/
rbac.go
128 lines (112 loc) · 3.93 KB
/
rbac.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
// Copyright 2019 Canonical Ltd.
// Licensed under the AGPLv3, see LICENCE file for details.
package specs
import (
"fmt"
"github.com/juju/collections/set"
"github.com/juju/errors"
)
// PolicyRule defines a rule policy for a role or cluster role.
type PolicyRule struct {
Verbs []string `json:"verbs" yaml:"verbs"`
APIGroups []string `json:"apiGroups,omitempty" yaml:"apiGroups,omitempty"`
Resources []string `json:"resources,omitempty" yaml:"resources,omitempty"`
ResourceNames []string `json:"resourceNames,omitempty" yaml:"resourceNames,omitempty"`
NonResourceURLs []string `json:"nonResourceURLs,omitempty" yaml:"nonResourceURLs,omitempty"`
}
// ServiceAccountSpecV2 defines spec for referencing or creating RBAC resource for the application for version 2.
type ServiceAccountSpecV2 struct {
AutomountServiceAccountToken *bool `json:"automountServiceAccountToken,omitempty" yaml:"automountServiceAccountToken,omitempty"`
Global bool `json:"global,omitempty" yaml:"global,omitempty"`
Rules []PolicyRule `json:"rules,omitempty" yaml:"rules,omitempty"`
}
// Validate returns an error if the spec is not valid.
func (sa ServiceAccountSpecV2) Validate() error {
if len(sa.Rules) == 0 {
return errors.NewNotValid(nil, "rules is required")
}
return nil
}
// ToLatest converts ServiceAccountSpecV2 to the latest version.
func (sa ServiceAccountSpecV2) ToLatest() *PrimeServiceAccountSpecV3 {
return &PrimeServiceAccountSpecV3{
ServiceAccountSpecV3: ServiceAccountSpecV3{
AutomountServiceAccountToken: sa.AutomountServiceAccountToken,
Roles: []Role{
{
Global: sa.Global,
Rules: sa.Rules,
},
},
},
}
}
// Role defines role spec for version 3.
type Role struct {
Name string `json:"name" yaml:"name"`
Global bool `json:"global,omitempty" yaml:"global,omitempty"`
Rules []PolicyRule `json:"rules,omitempty" yaml:"rules,omitempty"`
}
// Validate returns an error if the spec is not valid.
func (r Role) Validate() error {
if len(r.Rules) == 0 {
return errors.NewNotValid(nil, "rules is required")
}
return nil
}
// ServiceAccountSpecV3 defines spec for creating RBAC resource for the application for version 3.
type ServiceAccountSpecV3 struct {
AutomountServiceAccountToken *bool `json:"automountServiceAccountToken,omitempty" yaml:"automountServiceAccountToken,omitempty"`
Roles []Role `json:"roles" yaml:"roles"`
}
// Validate returns an error if the spec is not valid.
func (sa ServiceAccountSpecV3) Validate() error {
if len(sa.Roles) == 0 {
return errors.NewNotValid(nil, "roles is required")
}
for _, r := range sa.Roles {
if err := r.Validate(); err != nil {
return errors.Trace(err)
}
}
roleNames := set.NewStrings()
for _, r := range sa.Roles {
if err := r.Validate(); err != nil {
return errors.Trace(err)
}
if r.Name == "" {
continue
}
if roleNames.Contains(r.Name) {
return errors.NotValidf("duplicated role name %q", r.Name)
}
roleNames.Add(r.Name)
}
if roleNames.Size() == 0 || len(sa.Roles) == roleNames.Size() {
// All good.
return nil
}
return errors.NewNotValid(nil, "either all or none of the roles should have a name set")
}
// PrimeServiceAccountSpecV3 defines spec for creating the prime RBAC resources for version 3.
type PrimeServiceAccountSpecV3 struct {
name string
ServiceAccountSpecV3 `json:",inline" yaml:",inline"`
}
// GetName returns the service accout name.
func (psa PrimeServiceAccountSpecV3) GetName() string {
return psa.name
}
// SetName sets the service accout name.
func (psa *PrimeServiceAccountSpecV3) SetName(name string) {
psa.name = name
}
// Validate returns an error if the spec is not valid.
func (psa PrimeServiceAccountSpecV3) Validate() error {
err := psa.ServiceAccountSpecV3.Validate()
msg := "invalid primary service account"
if psa.name != "" {
msg = fmt.Sprintf("%s %q", msg, psa.name)
}
return errors.Annotatef(err, msg)
}