Update membership role filter to use new annotation

app/scripts/filters/resources.js

@@ -37,7 +37,8 @@ angular.module('openshiftConsole')
       "jenkinsLogURL":            ["openshift.io/jenkins-log-url"],
       "jenkinsStatus":            ["openshift.io/jenkins-status-json"],
       "idledAt":                  ["idling.alpha.openshift.io/idled-at"],
-      "idledPreviousScale":       ["idling.alpha.openshift.io/previous-scale"]
+      "idledPreviousScale":       ["idling.alpha.openshift.io/previous-scale"],
+      "systemOnly":               ["authorization.openshift.io/system-only"]
     };
     return function(annotationKey) {
       return annotationMap[annotationKey] || null;

app/scripts/services/membership/membership.js

@@ -114,18 +114,10 @@ angular
       return _.sortBy(roles, 'metadata.name');
     };
 
-    // TODO: follow-on PR, there will be an annotation for this
     var filterRoles = function(roles) {
       return _.filter(roles, function(item) {
-        // image-puller & image-pusher ok, other system: prob no
-        return (_.isEqual(item.metadata.name, 'system:image-puller')   ||
-                _.isEqual(item.metadata.name, 'system:image-pusher')   ||
-                _.isEqual(item.metadata.name, 'system:image-builder')  ||
-                _.isEqual(item.metadata.name, 'system:deployer')     ) ||
-                ! _.startsWith(item.metadata.name, 'cluster-') &&
-                ! _.startsWith(item.metadata.name, 'system:') &&
-                ! _.startsWith(item.metadata.name, 'registry-') &&
-                ! _.startsWith(item.metadata.name, 'self-');
+        // system-only must be explicitly <string> 'true' to hide the annotation
+        return annotation(item, 'systemOnly') !== 'true';
       });
     };
 

dist/scripts/scripts.js

@@ -2777,17 +2777,17 @@ b[a.tag] = b[a.tag] || {}, b[a.tag].name = a.tag, b[a.tag].status = angular.copy
 }
 };
 }), angular.module("openshiftConsole").factory("MembershipService", [ "$filter", function(a) {
-var b = (a("annotation"), function(a, b) {
+var b = a("annotation"), c = function(a, b) {
 return 1 === _.filter(b, function(b) {
 return _.some(b.subjects, {
 name:a
 });
 }).length;
-}), c = function() {
+}, d = function() {
 return _.reduce(_.slice(arguments), function(a, b, c) {
 return b ? _.isEqual(c, 0) ? b :a + "-" + b :a;
 }, "");
-}, d = function() {
+}, e = function() {
 return {
 User:{
 kind:"User",
@@ -2826,39 +2826,39 @@ name:"SystemGroup",
 subjects:{}
 }
 };
-}, e = function(a, b) {
-var e = _.reduce(a, function(a, d) {
-var e = c(d.roleRef.namespace ? "Role" :"ClusterRole", d.roleRef.name);
-return _.each(d.subjects, function(d) {
-var f = c(d.namespace, d.name);
-a[d.kind].subjects[f] || (a[d.kind].subjects[f] = {
-name:d.name,
-namespace:d.namespace,
+}, f = function(a, b) {
+var c = _.reduce(a, function(a, c) {
+var e = d(c.roleRef.namespace ? "Role" :"ClusterRole", c.roleRef.name);
+return _.each(c.subjects, function(c) {
+var f = d(c.namespace, c.name);
+a[c.kind].subjects[f] || (a[c.kind].subjects[f] = {
+name:c.name,
+namespace:c.namespace,
 roles:{}
-}), _.includes(a[d.kind].subjects[f].roles, e) || (a[d.kind].subjects[f].roles[e] = b[e]);
+}), _.includes(a[c.kind].subjects[f].roles, e) || (a[c.kind].subjects[f].roles[e] = b[e]);
 }), a;
-}, d());
-return _.sortBy(e, "sortOrder");
-}, f = function(a) {
-return _.sortBy(a, "metadata.name");
+}, e());
+return _.sortBy(c, "sortOrder");
 }, g = function(a) {
+return _.sortBy(a, "metadata.name");
+}, h = function(a) {
 return _.filter(a, function(a) {
-return _.isEqual(a.metadata.name, "system:image-puller") || _.isEqual(a.metadata.name, "system:image-pusher") || _.isEqual(a.metadata.name, "system:image-builder") || _.isEqual(a.metadata.name, "system:deployer") || !_.startsWith(a.metadata.name, "cluster-") && !_.startsWith(a.metadata.name, "system:") && !_.startsWith(a.metadata.name, "registry-") && !_.startsWith(a.metadata.name, "self-");
+return "true" !== b(a, "systemOnly");
 });
-}, h = function(a) {
+}, i = function(a) {
 return _.reduce(a, function(a, b) {
-return a[c(b.kind, b.metadata.name)] = b, a;
+return a[d(b.kind, b.metadata.name)] = b, a;
 }, {});
-}, i = function(a, b) {
-return _.merge(h(a), h(b));
+}, j = function(a, b) {
+return _.merge(i(a), i(b));
 };
 return {
-sortRoles:f,
-filterRoles:g,
-mapRolesForUI:i,
-isLastRole:b,
-getSubjectKinds:d,
-mapRolebindingsForUI:e
+sortRoles:g,
+filterRoles:h,
+mapRolesForUI:j,
+isLastRole:c,
+getSubjectKinds:e,
+mapRolebindingsForUI:f
 };
 } ]), angular.module("openshiftConsole").factory("RolesService", [ "$q", "DataService", function(a, b) {
 var c = function(c) {
@@ -13639,7 +13639,8 @@ jenkinsBuildURL:[ "openshift.io/jenkins-build-uri" ],
 jenkinsLogURL:[ "openshift.io/jenkins-log-url" ],
 jenkinsStatus:[ "openshift.io/jenkins-status-json" ],
 idledAt:[ "idling.alpha.openshift.io/idled-at" ],
-idledPreviousScale:[ "idling.alpha.openshift.io/previous-scale" ]
+idledPreviousScale:[ "idling.alpha.openshift.io/previous-scale" ],
+systemOnly:[ "authorization.openshift.io/system-only" ]
 };
 return function(b) {
 return a[b] || null;

