func (a *DefaultRuleResolver) GetRoleBindings(ctx kapi.Context) ([]authorizationinterfaces.RoleBinding, error) {
namespace := kapi.NamespaceValue(ctx)
if len(namespace) == 0 {
policyBindingList, err := a.clusterBindingLister.List(kapi.ListOptions{})
if err != nil {
return nil, err
}
ret := make([]authorizationinterfaces.RoleBinding, 0, len(policyBindingList.Items))
for _, policyBinding := range policyBindingList.Items {
for _, value := range policyBinding.RoleBindings {
ret = append(ret, authorizationinterfaces.NewClusterRoleBindingAdapter(value))
}
}
return ret, nil
}
if a.bindingLister == nil {
return nil, nil
}
policyBindingList, err := a.bindingLister.PolicyBindings(namespace).List(kapi.ListOptions{})
if err != nil {
return nil, err
}
ret := make([]authorizationinterfaces.RoleBinding, 0, len(policyBindingList.Items))
for _, policyBinding := range policyBindingList.Items {
for _, value := range policyBinding.RoleBindings {
ret = append(ret, authorizationinterfaces.NewLocalRoleBindingAdapter(value))
}
}
return ret, nil
}
func (m *VirtualStorage) validateReferentialIntegrity(ctx kapi.Context, roleBinding *authorizationapi.RoleBinding) error {
if _, err := m.RuleResolver.GetRole(authorizationinterfaces.NewLocalRoleBindingAdapter(roleBinding)); err != nil {
return err
}
return nil
}
func (m *VirtualStorage) confirmNoEscalation(ctx kapi.Context, roleBinding *authorizationapi.RoleBinding) error {
modifyingRole, err := m.RuleResolver.GetRole(authorizationinterfaces.NewLocalRoleBindingAdapter(roleBinding))
if err != nil {
return err
}
return rulevalidation.ConfirmNoEscalation(ctx, authorizationapi.Resource("rolebinding"), roleBinding.Name, m.RuleResolver, modifyingRole)
}
func (a *DefaultRuleResolver) GetRoleBindings(namespace string) ([]authorizationinterfaces.RoleBinding, error) {
clusterBindings, clusterErr := a.clusterBindingLister.List(kapi.ListOptions{})
var namespaceBindings *authorizationapi.PolicyBindingList
var namespaceErr error
if a.bindingLister != nil && len(namespace) > 0 {
namespaceBindings, namespaceErr = a.bindingLister.PolicyBindings(namespace).List(kapi.ListOptions{})
}
// return all loaded bindings
expect := 0
if clusterBindings != nil {
expect += len(clusterBindings.Items)
}
if namespaceBindings != nil {
expect += len(namespaceBindings.Items)
}
bindings := make([]authorizationinterfaces.RoleBinding, 0, expect)
if clusterBindings != nil {
for _, policyBinding := range clusterBindings.Items {
for _, value := range policyBinding.RoleBindings {
bindings = append(bindings, authorizationinterfaces.NewClusterRoleBindingAdapter(value))
}
}
}
if namespaceBindings != nil {
for _, policyBinding := range namespaceBindings.Items {
for _, value := range policyBinding.RoleBindings {
bindings = append(bindings, authorizationinterfaces.NewLocalRoleBindingAdapter(value))
}
}
}
// return all errors
var errs []error
if clusterErr != nil {
errs = append(errs, clusterErr)
}
if namespaceErr != nil {
errs = append(errs, namespaceErr)
}
return bindings, kerrors.NewAggregate(errs)
}
func TestPolicyCommands(t *testing.T) {
_, clusterAdminKubeConfig, err := testserver.StartTestMaster()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
const projectName = "hammer-project"
haroldClient, err := testserver.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, projectName, "harold")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
addViewer := policy.RoleModificationOptions{
RoleName: bootstrappolicy.ViewRoleName,
RoleBindingAccessor: policy.NewLocalRoleBindingAccessor(projectName, haroldClient),
Users: []string{"valerie"},
Groups: []string{"my-group"},
}
if err := addViewer.AddRole(); err != nil {
t.Fatalf("unexpected error: %v", err)
}
viewers, err := haroldClient.RoleBindings(projectName).Get("view")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
binding := authorizationinterfaces.NewLocalRoleBindingAdapter(viewers)
if !binding.Users().Has("valerie") {
t.Errorf("expected valerie in users: %v", binding.Users())
}
if !binding.Groups().Has("my-group") {
t.Errorf("expected my-group in groups: %v", binding.Groups())
}
removeValerie := policy.RemoveFromProjectOptions{
BindingNamespace: projectName,
Client: haroldClient,
Users: []string{"valerie"},
Out: ioutil.Discard,
}
if err := removeValerie.Run(); err != nil {
t.Fatalf("unexpected error: %v", err)
}
viewers, err = haroldClient.RoleBindings(projectName).Get("view")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
binding = authorizationinterfaces.NewLocalRoleBindingAdapter(viewers)
if binding.Users().Has("valerie") {
t.Errorf("unexpected valerie in users: %v", binding.Users())
}
if !binding.Groups().Has("my-group") {
t.Errorf("expected my-group in groups: %v", binding.Groups())
}
removeMyGroup := policy.RemoveFromProjectOptions{
BindingNamespace: projectName,
Client: haroldClient,
Groups: []string{"my-group"},
Out: ioutil.Discard,
}
if err := removeMyGroup.Run(); err != nil {
t.Fatalf("unexpected error: %v", err)
}
viewers, err = haroldClient.RoleBindings(projectName).Get("view")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
binding = authorizationinterfaces.NewLocalRoleBindingAdapter(viewers)
if binding.Users().Has("valerie") {
t.Errorf("unexpected valerie in users: %v", binding.Users())
}
if binding.Groups().Has("my-group") {
t.Errorf("unexpected my-group in groups: %v", binding.Groups())
}
}