// UserHasRole reports whether userName appears as a user subject on any role
// binding returned for roleName. An empty userName means the current user, as
// returned by GetCurrentUser.
//
// An error is returned when the role binding lookup fails, when no role
// binding exists for the role, or when the current user or the namespace
// cannot be resolved.
//
// Only the user list from StringSubjectsFor is consulted; the group list is
// discarded. A false result therefore does not rule out access that the user
// holds through a group (GroupHasRole performs the group-side check).
func (c *Context) UserHasRole(userName string, roleName string) (bool, error) {
	bindings, err := c.GetRoleBindingsForRole(roleName)
	switch {
	case err != nil:
		return false, err
	case len(bindings) == 0:
		// A role with no bindings is reported as an error, not as "false".
		return false, fmt.Errorf("Could not find a Role Binding for role '%s'", roleName)
	}

	// Fall back to the caller's own identity when no name was supplied.
	if userName == "" {
		current, lookupErr := c.GetCurrentUser()
		if lookupErr != nil {
			return false, lookupErr
		}
		userName = current.Name
	}

	ns, err := c.Namespace()
	if err != nil {
		return false, err
	}

	// Gather the user subjects of every binding; the second return value
	// (groups) is deliberately unused in this check.
	boundUsers := []string{}
	for _, binding := range bindings {
		names, _ := authapi.StringSubjectsFor(ns, binding.Subjects)
		boundUsers = append(boundUsers, names...)
	}

	return contains(userName, boundUsers), nil
}
예제 #2
// convert_api_ClusterRoleBinding_To_v1_ClusterRoleBinding converts the internal
// ClusterRoleBinding in into the v1 form out.
//
// The bulk of the fields is copied by s.DefaultConvert, with missing fields
// ignored and differing field type names allowed. Afterwards out.UserNames and
// out.GroupNames are filled from in.Subjects via StringSubjectsFor, resolved
// against in.Namespace. Any error from DefaultConvert is returned unchanged.
func convert_api_ClusterRoleBinding_To_v1_ClusterRoleBinding(in *newer.ClusterRoleBinding, out *ClusterRoleBinding, s conversion.Scope) error {
	flags := conversion.IgnoreMissingFields | conversion.AllowDifferentFieldTypeNames
	err := s.DefaultConvert(in, out, flags)
	if err != nil {
		return err
	}

	// The v1 name lists are derived from the subjects, not copied field by field.
	userNames, groupNames := newer.StringSubjectsFor(in.Namespace, in.Subjects)
	out.UserNames = userNames
	out.GroupNames = groupNames

	return nil
}
예제 #3
// Convert_api_ClusterRoleBinding_To_v1_ClusterRoleBinding converts the internal
// ClusterRoleBinding in into the v1 form out.
//
// It first delegates to autoConvert_api_ClusterRoleBinding_To_v1_ClusterRoleBinding
// and returns its error unchanged. On success, out.UserNames and out.GroupNames
// are filled from in.Subjects via StringSubjectsFor, resolved against
// in.Namespace.
func Convert_api_ClusterRoleBinding_To_v1_ClusterRoleBinding(in *newer.ClusterRoleBinding, out *ClusterRoleBinding, s conversion.Scope) error {
	err := autoConvert_api_ClusterRoleBinding_To_v1_ClusterRoleBinding(in, out, s)
	if err != nil {
		return err
	}

	// The v1 name lists are derived from the subjects after the automatic pass.
	userNames, groupNames := newer.StringSubjectsFor(in.Namespace, in.Subjects)
	out.UserNames = userNames
	out.GroupNames = groupNames

	return nil
}
예제 #4
// RemoveSCC takes o.Subjects out of the users and groups of the security
// context constraint named o.SCCName and writes the constraint back.
//
// The subjects are turned into user and group name lists by StringSubjectsFor,
// with o.DefaultSubjectNamespace as the namespace argument. Errors from the Get
// and Update calls are returned unchanged.
//
// NOTE(review): this is a read-modify-write with no retry visible here; how a
// change made between Get and Update is handled depends on the Update
// implementation — confirm.
func (o *SCCModificationOptions) RemoveSCC() error {
	scc, err := o.SCCInterface.SecurityContextConstraints().Get(o.SCCName)
	if err != nil {
		return err
	}

	subjectUsers, subjectGroups := authorizationapi.StringSubjectsFor(o.DefaultSubjectNamespace, o.Subjects)

