package iam
import (
"errors"
"fmt"
)
const (
	// ResourceTypeAccount is the resource type of Accounts. It is the value
	// returned by AccountIdentity.Type; the user and role counterparts
	// (ResourceTypeUser, ResourceTypeRole) are declared elsewhere in the package.
	ResourceTypeAccount = "account"
)
var (
	// ErrNeitherUserNorRole is the error returned when an identity is missing both UserARN
	// and RoleARN, i.e. the parsed ARN is neither a user nor a role (see NewIdentity).
	ErrNeitherUserNorRole = errors.New("arn is neither user nor role")
	// ErrNoKubernetesIdentity is the error returned when an identity has neither a Kubernetes
	// username nor a list of groups. Such a mapping would grant no Kubernetes identity at
	// all, so NewIdentity rejects it before parsing the ARN.
	ErrNoKubernetesIdentity = errors.New("neither username nor group are set for iam identity")
)
// Identity represents an IAM identity and its corresponding Kubernetes identity.
//
// Implementations in this file are UserIdentity, RoleIdentity and AccountIdentity.
// ARN is empty for account mappings and Account is empty for user and role
// mappings, so callers should dispatch on Type (one of the ResourceType*
// constants) rather than on which string happens to be non-empty.
type Identity interface {
	// ARN returns the IAM ARN of the mapped principal ("" for account mappings).
	ARN() string
	// Type returns the resource type of the mapping (a ResourceType* constant).
	Type() string
	// Username returns the Kubernetes username granted by the mapping.
	Username() string
	// Groups returns the Kubernetes groups granted by the mapping.
	Groups() []string
	// Account returns the mapped AWS account ("" for user and role mappings).
	Account() string
}
// KubernetesIdentity represents a kubernetes identity to be used in iam mappings.
// It is embedded by UserIdentity, RoleIdentity and AccountIdentity, which therefore
// share its Username and Groups methods. Both fields are omitted from JSON when empty.
type KubernetesIdentity struct {
	// KubernetesUsername is the Kubernetes username granted to the IAM principal.
	KubernetesUsername string   `json:"username,omitempty"`
	// KubernetesGroups are the Kubernetes groups granted to the IAM principal.
	KubernetesGroups   []string `json:"groups,omitempty"`
}
// UserIdentity represents a mapping from an IAM user to a kubernetes identity.
// UserARN holds the ARN exactly as supplied to NewIdentity; the embedded
// KubernetesIdentity supplies Username and Groups.
type UserIdentity struct {
	// UserARN is the ARN of the IAM user, omitted from JSON when empty.
	UserARN string `json:"userarn,omitempty"`
	KubernetesIdentity
}
// RoleIdentity represents a mapping from an IAM role to a kubernetes identity.
// RoleARN holds the ARN exactly as supplied to NewIdentity; the embedded
// KubernetesIdentity supplies Username and Groups.
type RoleIdentity struct {
	// RoleARN is the ARN of the IAM role, omitted from JSON when empty.
	RoleARN string `json:"rolearn,omitempty"`
	KubernetesIdentity
}
// AccountIdentity represents a mapping from an AWS account to a kubernetes identity.
// Unlike UserIdentity and RoleIdentity it carries no ARN (ARN returns ""); the
// account is identified solely by KubernetesAccount.
type AccountIdentity struct {
	// KubernetesAccount is the mapped AWS account, omitted from JSON when empty.
	KubernetesAccount string `json:"account,omitempty"`
	KubernetesIdentity
}
// ARN returns the ARN of the iam mapping. An account mapping is keyed by
// account id rather than by ARN, so the result is always the empty string.
func (a AccountIdentity) ARN() (arn string) {
	// Named result is never assigned: the zero value "" is the answer.
	return arn
}
// Account returns the Account of the iam mapping, i.e. the KubernetesAccount field.
func (a AccountIdentity) Account() (account string) {
	account = a.KubernetesAccount
	return account
}
// Type returns the resource type of the iam mapping, which for an account
// mapping is always ResourceTypeAccount.
func (a AccountIdentity) Type() (resourceType string) {
	resourceType = ResourceTypeAccount
	return resourceType
}
// Username returns the Kubernetes username granted by this mapping
// (the KubernetesUsername field, possibly empty).
func (k KubernetesIdentity) Username() (name string) {
	name = k.KubernetesUsername
	return name
}
// Groups returns the Kubernetes groups granted by this mapping.
//
// The backing slice is returned directly, not copied, so a caller that
// modifies the result modifies the mapping's groups as well.
func (k KubernetesIdentity) Groups() (groups []string) {
	groups = k.KubernetesGroups
	return groups
}
// ARN returns the ARN of the iam mapping: the UserARN field, as supplied to
// NewIdentity.
func (u UserIdentity) ARN() (arn string) {
	arn = u.UserARN
	return arn
}
// Type returns the resource type of the iam mapping, which for a user
// mapping is always ResourceTypeUser (declared elsewhere in the package).
func (u UserIdentity) Type() (resourceType string) {
	resourceType = ResourceTypeUser
	return resourceType
}
// Account returns the Account of the iam mapping. A user mapping is keyed by
// ARN rather than by account, so the result is always the empty string.
func (u UserIdentity) Account() (account string) {
	// Named result is never assigned: the zero value "" is the answer.
	return account
}
// ARN returns the ARN of the iam mapping: the RoleARN field, as supplied to
// NewIdentity.
func (r RoleIdentity) ARN() (arn string) {
	arn = r.RoleARN
	return arn
}
// Account returns the Account of the iam mapping. A role mapping is keyed by
// ARN rather than by account, so the result is always the empty string.
func (r RoleIdentity) Account() (account string) {
	// Named result is never assigned: the zero value "" is the answer.
	return account
}
// Type returns the resource type of the iam mapping, which for a role
// mapping is always ResourceTypeRole (declared elsewhere in the package).
func (r RoleIdentity) Type() (resourceType string) {
	resourceType = ResourceTypeRole
	return resourceType
}
// NewIdentity determines into which field the given arn goes and returns the new identity
// alongside any error resulting for checking its validity.
//
// The checks run in this order: an empty arn is rejected with a plain error; a
// mapping that grants neither a username nor any group is rejected with
// ErrNoKubernetesIdentity; the arn is then handed to Parse (defined elsewhere in
// the package) and its error is returned unchanged. A user ARN yields a
// *UserIdentity, a role ARN a *RoleIdentity, and anything else
// ErrNeitherUserNorRole.
//
// The returned identity stores arn verbatim (not a canonicalised form produced
// by Parse) and keeps a reference to the groups slice rather than a copy, so
// later changes to groups by the caller are visible through Groups().
func NewIdentity(arn string, username string, groups []string) (Identity, error) {
	if arn == "" {
		return nil, fmt.Errorf("expected a valid arn but got empty string")
	}
	// Reject mappings that would grant no Kubernetes identity before doing
	// any ARN work.
	if username == "" && len(groups) == 0 {
		return nil, ErrNoKubernetesIdentity
	}
	parsedARN, err := Parse(arn)
	if err != nil {
		return nil, err
	}
	k8sIdentity := KubernetesIdentity{
		KubernetesUsername: username,
		KubernetesGroups:   groups,
	}
	// A user ARN takes precedence over a role ARN, matching the original
	// switch order.
	if parsedARN.IsUser() {
		return &UserIdentity{UserARN: arn, KubernetesIdentity: k8sIdentity}, nil
	}
	if parsedARN.IsRole() {
		return &RoleIdentity{RoleARN: arn, KubernetesIdentity: k8sIdentity}, nil
	}
	return nil, ErrNeitherUserNorRole
}