Merge pull request #24 from ComradeProgrammer/opt

feat: optimize ${OBJECT}&${NAMESPACE}&${RESOURCE}
casbin · Sep 12, 2022 · 284f244 · 284f244
2 parents 1896204 + eef07c9
commit 284f244
Show file tree

Hide file tree

Showing 12 changed files with 39 additions and 29 deletions.
diff --git a/example/allowed_repo/model.yaml b/example/allowed_repo/model.yaml
@@ -15,5 +15,5 @@ spec:
     e = !some(where (p.eft == deny))
 
     [matchers]
-    m = r.obj.Request.Namespace == "default" && r.obj.Request.Resource.Resource =="deployments" && \
-    access(r.obj.Request.Object.Object.Spec.Template.Spec.Containers , 0, "Image") == p.obj
+    m = ${NAMESPACE} == "default" && ${RESOURCE} =="deployments" && \
+    access(${OBJECT}.Spec.Template.Spec.Containers , 0, "Image") == p.obj
diff --git a/example/block_nodeport_service/model.yaml b/example/block_nodeport_service/model.yaml
@@ -15,6 +15,6 @@ spec:
     e = !some(where (p.eft == deny))
 
     [matchers]
-    m = r.obj.Request.Namespace == "default" && r.obj.Request.Resource.Resource =="services" && \
+    m = ${NAMESPACE} == "default" && ${RESOURCE} =="services" && \
     r.obj.Request.Operation != "DELETE" &&\
-    string(r.obj.Request.Object.Object.Spec.Type)  == p.obj
+    string(${OBJECT}.Spec.Type)  == p.obj
diff --git a/example/container_resource_limit/model.yaml b/example/container_resource_limit/model.yaml
@@ -15,6 +15,6 @@ spec:
     e = !some(where (p.eft == deny))
 
     [matchers]
-    m = r.obj.Request.Namespace == "default" && r.obj.Request.Resource.Resource =="deployments" && \
-    parseFloat(access(r.obj.Request.Object.Object.Spec.Template.Spec.Containers , 0, "Resources","Limits","cpu","Value")) >= parseFloat(p.cpu) && \
-    parseFloat(access(r.obj.Request.Object.Object.Spec.Template.Spec.Containers , 0, "Resources","Limits","memory","Value")) >= parseFloat(p.memory)
+    m = ${NAMESPACE} == "default" && ${RESOURCE} =="deployments" && \
+    parseFloat(access(${OBJECT}.Spec.Template.Spec.Containers , 0, "Resources","Limits","cpu","Value")) >= parseFloat(p.cpu) && \
+    parseFloat(access(${OBJECT}.Spec.Template.Spec.Containers , 0, "Resources","Limits","memory","Value")) >= parseFloat(p.memory)
diff --git a/example/disallowed_tag/model.yaml b/example/disallowed_tag/model.yaml
@@ -15,5 +15,5 @@ spec:
     e = !some(where (p.eft == deny))
 
     [matchers]
-    m = r.obj.Request.Namespace == "default" && r.obj.Request.Resource.Resource =="deployments" && \
-    contain(split(accessWithWildcard(r.obj.Request.Object.Object.Spec.Template.Spec.Containers , "*", "Image"),":",1) , p.obj)
+    m = ${NAMESPACE} == "default" && ${RESOURCE} =="deployments" && \
+    contain(split(accessWithWildcard(${OBJECT}.Spec.Template.Spec.Containers , "*", "Image"),":",1) , p.obj)
diff --git a/example/external_ip/model.yaml b/example/external_ip/model.yaml
@@ -15,5 +15,5 @@ spec:
     e = !some(where (p.eft == deny))
 
     [matchers]
-    m = r.obj.Request.Namespace == "default" && r.obj.Request.Resource.Resource =="services" && \
-    contain(accessWithWildcard(r.obj.Request.Object.Object.Spec.ExternalIPs , "*") , p.obj)
+    m = ${NAMESPACE} == "default" && ${RESOURCE} =="services" && \
+    contain(accessWithWildcard(${OBJECT}.Spec.ExternalIPs , "*") , p.obj)
diff --git a/example/https_only/model.yaml b/example/https_only/model.yaml
@@ -15,7 +15,7 @@ spec:
     e = some(where (p.eft == allow))
 
     [matchers]
-    m = r.obj.Request.Namespace == "default" && r.obj.Request.Resource.Resource =="ingresses" && \
-    access(r.obj.Request.Object.Object , "Annotations", "kubernetes.io/ingress.allow-http") == "false" &&\
-    parseFloat(len(r.obj.Request.Object.Object.Spec.TLS)) > 0 || \
-    r.obj.Request.Resource.Resource !="ingresses"
+    m = ${NAMESPACE} == "default" && ${RESOURCE} =="ingresses" && \
+    access(${OBJECT} , "Annotations", "kubernetes.io/ingress.allow-http") == "false" &&\
+    parseFloat(len(${OBJECT}.Spec.TLS)) > 0 || \
+    ${RESOURCE} !="ingresses"
diff --git a/example/image_digest/model.yaml b/example/image_digest/model.yaml
@@ -15,6 +15,6 @@ spec:
     e = some(where (p.eft == allow))
 
