// GetRoleBindings returns the role bindings that apply for the namespace
// carried in ctx.
//
// With no namespace in ctx, the role bindings of every cluster policy binding
// are returned, wrapped as cluster role binding adapters. With a namespace,
// only that namespace's local policy bindings are consulted (cluster bindings
// are not included here). When no namespace binding lister is configured the
// result is nil with a nil error, so callers cannot tell "no lister" from "no
// bindings" by the return values alone.
func (a *DefaultRuleResolver) GetRoleBindings(ctx kapi.Context) ([]authorizationinterfaces.RoleBinding, error) {
	namespace := kapi.NamespaceValue(ctx)

	if namespace == "" {
		clusterList, err := a.clusterBindingLister.List(kapi.ListOptions{})
		if err != nil {
			return nil, err
		}
		out := make([]authorizationinterfaces.RoleBinding, 0, len(clusterList.Items))
		for _, pb := range clusterList.Items {
			for _, rb := range pb.RoleBindings {
				out = append(out, authorizationinterfaces.NewClusterRoleBindingAdapter(rb))
			}
		}
		return out, nil
	}

	if a.bindingLister == nil {
		return nil, nil
	}
	localList, err := a.bindingLister.PolicyBindings(namespace).List(kapi.ListOptions{})
	if err != nil {
		return nil, err
	}
	out := make([]authorizationinterfaces.RoleBinding, 0, len(localList.Items))
	for _, pb := range localList.Items {
		for _, rb := range pb.RoleBindings {
			out = append(out, authorizationinterfaces.NewLocalRoleBindingAdapter(rb))
		}
	}
	return out, nil
}
// validateReferentialIntegrity checks that the role referenced by roleBinding
// can be resolved through m.RuleResolver, so a binding to a non-existent role
// is rejected before it is stored. The resolver's error is returned unchanged.
// ctx is accepted for signature symmetry with the other storage hooks and is
// not consulted here.
func (m *VirtualStorage) validateReferentialIntegrity(ctx kapi.Context, roleBinding *authorizationapi.RoleBinding) error {
	adapter := authorizationinterfaces.NewLocalRoleBindingAdapter(roleBinding)
	// GetRole returns the error interface directly, so passing it through
	// preserves a nil result on success.
	_, err := m.RuleResolver.GetRole(adapter)
	return err
}
// confirmNoEscalation resolves the role that roleBinding grants and then asks
// rulevalidation.ConfirmNoEscalation to verify that creating or updating this
// "rolebinding" resource does not hand out permissions the requester in ctx
// does not already hold (the exact comparison lives in rulevalidation). A
// failure to resolve the role is returned as-is, before any escalation check
// is attempted.
func (m *VirtualStorage) confirmNoEscalation(ctx kapi.Context, roleBinding *authorizationapi.RoleBinding) error {
	role, err := m.RuleResolver.GetRole(authorizationinterfaces.NewLocalRoleBindingAdapter(roleBinding))
	if err != nil {
		return err
	}
	resource := authorizationapi.Resource("rolebinding")
	return rulevalidation.ConfirmNoEscalation(ctx, resource, roleBinding.Name, m.RuleResolver, role)
}
// GetRoleBindings returns the role bindings from every cluster policy binding
// plus, when namespace is non-empty and a namespace binding lister is
// configured, the local role bindings of that namespace.
//
// Partial results are returned together with an aggregated error: if one
// lister fails, whatever the other lister produced is still in the slice.
// Callers that need a complete view must check the error before relying on
// the slice, because a non-nil error means bindings may be missing from it.
func (a *DefaultRuleResolver) GetRoleBindings(namespace string) ([]authorizationinterfaces.RoleBinding, error) {
	var errs []error

	clusterList, err := a.clusterBindingLister.List(kapi.ListOptions{})
	if err != nil {
		errs = append(errs, err)
	}

	var localList *authorizationapi.PolicyBindingList
	if len(namespace) > 0 && a.bindingLister != nil {
		localList, err = a.bindingLister.PolicyBindings(namespace).List(kapi.ListOptions{})
		if err != nil {
			errs = append(errs, err)
		}
	}

	// Size the result once from whatever both listers actually returned; a
	// lister that failed may still have returned a nil list.
	capacity := 0
	if clusterList != nil {
		capacity += len(clusterList.Items)
	}
	if localList != nil {
		capacity += len(localList.Items)
	}
	bindings := make([]authorizationinterfaces.RoleBinding, 0, capacity)

	if clusterList != nil {
		for _, pb := range clusterList.Items {
			for _, rb := range pb.RoleBindings {
				bindings = append(bindings, authorizationinterfaces.NewClusterRoleBindingAdapter(rb))
			}
		}
	}
	if localList != nil {
		for _, pb := range localList.Items {
			for _, rb := range pb.RoleBindings {
				bindings = append(bindings, authorizationinterfaces.NewLocalRoleBindingAdapter(rb))
			}
		}
	}

	// Cluster error first, then namespace error, folded into one value.
	return bindings, kerrors.NewAggregate(errs)
}
// TestPolicyCommands drives the policy CLI helpers against a live test master:
// a project admin ("harold") grants the view role to a user and a group, then
// removes each principal in turn, and the project's local "view" role binding
// is re-read after every step to confirm exactly the expected subjects remain.
func TestPolicyCommands(t *testing.T) {
	_, clusterAdminKubeConfig, err := testserver.StartTestMaster()
	if err != nil {
		t.Fatalf("unexpected error: %v", err)
	}
	clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
	if err != nil {
		t.Fatalf("unexpected error: %v", err)
	}
	clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
	if err != nil {
		t.Fatalf("unexpected error: %v", err)
	}

	const projectName = "hammer-project"
	haroldClient, err := testserver.CreateNewProject(clusterAdminClient, *clusterAdminClientConfig, projectName, "harold")
	if err != nil {
		t.Fatalf("unexpected error: %v", err)
	}

	// viewBinding re-reads the project's "view" role binding through harold's
	// client and wraps it so its subjects can be inspected.
	viewBinding := func() authorizationinterfaces.RoleBinding {
		viewers, err := haroldClient.RoleBindings(projectName).Get("view")
		if err != nil {
			t.Fatalf("unexpected error: %v", err)
		}
		return authorizationinterfaces.NewLocalRoleBindingAdapter(viewers)
	}

	// checkSubjects asserts whether "valerie" and "my-group" are currently
	// bound to the view role, reporting the same messages for each outcome.
	checkSubjects := func(wantValerie, wantGroup bool) {
		binding := viewBinding()
		if wantValerie && !binding.Users().Has("valerie") {
			t.Errorf("expected valerie in users: %v", binding.Users())
		}
		if !wantValerie && binding.Users().Has("valerie") {
			t.Errorf("unexpected valerie in users: %v", binding.Users())
		}
		if wantGroup && !binding.Groups().Has("my-group") {
			t.Errorf("expected my-group in groups: %v", binding.Groups())
		}
		if !wantGroup && binding.Groups().Has("my-group") {
			t.Errorf("unexpected my-group in groups: %v", binding.Groups())
		}
	}

	// Grant view to both a user and a group in one modification.
	addViewer := policy.RoleModificationOptions{
		RoleName:            bootstrappolicy.ViewRoleName,
		RoleBindingAccessor: policy.NewLocalRoleBindingAccessor(projectName, haroldClient),
		Users:               []string{"valerie"},
		Groups:              []string{"my-group"},
	}
	if err := addViewer.AddRole(); err != nil {
		t.Fatalf("unexpected error: %v", err)
	}
	checkSubjects(true, true)

	// Removing the user must leave the group bound.
	removeValerie := policy.RemoveFromProjectOptions{
		BindingNamespace: projectName,
		Client:           haroldClient,
		Users:            []string{"valerie"},
		Out:              ioutil.Discard,
	}
	if err := removeValerie.Run(); err != nil {
		t.Fatalf("unexpected error: %v", err)
	}
	checkSubjects(false, true)

	// Removing the group as well must leave neither subject bound.
	removeMyGroup := policy.RemoveFromProjectOptions{
		BindingNamespace: projectName,
		Client:           haroldClient,
		Groups:           []string{"my-group"},
		Out:              ioutil.Discard,
	}
	if err := removeMyGroup.Run(); err != nil {
		t.Fatalf("unexpected error: %v", err)
	}
	checkSubjects(false, false)
}