// adminCan reports whether the identity behind client is permitted to perform
// action, by submitting a cluster-scoped SubjectAccessReview.
//
// A failure of the review request itself is returned as (false, err) so that
// a transport or API error is never confused with an explicit denial; when the
// review succeeds, the result is exactly its Allowed field with a nil error.
func adminCan(client *osclient.Client, action authorizationapi.AuthorizationAttributes) (bool, error) {
	review := &authorizationapi.SubjectAccessReview{Action: action}
	resp, err := client.SubjectAccessReviews().Create(review)
	if err != nil {
		return false, err
	}
	return resp.Allowed, nil
}
// WaitForPolicyUpdate checks if the given client can perform the named verb and action. // If PolicyCachePollTimeout is reached without the expected condition matching, an error is returned func WaitForPolicyUpdate(c *client.Client, namespace, verb, resource string, allowed bool) error { review := &authorizationapi.SubjectAccessReview{Verb: verb, Resource: resource} err := wait.Poll(PolicyCachePollInterval, PolicyCachePollTimeout, func() (bool, error) { response, err := c.SubjectAccessReviews(namespace).Create(review) if err != nil { return false, err } if response.Allowed != allowed { return false, nil } return true, nil }) return err }
// WaitForClusterPolicyUpdate checks if the given client can perform the named verb and action. // If PolicyCachePollTimeout is reached without the expected condition matching, an error is returned func WaitForClusterPolicyUpdate(c *client.Client, verb string, resource unversioned.GroupResource, allowed bool) error { review := &authorizationapi.SubjectAccessReview{Action: authorizationapi.AuthorizationAttributes{Verb: verb, Group: resource.Group, Resource: resource.Resource}} err := wait.Poll(PolicyCachePollInterval, PolicyCachePollTimeout, func() (bool, error) { response, err := c.SubjectAccessReviews().Create(review) if err != nil { return false, err } if response.Allowed != allowed { return false, nil } return true, nil }) return err }
// verifyImageStreamAccess asks the OpenShift API whether the identity behind
// client may perform verb on the "imagestreams/layers" subresource of
// imageRepo in namespace.
//
// The outcome is mapped so that callers fail closed: an Unauthorized or
// Forbidden API error, and a review that comes back with Allowed=false, both
// yield ErrOpenShiftAccessDenied. Any other client error is returned as-is so
// that a transient API problem is not reported as a denial. The review's
// Reason is only logged, never returned to the caller.
func verifyImageStreamAccess(namespace, imageRepo, verb string, client *client.Client) error {
	review := &authorizationapi.SubjectAccessReview{
		Verb:         verb,
		Resource:     "imagestreams/layers",
		ResourceName: imageRepo,
	}
	resp, err := client.SubjectAccessReviews(namespace).Create(review)

	switch {
	case err != nil:
		log.Errorf("OpenShift client error: %s", err)
		if kerrors.IsUnauthorized(err) || kerrors.IsForbidden(err) {
			return ErrOpenShiftAccessDenied
		}
		return err
	case !resp.Allowed:
		log.Errorf("OpenShift access denied: %s", resp.Reason)
		return ErrOpenShiftAccessDenied
	}
	return nil
}
// verifyPruneAccess asks the OpenShift API whether the identity behind client
// may "delete" the cluster-scoped "images" resource, which is the permission
// this code requires before pruning. Log output goes to the logger attached to
// ctx.
//
// The outcome is mapped so that callers fail closed: an Unauthorized or
// Forbidden API error, and a review that comes back with Allowed=false, both
// yield ErrOpenShiftAccessDenied. Any other client error is returned as-is so
// that a transient API problem is not reported as a denial. The review's
// Reason is only logged, never returned to the caller.
func verifyPruneAccess(ctx context.Context, client *client.Client) error {
	review := &authorizationapi.SubjectAccessReview{
		Action: authorizationapi.AuthorizationAttributes{
			Verb:     "delete",
			Resource: "images",
		},
	}
	resp, err := client.SubjectAccessReviews().Create(review)
	logger := context.GetLogger(ctx)

	switch {
	case err != nil:
		logger.Errorf("OpenShift client error: %s", err)
		if kerrors.IsUnauthorized(err) || kerrors.IsForbidden(err) {
			return ErrOpenShiftAccessDenied
		}
		return err
	case !resp.Allowed:
		logger.Errorf("OpenShift access denied: %s", resp.Reason)
		return ErrOpenShiftAccessDenied
	}
	return nil
}