add rbac action to subjects type

deads2k
2016-10-21 12:14:04 -04:00
parent dbc4121e16
commit 252d8b7066
6 changed files with 295 additions and 19 deletions


@@ -190,28 +190,29 @@ func appliesToUser(user user.Info, subject rbac.Subject, namespace string) bool
}
// NewTestRuleResolver returns a rule resolver from lists of role objects.
func NewTestRuleResolver(roles []*rbac.Role, roleBindings []*rbac.RoleBinding, clusterRoles []*rbac.ClusterRole, clusterRoleBindings []*rbac.ClusterRoleBinding) AuthorizationRuleResolver {
r := staticRoles{
func NewTestRuleResolver(roles []*rbac.Role, roleBindings []*rbac.RoleBinding, clusterRoles []*rbac.ClusterRole, clusterRoleBindings []*rbac.ClusterRoleBinding) (AuthorizationRuleResolver, *StaticRoles) {
r := StaticRoles{
roles: roles,
roleBindings: roleBindings,
clusterRoles: clusterRoles,
clusterRoleBindings: clusterRoleBindings,
}
return newMockRuleResolver(&r)
return newMockRuleResolver(&r), &r
}
func newMockRuleResolver(r *staticRoles) AuthorizationRuleResolver {
func newMockRuleResolver(r *StaticRoles) AuthorizationRuleResolver {
return NewDefaultRuleResolver(r, r, r, r)
}
type staticRoles struct {
// StaticRoles is a rule resolver that resolves from lists of role objects.
type StaticRoles struct {
roles []*rbac.Role
roleBindings []*rbac.RoleBinding
clusterRoles []*rbac.ClusterRole
clusterRoleBindings []*rbac.ClusterRoleBinding
}
func (r *staticRoles) GetRole(namespace, name string) (*rbac.Role, error) {
func (r *StaticRoles) GetRole(namespace, name string) (*rbac.Role, error) {
if len(namespace) == 0 {
return nil, errors.New("must provide namespace when getting role")
}
@@ -223,7 +224,7 @@ func (r *staticRoles) GetRole(namespace, name string) (*rbac.Role, error) {
return nil, errors.New("role not found")
}
func (r *staticRoles) GetClusterRole(name string) (*rbac.ClusterRole, error) {
func (r *StaticRoles) GetClusterRole(name string) (*rbac.ClusterRole, error) {
for _, clusterRole := range r.clusterRoles {
if clusterRole.Name == name {
return clusterRole, nil
@@ -232,7 +233,7 @@ func (r *staticRoles) GetClusterRole(name string) (*rbac.ClusterRole, error) {
return nil, errors.New("role not found")
}
func (r *staticRoles) ListRoleBindings(namespace string) ([]*rbac.RoleBinding, error) {
func (r *StaticRoles) ListRoleBindings(namespace string) ([]*rbac.RoleBinding, error) {
if len(namespace) == 0 {
return nil, errors.New("must provide namespace when listing role bindings")
}
@@ -248,6 +249,6 @@ func (r *staticRoles) ListRoleBindings(namespace string) ([]*rbac.RoleBinding, e
return roleBindingList, nil
}
func (r *staticRoles) ListClusterRoleBindings() ([]*rbac.ClusterRoleBinding, error) {
func (r *StaticRoles) ListClusterRoleBindings() ([]*rbac.ClusterRoleBinding, error) {
return r.clusterRoleBindings, nil
}
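Review bot: The doc comment added on `StaticRoles` calls it a rule resolver, but in this section the type only supplies the four lookup methods (`GetRole`, `GetClusterRole`, `ListRoleBindings`, `ListClusterRoleBindings`) that `newMockRuleResolver` passes to `NewDefaultRuleResolver(r, r, r, r)`; the resolver is what that call returns. I would reword it as `// StaticRoles serves roles and bindings from fixed in-memory lists; it backs the resolver built by NewTestRuleResolver.` and extend the `NewTestRuleResolver` comment with `// It also returns the StaticRoles backing the resolver.` so the new second return value is documented. The type is now exported from what appears to be a non-test file, and `NewTestRuleResolver` stores the caller's slices without copying, so the comment should also say that it is meant for tests and that later changes to those slices change what the resolver authorizes.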


@@ -72,7 +72,7 @@ func TestDefaultRuleResolver(t *testing.T) {
Resources: []string{"*"},
}
staticRoles1 := staticRoles{
staticRoles1 := StaticRoles{
roles: []*rbac.Role{
{
ObjectMeta: api.ObjectMeta{Namespace: "namespace1", Name: "readthings"},
@@ -111,7 +111,7 @@ func TestDefaultRuleResolver(t *testing.T) {
}
tests := []struct {
staticRoles
StaticRoles
// For a given context, what are the rules that apply?
user user.Info
@@ -119,32 +119,32 @@ func TestDefaultRuleResolver(t *testing.T) {
effectiveRules []rbac.PolicyRule
}{
{
staticRoles: staticRoles1,
StaticRoles: staticRoles1,
user: &user.DefaultInfo{Name: "foobar"},
namespace: "namespace1",
effectiveRules: []rbac.PolicyRule{ruleReadPods, ruleReadServices},
},
{
staticRoles: staticRoles1,
StaticRoles: staticRoles1,
user: &user.DefaultInfo{Name: "foobar"},
namespace: "namespace2",
effectiveRules: []rbac.PolicyRule{},
},
{
staticRoles: staticRoles1,
StaticRoles: staticRoles1,
// Same as above but without a namespace. Only cluster rules should apply.
user: &user.DefaultInfo{Name: "foobar", Groups: []string{"admin"}},
effectiveRules: []rbac.PolicyRule{ruleAdmin},
},
{
staticRoles: staticRoles1,
StaticRoles: staticRoles1,
user: &user.DefaultInfo{},
effectiveRules: []rbac.PolicyRule{},
},
}
for i, tc := range tests {
ruleResolver := newMockRuleResolver(&tc.staticRoles)
ruleResolver := newMockRuleResolver(&tc.StaticRoles)
rules, err := ruleResolver.RulesFor(tc.user, tc.namespace)
if err != nil {
t.Errorf("case %d: GetEffectivePolicyRules(context)=%v", i, err)