2020-03-11 18:14:23 -07:00
|
|
|
package generate
|
|
|
|
|
|
|
|
|
|
import (
|
2020-03-17 11:05:20 -07:00
|
|
|
"github.com/go-logr/logr"
|
2020-10-07 11:12:31 -07:00
|
|
|
"github.com/kyverno/kyverno/pkg/auth"
|
|
|
|
|
dclient "github.com/kyverno/kyverno/pkg/dclient"
|
2020-03-11 18:14:23 -07:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
//Operations provides methods to performing operations on resource
|
|
|
|
|
type Operations interface {
|
|
|
|
|
// CanICreate returns 'true' if self can 'create' resource
|
|
|
|
|
CanICreate(kind, namespace string) (bool, error)
|
|
|
|
|
// CanIUpdate returns 'true' if self can 'update' resource
|
|
|
|
|
CanIUpdate(kind, namespace string) (bool, error)
|
|
|
|
|
// CanIDelete returns 'true' if self can 'delete' resource
|
|
|
|
|
CanIDelete(kind, namespace string) (bool, error)
|
|
|
|
|
// CanIGet returns 'true' if self can 'get' resource
|
|
|
|
|
CanIGet(kind, namespace string) (bool, error)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
//Auth provides implementation to check if caller/self/kyverno has access to perofrm operations
|
|
|
|
|
type Auth struct {
|
|
|
|
|
client *dclient.Client
|
2020-03-17 11:05:20 -07:00
|
|
|
log logr.Logger
|
2020-03-11 18:14:23 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
//NewAuth returns a new instance of Auth for operations
|
2020-03-17 11:05:20 -07:00
|
|
|
func NewAuth(client *dclient.Client, log logr.Logger) *Auth {
|
2020-03-11 18:14:23 -07:00
|
|
|
a := Auth{
|
|
|
|
|
client: client,
|
2020-03-17 11:05:20 -07:00
|
|
|
log: log,
|
2020-03-11 18:14:23 -07:00
|
|
|
}
|
|
|
|
|
return &a
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// CanICreate returns 'true' if self can 'create' resource
|
|
|
|
|
func (a *Auth) CanICreate(kind, namespace string) (bool, error) {
|
2022-04-27 15:34:08 +02:00
|
|
|
canI := auth.NewCanI(a.client, kind, namespace, "create")
|
2020-03-11 18:14:23 -07:00
|
|
|
ok, err := canI.RunAccessCheck()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return false, err
|
|
|
|
|
}
|
|
|
|
|
return ok, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// CanIUpdate returns 'true' if self can 'update' resource
|
|
|
|
|
func (a *Auth) CanIUpdate(kind, namespace string) (bool, error) {
|
2022-04-27 15:34:08 +02:00
|
|
|
canI := auth.NewCanI(a.client, kind, namespace, "update")
|
2020-03-11 18:14:23 -07:00
|
|
|
ok, err := canI.RunAccessCheck()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return false, err
|
|
|
|
|
}
|
|
|
|
|
return ok, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// CanIDelete returns 'true' if self can 'delete' resource
|
|
|
|
|
func (a *Auth) CanIDelete(kind, namespace string) (bool, error) {
|
2022-04-27 15:34:08 +02:00
|
|
|
canI := auth.NewCanI(a.client, kind, namespace, "delete")
|
2020-03-11 18:14:23 -07:00
|
|
|
ok, err := canI.RunAccessCheck()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return false, err
|
|
|
|
|
}
|
|
|
|
|
return ok, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// CanIGet returns 'true' if self can 'get' resource
|
|
|
|
|
func (a *Auth) CanIGet(kind, namespace string) (bool, error) {
|
2022-04-27 15:34:08 +02:00
|
|
|
canI := auth.NewCanI(a.client, kind, namespace, "get")
|
2020-03-11 18:14:23 -07:00
|
|
|
ok, err := canI.RunAccessCheck()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return false, err
|
|
|
|
|
}
|
|
|
|
|
return ok, nil
|
|
|
|
|
}
|
