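// GetEffectivePolicyRules returns the policy rules that apply to the user in
// the request context within that context's namespace, broken down to one
// verb/resource combination per rule, narrowed by the credential's scopes,
// compacted where possible and sorted.
//
// Rule-resolution errors are collected rather than fatal: the returned rules
// may be incomplete when the returned error slice is non-empty, so a caller
// must not read an absent rule as an authoritative denial. A missing namespace
// or user, or a failure while applying scopes, is returned as the only error
// together with a nil rule slice.
func GetEffectivePolicyRules(ctx kapi.Context, ruleResolver rulevalidation.AuthorizationRuleResolver, clusterPolicyGetter client.ClusterPolicyLister) ([]authorizationapi.PolicyRule, []error) {
	namespace := kapi.NamespaceValue(ctx)
	if len(namespace) == 0 {
		return nil, []error{kapierrors.NewBadRequest(fmt.Sprintf("namespace is required on this type: %v", namespace))}
	}

	// The subject is always the authenticated requester taken from the
	// context; this path offers no way to evaluate rules for another user.
	user, exists := kapi.UserFrom(ctx)
	if !exists {
		return nil, []error{kapierrors.NewBadRequest("user missing from context")}
	}

	var errs []error
	var rules []authorizationapi.PolicyRule

	namespaceRules, err := ruleResolver.RulesFor(user, namespace)
	if err != nil {
		// Keep going: return whatever rules could be resolved and surface the
		// error alongside them rather than failing the whole evaluation.
		errs = append(errs, err)
	}
	for _, rule := range namespaceRules {
		rules = append(rules, rulevalidation.BreakdownRule(rule)...)
	}

	// Scopes carried in the user's extra info mark a scoped credential (for
	// example a limited token). filterRulesByScopes, defined elsewhere in this
	// package, is expected to narrow the reported rules to what those scopes
	// permit, so the review reflects the credential and not the user's full
	// bindings. A filtering failure is an internal error, not a partial result.
	if scopes := user.GetExtra()[authorizationapi.ScopesKey]; len(scopes) > 0 {
		rules, err = filterRulesByScopes(rules, scopes, namespace, clusterPolicyGetter)
		if err != nil {
			return nil, []error{kapierrors.NewInternalError(err)}
		}
	}

	// Compaction is best-effort: on error the uncompacted rules are kept, which
	// are still correct, just more verbose.
	if compactedRules, err := rulevalidation.CompactRules(rules); err == nil {
		rules = compactedRules
	}
	sort.Sort(authorizationapi.SortableRuleSlice(rules))

	return rules, errs
}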
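// Create evaluates a SelfSubjectRulesReview for the user in the request
// context: it collects the rules that apply to that user in the context's
// namespace and the rules that apply with no namespace, applies scope
// filtering, and returns the result in Status.Rules. Nothing is persisted.
//
// Rule-resolution errors are not fatal. They are aggregated into
// Status.EvaluationError and the (possibly incomplete) rules are still
// returned, so a consumer must not treat an absent rule as a denial when
// EvaluationError is set. A wrong object type, a missing namespace or user,
// or a failure while applying scopes is returned as an error with no object.
func (r *REST) Create(ctx kapi.Context, obj runtime.Object) (runtime.Object, error) {
	rulesReview, ok := obj.(*authorizationapi.SelfSubjectRulesReview)
	if !ok {
		return nil, kapierrors.NewBadRequest(fmt.Sprintf("not a SelfSubjectRulesReview: %#v", obj))
	}

	namespace := kapi.NamespaceValue(ctx)
	if len(namespace) == 0 {
		return nil, kapierrors.NewBadRequest(fmt.Sprintf("namespace is required on this type: %v", namespace))
	}

	// The subject is always the authenticated requester taken from the
	// context; the review cannot be pointed at another user.
	user, exists := kapi.UserFrom(ctx)
	if !exists {
		return nil, kapierrors.NewBadRequest("user missing from context")
	}

	var errs []error
	// Kept non-nil so an empty result serializes as an empty list rather
	// than null.
	rules := []authorizationapi.PolicyRule{}

	namespaceRules, err := r.ruleResolver.GetEffectivePolicyRules(ctx)
	if err != nil {
		// Keep going and report the error in the status instead of failing.
		errs = append(errs, err)
	}
	for _, rule := range namespaceRules {
		rules = append(rules, rulevalidation.BreakdownRule(rule)...)
	}

	// Also resolve the rules that apply with no namespace set. The namespace
	// was already verified non-empty above, so no further guard is needed.
	masterContext := kapi.WithNamespace(ctx, kapi.NamespaceNone)
	clusterRules, err := r.ruleResolver.GetEffectivePolicyRules(masterContext)
	if err != nil {
		errs = append(errs, err)
	}
	for _, rule := range clusterRules {
		rules = append(rules, rulevalidation.BreakdownRule(rule)...)
	}

	// Scope handling:
	//   - Spec.Scopes == nil: use the scopes on the request itself, so a scoped
	//     credential is narrowed by its own scopes (filterRulesByScopes is
	//     defined elsewhere in this package).
	//   - len(Spec.Scopes) > 0: evaluate against exactly the requested scopes.
	//   - an explicit empty, non-nil Spec.Scopes matches neither case and
	//     leaves the rules unfiltered, i.e. the requester's unscoped rules.
	// NOTE(review): the last case lets a scoped credential obtain the unscoped
	// view of its own user's rules. That discloses, but does not grant,
	// permissions; confirm it is the intended contract for the field.
	switch {
	case rulesReview.Spec.Scopes == nil:
		if scopes := user.GetExtra()[authorizationapi.ScopesKey]; len(scopes) > 0 {
			rules, err = r.filterRulesByScopes(rules, scopes, namespace)
			if err != nil {
				return nil, kapierrors.NewInternalError(err)
			}
		}
	case len(rulesReview.Spec.Scopes) > 0:
		rules, err = r.filterRulesByScopes(rules, rulesReview.Spec.Scopes, namespace)
		if err != nil {
			return nil, kapierrors.NewInternalError(err)
		}
	}

	// Compaction is best-effort: on error the uncompacted rules are kept.
	if compactedRules, err := rulevalidation.CompactRules(rules); err == nil {
		rules = compactedRules
	}
	sort.Sort(authorizationapi.SortableRuleSlice(rules))

	ret := &authorizationapi.SelfSubjectRulesReview{
		Status: authorizationapi.SubjectRulesReviewStatus{
			Rules: rules,
		},
	}
	if len(errs) != 0 {
		// Partial results are returned with the aggregated error so the
		// consumer can tell the list may be incomplete.
		ret.Status.EvaluationError = kutilerrors.NewAggregate(errs).Error()
	}
	return ret, nil
}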