17 package util
18
19 import (
20 "k8s.io/apiserver/pkg/authentication/user"
21 "k8s.io/apiserver/pkg/authorization/authorizer"
22 authorizationapi "k8s.io/kubernetes/pkg/apis/authorization"
23 )
24
25
// ResourceAttributesFrom builds an authorizer.AttributesRecord describing a
// resource request made by user, using the fields of in.
//
// Every field of in is copied verbatim except Version: an empty Version is
// replaced by "*" via matchAllVersionIfEmpty. No other validation or
// normalization happens here, so the authorizer receives exactly the values
// that in carries.
func ResourceAttributesFrom(user user.Info, in authorizationapi.ResourceAttributes) authorizer.AttributesRecord {
	var rec authorizer.AttributesRecord

	// Subject of the access check.
	rec.User = user

	// Marks the record as a resource (not a non-resource path) request.
	rec.ResourceRequest = true

	// Target of the check, taken as supplied.
	rec.Verb = in.Verb
	rec.Namespace = in.Namespace
	rec.APIGroup = in.Group
	rec.Resource = in.Resource
	rec.Subresource = in.Subresource
	rec.Name = in.Name

	// An unset version is widened to "*" rather than passed through empty.
	rec.APIVersion = matchAllVersionIfEmpty(in.Version)

	return rec
}
39
40
// NonResourceAttributesFrom builds an authorizer.AttributesRecord describing
// a non-resource request made by user: only Path and Verb are taken from in,
// and ResourceRequest is false. Path and Verb are copied as supplied; nothing
// is validated or normalized here.
func NonResourceAttributesFrom(user user.Info, in authorizationapi.NonResourceAttributes) authorizer.AttributesRecord {
	var rec authorizer.AttributesRecord
	rec.User = user
	// Explicitly a non-resource request, so the resource fields stay at
	// their zero values.
	rec.ResourceRequest = false
	rec.Path = in.Path
	rec.Verb = in.Verb
	return rec
}
49
// convertToUserInfoExtra converts a map of ExtraValue into a map of plain
// string slices keyed identically.
//
// A nil input yields nil; a non-nil but empty input yields a non-nil empty
// map. Each value is converted with a slice type conversion, which does not
// copy the elements: the returned slices share their backing arrays with the
// input, so a later write through either one is visible through the other.
func convertToUserInfoExtra(extra map[string]authorizationapi.ExtraValue) map[string][]string {
	if extra == nil {
		return nil
	}

	converted := make(map[string][]string, len(extra))
	for key, values := range extra {
		converted[key] = []string(values)
	}
	return converted
}
61
62
// AuthorizationAttributesFrom builds the authorizer.AttributesRecord that a
// SubjectAccessReviewSpec describes.
//
// The subject is built only from the spec (User, Groups, UID, Extra); no
// other source of identity is consulted in this function.
//
// If spec.ResourceAttributes is non-nil it is used and
// spec.NonResourceAttributes is ignored, even when both are set. Otherwise
// spec.NonResourceAttributes is dereferenced unconditionally, so a spec with
// both pointers nil panics here. Callers must therefore have checked that one
// of the two is set before calling.
// NOTE(review): that validation is not visible in this file; confirm that
// every caller runs it first.
func AuthorizationAttributesFrom(spec authorizationapi.SubjectAccessReviewSpec) authorizer.AttributesRecord {
	subject := &user.DefaultInfo{
		Name:   spec.User,
		Groups: spec.Groups,
		UID:    spec.UID,
		Extra:  convertToUserInfoExtra(spec.Extra),
	}

	// Resource attributes take precedence when present.
	if resAttrs := spec.ResourceAttributes; resAttrs != nil {
		return ResourceAttributesFrom(subject, *resAttrs)
	}

	// No nil check: relies on the caller having validated the spec.
	return NonResourceAttributesFrom(subject, *spec.NonResourceAttributes)
}
80
81
// matchAllVersionIfEmpty returns "*" when version is the empty string and
// version unchanged otherwise.
//
// As the name indicates, "*" is meant as a match-all value, so an access
// check that omits the version is evaluated against every version rather
// than against none.
func matchAllVersionIfEmpty(version string) string {
	if version == "" {
		return "*"
	}
	return version
}
88