diff --git a/pkg/apis/authorization/deep_copy_generated.go b/pkg/apis/authorization/deep_copy_generated.go index 7f671dfee70..bc40fb33ea3 100644 --- a/pkg/apis/authorization/deep_copy_generated.go +++ b/pkg/apis/authorization/deep_copy_generated.go @@ -147,6 +147,19 @@ func DeepCopy_authorization_SubjectAccessReviewSpec(in SubjectAccessReviewSpec, } else { out.Groups = nil } + if in.Extra != nil { + in, out := in.Extra, &out.Extra + *out = make(map[string][]string) + for key, val := range in { + if newVal, err := c.DeepCopy(val); err != nil { + return err + } else { + (*out)[key] = newVal.([]string) + } + } + } else { + out.Extra = nil + } return nil } diff --git a/pkg/apis/authorization/types.generated.go b/pkg/apis/authorization/types.generated.go index 9f00bf014d7..e4f92c8c5bf 100644 --- a/pkg/apis/authorization/types.generated.go +++ b/pkg/apis/authorization/types.generated.go @@ -1551,14 +1551,14 @@ func (x *SubjectAccessReviewSpec) CodecEncodeSelf(e *codec1978.Encoder) { } else { yysep2 := !z.EncBinary() yy2arr2 := z.EncBasicHandle().StructToArray - var yyq2 [4]bool + var yyq2 [5]bool _, _, _ = yysep2, yyq2, yy2arr2 const yyr2 bool = false var yynn2 int if yyr2 || yy2arr2 { - r.EncodeArrayStart(4) + r.EncodeArrayStart(5) } else { - yynn2 = 4 + yynn2 = 5 for _, b := range yyq2 { if b { yynn2++ @@ -1647,6 +1647,33 @@ func (x *SubjectAccessReviewSpec) CodecEncodeSelf(e *codec1978.Encoder) { } } } + if yyr2 || yy2arr2 { + z.EncSendContainerState(codecSelfer_containerArrayElem1234) + if x.Extra == nil { + r.EncodeNil() + } else { + yym16 := z.EncBinary() + _ = yym16 + if false { + } else { + h.encMapstringSlicestring((map[string][]string)(x.Extra), e) + } + } + } else { + z.EncSendContainerState(codecSelfer_containerMapKey1234) + r.EncodeString(codecSelferC_UTF81234, string("Extra")) + z.EncSendContainerState(codecSelfer_containerMapValue1234) + if x.Extra == nil { + r.EncodeNil() + } else { + yym17 := z.EncBinary() + _ = yym17 + if false { + } else { + h.encMapstringSlicestring((map[string][]string)(x.Extra), e) + } + } + } if yyr2 || yy2arr2 { z.EncSendContainerState(codecSelfer_containerArrayEnd1234) } else { @@ -1748,6 +1775,18 @@ func (x *SubjectAccessReviewSpec) codecDecodeSelfFromMap(l int, d *codec1978.Dec z.F.DecSliceStringX(yyv7, false, d) } } + case "Extra": + if r.TryDecodeAsNil() { + x.Extra = nil + } else { + yyv9 := &x.Extra + yym10 := z.DecBinary() + _ = yym10 + if false { + } else { + h.decMapstringSlicestring((*map[string][]string)(yyv9), d) + } + } default: z.DecStructFieldNotFound(-1, yys3) } // end switch yys3 @@ -1759,16 +1798,16 @@ func (x *SubjectAccessReviewSpec) codecDecodeSelfFromArray(l int, d *codec1978.D var h codecSelfer1234 z, r := codec1978.GenHelperDecoder(d) _, _, _ = h, z, r - var yyj9 int - var yyb9 bool - var yyhl9 bool = l >= 0 - yyj9++ - if yyhl9 { - yyb9 = yyj9 > l + var yyj11 int + var yyb11 bool + var yyhl11 bool = l >= 0 + yyj11++ + if yyhl11 { + yyb11 = yyj11 > l } else { - yyb9 = r.CheckBreak() + yyb11 = r.CheckBreak() } - if yyb9 { + if yyb11 { z.DecSendContainerState(codecSelfer_containerArrayEnd1234) return } @@ -1783,13 +1822,13 @@ func (x *SubjectAccessReviewSpec) codecDecodeSelfFromArray(l int, d *codec1978.D } x.ResourceAttributes.CodecDecodeSelf(d) } - yyj9++ - if yyhl9 { - yyb9 = yyj9 > l + yyj11++ + if yyhl11 { + yyb11 = yyj11 > l } else { - yyb9 = r.CheckBreak() + yyb11 = r.CheckBreak() } - if yyb9 { + if yyb11 { z.DecSendContainerState(codecSelfer_containerArrayEnd1234) return } @@ -1804,13 +1843,13 @@ func (x *SubjectAccessReviewSpec) codecDecodeSelfFromArray(l int, d *codec1978.D } x.NonResourceAttributes.CodecDecodeSelf(d) } - yyj9++ - if yyhl9 { - yyb9 = yyj9 > l + yyj11++ + if yyhl11 { + yyb11 = yyj11 > l } else { - yyb9 = r.CheckBreak() + yyb11 = r.CheckBreak() } - if yyb9 { + if yyb11 { z.DecSendContainerState(codecSelfer_containerArrayEnd1234) return } @@ -1820,13 +1859,13 @@ func (x *SubjectAccessReviewSpec) codecDecodeSelfFromArray(l int, d *codec1978.D } else { x.User = string(r.DecodeString()) } - yyj9++ - if yyhl9 { - yyb9 = yyj9 > l + yyj11++ + if yyhl11 { + yyb11 = yyj11 > l } else { - yyb9 = r.CheckBreak() + yyb11 = r.CheckBreak() } - if yyb9 { + if yyb11 { z.DecSendContainerState(codecSelfer_containerArrayEnd1234) return } @@ -1834,26 +1873,48 @@ func (x *SubjectAccessReviewSpec) codecDecodeSelfFromArray(l int, d *codec1978.D if r.TryDecodeAsNil() { x.Groups = nil } else { - yyv13 := &x.Groups - yym14 := z.DecBinary() - _ = yym14 + yyv15 := &x.Groups + yym16 := z.DecBinary() + _ = yym16 if false { } else { - z.F.DecSliceStringX(yyv13, false, d) + z.F.DecSliceStringX(yyv15, false, d) + } + } + yyj11++ + if yyhl11 { + yyb11 = yyj11 > l + } else { + yyb11 = r.CheckBreak() + } + if yyb11 { + z.DecSendContainerState(codecSelfer_containerArrayEnd1234) + return + } + z.DecSendContainerState(codecSelfer_containerArrayElem1234) + if r.TryDecodeAsNil() { + x.Extra = nil + } else { + yyv17 := &x.Extra + yym18 := z.DecBinary() + _ = yym18 + if false { + } else { + h.decMapstringSlicestring((*map[string][]string)(yyv17), d) } } for { - yyj9++ - if yyhl9 { - yyb9 = yyj9 > l + yyj11++ + if yyhl11 { + yyb11 = yyj11 > l } else { - yyb9 = r.CheckBreak() + yyb11 = r.CheckBreak() } - if yyb9 { + if yyb11 { break } z.DecSendContainerState(codecSelfer_containerArrayElem1234) - z.DecStructFieldNotFound(yyj9-1, "") + z.DecStructFieldNotFound(yyj11-1, "") } z.DecSendContainerState(codecSelfer_containerArrayEnd1234) } @@ -2279,3 +2340,231 @@ func (x *SubjectAccessReviewStatus) codecDecodeSelfFromArray(l int, d *codec1978 } z.DecSendContainerState(codecSelfer_containerArrayEnd1234) } + +func (x codecSelfer1234) encMapstringSlicestring(v map[string][]string, e *codec1978.Encoder) { + var h codecSelfer1234 + z, r := codec1978.GenHelperEncoder(e) + _, _, _ = h, z, r + r.EncodeMapStart(len(v)) + for yyk1, yyv1 := range v { + z.EncSendContainerState(codecSelfer_containerMapKey1234) + yym2 := z.EncBinary() + _ = yym2 + if false { + } else { + r.EncodeString(codecSelferC_UTF81234, string(yyk1)) + } + z.EncSendContainerState(codecSelfer_containerMapValue1234) + if yyv1 == nil { + r.EncodeNil() + } else { + yym3 := z.EncBinary() + _ = yym3 + if false { + } else { + z.F.EncSliceStringV(yyv1, false, e) + } + } + } + z.EncSendContainerState(codecSelfer_containerMapEnd1234) +} + +func (x codecSelfer1234) decMapstringSlicestring(v *map[string][]string, d *codec1978.Decoder) { + var h codecSelfer1234 + z, r := codec1978.GenHelperDecoder(d) + _, _, _ = h, z, r + + yyv1 := *v + yyl1 := r.ReadMapStart() + yybh1 := z.DecBasicHandle() + if yyv1 == nil { + yyrl1, _ := z.DecInferLen(yyl1, yybh1.MaxInitLen, 40) + yyv1 = make(map[string][]string, yyrl1) + *v = yyv1 + } + var yymk1 string + var yymv1 []string + var yymg1 bool + if yybh1.MapValueReset { + yymg1 = true + } + if yyl1 > 0 { + for yyj1 := 0; yyj1 < yyl1; yyj1++ { + z.DecSendContainerState(codecSelfer_containerMapKey1234) + if r.TryDecodeAsNil() { + yymk1 = "" + } else { + yymk1 = string(r.DecodeString()) + } + + if yymg1 { + yymv1 = yyv1[yymk1] + } else { + yymv1 = nil + } + z.DecSendContainerState(codecSelfer_containerMapValue1234) + if r.TryDecodeAsNil() { + yymv1 = nil + } else { + yyv3 := &yymv1 + yym4 := z.DecBinary() + _ = yym4 + if false { + } else { + z.F.DecSliceStringX(yyv3, false, d) + } + } + + if yyv1 != nil { + yyv1[yymk1] = yymv1 + } + } + } else if yyl1 < 0 { + for yyj1 := 0; !r.CheckBreak(); yyj1++ { + z.DecSendContainerState(codecSelfer_containerMapKey1234) + if r.TryDecodeAsNil() { + yymk1 = "" + } else { + yymk1 = string(r.DecodeString()) + } + + if yymg1 { + yymv1 = yyv1[yymk1] + } else { + yymv1 = nil + } + z.DecSendContainerState(codecSelfer_containerMapValue1234) + if r.TryDecodeAsNil() { + yymv1 = nil + } else { + yyv6 := &yymv1 + yym7 := z.DecBinary() + _ = yym7 + if false { + } else { + z.F.DecSliceStringX(yyv6, false, d) + } + } + + if yyv1 != nil { + yyv1[yymk1] = yymv1 + } + } + } // else len==0: TODO: Should we clear map entries? + z.DecSendContainerState(codecSelfer_containerMapEnd1234) +} + +func (x codecSelfer1234) encSlicestring(v []string, e *codec1978.Encoder) { + var h codecSelfer1234 + z, r := codec1978.GenHelperEncoder(e) + _, _, _ = h, z, r + r.EncodeArrayStart(len(v)) + for _, yyv1 := range v { + z.EncSendContainerState(codecSelfer_containerArrayElem1234) + yym2 := z.EncBinary() + _ = yym2 + if false { + } else { + r.EncodeString(codecSelferC_UTF81234, string(yyv1)) + } + } + z.EncSendContainerState(codecSelfer_containerArrayEnd1234) +} + +func (x codecSelfer1234) decSlicestring(v *[]string, d *codec1978.Decoder) { + var h codecSelfer1234 + z, r := codec1978.GenHelperDecoder(d) + _, _, _ = h, z, r + + yyv1 := *v + yyh1, yyl1 := z.DecSliceHelperStart() + var yyc1 bool + _ = yyc1 + if yyl1 == 0 { + if yyv1 == nil { + yyv1 = []string{} + yyc1 = true + } else if len(yyv1) != 0 { + yyv1 = yyv1[:0] + yyc1 = true + } + } else if yyl1 > 0 { + var yyrr1, yyrl1 int + var yyrt1 bool + _, _ = yyrl1, yyrt1 + yyrr1 = yyl1 // len(yyv1) + if yyl1 > cap(yyv1) { + + yyrl1, yyrt1 = z.DecInferLen(yyl1, z.DecBasicHandle().MaxInitLen, 16) + if yyrt1 { + if yyrl1 <= cap(yyv1) { + yyv1 = yyv1[:yyrl1] + } else { + yyv1 = make([]string, yyrl1) + } + } else { + yyv1 = make([]string, yyrl1) + } + yyc1 = true + yyrr1 = len(yyv1) + } else if yyl1 != len(yyv1) { + yyv1 = yyv1[:yyl1] + yyc1 = true + } + yyj1 := 0 + for ; yyj1 < yyrr1; yyj1++ { + yyh1.ElemContainerState(yyj1) + if r.TryDecodeAsNil() { + yyv1[yyj1] = "" + } else { + yyv1[yyj1] = string(r.DecodeString()) + } + + } + if yyrt1 { + for ; yyj1 < yyl1; yyj1++ { + yyv1 = append(yyv1, "") + yyh1.ElemContainerState(yyj1) + if r.TryDecodeAsNil() { + yyv1[yyj1] = "" + } else { + yyv1[yyj1] = string(r.DecodeString()) + } + + } + } + + } else { + yyj1 := 0 + for ; !r.CheckBreak(); yyj1++ { + + if yyj1 >= len(yyv1) { + yyv1 = append(yyv1, "") // var yyz1 string + yyc1 = true + } + yyh1.ElemContainerState(yyj1) + if yyj1 < len(yyv1) { + if r.TryDecodeAsNil() { + yyv1[yyj1] = "" + } else { + yyv1[yyj1] = string(r.DecodeString()) + } + + } else { + z.DecSwallow() + } + + } + if yyj1 < len(yyv1) { + yyv1 = yyv1[:yyj1] + yyc1 = true + } else if yyj1 == 0 && yyv1 == nil { + yyv1 = []string{} + yyc1 = true + } + } + yyh1.End() + if yyc1 { + *v = yyv1 + } +} diff --git a/pkg/apis/authorization/types.go b/pkg/apis/authorization/types.go index 5feb0e5468d..8cfdfbe9775 100644 --- a/pkg/apis/authorization/types.go +++ b/pkg/apis/authorization/types.go @@ -101,6 +101,9 @@ type SubjectAccessReviewSpec struct { User string // Groups is the groups you're testing for. Groups []string + // Extra corresponds to the user.Info.GetExtra() method from the authenticator. Since that is input to the authorizer + // it needs a reflection here. + Extra map[string][]string } // SelfSubjectAccessReviewSpec is a description of the access request. Exactly one of ResourceAttributes diff --git a/pkg/apis/authorization/v1beta1/conversion_generated.go b/pkg/apis/authorization/v1beta1/conversion_generated.go index ce31550cf0e..71119a76ace 100644 --- a/pkg/apis/authorization/v1beta1/conversion_generated.go +++ b/pkg/apis/authorization/v1beta1/conversion_generated.go @@ -321,6 +321,20 @@ func autoConvert_v1beta1_SubjectAccessReviewSpec_To_authorization_SubjectAccessR } else { out.Groups = nil } + if in.Extra != nil { + in, out := &in.Extra, &out.Extra + *out = make(map[string][]string, len(*in)) + for key, val := range *in { + newVal := new([]string) + // TODO: Inefficient conversion - can we improve it? + if err := s.Convert(&val, newVal, 0); err != nil { + return err + } + (*out)[key] = *newVal + } + } else { + out.Extra = nil + } return nil } @@ -358,6 +372,20 @@ func autoConvert_authorization_SubjectAccessReviewSpec_To_v1beta1_SubjectAccessR } else { out.Groups = nil } + if in.Extra != nil { + in, out := &in.Extra, &out.Extra + *out = make(map[string][]string, len(*in)) + for key, val := range *in { + newVal := new([]string) + // TODO: Inefficient conversion - can we improve it? + if err := s.Convert(&val, newVal, 0); err != nil { + return err + } + (*out)[key] = *newVal + } + } else { + out.Extra = nil + } return nil } diff --git a/pkg/apis/authorization/v1beta1/deep_copy_generated.go b/pkg/apis/authorization/v1beta1/deep_copy_generated.go index 5c4ad6fd91b..94a35650cb4 100644 --- a/pkg/apis/authorization/v1beta1/deep_copy_generated.go +++ b/pkg/apis/authorization/v1beta1/deep_copy_generated.go @@ -147,6 +147,19 @@ func DeepCopy_v1beta1_SubjectAccessReviewSpec(in SubjectAccessReviewSpec, out *S } else { out.Groups = nil } + if in.Extra != nil { + in, out := in.Extra, &out.Extra + *out = make(map[string][]string) + for key, val := range in { + if newVal, err := c.DeepCopy(val); err != nil { + return err + } else { + (*out)[key] = newVal.