package policy
import (
corev1 "k8s.io/api/core/v1"
"k8s.io/apiserver/pkg/authentication/serviceaccount"
)
// buildSubjects turns plain user and group names into ObjectReferences.
// A user name that serviceaccount.SplitUsername accepts is recorded as a
// ServiceAccount reference (with the parsed namespace and name); every other
// user name becomes a User reference, and each group a Group reference.
// User-derived entries precede group entries, and the result is never nil,
// even when both inputs are empty.
func buildSubjects(users, groups []string) []corev1.ObjectReference {
	refs := make([]corev1.ObjectReference, 0, len(users)+len(groups))
	for _, u := range users {
		ref := corev1.ObjectReference{Kind: "User", Name: u}
		// Only a name in the canonical service-account form is classified as a
		// ServiceAccount; the parse error itself is not reported to the caller.
		if ns, name, err := serviceaccount.SplitUsername(u); err == nil {
			ref = corev1.ObjectReference{Kind: "ServiceAccount", Namespace: ns, Name: name}
		}
		refs = append(refs, ref)
	}
	for _, g := range groups {
		refs = append(refs, corev1.ObjectReference{Kind: "Group", Name: g})
	}
	return refs
}
// stringSubjectsFor flattens subjects into the user names and group names
// that are compared against a user.Info. currentNamespace supplies the
// namespace for a ServiceAccount subject whose own Namespace is "".
// A ServiceAccount with no namespace from either source is skipped, as is
// any subject whose Kind is not exactly "ServiceAccount", "User" or "Group";
// unrecognised kinds never fall through into a user or group name.
func stringSubjectsFor(currentNamespace string, subjects []corev1.ObjectReference) ([]string, []string) {
	// Both results deliberately start nil: nil (not an empty slice) is how
	// "no subjects" is signalled to callers.
	var users, groups []string
	for i := range subjects {
		s := &subjects[i]
		if s.Kind == "Group" {
			groups = append(groups, s.Name)
			continue
		}
		if s.Kind == "User" {
			users = append(users, s.Name)
			continue
		}
		if s.Kind != "ServiceAccount" {
			continue
		}
		ns := s.Namespace
		if ns == "" {
			ns = currentNamespace
		}
		if ns == "" {
			// Nowhere to take a namespace from, so no username can be formed.
			continue
		}
		users = append(users, serviceaccount.MakeUsername(ns, s.Name))
	}
	return users, groups
}