test/spec/services/membership/membershipSpec.js

@@ -86,28 +86,26 @@ describe('MembershipService', function() {
   describe('#filterRoles', function() {
     it('should filter out system-only roles', function() {
       var fakeList = [
-        // specific roles filter will explicitly pass
-        {metadata: {name: 'system:image-puller'}},
-        {metadata: {name: 'system:image-pusher'}},
-        {metadata: {name: 'system:image-builder'}},
-        {metadata: {name: 'system:deployer'}},
-        // roles the filter will explicitly reject
-        {metadata: {name: 'cluster-magical-scary-role'}},
-        {metadata: {name: 'system:special-scary-role'}},
-        {metadata: {name: 'registry-ninja'}},
-        {metadata: {name: 'self-destruction'}},
-        // ignored
-        {metadata: {name: 'admin'}},
-        {metadata: {name: 'edit'}}
+        // the string 'true' is the only acceptable value for 'authorization.openshift.io/system-only'
+        {metadata: {name: 'system-only-role', annotations: {'authorization.openshift.io/system-only': 'true'}}},
+        // the rest of these will not be filtered
+        {metadata: {name: 'system-only-role2', annotations: {'authorization.openshift.io/system-only': 'false'}}},
+        {metadata: {name: 'system-only-role3', annotations: {'authorization.openshift.io/system-only': 'show'}}},
+        {metadata: {name: 'system-only-role4', annotations: {'authorization.openshift.io/system-only': ''}}},
+        {metadata: {name: 'system-only-role5', annotations: {'authorization.openshift.io/system-only': undefined}}},
+        {metadata: {name: 'system-only-role6', annotations: {'authorization.openshift.io/system-only': null}}},
+        {metadata : {name : 'not-system-only'}},
+        {metadata : {name : 'the-other-not-system-only' }}
       ];
 
       expect(MembershipService.filterRoles(fakeList)).toEqual([
-        {metadata : {name : 'system:image-puller'}},
-        {metadata : {name : 'system:image-pusher' }},
-        {metadata : {name : 'system:image-builder'}},
-        {metadata : {name : 'system:deployer'}},
-        {metadata : {name : 'admin'}},
-        {metadata : {name : 'edit'}}
+        {metadata: {name: 'system-only-role2', annotations: {'authorization.openshift.io/system-only': 'false'}}},
+        {metadata: {name: 'system-only-role3', annotations: {'authorization.openshift.io/system-only': 'show'}}},
+        {metadata: {name: 'system-only-role4', annotations: {'authorization.openshift.io/system-only': ''}}},
+        {metadata: {name: 'system-only-role5', annotations: {'authorization.openshift.io/system-only': undefined}}},
+        {metadata: {name: 'system-only-role6', annotations: {'authorization.openshift.io/system-only': null}}},
+        {metadata : {name : 'not-system-only'}},
+        {metadata : {name : 'the-other-not-system-only' }}
       ]);
     });
   });