1. origin
  2. pkg
  3. client
  4. localsubjectaccessreview.go
Raw Blame History 
package client

import (
	kapierrors "k8s.io/kubernetes/pkg/api/errors"

	authorizationapi "github.com/openshift/origin/pkg/authorization/api"
)

type LocalSubjectAccessReviewsImpersonator interface {
	ImpersonateLocalSubjectAccessReviews(namespace, token string) LocalSubjectAccessReviewInterface
}

// LocalSubjectAccessReviewsNamespacer has methods to work with LocalSubjectAccessReview resources in a namespace
type LocalSubjectAccessReviewsNamespacer interface {
	LocalSubjectAccessReviews(namespace string) LocalSubjectAccessReviewInterface
}

// LocalSubjectAccessReviewInterface exposes methods on LocalSubjectAccessReview resources.
type LocalSubjectAccessReviewInterface interface {
	Create(policy *authorizationapi.LocalSubjectAccessReview) (*authorizationapi.SubjectAccessReviewResponse, error)
}

// localSubjectAccessReviews implements LocalSubjectAccessReviewsNamespacer interface
type localSubjectAccessReviews struct {
	r     *Client
	ns    string
	token *string
}

// newImpersonatingLocalSubjectAccessReviews returns a subjectAccessReviews
func newImpersonatingLocalSubjectAccessReviews(c *Client, namespace, token string) *localSubjectAccessReviews {
	return &localSubjectAccessReviews{
		r:     c,
		ns:    namespace,
		token: &token,
	}
}

// newLocalSubjectAccessReviews returns a localSubjectAccessReviews
func newLocalSubjectAccessReviews(c *Client, namespace string) *localSubjectAccessReviews {
	return &localSubjectAccessReviews{
		r:  c,
		ns: namespace,
	}
}

func (c *localSubjectAccessReviews) Create(sar *authorizationapi.LocalSubjectAccessReview) (*authorizationapi.SubjectAccessReviewResponse, error) {
	result := &authorizationapi.SubjectAccessReviewResponse{}

	req, err := overrideAuth(c.token, c.r.Post().Namespace(c.ns).Resource("localSubjectAccessReviews"))
	if err != nil {
		return &authorizationapi.SubjectAccessReviewResponse{}, err
	}

	err = req.Body(sar).Do().Into(result)

	// if we get one of these failures, we may be talking to an older openshift.  In that case, we need to try hitting ns/namespace-name/subjectaccessreview
	if kapierrors.IsForbidden(err) || kapierrors.IsNotFound(err) {
		deprecatedSAR := &authorizationapi.SubjectAccessReview{
			Action: sar.Action,
			User:   sar.User,
			Groups: sar.Groups,
		}
		deprecatedResponse := &authorizationapi.SubjectAccessReviewResponse{}

		req, err := overrideAuth(c.token, c.r.Post().Namespace(c.ns).Resource("subjectAccessReviews"))
		if err != nil {
			return &authorizationapi.SubjectAccessReviewResponse{}, err
		}
		deprecatedAttemptErr := req.Body(deprecatedSAR).Do().Into(deprecatedResponse)
		if deprecatedAttemptErr == nil {
			err = nil
			result = deprecatedResponse
		}
	}

	return result, err
}