package auth
import (
kauthorizer "k8s.io/apiserver/pkg/authorization/authorizer"
"github.com/openshift/origin/pkg/authorization/authorizer"
)
// Review is the result of an access review: the users and groups that can
// access a resource, plus any error text recorded while evaluating it.
type Review interface {
// Users returns the users that can access a resource.
Users() []string
// Groups returns the groups that can access a resource.
Groups() []string
// EvaluationError returns the text of an error recorded during evaluation.
// In this file's implementation it is empty when the subject lookup
// reported no error.
// NOTE(review): a non-empty value presumably means the user and group lists
// may be incomplete; callers basing access decisions on a Review should
// check it before trusting the lists - confirm against the SubjectLocator.
EvaluationError() string
}
// defaultReview is a plain value holder that satisfies Review.
type defaultReview struct {
	// users and groups are the subject names handed back by the accessors.
	users, groups []string
	// evaluationError is the recorded error text; empty when none was recorded.
	evaluationError string
}

// Users returns the users that can access a resource.
// The stored slice is returned as-is, not copied.
func (d *defaultReview) Users() []string { return d.users }

// Groups returns the groups that can access a resource.
// The stored slice is returned as-is, not copied.
func (d *defaultReview) Groups() []string { return d.groups }

// EvaluationError returns the error text recorded for this review, or the
// empty string when none was recorded.
func (d *defaultReview) EvaluationError() string { return d.evaluationError }
// Reviewer performs access reviews for a project by name
type Reviewer interface {
// Review returns the access review for the project called name.
// The error return and Review.EvaluationError are separate channels: the
// implementation in this file always returns a nil error and reports a
// failed subject lookup only through EvaluationError, so callers need to
// inspect both.
Review(name string) (Review, error)
}
// authorizerReviewer is the Reviewer implementation that answers a review by
// asking a SubjectLocator which subjects are allowed.
type authorizerReviewer struct {
// policyChecker is queried through GetAllowedSubjects for each review.
policyChecker authorizer.SubjectLocator
}
// NewAuthorizerReviewer returns a Reviewer that resolves reviews through the
// given SubjectLocator. policyChecker is stored as passed; it is not checked
// for nil here.
func NewAuthorizerReviewer(policyChecker authorizer.SubjectLocator) Reviewer {
	reviewer := new(authorizerReviewer)
	reviewer.policyChecker = policyChecker
	return reviewer
}
// Review reports which users and groups are allowed to "get" the namespace
// object named namespaceName.
//
// The error return is always nil. A failure from GetAllowedSubjects is not
// propagated; its text is stored in the review and exposed through
// EvaluationError. A caller that checks only the error return will therefore
// treat whatever subject lists came back as authoritative.
// NOTE(review): whether those lists are partial or empty on failure depends on
// the SubjectLocator implementation - confirm before relying on them.
func (r *authorizerReviewer) Review(namespaceName string) (Review, error) {
	// The namespace is both the scope and the named resource of the query.
	query := kauthorizer.AttributesRecord{
		Verb:            "get",
		Namespace:       namespaceName,
		Resource:        "namespaces",
		Name:            namespaceName,
		ResourceRequest: true,
	}
	allowedUsers, allowedGroups, lookupErr := r.policyChecker.GetAllowedSubjects(query)

	// Keep the lookup failure as text alongside the results instead of
	// returning it.
	var evalErr string
	if lookupErr != nil {
		evalErr = lookupErr.Error()
	}

	return &defaultReview{
		users:           allowedUsers.List(),
		groups:          allowedGroups.List(),
		evaluationError: evalErr,
	}, nil
}