forked from openshift/origin
-
Notifications
You must be signed in to change notification settings - Fork 0
/
unbind.go
81 lines (68 loc) · 3.03 KB
/
unbind.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
package servicebroker
import (
"net/http"
"github.com/golang/glog"
kerrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apiserver/pkg/authentication/user"
"k8s.io/kubernetes/pkg/apis/authorization"
"github.com/openshift/origin/pkg/authorization/util"
templateapi "github.com/openshift/origin/pkg/template/apis/template"
"github.com/openshift/origin/pkg/templateservicebroker/openservicebroker/api"
)
// Unbind is the reverse of Bind. Currently it simply removes the binding ID
// from the BrokerTemplateInstance, if found.
func (b *Broker) Unbind(u user.Info, instanceID, bindingID string) *api.Response {
glog.V(4).Infof("Template service broker: Unbind: instanceID %s, bindingID %s", instanceID, bindingID)
brokerTemplateInstance, err := b.templateclient.BrokerTemplateInstances().Get(instanceID, metav1.GetOptions{})
if err != nil {
if kerrors.IsNotFound(err) {
return api.BadRequest(err)
}
return api.InternalServerError(err)
}
namespace := brokerTemplateInstance.Spec.TemplateInstance.Namespace
//TODO - when https://github.com/kubernetes-incubator/service-catalog/pull/939 sufficiently progresses, remove the user name empty string checks
if u.GetName() != "" {
if err := util.Authorize(b.kc.Authorization().SubjectAccessReviews(), u, &authorization.ResourceAttributes{
Namespace: namespace,
Verb: "get",
Group: templateapi.GroupName,
Resource: "templateinstances",
Name: brokerTemplateInstance.Spec.TemplateInstance.Name,
}); err != nil {
return api.Forbidden(err)
}
}
// The OSB API requires this function to be idempotent (restartable). If
// any actual change was made, per the spec, StatusOK is returned, else
// StatusGone.
status := http.StatusGone
for i := 0; i < len(brokerTemplateInstance.Spec.BindingIDs); i++ {
for i < len(brokerTemplateInstance.Spec.BindingIDs) && brokerTemplateInstance.Spec.BindingIDs[i] == bindingID {
brokerTemplateInstance.Spec.BindingIDs = append(brokerTemplateInstance.Spec.BindingIDs[:i], brokerTemplateInstance.Spec.BindingIDs[i+1:]...)
status = http.StatusOK
}
}
if status == http.StatusOK { // binding found; remove it
//TODO - when https://github.com/kubernetes-incubator/service-catalog/pull/939 sufficiently progresses, remove the user name empty string checks
if u.GetName() != "" {
// end users are not expected to have access to BrokerTemplateInstance
// objects; SAR on the TemplateInstance instead.
if err := util.Authorize(b.kc.Authorization().SubjectAccessReviews(), u, &authorization.ResourceAttributes{
Namespace: namespace,
Verb: "update",
Group: templateapi.GroupName,
Resource: "templateinstances",
Name: brokerTemplateInstance.Spec.TemplateInstance.Name,
}); err != nil {
return api.Forbidden(err)
}
}
brokerTemplateInstance, err = b.templateclient.BrokerTemplateInstances().Update(brokerTemplateInstance)
if err != nil {
return api.InternalServerError(err)
}
}
return api.NewResponse(status, &api.UnbindResponse{}, nil)
}