add helper methods for SA token secret checks

2015-09-16 16:04:26 -04:00 · 2015-09-16 16:04:26 -04:00 · 32a495acb6
parent e83bf49f86
commit 32a495acb6
3 changed files with 57 additions and 35 deletions
--- a/pkg/controller/serviceaccount/tokens_controller.go
+++ b/pkg/controller/serviceaccount/tokens_controller.go
@ -417,7 +417,7 @@ func (e *TokensController) removeSecretReferenceIfNeeded(serviceAccount *api.Ser
 // getServiceAccount returns the ServiceAccount referenced by the given secret. If the secret is not
 // of type ServiceAccountToken, or if the referenced ServiceAccount does not exist, nil is returned
 func (e *TokensController) getServiceAccount(secret *api.Secret, fetchOnCacheMiss bool) (*api.ServiceAccount, error) {
-	name, uid := serviceAccountNameAndUID(secret)
+	name, _ := serviceAccountNameAndUID(secret)
 	if len(name) == 0 {
 		return nil, nil
 	}
@ -430,15 +430,10 @@ func (e *TokensController) getServiceAccount(secret *api.Secret, fetchOnCacheMis

 	for _, obj := range namespaceAccounts {
 		serviceAccount := obj.(*api.ServiceAccount)
-		if name != serviceAccount.Name {
-			// Name must match
-			continue
+
+		if IsServiceAccountToken(secret, serviceAccount) {
+			return serviceAccount, nil
 		}
-		if len(uid) > 0 && uid != string(serviceAccount.UID) {
-			// If UID is specified, it must match
-			continue
-		}
-		return serviceAccount, nil
 	}

 	if fetchOnCacheMiss {
@ -449,11 +444,10 @@ func (e *TokensController) getServiceAccount(secret *api.Secret, fetchOnCacheMis
 		if err != nil {
 			return nil, err
 		}
-		if len(uid) > 0 && uid != string(serviceAccount.UID) {
-			// If UID is specified, it must match
-			return nil, nil
+
+		if IsServiceAccountToken(secret, serviceAccount) {
+			return serviceAccount, nil
 		}
-		return serviceAccount, nil
 	}

 	return nil, nil
@ -471,16 +465,10 @@ func (e *TokensController) listTokenSecrets(serviceAccount *api.ServiceAccount)
 	items := []*api.Secret{}
 	for _, obj := range namespaceSecrets {
 		secret := obj.(*api.Secret)
-		name, uid := serviceAccountNameAndUID(secret)
-		if name != serviceAccount.Name {
-			// Name must match
-			continue
+
+		if IsServiceAccountToken(secret, serviceAccount) {
+			items = append(items, secret)
 		}
-		if len(uid) > 0 && uid != string(serviceAccount.UID) {
-			// If UID is specified, it must match
-			continue
-		}
-		items = append(items, secret)
 	}
 	return items, nil
 }
--- a/pkg/controller/serviceaccount/util.go
+++ b/pkg/controller/serviceaccount/util.go
@ -20,8 +20,12 @@ import (
 	"fmt"
 	"strings"

+	"k8s.io/kubernetes/pkg/api"
 	"k8s.io/kubernetes/pkg/api/validation"
 	"k8s.io/kubernetes/pkg/auth/user"
+	client "k8s.io/kubernetes/pkg/client/unversioned"
+	"k8s.io/kubernetes/pkg/fields"
+	"k8s.io/kubernetes/pkg/labels"
 )

 const (
@ -81,3 +85,42 @@ func UserInfo(namespace, name, uid string) user.Info {
 		Groups: MakeGroupNames(namespace, name),
 	}
 }
+
+// GetServiceAccountTokens returns all ServiceAccountToken secrets for the given ServiceAccount
+func GetServiceAccountTokens(secretsNamespacer client.SecretsNamespacer, sa *api.ServiceAccount) ([]*api.Secret, error) {
+	tokenSelector := fields.SelectorFromSet(map[string]string{client.SecretType: string(api.SecretTypeServiceAccountToken)})
+	secrets, err := secretsNamespacer.Secrets(sa.Namespace).List(labels.Everything(), tokenSelector)
+	if err != nil {
+		return nil, err
+	}
+
+	tokenSecrets := []*api.Secret{}
+	for i := range secrets.Items {
+		secret := &secrets.Items[i]
+		if IsServiceAccountToken(secret, sa) {
+			tokenSecrets = append(tokenSecrets, secret)
+		}
+	}
+
+	return tokenSecrets, nil
+}
+
+// IsServiceAccountToken returns true if the secret is a valid api token for the service account
+func IsServiceAccountToken(secret *api.Secret, sa *api.ServiceAccount) bool {
+	if secret.Type != api.SecretTypeServiceAccountToken {
+		return false
+	}
+
+	name := secret.Annotations[api.ServiceAccountNameKey]
+	uid := secret.Annotations[api.ServiceAccountUIDKey]
+	if name != sa.Name {
+		// Name must match
+		return false
+	}
+	if len(uid) > 0 && uid != string(sa.UID) {
+		// If UID is specified, it must match
+		return false
+	}
+
+	return true
+}
--- a/plugin/pkg/admission/serviceaccount/admission.go
+++ b/plugin/pkg/admission/serviceaccount/admission.go
@ -27,6 +27,7 @@ import (
 	"k8s.io/kubernetes/pkg/api/errors"
 	"k8s.io/kubernetes/pkg/client/cache"
 	client "k8s.io/kubernetes/pkg/client/unversioned"
+	"k8s.io/kubernetes/pkg/controller/serviceaccount"
 	"k8s.io/kubernetes/pkg/fields"
 	"k8s.io/kubernetes/pkg/kubelet"
 	"k8s.io/kubernetes/pkg/labels"
@ -273,20 +274,10 @@ func (s *serviceAccount) getServiceAccountTokens(serviceAccount *api.ServiceAcco
 	tokens := []*api.Secret{}
 	for _, obj := range index {
 		token := obj.(*api.Secret)
-		if token.Type != api.SecretTypeServiceAccountToken {
-			continue
+
+		if serviceaccount.IsServiceAccountToken(token, serviceAccount) {
+			tokens = append(tokens, token)
 		}
-		name := token.Annotations[api.ServiceAccountNameKey]
-		uid := token.Annotations[api.ServiceAccountUIDKey]
-		if name != serviceAccount.Name {
-			// Name must match
-			continue
-		}
-		if len(uid) > 0 && uid != string(serviceAccount.UID) {
-			// If UID is set, it must match
-			continue
-		}
-		tokens = append(tokens, token)
 	}
 	return tokens, nil
 }