forked from openshift/origin
-
Notifications
You must be signed in to change notification settings - Fork 0
/
reviewer.go
110 lines (90 loc) · 2.74 KB
/
reviewer.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
package auth
import (
kapi "k8s.io/kubernetes/pkg/api"
authorizationapi "github.com/openshift/origin/pkg/authorization/api"
"github.com/openshift/origin/pkg/authorization/authorizer"
"github.com/openshift/origin/pkg/client"
)
// Review is a list of users and groups that can access a resource
type Review interface {
Users() []string
Groups() []string
}
type defaultReview struct {
users []string
groups []string
}
func (r *defaultReview) Users() []string {
return r.users
}
// Groups returns the groups that can access a resource
func (r *defaultReview) Groups() []string {
return r.groups
}
type review struct {
response *authorizationapi.ResourceAccessReviewResponse
}
// Users returns the users that can access a resource
func (r *review) Users() []string {
return r.response.Users.List()
}
// Groups returns the groups that can access a resource
func (r *review) Groups() []string {
return r.response.Groups.List()
}
// Reviewer performs access reviews for a project by name
type Reviewer interface {
Review(name string) (Review, error)
}
// reviewer performs access reviews for a project by name
type reviewer struct {
resourceAccessReviewsNamespacer client.LocalResourceAccessReviewsNamespacer
}
// NewReviewer knows how to make access control reviews for a resource by name
func NewReviewer(resourceAccessReviewsNamespacer client.LocalResourceAccessReviewsNamespacer) Reviewer {
return &reviewer{
resourceAccessReviewsNamespacer: resourceAccessReviewsNamespacer,
}
}
// Review performs a resource access review for the given resource by name
func (r *reviewer) Review(name string) (Review, error) {
resourceAccessReview := &authorizationapi.LocalResourceAccessReview{
Action: authorizationapi.AuthorizationAttributes{
Verb: "get",
Group: kapi.GroupName,
Resource: "namespaces",
ResourceName: name,
},
}
response, err := r.resourceAccessReviewsNamespacer.LocalResourceAccessReviews(name).Create(resourceAccessReview)
if err != nil {
return nil, err
}
review := &review{
response: response,
}
return review, nil
}
type authorizerReviewer struct {
policyChecker authorizer.Authorizer
}
func NewAuthorizerReviewer(policyChecker authorizer.Authorizer) Reviewer {
return &authorizerReviewer{policyChecker: policyChecker}
}
func (r *authorizerReviewer) Review(namespaceName string) (Review, error) {
attributes := authorizer.DefaultAuthorizationAttributes{
Verb: "get",
Resource: "namespaces",
ResourceName: namespaceName,
}
ctx := kapi.WithNamespace(kapi.NewContext(), namespaceName)
users, groups, err := r.policyChecker.GetAllowedSubjects(ctx, attributes)
if err != nil {
return nil, err
}
review := &defaultReview{
users: users.List(),
groups: groups.List(),
}
return review, nil
}