func resourceMatches(p api.Policy, a authorizer.Attributes) bool { // A resource policy cannot match a non-resource request if a.IsResourceRequest() { if p.Spec.Namespace == "*" || p.Spec.Namespace == a.GetNamespace() { if p.Spec.Resource == "*" || p.Spec.Resource == a.GetResource() { if p.Spec.APIGroup == "*" || p.Spec.APIGroup == a.GetAPIGroup() { return true } } } } return false }
func nonResourceMatches(p api.Policy, a authorizer.Attributes) bool { // A non-resource policy cannot match a resource request if !a.IsResourceRequest() { // Allow wildcard match if p.Spec.NonResourcePath == "*" { return true } // Allow exact match if p.Spec.NonResourcePath == a.GetPath() { return true } // Allow a trailing * subpath match if strings.HasSuffix(p.Spec.NonResourcePath, "*") && strings.HasPrefix(a.GetPath(), strings.TrimRight(p.Spec.NonResourcePath, "*")) { return true } } return false }