validation

package
v0.0.0-...-d88c8b5 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Feb 9, 2021 License: Apache-2.0 Imports: 14 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func BreakdownRule

func BreakdownRule(rule rbacv1.PolicyRule) []rbacv1.PolicyRule

BreadownRule takes a rule and builds an equivalent list of rules that each have at most one verb, one resource, and one resource name

func CompactRules

func CompactRules(rules []rbacv1.PolicyRule) ([]rbacv1.PolicyRule, error)

CompactRules combines rules that contain a single APIGroup/Resource, differ only by verb, and contain no other attributes. this is a fast check, and works well with the decomposed "missing rules" list from a Covers check.

func ConfirmNoEscalation

func ConfirmNoEscalation(ctx context.Context, ruleResolver AuthorizationRuleResolver, rules []rbacv1.PolicyRule) error

ConfirmNoEscalation determines if the roles for a given user in a given namespace encompass the provided role.

func ConfirmNoEscalationInternal

func ConfirmNoEscalationInternal(ctx context.Context, ruleResolver AuthorizationRuleResolver, inRules []rbac.PolicyRule) error

func Covers

func Covers(ownerRules, servantRules []rbacv1.PolicyRule) (bool, []rbacv1.PolicyRule)

Covers determines whether or not the ownerRules cover the servantRules in terms of allowed actions. It returns whether or not the ownerRules cover and a list of the rules that the ownerRules do not cover.

func NewTestRuleResolver

func NewTestRuleResolver(roles []*rbacv1.Role, roleBindings []*rbacv1.RoleBinding, clusterRoles []*rbacv1.ClusterRole, clusterRoleBindings []*rbacv1.ClusterRoleBinding) (AuthorizationRuleResolver, *StaticRoles)

NewTestRuleResolver returns a rule resolver from lists of role objects.

Types

type AuthorizationRuleResolver

type AuthorizationRuleResolver interface {
	// GetRoleReferenceRules attempts to resolve the role reference of a RoleBinding or ClusterRoleBinding.  The passed namespace should be the namespace
	// of the role binding, the empty string if a cluster role binding.
	GetRoleReferenceRules(roleRef rbacv1.RoleRef, namespace string) ([]rbacv1.PolicyRule, error)

	// RulesFor returns the list of rules that apply to a given user in a given namespace and error.  If an error is returned, the slice of
	// PolicyRules may not be complete, but it contains all retrievable rules.  This is done because policy rules are purely additive and policy determinations
	// can be made on the basis of those rules that are found.
	RulesFor(user user.Info, namespace string) ([]rbacv1.PolicyRule, error)

	// VisitRulesFor invokes visitor() with each rule that applies to a given user in a given namespace, and each error encountered resolving those rules.
	// If visitor() returns false, visiting is short-circuited.
	VisitRulesFor(user user.Info, namespace string, visitor func(source fmt.Stringer, rule *rbacv1.PolicyRule, err error) bool)
}

type ClusterRoleBindingLister

type ClusterRoleBindingLister interface {
	ListClusterRoleBindings() ([]*rbacv1.ClusterRoleBinding, error)
}

type ClusterRoleGetter

type ClusterRoleGetter interface {
	GetClusterRole(name string) (*rbacv1.ClusterRole, error)
}

type DefaultRuleResolver

type DefaultRuleResolver struct {
	// contains filtered or unexported fields
}

func NewDefaultRuleResolver

func NewDefaultRuleResolver(roleGetter RoleGetter, roleBindingLister RoleBindingLister, clusterRoleGetter ClusterRoleGetter, clusterRoleBindingLister ClusterRoleBindingLister) *DefaultRuleResolver

func (*DefaultRuleResolver) GetRoleReferenceRules

func (r *DefaultRuleResolver) GetRoleReferenceRules(roleRef rbacv1.RoleRef, bindingNamespace string) ([]rbacv1.PolicyRule, error)

GetRoleReferenceRules attempts to resolve the RoleBinding or ClusterRoleBinding.

func (*DefaultRuleResolver) RulesFor

func (r *DefaultRuleResolver) RulesFor(user user.Info, namespace string) ([]rbacv1.PolicyRule, error)

func (*DefaultRuleResolver) VisitRulesFor

func (r *DefaultRuleResolver) VisitRulesFor(user user.Info, namespace string, visitor func(source fmt.Stringer, rule *rbacv1.PolicyRule, err error) bool)

type RoleBindingLister

type RoleBindingLister interface {
	ListRoleBindings(namespace string) ([]*rbacv1.RoleBinding, error)
}

type RoleGetter

type RoleGetter interface {
	GetRole(namespace, name string) (*rbacv1.Role, error)
}

type StaticRoles

type StaticRoles struct {
	// contains filtered or unexported fields
}

StaticRoles is a rule resolver that resolves from lists of role objects.

func (*StaticRoles) GetClusterRole

func (r *StaticRoles) GetClusterRole(name string) (*rbacv1.ClusterRole, error)

func (*StaticRoles) GetRole

func (r *StaticRoles) GetRole(namespace, name string) (*rbacv1.Role, error)

func (*StaticRoles) ListClusterRoleBindings

func (r *StaticRoles) ListClusterRoleBindings() ([]*rbacv1.ClusterRoleBinding, error)

func (*StaticRoles) ListRoleBindings

func (r *StaticRoles) ListRoleBindings(namespace string) ([]*rbacv1.RoleBinding, error)

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL