// subjectMatches returns true if specified user and group properties in the policy match the attributes func subjectMatches(p api.Policy, a authorizer.Attributes) bool { matched := false // If the policy specified a user, ensure it matches if len(p.Spec.User) > 0 { if p.Spec.User == "*" { matched = true } else { matched = p.Spec.User == a.GetUserName() if !matched { return false } } } // If the policy specified a group, ensure it matches if len(p.Spec.Group) > 0 { if p.Spec.Group == "*" { matched = true } else { matched = false for _, group := range a.GetGroups() { if p.Spec.Group == group { matched = true } } if !matched { return false } } } return matched }