Commit b4ebfd47 authored by deads2k's avatar deads2k

add user.Info.GetExtra

parent 96586e7c
...@@ -147,6 +147,19 @@ func DeepCopy_authorization_SubjectAccessReviewSpec(in SubjectAccessReviewSpec, ...@@ -147,6 +147,19 @@ func DeepCopy_authorization_SubjectAccessReviewSpec(in SubjectAccessReviewSpec,
} else { } else {
out.Groups = nil out.Groups = nil
} }
if in.Extra != nil {
in, out := in.Extra, &out.Extra
*out = make(map[string][]string)
for key, val := range in {
if newVal, err := c.DeepCopy(val); err != nil {
return err
} else {
(*out)[key] = newVal.([]string)
}
}
} else {
out.Extra = nil
}
return nil return nil
} }
......
...@@ -101,6 +101,9 @@ type SubjectAccessReviewSpec struct { ...@@ -101,6 +101,9 @@ type SubjectAccessReviewSpec struct {
User string User string
// Groups is the groups you're testing for. // Groups is the groups you're testing for.
Groups []string Groups []string
// Extra corresponds to the user.Info.GetExtra() method from the authenticator. Since that is input to the authorizer
// it needs a reflection here.
Extra map[string][]string
} }
// SelfSubjectAccessReviewSpec is a description of the access request. Exactly one of ResourceAttributes // SelfSubjectAccessReviewSpec is a description of the access request. Exactly one of ResourceAttributes
......
...@@ -321,6 +321,20 @@ func autoConvert_v1beta1_SubjectAccessReviewSpec_To_authorization_SubjectAccessR ...@@ -321,6 +321,20 @@ func autoConvert_v1beta1_SubjectAccessReviewSpec_To_authorization_SubjectAccessR
} else { } else {
out.Groups = nil out.Groups = nil
} }
if in.Extra != nil {
in, out := &in.Extra, &out.Extra
*out = make(map[string][]string, len(*in))
for key, val := range *in {
newVal := new([]string)
// TODO: Inefficient conversion - can we improve it?
if err := s.Convert(&val, newVal, 0); err != nil {
return err
}
(*out)[key] = *newVal
}
} else {
out.Extra = nil
}
return nil return nil
} }
...@@ -358,6 +372,20 @@ func autoConvert_authorization_SubjectAccessReviewSpec_To_v1beta1_SubjectAccessR ...@@ -358,6 +372,20 @@ func autoConvert_authorization_SubjectAccessReviewSpec_To_v1beta1_SubjectAccessR
} else { } else {
out.Groups = nil out.Groups = nil
} }
if in.Extra != nil {
in, out := &in.Extra, &out.Extra
*out = make(map[string][]string, len(*in))
for key, val := range *in {
newVal := new([]string)
// TODO: Inefficient conversion - can we improve it?
if err := s.Convert(&val, newVal, 0); err != nil {
return err
}
(*out)[key] = *newVal
}
} else {
out.Extra = nil
}
return nil return nil
} }
......
...@@ -147,6 +147,19 @@ func DeepCopy_v1beta1_SubjectAccessReviewSpec(in SubjectAccessReviewSpec, out *S ...@@ -147,6 +147,19 @@ func DeepCopy_v1beta1_SubjectAccessReviewSpec(in SubjectAccessReviewSpec, out *S
} else { } else {
out.Groups = nil out.Groups = nil
} }
if in.Extra != nil {
in, out := in.Extra, &out.Extra
*out = make(map[string][]string)
for key, val := range in {
if newVal, err := c.DeepCopy(val); err != nil {
return err
} else {
(*out)[key] = newVal.([]string)
}
}
} else {
out.Extra = nil
}
return nil return nil
} }
......
...@@ -100,6 +100,9 @@ type SubjectAccessReviewSpec struct { ...@@ -100,6 +100,9 @@ type SubjectAccessReviewSpec struct {
User string `json:"user,omitempty"` User string `json:"user,omitempty"`
// Groups is the groups you're testing for. // Groups is the groups you're testing for.
