forked from openshift/origin
-
Notifications
You must be signed in to change notification settings - Fork 1
/
rest.go
65 lines (54 loc) · 2.47 KB
/
rest.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
package localsubjectaccessreview
import (
"context"
"fmt"
kapierrors "k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/util/validation/field"
apirequest "k8s.io/apiserver/pkg/endpoints/request"
"k8s.io/apiserver/pkg/registry/rest"
authorization "github.com/openshift/api/authorization"
authorizationapi "github.com/openshift/origin/pkg/authorization/apis/authorization"
authorizationvalidation "github.com/openshift/origin/pkg/authorization/apis/authorization/validation"
"github.com/openshift/origin/pkg/authorization/apiserver/registry/subjectaccessreview"
)
// REST implements the RESTStorage interface in terms of an Registry.
type REST struct {
clusterSARRegistry subjectaccessreview.Registry
}
var _ rest.Creater = &REST{}
var _ rest.Scoper = &REST{}
func NewREST(clusterSARRegistry subjectaccessreview.Registry) *REST {
return &REST{clusterSARRegistry}
}
func (r *REST) New() runtime.Object {
return &authorizationapi.LocalSubjectAccessReview{}
}
func (s *REST) NamespaceScoped() bool {
return true
}
// Create transforms a LocalSAR into an ClusterSAR that is requesting a namespace. That collapses the code paths.
// LocalSubjectAccessReview exists to allow clean expression of policy.
func (r *REST) Create(ctx context.Context, obj runtime.Object, _ rest.ValidateObjectFunc, _ bool) (runtime.Object, error) {
localSAR, ok := obj.(*authorizationapi.LocalSubjectAccessReview)
if !ok {
return nil, kapierrors.NewBadRequest(fmt.Sprintf("not a localSubjectAccessReview: %#v", obj))
}
if errs := authorizationvalidation.ValidateLocalSubjectAccessReview(localSAR); len(errs) > 0 {
return nil, kapierrors.NewInvalid(authorization.Kind(localSAR.Kind), "", errs)
}
if namespace := apirequest.NamespaceValue(ctx); len(namespace) == 0 {
return nil, kapierrors.NewBadRequest(fmt.Sprintf("namespace is required on this type: %v", namespace))
} else if (len(localSAR.Action.Namespace) > 0) && (namespace != localSAR.Action.Namespace) {
return nil, field.Invalid(field.NewPath("namespace"), localSAR.Action.Namespace, fmt.Sprintf("namespace must be: %v", namespace))
}
// transform this into a SubjectAccessReview
clusterSAR := &authorizationapi.SubjectAccessReview{
Action: localSAR.Action,
User: localSAR.User,
Groups: localSAR.Groups,
Scopes: localSAR.Scopes,
}
clusterSAR.Action.Namespace = apirequest.NamespaceValue(ctx)
return r.clusterSARRegistry.CreateSubjectAccessReview(apirequest.WithNamespace(ctx, ""), clusterSAR)
}