v5.10.1

分支 (195)

标签 (247)

管理

管理

main

fallbackPipeline

sudhanshu#5009/DOS-fix

change-password-feature

bugfix/manualCheckExe_5002

sudhanshu#2608-fix

francis#2608-fix

feature/new-silence-attributes

bugfix/5002_manualCheckexe

develop/6

release/6.11

feature-silenced-change

sudhanshu/5009

500

dependabot/go_modules/golang.org/x/crypto-0.17.0

fix-types-wrapper-lift

bump-core-modules

dependabot/go_modules/google.golang.org/grpc-1.56.3

remove-context-emptyCtx-assertions

justin-debug

v6.11.0

types/v0.13.0

types/v0.12.0-alpha10

types/v0.12.0-alpha9

v7.0.0-alpha1

v6.10.0

v6.9.2

types/v0.12.0

types/v0.12.0-alpha8

types/v0.12.0-alpha7

v6.9.1

v6.9.0

types/v0.12.0-alpha6

types/v0.12.0-alpha5

types/v0.12.0-alpha4

types/v0.12.0-alpha3

types/v0.12.0-alpha2

types/v0.12.0-alpha1

v6.8.2

api/core/v2.16.0

sensu-go
/
api
/
core
/
v2
/
rbac.go

package v2

import (
	"errors"
	"net/url"
	"path"
)

const (
	// ClusterRolesResource is the name of this resource type
	ClusterRolesResource = "clusterroles"

	// ClusterRoleBindingsResource is the name of this resource type
	ClusterRoleBindingsResource = "clusterrolebindings"

	// RolesResource is the name of this resource type
	RolesResource = "roles"

	// RoleBindingsResource is the name of this resource type
	RoleBindingsResource = "rolebindings"

	// ResourceAll represents all possible resources
	ResourceAll = "*"
	// VerbAll represents all possible verbs
	VerbAll = "*"

	// GroupType represents a group object in a subject
	GroupType = "Group"
	// UserType represents a user object in a subject
	UserType = "User"

	// LocalSelfUserResource represents a local user trying to view itself
	// or change its password
	LocalSelfUserResource = "localselfuser"
)

// CommonCoreResources represents the common "core" resources found in a
// namespace
var CommonCoreResources = []string{
	"assets",
	"checks",
	"entities",
	"extensions",
	"events",
	"filters",
	"handlers",
	"hooks",
	"mutators",
	"silenced",
}

// FixtureSubject creates a Subject for testing
func FixtureSubject(subjectType, name string) Subject {
	return Subject{
		Type: subjectType,
		Name: name,
	}
}

// FixtureRule returns a partial rule
func FixtureRule() Rule {
	return Rule{
		Verbs:     []string{VerbAll},
		Resources: []string{ResourceAll},
	}
}

// FixtureRole returns a partial role
func FixtureRole(name, namespace string) *Role {
	return &Role{
		ObjectMeta: NewObjectMeta(name, namespace),
		Rules: []Rule{
			FixtureRule(),
		},
	}
}

// FixtureRoleRef creates a RoleRef for testing
func FixtureRoleRef(roleType, name string) RoleRef {
	return RoleRef{
		Type: roleType,
		Name: name,
	}
}

// FixtureRoleBinding creates a RoleBinding for testing
func FixtureRoleBinding(name, namespace string) *RoleBinding {
	return &RoleBinding{
		ObjectMeta: NewObjectMeta(name, namespace),
		Subjects:   []Subject{FixtureSubject(UserType, "username")},
		RoleRef:    FixtureRoleRef("Role", "read-write"),
	}
}

// FixtureClusterRole returns a partial role
func FixtureClusterRole(name string) *ClusterRole {
	return &ClusterRole{
		ObjectMeta: NewObjectMeta(name, ""),
		Rules: []Rule{
			FixtureRule(),
		},
	}
}

// FixtureClusterRoleBinding creates a ClusterRoleBinding for testing
func FixtureClusterRoleBinding(name string) *ClusterRoleBinding {
	return &ClusterRoleBinding{
		ObjectMeta: NewObjectMeta(name, ""),
		Subjects:   []Subject{FixtureSubject(UserType, "username")},
		RoleRef:    FixtureRoleRef("ClusterRole", "read-write"),
	}
}

// StorePrefix returns the path prefix to this resource in the store
func (r *ClusterRole) StorePrefix() string {
	return "rbac/" + ClusterRolesResource
}

// URIPath returns the path component of a cluster role URI.
func (r *ClusterRole) URIPath() string {
	return path.Join(URLPrefix, ClusterRolesResource, url.PathEscape(r.Name))
}

// Validate a ClusterRole
func (r *ClusterRole) Validate() error {
	if err := ValidateSubscriptionName(r.Name); err != nil {
		return errors.New("the ClusterRole name " + err.Error())
	}

	if len(r.Rules) == 0 {
		return errors.New("a ClusterRole must have at least one rule")
	}

	if r.Namespace != "" {
		return errors.New("ClusterRole cannot have a namespace")
	}

	return nil
}

// StorePrefix returns the path prefix to this resource in the store
func (b *ClusterRoleBinding) StorePrefix() string {
	return "rbac/" + ClusterRoleBindingsResource
}

// URIPath returns the path component of a cluster role binding URI.
func (b *ClusterRoleBinding) URIPath() string {
	return path.Join(URLPrefix, ClusterRoleBindingsResource, url.PathEscape(b.Name))
}

