registry: refactor verification to share common helper

openshift · Jan 20, 2017 · 03d2e03 · 03d2e03
1 parent adfa878
commit 03d2e03
Showing 1 changed file with 11 additions and 27 deletions.
diff --git a/pkg/dockerregistry/server/auth.go b/pkg/dockerregistry/server/auth.go
@@ -451,13 +451,13 @@ func verifyOpenShiftUser(ctx context.Context, client client.UsersInterface) erro
 	return nil
 }
 
-func verifyImageStreamAccess(ctx context.Context, namespace, imageRepo, verb string, client client.LocalSubjectAccessReviewsNamespacer) error {
+func verifyWithSAR(ctx context.Context, resource, namespace, name, verb string, client client.LocalSubjectAccessReviewsNamespacer) error {
 	sar := authorizationapi.LocalSubjectAccessReview{
 		Action: authorizationapi.Action{
 			Verb:         verb,
 			Group:        imageapi.GroupName,
-			Resource:     "imagestreams/layers",
-			ResourceName: imageRepo,
+			Resource:     resource,
+			ResourceName: name,
 		},
 	}
 	response, err := client.LocalSubjectAccessReviews(namespace).Create(&sar)
@@ -478,6 +478,14 @@ func verifyImageStreamAccess(ctx context.Context, namespace, imageRepo, verb str
 	return nil
 }
 
+func verifyImageStreamAccess(ctx context.Context, namespace, imageRepo, verb string, client client.LocalSubjectAccessReviewsNamespacer) error {
+	return verifyWithSAR(ctx, "imagestreams/layers", namespace, imageRepo, verb, client)
+}
+
+func verifyImageSignatureAccess(ctx context.Context, namespace, imageRepo string, client client.LocalSubjectAccessReviewsNamespacer) error {
+	return verifyWithSAR(ctx, "imagesignatures", namespace, imageRepo, "create", client)
+}
+
 func verifyPruneAccess(ctx context.Context, client client.SubjectAccessReviews) error {
 	sar := authorizationapi.SubjectAccessReview{
 		Action: authorizationapi.Action{
@@ -500,27 +508,3 @@ func verifyPruneAccess(ctx context.Context, client client.SubjectAccessReviews)
 	}
 	return nil
 }
-
-func verifyImageSignatureAccess(ctx context.Context, namespace, imageRepo string, client client.LocalSubjectAccessReviewsNamespacer) error {
-	sar := authorizationapi.LocalSubjectAccessReview{
-		Action: authorizationapi.Action{
-			Verb:         "create",
-			Group:        imageapi.GroupName,
-			Resource:     "imagesignatures",
-			ResourceName: imageRepo,
-		},
-	}
-	response, err := client.LocalSubjectAccessReviews(namespace).Create(&sar)
-	if err != nil {
-		context.GetLogger(ctx).Errorf("OpenShift client error: %s", err)
-		if kerrors.IsUnauthorized(err) || kerrors.IsForbidden(err) {
-			return ErrOpenShiftAccessDenied
-		}
-		return err
-	}
-	if !response.Allowed {
-		context.GetLogger(ctx).Errorf("OpenShift access denied: %s", response.Reason)
-		return ErrOpenShiftAccessDenied
-	}
-	return nil
-}