-
Notifications
You must be signed in to change notification settings - Fork 66
/
authorizer_groups.go
52 lines (45 loc) · 1.2 KB
/
authorizer_groups.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
package main
import (
"fmt"
"net/http"
"strings"
"k8s.io/apiserver/pkg/authentication/user"
)
const (
wildcardMatcher = "*"
)
// Authorizer decides if a request, made by the given identity, is allowed.
// The interface draws some inspiration from Kubernetes' interface:
// https://github.com/kubernetes/apiserver/blob/master/pkg/authorization/authorizer/interfaces.go#L67-L72
type Authorizer interface {
Authorize(r *http.Request, userinfo user.Info) (allowed bool, reason string, err error)
}
type groupsAuthorizer struct {
allowed map[string]bool
}
func newGroupsAuthorizer(allowlist []string) Authorizer {
allowed := map[string]bool{}
for _, g := range allowlist {
if g == wildcardMatcher {
allowed = map[string]bool{g: true}
break
}
allowed[g] = true
}
return &groupsAuthorizer{
allowed: allowed,
}
}
func (ga *groupsAuthorizer) Authorize(r *http.Request, userinfo user.Info) (bool, string, error) {
if ga.allowed[wildcardMatcher] {
return true, "", nil
}
for _, g := range userinfo.GetGroups() {
if ga.allowed[g] {
return true, "", nil
}
}
reason := fmt.Sprintf("User's groups ([%s]) are not in allowlist.",
strings.Join(userinfo.GetGroups(), ","))
return false, reason, nil
}