diff --git a/pkg/authorization/api/deep_copy_generated.go b/pkg/authorization/api/deep_copy_generated.go index 96dd1b2e006a..20afd7be9cf8 100644 --- a/pkg/authorization/api/deep_copy_generated.go +++ b/pkg/authorization/api/deep_copy_generated.go @@ -14,7 +14,7 @@ import ( func init() { if err := api.Scheme.AddGeneratedDeepCopyFuncs( - DeepCopy_api_AuthorizationAttributes, + DeepCopy_api_Action, DeepCopy_api_ClusterPolicy, DeepCopy_api_ClusterPolicyBinding, DeepCopy_api_ClusterPolicyBindingList, @@ -48,7 +48,7 @@ func init() { } } -func DeepCopy_api_AuthorizationAttributes(in AuthorizationAttributes, out *AuthorizationAttributes, c *conversion.Cloner) error { +func DeepCopy_api_Action(in Action, out *Action, c *conversion.Cloner) error { out.Namespace = in.Namespace out.Verb = in.Verb out.Group = in.Group @@ -77,7 +77,7 @@ func DeepCopy_api_ClusterPolicy(in ClusterPolicy, out *ClusterPolicy, c *convers } if in.Roles != nil { in, out := in.Roles, &out.Roles - *out = make(map[string]*ClusterRole) + *out = make(ClusterRolesByName) for key, val := range in { if newVal, err := c.DeepCopy(val); err != nil { return err @@ -106,7 +106,7 @@ func DeepCopy_api_ClusterPolicyBinding(in ClusterPolicyBinding, out *ClusterPoli } if in.RoleBindings != nil { in, out := in.RoleBindings, &out.RoleBindings - *out = make(map[string]*ClusterRoleBinding) + *out = make(ClusterRoleBindingsByName) for key, val := range in { if newVal, err := c.DeepCopy(val); err != nil { return err @@ -260,7 +260,7 @@ func DeepCopy_api_LocalResourceAccessReview(in LocalResourceAccessReview, out *L if err := unversioned.DeepCopy_unversioned_TypeMeta(in.TypeMeta, &out.TypeMeta, c); err != nil { return err } - if err := DeepCopy_api_AuthorizationAttributes(in.Action, &out.Action, c); err != nil { + if err := DeepCopy_api_Action(in.Action, &out.Action, c); err != nil { return err } return nil 
@@ -270,7 +270,7 @@ func DeepCopy_api_LocalSubjectAccessReview(in LocalSubjectAccessReview, out *Loc if err := unversioned.DeepCopy_unversioned_TypeMeta(in.TypeMeta, &out.TypeMeta, c); err != nil { return err } - if err := DeepCopy_api_AuthorizationAttributes(in.Action, &out.Action, c); err != nil { + if err := DeepCopy_api_Action(in.Action, &out.Action, c); err != nil { return err } out.User = in.User @@ -309,7 +309,7 @@ func DeepCopy_api_Policy(in Policy, out *Policy, c *conversion.Cloner) error { } if in.Roles != nil { in, out := in.Roles, &out.Roles - *out = make(map[string]*Role) + *out = make(RolesByName) for key, val := range in { if newVal, err := c.DeepCopy(val); err != nil { return err @@ -338,7 +338,7 @@ func DeepCopy_api_PolicyBinding(in PolicyBinding, out *PolicyBinding, c *convers } if in.RoleBindings != nil { in, out := in.RoleBindings, &out.RoleBindings - *out = make(map[string]*RoleBinding) + *out = make(RoleBindingsByName) for key, val := range in { if newVal, err := c.DeepCopy(val); err != nil { return err @@ -468,7 +468,7 @@ func DeepCopy_api_ResourceAccessReview(in ResourceAccessReview, out *ResourceAcc if err := unversioned.DeepCopy_unversioned_TypeMeta(in.TypeMeta, &out.TypeMeta, c); err != nil { return err } - if err := DeepCopy_api_AuthorizationAttributes(in.Action, &out.Action, c); err != nil { + if err := DeepCopy_api_Action(in.Action, &out.Action, c); err != nil { return err } return nil @@ -624,7 +624,7 @@ func DeepCopy_api_SubjectAccessReview(in SubjectAccessReview, out *SubjectAccess if err := unversioned.DeepCopy_unversioned_TypeMeta(in.TypeMeta, &out.TypeMeta, c); err != nil { return err } - if err := DeepCopy_api_AuthorizationAttributes(in.Action, &out.Action, c); err != nil { + if err := DeepCopy_api_Action(in.Action, &out.Action, c); err != nil { return err } out.User = in.User diff --git a/pkg/authorization/api/types.go b/pkg/authorization/api/types.go index c0e423dc8426..6d3c6d6a166d 100644 --- a/pkg/authorization/api/types.go 
+++ b/pkg/authorization/api/types.go @@ -105,6 +105,8 @@ type RoleBinding struct { RoleRef kapi.ObjectReference } +type RolesByName map[string]*Role + // +genclient=true // Policy is a object that holds all the Roles for a particular namespace. There is at most @@ -117,9 +119,11 @@ type Policy struct { LastModified unversioned.Time // Roles holds all the Roles held by this Policy, mapped by Role.Name - Roles map[string]*Role + Roles RolesByName } +type RoleBindingsByName map[string]*RoleBinding + // PolicyBinding is a object that holds all the RoleBindings for a particular namespace. There is // one PolicyBinding document per referenced Policy namespace type PolicyBinding struct { @@ -133,7 +137,7 @@ type PolicyBinding struct { // PolicyRef is a reference to the Policy that contains all the Roles that this PolicyBinding's RoleBindings may reference PolicyRef kapi.ObjectReference // RoleBindings holds all the RoleBindings held by this PolicyBinding, mapped by RoleBinding.Name - RoleBindings map[string]*RoleBinding + RoleBindings RoleBindingsByName } // SelfSubjectRulesReview is a resource you can create to determine which actions you can perform in a namespace @@ -171,8 +175,10 @@ type ResourceAccessReviewResponse struct { // Namespace is the namespace used for the access review Namespace string // Users is the list of users who can perform the action + // +genconversion=false Users sets.String // Groups is the list of groups who can perform the action + // +genconversion=false Groups sets.String // EvaluationError is an indication that some error occurred during resolution, but partial results can still be returned. @@ -187,7 +193,7 @@ type ResourceAccessReview struct { unversioned.TypeMeta // Action describes the action being tested - Action AuthorizationAttributes + Action } // SubjectAccessReviewResponse describes whether or not a user or group can perform an action 
@@ -207,10 +213,11 @@ type SubjectAccessReview struct { unversioned.TypeMeta // Action describes the action being tested - Action AuthorizationAttributes + Action // User is optional. If both User and Groups are empty, the current authenticated user is used. User string // Groups is optional. Groups is the list of groups to which the User belongs. + // +genconversion=false Groups sets.String // Scopes to use for the evaluation. Empty means "use the unscoped (full) permissions of the user/groups". // Nil for a self-SAR, means "use the scopes on this request". @@ -223,7 +230,7 @@ type LocalResourceAccessReview struct { unversioned.TypeMeta // Action describes the action being tested - Action AuthorizationAttributes + Action } // LocalSubjectAccessReview is an object for requesting information about whether a user or group can perform an action in a particular namespace @@ -231,10 +238,11 @@ type LocalSubjectAccessReview struct { unversioned.TypeMeta // Action describes the action being tested. The Namespace element is FORCED to the current namespace. - Action AuthorizationAttributes + Action // User is optional. If both User and Groups are empty, the current authenticated user is used. User string // Groups is optional. Groups is the list of groups to which the User belongs. + // +genconversion=false Groups sets.String // Scopes to use for the evaluation. Empty means "use the unscoped (full) permissions of the user/groups". // Nil for a self-SAR, means "use the scopes on this request". @@ -242,8 +250,8 @@ type LocalSubjectAccessReview struct { Scopes []string } -// AuthorizationAttributes describes a request to be authorized -type AuthorizationAttributes struct { +// Action describes a request to be authorized +type Action struct { // Namespace is the namespace of the action being requested. Currently, there is no distinction between no namespace and all namespaces Namespace string // Verb is one of: get, list, watch, create, update, delete 
@@ -327,6 +335,8 @@ type ClusterRoleBinding struct { RoleRef kapi.ObjectReference } +type ClusterRolesByName map[string]*ClusterRole + // ClusterPolicy is a object that holds all the ClusterRoles for a particular namespace. There is at most // one ClusterPolicy document per namespace. type ClusterPolicy struct { @@ -338,9 +348,11 @@ type ClusterPolicy struct { LastModified unversioned.Time // Roles holds all the ClusterRoles held by this ClusterPolicy, mapped by Role.Name - Roles map[string]*ClusterRole + Roles ClusterRolesByName } +type ClusterRoleBindingsByName map[string]*ClusterRoleBinding + // ClusterPolicyBinding is a object that holds all the ClusterRoleBindings for a particular namespace. There is // one ClusterPolicyBinding document per referenced ClusterPolicy namespace type ClusterPolicyBinding struct { @@ -354,7 +366,7 @@ type ClusterPolicyBinding struct { // ClusterPolicyRef is a reference to the ClusterPolicy that contains all the ClusterRoles that this ClusterPolicyBinding's RoleBindings may reference PolicyRef kapi.ObjectReference // RoleBindings holds all the RoleBindings held by this ClusterPolicyBinding, mapped by RoleBinding.Name - RoleBindings map[string]*ClusterRoleBinding + RoleBindings ClusterRoleBindingsByName } // ClusterPolicyList is a collection of ClusterPolicies diff --git a/pkg/authorization/api/v1/conversion.go b/pkg/authorization/api/v1/conversion.go index db94ab15177c..a87673332134 100644 --- a/pkg/authorization/api/v1/conversion.go +++ b/pkg/authorization/api/v1/conversion.go 
@@ -8,126 +8,63 @@ import ( "k8s.io/kubernetes/pkg/util/sets" oapi "github.com/openshift/origin/pkg/api" - "github.com/openshift/origin/pkg/api/extension" newer "github.com/openshift/origin/pkg/authorization/api" uservalidation "github.com/openshift/origin/pkg/user/api/validation" ) -func Convert_v1_ResourceAccessReview_To_api_ResourceAccessReview(in *ResourceAccessReview, out *newer.ResourceAccessReview, s conversion.Scope) error { - if err := s.DefaultConvert(in, out, conversion.IgnoreMissingFields); err != nil { - return err - } - if err := s.DefaultConvert(&in.AuthorizationAttributes, &out.Action, conversion.IgnoreMissingFields); err != nil { - return err - } - - return nil -} - -func Convert_api_ResourceAccessReview_To_v1_ResourceAccessReview(in *newer.ResourceAccessReview, out *ResourceAccessReview, s conversion.Scope) error { - if err := s.DefaultConvert(in, out, conversion.IgnoreMissingFields); err != nil { - return err - } - if err := s.DefaultConvert(&in.Action, &out.AuthorizationAttributes, conversion.IgnoreMissingFields); err != nil { - return err - } - - return nil -} - -func Convert_v1_LocalResourceAccessReview_To_api_LocalResourceAccessReview(in *LocalResourceAccessReview, out *newer.LocalResourceAccessReview, s conversion.Scope) error { - if err := s.DefaultConvert(in, out, conversion.IgnoreMissingFields); err != nil { - return err - } - if err := s.DefaultConvert(&in.AuthorizationAttributes, &out.Action, conversion.IgnoreMissingFields); err != nil { - return err - } - - return nil -} - -func Convert_api_LocalResourceAccessReview_To_v1_LocalResourceAccessReview(in *newer.LocalResourceAccessReview, out *LocalResourceAccessReview, s conversion.Scope) error { - if err := s.DefaultConvert(in, out, conversion.IgnoreMissingFields); err != nil { - return err - } - if err := s.DefaultConvert(&in.Action, &out.AuthorizationAttributes, conversion.IgnoreMissingFields); err != nil { - return err - } - - return nil -} - func 
Convert_v1_SubjectAccessReview_To_api_SubjectAccessReview(in *SubjectAccessReview, out *newer.SubjectAccessReview, s conversion.Scope) error { - if err := s.DefaultConvert(in, out, conversion.IgnoreMissingFields); err != nil { - return err - } - if err := s.DefaultConvert(&in.AuthorizationAttributes, &out.Action, conversion.IgnoreMissingFields); err != nil { + if err := autoConvert_v1_SubjectAccessReview_To_api_SubjectAccessReview(in, out, s); err != nil { return err } out.Groups = sets.NewString(in.GroupsSlice...) - return nil } func Convert_api_SubjectAccessReview_To_v1_SubjectAccessReview(in *newer.SubjectAccessReview, out *SubjectAccessReview, s conversion.Scope) error { - if err := s.DefaultConvert(in, out, conversion.IgnoreMissingFields); err != nil { - return err - } - if err := s.DefaultConvert(&in.Action, &out.AuthorizationAttributes, conversion.IgnoreMissingFields); err != nil { + if err := autoConvert_api_SubjectAccessReview_To_v1_SubjectAccessReview(in, out, s); err != nil { return err } out.GroupsSlice = in.Groups.List() - return nil } func Convert_v1_LocalSubjectAccessReview_To_api_LocalSubjectAccessReview(in *LocalSubjectAccessReview, out *newer.LocalSubjectAccessReview, s conversion.Scope) error { - if err := s.DefaultConvert(in, out, conversion.IgnoreMissingFields); err != nil { - return err - } - if err := s.DefaultConvert(&in.AuthorizationAttributes, &out.Action, conversion.IgnoreMissingFields); err != nil { + if err := autoConvert_v1_LocalSubjectAccessReview_To_api_LocalSubjectAccessReview(in, out, s); err != nil { return err } out.Groups = sets.NewString(in.GroupsSlice...) 
- return nil } func Convert_api_LocalSubjectAccessReview_To_v1_LocalSubjectAccessReview(in *newer.LocalSubjectAccessReview, out *LocalSubjectAccessReview, s conversion.Scope) error { - if err := s.DefaultConvert(in, out, conversion.IgnoreMissingFields); err != nil { - return err - } - if err := s.DefaultConvert(&in.Action, &out.AuthorizationAttributes, conversion.IgnoreMissingFields); err != nil { + if err := autoConvert_api_LocalSubjectAccessReview_To_v1_LocalSubjectAccessReview(in, out, s); err != nil { return err } out.GroupsSlice = in.Groups.List() - return nil } func Convert_v1_ResourceAccessReviewResponse_To_api_ResourceAccessReviewResponse(in *ResourceAccessReviewResponse, out *newer.ResourceAccessReviewResponse, s conversion.Scope) error { - if err := s.DefaultConvert(in, out, conversion.IgnoreMissingFields); err != nil { + if err := autoConvert_v1_ResourceAccessReviewResponse_To_api_ResourceAccessReviewResponse(in, out, s); err != nil { return err } out.Users = sets.NewString(in.UsersSlice...) out.Groups = sets.NewString(in.GroupsSlice...) - return nil } func Convert_api_ResourceAccessReviewResponse_To_v1_ResourceAccessReviewResponse(in *newer.ResourceAccessReviewResponse, out *ResourceAccessReviewResponse, s conversion.Scope) error { - if err := s.DefaultConvert(in, out, conversion.IgnoreMissingFields); err != nil { + if err := autoConvert_api_ResourceAccessReviewResponse_To_v1_ResourceAccessReviewResponse(in, out, s); err != nil { return err } out.UsersSlice = in.Users.List() out.GroupsSlice = in.Groups.List() - return nil } 
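Review bot: The hand-written SubjectAccessReview, LocalSubjectAccessReview and ResourceAccessReviewResponse conversions now exist only to bridge `sets.String` to the `GroupsSlice`/`UsersSlice` fields, but nothing in the file says so, and the next person re-running the generator may be tempted to delete them. A one-line comment above each, e.g. `// Groups is a sets.String tagged +genconversion=false, so it is copied by hand after the generated autoConvert.`, would record why the `autoConvert_*` call alone is not sufficient. As far as the hunk shows, `sets.NewString(in.GroupsSlice...)` on a nil slice and `in.Groups.List()` on a nil set both yield empty, non-nil results, so nil and empty are conflated in both directions, which appears to match the earlier DefaultConvert behaviour. The explicit Action sub-conversion that was removed is now left to the generated autoConvert functions, which are not visible in this hunk.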
@@ -173,19 +110,17 @@ func Convert_api_PolicyRule_To_v1_PolicyRule(in *newer.PolicyRule, out *PolicyRu } func Convert_v1_Policy_To_api_Policy(in *Policy, out *newer.Policy, s conversion.Scope) error { - out.LastModified = in.LastModified - out.Roles = make(map[string]*newer.Role) - return s.DefaultConvert(in, out, conversion.IgnoreMissingFields) -} - -func Convert_api_Policy_To_v1_Policy(in *newer.Policy, out *Policy, s conversion.Scope) error { - out.LastModified = in.LastModified - out.Roles = make([]NamedRole, 0, 0) - return s.DefaultConvert(in, out, conversion.IgnoreMissingFields) + if err := autoConvert_v1_Policy_To_api_Policy(in, out, s); err != nil { + return err + } + if out.Roles == nil { + out.Roles = make(map[string]*newer.Role) + } + return nil } func Convert_v1_RoleBinding_To_api_RoleBinding(in *RoleBinding, out *newer.RoleBinding, s conversion.Scope) error { - if err := s.DefaultConvert(in, out, conversion.IgnoreMissingFields|conversion.AllowDifferentFieldTypeNames); err != nil { + if err := autoConvert_v1_RoleBinding_To_api_RoleBinding(in, out, s); err != nil { return err } @@ -200,7 +135,7 @@ func Convert_v1_RoleBinding_To_api_RoleBinding(in *RoleBinding, out *newer.RoleB } func Convert_api_RoleBinding_To_v1_RoleBinding(in *newer.RoleBinding, out *RoleBinding, s conversion.Scope) error { - if err := s.DefaultConvert(in, out, conversion.IgnoreMissingFields|conversion.AllowDifferentFieldTypeNames); err != nil { + if err := autoConvert_api_RoleBinding_To_v1_RoleBinding(in, out, s); err != nil { return err } 
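Review bot: The post-conversion guard `if out.Roles == nil { out.Roles = make(map[string]*newer.Role) }` is only reachable if the generated autoConvert skips the Roles field, because `Convert_v1_NamedRoles_To_api_RolesByName` already allocates the map when it is nil; if the generator always calls it this is dead code and should either go or carry a comment naming the case it covers. More important is the direction that left this file: the old `Convert_api_Policy_To_v1_Policy` preallocated `out.Roles = make([]NamedRole, 0, 0)`, so a Policy with no roles serialized as an empty list, whereas the generated replacement (not visible here) will leave a nil slice unless it preallocates, turning the wire form into `null`. If clients or tests compare against `roles: []`, that is a compatibility change worth pinning with a round-trip test on an empty Policy. Minor: `make(map[string]*newer.Role)` can now be written `make(newer.RolesByName)` to match the named type introduced elsewhere in the diff.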
@@ -210,32 +145,28 @@ func Convert_api_RoleBinding_To_v1_RoleBinding(in *newer.RoleBinding, out *RoleB } func Convert_v1_PolicyBinding_To_api_PolicyBinding(in *PolicyBinding, out *newer.PolicyBinding, s conversion.Scope) error { - out.LastModified = in.LastModified - out.RoleBindings = make(map[string]*newer.RoleBinding) - return s.DefaultConvert(in, out, conversion.IgnoreMissingFields) -} - -func Convert_api_PolicyBinding_To_v1_PolicyBinding(in *newer.PolicyBinding, out *PolicyBinding, s conversion.Scope) error { - out.LastModified = in.LastModified - out.RoleBindings = make([]NamedRoleBinding, 0, 0) - return s.DefaultConvert(in, out, conversion.IgnoreMissingFields) + if err := autoConvert_v1_PolicyBinding_To_api_PolicyBinding(in, out, s); err != nil { + return err + } + if out.RoleBindings == nil { + out.RoleBindings = make(map[string]*newer.RoleBinding) + } + return nil } // and now the globals func Convert_v1_ClusterPolicy_To_api_ClusterPolicy(in *ClusterPolicy, out *newer.ClusterPolicy, s conversion.Scope) error { - out.LastModified = in.LastModified - out.Roles = make(map[string]*newer.ClusterRole) - return s.DefaultConvert(in, out, conversion.IgnoreMissingFields) -} - -func Convert_api_ClusterPolicy_To_v1_ClusterPolicy(in *newer.ClusterPolicy, out *ClusterPolicy, s conversion.Scope) error { - out.LastModified = in.LastModified - out.Roles = make([]NamedClusterRole, 0, 0) - return s.DefaultConvert(in, out, conversion.IgnoreMissingFields) + if err := autoConvert_v1_ClusterPolicy_To_api_ClusterPolicy(in, out, s); err != nil { + return err + } + if out.Roles == nil { + out.Roles = make(map[string]*newer.ClusterRole) + } + return nil } func Convert_v1_ClusterRoleBinding_To_api_ClusterRoleBinding(in *ClusterRoleBinding, out *newer.ClusterRoleBinding, s conversion.Scope) error { - if err := s.DefaultConvert(in, out, conversion.IgnoreMissingFields|conversion.AllowDifferentFieldTypeNames); err != nil { + if err := 
autoConvert_v1_ClusterRoleBinding_To_api_ClusterRoleBinding(in, out, s); err != nil { return err } @@ -250,7 +181,7 @@ func Convert_v1_ClusterRoleBinding_To_api_ClusterRoleBinding(in *ClusterRoleBind } func Convert_api_ClusterRoleBinding_To_v1_ClusterRoleBinding(in *newer.ClusterRoleBinding, out *ClusterRoleBinding, s conversion.Scope) error { - if err := s.DefaultConvert(in, out, conversion.IgnoreMissingFields|conversion.AllowDifferentFieldTypeNames); err != nil { + if err := autoConvert_api_ClusterRoleBinding_To_v1_ClusterRoleBinding(in, out, s); err != nil { return err } 
@@ -260,21 +191,23 @@ func Convert_api_ClusterRoleBinding_To_v1_ClusterRoleBinding(in *newer.ClusterRo } func Convert_v1_ClusterPolicyBinding_To_api_ClusterPolicyBinding(in *ClusterPolicyBinding, out *newer.ClusterPolicyBinding, s conversion.Scope) error { - out.LastModified = in.LastModified - out.RoleBindings = make(map[string]*newer.ClusterRoleBinding) - return s.DefaultConvert(in, out, conversion.IgnoreMissingFields) + if err := autoConvert_v1_ClusterPolicyBinding_To_api_ClusterPolicyBinding(in, out, s); err != nil { + return err + } + if out.RoleBindings == nil { + out.RoleBindings = make(map[string]*newer.ClusterRoleBinding) + } + return nil } -func Convert_api_ClusterPolicyBinding_To_v1_ClusterPolicyBinding(in *newer.ClusterPolicyBinding, out *ClusterPolicyBinding, s conversion.Scope) error { - out.LastModified = in.LastModified - out.RoleBindings = make([]NamedClusterRoleBinding, 0, 0) - return s.DefaultConvert(in, out, conversion.IgnoreMissingFields) -} +func Convert_v1_NamedRoles_To_api_RolesByName(in *NamedRoles, out *newer.RolesByName, s conversion.Scope) error { + if *out == nil { + *out = make(newer.RolesByName) + } -func Convert_v1_NamedRoleArray_to_api_RoleArray(in *[]NamedRole, out *map[string]*newer.Role, s conversion.Scope) error { for _, curr := range *in { newRole := &newer.Role{} - if err := s.Convert(&curr.Role, newRole, 0); err != nil { + if err := Convert_v1_Role_To_api_Role(&curr.Role, newRole, s); err != nil { return err } (*out)[curr.Name] = newRole @@ -282,7 +215,7 @@ func Convert_v1_NamedRoleArray_to_api_RoleArray(in *[]NamedRole, out *map[string return nil } -func Convert_api_NamedRoleArray_to_v1_RoleArray(in *map[string]*newer.Role, out *[]NamedRole, s conversion.Scope) error { +func Convert_api_RolesByName_To_v1_NamedRoles(in *newer.RolesByName, out *NamedRoles, s conversion.Scope) error { allKeys := make([]string, 0, len(*in)) for key := range *in { allKeys = append(allKeys, key) 
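Review bot: `Convert_v1_NamedRoles_To_api_RolesByName` now merges into `*out` when it is already non-nil instead of starting from a fresh map, a change from the old path where `Convert_v1_Policy_To_api_Policy` did `out.Roles = make(...)` before every conversion; a target object reused across decodes would keep stale roles that no longer exist in the v1 input, and for an authorization object that means a deleted role could survive. Unless callers are known to always pass a zeroed target, allocating unconditionally with `*out = make(newer.RolesByName, len(*in))` restores the previous semantics and presizes the map. Separately, duplicate `Name` values in the v1 slice resolve silently last-wins at `(*out)[curr.Name] = newRole`, and the key is `curr.Name` rather than the converted role's own `ObjectMeta.Name`; if validation does not already require those to agree and be unique, returning an error on a duplicate key would be safer than a silent overwrite.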
@@ -292,7 +225,7 @@ func Convert_api_NamedRoleArray_to_v1_RoleArray(in *map[string]*newer.Role, out for _, key := range allKeys { newRole := (*in)[key] oldRole := &Role{} - if err := s.Convert(newRole, oldRole, 0); err != nil { + if err := Convert_api_Role_To_v1_Role(newRole, oldRole, s); err != nil { return err } @@ -303,10 +236,13 @@ func Convert_api_NamedRoleArray_to_v1_RoleArray(in *map[string]*newer.Role, out return nil } -func Convert_v1_NamedRoleBindingArray_to_api_RoleBindingArray(in *[]NamedRoleBinding, out *map[string]*newer.RoleBinding, s conversion.Scope) error { +func Convert_v1_NamedRoleBindings_To_api_RoleBindingsByName(in *NamedRoleBindings, out *newer.RoleBindingsByName, s conversion.Scope) error { + if *out == nil { + *out = make(newer.RoleBindingsByName) + } for _, curr := range *in { newRoleBinding := &newer.RoleBinding{} - if err := s.Convert(&curr.RoleBinding, newRoleBinding, 0); err != nil { + if err := Convert_v1_RoleBinding_To_api_RoleBinding(&curr.RoleBinding, newRoleBinding, s); err != nil { return err } (*out)[curr.Name] = newRoleBinding @@ -314,7 +250,7 @@ func Convert_v1_NamedRoleBindingArray_to_api_RoleBindingArray(in *[]NamedRoleBin return nil } -func Convert_api_RoleBindingArray_to_v1_NamedRoleBindingArray(in *map[string]*newer.RoleBinding, out *[]NamedRoleBinding, s conversion.Scope) error { +func Convert_api_RoleBindingsByName_To_v1_NamedRoleBindings(in *newer.RoleBindingsByName, out *NamedRoleBindings, s conversion.Scope) error { allKeys := make([]string, 0, len(*in)) for key := range *in { allKeys = append(allKeys, key) @@ -324,7 +260,7 @@ func Convert_api_RoleBindingArray_to_v1_NamedRoleBindingArray(in *map[string]*ne for _, key := range allKeys { newRoleBinding := (*in)[key] oldRoleBinding := &RoleBinding{} - if err := s.Convert(newRoleBinding, oldRoleBinding, 0); err != nil { + if err := Convert_api_RoleBinding_To_v1_RoleBinding(newRoleBinding, oldRoleBinding, s); err != nil { return err } 
@@ -335,10 +271,13 @@ func Convert_api_RoleBindingArray_to_v1_NamedRoleBindingArray(in *map[string]*ne return nil } -func Convert_v1_NamedClusterRoleArray_to_api_ClusterRoleArray(in *[]NamedClusterRole, out *map[string]*newer.ClusterRole, s conversion.Scope) error { +func Convert_v1_NamedClusterRoles_To_api_ClusterRolesByName(in *NamedClusterRoles, out *newer.ClusterRolesByName, s conversion.Scope) error { + if *out == nil { + *out = make(newer.ClusterRolesByName) + } for _, curr := range *in { newRole := &newer.ClusterRole{} - if err := s.Convert(&curr.Role, newRole, 0); err != nil { + if err := Convert_v1_ClusterRole_To_api_ClusterRole(&curr.Role, newRole, s); err != nil { return err } (*out)[curr.Name] = newRole @@ -346,7 +285,7 @@ func Convert_v1_NamedClusterRoleArray_to_api_ClusterRoleArray(in *[]NamedCluster return nil } -func Convert_api_ClusterRoleArray_to_v1_NamedClusterRoleArray(in *map[string]*newer.ClusterRole, out *[]NamedClusterRole, s conversion.Scope) error { +func Convert_api_ClusterRolesByName_To_v1_NamedClusterRoles(in *newer.ClusterRolesByName, out *NamedClusterRoles, s conversion.Scope) error { allKeys := make([]string, 0, len(*in)) for key := range *in { allKeys = append(allKeys, key) @@ -356,7 +295,7 @@ func Convert_api_ClusterRoleArray_to_v1_NamedClusterRoleArray(in *map[string]*ne for _, key := range allKeys { newRole := (*in)[key] oldRole := &ClusterRole{} - if err := s.Convert(newRole, oldRole, 0); err != nil { + if err := Convert_api_ClusterRole_To_v1_ClusterRole(newRole, oldRole, s); err != nil { return err } 
@@ -366,18 +305,20 @@ func Convert_api_ClusterRoleArray_to_v1_NamedClusterRoleArray(in *map[string]*ne return nil } -func Convert_v1_NamedClusterRoleBindingArray_to_ClusterRoleBindingArray(in *[]NamedClusterRoleBinding, out *map[string]*newer.ClusterRoleBinding, s conversion.Scope) error { +func Convert_v1_NamedClusterRoleBindings_To_api_ClusterRoleBindingsByName(in *NamedClusterRoleBindings, out *newer.ClusterRoleBindingsByName, s conversion.Scope) error { + if *out == nil { + *out = make(newer.ClusterRoleBindingsByName) + } for _, curr := range *in { newRoleBinding := &newer.ClusterRoleBinding{} - if err := s.Convert(&curr.RoleBinding, newRoleBinding, 0); err != nil { + if err := Convert_v1_ClusterRoleBinding_To_api_ClusterRoleBinding(&curr.RoleBinding, newRoleBinding, s); err != nil { return err } (*out)[curr.Name] = newRoleBinding } - return nil } -func Convert_api_ClusterRoleBindingArray_to_v1_NamedClusterRoleBindingArray(in *map[string]*newer.ClusterRoleBinding, out *[]NamedClusterRoleBinding, s conversion.Scope) error { +func Convert_api_ClusterRoleBindingsByName_To_v1_NamedClusterRoleBindings(in *newer.ClusterRoleBindingsByName, out *NamedClusterRoleBindings, s conversion.Scope) error { allKeys := make([]string, 0, len(*in)) for key := range *in { allKeys = append(allKeys, key) @@ -387,7 +328,7 @@ func Convert_api_ClusterRoleBindingArray_to_v1_NamedClusterRoleBindingArray(in * for _, key := range allKeys { newRoleBinding := (*in)[key] oldRoleBinding := &ClusterRoleBinding{} - if err := s.Convert(newRoleBinding, oldRoleBinding, 0); err != nil { + if err := Convert_api_ClusterRoleBinding_To_v1_ClusterRoleBinding(newRoleBinding, oldRoleBinding, s); err != nil { return err } 
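Review bot: For cluster role bindings the nil-check-then-merge shape means that when `*out` already holds entries, bindings absent from the v1 input are retained rather than dropped, and this is the cluster-scoped grant object where a stale entry is most costly. The old `Convert_v1_ClusterPolicyBinding_To_api_ClusterPolicyBinding` guaranteed a fresh map on every call; `*out = make(newer.ClusterRoleBindingsByName, len(*in))` would keep that guarantee and presize the map at the same time. Two `NamedClusterRoleBinding` entries with the same `Name` collapse last-wins at `(*out)[curr.Name] = newRoleBinding`; if the validation layer does not already reject duplicates, returning an error here would make a malformed document fail instead of silently keeping one of the two bindings.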
@@ -400,15 +341,6 @@ func Convert_api_ClusterRoleBindingArray_to_v1_NamedClusterRoleBindingArray(in * func addConversionFuncs(scheme *runtime.Scheme) { err := scheme.AddConversionFuncs( - Convert_v1_NamedRoleArray_to_api_RoleArray, - Convert_api_NamedRoleArray_to_v1_RoleArray, - Convert_v1_NamedRoleBindingArray_to_api_RoleBindingArray, - Convert_api_RoleBindingArray_to_v1_NamedRoleBindingArray, - Convert_v1_NamedClusterRoleArray_to_api_ClusterRoleArray, - Convert_api_ClusterRoleArray_to_v1_NamedClusterRoleArray, - Convert_v1_NamedClusterRoleBindingArray_to_ClusterRoleBindingArray, - Convert_api_ClusterRoleBindingArray_to_v1_NamedClusterRoleBindingArray, - Convert_v1_SubjectAccessReview_To_api_SubjectAccessReview, Convert_api_SubjectAccessReview_To_v1_SubjectAccessReview, Convert_v1_LocalSubjectAccessReview_To_api_LocalSubjectAccessReview, 
@@ -475,196 +407,3 @@ func addConversionFuncs(scheme *runtime.Scheme) { panic(err) } } - -var _ runtime.NestedObjectDecoder = &PolicyRule{} -var _ runtime.NestedObjectEncoder = &PolicyRule{} - -func (c *PolicyRule) DecodeNestedObjects(d runtime.Decoder) error { - // decoding failures result in a runtime.Unknown object being created in Object and passed - // to conversion - extension.DecodeNestedRawExtensionOrUnknown(d, &c.AttributeRestrictions) - return nil -} -func (c *PolicyRule) EncodeNestedObjects(e runtime.Encoder) error { - return extension.EncodeNestedRawExtension(e, &c.AttributeRestrictions) -} - -var _ runtime.NestedObjectDecoder = &SelfSubjectRulesReview{} -var _ runtime.NestedObjectEncoder = &SelfSubjectRulesReview{} - -func (c *SelfSubjectRulesReview) DecodeNestedObjects(d runtime.Decoder) error { - // decoding failures result in a runtime.Unknown object being created in Object and passed - // to conversion - for i := range c.Status.Rules { - c.Status.Rules[i].DecodeNestedObjects(d) - } - return nil -} -func (c *SelfSubjectRulesReview) EncodeNestedObjects(e runtime.Encoder) error { - for i := range c.Status.Rules { - if err := c.Status.Rules[i].EncodeNestedObjects(e); err != nil { - return err - } - } - return nil -} - -var _ runtime.NestedObjectDecoder = &ClusterRole{} -var _ runtime.NestedObjectEncoder = &ClusterRole{} - -func (c *ClusterRole) DecodeNestedObjects(d runtime.Decoder) error { - // decoding failures result in a runtime.Unknown object being created in Object and passed - // to conversion - for i := range c.Rules { - c.Rules[i].DecodeNestedObjects(d) - } - return nil -} -func (c *ClusterRole) EncodeNestedObjects(e runtime.Encoder) error { - for i := range c.Rules { - if err := c.Rules[i].EncodeNestedObjects(e); err != nil { - return err - } - } - return nil -} - -var _ runtime.NestedObjectDecoder = &Role{} -var _ runtime.NestedObjectEncoder = &Role{} - -func (c *Role) DecodeNestedObjects(d runtime.Decoder) error { - // decoding failures 
result in a runtime.Unknown object being created in Object and passed - // to conversion - for i := range c.Rules { - c.Rules[i].DecodeNestedObjects(d) - } - return nil -} -func (c *Role) EncodeNestedObjects(e runtime.Encoder) error { - for i := range c.Rules { - if err := c.Rules[i].EncodeNestedObjects(e); err != nil { - return err - } - } - return nil -} - -var _ runtime.NestedObjectDecoder = &ClusterRoleList{} -var _ runtime.NestedObjectEncoder = &ClusterRoleList{} - -func (c *ClusterRoleList) DecodeNestedObjects(d runtime.Decoder) error { - // decoding failures result in a runtime.Unknown object being created in Object and passed - // to conversion - for i := range c.Items { - c.Items[i].DecodeNestedObjects(d) - } - return nil -} -func (c *ClusterRoleList) EncodeNestedObjects(e runtime.Encoder) error { - for i := range c.Items { - if err := c.Items[i].EncodeNestedObjects(e); err != nil { - return err - } - } - return nil -} - -var _ runtime.NestedObjectDecoder = &RoleList{} -var _ runtime.NestedObjectEncoder = &RoleList{} - -func (c *RoleList) DecodeNestedObjects(d runtime.Decoder) error { - // decoding failures result in a runtime.Unknown object being created in Object and passed - // to conversion - for i := range c.Items { - c.Items[i].DecodeNestedObjects(d) - } - return nil -} -func (c *RoleList) EncodeNestedObjects(e runtime.Encoder) error { - for i := range c.Items { - if err := c.Items[i].EncodeNestedObjects(e); err != nil { - return err - } - } - return nil -} - -var _ runtime.NestedObjectDecoder = &ClusterPolicy{} -var _ runtime.NestedObjectEncoder = &ClusterPolicy{} - -func (c *ClusterPolicy) DecodeNestedObjects(d runtime.Decoder) error { - // decoding failures result in a runtime.Unknown object being created in Object and passed - // to conversion - for i := range c.Roles { - c.Roles[i].Role.DecodeNestedObjects(d) - } - return nil -} -func (c *ClusterPolicy) EncodeNestedObjects(e runtime.Encoder) error { - for i := range c.Roles { - if err := 
c.Roles[i].Role.EncodeNestedObjects(e); err != nil { - return err - } - } - return nil -} - -var _ runtime.NestedObjectDecoder = &Policy{} -var _ runtime.NestedObjectEncoder = &Policy{} - -func (c *Policy) DecodeNestedObjects(d runtime.Decoder) error { - // decoding failures result in a runtime.Unknown object being created in Object and passed - // to conversion - for i := range c.Roles { - c.Roles[i].Role.DecodeNestedObjects(d) - } - return nil -} -func (c *Policy) EncodeNestedObjects(e runtime.Encoder) error { - for i := range c.Roles { - if err := c.Roles[i].Role.EncodeNestedObjects(e); err != nil { - return err - } - } - return nil -} - -var _ runtime.NestedObjectDecoder = &ClusterPolicyList{} -var _ runtime.NestedObjectEncoder = &ClusterPolicyList{} - -func (c *ClusterPolicyList) DecodeNestedObjects(d runtime.Decoder) error { - // decoding failures result in a runtime.Unknown object being created in Object and passed - // to conversion - for i := range c.Items { - c.Items[i].DecodeNestedObjects(d) - } - return nil -} -func (c *ClusterPolicyList) EncodeNestedObjects(e runtime.Encoder) error { - for i := range c.Items { - if err := c.Items[i].EncodeNestedObjects(e); err != nil { - return err - } - } - return nil -} - -var _ runtime.NestedObjectDecoder = &PolicyList{} -var _ runtime.NestedObjectEncoder = &PolicyList{} - -func (c *PolicyList) DecodeNestedObjects(d runtime.Decoder) error { - // decoding failures result in a runtime.Unknown object being created in Object and passed - // to conversion - for i := range c.Items { - c.Items[i].DecodeNestedObjects(d) - } - return nil -} -func (c *PolicyList) EncodeNestedObjects(e runtime.Encoder) error { - for i := range c.Items { - if err := c.Items[i].EncodeNestedObjects(e); err != nil { - return err - } - } - return nil -} diff --git a/pkg/authorization/api/v1/conversion_generated.go b/pkg/authorization/api/v1/conversion_generated.go index b9255b643fd8..3f5bf9649474 100644 
--- a/pkg/authorization/api/v1/conversion_generated.go +++ b/pkg/authorization/api/v1/conversion_generated.go @@ -14,8 +14,8 @@ import ( func init() { if err := api.Scheme.AddGeneratedConversionFuncs( - Convert_v1_AuthorizationAttributes_To_api_AuthorizationAttributes, - Convert_api_AuthorizationAttributes_To_v1_AuthorizationAttributes, + Convert_v1_Action_To_api_Action, + Convert_api_Action_To_v1_Action, Convert_v1_ClusterPolicy_To_api_ClusterPolicy, Convert_api_ClusterPolicy_To_v1_ClusterPolicy, Convert_v1_ClusterPolicyBinding_To_api_ClusterPolicyBinding, @@ -76,7 +76,7 @@ func init() { } } -func autoConvert_v1_AuthorizationAttributes_To_api_AuthorizationAttributes(in *AuthorizationAttributes, out *authorization_api.AuthorizationAttributes, s conversion.Scope) error { +func autoConvert_v1_Action_To_api_Action(in *Action, out *authorization_api.Action, s conversion.Scope) error { out.Namespace = in.Namespace out.Verb = in.Verb out.Group = in.Group @@ -89,11 +89,11 @@ func autoConvert_v1_AuthorizationAttributes_To_api_AuthorizationAttributes(in *A return nil } -func Convert_v1_AuthorizationAttributes_To_api_AuthorizationAttributes(in *AuthorizationAttributes, out *authorization_api.AuthorizationAttributes, s conversion.Scope) error { - return autoConvert_v1_AuthorizationAttributes_To_api_AuthorizationAttributes(in, out, s) +func Convert_v1_Action_To_api_Action(in *Action, out *authorization_api.Action, s conversion.Scope) error { + return autoConvert_v1_Action_To_api_Action(in, out, s) } -func autoConvert_api_AuthorizationAttributes_To_v1_AuthorizationAttributes(in *authorization_api.AuthorizationAttributes, out *AuthorizationAttributes, s conversion.Scope) error { +func autoConvert_api_Action_To_v1_Action(in *authorization_api.Action, out *Action, s conversion.Scope) error { out.Namespace = in.Namespace out.Verb = in.Verb out.Group = in.Group 
@@ -106,8 +106,86 @@ func autoConvert_api_AuthorizationAttributes_To_v1_AuthorizationAttributes(in *a return nil } -func Convert_api_AuthorizationAttributes_To_v1_AuthorizationAttributes(in *authorization_api.AuthorizationAttributes, out *AuthorizationAttributes, s conversion.Scope) error { - return autoConvert_api_AuthorizationAttributes_To_v1_AuthorizationAttributes(in, out, s) +func Convert_api_Action_To_v1_Action(in *authorization_api.Action, out *Action, s conversion.Scope) error { + return autoConvert_api_Action_To_v1_Action(in, out, s) +} + +func autoConvert_v1_ClusterPolicy_To_api_ClusterPolicy(in *ClusterPolicy, out *authorization_api.ClusterPolicy, s conversion.Scope) error { + if err := api.Convert_unversioned_TypeMeta_To_unversioned_TypeMeta(&in.TypeMeta, &out.TypeMeta, s); err != nil { + return err + } + if err := api_v1.Convert_v1_ObjectMeta_To_api_ObjectMeta(&in.ObjectMeta, &out.ObjectMeta, s); err != nil { + return err + } + if err := api.Convert_unversioned_Time_To_unversioned_Time(&in.LastModified, &out.LastModified, s); err != nil { + return err + } + if err := Convert_v1_NamedClusterRoles_To_api_ClusterRolesByName(&in.Roles, &out.Roles, s); err != nil { + return err + } + return nil +} + +func autoConvert_api_ClusterPolicy_To_v1_ClusterPolicy(in *authorization_api.ClusterPolicy, out *ClusterPolicy, s conversion.Scope) error { + if err := api.Convert_unversioned_TypeMeta_To_unversioned_TypeMeta(&in.TypeMeta, &out.TypeMeta, s); err != nil { + return err + } + if err := api_v1.Convert_api_ObjectMeta_To_v1_ObjectMeta(&in.ObjectMeta, &out.ObjectMeta, s); err != nil { + return err + } + if err := api.Convert_unversioned_Time_To_unversioned_Time(&in.LastModified, &out.LastModified, s); err != nil { + return err + } + if err := Convert_api_ClusterRolesByName_To_v1_NamedClusterRoles(&in.Roles, &out.Roles, s); err != nil { + return err + } + return nil +} + +func Convert_api_ClusterPolicy_To_v1_ClusterPolicy(in *authorization_api.ClusterPolicy, out 
*ClusterPolicy, s conversion.Scope) error { + return autoConvert_api_ClusterPolicy_To_v1_ClusterPolicy(in, out, s) +} + +func autoConvert_v1_ClusterPolicyBinding_To_api_ClusterPolicyBinding(in *ClusterPolicyBinding, out *authorization_api.ClusterPolicyBinding, s conversion.Scope) error { + if err := api.Convert_unversioned_TypeMeta_To_unversioned_TypeMeta(&in.TypeMeta, &out.TypeMeta, s); err != nil { + return err + } + if err := api_v1.Convert_v1_ObjectMeta_To_api_ObjectMeta(&in.ObjectMeta, &out.ObjectMeta, s); err != nil { + return err + } + if err := api.Convert_unversioned_Time_To_unversioned_Time(&in.LastModified, &out.LastModified, s); err != nil { + return err + } + if err := api_v1.Convert_v1_ObjectReference_To_api_ObjectReference(&in.PolicyRef, &out.PolicyRef, s); err != nil { + return err + } + if err := Convert_v1_NamedClusterRoleBindings_To_api_ClusterRoleBindingsByName(&in.RoleBindings, &out.RoleBindings, s); err != nil { + return err + } + return nil +} + +func autoConvert_api_ClusterPolicyBinding_To_v1_ClusterPolicyBinding(in *authorization_api.ClusterPolicyBinding, out *ClusterPolicyBinding, s conversion.Scope) error { + if err := api.Convert_unversioned_TypeMeta_To_unversioned_TypeMeta(&in.TypeMeta, &out.TypeMeta, s); err != nil { + return err + } + if err := api_v1.Convert_api_ObjectMeta_To_v1_ObjectMeta(&in.ObjectMeta, &out.ObjectMeta, s); err != nil { + return err + } + if err := api.Convert_unversioned_Time_To_unversioned_Time(&in.LastModified, &out.LastModified, s); err != nil { + return err + } + if err := api_v1.Convert_api_ObjectReference_To_v1_ObjectReference(&in.PolicyRef, &out.PolicyRef, s); err != nil { + return err + } + if err := Convert_api_ClusterRoleBindingsByName_To_v1_NamedClusterRoleBindings(&in.RoleBindings, &out.RoleBindings, s); err != nil { + return err + } + return nil +} + +func Convert_api_ClusterPolicyBinding_To_v1_ClusterPolicyBinding(in *authorization_api.ClusterPolicyBinding, out *ClusterPolicyBinding, s 
conversion.Scope) error { + return autoConvert_api_ClusterPolicyBinding_To_v1_ClusterPolicyBinding(in, out, s) } func autoConvert_v1_ClusterPolicyBindingList_To_api_ClusterPolicyBindingList(in *ClusterPolicyBindingList, out *authorization_api.ClusterPolicyBindingList, s conversion.Scope) error { @@ -260,6 +338,30 @@ func Convert_api_ClusterRole_To_v1_ClusterRole(in *authorization_api.ClusterRole return autoConvert_api_ClusterRole_To_v1_ClusterRole(in, out, s) } +func autoConvert_v1_ClusterRoleBinding_To_api_ClusterRoleBinding(in *ClusterRoleBinding, out *authorization_api.ClusterRoleBinding, s conversion.Scope) error { + if err := api.Convert_unversioned_TypeMeta_To_unversioned_TypeMeta(&in.TypeMeta, &out.TypeMeta, s); err != nil { + return err + } + if err := api_v1.Convert_v1_ObjectMeta_To_api_ObjectMeta(&in.ObjectMeta, &out.ObjectMeta, s); err != nil { + return err + } + if in.Subjects != nil { + in, out := &in.Subjects, &out.Subjects + *out = make([]api.ObjectReference, len(*in)) + for i := range *in { + if err := api_v1.Convert_v1_ObjectReference_To_api_ObjectReference(&(*in)[i], &(*out)[i], s); err != nil { + return err + } + } + } else { + out.Subjects = nil + } + if err := api_v1.Convert_v1_ObjectReference_To_api_ObjectReference(&in.RoleRef, &out.RoleRef, s); err != nil { + return err + } + return nil +} + func autoConvert_api_ClusterRoleBinding_To_v1_ClusterRoleBinding(in *authorization_api.ClusterRoleBinding, out *ClusterRoleBinding, s conversion.Scope) error { if err := api.Convert_unversioned_TypeMeta_To_unversioned_TypeMeta(&in.TypeMeta, &out.TypeMeta, s); err != nil { return err 
@@ -406,6 +508,148 @@ func Convert_api_IsPersonalSubjectAccessReview_To_v1_IsPersonalSubjectAccessRevi return autoConvert_api_IsPersonalSubjectAccessReview_To_v1_IsPersonalSubjectAccessReview(in, out, s) } +func autoConvert_v1_LocalResourceAccessReview_To_api_LocalResourceAccessReview(in *LocalResourceAccessReview, out *authorization_api.LocalResourceAccessReview, s conversion.Scope) error { + if err := api.Convert_unversioned_TypeMeta_To_unversioned_TypeMeta(&in.TypeMeta, &out.TypeMeta, s); err != nil { + return err + } + if err := Convert_v1_Action_To_api_Action(&in.Action, &out.Action, s); err != nil { + return err + } + return nil +} + +func Convert_v1_LocalResourceAccessReview_To_api_LocalResourceAccessReview(in *LocalResourceAccessReview, out *authorization_api.LocalResourceAccessReview, s conversion.Scope) error { + return autoConvert_v1_LocalResourceAccessReview_To_api_LocalResourceAccessReview(in, out, s) +} + +func autoConvert_api_LocalResourceAccessReview_To_v1_LocalResourceAccessReview(in *authorization_api.LocalResourceAccessReview, out *LocalResourceAccessReview, s conversion.Scope) error { + if err := api.Convert_unversioned_TypeMeta_To_unversioned_TypeMeta(&in.TypeMeta, &out.TypeMeta, s); err != nil { + return err + } + if err := Convert_api_Action_To_v1_Action(&in.Action, &out.Action, s); err != nil { + return err + } + return nil +} + +func Convert_api_LocalResourceAccessReview_To_v1_LocalResourceAccessReview(in *authorization_api.LocalResourceAccessReview, out *LocalResourceAccessReview, s conversion.Scope) error { + return autoConvert_api_LocalResourceAccessReview_To_v1_LocalResourceAccessReview(in, out, s) +} + +func autoConvert_v1_LocalSubjectAccessReview_To_api_LocalSubjectAccessReview(in *LocalSubjectAccessReview, out *authorization_api.LocalSubjectAccessReview, s conversion.Scope) error { + if err := api.Convert_unversioned_TypeMeta_To_unversioned_TypeMeta(&in.TypeMeta, &out.TypeMeta, s); err != nil { + return err + } + if err := 
Convert_v1_Action_To_api_Action(&in.Action, &out.Action, s); err != nil { + return err + } + out.User = in.User + if in.Scopes != nil { + in, out := &in.Scopes, &out.Scopes + *out = make([]string, len(*in)) + copy(*out, *in) + } else { + out.Scopes = nil + } + return nil +} + +func autoConvert_api_LocalSubjectAccessReview_To_v1_LocalSubjectAccessReview(in *authorization_api.LocalSubjectAccessReview, out *LocalSubjectAccessReview, s conversion.Scope) error { + if err := api.Convert_unversioned_TypeMeta_To_unversioned_TypeMeta(&in.TypeMeta, &out.TypeMeta, s); err != nil { + return err + } + if err := Convert_api_Action_To_v1_Action(&in.Action, &out.Action, s); err != nil { + return err + } + out.User = in.User + if in.Scopes != nil { + in, out := &in.Scopes, &out.Scopes + *out = make(OptionalScopes, len(*in)) + copy(*out, *in) + } else { + out.Scopes = nil + } + return nil +} + +func autoConvert_v1_Policy_To_api_Policy(in *Policy, out *authorization_api.Policy, s conversion.Scope) error { + if err := api.Convert_unversioned_TypeMeta_To_unversioned_TypeMeta(&in.TypeMeta, &out.TypeMeta, s); err != nil { + return err + } + if err := api_v1.Convert_v1_ObjectMeta_To_api_ObjectMeta(&in.ObjectMeta, &out.ObjectMeta, s); err != nil { + return err + } + if err := api.Convert_unversioned_Time_To_unversioned_Time(&in.LastModified, &out.LastModified, s); err != nil { + return err + } + if err := Convert_v1_NamedRoles_To_api_RolesByName(&in.Roles, &out.Roles, s); err != nil { + return err + } + return nil +} + +func autoConvert_api_Policy_To_v1_Policy(in *authorization_api.Policy, out *Policy, s conversion.Scope) error { + if err := api.Convert_unversioned_TypeMeta_To_unversioned_TypeMeta(&in.TypeMeta, &out.TypeMeta, s); err != nil { + return err + } + if err := api_v1.Convert_api_ObjectMeta_To_v1_ObjectMeta(&in.ObjectMeta, &out.ObjectMeta, s); err != nil { + return err + } + if err := api.Convert_unversioned_Time_To_unversioned_Time(&in.LastModified, &out.LastModified, s); err != 
nil { + return err + } + if err := Convert_api_RolesByName_To_v1_NamedRoles(&in.Roles, &out.Roles, s); err != nil { + return err + } + return nil +} + +func Convert_api_Policy_To_v1_Policy(in *authorization_api.Policy, out *Policy, s conversion.Scope) error { + return autoConvert_api_Policy_To_v1_Policy(in, out, s) +} + +func autoConvert_v1_PolicyBinding_To_api_PolicyBinding(in *PolicyBinding, out *authorization_api.PolicyBinding, s conversion.Scope) error { + if err := api.Convert_unversioned_TypeMeta_To_unversioned_TypeMeta(&in.TypeMeta, &out.TypeMeta, s); err != nil { + return err + } + if err := api_v1.Convert_v1_ObjectMeta_To_api_ObjectMeta(&in.ObjectMeta, &out.ObjectMeta, s); err != nil { + return err + } + if err := api.Convert_unversioned_Time_To_unversioned_Time(&in.LastModified, &out.LastModified, s); err != nil { + return err + } + if err := api_v1.Convert_v1_ObjectReference_To_api_ObjectReference(&in.PolicyRef, &out.PolicyRef, s); err != nil { + return err + } + if err := Convert_v1_NamedRoleBindings_To_api_RoleBindingsByName(&in.RoleBindings, &out.RoleBindings, s); err != nil { + return err + } + return nil +} + +func autoConvert_api_PolicyBinding_To_v1_PolicyBinding(in *authorization_api.PolicyBinding, out *PolicyBinding, s conversion.Scope) error { + if err := api.Convert_unversioned_TypeMeta_To_unversioned_TypeMeta(&in.TypeMeta, &out.TypeMeta, s); err != nil { + return err + } + if err := api_v1.Convert_api_ObjectMeta_To_v1_ObjectMeta(&in.ObjectMeta, &out.ObjectMeta, s); err != nil { + return err + } + if err := api.Convert_unversioned_Time_To_unversioned_Time(&in.LastModified, &out.LastModified, s); err != nil { + return err + } + if err := api_v1.Convert_api_ObjectReference_To_v1_ObjectReference(&in.PolicyRef, &out.PolicyRef, s); err != nil { + return err + } + if err := Convert_api_RoleBindingsByName_To_v1_NamedRoleBindings(&in.RoleBindings, &out.RoleBindings, s); err != nil { + return err + } + return nil +} + +func 
Convert_api_PolicyBinding_To_v1_PolicyBinding(in *authorization_api.PolicyBinding, out *PolicyBinding, s conversion.Scope) error { + return autoConvert_api_PolicyBinding_To_v1_PolicyBinding(in, out, s) +} + func autoConvert_v1_PolicyBindingList_To_api_PolicyBindingList(in *PolicyBindingList, out *authorization_api.PolicyBindingList, s conversion.Scope) error { if err := api.Convert_unversioned_TypeMeta_To_unversioned_TypeMeta(&in.TypeMeta, &out.TypeMeta, s); err != nil { return err 
@@ -506,6 +750,50 @@ func Convert_api_PolicyList_To_v1_PolicyList(in *authorization_api.PolicyList, o return autoConvert_api_PolicyList_To_v1_PolicyList(in, out, s) } +func autoConvert_v1_ResourceAccessReview_To_api_ResourceAccessReview(in *ResourceAccessReview, out *authorization_api.ResourceAccessReview, s conversion.Scope) error { + if err := api.Convert_unversioned_TypeMeta_To_unversioned_TypeMeta(&in.TypeMeta, &out.TypeMeta, s); err != nil { + return err + } + if err := Convert_v1_Action_To_api_Action(&in.Action, &out.Action, s); err != nil { + return err + } + return nil +} + +func Convert_v1_ResourceAccessReview_To_api_ResourceAccessReview(in *ResourceAccessReview, out *authorization_api.ResourceAccessReview, s conversion.Scope) error { + return autoConvert_v1_ResourceAccessReview_To_api_ResourceAccessReview(in, out, s) +} + +func autoConvert_api_ResourceAccessReview_To_v1_ResourceAccessReview(in *authorization_api.ResourceAccessReview, out *ResourceAccessReview, s conversion.Scope) error { + if err := api.Convert_unversioned_TypeMeta_To_unversioned_TypeMeta(&in.TypeMeta, &out.TypeMeta, s); err != nil { + return err + } + if err := Convert_api_Action_To_v1_Action(&in.Action, &out.Action, s); err != nil { + return err + } + return nil +} + +func Convert_api_ResourceAccessReview_To_v1_ResourceAccessReview(in *authorization_api.ResourceAccessReview, out *ResourceAccessReview, s conversion.Scope) error { + return autoConvert_api_ResourceAccessReview_To_v1_ResourceAccessReview(in, out, s) +} + +func autoConvert_v1_ResourceAccessReviewResponse_To_api_ResourceAccessReviewResponse(in *ResourceAccessReviewResponse, out *authorization_api.ResourceAccessReviewResponse, s conversion.Scope) error { + if err := api.Convert_unversioned_TypeMeta_To_unversioned_TypeMeta(&in.TypeMeta, &out.TypeMeta, s); err != nil { + return err + } + out.Namespace = in.Namespace + return nil +} + +func autoConvert_api_ResourceAccessReviewResponse_To_v1_ResourceAccessReviewResponse(in 
*authorization_api.ResourceAccessReviewResponse, out *ResourceAccessReviewResponse, s conversion.Scope) error { + if err := api.Convert_unversioned_TypeMeta_To_unversioned_TypeMeta(&in.TypeMeta, &out.TypeMeta, s); err != nil { + return err + } + out.Namespace = in.Namespace + return nil +} + func autoConvert_v1_Role_To_api_Role(in *Role, out *authorization_api.Role, s conversion.Scope) error { if err := api.Convert_unversioned_TypeMeta_To_unversioned_TypeMeta(&in.TypeMeta, &out.TypeMeta, s); err != nil { return err @@ -556,6 +844,30 @@ func Convert_api_Role_To_v1_Role(in *authorization_api.Role, out *Role, s conver return autoConvert_api_Role_To_v1_Role(in, out, s) } +func autoConvert_v1_RoleBinding_To_api_RoleBinding(in *RoleBinding, out *authorization_api.RoleBinding, s conversion.Scope) error { + if err := api.Convert_unversioned_TypeMeta_To_unversioned_TypeMeta(&in.TypeMeta, &out.TypeMeta, s); err != nil { + return err + } + if err := api_v1.Convert_v1_ObjectMeta_To_api_ObjectMeta(&in.ObjectMeta, &out.ObjectMeta, s); err != nil { + return err + } + if in.Subjects != nil { + in, out := &in.Subjects, &out.Subjects + *out = make([]api.ObjectReference, len(*in)) + for i := range *in { + if err := api_v1.Convert_v1_ObjectReference_To_api_ObjectReference(&(*in)[i], &(*out)[i], s); err != nil { + return err + } + } + } else { + out.Subjects = nil + } + if err := api_v1.Convert_v1_ObjectReference_To_api_ObjectReference(&in.RoleRef, &out.RoleRef, s); err != nil { + return err + } + return nil +} + func autoConvert_api_RoleBinding_To_v1_RoleBinding(in *authorization_api.RoleBinding, out *RoleBinding, s conversion.Scope) error { if err := api.Convert_unversioned_TypeMeta_To_unversioned_TypeMeta(&in.TypeMeta, &out.TypeMeta, s); err != nil { return err 
@@ -715,7 +1027,13 @@ func Convert_api_SelfSubjectRulesReview_To_v1_SelfSubjectRulesReview(in *authori } func autoConvert_v1_SelfSubjectRulesReviewSpec_To_api_SelfSubjectRulesReviewSpec(in *SelfSubjectRulesReviewSpec, out *authorization_api.SelfSubjectRulesReviewSpec, s conversion.Scope) error { - out.Scopes = in.Scopes + if in.Scopes != nil { + in, out := &in.Scopes, &out.Scopes + *out = make([]string, len(*in)) + copy(*out, *in) + } else { + out.Scopes = nil + } return nil } @@ -724,7 +1042,13 @@ func Convert_v1_SelfSubjectRulesReviewSpec_To_api_SelfSubjectRulesReviewSpec(in } func autoConvert_api_SelfSubjectRulesReviewSpec_To_v1_SelfSubjectRulesReviewSpec(in *authorization_api.SelfSubjectRulesReviewSpec, out *SelfSubjectRulesReviewSpec, s conversion.Scope) error { - out.Scopes = in.Scopes + if in.Scopes != nil { + in, out := &in.Scopes, &out.Scopes + *out = make(OptionalScopes, len(*in)) + copy(*out, *in) + } else { + out.Scopes = nil + } return nil } 
@@ -732,6 +1056,42 @@ func Convert_api_SelfSubjectRulesReviewSpec_To_v1_SelfSubjectRulesReviewSpec(in return autoConvert_api_SelfSubjectRulesReviewSpec_To_v1_SelfSubjectRulesReviewSpec(in, out, s) } +func autoConvert_v1_SubjectAccessReview_To_api_SubjectAccessReview(in *SubjectAccessReview, out *authorization_api.SubjectAccessReview, s conversion.Scope) error { + if err := api.Convert_unversioned_TypeMeta_To_unversioned_TypeMeta(&in.TypeMeta, &out.TypeMeta, s); err != nil { + return err + } + if err := Convert_v1_Action_To_api_Action(&in.Action, &out.Action, s); err != nil { + return err + } + out.User = in.User + if in.Scopes != nil { + in, out := &in.Scopes, &out.Scopes + *out = make([]string, len(*in)) + copy(*out, *in) + } else { + out.Scopes = nil + } + return nil +} + +func autoConvert_api_SubjectAccessReview_To_v1_SubjectAccessReview(in *authorization_api.SubjectAccessReview, out *SubjectAccessReview, s conversion.Scope) error { + if err := api.Convert_unversioned_TypeMeta_To_unversioned_TypeMeta(&in.TypeMeta, &out.TypeMeta, s); err != nil { + return err + } + if err := Convert_api_Action_To_v1_Action(&in.Action, &out.Action, s); err != nil { + return err + } + out.User = in.User + if in.Scopes != nil { + in, out := &in.Scopes, &out.Scopes + *out = make(OptionalScopes, len(*in)) + copy(*out, *in) + } else { + out.Scopes = nil + } + return nil +} + func autoConvert_v1_SubjectAccessReviewResponse_To_api_SubjectAccessReviewResponse(in *SubjectAccessReviewResponse, out *authorization_api.SubjectAccessReviewResponse, s conversion.Scope) error { if err := api.Convert_unversioned_TypeMeta_To_unversioned_TypeMeta(&in.TypeMeta, &out.TypeMeta, s); err != nil { return err diff --git a/pkg/authorization/api/v1/deep_copy_generated.go b/pkg/authorization/api/v1/deep_copy_generated.go index 75eabecf2898..462e2f03cdb2 100644 --- a/pkg/authorization/api/v1/deep_copy_generated.go +++ b/pkg/authorization/api/v1/deep_copy_generated.go 
@@ -14,7 +14,7 @@ import ( func init() { if err := api.Scheme.AddGeneratedDeepCopyFuncs( - DeepCopy_v1_AuthorizationAttributes, + DeepCopy_v1_Action, DeepCopy_v1_ClusterPolicy, DeepCopy_v1_ClusterPolicyBinding, DeepCopy_v1_ClusterPolicyBindingList, @@ -52,7 +52,7 @@ func init() { } } -func DeepCopy_v1_AuthorizationAttributes(in AuthorizationAttributes, out *AuthorizationAttributes, c *conversion.Cloner) error { +func DeepCopy_v1_Action(in Action, out *Action, c *conversion.Cloner) error { out.Namespace = in.Namespace out.Verb = in.Verb out.Group = in.Group @@ -77,7 +77,7 @@ func DeepCopy_v1_ClusterPolicy(in ClusterPolicy, out *ClusterPolicy, c *conversi } if in.Roles != nil { in, out := in.Roles, &out.Roles - *out = make([]NamedClusterRole, len(in)) + *out = make(NamedClusterRoles, len(in)) for i := range in { if err := DeepCopy_v1_NamedClusterRole(in[i], &(*out)[i], c); err != nil { return err @@ -104,7 +104,7 @@ func DeepCopy_v1_ClusterPolicyBinding(in ClusterPolicyBinding, out *ClusterPolic } if in.RoleBindings != nil { in, out := in.RoleBindings, &out.RoleBindings - *out = make([]NamedClusterRoleBinding, len(in)) + *out = make(NamedClusterRoleBindings, len(in)) for i := range in { if err := DeepCopy_v1_NamedClusterRoleBinding(in[i], &(*out)[i], c); err != nil { return err @@ -188,14 +188,14 @@ func DeepCopy_v1_ClusterRoleBinding(in ClusterRoleBinding, out *ClusterRoleBindi } if in.UserNames != nil { in, out := in.UserNames, &out.UserNames - *out = make([]string, len(in)) + *out = make(OptionalNames, len(in)) copy(*out, in) } else { out.UserNames = nil } if in.GroupNames != nil { in, out := in.GroupNames, &out.GroupNames - *out = make([]string, len(in)) + *out = make(OptionalNames, len(in)) copy(*out, in) } else { out.GroupNames = nil 
@@ -270,7 +270,7 @@ func DeepCopy_v1_LocalResourceAccessReview(in LocalResourceAccessReview, out *Lo if err := unversioned.DeepCopy_unversioned_TypeMeta(in.TypeMeta, &out.TypeMeta, c); err != nil { return err } - if err := DeepCopy_v1_AuthorizationAttributes(in.AuthorizationAttributes, &out.AuthorizationAttributes, c); err != nil { + if err := DeepCopy_v1_Action(in.Action, &out.Action, c); err != nil { return err } return nil @@ -280,7 +280,7 @@ func DeepCopy_v1_LocalSubjectAccessReview(in LocalSubjectAccessReview, out *Loca if err := unversioned.DeepCopy_unversioned_TypeMeta(in.TypeMeta, &out.TypeMeta, c); err != nil { return err } - if err := DeepCopy_v1_AuthorizationAttributes(in.AuthorizationAttributes, &out.AuthorizationAttributes, c); err != nil { + if err := DeepCopy_v1_Action(in.Action, &out.Action, c); err != nil { return err } out.User = in.User @@ -293,7 +293,7 @@ func DeepCopy_v1_LocalSubjectAccessReview(in LocalSubjectAccessReview, out *Loca } if in.Scopes != nil { in, out := in.Scopes, &out.Scopes - *out = make([]string, len(in)) + *out = make(OptionalScopes, len(in)) copy(*out, in) } else { out.Scopes = nil @@ -345,7 +345,7 @@ func DeepCopy_v1_Policy(in Policy, out *Policy, c *conversion.Cloner) error { } if in.Roles != nil { in, out := in.Roles, &out.Roles - *out = make([]NamedRole, len(in)) + *out = make(NamedRoles, len(in)) for i := range in { if err := DeepCopy_v1_NamedRole(in[i], &(*out)[i], c); err != nil { return err @@ -372,7 +372,7 @@ func DeepCopy_v1_PolicyBinding(in PolicyBinding, out *PolicyBinding, c *conversi } if in.RoleBindings != nil { in, out := in.RoleBindings, &out.RoleBindings - *out = make([]NamedRoleBinding, len(in)) + *out = make(NamedRoleBindings, len(in)) for i := range in { if err := DeepCopy_v1_NamedRoleBinding(in[i], &(*out)[i], c); err != nil { return err 
@@ -472,7 +472,7 @@ func DeepCopy_v1_ResourceAccessReview(in ResourceAccessReview, out *ResourceAcce if err := unversioned.DeepCopy_unversioned_TypeMeta(in.TypeMeta, &out.TypeMeta, c); err != nil { return err } - if err := DeepCopy_v1_AuthorizationAttributes(in.AuthorizationAttributes, &out.AuthorizationAttributes, c); err != nil { + if err := DeepCopy_v1_Action(in.Action, &out.Action, c); err != nil { return err } return nil @@ -531,14 +531,14 @@ func DeepCopy_v1_RoleBinding(in RoleBinding, out *RoleBinding, c *conversion.Clo } if in.UserNames != nil { in, out := in.UserNames, &out.UserNames - *out = make([]string, len(in)) + *out = make(OptionalNames, len(in)) copy(*out, in) } else { out.UserNames = nil } if in.GroupNames != nil { in, out := in.GroupNames, &out.GroupNames - *out = make([]string, len(in)) + *out = make(OptionalNames, len(in)) copy(*out, in) } else { out.GroupNames = nil @@ -618,7 +618,7 @@ func DeepCopy_v1_SelfSubjectRulesReview(in SelfSubjectRulesReview, out *SelfSubj func DeepCopy_v1_SelfSubjectRulesReviewSpec(in SelfSubjectRulesReviewSpec, out *SelfSubjectRulesReviewSpec, c *conversion.Cloner) error { if in.Scopes != nil { in, out := in.Scopes, &out.Scopes - *out = make([]string, len(in)) + *out = make(OptionalScopes, len(in)) copy(*out, in) } else { out.Scopes = nil @@ -630,7 +630,7 @@ func DeepCopy_v1_SubjectAccessReview(in SubjectAccessReview, out *SubjectAccessR if err := unversioned.DeepCopy_unversioned_TypeMeta(in.TypeMeta, &out.TypeMeta, c); err != nil { return err } - if err := DeepCopy_v1_AuthorizationAttributes(in.AuthorizationAttributes, &out.AuthorizationAttributes, c); err != nil { + if err := DeepCopy_v1_Action(in.Action, &out.Action, c); err != nil { return err } out.User = in.User 
@@ -643,7 +643,7 @@ func DeepCopy_v1_SubjectAccessReview(in SubjectAccessReview, out *SubjectAccessR } if in.Scopes != nil { in, out := in.Scopes, &out.Scopes - *out = make([]string, len(in)) + *out = make(OptionalScopes, len(in)) copy(*out, in) } else { out.Scopes = nil diff --git a/pkg/authorization/api/v1/swagger_doc.go b/pkg/authorization/api/v1/swagger_doc.go index f8e7fcf15534..23f7d490d01b 100644 --- a/pkg/authorization/api/v1/swagger_doc.go +++ b/pkg/authorization/api/v1/swagger_doc.go @@ -5,8 +5,8 @@ package v1 // by hack/update-generated-swagger-descriptions.sh and should be run after a full build of OpenShift. // ==== DO NOT EDIT THIS FILE MANUALLY ==== -var map_AuthorizationAttributes = map[string]string{ - "": "AuthorizationAttributes describes a request to the API server", +var map_Action = map[string]string{ + "": "Action describes a request to the API server", "namespace": "Namespace is the namespace of the action being requested. Currently, there is no distinction between no namespace and all namespaces", "verb": "Verb is one of: get, list, watch, create, update, delete", "resourceAPIGroup": "Group is the API group of the resource Serialized as resourceAPIGroup to avoid confusion with the 'groups' field when inlined", @@ -16,8 +16,8 @@ var map_AuthorizationAttributes = map[string]string{ "content": "Content is the actual content of the request for create and update", } -func (AuthorizationAttributes) SwaggerDoc() map[string]string { - return map_AuthorizationAttributes +func (Action) SwaggerDoc() map[string]string { + return map_Action } var map_ClusterPolicy = map[string]string{ diff --git a/pkg/authorization/api/v1/types.go b/pkg/authorization/api/v1/types.go index e451219ad45a..6ffd3de1ee9c 100644 --- a/pkg/authorization/api/v1/types.go +++ b/pkg/authorization/api/v1/types.go 
@@ -49,6 +49,10 @@ type Role struct {
 Rules []PolicyRule `json:"rules"`
 }

+// OptionalNames is an array of strings that may either be empty or unspecified (null).
+// +protobuf.nullable=true
+type OptionalNames []string
+
 // RoleBinding references a Role, but not contain it. It can reference any Role in the same namespace or in the global namespace.
 // It adds who information via Users and Groups and namespace information by which namespace it exists in. RoleBindings in a given
 // namespace only have effect in that namespace (excepting the master namespace which has power in all namespaces).
@@ -58,9 +62,11 @@ type RoleBinding struct {
 kapi.ObjectMeta `json:"metadata,omitempty"`

 // UserNames holds all the usernames directly bound to the role
- UserNames []string `json:"userNames"`
+ // +genconversion=false
+ UserNames OptionalNames `json:"userNames"`
 // GroupNames holds all the groups directly bound to the role
- GroupNames []string `json:"groupNames"`
+ // +genconversion=false
+ GroupNames OptionalNames `json:"groupNames"`

 // Subjects hold object references to authorize with this rule
 Subjects []kapi.ObjectReference `json:"subjects"`
@@ -70,6 +76,8 @@ type RoleBinding struct {
 RoleRef kapi.ObjectReference `json:"roleRef"`
 }

+type NamedRoles []NamedRole
+
 // +genclient=true

 // Policy is a object that holds all the Roles for a particular namespace. There is at most
@@ -83,9 +91,11 @@ type Policy struct {
 LastModified unversioned.Time `json:"lastModified"`

 // Roles holds all the Roles held by this Policy, mapped by Role.Name
- Roles []NamedRole `json:"roles"`
+ Roles NamedRoles `json:"roles"`
 }

+type NamedRoleBindings []NamedRoleBinding
+
 // PolicyBinding is a object that holds all the RoleBindings for a particular namespace. There is
 // one PolicyBinding document per referenced Policy namespace
 type PolicyBinding struct {
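Review bot: The `+genconversion=false` markers on `UserNames` and `GroupNames` in the `@@ -58,9 +62,11 @@` hunk take those two fields out of the generated v1-to-internal conversion, so a binding's user and group names now reach the internal `Subjects` only through a hand-written conversion that is not part of this diff; confirm it is registered in both directions and exercised by a round-trip test, because a missing or one-sided conversion would silently drop subjects from a RoleBinding rather than fail. A comment at the marker would record that dependency for the next maintainer, e.g. `// +genconversion=false -- folded into Subjects by the hand-written conversion; keep the two in sync`. `OptionalNames` documents that nil and empty are distinguishable on the wire but not what each means for a binding; if the intent is that nil means "field not specified" and an empty list means "no names bound", say so on the type so callers do not have to guess. The RoleBinding struct continues outside the hunk.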
@@ -99,7 +109,7 @@ type PolicyBinding struct {
 // PolicyRef is a reference to the Policy that contains all the Roles that this PolicyBinding's RoleBindings may reference
 PolicyRef kapi.ObjectReference `json:"policyRef"`
 // RoleBindings holds all the RoleBindings held by this PolicyBinding, mapped by RoleBinding.Name
- RoleBindings []NamedRoleBinding `json:"roleBindings"`
+ RoleBindings NamedRoleBindings `json:"roleBindings"`
 }

 // NamedRole relates a Role with a name
@@ -133,7 +143,7 @@ type SelfSubjectRulesReview struct {
 type SelfSubjectRulesReviewSpec struct {
 // Scopes to use for the evaluation. Empty means "use the unscoped (full) permissions of the user/groups".
 // Nil means "use the scopes on this request".
- Scopes []string `json:"scopes"`
+ Scopes OptionalScopes `json:"scopes"`
 }

 // SubjectRulesReviewStatus is contains the result of a rules check
@@ -152,8 +162,10 @@ type ResourceAccessReviewResponse struct {
 // Namespace is the namespace used for the access review
 Namespace string `json:"namespace,omitempty"`
 // UsersSlice is the list of users who can perform the action
+ // +genconversion=false
 UsersSlice []string `json:"users"`
 // GroupsSlice is the list of groups who can perform the action
+ // +genconversion=false
 GroupsSlice []string `json:"groups"`

 // EvaluationError is an indication that some error occurred during resolution, but partial results can still be returned.
@@ -167,8 +179,8 @@ type ResourceAccessReviewResponse struct {
 type ResourceAccessReview struct {
 unversioned.TypeMeta `json:",inline"`

- // AuthorizationAttributes describes the action being tested.
- AuthorizationAttributes `json:",inline"`
+ // Action describes the action being tested.
+ Action `json:",inline"`
 }

 // SubjectAccessReviewResponse describes whether or not a user or group can perform an action
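Review bot: `UsersSlice` and `GroupsSlice` on `ResourceAccessReviewResponse` (hunk `@@ -152,8 +162,10 @@`) are now excluded from generated conversion, and those two lists are the entire answer of a resource access review, so the internal-to-v1 converter produces an empty response unless a hand-written conversion that is not in this diff fills them in; make sure that path is registered and round-trip tested, because an accidentally empty `users`/`groups` reads to a client as "nobody is authorized" and is indistinguishable from a real result. A comment at the marker naming the dependency would help, e.g. `// +genconversion=false -- filled in by the hand-written conversion; update it when this field changes`. The struct continues outside the hunk.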
@@ -183,48 +195,54 @@ type SubjectAccessReviewResponse struct {
 Reason string `json:"reason,omitempty"`
 }

+// OptionalScopes is an array that may also be left nil to distinguish between set and unset.
+// +protobuf.nullable=true
+type OptionalScopes []string
+
 // SubjectAccessReview is an object for requesting information about whether a user or group can perform an action
 type SubjectAccessReview struct {
 unversioned.TypeMeta `json:",inline"`

- // AuthorizationAttributes describes the action being tested.
- AuthorizationAttributes `json:",inline"`
+ // Action describes the action being tested.
+ Action `json:",inline"`
 // User is optional. If both User and Groups are empty, the current authenticated user is used.
 User string `json:"user"`
 // GroupsSlice is optional. Groups is the list of groups to which the User belongs.
+ // +genconversion=false
 GroupsSlice []string `json:"groups"`
 // Scopes to use for the evaluation. Empty means "use the unscoped (full) permissions of the user/groups".
 // Nil for a self-SAR, means "use the scopes on this request".
 // Nil for a regular SAR, means the same as empty.
- Scopes []string `json:"scopes"`
+ Scopes OptionalScopes `json:"scopes"`
 }

 // LocalResourceAccessReview is a means to request a list of which users and groups are authorized to perform the action specified by spec in a particular namespace
 type LocalResourceAccessReview struct {
 unversioned.TypeMeta `json:",inline"`

- // AuthorizationAttributes describes the action being tested. The Namespace element is FORCED to the current namespace.
- AuthorizationAttributes `json:",inline"`
+ // Action describes the action being tested. The Namespace element is FORCED to the current namespace.
+ Action `json:",inline"`
 }

 // LocalSubjectAccessReview is an object for requesting information about whether a user or group can perform an action in a particular namespace
 type LocalSubjectAccessReview struct {
 unversioned.TypeMeta `json:",inline"`

- // AuthorizationAttributes describes the action being tested. The Namespace element is FORCED to the current namespace.
- AuthorizationAttributes `json:",inline"`
+ // Action describes the action being tested. The Namespace element is FORCED to the current namespace.
+ Action `json:",inline"`
 // User is optional. If both User and Groups are empty, the current authenticated user is used.
 User string `json:"user"`
 // Groups is optional. Groups is the list of groups to which the User belongs.
+ // +genconversion=false
 GroupsSlice []string `json:"groups"`
 // Scopes to use for the evaluation. Empty means "use the unscoped (full) permissions of the user/groups".
 // Nil for a self-SAR, means "use the scopes on this request".
 // Nil for a regular SAR, means the same as empty.
- Scopes []string `json:"scopes"`
+ Scopes OptionalScopes `json:"scopes"`
 }

-// AuthorizationAttributes describes a request to the API server
-type AuthorizationAttributes struct {
+// Action describes a request to the API server
+type Action struct {
 // Namespace is the namespace of the action being requested. Currently, there is no distinction between no namespace and all namespaces
 Namespace string `json:"namespace"`
 // Verb is one of: get, list, watch, create, update, delete
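Review bot: The comment on `LocalSubjectAccessReview.GroupsSlice` still opens with `Groups is optional.` while the same field on `SubjectAccessReview` says `GroupsSlice is optional.`; align it to the field name, `// GroupsSlice is optional. Groups is the list of groups to which the User belongs.`. More importantly, `GroupsSlice` on both review types is now `+genconversion=false`, so the groups a caller asks to have evaluated reach the authorizer only through a hand-written conversion outside this diff; if that conversion is missing or asymmetric the review answers for the user alone and group-derived permissions vanish from the result, which is exactly the kind of silent drift a round-trip conversion test should pin. The `OptionalScopes` doc could also say why the nil/empty distinction is worth a nullable protobuf field: by the `Scopes` comment an empty list means an unscoped (full-permission) evaluation while nil on a self-SAR means "the scopes on this request", so any transport that collapsed nil to empty would make a self-SAR over-report what a scoped token can do. The `Action` struct continues outside the hunk.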
@@ -302,9 +320,11 @@ type ClusterRoleBinding struct {
 kapi.ObjectMeta `json:"metadata,omitempty"`
 // UserNames holds all the usernames directly bound to the role
- UserNames []string `json:"userNames"`
+ // +genconversion=false
+ UserNames OptionalNames `json:"userNames"`
 // GroupNames holds all the groups directly bound to the role
- GroupNames []string `json:"groupNames"`
+ // +genconversion=false
+ GroupNames OptionalNames `json:"groupNames"`
 // Subjects hold object references to authorize with this rule
 Subjects []kapi.ObjectReference `json:"subjects"`
@@ -314,6 +334,8 @@ type ClusterRoleBinding struct {
 RoleRef kapi.ObjectReference `json:"roleRef"`
 }
+type NamedClusterRoles []NamedClusterRole
+
 // ClusterPolicy is a object that holds all the ClusterRoles for a particular namespace. There is at most
 // one ClusterPolicy document per namespace.
 type ClusterPolicy struct {
@@ -325,9 +347,11 @@ type ClusterPolicy struct {
 LastModified unversioned.Time `json:"lastModified"`
 // Roles holds all the ClusterRoles held by this ClusterPolicy, mapped by ClusterRole.Name
- Roles []NamedClusterRole `json:"roles"`
+ Roles NamedClusterRoles `json:"roles"`
 }
+type NamedClusterRoleBindings []NamedClusterRoleBinding
+
 // ClusterPolicyBinding is a object that holds all the ClusterRoleBindings for a particular namespace. There is
 // one ClusterPolicyBinding document per referenced ClusterPolicy namespace
 type ClusterPolicyBinding struct {
@@ -341,7 +365,7 @@ type ClusterPolicyBinding struct {
 // PolicyRef is a reference to the ClusterPolicy that contains all the ClusterRoles that this ClusterPolicyBinding's RoleBindings may reference
 PolicyRef kapi.ObjectReference `json:"policyRef"`
 // RoleBindings holds all the ClusterRoleBindings held by this ClusterPolicyBinding, mapped by ClusterRoleBinding.Name
- RoleBindings []NamedClusterRoleBinding `json:"roleBindings"`
+ RoleBindings NamedClusterRoleBindings `json:"roleBindings"`
 }
 // NamedClusterRole relates a name with a cluster role
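Review bot: UserNames and GroupNames in ClusterRoleBinding change to OptionalNames with `+genconversion=false`, but the field comments still read only "holds all the usernames directly bound to the role" and say nothing about what a nil list means versus an empty one, and OptionalNames is not defined in this hunk. These lists decide which subjects a binding grants a role to, so the set/unset meaning should be explicit on the fields, e.g. `// UserNames holds all the usernames directly bound to the role; nil means unset rather than "no users" (see OptionalNames).` with the wording adjusted once the intended semantics are confirmed, since the hunk does not show them. The hand-written conversion implied by the tag should have a round-trip test covering nil and empty for each of the two fields. The enclosing ClusterRoleBinding struct starts and ends outside this hunk.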
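Review bot: The new exported types NamedClusterRoles (the @@ -314 hunk) and NamedClusterRoleBindings (the @@ -325 hunk) are added without doc comments, while the other exported types touched by this diff all carry one. Suggest `// NamedClusterRoles is a list of NamedClusterRole entries, used by ClusterPolicy.Roles.` and `// NamedClusterRoleBindings is a list of NamedClusterRoleBinding entries, used by ClusterPolicyBinding.RoleBindings.` If the named slice types exist to carry a generator annotation, as OptionalScopes does with `+protobuf.nullable=true`, the comment should say so, because nothing on them explains why the plain slices were replaced.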
diff --git a/pkg/authorization/authorizer/adapter/attributes.go b/pkg/authorization/authorizer/adapter/attributes.go
index 36b1b20ac076..7e7c61be547b 100644
--- a/pkg/authorization/authorizer/adapter/attributes.go
+++ b/pkg/authorization/authorizer/adapter/attributes.go
@@ -17,12 +17,12 @@ type AdapterAttributes struct {
 namespace string
 userName string
 groups []string
- authorizationAttributes oauthorizer.AuthorizationAttributes
+ authorizationAttributes oauthorizer.Action
 }
 // OriginAuthorizerAttributes adapts Kubernetes authorization attributes to Origin authorization attributes
 // Note that some info (like resourceName, apiVersion, apiGroup) is not available from the Kubernetes attributes
-func OriginAuthorizerAttributes(kattrs kauthorizer.Attributes) (kapi.Context, oauthorizer.AuthorizationAttributes) {
+func OriginAuthorizerAttributes(kattrs kauthorizer.Attributes) (kapi.Context, oauthorizer.Action) {
 // Build a context to hold the namespace and user info
 ctx := kapi.NewContext()
 ctx = kapi.WithNamespace(ctx, kattrs.GetNamespace())
@@ -59,7 +59,7 @@ func OriginAuthorizerAttributes(kattrs kauthorizer.Attributes) (kapi.Context, oa
 // KubernetesAuthorizerAttributes adapts Origin authorization attributes to Kubernetes authorization attributes
 // The returned attributes can be passed to OriginAuthorizerAttributes to access extra information from the Origin attributes interface
-func KubernetesAuthorizerAttributes(namespace string, userName string, groups []string, oattrs oauthorizer.AuthorizationAttributes) kauthorizer.Attributes {
+func KubernetesAuthorizerAttributes(namespace string, userName string, groups []string, oattrs oauthorizer.Action) kauthorizer.Attributes {
 return AdapterAttributes{
 namespace: namespace,
 userName: userName,
diff --git a/pkg/authorization/authorizer/adapter/attributes_test.go b/pkg/authorization/authorizer/adapter/attributes_test.go
index d57c266ad8ff..3b3d238c8bcd 100644
--- a/pkg/authorization/authorizer/adapter/attributes_test.go
+++ b/pkg/authorization/authorizer/adapter/attributes_test.go
@@ -112,7 +112,7 @@ func TestAttributeIntersection(t *testing.T) {
 )
 kattributesType := reflect.TypeOf((*kauthorizer.Attributes)(nil)).Elem()
- oattributesType := reflect.TypeOf((*oauthorizer.AuthorizationAttributes)(nil)).Elem()
+ oattributesType := reflect.TypeOf((*oauthorizer.Action)(nil)).Elem()
 kattributesMethods := sets.NewString()
 for i := 0; i < kattributesType.NumMethod(); i++ {
diff --git a/pkg/authorization/authorizer/attributes.go b/pkg/authorization/authorizer/attributes.go
index 4a73d90b8865..5513aec596c6 100644
--- a/pkg/authorization/authorizer/attributes.go
+++ b/pkg/authorization/authorizer/attributes.go
@@ -21,9 +21,9 @@ type DefaultAuthorizationAttributes struct {
 URL string
 }
-// ToDefaultAuthorizationAttributes coerces AuthorizationAttributes to DefaultAuthorizationAttributes. Namespace is not included
+// ToDefaultAuthorizationAttributes coerces Action to DefaultAuthorizationAttributes. Namespace is not included
 // because the authorizer takes that information on the context
-func ToDefaultAuthorizationAttributes(in authorizationapi.AuthorizationAttributes) DefaultAuthorizationAttributes {
+func ToDefaultAuthorizationAttributes(in authorizationapi.Action) DefaultAuthorizationAttributes {
 return DefaultAuthorizationAttributes{
 Verb: in.Verb,
 APIGroup: in.Group,
@@ -136,8 +136,8 @@ func splitPath(thePath string) []string {
 return strings.Split(thePath, "/")
 }
-// DefaultAuthorizationAttributes satisfies the AuthorizationAttributes interface
-var _ AuthorizationAttributes = DefaultAuthorizationAttributes{}
+// DefaultAuthorizationAttributes satisfies the Action interface
+var _ Action = DefaultAuthorizationAttributes{}
 func (a DefaultAuthorizationAttributes) GetAPIVersion() string {
 return a.APIVersion
diff --git a/pkg/authorization/authorizer/attributes_builder.go b/pkg/authorization/authorizer/attributes_builder.go
index 35e4181139ca..9ffe56eedea6 100644
--- a/pkg/authorization/authorizer/attributes_builder.go
+++ b/pkg/authorization/authorizer/attributes_builder.go
@@ -16,7 +16,7 @@ func NewAuthorizationAttributeBuilder(contextMapper kapi.RequestContextMapper, i
 return &openshiftAuthorizationAttributeBuilder{contextMapper, infoResolver}
 }
-func (a *openshiftAuthorizationAttributeBuilder) GetAttributes(req *http.Request) (AuthorizationAttributes, error) {
+func (a *openshiftAuthorizationAttributeBuilder) GetAttributes(req *http.Request) (Action, error) {
 requestInfo, err := a.infoResolver.GetRequestInfo(req)
 if err != nil {
 return nil, err
diff --git a/pkg/authorization/authorizer/attributes_test.go b/pkg/authorization/authorizer/attributes_test.go
index 3803e58b4018..e86a10a83855 100644
--- a/pkg/authorization/authorizer/attributes_test.go
+++ b/pkg/authorization/authorizer/attributes_test.go
@@ -7,13 +7,13 @@ import (
 )
 func TestAuthorizationAttributes(t *testing.T) {
- // Wrapper to make sure additions to the AuthorizationAttributes interface get corresponding fields added in api.AuthorizationAttributes
- // If an additional function is required to satisfy this interface, the data for it should come from the contained authorizationapi.AuthorizationAttributes
- var _ AuthorizationAttributes = authorizationAttributesAdapter{}
+ // Wrapper to make sure additions to the Action interface get corresponding fields added in api.Action
+ // If an additional function is required to satisfy this interface, the data for it should come from the contained authorizationapi.Action
+ var _ Action = authorizationAttributesAdapter{}
 }
 type authorizationAttributesAdapter struct {
- attrs authorizationapi.AuthorizationAttributes
+ attrs authorizationapi.Action
 }
 func (a authorizationAttributesAdapter) GetVerb() string {
@@ -37,17 +37,17 @@ func (a authorizationAttributesAdapter) GetResourceName() string {
 }
 func (a authorizationAttributesAdapter) GetRequestAttributes() interface{} {
- // AuthorizationAttributes doesn't currently support request attributes,
+ // Action doesn't currently support request attributes,
 // because they cannot be reliably serialized
 return nil
 }
 func (a authorizationAttributesAdapter) IsNonResourceURL() bool {
- // AuthorizationAttributes currently only supports resource authorization checks
+ // Action currently only supports resource authorization checks
 return false
 }
 func (a authorizationAttributesAdapter) GetURL() string {
- // AuthorizationAttributes currently only supports resource authorization checks
+ // Action currently only supports resource authorization checks
 return ""
 }
diff --git a/pkg/authorization/authorizer/authorizer.go b/pkg/authorization/authorizer/authorizer.go
index 7e1993c11bda..676e3eaad0e5 100644
--- a/pkg/authorization/authorizer/authorizer.go
+++ b/pkg/authorization/authorizer/authorizer.go
@@ -18,7 +18,7 @@ func NewAuthorizer(ruleResolver rulevalidation.AuthorizationRuleResolver, forbid
 return &openshiftAuthorizer{ruleResolver, forbiddenMessageMaker}
 }
-func (a *openshiftAuthorizer) Authorize(ctx kapi.Context, passedAttributes AuthorizationAttributes) (bool, string, error) {
+func (a *openshiftAuthorizer) Authorize(ctx kapi.Context, passedAttributes Action) (bool, string, error) {
 attributes := CoerceToDefaultAuthorizationAttributes(passedAttributes)
 // keep track of errors in case we are unable to authorize the action.
@@ -63,7 +63,7 @@ func (a *openshiftAuthorizer) Authorize(ctx kapi.Context, passedAttributes Autho
 // If we got an error, then the list of subjects may not be complete, but it does not contain any incorrect names.
 // This is done because policy rules are purely additive and policy determinations
 // can be made on the basis of those rules that are found.
-func (a *openshiftAuthorizer) GetAllowedSubjects(ctx kapi.Context, attributes AuthorizationAttributes) (sets.String, sets.String, error) {
+func (a *openshiftAuthorizer) GetAllowedSubjects(ctx kapi.Context, attributes Action) (sets.String, sets.String, error) {
 errs := []error{}
 masterContext := kapi.WithNamespace(ctx, kapi.NamespaceNone)
@@ -87,7 +87,7 @@ func (a *openshiftAuthorizer) GetAllowedSubjects(ctx kapi.Context, attributes Au
 return users, groups, kerrors.NewAggregate(errs)
 }
-func (a *openshiftAuthorizer) getAllowedSubjectsFromNamespaceBindings(ctx kapi.Context, passedAttributes AuthorizationAttributes) (sets.String, sets.String, error) {
+func (a *openshiftAuthorizer) getAllowedSubjectsFromNamespaceBindings(ctx kapi.Context, passedAttributes Action) (sets.String, sets.String, error) {
 attributes := CoerceToDefaultAuthorizationAttributes(passedAttributes)
 errs := []error{}
@@ -129,7 +129,7 @@ func (a *openshiftAuthorizer) getAllowedSubjectsFromNamespaceBindings(ctx kapi.C
 // authorizeWithNamespaceRules returns isAllowed, reason, and error. If an error is returned, isAllowed and reason are still valid. This seems strange
 // but errors are not always fatal to the authorization process. It is entirely possible to get an error and be able to continue determine authorization
 // status in spite of it. This is most common when a bound role is missing, but enough roles are still present and bound to authorize the request.
-func (a *openshiftAuthorizer) authorizeWithNamespaceRules(ctx kapi.Context, passedAttributes AuthorizationAttributes) (bool, string, error) {
+func (a *openshiftAuthorizer) authorizeWithNamespaceRules(ctx kapi.Context, passedAttributes Action) (bool, string, error) {
 attributes := CoerceToDefaultAuthorizationAttributes(passedAttributes)
 allRules, ruleRetrievalError := a.ruleResolver.GetEffectivePolicyRules(ctx)
@@ -153,7 +153,7 @@ func (a *openshiftAuthorizer) authorizeWithNamespaceRules(ctx kapi.Context, pass
 // TODO this may or may not be the behavior we want for managing rules. As a for instance, a verb might be specified
 // that our attributes builder will never satisfy. For now, I think gets us close. Maybe a warning message of some kind?
-func CoerceToDefaultAuthorizationAttributes(passedAttributes AuthorizationAttributes) *DefaultAuthorizationAttributes {
+func CoerceToDefaultAuthorizationAttributes(passedAttributes Action) *DefaultAuthorizationAttributes {
 attributes, ok := passedAttributes.(*DefaultAuthorizationAttributes)
 if !ok {
 attributes = &DefaultAuthorizationAttributes{
diff --git a/pkg/authorization/authorizer/cache/authorizer.go b/pkg/authorization/authorizer/cache/authorizer.go
index f1f8116f101d..964b77fd3978 100644
--- a/pkg/authorization/authorizer/cache/authorizer.go
+++ b/pkg/authorization/authorizer/cache/authorizer.go
@@ -59,7 +59,7 @@ func NewAuthorizer(a authorizer.Authorizer, ttl time.Duration, cacheSize int) (a
 }, nil
 }
-func (c *CacheAuthorizer) Authorize(ctx kapi.Context, a authorizer.AuthorizationAttributes) (allowed bool, reason string, err error) {
+func (c *CacheAuthorizer) Authorize(ctx kapi.Context, a authorizer.Action) (allowed bool, reason string, err error) {
 key, err := cacheKey(ctx, a)
 if err != nil {
 glog.V(5).Infof("could not build cache key for %#v: %v", a, err)
@@ -91,7 +91,7 @@ func (c *CacheAuthorizer) Authorize(ctx kapi.Context, a authorizer.Authorization
 return allowed, reason, err
 }
-func (c *CacheAuthorizer) GetAllowedSubjects(ctx kapi.Context, attributes authorizer.AuthorizationAttributes) (sets.String, sets.String, error) {
+func (c *CacheAuthorizer) GetAllowedSubjects(ctx kapi.Context, attributes authorizer.Action) (sets.String, sets.String, error) {
 key, err := cacheKey(ctx, attributes)
 if err != nil {
 glog.V(5).Infof("could not build cache key for %#v: %v", attributes, err)
@@ -122,7 +122,7 @@ func (c *CacheAuthorizer) GetAllowedSubjects(ctx kapi.Context, attributes author
 return users, groups, err
 }
-func cacheKey(ctx kapi.Context, a authorizer.AuthorizationAttributes) (string, error) {
+func cacheKey(ctx kapi.Context, a authorizer.Action) (string, error) {
 if a.GetRequestAttributes() != nil {
 // TODO: see if we can serialize this?
 return "", errors.New("cannot cache request attributes")
diff --git a/pkg/authorization/authorizer/cache/authorizer_test.go b/pkg/authorization/authorizer/cache/authorizer_test.go
index b5aac46a8661..90515bda3dcb 100644
--- a/pkg/authorization/authorizer/cache/authorizer_test.go
+++ b/pkg/authorization/authorizer/cache/authorizer_test.go
@@ -21,7 +21,7 @@ func TestAuthorizer(t *testing.T) {
 func TestCacheKey(t *testing.T) {
 tests := map[string]struct {
 Context kapi.Context
- Attrs authorizer.AuthorizationAttributes
+ Attrs authorizer.Action
 ExpectedKey string
 ExpectedErr bool
@@ -80,7 +80,7 @@ func TestCacheKeyFields(t *testing.T) {
 // These are results we don't expect to be in the cache key
 expectedMissingKeys := sets.NewString("requestattributes")
- attrType := reflect.TypeOf((*authorizer.AuthorizationAttributes)(nil)).Elem()
+ attrType := reflect.TypeOf((*authorizer.Action)(nil)).Elem()
 for i := 0; i < attrType.NumMethod(); i++ {
 name := attrType.Method(i).Name
 name = strings.TrimPrefix(name, "Get")
diff --git a/pkg/authorization/authorizer/interfaces.go b/pkg/authorization/authorizer/interfaces.go
index 81b64eb6197f..54441b6357c3 100644
--- a/pkg/authorization/authorizer/interfaces.go
+++ b/pkg/authorization/authorizer/interfaces.go
@@ -10,19 +10,19 @@ import (
 )
 type Authorizer interface {
- Authorize(ctx kapi.Context, a AuthorizationAttributes) (allowed bool, reason string, err error)
- GetAllowedSubjects(ctx kapi.Context, attributes AuthorizationAttributes) (sets.String, sets.String, error)
+ Authorize(ctx kapi.Context, a Action) (allowed bool, reason string, err error)
+ GetAllowedSubjects(ctx kapi.Context, attributes Action) (sets.String, sets.String, error)
 }
 type AuthorizationAttributeBuilder interface {
- GetAttributes(request *http.Request) (AuthorizationAttributes, error)
+ GetAttributes(request *http.Request) (Action, error)
 }
 type RequestInfoResolver interface {
 GetRequestInfo(req *http.Request) (kapiserver.RequestInfo, error)
 }
-type AuthorizationAttributes interface {
+type Action interface {
 GetVerb() string
 GetAPIVersion() string
 GetAPIGroup() string
@@ -46,5 +46,5 @@ type ForbiddenMessageMaker interface {
 type MessageContext struct {
 User user.Info
 Namespace string
- Attributes AuthorizationAttributes
+ Attributes Action
 }
diff --git a/pkg/authorization/authorizer/personal_subjectaccessreview.go b/pkg/authorization/authorizer/personal_subjectaccessreview.go
index 3bd6b3ec2cb7..40b37840757a 100644
--- a/pkg/authorization/authorizer/personal_subjectaccessreview.go
+++ b/pkg/authorization/authorizer/personal_subjectaccessreview.go
@@ -12,7 +12,7 @@ import (
 authorizationapi "github.com/openshift/origin/pkg/authorization/api"
 )
-func IsPersonalAccessReview(a AuthorizationAttributes) (bool, error) {
+func IsPersonalAccessReview(a Action) (bool, error) {
 switch extendedAttributes := a.GetRequestAttributes().(type) {
 case *http.Request:
 return isPersonalAccessReviewFromRequest(a, extendedAttributes)
@@ -30,7 +30,7 @@ func IsPersonalAccessReview(a AuthorizationAttributes) (bool, error) {
 }
 // isPersonalAccessReviewFromRequest this variant handles the case where we have an httpRequest
-func isPersonalAccessReviewFromRequest(a AuthorizationAttributes, req *http.Request) (bool, error) {
+func isPersonalAccessReviewFromRequest(a Action, req *http.Request) (bool, error) {
 // TODO once we're integrated with the api installer, we should have direct access to the deserialized content
 // for now, this only happens on subjectaccessreviews with a personal check, pay the double retrieve and decode cost
 body, err := ioutil.ReadAll(req.Body)
diff --git a/pkg/authorization/authorizer/remote/authorizer.go b/pkg/authorization/authorizer/remote/authorizer.go
index f75cbd773668..7d2ce9317f2b 100644
--- a/pkg/authorization/authorizer/remote/authorizer.go
+++ b/pkg/authorization/authorizer/remote/authorizer.go
@@ -30,7 +30,7 @@ func NewAuthorizer(client RemoteAuthorizerClient) (authorizer.Authorizer, error)
 return &RemoteAuthorizer{client}, nil
 }
-func (r *RemoteAuthorizer) Authorize(ctx kapi.Context, a authorizer.AuthorizationAttributes) (bool, string, error) {
+func (r *RemoteAuthorizer) Authorize(ctx kapi.Context, a authorizer.Action) (bool, string, error) {
 var (
 result *authzapi.SubjectAccessReviewResponse
 err error
@@ -70,7 +70,7 @@ func (r *RemoteAuthorizer) Authorize(ctx kapi.Context, a authorizer.Authorizatio
 return result.Allowed, result.Reason, nil
 }
-func (r *RemoteAuthorizer) GetAllowedSubjects(ctx kapi.Context, attributes authorizer.AuthorizationAttributes) (sets.String, sets.String, error) {
+func (r *RemoteAuthorizer) GetAllowedSubjects(ctx kapi.Context, attributes authorizer.Action) (sets.String, sets.String, error) {
 var (
 result *authzapi.ResourceAccessReviewResponse
 err error
@@ -92,8 +92,8 @@ func (r *RemoteAuthorizer) GetAllowedSubjects(ctx kapi.Context, attributes autho
 return result.Users, result.Groups, nil
 }
-func getAction(namespace string, attributes authorizer.AuthorizationAttributes) authzapi.AuthorizationAttributes {
- return authzapi.AuthorizationAttributes{
+func getAction(namespace string, attributes authorizer.Action) authzapi.Action {
+ return authzapi.Action{
 Namespace: namespace,
 Verb: attributes.GetVerb(),
 Group: attributes.GetAPIGroup(),
@@ -101,10 +101,10 @@ func getAction(namespace string, attributes authorizer.AuthorizationAttributes)
 Resource: attributes.GetResource(),
 ResourceName: attributes.GetResourceName(),
- // TODO: missing from authorizer.AuthorizationAttributes:
+ // TODO: missing from authorizer.Action:
 // Content
- // TODO: missing from authzapi.AuthorizationAttributes
+ // TODO: missing from authzapi.Action
 // RequestAttributes (unserializable?)
 // IsNonResourceURL
 // URL (doesn't make sense for remote authz?)
diff --git a/pkg/authorization/authorizer/scope/authorizer.go b/pkg/authorization/authorizer/scope/authorizer.go
index cb4f2083e096..4fd5914a994f 100644
--- a/pkg/authorization/authorizer/scope/authorizer.go
+++ b/pkg/authorization/authorizer/scope/authorizer.go
@@ -23,7 +23,7 @@ func NewAuthorizer(delegate defaultauthorizer.Authorizer, clusterPolicyGetter cl
 return &scopeAuthorizer{delegate: delegate, clusterPolicyGetter: clusterPolicyGetter, forbiddenMessageMaker: forbiddenMessageMaker}
 }
-func (a *scopeAuthorizer) Authorize(ctx kapi.Context, passedAttributes defaultauthorizer.AuthorizationAttributes) (bool, string, error) {
+func (a *scopeAuthorizer) Authorize(ctx kapi.Context, passedAttributes defaultauthorizer.Action) (bool, string, error) {
 user, exists := kapi.UserFrom(ctx)
 if !exists {
 return false, "", fmt.Errorf("user missing from context")
@@ -67,6 +67,6 @@ func (a *scopeAuthorizer) Authorize(ctx kapi.Context, passedAttributes defaultau
 // TODO remove this. We don't logically need it, but it requires splitting our interface
 // GetAllowedSubjects returns the subjects it knows can perform the action.
-func (a *scopeAuthorizer) GetAllowedSubjects(ctx kapi.Context, attributes defaultauthorizer.AuthorizationAttributes) (sets.String, sets.String, error) {
+func (a *scopeAuthorizer) GetAllowedSubjects(ctx kapi.Context, attributes defaultauthorizer.Action) (sets.String, sets.String, error) {
 return a.delegate.GetAllowedSubjects(ctx, attributes)
 }
diff --git a/pkg/authorization/authorizer/scope/authorizer_test.go b/pkg/authorization/authorizer/scope/authorizer_test.go
index 35714c806d7f..6107c15f7478 100644
--- a/pkg/authorization/authorizer/scope/authorizer_test.go
+++ b/pkg/authorization/authorizer/scope/authorizer_test.go
@@ -113,11 +113,11 @@ type fakeAuthorizer struct {
 called bool
 }
-func (a *fakeAuthorizer) Authorize(ctx kapi.Context, passedAttributes defaultauthorizer.AuthorizationAttributes) (bool, string, error) {
+func (a *fakeAuthorizer) Authorize(ctx kapi.Context, passedAttributes defaultauthorizer.Action) (bool, string, error) {
 a.called = true
 return a.allowed, "", nil
 }
-func (a *fakeAuthorizer) GetAllowedSubjects(ctx kapi.Context, attributes defaultauthorizer.AuthorizationAttributes) (sets.String, sets.String, error) {
+func (a *fakeAuthorizer) GetAllowedSubjects(ctx kapi.Context, attributes defaultauthorizer.Action) (sets.String, sets.String, error) {
 return nil, nil, nil
 }
diff --git a/pkg/authorization/registry/localresourceaccessreview/rest_test.go b/pkg/authorization/registry/localresourceaccessreview/rest_test.go
index 4f2a39612ec9..6ab2140e4060 100644
--- a/pkg/authorization/registry/localresourceaccessreview/rest_test.go
+++ b/pkg/authorization/registry/localresourceaccessreview/rest_test.go
@@ -27,7 +27,7 @@ type testAuthorizer struct {
 actualAttributes authorizer.DefaultAuthorizationAttributes
 }
-func (a *testAuthorizer) Authorize(ctx kapi.Context, attributes authorizer.AuthorizationAttributes) (allowed bool, reason string, err error) {
+func (a *testAuthorizer) Authorize(ctx kapi.Context, attributes authorizer.Action) (allowed bool, reason string, err error) {
 // allow the initial check for "can I run this RAR at all"
 if attributes.GetResource() == "localresourceaccessreviews" {
 return true, "", nil
@@ -35,7 +35,7 @@ func (a *testAuthorizer) Authorize(ctx kapi.Context, attributes authorizer.Autho
 return false, "", errors.New("Unsupported")
 }
-func (a *testAuthorizer) GetAllowedSubjects(ctx kapi.Context, passedAttributes authorizer.AuthorizationAttributes) (sets.String, sets.String, error) {
+func (a *testAuthorizer) GetAllowedSubjects(ctx kapi.Context, passedAttributes authorizer.Action) (sets.String, sets.String, error) {
 attributes, ok := passedAttributes.(authorizer.DefaultAuthorizationAttributes)
 if !ok {
 return nil, nil, errors.New("unexpected type for test")
@@ -54,7 +54,7 @@ func TestNoNamespace(t *testing.T) {
 err: "namespace is required on this type: ",
 },
 reviewRequest: &authorizationapi.LocalResourceAccessReview{
- Action: authorizationapi.AuthorizationAttributes{
+ Action: authorizationapi.Action{
 Namespace: "",
 Verb: "get",
 Resource: "pods",
@@ -68,7 +68,7 @@ func TestNoNamespace(t *testing.T) {
 func TestConflictingNamespace(t *testing.T) {
 authorizer := &testAuthorizer{}
 reviewRequest := &authorizationapi.LocalResourceAccessReview{
- Action: authorizationapi.AuthorizationAttributes{
+ Action: authorizationapi.Action{
 Namespace: "foo",
 Verb: "get",
 Resource: "pods",
@@ -93,7 +93,7 @@ func TestEmptyReturn(t *testing.T) {
 groups: sets.String{},
 },
 reviewRequest: &authorizationapi.LocalResourceAccessReview{
- Action: authorizationapi.AuthorizationAttributes{
+ Action: authorizationapi.Action{
 Namespace: "unittest",
 Verb: "get",
 Resource: "pods",
@@ -111,7 +111,7 @@ func TestNoErrors(t *testing.T) {
 groups: sets.NewString("three", "four"),
 },
 reviewRequest: &authorizationapi.LocalResourceAccessReview{
- Action: authorizationapi.AuthorizationAttributes{
+ Action: authorizationapi.Action{
 Namespace: "unittest",
 Verb: "delete",
 Resource: "deploymentConfig",
diff --git a/pkg/authorization/registry/localsubjectaccessreview/rest_test.go b/pkg/authorization/registry/localsubjectaccessreview/rest_test.go
index 3b3aa2c2918d..cc5ed953eedd 100644
--- a/pkg/authorization/registry/localsubjectaccessreview/rest_test.go
+++ b/pkg/authorization/registry/localsubjectaccessreview/rest_test.go
@@ -32,7 +32,7 @@ type testAuthorizer struct {
 actualUserInfo user.Info
 }
-func (a *testAuthorizer) Authorize(ctx kapi.Context, passedAttributes authorizer.AuthorizationAttributes) (allowed bool, reason string, err error) {
+func (a *testAuthorizer) Authorize(ctx kapi.Context, passedAttributes authorizer.Action) (allowed bool, reason string, err error) {
 a.actualUserInfo, _ = kapi.UserFrom(ctx)
 // allow the initial check for "can I run this SAR at all"
@@ -52,7 +52,7 @@ func (a *testAuthorizer) Authorize(ctx kapi.Context, passedAttributes authorizer
 }
 return a.allowed, a.reason, errors.New(a.err)
 }
-func (a *testAuthorizer) GetAllowedSubjects(ctx kapi.Context, passedAttributes authorizer.AuthorizationAttributes) (sets.String, sets.String, error) {
+func (a *testAuthorizer) GetAllowedSubjects(ctx kapi.Context, passedAttributes authorizer.Action) (sets.String, sets.String, error) {
 return sets.String{}, sets.String{}, nil
 }
@@ -63,7 +63,7 @@ func TestNoNamespace(t *testing.T) {
 err: "namespace is required on this type: ",
 },
 reviewRequest: &authorizationapi.LocalSubjectAccessReview{
- Action: authorizationapi.AuthorizationAttributes{
+ Action: authorizationapi.Action{
 Namespace: "",
 Verb: "get",
 Resource: "pods",
@@ -81,7 +81,7 @@ func TestConflictingNamespace(t *testing.T) {
 allowed: false,
 }
 reviewRequest := &authorizationapi.LocalSubjectAccessReview{
- Action: authorizationapi.AuthorizationAttributes{
+ Action: authorizationapi.Action{
 Namespace: "foo",
 Verb: "get",
 Resource: "pods",
@@ -108,7 +108,7 @@ func TestEmptyReturn(t *testing.T) {
 reason: "because reasons",
 },
 reviewRequest: &authorizationapi.LocalSubjectAccessReview{
- Action: authorizationapi.AuthorizationAttributes{
+ Action: authorizationapi.Action{
 Namespace: "unittest",
 Verb: "get",
 Resource: "pods",
@@ -133,7 +133,7 @@ func TestNoErrors(t *testing.T) {
 reason: "because good things",
 },
 reviewRequest: &authorizationapi.LocalSubjectAccessReview{
- Action: authorizationapi.AuthorizationAttributes{
+ Action: authorizationapi.Action{
 Namespace: "unittest",
 Verb: "delete",
 Resource: "deploymentConfigs",
@@ -156,7 +156,7 @@ func TestErrors(t *testing.T) {
 err: "some-random-failure",
 },
 reviewRequest: &authorizationapi.LocalSubjectAccessReview{
- Action: authorizationapi.AuthorizationAttributes{
+ Action: authorizationapi.Action{
 Namespace: "unittest",
 Verb: "get",
 Resource: "pods",
@@ -176,7 +176,7 @@ func TestRegularWithScopes(t *testing.T) {
 reason: "because good things",
 },
 reviewRequest: &authorizationapi.LocalSubjectAccessReview{
- Action: authorizationapi.AuthorizationAttributes{
+ Action: authorizationapi.Action{
 Namespace: "unittest",
 Verb: "delete",
 Resource: "deploymentConfigs",
@@ -205,7 +205,7 @@ func TestSelfWithDefaultScopes(t *testing.T) {
 reason: "because good things",
 },
 reviewRequest: &authorizationapi.LocalSubjectAccessReview{
- Action: authorizationapi.AuthorizationAttributes{
+ Action: authorizationapi.Action{
 Namespace: "unittest",
 Verb: "delete",
 Resource: "deploymentConfigs",
@@ -233,7 +233,7 @@ func TestSelfWithClearedScopes(t *testing.T) {
 reason: "because good things",
 },
 reviewRequest: &authorizationapi.LocalSubjectAccessReview{
- Action: authorizationapi.AuthorizationAttributes{
+ Action: authorizationapi.Action{
 Namespace: "unittest",
 Verb: "delete",
 Resource: "deploymentConfigs",
diff --git a/pkg/authorization/registry/resourceaccessreview/rest_test.go b/pkg/authorization/registry/resourceaccessreview/rest_test.go
index f85fb1b68e26..18b7ab827933 100644
--- a/pkg/authorization/registry/resourceaccessreview/rest_test.go
+++ b/pkg/authorization/registry/resourceaccessreview/rest_test.go
@@ -27,7 +27,7 @@ type testAuthorizer struct {
 actualAttributes authorizer.DefaultAuthorizationAttributes
 }
-func (a *testAuthorizer) Authorize(ctx kapi.Context, attributes authorizer.AuthorizationAttributes) (allowed bool, reason string, err error) {
+func (a *testAuthorizer) Authorize(ctx kapi.Context, attributes authorizer.Action) (allowed bool, reason string, err error) {
 // allow the initial check for "can I run this RAR at all"
 if attributes.GetResource() == "localresourceaccessreviews" {
 if len(a.deniedNamespaces) != 0 && a.deniedNamespaces.Has(kapi.NamespaceValue(ctx)) {
@@ -39,7 +39,7 @@ func (a *testAuthorizer) Authorize(ctx kapi.Context, attributes authorizer.Autho
 return false, "", errors.New("unsupported")
 }
-func (a *testAuthorizer) GetAllowedSubjects(ctx kapi.Context, passedAttributes authorizer.AuthorizationAttributes) (sets.String, sets.String, error) {
+func (a *testAuthorizer) GetAllowedSubjects(ctx kapi.Context, passedAttributes authorizer.Action) (sets.String, sets.String, error) {
 attributes, ok := passedAttributes.(authorizer.DefaultAuthorizationAttributes)
 if !ok {
 return nil, nil, errors.New("unexpected type for test")
@@ -61,7 +61,7 @@ func TestDeniedNamespace(t *testing.T) {
 deniedNamespaces: sets.NewString("foo"),
 },
 reviewRequest: &authorizationapi.ResourceAccessReview{
- Action: authorizationapi.AuthorizationAttributes{
+ Action: authorizationapi.Action{
 Namespace: "foo",
 Verb: "get",
 Resource: "pods",
@@ -79,7 +79,7 @@ func TestEmptyReturn(t *testing.T) {
 groups: sets.String{},
 },
 reviewRequest: &authorizationapi.ResourceAccessReview{
- Action: authorizationapi.AuthorizationAttributes{
+ Action: authorizationapi.Action{
 Verb: "get",
 Resource: "pods",
 },
@@ -96,7 +96,7 @@ func TestNoErrors(t *testing.T) {
 groups: sets.NewString("three", "four"),
 },
 reviewRequest: &authorizationapi.ResourceAccessReview{
- Action: authorizationapi.AuthorizationAttributes{
+ Action: authorizationapi.Action{
 Verb: "delete",
 Resource: "deploymentConfig",
 },
diff --git a/pkg/authorization/registry/subjectaccessreview/rest_test.go b/pkg/authorization/registry/subjectaccessreview/rest_test.go
index 38750a2665b7..5159ca2114b3 100644
--- a/pkg/authorization/registry/subjectaccessreview/rest_test.go
+++ b/pkg/authorization/registry/subjectaccessreview/rest_test.go
@@ -32,7 +32,7 @@ type testAuthorizer struct {
 actualUserInfo user.Info
 }
-func (a *testAuthorizer) Authorize(ctx kapi.Context, passedAttributes authorizer.AuthorizationAttributes) (allowed bool, reason string, err error) {
+func (a *testAuthorizer) Authorize(ctx kapi.Context, passedAttributes authorizer.Action) (allowed bool, reason string, err error) {
 a.actualUserInfo, _ = kapi.UserFrom(ctx)
 // allow the initial check for "can I run this SAR at all"
@@ -56,7 +56,7 @@ func (a *testAuthorizer) Authorize(ctx kapi.Context, passedAttributes authorizer
 }
 return a.allowed, a.reason, errors.New(a.err)
 }
-func (a *testAuthorizer) GetAllowedSubjects(ctx kapi.Context, passedAttributes authorizer.AuthorizationAttributes) (sets.String, sets.String, error) {
+func (a *testAuthorizer) GetAllowedSubjects(ctx kapi.Context, passedAttributes authorizer.Action) (sets.String, sets.String, error) {
 return sets.String{}, sets.String{}, nil
 }
@@ -68,7 +68,7 @@ func TestDeniedNamespace(t *testing.T) {
 deniedNamespaces: sets.NewString("foo"),
 },
 reviewRequest: &authorizationapi.SubjectAccessReview{
- Action: authorizationapi.AuthorizationAttributes{
+ Action: authorizationapi.Action{
 Namespace: "foo",
 Verb: "get",
 Resource: "pods",
@@ -88,7 +88,7 @@ func TestEmptyReturn(t *testing.T) {
 reason: "because reasons",
 },
 reviewRequest: &authorizationapi.SubjectAccessReview{
- Action: authorizationapi.AuthorizationAttributes{
+ Action: authorizationapi.Action{
 Verb: "get",
 Resource: "pods",
 },
@@ -112,7 +112,7 @@ func TestNoErrors(t *testing.T) {
 reason: "because good things",
 },
 reviewRequest: &authorizationapi.SubjectAccessReview{
- Action: authorizationapi.AuthorizationAttributes{
+ Action: authorizationapi.Action{
 Verb: "delete",
 Resource: "deploymentConfigs",
 },
@@ -134,7 +134,7 @@ func TestErrors(t *testing.T) {
 err: "some-random-failure",
 },
 reviewRequest: &authorizationapi.SubjectAccessReview{
- Action: authorizationapi.AuthorizationAttributes{
+ Action: authorizationapi.Action{
 Verb: "get",
 Resource: "pods",
 },
@@ -153,7 +153,7 @@ func TestRegularWithScopes(t *testing.T) {
 reason: "because good things",
 },
 reviewRequest: &authorizationapi.SubjectAccessReview{
- Action: authorizationapi.AuthorizationAttributes{
+ Action: authorizationapi.Action{
 Verb: "delete",
 Resource: "deploymentConfigs",
 },
@@ -181,7 +181,7 @@ func TestSelfWithDefaultScopes(t *testing.T) {
 reason: "because good things",
 },
 reviewRequest: &authorizationapi.SubjectAccessReview{
- Action: authorizationapi.AuthorizationAttributes{
+ Action: authorizationapi.Action{
 Verb: "delete",
 Resource: "deploymentConfigs",
 },
@@ -208,7 +208,7 @@ func TestSelfWithClearedScopes(t *testing.T) {
 reason: "because good things",
 },
 reviewRequest: &authorizationapi.SubjectAccessReview{
- Action: authorizationapi.AuthorizationAttributes{
+ Action: authorizationapi.Action{
 Verb: "delete",
 Resource: "deploymentConfigs",
 },
diff --git a/pkg/build/admission/strategyrestrictions/admission.go b/pkg/build/admission/strategyrestrictions/admission.go
index 85cc5f3b3459..505865a97abb 100644
--- a/pkg/build/admission/strategyrestrictions/admission.go
+++ b/pkg/build/admission/strategyrestrictions/admission.go
@@ -104,7 +104,7 @@ func (a *buildByStrategy) checkBuildAuthorization(build *buildapi.Build, attr ad
 }
 
 subjectAccessReview := authorizationapi.AddUserToLSAR(attr.GetUserInfo(), &authorizationapi.LocalSubjectAccessReview{
- Action: authorizationapi.AuthorizationAttributes{
+ Action: authorizationapi.Action{
 Verb: "create",
 Group: resource.Group,
 Resource: resource.Resource,
@@ -123,7 +123,7 @@ func (a *buildByStrategy) checkBuildConfigAuthorization(buildConfig *buildapi.Bu
 }
 
 subjectAccessReview := authorizationapi.AddUserToLSAR(attr.GetUserInfo(), &authorizationapi.LocalSubjectAccessReview{
- Action: authorizationapi.AuthorizationAttributes{
+ Action: authorizationapi.Action{
 Verb: "create",
 Group: resource.Group,
 Resource: resource.Resource,
diff --git a/pkg/cmd/admin/diagnostics/cluster.go b/pkg/cmd/admin/diagnostics/cluster.go
index 62f2cd217324..ce413b6fa669 100644
--- a/pkg/cmd/admin/diagnostics/cluster.go
+++ b/pkg/cmd/admin/diagnostics/cluster.go
@@ -117,7 +117,7 @@ func (o DiagnosticsOptions) makeClusterClients(rawConfig *clientcmdapi.Config, c
 o.Logger.Debug("CED1006", fmt.Sprintf("Error creating client for context '%s':\n%v", contextName, err))
 return nil, nil, false, "", nil
 } else {
- subjectAccessReview := authorizationapi.SubjectAccessReview{Action: authorizationapi.AuthorizationAttributes{
+ subjectAccessReview := authorizationapi.SubjectAccessReview{Action: authorizationapi.Action{
 // if you can do everything, you're the cluster admin.
 Verb: "*",
 Group: "*",
diff --git a/pkg/cmd/admin/policy/cani.go b/pkg/cmd/admin/policy/cani.go
index 5c039e36a68a..3e56509007d0 100644
--- a/pkg/cmd/admin/policy/cani.go
+++ b/pkg/cmd/admin/policy/cani.go
@@ -139,7 +139,7 @@ func (o *canIOptions) Run() (bool, error) {
 }
 
 sar := &authorizationapi.SubjectAccessReview{
- Action: authorizationapi.AuthorizationAttributes{
+ Action: authorizationapi.Action{
 Namespace: o.Namespace,
 Verb: o.Verb,
 Group: o.Resource.Group,
diff --git a/pkg/cmd/admin/policy/who_can.go b/pkg/cmd/admin/policy/who_can.go
index 1f323b8ebfe0..40f942146f13 100644
--- a/pkg/cmd/admin/policy/who_can.go
+++ b/pkg/cmd/admin/policy/who_can.go
@@ -94,7 +94,7 @@ func resourceFor(mapper meta.RESTMapper, resourceArg string) unversioned.GroupVe
 }
 
 func (o *whoCanOptions) run() error {
- authorizationAttributes := authorizationapi.AuthorizationAttributes{
+ authorizationAttributes := authorizationapi.Action{
 Verb: o.verb,
 Group: o.resource.Group,
 Resource: o.resource.Resource,
diff --git a/pkg/cmd/server/origin/ensure.go b/pkg/cmd/server/origin/ensure.go
index ce2409230e77..c3bb9195bb38 100644
--- a/pkg/cmd/server/origin/ensure.go
+++ b/pkg/cmd/server/origin/ensure.go
@@ -232,7 +232,7 @@ func (c *MasterConfig) ensureComponentAuthorizationRules() {
 }
 
 // Wait until the policy cache has caught up before continuing
- review := &authorizationapi.SubjectAccessReview{Action: authorizationapi.AuthorizationAttributes{Verb: "get", Group: authorizationapi.GroupName, Resource: "clusterpolicies"}}
+ review := &authorizationapi.SubjectAccessReview{Action: authorizationapi.Action{Verb: "get", Group: authorizationapi.GroupName, Resource: "clusterpolicies"}}
 err = wait.PollImmediate(100*time.Millisecond, 30*time.Second, func() (done bool, err error) {
 result, err := c.PolicyClient().SubjectAccessReviews().Create(review)
 if err == nil && result.Allowed {
diff --git a/pkg/cmd/server/origin/handlers.go b/pkg/cmd/server/origin/handlers.go
index 5d63cdd8cfd7..696ec3f590ff 100644
--- a/pkg/cmd/server/origin/handlers.go
+++ b/pkg/cmd/server/origin/handlers.go
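Review bot: In the who_can.go hunk the local in `whoCanOptions.run` keeps the name `authorizationAttributes` although its type is now `authorizationapi.Action`, so the variable name still points readers at the type that was just removed. Renaming it to match the new type, `action := authorizationapi.Action{`, would keep it consistent with the `action authorizationapi.Action` parameter that `userCan` in pkg/diagnostics/cluster/util.go already uses in this same commit. The rest of `run()` and the later uses of this variable are outside the hunk, so those references would need the same rename.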
@@ -105,7 +105,7 @@ func (c *MasterConfig) authorizationFilter(handler http.Handler) http.Handler {
 }
 
 // forbidden renders a simple forbidden error
-func forbidden(reason string, attributes authorizer.AuthorizationAttributes, w http.ResponseWriter, req *http.Request) {
+func forbidden(reason string, attributes authorizer.Action, w http.ResponseWriter, req *http.Request) {
 kind := ""
 resource := ""
 group := ""
diff --git a/pkg/cmd/server/origin/handlers_test.go b/pkg/cmd/server/origin/handlers_test.go
index f683b6eb0a31..40773949b719 100644
--- a/pkg/cmd/server/origin/handlers_test.go
+++ b/pkg/cmd/server/origin/handlers_test.go
@@ -24,7 +24,7 @@ import (
 
 type impersonateAuthorizer struct{}
 
-func (impersonateAuthorizer) Authorize(ctx kapi.Context, a authorizer.AuthorizationAttributes) (allowed bool, reason string, err error) {
+func (impersonateAuthorizer) Authorize(ctx kapi.Context, a authorizer.Action) (allowed bool, reason string, err error) {
 user, exists := kapi.UserFrom(ctx)
 if !exists {
 return false, "missing user", nil
@@ -63,7 +63,7 @@ func (impersonateAuthorizer) Authorize(ctx kapi.Context, a authorizer.Authorizat
 return false, "deny by default", nil
 }
 
-func (impersonateAuthorizer) GetAllowedSubjects(ctx kapi.Context, attributes authorizer.AuthorizationAttributes) (sets.String, sets.String, error) {
+func (impersonateAuthorizer) GetAllowedSubjects(ctx kapi.Context, attributes authorizer.Action) (sets.String, sets.String, error) {
 return nil, nil, nil
 }
 
diff --git a/pkg/diagnostics/cluster/master_node.go b/pkg/diagnostics/cluster/master_node.go
index 930c7c8b1001..758875a3ba07 100644
--- a/pkg/diagnostics/cluster/master_node.go
+++ b/pkg/diagnostics/cluster/master_node.go
@@ -77,7 +77,7 @@ func (d *MasterNode) CanRun() (bool, error) {
 }
 }
 
- can, err := userCan(d.OsClient, authorizationapi.AuthorizationAttributes{
+ can, err := userCan(d.OsClient, authorizationapi.Action{
 Verb: "list",
 Group: kapi.GroupName,
 Resource: "nodes",
diff --git a/pkg/diagnostics/cluster/node_definitions.go b/pkg/diagnostics/cluster/node_definitions.go
index 6af287e47eab..361b23331317 100644
--- a/pkg/diagnostics/cluster/node_definitions.go
+++ b/pkg/diagnostics/cluster/node_definitions.go
@@ -65,7 +65,7 @@ func (d *NodeDefinitions) CanRun() (bool, error) {
 if d.KubeClient == nil || d.OsClient == nil {
 return false, errors.New("must have kube and os client")
 }
- can, err := userCan(d.OsClient, authorizationapi.AuthorizationAttributes{
+ can, err := userCan(d.OsClient, authorizationapi.Action{
 Verb: "list",
 Group: kapi.GroupName,
 Resource: "nodes",
diff --git a/pkg/diagnostics/cluster/registry.go b/pkg/diagnostics/cluster/registry.go
index 36ea6268a754..31ebb764f4c8 100644
--- a/pkg/diagnostics/cluster/registry.go
+++ b/pkg/diagnostics/cluster/registry.go
@@ -156,7 +156,7 @@ func (d *ClusterRegistry) CanRun() (bool, error) {
 if d.OsClient == nil || d.KubeClient == nil {
 return false, fmt.Errorf("must have kube and os clients")
 }
- return userCan(d.OsClient, authorizationapi.AuthorizationAttributes{
+ return userCan(d.OsClient, authorizationapi.Action{
 Namespace: kapi.NamespaceDefault,
 Verb: "get",
 Group: kapi.GroupName,
diff --git a/pkg/diagnostics/cluster/rolebindings.go b/pkg/diagnostics/cluster/rolebindings.go
index 02b3a1fa261e..5050a0f0aa48 100644
--- a/pkg/diagnostics/cluster/rolebindings.go
+++ b/pkg/diagnostics/cluster/rolebindings.go
@@ -38,7 +38,7 @@ func (d *ClusterRoleBindings) CanRun() (bool, error) {
 return false, fmt.Errorf("must have client.SubjectAccessReviews")
 }
 
- return userCan(d.SARClient, authorizationapi.AuthorizationAttributes{
+ return userCan(d.SARClient, authorizationapi.Action{
 Verb: "list",
 Group: authorizationapi.GroupName,
 Resource: "clusterrolebindings",
diff --git a/pkg/diagnostics/cluster/roles.go b/pkg/diagnostics/cluster/roles.go
index a1b459b4a6e3..58dbe12f60b8 100644
--- a/pkg/diagnostics/cluster/roles.go
+++ b/pkg/diagnostics/cluster/roles.go
@@ -39,7 +39,7 @@ func (d *ClusterRoles) CanRun() (bool, error) {
 return false, fmt.Errorf("must have client.SubjectAccessReviews")
 }
 
- return userCan(d.SARClient, authorizationapi.AuthorizationAttributes{
+ return userCan(d.SARClient, authorizationapi.Action{
 Verb: "list",
 Group: authorizationapi.GroupName,
 Resource: "clusterroles",
diff --git a/pkg/diagnostics/cluster/router.go b/pkg/diagnostics/cluster/router.go
index 3d0662e14528..11c2ae5cd5ce 100644
--- a/pkg/diagnostics/cluster/router.go
+++ b/pkg/diagnostics/cluster/router.go
@@ -94,7 +94,7 @@ func (d *ClusterRouter) CanRun() (bool, error) {
 if d.KubeClient == nil || d.OsClient == nil {
 return false, errors.New("must have kube and os client")
 }
- can, err := userCan(d.OsClient, authorizationapi.AuthorizationAttributes{
+ can, err := userCan(d.OsClient, authorizationapi.Action{
 Namespace: kapi.NamespaceDefault,
 Verb: "get",
 Group: deployapi.GroupName,
diff --git a/pkg/diagnostics/cluster/util.go b/pkg/diagnostics/cluster/util.go
index c33f96fd9617..01969fd58feb 100644
--- a/pkg/diagnostics/cluster/util.go
+++ b/pkg/diagnostics/cluster/util.go
@@ -5,7 +5,7 @@ import (
 osclient "github.com/openshift/origin/pkg/client"
 )
 
-func userCan(sarClient osclient.SubjectAccessReviews, action authorizationapi.AuthorizationAttributes) (bool, error) {
+func userCan(sarClient osclient.SubjectAccessReviews, action authorizationapi.Action) (bool, error) {
 resp, err := sarClient.SubjectAccessReviews().Create(&authorizationapi.SubjectAccessReview{Action: action})
 if err != nil {
 return false, err
diff --git a/pkg/dockerregistry/server/auth.go b/pkg/dockerregistry/server/auth.go
index a391ded9604c..42e3cb849b15 100644
--- a/pkg/dockerregistry/server/auth.go
+++ b/pkg/dockerregistry/server/auth.go
@@ -337,7 +337,7 @@ func verifyOpenShiftUser(ctx context.Context, client client.UsersInterface) erro
 
 func verifyImageStreamAccess(ctx context.Context, namespace, imageRepo, verb string, client client.LocalSubjectAccessReviewsNamespacer) error {
 sar := authorizationapi.LocalSubjectAccessReview{
- Action: authorizationapi.AuthorizationAttributes{
+ Action: authorizationapi.Action{
 Verb: verb,
 Group: imageapi.GroupName,
 Resource: "imagestreams/layers",
@@ -364,7 +364,7 @@ func verifyImageStreamAccess(ctx context.Context, namespace, imageRepo, verb str
 
 func verifyPruneAccess(ctx context.Context, client client.SubjectAccessReviews) error {
 sar := authorizationapi.SubjectAccessReview{
- Action: authorizationapi.AuthorizationAttributes{
+ Action: authorizationapi.Action{
 Verb: "delete",
 Group: imageapi.GroupName,
 Resource: "images",
diff --git a/pkg/gitserver/gitserver.go b/pkg/gitserver/gitserver.go
index ec3ce2162ca7..eb99b4bfb6a9 100644
--- a/pkg/gitserver/gitserver.go
+++ b/pkg/gitserver/gitserver.go
@@ -238,7 +238,7 @@ func NewEnvironmentConfig() (*Config, error) {
 return true, nil
 }
 req := &authapi.LocalSubjectAccessReview{
- Action: authapi.AuthorizationAttributes{
+ Action: authapi.Action{
 Verb: "get",
 Group: kapi.GroupName,
 Resource: "pods",
diff --git a/pkg/image/registry/imagestream/strategy.go b/pkg/image/registry/imagestream/strategy.go
index 626f007611c0..e50ae3959a7a 100644
--- a/pkg/image/registry/imagestream/strategy.go
+++ b/pkg/image/registry/imagestream/strategy.go
@@ -434,7 +434,7 @@ func (v *TagVerifier) Verify(old, stream *api.ImageStream, user user.Info) field
 }
 
 subjectAccessReview := authorizationapi.SubjectAccessReview{
- Action: authorizationapi.AuthorizationAttributes{
+ Action: authorizationapi.Action{
 Verb: "get",
 Group: api.GroupName,
 Resource: "imagestreams",
diff --git a/pkg/image/registry/imagestream/strategy_test.go b/pkg/image/registry/imagestream/strategy_test.go
index 0e57310ed0f7..701f26153e9f 100644
--- a/pkg/image/registry/imagestream/strategy_test.go
+++ b/pkg/image/registry/imagestream/strategy_test.go
@@ -309,7 +309,7 @@ func TestTagVerifier(t *testing.T) {
 t.Errorf("%s: sar namespace: expected %v, got %v", name, e, a)
 }
 expectedSar := &authorizationapi.SubjectAccessReview{
- Action: authorizationapi.AuthorizationAttributes{
+ Action: authorizationapi.Action{
 Verb: "get",
 Resource: "imagestreams",
 ResourceName: "otherstream",
diff --git a/pkg/project/auth/reviewer.go b/pkg/project/auth/reviewer.go
index 5d9400f0b5e2..0d4d74316d70 100644
--- a/pkg/project/auth/reviewer.go
+++ b/pkg/project/auth/reviewer.go
@@ -62,7 +62,7 @@ func NewReviewer(resourceAccessReviewsNamespacer client.LocalResourceAccessRevie
 // Review performs a resource access review for the given resource by name
 func (r *reviewer) Review(name string) (Review, error) {
 resourceAccessReview := &authorizationapi.LocalResourceAccessReview{
- Action: authorizationapi.AuthorizationAttributes{
+ Action: authorizationapi.Action{
 Verb: "get",
 Group: kapi.GroupName,
 Resource: "namespaces",
diff --git a/pkg/project/registry/projectrequest/delegated/delegated.go b/pkg/project/registry/projectrequest/delegated/delegated.go
index b7f7a6377adb..3f6db3348eb7 100644
--- a/pkg/project/registry/projectrequest/delegated/delegated.go
+++ b/pkg/project/registry/projectrequest/delegated/delegated.go
@@ -204,7 +204,7 @@ func (r *REST) List(ctx kapi.Context, options *kapi.ListOptions) (runtime.Object
 // So we'll escalate for the subject access review to determine rights
 
 accessReview := authorizationapi.AddUserToSAR(userInfo, &authorizationapi.SubjectAccessReview{
- Action: authorizationapi.AuthorizationAttributes{
+ Action: authorizationapi.Action{
 Verb: "create",
 Group: projectapi.GroupName,
 Resource: "projectrequests",
diff --git a/pkg/scheduler/admission/podnodeconstraints/admission_test.go b/pkg/scheduler/admission/podnodeconstraints/admission_test.go
index 127dd30bae57..ab10b8133d52 100644
--- a/pkg/scheduler/admission/podnodeconstraints/admission_test.go
+++ b/pkg/scheduler/admission/podnodeconstraints/admission_test.go
@@ -430,7 +430,7 @@ func fakeAuthorizer(t *testing.T) authorizer.Authorizer {
 }
 }
 
-func (a *fakeTestAuthorizer) Authorize(ctx kapi.Context, passedAttributes authorizer.AuthorizationAttributes) (bool, string, error) {
+func (a *fakeTestAuthorizer) Authorize(ctx kapi.Context, passedAttributes authorizer.Action) (bool, string, error) {
 a.t.Logf("Authorize: ctx: %#v", ctx)
 ui, ok := kapi.UserFrom(ctx)
 if !ok {
@@ -444,7 +444,7 @@ func (a *fakeTestAuthorizer) Authorize(ctx kapi.Context, passedAttributes author
 return false, "", nil
 }
 
-func (a *fakeTestAuthorizer) GetAllowedSubjects(ctx kapi.Context, attributes authorizer.AuthorizationAttributes) (sets.String, sets.String, error) {
+func (a *fakeTestAuthorizer) GetAllowedSubjects(ctx kapi.Context, attributes authorizer.Action) (sets.String, sets.String, error) {
 return nil, nil, nil
 }
 
diff --git a/test/integration/authorization_test.go b/test/integration/authorization_test.go
index b82c48c44ec4..8de462ab21ed 100644
--- a/test/integration/authorization_test.go
+++ b/test/integration/authorization_test.go
@@ -427,11 +427,11 @@ func TestAuthorizationResourceAccessReview(t *testing.T) { } requestWhoCanViewDeploymentConfigs := &authorizationapi.ResourceAccessReview{ - Action: authorizationapi.AuthorizationAttributes{Verb: "get", Resource: "deploymentconfigs"}, + Action: authorizationapi.Action{Verb: "get", Resource: "deploymentconfigs"}, } localRequestWhoCanViewDeploymentConfigs := &authorizationapi.LocalResourceAccessReview{ - Action: authorizationapi.AuthorizationAttributes{Verb: "get", Resource: "deploymentconfigs"}, + Action: authorizationapi.Action{Verb: "get", Resource: "deploymentconfigs"}, } {
@@ -601,7 +601,7 @@ func TestAuthorizationSubjectAccessReviewAPIGroup(t *testing.T) {
 localInterface: clusterAdminClient.LocalSubjectAccessReviews("hammer-project"),
 localReview: &authorizationapi.LocalSubjectAccessReview{
 User: "harold",
- Action: authorizationapi.AuthorizationAttributes{Verb: "get", Group: "extensions", Resource: "horizontalpodautoscalers"},
+ Action: authorizationapi.Action{Verb: "get", Group: "extensions", Resource: "horizontalpodautoscalers"},
 },
 response: authorizationapi.SubjectAccessReviewResponse{
 Allowed: true,
@@ -614,7 +614,7 @@ func TestAuthorizationSubjectAccessReviewAPIGroup(t *testing.T) {
 localInterface: clusterAdminClient.LocalSubjectAccessReviews("hammer-project"),
 localReview: &authorizationapi.LocalSubjectAccessReview{
 User: "harold",
- Action: authorizationapi.AuthorizationAttributes{Verb: "get", Group: "", Resource: "horizontalpodautoscalers"},
+ Action: authorizationapi.Action{Verb: "get", Group: "", Resource: "horizontalpodautoscalers"},
 },
 response: authorizationapi.SubjectAccessReviewResponse{
 Allowed: false,
@@ -627,7 +627,7 @@ func TestAuthorizationSubjectAccessReviewAPIGroup(t *testing.T) {
 localInterface: clusterAdminClient.LocalSubjectAccessReviews("hammer-project"),
 localReview: &authorizationapi.LocalSubjectAccessReview{
 User: "harold",
- Action: authorizationapi.AuthorizationAttributes{Verb: "get", Group: "foo", Resource: "horizontalpodautoscalers"},
+ Action: authorizationapi.Action{Verb: "get", Group: "foo", Resource: "horizontalpodautoscalers"},
 },
 response: authorizationapi.SubjectAccessReviewResponse{
 Allowed: false,
@@ -640,7 +640,7 @@ func TestAuthorizationSubjectAccessReviewAPIGroup(t *testing.T) {
 localInterface: clusterAdminClient.LocalSubjectAccessReviews("hammer-project"),
 localReview: &authorizationapi.LocalSubjectAccessReview{
 User: "harold",
- Action: authorizationapi.AuthorizationAttributes{Verb: "get", Group: "*", Resource: "horizontalpodautoscalers"},
+ Action: authorizationapi.Action{Verb: "get", Group: "*", Resource: "horizontalpodautoscalers"},
 },
 response: authorizationapi.SubjectAccessReviewResponse{
 Allowed: false,
@@ -654,7 +654,7 @@ func TestAuthorizationSubjectAccessReviewAPIGroup(t *testing.T) {
 description: "cluster admin told they can get extensions.horizontalpodautoscalers in project hammer-project",
 localInterface: clusterAdminClient.LocalSubjectAccessReviews("any-project"),
 localReview: &authorizationapi.LocalSubjectAccessReview{
- Action: authorizationapi.AuthorizationAttributes{Verb: "get", Group: "extensions", Resource: "horizontalpodautoscalers"},
+ Action: authorizationapi.Action{Verb: "get", Group: "extensions", Resource: "horizontalpodautoscalers"},
 },
 response: authorizationapi.SubjectAccessReviewResponse{
 Allowed: true,
@@ -666,7 +666,7 @@ func TestAuthorizationSubjectAccessReviewAPIGroup(t *testing.T) {
 description: "cluster admin told they can get horizontalpodautoscalers (with no API group) in project any-project",
 localInterface: clusterAdminClient.LocalSubjectAccessReviews("any-project"),
 localReview: &authorizationapi.LocalSubjectAccessReview{
- Action: authorizationapi.AuthorizationAttributes{Verb: "get", Group: "", Resource: "horizontalpodautoscalers"},
+ Action: authorizationapi.Action{Verb: "get", Group: "", Resource: "horizontalpodautoscalers"},
 },
 response: authorizationapi.SubjectAccessReviewResponse{
 Allowed: true,
@@ -678,7 +678,7 @@ func TestAuthorizationSubjectAccessReviewAPIGroup(t *testing.T) {
 description: "cluster admin told they can get horizontalpodautoscalers (with invalid API group) in project any-project",
 localInterface: clusterAdminClient.LocalSubjectAccessReviews("any-project"),
 localReview: &authorizationapi.LocalSubjectAccessReview{
- Action: authorizationapi.AuthorizationAttributes{Verb: "get", Group: "foo", Resource: "horizontalpodautoscalers"},
+ Action: authorizationapi.Action{Verb: "get", Group: "foo", Resource: "horizontalpodautoscalers"},
 },
 response: authorizationapi.SubjectAccessReviewResponse{
 Allowed: true,
@@ -690,7 +690,7 @@ func TestAuthorizationSubjectAccessReviewAPIGroup(t *testing.T) {
 description: "cluster admin told they can get horizontalpodautoscalers (with * API group) in project any-project",
 localInterface: clusterAdminClient.LocalSubjectAccessReviews("any-project"),
 localReview: &authorizationapi.LocalSubjectAccessReview{
- Action: authorizationapi.AuthorizationAttributes{Verb: "get", Group: "*", Resource: "horizontalpodautoscalers"},
+ Action: authorizationapi.Action{Verb: "get", Group: "*", Resource: "horizontalpodautoscalers"},
 },
 response: authorizationapi.SubjectAccessReviewResponse{
 Allowed: true,
@@ -743,14 +743,14 @@ func TestAuthorizationSubjectAccessReview(t *testing.T) {
 }
 askCanDannyGetProject := &authorizationapi.SubjectAccessReview{
 User: "danny",
- Action: authorizationapi.AuthorizationAttributes{Verb: "get", Resource: "projects"},
+ Action: authorizationapi.Action{Verb: "get", Resource: "projects"},
 }
 subjectAccessReviewTest{
 description: "cluster admin told danny can get project default",
 localInterface: clusterAdminClient.LocalSubjectAccessReviews("default"),
 localReview: &authorizationapi.LocalSubjectAccessReview{
 User: "danny",
- Action: authorizationapi.AuthorizationAttributes{Verb: "get", Resource: "projects"},
+ Action: authorizationapi.Action{Verb: "get", Resource: "projects"},
 },
 response: authorizationapi.SubjectAccessReviewResponse{
 Allowed: true,
@@ -797,7 +797,7 @@ func TestAuthorizationSubjectAccessReview(t *testing.T) {
 
 askCanValerieGetProject := &authorizationapi.LocalSubjectAccessReview{
 User: "valerie",
- Action: authorizationapi.AuthorizationAttributes{Verb: "get", Resource: "projects"},
+ Action: authorizationapi.Action{Verb: "get", Resource: "projects"},
 }
 subjectAccessReviewTest{
 description: "harold told valerie can get project hammer-project",
@@ -822,7 +822,7 @@ func TestAuthorizationSubjectAccessReview(t *testing.T) {
 
 askCanEdgarDeletePods := &authorizationapi.LocalSubjectAccessReview{
 User: "edgar",
- Action: authorizationapi.AuthorizationAttributes{Verb: "delete", Resource: "pods"},
+ Action: authorizationapi.Action{Verb: "delete", Resource: "pods"},
 }
 subjectAccessReviewTest{
 description: "mark told edgar can delete pods in mallet-project",
@@ -843,7 +843,7 @@ func TestAuthorizationSubjectAccessReview(t *testing.T) {
 
 askCanHaroldUpdateProject := &authorizationapi.LocalSubjectAccessReview{
 User: "harold",
- Action: authorizationapi.AuthorizationAttributes{Verb: "update", Resource: "projects"},
+ Action: authorizationapi.Action{Verb: "update", Resource: "projects"},
 }
 subjectAccessReviewTest{
 description: "harold told harold can update project hammer-project",
@@ -858,7 +858,7 @@ func TestAuthorizationSubjectAccessReview(t *testing.T) {
 
 askCanClusterAdminsCreateProject := &authorizationapi.SubjectAccessReview{
 Groups: sets.NewString("system:cluster-admins"),
- Action: authorizationapi.AuthorizationAttributes{Verb: "create", Resource: "projects"},
+ Action: authorizationapi.Action{Verb: "create", Resource: "projects"},
 }
 subjectAccessReviewTest{
 description: "cluster admin told cluster admins can create projects",
@@ -878,7 +878,7 @@ func TestAuthorizationSubjectAccessReview(t *testing.T) {
 }.run(t)
 
 askCanICreatePods := &authorizationapi.LocalSubjectAccessReview{
- Action: authorizationapi.AuthorizationAttributes{Verb: "create", Resource: "pods"},
+ Action: authorizationapi.Action{Verb: "create", Resource: "pods"},
 }
 subjectAccessReviewTest{
 description: "harold told he can create pods in project hammer-project",
@@ -891,7 +891,7 @@ func TestAuthorizationSubjectAccessReview(t *testing.T) {
 },
 }.run(t)
 askCanICreatePolicyBindings := &authorizationapi.LocalSubjectAccessReview{
- Action: authorizationapi.AuthorizationAttributes{Verb: "create", Resource: "policybindings"},
+ Action: authorizationapi.Action{Verb: "create", Resource: "policybindings"},
 }
 subjectAccessReviewTest{
 description: "harold told he can create policybindings in project hammer-project",
@@ -932,7 +932,7 @@ func TestAuthorizationSubjectAccessReview(t *testing.T) {
 description: "empty token impersonate can't see pods in namespace",
 localInterface: otherAdminClient.ImpersonateLocalSubjectAccessReviews("hammer-project", ""),
 localReview: &authorizationapi.LocalSubjectAccessReview{
- Action: authorizationapi.AuthorizationAttributes{Verb: "list", Resource: "pods"},
+ Action: authorizationapi.Action{Verb: "list", Resource: "pods"},
 },
 err: `impersonating token may not be empty`,
 }.run(t)
@@ -940,7 +940,7 @@ func TestAuthorizationSubjectAccessReview(t *testing.T) {
 description: "empty token impersonate can't see pods in cluster",
 clusterInterface: otherAdminClient.ImpersonateSubjectAccessReviews(""),
 clusterReview: &authorizationapi.SubjectAccessReview{
- Action: authorizationapi.AuthorizationAttributes{Verb: "list", Resource: "pods"},
+ Action: authorizationapi.Action{Verb: "list", Resource: "pods"},
 },
 err: `impersonating token may not be empty`,
 }.run(t)
@@ -949,7 +949,7 @@ func TestAuthorizationSubjectAccessReview(t *testing.T) {
 description: "danny impersonate can't see pods in hammer namespace",
 localInterface: otherAdminClient.ImpersonateLocalSubjectAccessReviews("hammer-project", dannyConfig.BearerToken),
 localReview: &authorizationapi.LocalSubjectAccessReview{
- Action: authorizationapi.AuthorizationAttributes{Verb: "list", Resource: "pods"},
+ Action: authorizationapi.Action{Verb: "list", Resource: "pods"},
 },
 response: authorizationapi.SubjectAccessReviewResponse{
 Allowed: false,
@@ -961,7 +961,7 @@ func TestAuthorizationSubjectAccessReview(t *testing.T) {
 description: "danny impersonate can't see pods in cluster",
 clusterInterface: otherAdminClient.ImpersonateSubjectAccessReviews(dannyConfig.BearerToken),
 clusterReview: &authorizationapi.SubjectAccessReview{
- Action: authorizationapi.AuthorizationAttributes{Verb: "list", Resource: "pods"},
+ Action: authorizationapi.Action{Verb: "list", Resource: "pods"},
 },
 response: authorizationapi.SubjectAccessReviewResponse{
 Allowed: false,
@@ -972,7 +972,7 @@ func TestAuthorizationSubjectAccessReview(t *testing.T) {
 description: "danny impersonate can see pods in default",
 localInterface: otherAdminClient.ImpersonateLocalSubjectAccessReviews("default", dannyConfig.BearerToken),
 localReview: &authorizationapi.LocalSubjectAccessReview{
- Action: authorizationapi.AuthorizationAttributes{Verb: "list", Resource: "pods"},
+ Action: authorizationapi.Action{Verb: "list", Resource: "pods"},
 },
 response: authorizationapi.SubjectAccessReviewResponse{
 Allowed: true,
@@ -1011,7 +1011,7 @@ func TestOldLocalSubjectAccessReviewEndpoint(t *testing.T) {
 // simple check
 {
 sar := &authorizationapi.SubjectAccessReview{
- Action: authorizationapi.AuthorizationAttributes{
+ Action: authorizationapi.Action{
 Verb: "get",
 Resource: "imagestreams/layers",
 },
@@ -1037,7 +1037,7 @@ func TestOldLocalSubjectAccessReviewEndpoint(t *testing.T) {
 // namespace forced to allowed namespace so we can't trick the server into leaking
 {
 sar := &authorizationapi.SubjectAccessReview{
- Action: authorizationapi.AuthorizationAttributes{
+ Action: authorizationapi.Action{
 Namespace: "sneaky-user",
 Verb: "get",
 Resource: "imagestreams/layers",
@@ -1084,7 +1084,7 @@ func TestOldLocalSubjectAccessReviewEndpoint(t *testing.T) {
 }
 
 sar := &authorizationapi.SubjectAccessReview{
- Action: authorizationapi.AuthorizationAttributes{
+ Action: authorizationapi.Action{
 Verb: "get",
 Resource: "imagestreams/layers",
 },
@@ -1138,7 +1138,7 @@ func TestOldLocalResourceAccessReviewEndpoint(t *testing.T) {
 // simple check
 {
 rar := &authorizationapi.ResourceAccessReview{
- Action: authorizationapi.AuthorizationAttributes{
+ Action: authorizationapi.Action{
 Verb: "get",
 Resource: "imagestreams/layers",
 },
@@ -1164,7 +1164,7 @@ func TestOldLocalResourceAccessReviewEndpoint(t *testing.T) {
 // namespace forced to allowed namespace so we can't trick the server into leaking
 {
 rar := &authorizationapi.ResourceAccessReview{
- Action: authorizationapi.AuthorizationAttributes{
+ Action: authorizationapi.Action{
 Namespace: "sneaky-user",
 Verb: "get",
 Resource: "imagestreams/layers",
diff --git a/test/integration/bootstrap_policy_test.go b/test/integration/bootstrap_policy_test.go
index 0283ebae85f3..24b6e572663f 100644
--- a/test/integration/bootstrap_policy_test.go
+++ b/test/integration/bootstrap_policy_test.go
@@ -153,7 +153,7 @@ func TestBootstrapPolicySelfSubjectAccessReviews(t *testing.T) { // can I get a subjectaccessreview on myself even if I have no rights to do it generally askCanICreatePolicyBindings := &authorizationapi.LocalSubjectAccessReview{ - Action: authorizationapi.AuthorizationAttributes{Verb: "create", Resource: "policybindings"}, + Action: authorizationapi.Action{Verb: "create", Resource: "policybindings"}, } subjectAccessReviewTest{ localInterface: valerieOpenshiftClient.LocalSubjectAccessReviews("openshift"),
@@ -168,7 +168,7 @@ func TestBootstrapPolicySelfSubjectAccessReviews(t *testing.T) {
 // I shouldn't be allowed to ask whether someone else can perform an action
 askCanClusterAdminsCreateProject := &authorizationapi.LocalSubjectAccessReview{
 Groups: sets.NewString("system:cluster-admins"),
- Action: authorizationapi.AuthorizationAttributes{Verb: "create", Resource: "projects"},
+ Action: authorizationapi.Action{Verb: "create", Resource: "projects"},
 }
 subjectAccessReviewTest{
 localInterface: valerieOpenshiftClient.LocalSubjectAccessReviews("openshift"),
@@ -207,7 +207,7 @@ func TestSelfSubjectAccessReviewsNonExistingNamespace(t *testing.T) {
 // ensure that a SAR for a non-exisitng namespace gives a SAR response and not a
 // namespace doesn't exist response from admisison.
 askCanICreatePodsInNonExistingNamespace := &authorizationapi.LocalSubjectAccessReview{
- Action: authorizationapi.AuthorizationAttributes{Namespace: "foo", Verb: "create", Resource: "pods"},
+ Action: authorizationapi.Action{Namespace: "foo", Verb: "create", Resource: "pods"},
 }
 subjectAccessReviewTest{
 description: "ensure SAR for non-existing namespace does not leak namespace info",
diff --git a/test/util/policy.go b/test/util/policy.go
index a688cfeb830d..cb1c7f164bfd 100644
--- a/test/util/policy.go
+++ b/test/util/policy.go
@@ -18,7 +18,7 @@ const (
 // WaitForPolicyUpdate checks if the given client can perform the named verb and action.
 // If PolicyCachePollTimeout is reached without the expected condition matching, an error is returned
 func WaitForPolicyUpdate(c *client.Client, namespace, verb string, resource unversioned.GroupResource, allowed bool) error {
- review := &authorizationapi.LocalSubjectAccessReview{Action: authorizationapi.AuthorizationAttributes{Verb: verb, Group: resource.Group, Resource: resource.Resource}}
+ review := &authorizationapi.LocalSubjectAccessReview{Action: authorizationapi.Action{Verb: verb, Group: resource.Group, Resource: resource.Resource}}
 err := wait.Poll(PolicyCachePollInterval, PolicyCachePollTimeout, func() (bool, error) {
 response, err := c.LocalSubjectAccessReviews(namespace).Create(review)
 if err != nil {
@@ -32,7 +32,7 @@ func WaitForPolicyUpdate(c *client.Client, namespace, verb string, resource unve
 // WaitForClusterPolicyUpdate checks if the given client can perform the named verb and action.
 // If PolicyCachePollTimeout is reached without the expected condition matching, an error is returned
 func WaitForClusterPolicyUpdate(c *client.Client, verb string, resource unversioned.GroupResource, allowed bool) error {
- review := &authorizationapi.SubjectAccessReview{Action: authorizationapi.AuthorizationAttributes{Verb: verb, Group: resource.Group, Resource: resource.Resource}}
+ review := &authorizationapi.SubjectAccessReview{Action: authorizationapi.Action{Verb: verb, Group: resource.Group, Resource: resource.Resource}}
 err := wait.Poll(PolicyCachePollInterval, PolicyCachePollTimeout, func() (bool, error) {
 response, err := c.SubjectAccessReviews().Create(review)
 if err != nil {
diff --git a/vendor/k8s.io/kubernetes/cmd/libs/go2idl/conversion-gen/generators/conversion.go b/vendor/k8s.io/kubernetes/cmd/libs/go2idl/conversion-gen/generators/conversion.go
index 2f7832505893..0342845a93c0 100644
--- a/vendor/k8s.io/kubernetes/cmd/libs/go2idl/conversion-gen/generators/conversion.go
+++ b/vendor/k8s.io/kubernetes/cmd/libs/go2idl/conversion-gen/generators/conversion.go
@@ -338,16 +338,16 @@ func isDirectlyConvertible(in, out *types.Type, preexisting conversions) bool {
 case types.Struct:
 convertible := true
 for _, inMember := range in.Members {
+ // Check if the member doesn't have comment:
+ // "+ genconversion=false"
+ // comment to ignore this field for conversion.
+ // TODO: Switch to SecondClosestCommentLines.
+ if types.ExtractCommentTags("+", inMember.CommentLines)["genconversion"] == "false" {
+ continue
+ }
 // Check if there is an out member with that name.
 outMember, found := findMember(out, inMember.Name)
 if !found {
- // Check if the member doesn't have comment:
- // "+ genconversion=false"
- // comment to ignore this field for conversion.
- // TODO: Switch to SecondClosestCommentLines.
- if types.ExtractCommentTags("+", inMember.CommentLines)["genconversion"] == "false" {
- continue
- }
 return false
 }
 convertible = convertible && isConvertible(inMember.Type, outMember.Type, preexisting)
@@ -684,6 +684,12 @@ func (g *genConversion) doSlice(inType, outType *types.Type, sw *generator.Snipp
 
 func (g *genConversion) doStruct(inType, outType *types.Type, sw *generator.SnippetWriter) {
 for _, m := range inType.Members {
+ // Check if the member doesn't have comment:
+ // "+ genconversion=false"
+ // comment to ignore this field for conversion.
+ if types.ExtractCommentTags("+", m.CommentLines)["genconversion"] == "false" {
+ continue
+ }
 outMember, isOutMember := findMember(outType, m.Name)
 if !isOutMember {
 // Since this object wasn't filtered out, this means that