kyverno/pkg/policy/generate/auth.go

package generate

import (
	"github.com/go-logr/logr"
	"github.com/kyverno/kyverno/pkg/auth"
	dclient "github.com/kyverno/kyverno/pkg/dclient"
)

//Operations provides methods to performing operations on resource
type Operations interface {
	// CanICreate returns 'true' if self can 'create' resource
	CanICreate(kind, namespace string) (bool, error)
	// CanIUpdate returns 'true' if self can 'update' resource
	CanIUpdate(kind, namespace string) (bool, error)
	// CanIDelete returns 'true' if self can 'delete' resource
	CanIDelete(kind, namespace string) (bool, error)
	// CanIGet returns 'true' if self can 'get' resource
	CanIGet(kind, namespace string) (bool, error)
}

//Auth provides implementation to check if caller/self/kyverno has access to perofrm operations
type Auth struct {
	client *dclient.Client
	log    logr.Logger
}

//NewAuth returns a new instance of Auth for operations
func NewAuth(client *dclient.Client, log logr.Logger) *Auth {
	a := Auth{
		client: client,
		log:    log,
	}
	return &a
}

// CanICreate returns 'true' if self can 'create' resource
func (a *Auth) CanICreate(kind, namespace string) (bool, error) {
	canI := auth.NewCanI(a.client, kind, namespace, "create", a.log)
	ok, err := canI.RunAccessCheck()
	if err != nil {
		return false, err
	}
	return ok, nil
}

// CanIUpdate returns 'true' if self can 'update' resource
func (a *Auth) CanIUpdate(kind, namespace string) (bool, error) {
	canI := auth.NewCanI(a.client, kind, namespace, "update", a.log)
	ok, err := canI.RunAccessCheck()
	if err != nil {
		return false, err
	}
	return ok, nil
}

// CanIDelete returns 'true' if self can 'delete' resource
func (a *Auth) CanIDelete(kind, namespace string) (bool, error) {
	canI := auth.NewCanI(a.client, kind, namespace, "delete", a.log)
	ok, err := canI.RunAccessCheck()
	if err != nil {
		return false, err
	}
	return ok, nil
}

// CanIGet returns 'true' if self can 'get' resource
func (a *Auth) CanIGet(kind, namespace string) (bool, error) {
	canI := auth.NewCanI(a.client, kind, namespace, "get", a.log)
	ok, err := canI.RunAccessCheck()
	if err != nil {
		return false, err
	}
	return ok, nil
}
refactor & validate operations for generate rules in PolicyValidation 2020-03-11 18:14:23 -07:00			`package generate`

			`import (`
logs & access 2020-03-17 11:05:20 -07:00			`"github.com/go-logr/logr"`
update nirmata/kyverno to kyverno/kyverno 2020-10-07 11:12:31 -07:00			`"github.com/kyverno/kyverno/pkg/auth"`
			`dclient "github.com/kyverno/kyverno/pkg/dclient"`
refactor & validate operations for generate rules in PolicyValidation 2020-03-11 18:14:23 -07:00			`)`

			`//Operations provides methods to performing operations on resource`
			`type Operations interface {`
			`// CanICreate returns 'true' if self can 'create' resource`
			`CanICreate(kind, namespace string) (bool, error)`
			`// CanIUpdate returns 'true' if self can 'update' resource`
			`CanIUpdate(kind, namespace string) (bool, error)`
			`// CanIDelete returns 'true' if self can 'delete' resource`
			`CanIDelete(kind, namespace string) (bool, error)`
			`// CanIGet returns 'true' if self can 'get' resource`
			`CanIGet(kind, namespace string) (bool, error)`
			`}`

			`//Auth provides implementation to check if caller/self/kyverno has access to perofrm operations`
			`type Auth struct {`
			`client *dclient.Client`
logs & access 2020-03-17 11:05:20 -07:00			`log logr.Logger`
refactor & validate operations for generate rules in PolicyValidation 2020-03-11 18:14:23 -07:00			`}`

			`//NewAuth returns a new instance of Auth for operations`
logs & access 2020-03-17 11:05:20 -07:00			`func NewAuth(client dclient.Client, log logr.Logger) Auth {`
refactor & validate operations for generate rules in PolicyValidation 2020-03-11 18:14:23 -07:00			`a := Auth{`
			`client: client,`
logs & access 2020-03-17 11:05:20 -07:00			`log: log,`
refactor & validate operations for generate rules in PolicyValidation 2020-03-11 18:14:23 -07:00			`}`
			`return &a`
			`}`

			`// CanICreate returns 'true' if self can 'create' resource`
			`func (a *Auth) CanICreate(kind, namespace string) (bool, error) {`
logs & access 2020-03-17 11:05:20 -07:00			`canI := auth.NewCanI(a.client, kind, namespace, "create", a.log)`
refactor & validate operations for generate rules in PolicyValidation 2020-03-11 18:14:23 -07:00			`ok, err := canI.RunAccessCheck()`
			`if err != nil {`
			`return false, err`
			`}`
			`return ok, nil`
			`}`

			`// CanIUpdate returns 'true' if self can 'update' resource`
			`func (a *Auth) CanIUpdate(kind, namespace string) (bool, error) {`
logs & access 2020-03-17 11:05:20 -07:00			`canI := auth.NewCanI(a.client, kind, namespace, "update", a.log)`
refactor & validate operations for generate rules in PolicyValidation 2020-03-11 18:14:23 -07:00			`ok, err := canI.RunAccessCheck()`
			`if err != nil {`
			`return false, err`
			`}`
			`return ok, nil`
			`}`

			`// CanIDelete returns 'true' if self can 'delete' resource`
			`func (a *Auth) CanIDelete(kind, namespace string) (bool, error) {`
logs & access 2020-03-17 11:05:20 -07:00			`canI := auth.NewCanI(a.client, kind, namespace, "delete", a.log)`
refactor & validate operations for generate rules in PolicyValidation 2020-03-11 18:14:23 -07:00			`ok, err := canI.RunAccessCheck()`
			`if err != nil {`
			`return false, err`
			`}`
			`return ok, nil`
			`}`

			`// CanIGet returns 'true' if self can 'get' resource`
			`func (a *Auth) CanIGet(kind, namespace string) (bool, error) {`
logs & access 2020-03-17 11:05:20 -07:00			`canI := auth.NewCanI(a.client, kind, namespace, "get", a.log)`
refactor & validate operations for generate rules in PolicyValidation 2020-03-11 18:14:23 -07:00			`ok, err := canI.RunAccessCheck()`
			`if err != nil {`
			`return false, err`
			`}`
			`return ok, nil`
			`}`