/*
Copyright 2015 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package keystone
import (
"bufio"
"encoding/json"
"os"
)
// policy is one entry of the policyList that newFromFile decodes from JSON.
// It holds an optional resource spec, an optional non-resource spec and a
// list of match entries.
//
// NOTE(review): both spec pointers stay nil when their key is missing from
// the file, so code that evaluates a policy must nil-check them before
// dereferencing. How an entry with neither spec set is treated is decided by
// the evaluating code, which is not part of this file.
type policy struct {
	// ResourceSpec is decoded from the "resource" key; nil when the key is absent.
	ResourceSpec *resourcePolicySpec `json:"resource,omitempty"`
	// NonResourceSpec is decoded from the "nonresource" key; nil when the key is absent.
	NonResourceSpec *nonResourcePolicySpec `json:"nonresource,omitempty"`
	// Match is decoded from the "match" key.
	Match []policyMatch `json:"match"`
}
// Supported types for policy match.
//
// These are the string values expected in policyMatch.Type. Loading a policy
// file does not compare the decoded Type against this set, so an unsupported
// or misspelled type reaches the evaluating code unchanged.
const (
	TypeUser string = "user"
	TypeGroup string = "group"
	TypeProject string = "project"
	TypeRole string = "role"
)
// policyMatch is one element of policy.Match: a match type together with the
// values listed for that type.
type policyMatch struct {
	// Type is decoded from the "type" key. TypeUser, TypeGroup, TypeProject and
	// TypeRole are the supported values; decoding accepts any string.
	Type string `json:"type"`
	// Values is decoded from the "values" key.
	Values []string `json:"values"`
}
// resourcePolicySpec is the "resource" part of a policy entry: verbs,
// resource names, API group and namespace.
//
// NOTE(review): the wildcard forms described below widen what an entry
// covers, so a policy file is worth reviewing for "*" values before it is
// deployed. APIGroup and Namespace are pointers and are nil when their key is
// absent or null; whether nil means "match nothing" or "match everything" is
// up to the evaluating code - confirm there.
type resourcePolicySpec struct {
	// Kubernetes resource API verb like: get, list, watch, create, update, delete, proxy.
	// ["*"] matches all verbs.
	Verbs []string `json:"verbs"`
	// Resources is the list of resource names.
	// ["*"] matches all resources
	Resources []string `json:"resources"`
	// APIGroup is the name of an API group.
	// "*" matches all API groups
	// Note that the JSON key is "version", not a key named after the field,
	// so policy files must spell it "version".
	APIGroup *string `json:"version"`
	// Namespace is the name of a namespace.
	// "*" matches all namespaces (including unnamespaced requests)
	Namespace *string `json:"namespace"`
}
// nonResourcePolicySpec is the "nonresource" part of a policy entry: verbs
// and a request path.
//
// NOTE(review): NonResourcePath is a pointer and is nil when the "path" key
// is absent or null; the evaluating code has to nil-check it.
type nonResourcePolicySpec struct {
	// Kubernetes resource API verb like: get, list, watch, create, update, delete, proxy.
	// ["*"] matches all verbs.
	Verbs []string `json:"verbs"`
	// NonResourcePath matches non-resource request paths.
	// "*" matches all paths
	// "/foo/*" matches all subpaths of foo
	NonResourcePath *string `json:"path"`
}
// policyList is the top-level value of a policy file: a JSON array of policy
// entries. Elements are pointers, so a JSON null inside the array decodes to
// a nil entry that consumers must skip or reject before dereferencing.
type policyList []*policy
// newFromFile opens the file at path and decodes its JSON content into a
// policyList.
//
// The error from os.Open or from the JSON decoder is returned as-is, together
// with a nil list. Only the first JSON value in the file is decoded; anything
// after it is not read.
//
// NOTE(review): the decoder runs with encoding/json defaults, so a key that
// matches no struct field is dropped without an error and a missing key
// leaves the corresponding pointer field nil. If this list feeds access
// decisions (as the field names suggest), a misspelled key loads silently;
// consider json.Decoder.DisallowUnknownFields and validating the decoded
// entries before use. The file should be writable only by trusted
// administrators.
func newFromFile(path string) (policyList, error) {
	f, err := os.Open(path)
	if err != nil {
		return nil, err
	}
	// The handle is only read from, so the Close result is not inspected.
	defer f.Close()

	var policies policyList
	if err := json.NewDecoder(bufio.NewReader(f)).Decode(&policies); err != nil {
		// Drop any partially decoded data instead of handing it to the caller.
		return nil, err
	}
	return policies, nil
}