXEC ("pods", "exec", ""),
+    PODTEMPLATES ("podtemplates", ""),
+    EVENTS ("events", ""),
+    SERVICES ("services", ""),
+    NAMESPACES ("namespaces", ""),
+    JOBS ("jobs", "batch"),
+    CRONJOBS ("cronjobs", "batch"),
+    CRDS ("customresourcedefinitions", "apiextensions.k8s.io"),
+    DOMAINS ("domains", "weblogic.oracle"),
+    DOMAINSTATUSS ("domains", "status", "weblogic.oracle"),
+    SUBJECTACCESSREVIEWS ("subjectaccessreviews", "authorization.k8s.io"),
+    SELFSUBJECTACCESSREVIEWS ("selfsubjectaccessreviews", "authorization.k8s.io"),
+    LOCALSUBJECTACCESSREVIEWS ("localsubjectaccessreviews", "authorization.k8s.io"),
+    SELFSUBJECTRULESREVIEWS ("selfsubjectrulesreviews", "authorization.k8s.io"),
+    TOKENREVIEWS ("tokenreviews", "authentication.k8s.io"),
+    SECRETS ("secrets", ""),
+    PERSISTENTVOLUMES ("persistentvolumes", ""),
+    PERSISTENTVOLUMECLAIMS ("persistentvolumeclaims", ""),
+    STORAGECLASSES ("storageclasses", "storage.k8s.io"),
+    PODPRESETS ("podpresets" , "settings.k8s.io"),
+    INGRESSES ("ingresses", "extensions"),
+    NETWORKPOLICIES ("networkpolicies", "extensions"),
+    PODSECURITYPOLICIES ("podsecuritypolicies", "extensions");
+    
+    private final String resource;
+    private final String subResource;
+    private final String apiGroup;
+    
+    Resource(String resource, String apiGroup) {
+      this(resource, "", apiGroup);
+    }
+    
+    Resource(String resource, String subResource, String apiGroup) {
+      this.resource = resource;
+      this.subResource = subResource;
+      this.apiGroup = apiGroup;
+    }
+    
+    public String getResource() { return resource; }
+    public String getSubResource() { return subResource; }
+    public String getAPIGroup() { return apiGroup; }
   }
 
   public enum Scope {
@@ -104,6 +140,24 @@ public boolean check(String principal, final List<String> groups, Operation oper
     return result;
   }
 
+  public boolean check(Operation operation, Resource resource, String resourceName, Scope scope, String namespaceName) {
+    LOGGER.entering();
+    V1SelfSubjectAccessReview subjectAccessReview = prepareSelfSubjectAccessReview(operation, resource, resourceName, scope, namespaceName);
+    try {
+      CallBuilderFactory factory = ContainerResolver.getInstance().getContainer().getSPI(CallBuilderFactory.class);
+      subjectAccessReview = factory.create().createSelfSubjectAccessReview(subjectAccessReview);
+    } catch (ApiException e) {
+      LOGGER.severe(MessageKeys.APIEXCEPTION_FROM_SUBJECT_ACCESS_REVIEW, e);
+      LOGGER.exiting(Boolean.FALSE);
+      return Boolean.FALSE;
+
+    }
+    V1SubjectAccessReviewStatus subjectAccessReviewStatus = subjectAccessReview.getStatus();
+    Boolean result = subjectAccessReviewStatus.isAllowed();
+    LOGGER.exiting(result);
+    return result;
+  }
+
   /**
    * Prepares an instance of SubjectAccessReview and returns same.
    *
@@ -133,6 +187,21 @@ private V1SubjectAccessReview prepareSubjectAccessReview(String principal, final
     return subjectAccessReview;
   }
 
