package client import ( kapierrors "k8s.io/kubernetes/pkg/api/errors" authorizationapi "github.com/openshift/origin/pkg/authorization/api" ) // ResourceAccessReviews has methods to work with ResourceAccessReview resources in the cluster scope type ResourceAccessReviews interface { ResourceAccessReviews() ResourceAccessReviewInterface } // ResourceAccessReviewInterface exposes methods on ResourceAccessReview resources. type ResourceAccessReviewInterface interface { Create(policy *authorizationapi.ResourceAccessReview) (*authorizationapi.ResourceAccessReviewResponse, error) } // resourceAccessReviews implements ResourceAccessReviews interface type resourceAccessReviews struct { r *Client } // newResourceAccessReviews returns a resourceAccessReviews func newResourceAccessReviews(c *Client) *resourceAccessReviews { return &resourceAccessReviews{ r: c, } } func (c *resourceAccessReviews) Create(rar *authorizationapi.ResourceAccessReview) (result *authorizationapi.ResourceAccessReviewResponse, err error) { result = &authorizationapi.ResourceAccessReviewResponse{} // if this a cluster RAR, then no special handling if len(rar.Action.Namespace) == 0 { err = c.r.Post().Resource("resourceAccessReviews").Body(rar).Do().Into(result) return } err = c.r.Post().Resource("resourceAccessReviews").Body(rar).Do().Into(result) // if the namespace values don't match then we definitely hit an old server. If we got a forbidden, then we might have hit an old server // and should try the old endpoint if (rar.Action.Namespace != result.Namespace) || kapierrors.IsForbidden(err) { deprecatedResponse := &authorizationapi.ResourceAccessReviewResponse{} deprecatedAttemptErr := c.r.Post().Namespace(rar.Action.Namespace).Resource("resourceAccessReviews").Body(rar).Do().Into(deprecatedResponse) // if we definitely hit an old server, then return the error and result you get from the older server. if rar.Action.Namespace != result.Namespace { return deprecatedResponse, deprecatedAttemptErr } // if we're not certain it was an old server, success overwrites the previous error, but failure doesn't overwrite the previous error if deprecatedAttemptErr == nil { err = nil result = deprecatedResponse } } return }