github/steve
1
0
Fork 0
mirror of https://github.com/niusmallnan/steve.git synced 2025-06-27 23:16:56 +00:00
Code Issues Projects Releases Wiki Activity

cleanup: Remove unused namespace constraint

Browse Source 
The use of AddNamespaceConstraint was removed in e35b8304 of
rancher/rancher, so there is no possibility of there being a namespace
constraint in the request context. Remove the unused function and the
unused codepath from the rbac store.
This commit is contained in:
Colleen Murphy 2022-10-11 12:28:51 -07:00
parent 475f311d0b
commit ea61c2187a
1 changed files with 2 additions and 43 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
pkg/stores/proxy/rbac_store.go
View File

@ -1,9 +1,7 @@
package proxy package proxy
import ( import (
"context"
"fmt" "fmt"
"net/http"
"sort" "sort"
"github.com/rancher/apiserver/pkg/types" "github.com/rancher/apiserver/pkg/types"
@ -20,19 +18,6 @@ var (
} }
) )
type filterKey struct{}
func AddNamespaceConstraint(req *http.Request, names ...string) *http.Request {
set := sets.NewString(names...)
ctx := context.WithValue(req.Context(), filterKey{}, set)
return req.WithContext(ctx)
}
func getNamespaceConstraint(req *http.Request) (sets.String, bool) {
set, ok := req.Context().Value(filterKey{}).(sets.String)
return set, ok
}
type Partition struct { type Partition struct {
Namespace string Namespace string
All bool All bool
@ -128,35 +113,9 @@ func (b *byNameOrNamespaceStore) Watch(apiOp *types.APIRequest, schema *types.AP
return b.Store.WatchNames(apiOp, schema, wr, b.partition.Names) return b.Store.WatchNames(apiOp, schema, wr, b.partition.Names)
} }
// isPassthrough determines whether a request can be passed through directly to the underlying store
// or if the results need to be partitioned by namespace and name based on the requester's access.
func isPassthrough(apiOp *types.APIRequest, schema *types.APISchema, verb string) ([]partition.Partition, bool) { func isPassthrough(apiOp *types.APIRequest, schema *types.APISchema, verb string) ([]partition.Partition, bool) {
partitions, passthrough := isPassthroughUnconstrained(apiOp, schema, verb)
namespaces, ok := getNamespaceConstraint(apiOp.Request)
if !ok {
return partitions, passthrough
}
var result []partition.Partition
if passthrough {
for namespace := range namespaces {
result = append(result, Partition{
Namespace: namespace,
All: true,
})
}
return result, false
}
for _, partition := range partitions {
if namespaces.Has(partition.Name()) {
result = append(result, partition)
}
}
return result, false
}
func isPassthroughUnconstrained(apiOp *types.APIRequest, schema *types.APISchema, verb string) ([]partition.Partition, bool) {
accessListByVerb, _ := attributes.Access(schema).(accesscontrol.AccessListByVerb) accessListByVerb, _ := attributes.Access(schema).(accesscontrol.AccessListByVerb)
if accessListByVerb.All(verb) { if accessListByVerb.All(verb) {
return nil, true return nil, true