+  private V1SelfSubjectAccessReview prepareSelfSubjectAccessReview(Operation operation, Resource resource, String resourceName, Scope scope, String namespaceName) {
+    LOGGER.entering();
+    V1SelfSubjectAccessReviewSpec subjectAccessReviewSpec = new V1SelfSubjectAccessReviewSpec();
+
+    subjectAccessReviewSpec.setResourceAttributes(prepareResourceAttributes(operation, resource, resourceName, scope, namespaceName));
+
+    V1SelfSubjectAccessReview subjectAccessReview = new V1SelfSubjectAccessReview();
+    subjectAccessReview.setApiVersion("authorization.k8s.io/v1");
+    subjectAccessReview.setKind("SelfSubjectAccessReview");
+    subjectAccessReview.setMetadata(new V1ObjectMeta());
+    subjectAccessReview.setSpec(subjectAccessReviewSpec);
+    LOGGER.exiting(subjectAccessReview);
+    return subjectAccessReview;
+  }
+
   /**
    * Prepares an instance of ResourceAttributes and returns same.
    *
@@ -150,12 +219,9 @@ private V1ResourceAttributes prepareResourceAttributes(Operation operation, Reso
       resourceAttributes.setVerb(operation.toString());
     }
     if (null != resource) {
-      resourceAttributes.setResource(resource.toString());
-    }
-
-    String apiGroup = getApiGroup(resource);
-    if (apiGroup != null) {
-      resourceAttributes.setGroup(apiGroup);
+      resourceAttributes.setResource(resource.resource);
+      resourceAttributes.setSubresource(resource.subResource);
+      resourceAttributes.setGroup(resource.apiGroup);
     }
 
     if (null != resourceName) {
@@ -168,25 +234,18 @@ private V1ResourceAttributes prepareResourceAttributes(Operation operation, Reso
     LOGGER.exiting(resourceAttributes);
     return resourceAttributes;
   }
-
-  private String getApiGroup(Resource resource) {
-    if (resource == Resource.domains) {
-      return "weblogic.oracle";
-    }
-
-    if (resource == Resource.customresourcedefinitions) {
-      return "apiextensions.k8s.io";
-    }
-
-    if (resource == Resource.tokenreviews) {
-      return "authentication.k8s.io";
-    }
-    
-    if (resource == Resource.ingresses) {
-      return "extensions";
+  
+  public V1SelfSubjectRulesReview review(String namespace) {
+    V1SelfSubjectRulesReview subjectRulesReview = new V1SelfSubjectRulesReview();
+    V1SelfSubjectRulesReviewSpec spec = new V1SelfSubjectRulesReviewSpec();
+    spec.setNamespace(namespace);
+    subjectRulesReview.setSpec(spec);
+    CallBuilderFactory factory = ContainerResolver.getInstance().getContainer().getSPI(CallBuilderFactory.class);
+    try {
+      return factory.create().createSelfSubjectRulesReview(subjectRulesReview);
+    } catch (ApiException e) {
+      LOGGER.warning(MessageKeys.EXCEPTION, e);
+      return null;
     }
-
-    // TODO - do we need to specify the api group for any of the other Resource values?
-    return null;
   }
 }
@@ -36,6 +36,8 @@
 import io.kubernetes.client.models.V1Pod;
 import io.kubernetes.client.models.V1PodList;
 import io.kubernetes.client.models.V1Secret;
+import io.kubernetes.client.models.V1SelfSubjectAccessReview;
+import io.kubernetes.client.models.V1SelfSubjectRulesReview;
 import io.kubernetes.client.models.V1Service;
 import io.kubernetes.client.models.V1ServiceList;
 import io.kubernetes.client.models.V1Status;
@@ -1384,6 +1386,76 @@ public Step createSubjectAccessReviewAsync(V1SubjectAccessReview body, ResponseS
     return createRequestAsync(responseStep, new RequestParams("createSubjectAccessReview", null, null, body), CREATE_SUBJECTACCESSREVIEW);
   }
 
+  /* Self Subject Access Review */
+  
+  /**
+   * Create self subject access review
+   * @param body Body
+   * @return Created self subject access review
+   * @throws ApiException API Exception
+   */
+  public V1SelfSubjectAccessReview createSelfSubjectAccessReview(V1SelfSubjectAccessReview body) throws ApiException {
+    ApiClient client = helper.take();
+    try {
+      return new AuthorizationV1Api(client).createSelfSubjectAccessReview(body, pretty);
+    } finally {
+      helper.recycle(client);
+    }
+  }
+
+  private com.squareup.okhttp.Call createSelfSubjectAccessReviewAsync(ApiClient client, V1SelfSubjectAccessReview body, ApiCallback<V1SelfSubjectAccessReview> callback) throws ApiException {
+    return new AuthorizationV1Api(client).createSelfSubjectAccessReviewAsync(body, pretty, callback);
+  }
+
+  private final CallFactory<V1SelfSubjectAccessReview> CREATE_SELFSUBJECTACCESSREVIEW = (requestParams, usage, cont, callback) -> {
+    return createSelfSubjectAccessReviewAsync(usage, (V1SelfSubjectAccessReview) requestParams.body, callback);
+  };
+  
+  /**
+   * Asynchronous step for creating self subject access review
+   * @param body Body
+   * @param responseStep Response step for when call completes
+   * @return Asynchronous step
+   */
+  public Step createSelfSubjectAccessReviewAsync(V1SelfSubjectAccessReview body, ResponseStep<V1SelfSubjectAccessReview> responseStep) {
+    return createRequestAsync(responseStep, new RequestParams("createSelfSubjectAccessReview", null, null, body), CREATE_SELFSUBJECTACCESSREVIEW);
+  }
+  
+  /* Self Subject Rules Review */
+  
+  /**
+   * Create self subject rules review
+   * @param body Body
+   * @return Created self subject rules review
+   * @throws ApiException API Exception
+   */
+  public V1SelfSubjectRulesReview createSelfSubjectRulesReview(V1SelfSubjectRulesReview body) throws ApiException {
+    ApiClient client = helper.take();
+    try {
+      return new AuthorizationV1Api(client).createSelfSubjectRulesReview(body, pretty);
+    } finally {
+      helper.recycle(client);
+    }
+  }
+
+  private com.squareup.okhttp.Call createSelfSubjectRulesReviewAsync(ApiClient client, V1SelfSubjectRulesReview body, ApiCallback<V1SelfSubjectRulesReview> callback) throws ApiException {
+    return new AuthorizationV1Api(client).createSelfSubjectRulesReviewAsync(body, pretty, callback);
+  }
+
+  private final CallFactory<V1SelfSubjectRulesReview> CREATE_SELFSUBJECTRULESREVIEW = (requestParams, usage, cont, callback) -> {
+    return createSelfSubjectRulesReviewAsync(usage, (V1SelfSubjectRulesReview) requestParams.body, callback);
+  };
+  
+  /**
+   * Asynchronous step for creating self subject rules review
+   * @param body Body
+   * @param responseStep Response step for when call completes
+   * @return Asynchronous step
+   */
+  public Step createSelfSubjectRulesReviewAsync(V1SelfSubjectRulesReview body, ResponseStep<V1SelfSubjectRulesReview> responseStep) {
+    return createRequestAsync(responseStep, new RequestParams("createSelfSubjectRulesReview", null, null, body), CREATE_SELFSUBJECTRULESREVIEW);
+  }
+  
   /* Token Review */
 
   /**
 
@@ -0,0 +1,12 @@
+// Copyright 2018, Oracle Corporation and/or its affiliates.  All rights reserved.
+// Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl.
+
+package oracle.kubernetes.operator.helpers;
+
+import java.util.function.Supplier;
+
+import io.kubernetes.client.ApiClient;
+
+public interface ClientFactory extends Supplier<ApiClient> {
+
+}
Original file line number	Diff line number	Diff line change
`@@ -220,7 +220,7 @@ private static void begin() {`
`220`	`220`	`HealthCheckHelper healthCheck = new HealthCheckHelper(namespace, targetNamespaces);`
`221`	`221`	`version = healthCheck.performK8sVersionCheck();`
`222`	`222`	`healthCheck.performNonSecurityChecks();`
`223`		`- healthCheck.performSecurityChecks(serviceAccountName);`
	`223`	`+ healthCheck.performSecurityChecks(version);`
`224`	`224`	`} catch (ApiException e) {`
`225`	`225`	`LOGGER.warning(MessageKeys.EXCEPTION, e);`
`226`	`226`	`}`