([]string) + } + } + } else { + out.Extra = nil + } return nil } diff --git a/pkg/apis/authorization/v1beta1/types.generated.go b/pkg/apis/authorization/v1beta1/types.generated.go index 906fcb57788..7a0175ac964 100644 --- a/pkg/apis/authorization/v1beta1/types.generated.go +++ b/pkg/apis/authorization/v1beta1/types.generated.go @@ -1635,16 +1635,17 @@ func (x *SubjectAccessReviewSpec) CodecEncodeSelf(e *codec1978.Encoder) { } else { yysep2 := !z.EncBinary() yy2arr2 := z.EncBasicHandle().StructToArray - var yyq2 [4]bool + var yyq2 [5]bool _, _, _ = yysep2, yyq2, yy2arr2 const yyr2 bool = false yyq2[0] = x.ResourceAttributes != nil yyq2[1] = x.NonResourceAttributes != nil yyq2[2] = x.User != "" yyq2[3] = len(x.Groups) != 0 + yyq2[4] = len(x.Extra) != 0 var yynn2 int if yyr2 || yy2arr2 { - r.EncodeArrayStart(4) + r.EncodeArrayStart(5) } else { yynn2 = 0 for _, b := range yyq2 { @@ -1759,6 +1760,39 @@ func (x *SubjectAccessReviewSpec) CodecEncodeSelf(e *codec1978.Encoder) { } } } + if yyr2 || yy2arr2 { + z.EncSendContainerState(codecSelfer_containerArrayElem1234) + if yyq2[4] { + if x.Extra == nil { + r.EncodeNil() + } else { + yym16 := z.EncBinary() + _ = yym16 + if false { + } else { + h.encMapstringSlicestring((map[string][]string)(x.Extra), e) + } + } + } else { + r.EncodeNil() + } + } else { + if yyq2[4] { + z.EncSendContainerState(codecSelfer_containerMapKey1234) + r.EncodeString(codecSelferC_UTF81234, string("extra")) + z.EncSendContainerState(codecSelfer_containerMapValue1234) + if x.Extra == nil { + r.EncodeNil() + } else { + yym17 := z.EncBinary() + _ = yym17 + if false { + } else { + h.encMapstringSlicestring((map[string][]string)(x.Extra), e) + } + } + } + } if yyr2 || yy2arr2 { z.EncSendContainerState(codecSelfer_containerArrayEnd1234) } else { @@ -1860,6 +1894,18 @@ func (x *SubjectAccessReviewSpec) codecDecodeSelfFromMap(l int, d *codec1978.Dec z.F.DecSliceStringX(yyv7, false, d) } } + case "extra": + if r.TryDecodeAsNil() { + x.Extra = nil + } else { + yyv9 := &x.Extra + yym10 := z.DecBinary() + _ = yym10 + if false { + } else { + h.decMapstringSlicestring((*map[string][]string)(yyv9), d) + } + } default: z.DecStructFieldNotFound(-1, yys3) } // end switch yys3 @@ -1871,16 +1917,16 @@ func (x *SubjectAccessReviewSpec) codecDecodeSelfFromArray(l int, d *codec1978.D var h codecSelfer1234 z, r := codec1978.GenHelperDecoder(d) _, _, _ = h, z, r - var yyj9 int - var yyb9 bool - var yyhl9 bool = l >= 0 - yyj9++ - if yyhl9 { - yyb9 = yyj9 > l + var yyj11 int + var yyb11 bool + var yyhl11 bool = l >= 0 + yyj11++ + if yyhl11 { + yyb11 = yyj11 > l } else { - yyb9 = r.CheckBreak() + yyb11 = r.CheckBreak() } - if yyb9 { + if yyb11 { z.DecSendContainerState(codecSelfer_containerArrayEnd1234) return } @@ -1895,13 +1941,13 @@ func (x *SubjectAccessReviewSpec) codecDecodeSelfFromArray(l int, d *codec1978.D } x.ResourceAttributes.CodecDecodeSelf(d) } - yyj9++ - if yyhl9 { - yyb9 = yyj9 > l + yyj11++ + if yyhl11 { + yyb11 = yyj11 > l } else { - yyb9 = r.CheckBreak() + yyb11 = r.CheckBreak() } - if yyb9 { + if yyb11 { z.DecSendContainerState(codecSelfer_containerArrayEnd1234) return } @@ -1916,13 +1962,13 @@ func (x *SubjectAccessReviewSpec) codecDecodeSelfFromArray(l int, d *codec1978.D } x.NonResourceAttributes.CodecDecodeSelf(d) } - yyj9++ - if yyhl9 { - yyb9 = yyj9 > l + yyj11++ + if yyhl11 { + yyb11 = yyj11 > l } else { - yyb9 = r.CheckBreak() + yyb11 = r.CheckBreak() } - if yyb9 { + if yyb11 { z.DecSendContainerState(codecSelfer_containerArrayEnd1234) return } @@ -1932,13 +1978,13 @@ func (x *SubjectAccessReviewSpec) codecDecodeSelfFromArray(l int, d *codec1978.D } else { x.User = string(r.DecodeString()) } - yyj9++ - if yyhl9 { - yyb9 = yyj9 > l + yyj11++ + if yyhl11 { + yyb11 = yyj11 > l } else { - yyb9 = r.CheckBreak() + yyb11 = r.CheckBreak() } - if yyb9 { + if yyb11 { z.DecSendContainerState(codecSelfer_containerArrayEnd1234) return } @@ -1946,26 +1992,48 @@ func (x *SubjectAccessReviewSpec) codecDecodeSelfFromArray(l int, d *codec1978.D if r.TryDecodeAsNil() { x.Groups = nil } else { - yyv13 := &x.Groups - yym14 := z.DecBinary() - _ = yym14 + yyv15 := &x.Groups + yym16 := z.DecBinary() + _ = yym16 if false { } else { - z.F.DecSliceStringX(yyv13, false, d) + z.F.DecSliceStringX(yyv15, false, d) + } + } + yyj11++ + if yyhl11 { + yyb11 = yyj11 > l + } else { + yyb11 = r.CheckBreak() + } + if yyb11 { + z.DecSendContainerState(codecSelfer_containerArrayEnd1234) + return + } + z.DecSendContainerState(codecSelfer_containerArrayElem1234) + if r.TryDecodeAsNil() { + x.Extra = nil + } else { + yyv17 := &x.Extra + yym18 := z.DecBinary() + _ = yym18 + if false { + } else { + h.decMapstringSlicestring((*map[string][]string)(yyv17), d) } } for { - yyj9++ - if yyhl9 { - yyb9 = yyj9 > l + yyj11++ + if yyhl11 { + yyb11 = yyj11 > l } else { - yyb9 = r.CheckBreak() + yyb11 = r.CheckBreak() } - if yyb9 { + if yyb11 { break } z.DecSendContainerState(codecSelfer_containerArrayElem1234) - z.DecStructFieldNotFound(yyj9-1, "") + z.DecStructFieldNotFound(yyj11-1, "") } z.DecSendContainerState(codecSelfer_containerArrayEnd1234) } @@ -2412,3 +2480,231 @@ func (x *SubjectAccessReviewStatus) codecDecodeSelfFromArray(l int, d *codec1978 } z.DecSendContainerState(codecSelfer_containerArrayEnd1234) } + +func (x codecSelfer1234) encMapstringSlicestring(v map[string][]string, e *codec1978.Encoder) { + var h codecSelfer1234 + z, r := codec1978.GenHelperEncoder(e) + _, _, _ = h, z, r + r.EncodeMapStart(len(v)) + for yyk1, yyv1 := range v { + z.EncSendContainerState(codecSelfer_containerMapKey1234) + yym2 := z.EncBinary() + _ = yym2 + if false { + } else { + r.EncodeString(codecSelferC_UTF81234, string(yyk1)) + } + z.EncSendContainerState(codecSelfer_containerMapValue1234) + if yyv1 == nil { + r.EncodeNil() + } else { + yym3 := z.EncBinary() + _ = yym3 + if false { + } else { + z.F.EncSliceStringV(yyv1, false, e) + } + } + } + z.EncSendContainerState(codecSelfer_containerMapEnd1234) +} + +func (x codecSelfer1234) decMapstringSlicestring(v *map[string][]string, d *codec1978.Decoder) { + var h codecSelfer1234 + z, r := codec1978.GenHelperDecoder(d) + _, _, _ = h, z, r + + yyv1 := *v + yyl1 := r.ReadMapStart() + yybh1 := z.DecBasicHandle() + if yyv1 == nil { + yyrl1, _ := z.DecInferLen(yyl1, yybh1.MaxInitLen, 40) + yyv1 = make(map[string][]string, yyrl1) + *v = yyv1 + } + var yymk1 string + var yymv1 []string + var yymg1 bool + if yybh1.MapValueReset { + yymg1 = true + } + if yyl1 > 0 { + for yyj1 := 0; yyj1 < yyl1; yyj1++ { + z.DecSendContainerState(codecSelfer_containerMapKey1234) + if r.TryDecodeAsNil() { + yymk1 = "" + } else { + yymk1 = string(r.DecodeString()) + } + + if yymg1 { + yymv1 = yyv1[yymk1] + } else { + yymv1 = nil + } + z.DecSendContainerState(codecSelfer_containerMapValue1234) + if r.TryDecodeAsNil() { + yymv1 = nil + } else { + yyv3 := &yymv1 + yym4 := z.DecBinary() + _ = yym4 + if false { + } else { + z.F.DecSliceStringX(yyv3, false, d) + } + } + + if yyv1 != nil { + yyv1[yymk1] = yymv1 + } + } + } else if yyl1 < 0 { + for yyj1 := 0; !r.CheckBreak(); yyj1++ { + z.DecSendContainerState(codecSelfer_containerMapKey1234) + if r.TryDecodeAsNil() { + yymk1 = "" + } else { + yymk1 = string(r.DecodeString()) + } + + if yymg1 { + yymv1 = yyv1[yymk1] + } else { + yymv1 = nil + } + z.DecSendContainerState(codecSelfer_containerMapValue1234) + if r.TryDecodeAsNil() { + yymv1 = nil + } else { + yyv6 := &yymv1 + yym7 := z.DecBinary() + _ = yym7 + if false { + } else { + z.F.DecSliceStringX(yyv6, false, d) + } + } + + if yyv1 != nil { + yyv1[yymk1] = yymv1 + } + } + } // else len==0: TODO: Should we clear map entries? + z.DecSendContainerState(codecSelfer_containerMapEnd1234) +} + +func (x codecSelfer1234) encSlicestring(v []string, e *codec1978.Encoder) { + var h codecSelfer1234 + z, r := codec1978.GenHelperEncoder(e) + _, _, _ = h, z, r + r.EncodeArrayStart(len(v)) + for _, yyv1 := range v { + z.EncSendContainerState(codecSelfer_containerArrayElem1234) + yym2 := z.EncBinary() + _ = yym2 + if false { + } else { + r.EncodeString(codecSelferC_UTF81234, string(yyv1)) + } + } + z.EncSendContainerState(codecSelfer_containerArrayEnd1234) +} + +func (x codecSelfer1234) decSlicestring(v *[]string, d *codec1978.Decoder) { + var h codecSelfer1234 + z, r := codec1978.GenHelperDecoder(d) + _, _, _ = h, z, r + + yyv1 := *v + yyh1, yyl1 := z.DecSliceHelperStart() + var yyc1 bool + _ = yyc1 + if yyl1 == 0 { + if yyv1 == nil { + yyv1 = []string{} + yyc1 = true + } else if len(yyv1) != 0 { + yyv1 = yyv1[:0] + yyc1 = true + } + } else if yyl1 > 0 { + var yyrr1, yyrl1 int + var yyrt1 bool + _, _ = yyrl1, yyrt1 + yyrr1 = yyl1 // len(yyv1) + if yyl1 > cap(yyv1) { + + yyrl1, yyrt1 = z.DecInferLen(yyl1, z.DecBasicHandle().MaxInitLen, 16) + if yyrt1 { + if yyrl1 <= cap(yyv1) { + yyv1 = yyv1[:yyrl1] + } else { + yyv1 = make([]string, yyrl1) + } + } else { + yyv1 = make([]string, yyrl1) + } + yyc1 = true + yyrr1 = len(yyv1) + } else if yyl1 != len(yyv1) { + yyv1 = yyv1[:yyl1] + yyc1 = true + } + yyj1 := 0 + for ; yyj1 < yyrr1; yyj1++ { + yyh1.ElemContainerState(yyj1) + if r.TryDecodeAsNil() { + yyv1[yyj1] = "" + } else { + yyv1[yyj1] = string(r.DecodeString()) + } + + } + if yyrt1 { + for ; yyj1 < yyl1; yyj1++ { + yyv1 = append(yyv1, "") + yyh1.ElemContainerState(yyj1) + if r.TryDecodeAsNil() { + yyv1[yyj1] = "" + } else { + yyv1[yyj1] = string(r.DecodeString()) + } + + } + } + + } else { + yyj1 := 0 + for ; !r.CheckBreak(); yyj1++ { + + if yyj1 >= len(yyv1) { + yyv1 = append(yyv1, "") // var yyz1 string + yyc1 = true + } + yyh1.ElemContainerState(yyj1) + if yyj1 < len(yyv1) { + if r.TryDecodeAsNil() { + yyv1[yyj1] = "" + } else { + yyv1[yyj1] = string(r.DecodeString()) + } + + } else { + z.DecSwallow() + } + + } + if yyj1 < len(yyv1) { + yyv1 = yyv1[:yyj1] + yyc1 = true + } else if yyj1 == 0 && yyv1 == nil { + yyv1 = []string{} + yyc1 = true + } + } + yyh1.End() + if yyc1 { + *v = yyv1 + } +} diff --git a/pkg/apis/authorization/v1beta1/types.go b/pkg/apis/authorization/v1beta1/types.go index 0a8cb69a74a..27078e9fc0e 100644 --- a/pkg/apis/authorization/v1beta1/types.go +++ b/pkg/apis/authorization/v1beta1/types.go @@ -100,6 +100,9 @@ type SubjectAccessReviewSpec struct { User string `json:"user,omitempty"` // Groups is the groups you're testing for. Groups []string `json:"group,omitempty"` + // Extra corresponds to the user.Info.GetExtra() method from the authenticator. Since that is input to the authorizer + // it needs a reflection here. + Extra map[string][]string `json:"extra,omitempty"` } // SelfSubjectAccessReviewSpec is a description of the access request. Exactly one of ResourceAuthorizationAttributes diff --git a/pkg/apis/authorization/v1beta1/types_swagger_doc_generated.go b/pkg/apis/authorization/v1beta1/types_swagger_doc_generated.go index d9910ef144e..9807b8fcddd 100644 --- a/pkg/apis/authorization/v1beta1/types_swagger_doc_generated.go +++ b/pkg/apis/authorization/v1beta1/types_swagger_doc_generated.go @@ -98,6 +98,7 @@ var map_SubjectAccessReviewSpec = map[string]string{ "nonResourceAttributes": "NonResourceAttributes describes information for a non-resource access request", "user": "User is the user you're testing for. If you specify \"User\" but not \"Group\", then is it interpreted as \"What if User were not a member of any groups", "group": "Groups is the groups you're testing for.", + "extra": "Extra corresponds to the user.Info.GetExtra() method from the authenticator. Since that is input to the authorizer it needs a reflection here.", } func (SubjectAccessReviewSpec) SwaggerDoc() map[string]string { diff --git a/pkg/auth/user/user.go b/pkg/auth/user/user.go index ad7bccef9ff..c4a4c00d5bf 100644 --- a/pkg/auth/user/user.go +++ b/pkg/auth/user/user.go @@ -27,6 +27,16 @@ type Info interface { GetUID() string // GetGroups returns the names of the groups the user is a member of GetGroups() []string + + // GetExtra can contain any additional information that the authenticator + // thought was interesting. One example would be scopes on a token. + // Keys in this map should be namespaced to the authenticator or + // authenticator/authorizer pair making use of them. + // For instance: "example.org/foo" instead of "foo" + // This is a map[string][]string because it needs to be serializeable into + // a SubjectAccessReviewSpec.authorization.k8s.io for proper authorization + // delegation flows + GetExtra() map[string][]string } // DefaultInfo provides a simple user information exchange object @@ -35,6 +45,7 @@ type DefaultInfo struct { Name string UID string Groups []string + Extra map[string][]string } func (i *DefaultInfo) GetName() string { @@ -48,3 +59,7 @@ func (i *DefaultInfo) GetUID() string { func (i *DefaultInfo) GetGroups() []string { return i.Groups } + +func (i *DefaultInfo) GetExtra() map[string][]string { + return i.Extra +} diff --git a/test/integration/service_account_test.go b/test/integration/service_account_test.go index e80e5783e4e..cf07b264c3b 100644 --- a/test/integration/service_account_test.go +++ b/test/integration/service_account_test.go @@ -355,7 +355,7 @@ func startServiceAccountTestServer(t *testing.T) (*clientset.Clientset, restclie // 2. A ServiceAccountToken authenticator that validates ServiceAccount tokens rootTokenAuth := authenticator.TokenFunc(func(token string) (user.Info, bool, error) { if token == rootToken { - return &user.DefaultInfo{rootUserName, "", []string{}}, true, nil + return &user.DefaultInfo{Name: rootUserName}, true, nil } return nil, false, nil })