     [matchers]
-    m = r.obj.Request.Namespace == "default" && r.obj.Request.Resource.Resource =="deployments" && \
-    matchRegex(accessWithWildcard(r.obj.Request.Object.Object.Spec.Template.Spec.Containers , "*", "Image") , p.obj) || \
-    r.obj.Request.Resource.Resource !="deployments"
+    m = ${NAMESPACE} == "default" && ${RESOURCE} =="deployments" && \
+    matchRegex(accessWithWildcard(${OBJECT}.Spec.Template.Spec.Containers , "*", "Image") , p.obj) || \
+    ${RESOURCE} !="deployments"
diff --git a/example/replica_limits/model.yaml b/example/replica_limits/model.yaml
@@ -15,5 +15,5 @@ spec:
     e = !some(where (p.eft == deny))
 
     [matchers]
-    m = r.obj.Request.Namespace == "default" && r.obj.Request.Resource.Resource =="deployments" && \
-    parseFloat(access(r.obj.Request.Object.Object.Spec.Replicas)) <= parseFloat(p.obj)
+    m = ${NAMESPACE} == "default" && ${RESOURCE} =="deployments" && \
+    parseFloat(access(${OBJECT}.Spec.Replicas)) <= parseFloat(p.obj)
diff --git a/example/required_annotations/model.yaml b/example/required_annotations/model.yaml
@@ -15,6 +15,6 @@ spec:
     e = !some(where (p.eft == deny))
 
     [matchers]
-    m = r.obj.Request.Namespace == "default" && r.obj.Request.Resource.Resource =="deployments" && \
-    access(r.obj.Request.Object.Object,"ObjectMeta","Annotations",p.key)!= p.value|| \
-    r.obj.Request.Resource.Resource !="deployments"
+    m = ${NAMESPACE} == "default" && ${RESOURCE} =="deployments" && \
+    access(${OBJECT},"ObjectMeta","Annotations",p.key)!= p.value|| \
+    ${RESOURCE} !="deployments"
diff --git a/example/required_labels/model.yaml b/example/required_labels/model.yaml
@@ -15,6 +15,6 @@ spec:
     e = !some(where (p.eft == deny))
 
     [matchers]
-    m = r.obj.Request.Namespace == "default" && r.obj.Request.Resource.Resource =="deployments" && \
-    access(r.obj.Request.Object.Object,"ObjectMeta","Labels",p.key)!= p.value|| \
-    r.obj.Request.Resource.Resource !="deployments"
+    m = ${NAMESPACE} == "default" && ${RESOURCE} =="deployments" && \
+    access(${OBJECT},"ObjectMeta","Labels",p.key)!= p.value|| \
+    ${RESOURCE} !="deployments"
diff --git a/example/required_probes/model.yaml b/example/required_probes/model.yaml
@@ -15,6 +15,6 @@ spec:
     e = !some(where (p.eft == deny))
 
     [matchers]
-    m = r.obj.Request.Namespace == "default" && r.obj.Request.Resource.Resource =="deployments"&& \
+    m = ${NAMESPACE} == "default" && ${RESOURCE} =="deployments"&& \
     r.obj.Request.Operation != "DELETE" && \
-    isNil(access(r.obj.Request.Object.Object.Spec.Template.Spec.Containers,0,p.type))
+    isNil(access(${OBJECT}.Spec.Template.Spec.Containers,0,p.type))
diff --git a/internal/model/model_adaptor_loader.go b/internal/model/model_adaptor_loader.go
@@ -16,6 +16,7 @@ package model
 import (
 	"context"
 	"path/filepath"
+	"strings"
 
 	"github.com/casbin/casbin/v2/model"
 	"github.com/casbin/casbin/v2/persist"
@@ -60,7 +61,8 @@ func (m *ModelLoader) GetModelAndAdaptors() ([]ModelAdaptorPair, error) {
 	}
 	res := make([]ModelAdaptorPair, 0)
 	for _, crdModel := range list.Items {
-		casbinModel, err := model.NewModelFromString(crdModel.Spec.ModelText)
+		modelText := ModelMacroSubstitution(crdModel.Spec.ModelText)
+		casbinModel, err := model.NewModelFromString(modelText)
 		if err != nil {
 			return nil, err
 		}
@@ -104,3 +106,11 @@ func (m *ModelLoader) establishExternalClient() error {
 	m.clientset = clientset
 	return nil
 }
+
+func ModelMacroSubstitution(originalModelText string) string {
+	res := strings.ReplaceAll(originalModelText, "${OBJECT}", "r.obj.Request.Object.Object")
+	res = strings.ReplaceAll(res, "${NAMESPACE}", "r.obj.Request.Namespace")
+	res = strings.ReplaceAll(res, "${RESOURCE}", "r.obj.Request.Resource.Resource")
+
+	return res
+}