	// Only diff's second result is kept; presumably it holds the entries of the
	// existing list that are absent from the requested list — verify against diff.
	_, keptUsers := diff(subjectUsers, scc.Users)
	_, keptGroups := diff(subjectGroups, scc.Groups)
	scc.Users, scc.Groups = keptUsers, keptGroups

	if _, err := o.SCCInterface.SecurityContextConstraints().Update(scc); err != nil {
		return err
	}
	return nil
}
예제 #5
// AddSCC appends o.Subjects to the users and groups of the security context
// constraint named o.SCCName and writes the constraint back.
//
// The subjects are turned into user and group name lists by StringSubjectsFor,
// with o.DefaultSubjectNamespace as the namespace argument. Errors from the Get
// and Update calls are returned unchanged.
//
// This method performs no authorization check of its own: whoever can reach it
// with a working SCCInterface extends the constraint's subject lists, so the
// caller is responsible for deciding who may be added.
//
// NOTE(review): this is a read-modify-write with no retry visible here; how a
// change made between Get and Update is handled depends on the Update
// implementation — confirm.
func (o *SCCModificationOptions) AddSCC() error {
	scc, err := o.SCCInterface.SecurityContextConstraints().Get(o.SCCName)
	if err != nil {
		return err
	}

	subjectUsers, subjectGroups := authorizationapi.StringSubjectsFor(o.DefaultSubjectNamespace, o.Subjects)

	// Only diff's first result is kept; presumably it holds the requested names
	// that are not yet on the constraint, which avoids duplicates — verify
	// against diff.
	newUsers, _ := diff(subjectUsers, scc.Users)
	newGroups, _ := diff(subjectGroups, scc.Groups)

	scc.Users = append(scc.Users, newUsers...)
	scc.Groups = append(scc.Groups, newGroups...)

	if _, err := o.SCCInterface.SecurityContextConstraints().Update(scc); err != nil {
		return err
	}
	return nil
}
// GroupHasRole reports whether groupName appears as a group subject on any
// role binding returned for roleName.
//
// An error is returned when the role binding lookup fails, when no role
// binding exists for the role, or when the namespace cannot be resolved.
//
// Only the group list from StringSubjectsFor is consulted; the user list is
// discarded.
func (c *Context) GroupHasRole(groupName string, roleName string) (bool, error) {
	bindings, err := c.GetRoleBindingsForRole(roleName)
	switch {
	case err != nil:
		return false, err
	case len(bindings) == 0:
		// A role with no bindings is reported as an error, not as "false".
		return false, fmt.Errorf("Could not find a Role Binding for role '%s'", roleName)
	}

	ns, err := c.Namespace()
	if err != nil {
		return false, err
	}

	// Gather the group subjects of every binding; the first return value
	// (users) is deliberately unused in this check.
	boundGroups := []string{}
	for _, binding := range bindings {
		_, names := authapi.StringSubjectsFor(ns, binding.Subjects)
		boundGroups = append(boundGroups, names...)
	}

	return contains(groupName, boundGroups), nil
}
예제 #7
// Groups returns the group names among the wrapped cluster role binding's
// subjects as a string set. The names come from StringSubjectsFor, called with
// the binding's own Namespace; the user names it also returns are dropped.
func (a ClusterRoleBindingAdapter) Groups() sets.String {
	binding := a.roleBinding
	_, groupNames := authorizationapi.StringSubjectsFor(binding.Namespace, binding.Subjects)
	return sets.NewString(groupNames...)
}
예제 #8
// Users returns the user names among the wrapped cluster role binding's
// subjects as a string set. The names come from StringSubjectsFor, called with
// the binding's own Namespace; the group names it also returns are dropped.
func (a ClusterRoleBindingAdapter) Users() sets.String {
	binding := a.roleBinding
	userNames, _ := authorizationapi.StringSubjectsFor(binding.Namespace, binding.Subjects)
	return sets.NewString(userNames...)
}
예제 #9
// Groups returns the group names among the wrapped role binding's subjects as
// a string set. The names come from StringSubjectsFor, called with the
// binding's own Namespace; the user names it also returns are dropped.
func (a RoleBindingAdapter) Groups() util.StringSet {
	binding := a.roleBinding
	_, groupNames := authorizationapi.StringSubjectsFor(binding.Namespace, binding.Subjects)
	return util.NewStringSet(groupNames...)
}
예제 #10
// Users returns the user names among the wrapped role binding's subjects as a
// string set. The names come from StringSubjectsFor, called with the binding's
// own Namespace; the group names it also returns are dropped.
func (a RoleBindingAdapter) Users() util.StringSet {
	binding := a.roleBinding
	userNames, _ := authorizationapi.StringSubjectsFor(binding.Namespace, binding.Subjects)
	return util.NewStringSet(userNames...)
}