Expand RBAC role to be able to create application events. Fix username claims extraction. (#479)

2026-04-21 17:07:16 +00:00 · 2018-07-31 11:15:44 -07:00 · 2018-07-31 11:15:44 -07:00 · 00299707e5
commit 00299707e5
parent 9f5a718323
6 changed files with 46 additions and 20 deletions
--- a/2
+++ b/2
@ -1 +1 @@
-0.7.0
+0.7.1
--- a/controller/appcontroller.go
+++ b/controller/appcontroller.go
@ -90,7 +90,7 @@ func NewApplicationController(
 		statusRefreshTimeout:  appResyncPeriod,
 		forceRefreshApps:      make(map[string]bool),
 		forceRefreshAppsMutex: &sync.Mutex{},
-		auditLogger:           argo.NewAuditLogger(namespace, kubeClientset, "appcontroller"),
+		auditLogger:           argo.NewAuditLogger(namespace, kubeClientset, "application-controller"),
 	}
 }

--- a/manifests/components/03b_application-controller-role.yaml
+++ b/manifests/components/03b_application-controller-role.yaml
@ -27,3 +27,11 @@ rules:
  - update
  - patch
  - delete
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - list
+  
--- a/manifests/components/04b_argocd-server-role.yaml
+++ b/manifests/components/04b_argocd-server-role.yaml
@ -30,3 +30,10 @@ rules:
  - update
  - delete
  - patch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - list
--- a/manifests/install.yaml
+++ b/manifests/install.yaml
@ -126,6 +126,14 @@ rules:
  - update
  - patch
  - delete
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - list
+  
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
@ -194,6 +202,13 @@ rules:
  - update
  - delete
  - patch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - list
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
--- a/util/session/sessionmanager.go
+++ b/util/session/sessionmanager.go
@ -17,6 +17,7 @@ import (
 	"google.golang.org/grpc/status"

 	"github.com/argoproj/argo-cd/common"
+	jwtutil "github.com/argoproj/argo-cd/util/jwt"
 	passwordutil "github.com/argoproj/argo-cd/util/password"
 	"github.com/argoproj/argo-cd/util/settings"
 )
@ -166,26 +167,21 @@ func (mgr *SessionManager) VerifyToken(tokenString string) (jwt.Claims, error) {
 	}
 }

-func stringFromMap(input map[string]interface{}, key string) string {
-	if val, ok := input[key]; ok {
-		if res, ok := val.(string); ok {
-			return res
-		}
-	}
-	return ""
-}
-
 func Username(ctx context.Context) string {
-	if claims, ok := ctx.Value("claims").(*jwt.MapClaims); ok {
-		mapClaims := *claims
-		switch stringFromMap(mapClaims, "iss") {
-		case SessionManagerClaimsIssuer:
-			return stringFromMap(mapClaims, "sub")
-		default:
-			return stringFromMap(mapClaims, "email")
-		}
+	claims, ok := ctx.Value("claims").(jwt.Claims)
+	if !ok {
+		return ""
+	}
+	mapClaims, err := jwtutil.MapClaims(claims)
+	if err != nil {
+		return ""
+	}
+	switch jwtutil.GetField(mapClaims, "iss") {
+	case SessionManagerClaimsIssuer:
+		return jwtutil.GetField(mapClaims, "sub")
+	default:
+		return jwtutil.GetField(mapClaims, "email")
 	}
-	return ""
 }

 // MakeCookieMetadata generates a string representing a Web cookie.  Yum!
 @ -1 +1 @@
 .7.0
 .7.1