// Validate a ClusterRoleBinding
func (b *ClusterRoleBinding) Validate() error {
	if err := ValidateSubscriptionName(b.Name); err != nil {
		return errors.New("the ClusterRoleBinding name " + err.Error())
	}

	if b.RoleRef.Name == "" || b.RoleRef.Type == "" {
		return errors.New("a ClusterRoleBinding needs a roleRef")
	}

	if len(b.Subjects) == 0 {
		return errors.New("a ClusterRoleBinding must have at least one subject")
	}

	if b.Namespace != "" {
		return errors.New("ClusterRoleBinding cannot have a namespace")
	}

	return nil
}

// StorePrefix returns the path prefix to this resource in the store
func (r *Role) StorePrefix() string {
	return "rbac/" + RolesResource
}

// URIPath returns the path component of a role URI.
func (r *Role) URIPath() string {
	return path.Join(URLPrefix, "namespaces", url.PathEscape(r.Namespace), RolesResource, url.PathEscape(r.Name))

}

// Validate a Role
func (r *Role) Validate() error {
	if err := ValidateSubscriptionName(r.Name); err != nil {
		return errors.New("the Role name " + err.Error())
	}

	if r.Namespace == "" {
		return errors.New("the Role namespace must be set")
	}

	if len(r.Rules) == 0 {
		return errors.New("a Role must have at least one rule")
	}

	return nil
}

// StorePrefix returns the path prefix to this resource in the store
func (b *RoleBinding) StorePrefix() string {
	return "rbac/" + RoleBindingsResource
}

// URIPath returns the path component of a role binding URI.
func (b *RoleBinding) URIPath() string {
	return path.Join(URLPrefix, "namespaces", url.PathEscape(b.Namespace), RoleBindingsResource, url.PathEscape(b.Name))
}

// Validate a RoleBinding
func (b *RoleBinding) Validate() error {
	if err := ValidateSubscriptionName(b.Name); err != nil {
		return errors.New("the RoleBinding name " + err.Error())
	}

	if b.Namespace == "" {
		return errors.New("the RoleBinding namespace must be set")
	}

	if b.RoleRef.Name == "" || b.RoleRef.Type == "" {
		return errors.New("a RoleBinding needs a roleRef")
	}

	if len(b.Subjects) == 0 {
		return errors.New("a RoleBinding must have at least one subject")
	}

	return nil
}

// ResourceMatches returns whether the specified requestedResource matches any
// of the rule resources
func (r Rule) ResourceMatches(requestedResource string) bool {
	for _, resource := range r.Resources {
		if resource == ResourceAll {
			return true
		}

		if resource == requestedResource {
			return true
		}
	}

	return false
}

// ResourceNameMatches returns whether the specified requestedResourceName
// matches any of the rule resources
func (r Rule) ResourceNameMatches(requestedResourceName string) bool {
	if len(r.ResourceNames) == 0 {
		return true
	}

	for _, name := range r.ResourceNames {
		if name == requestedResourceName {
			return true
		}
	}

	return false
}

// VerbMatches returns whether the specified requestedVerb matches any of the
// rule verbs
func (r Rule) VerbMatches(requestedVerb string) bool {
	for _, verb := range r.Verbs {
		if verb == VerbAll {
			return true
		}

		if verb == requestedVerb {
			return true
		}
	}

	return false
}

// NewRole creates a new Role.
func NewRole(meta ObjectMeta) *Role {
	return &Role{ObjectMeta: meta}
}

// NewRoleBinding creates a new RoleBinding.
func NewRoleBinding(meta ObjectMeta) *RoleBinding {
	return &RoleBinding{ObjectMeta: meta}
}

// ClusterRoleFields returns a set of fields that represent that resource
func ClusterRoleFields(r Resource) map[string]string {
	resource := r.(*ClusterRole)
	return map[string]string{
		"clusterrole.name": resource.ObjectMeta.Name,
	}
}

// ClusterRoleBindingFields returns a set of fields that represent that resource
func ClusterRoleBindingFields(r Resource) map[string]string {
	resource := r.(*ClusterRoleBinding)
	return map[string]string{
		"clusterrolebinding.name":          resource.ObjectMeta.Name,
		"clusterrolebinding.role_ref.name": resource.RoleRef.Name,
		"clusterrolebinding.role_ref.type": resource.RoleRef.Type,
	}
}

// RoleFields returns a set of fields that represent that resource
func RoleFields(r Resource) map[string]string {
	resource := r.(*Role)
	return map[string]string{
		"role.name":      resource.ObjectMeta.Name,
		"role.namespace": resource.ObjectMeta.Namespace,
	}
}

// RoleBindingFields returns a set of fields that represent that resource
func RoleBindingFields(r Resource) map[string]string {
	resource := r.(*RoleBinding)
	return map[string]string{
		"rolebinding.name":          resource.ObjectMeta.Name,
		"rolebinding.namespace":     resource.ObjectMeta.Namespace,
		"rolebinding.role_ref.name": resource.RoleRef.Name,
		"rolebinding.role_ref.type": resource.RoleRef.Type,
	}
}

// SetNamespace sets the namespace of the resource.
func (r *ClusterRole) SetNamespace(namespace string) {
	return
}

// SetNamespace sets the namespace of the resource.
func (b *ClusterRoleBinding) SetNamespace(namespace string) {
	return
}

// SetNamespace sets the namespace of the resource.
func (r *Role) SetNamespace(namespace string) {
	r.Namespace = namespace
}

// SetNamespace sets the namespace of the resource.
func (b *RoleBinding) SetNamespace(namespace string) {
	b.Namespace = namespace
}