Added VO to service definition

grycap · Nov 23, 2023 · 45c0e7c · 45c0e7c
1 parent 632c86f
commit 45c0e7c
Show file tree

Hide file tree

Showing 5 changed files with 56 additions and 2 deletions.
diff --git a/pkg/backends/k8s.go b/pkg/backends/k8s.go
@@ -85,6 +85,14 @@ func (k *KubeBackend) CreateService(service types.Service) error {
 		return err
 	}
 
+	if service.VO != "" {
+		for _, vo := range k.config.OIDCGroups {
+			if vo == service.VO {
+				service.Labels["vo"] = service.VO
+			}
+		}
+	}
+
 	// Create podSpec from the service
 	podSpec, err := service.ToPodSpec(k.config)
 	if err != nil {

diff --git a/pkg/backends/knative.go b/pkg/backends/knative.go
@@ -102,6 +102,14 @@ func (kn *KnativeBackend) CreateService(service types.Service) error {
 		return err
 	}
 
+	if service.VO != "" {
+		for _, vo := range kn.config.OIDCGroups {
+			if vo == service.VO {
+				service.Labels["vo"] = service.VO
+			}
+		}
+	}
+
 	// Create the Knative service definition
 	knSvc, err := kn.createKNServiceDefinition(&service)
 	if err != nil {

diff --git a/pkg/handlers/create.go b/pkg/handlers/create.go
@@ -31,6 +31,7 @@ import (
 	"github.com/grycap/cdmi-client-go"
 	"github.com/grycap/oscar/v2/pkg/types"
 	"github.com/grycap/oscar/v2/pkg/utils"
+	"github.com/grycap/oscar/v2/pkg/utils/auth"
 	k8sErrors "k8s.io/apimachinery/pkg/api/errors"
 )
 
@@ -46,6 +47,22 @@ var errInput = errors.New("unrecognized input (valid inputs are MinIO and dCache
 func MakeCreateHandler(cfg *types.Config, back types.ServerlessBackend) gin.HandlerFunc {
 	return func(c *gin.Context) {
 		var service types.Service
+		oidcManager, _ := auth.NewOIDCManager(cfg.OIDCIssuer, cfg.OIDCSubject, cfg.OIDCGroups)
+
+		authHeader := c.GetHeader("Authorization")
+		rawToken := strings.TrimPrefix(authHeader, "Bearer ")
+		hasVO, err2 := oidcManager.UserHasVO(rawToken, service.VO)
+
+		if err2 != nil {
+			c.String(http.StatusInternalServerError, err2.Error())
+			return
+		}
+
+		if !hasVO {
+			c.String(http.StatusBadRequest, fmt.Sprintf("This user isn't enrrolled on the vo: %v", service.VO))
+			return
+		}
+
 		if err := c.ShouldBindJSON(&service); err != nil {
 			c.String(http.StatusBadRequest, fmt.Sprintf("The service specification is not valid: %v", err))
 			return
@@ -120,6 +137,10 @@ func checkValues(service *types.Service, cfg *types.Config) {
 	service.Labels[types.YunikornApplicationIDLabel] = service.Name
 	service.Labels[types.YunikornQueueLabel] = fmt.Sprintf("%s.%s.%s", types.YunikornRootQueue, types.YunikornOscarQueue, service.Name)
 
+	if service.VO != "" {
+		service.Labels["vo"] = service.VO
+	}
+
 	// Create default annotations map
 	if service.Annotations == nil {
 		service.Annotations = make(map[string]string)

diff --git a/pkg/types/service.go b/pkg/types/service.go
@@ -224,6 +224,10 @@ type Service struct {
 	// Optional
 	Annotations map[string]string `json:"annotations"`
 
+	// Parameter to specify the VO from the user creating the service
+	// Optional
+	VO string `json:"vo"`
+
 	// Labels user-defined Kubernetes labels to be set in job's definition
 	// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
 	// Optional

diff --git a/pkg/utils/auth/oidc.go b/pkg/utils/auth/oidc.go
@@ -45,7 +45,7 @@ type userInfo struct {
 }
 
 // newOIDCManager returns a new oidcManager or error if the oidc.Provider can't be created
-func newOIDCManager(issuer string, subject string, groups []string) (*oidcManager, error) {
+func NewOIDCManager(issuer string, subject string, groups []string) (*oidcManager, error) {
 	provider, err := oidc.NewProvider(context.TODO(), issuer)
 	if err != nil {
 		return nil, err
@@ -66,7 +66,7 @@ func newOIDCManager(issuer string, subject string, groups []string) (*oidcManage
 
 // getIODCMiddleware returns the Gin's handler middleware to validate OIDC-based auth
 func getOIDCMiddleware(issuer string, subject string, groups []string) gin.HandlerFunc {
-	oidcManager, err := newOIDCManager(issuer, subject, groups)
+	oidcManager, err := NewOIDCManager(issuer, subject, groups)
 	if err != nil {
 		return func(c *gin.Context) {
 			c.AbortWithStatus(http.StatusUnauthorized)
@@ -140,6 +140,19 @@ func getGroups(urns []string) []string {
 	return groups
 }
 
+func (om *oidcManager) UserHasVO(rawToken string, vo string) (bool, error) {
+	ui, err := om.getUserInfo(rawToken)
+	if err != nil {
+		return false, err
+	}
+	for _, gr := range ui.groups {
+		if vo == gr {
+			return true, nil
+		}
+	}
+	return false, nil
+}
+
 // isAuthorised checks if a token is authorised to access the API
 func (om *oidcManager) isAuthorised(rawToken string) bool {
 	// Check if the token is valid