func nonResourceMatches(p api.Policy, a authorizer.Attributes) bool { // A non-resource policy cannot match a resource request if !a.IsResourceRequest() { // Allow wildcard match if p.Spec.NonResourcePath == "*" { return true } // Allow exact match if p.Spec.NonResourcePath == a.GetPath() { return true } // Allow a trailing * subpath match if strings.HasSuffix(p.Spec.NonResourcePath, "*") && strings.HasPrefix(a.GetPath(), strings.TrimRight(p.Spec.NonResourcePath, "*")) { return true } } return false }