Groups []string `json:"group,omitempty"` Groups []string `json:"group,omitempty"`
// Extra corresponds to the user.Info.GetExtra() method from the authenticator. Since that is input to the authorizer
// it needs a reflection here.
Extra map[string][]string `json:"extra,omitempty"`
} }
// SelfSubjectAccessReviewSpec is a description of the access request. Exactly one of ResourceAuthorizationAttributes // SelfSubjectAccessReviewSpec is a description of the access request. Exactly one of ResourceAuthorizationAttributes
......
...@@ -98,6 +98,7 @@ var map_SubjectAccessReviewSpec = map[string]string{ ...@@ -98,6 +98,7 @@ var map_SubjectAccessReviewSpec = map[string]string{
"nonResourceAttributes": "NonResourceAttributes describes information for a non-resource access request", "nonResourceAttributes": "NonResourceAttributes describes information for a non-resource access request",
"user": "User is the user you're testing for. If you specify \"User\" but not \"Group\", then is it interpreted as \"What if User were not a member of any groups", "user": "User is the user you're testing for. If you specify \"User\" but not \"Group\", then is it interpreted as \"What if User were not a member of any groups",
"group": "Groups is the groups you're testing for.", "group": "Groups is the groups you're testing for.",
"extra": "Extra corresponds to the user.Info.GetExtra() method from the authenticator. Since that is input to the authorizer it needs a reflection here.",
} }
func (SubjectAccessReviewSpec) SwaggerDoc() map[string]string { func (SubjectAccessReviewSpec) SwaggerDoc() map[string]string {
......
...@@ -27,6 +27,16 @@ type Info interface { ...@@ -27,6 +27,16 @@ type Info interface {
GetUID() string GetUID() string
// GetGroups returns the names of the groups the user is a member of // GetGroups returns the names of the groups the user is a member of
GetGroups() []string GetGroups() []string
// GetExtra can contain any additional information that the authenticator
// thought was interesting. One example would be scopes on a token.
// Keys in this map should be namespaced to the authenticator or
// authenticator/authorizer pair making use of them.
// For instance: "example.org/foo" instead of "foo"
// This is a map[string][]string because it needs to be serializeable into
// a SubjectAccessReviewSpec.authorization.k8s.io for proper authorization
// delegation flows
GetExtra() map[string][]string
} }
// DefaultInfo provides a simple user information exchange object // DefaultInfo provides a simple user information exchange object
...@@ -35,6 +45,7 @@ type DefaultInfo struct { ...@@ -35,6 +45,7 @@ type DefaultInfo struct {
Name string Name string
UID string UID string
Groups []string Groups []string
Extra map[string][]string
} }
func (i *DefaultInfo) GetName() string { func (i *DefaultInfo) GetName() string {
...@@ -48,3 +59,7 @@ func (i *DefaultInfo) GetUID() string { ...@@ -48,3 +59,7 @@ func (i *DefaultInfo) GetUID() string {
func (i *DefaultInfo) GetGroups() []string { func (i *DefaultInfo) GetGroups() []string {
return i.Groups return i.Groups
} }
func (i *DefaultInfo) GetExtra() map[string][]string {
return i.Extra
}
...@@ -355,7 +355,7 @@ func startServiceAccountTestServer(t *testing.T) (*clientset.Clientset, restclie ...@@ -355,7 +355,7 @@ func startServiceAccountTestServer(t *testing.T) (*clientset.Clientset, restclie
// 2. A ServiceAccountToken authenticator that validates ServiceAccount tokens // 2. A ServiceAccountToken authenticator that validates ServiceAccount tokens
rootTokenAuth := authenticator.TokenFunc(func(token string) (user.Info, bool, error) { rootTokenAuth := authenticator.TokenFunc(func(token string) (user.Info, bool, error) {
if token == rootToken { if token == rootToken {
return &user.DefaultInfo{rootUserName, "", []string{}}, true, nil return &user.DefaultInfo{Name: rootUserName}, true, nil
} }
return nil, false, nil return nil, false, nil
}) })
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment