chore: remove dead code (#3561)

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2025-03-28 10:28:36 +00:00 · 2022-04-11 10:47:18 +02:00 · 2022-04-11 10:47:18 +02:00 · 585b0f17a6
commit 585b0f17a6
parent 84aa2e3fbb
2 changed files with 41 additions and 153 deletions
--- a/pkg/userinfo/roleRef.go
+++ b/pkg/userinfo/roleRef.go
@ -15,101 +15,70 @@ import (
 )

 const (
-	clusterrolekind = "ClusterRole"
-	rolekind        = "Role"
-	// SaPrefix represents service account prefix in admission requests
-	SaPrefix = "system:serviceaccount:"
-	// KyvernoSuffix ...
-	KyvernoSuffix = "kyverno:"
+	clusterroleKind = "ClusterRole"
+	roleKind        = "Role"
+	// saPrefix represents service account prefix in admission requests
+	saPrefix = "system:serviceaccount:"
 )

-type allRolesStruct struct {
-	RoleType string
-	Role     []string
-}
-
-var allRoles []allRolesStruct
-
 //GetRoleRef gets the list of roles and cluster roles for the incoming api-request
-func GetRoleRef(rbLister rbaclister.RoleBindingLister, crbLister rbaclister.ClusterRoleBindingLister, request *admissionv1.AdmissionRequest, dynamicConfig config.Interface) (roles []string, clusterRoles []string, err error) {
+func GetRoleRef(rbLister rbaclister.RoleBindingLister, crbLister rbaclister.ClusterRoleBindingLister, request *admissionv1.AdmissionRequest, dynamicConfig config.Interface) ([]string, []string, error) {
 	keys := append(request.UserInfo.Groups, request.UserInfo.Username)
 	if utils.SliceContains(keys, dynamicConfig.GetExcludeGroupRole()...) {
-		return
+		return nil, nil, nil
 	}
-
 	// rolebindings
-	roleBindings, err := rbLister.List(labels.NewSelector())
+	roleBindings, err := rbLister.List(labels.Everything())
 	if err != nil {
-		return roles, clusterRoles, fmt.Errorf("failed to list rolebindings: %v", err)
+		return nil, nil, fmt.Errorf("failed to list rolebindings: %v", err)
 	}
-
-	rs, crs, err := getRoleRefByRoleBindings(roleBindings, request.UserInfo)
-	if err != nil {
-		return roles, clusterRoles, err
-	}
-	roles = append(roles, rs...)
-	clusterRoles = append(clusterRoles, crs...)
-
+	rs, crs := getRoleRefByRoleBindings(roleBindings, request.UserInfo)
 	// clusterrolebindings
 	clusterroleBindings, err := crbLister.List(labels.NewSelector())
 	if err != nil {
-		return roles, clusterRoles, fmt.Errorf("failed to list clusterrolebindings: %v", err)
+		return nil, nil, fmt.Errorf("failed to list clusterrolebindings: %v", err)
 	}
-
-	crs, err = getRoleRefByClusterRoleBindings(clusterroleBindings, request.UserInfo)
-	if err != nil {
-		return roles, clusterRoles, err
-	}
-	clusterRoles = append(clusterRoles, crs...)
-
-	return roles, clusterRoles, nil
+	crs = append(crs, getRoleRefByClusterRoleBindings(clusterroleBindings, request.UserInfo)...)
+	return rs, crs, nil
 }

-func getRoleRefByRoleBindings(roleBindings []*rbacv1.RoleBinding, userInfo authenticationv1.UserInfo) (roles []string, clusterRoles []string, err error) {
+func getRoleRefByRoleBindings(roleBindings []*rbacv1.RoleBinding, userInfo authenticationv1.UserInfo) (roles []string, clusterRoles []string) {
 	for _, rolebinding := range roleBindings {
 		for _, subject := range rolebinding.Subjects {
-			if !matchSubjectsMap(subject, userInfo) {
-				continue
-			}
-
-			switch rolebinding.RoleRef.Kind {
-			case rolekind:
-				roles = append(roles, rolebinding.Namespace+":"+rolebinding.RoleRef.Name)
-			case clusterrolekind:
-				clusterRoles = append(clusterRoles, rolebinding.RoleRef.Name)
+			if matchSubjectsMap(subject, userInfo) {
+				switch rolebinding.RoleRef.Kind {
+				case roleKind:
+					roles = append(roles, rolebinding.Namespace+":"+rolebinding.RoleRef.Name)
+				case clusterroleKind:
+					clusterRoles = append(clusterRoles, rolebinding.RoleRef.Name)
+				}
 			}
 		}
 	}
-
-	return roles, clusterRoles, nil
+	return roles, clusterRoles
 }

 // RoleRef in ClusterRoleBindings can only reference a ClusterRole in the global namespace
-func getRoleRefByClusterRoleBindings(clusterroleBindings []*rbacv1.ClusterRoleBinding, userInfo authenticationv1.UserInfo) (clusterRoles []string, err error) {
+func getRoleRefByClusterRoleBindings(clusterroleBindings []*rbacv1.ClusterRoleBinding, userInfo authenticationv1.UserInfo) (clusterRoles []string) {
 	for _, clusterRoleBinding := range clusterroleBindings {
 		for _, subject := range clusterRoleBinding.Subjects {
-			if !matchSubjectsMap(subject, userInfo) {
-				continue
-			}
-
-			if clusterRoleBinding.RoleRef.Kind == clusterrolekind {
-				clusterRoles = append(clusterRoles, clusterRoleBinding.RoleRef.Name)
+			if matchSubjectsMap(subject, userInfo) {
+				if clusterRoleBinding.RoleRef.Kind == clusterroleKind {
+					clusterRoles = append(clusterRoles, clusterRoleBinding.RoleRef.Name)
+				}
 			}
 		}
 	}
-	return clusterRoles, nil
+	return clusterRoles
 }

 // matchSubjectsMap checks if userInfo found in subject
 // return true directly if found a match
 // subject.kind can only be ServiceAccount, User and Group
 func matchSubjectsMap(subject rbacv1.Subject, userInfo authenticationv1.UserInfo) bool {
-	// ServiceAccount
-	if strings.Contains(userInfo.Username, SaPrefix) {
+	if strings.Contains(userInfo.Username, saPrefix) {
 		return matchServiceAccount(subject, userInfo)
 	}
-
-	// User or Group
 	return matchUserOrGroup(subject, userInfo)
 }

@ -117,10 +86,9 @@ func matchSubjectsMap(subject rbacv1.Subject, userInfo authenticationv1.UserInfo
 // serviceaccount represents as saPrefix:namespace:name in userInfo
 func matchServiceAccount(subject rbacv1.Subject, userInfo authenticationv1.UserInfo) bool {
 	subjectServiceAccount := subject.Namespace + ":" + subject.Name
-	if userInfo.Username[len(SaPrefix):] != subjectServiceAccount {
+	if userInfo.Username[len(saPrefix):] != subjectServiceAccount {
 		return false
 	}
-
 	log.Log.V(3).Info(fmt.Sprintf("found a matched service account not match: %s", subjectServiceAccount))
 	return true
 }
@ -134,81 +102,5 @@ func matchUserOrGroup(subject rbacv1.Subject, userInfo authenticationv1.UserInfo
 			return true
 		}
 	}
-
 	return false
 }
-
-//IsRoleAuthorize is role authorize or not
-func IsRoleAuthorize(rbLister rbaclister.RoleBindingLister, crbLister rbaclister.ClusterRoleBindingLister, rLister rbaclister.RoleLister, crLister rbaclister.ClusterRoleLister, request *admissionv1.AdmissionRequest, dynamicConfig config.Interface) (bool, error) {
-	if strings.Contains(request.UserInfo.Username, SaPrefix) {
-		roles, clusterRoles, err := GetRoleRef(rbLister, crbLister, request, dynamicConfig)
-		if err != nil {
-			return false, err
-		}
-		allRoles := append(allRoles, allRolesStruct{
-			RoleType: "ClusterRole",
-			Role:     clusterRoles,
-		}, allRolesStruct{
-			RoleType: "Role",
-			Role:     roles,
-		})
-		for _, r := range allRoles {
-			for _, e := range r.Role {
-				if strings.Contains(e, KyvernoSuffix) {
-					return true, nil
-				}
-				var labels map[string]string
-				if r.RoleType == "Role" {
-					roleData := strings.Split(e, ":")
-					role, err := rLister.Roles(roleData[0]).Get(strings.Join(roleData[1:], ":"))
-					if err != nil {
-						return false, err
-					}
-					labels = role.GetLabels()
-				} else {
-					role, err := crLister.Get(e)
-					if err != nil {
-						return false, err
-					}
-					labels = role.GetLabels()
-				}
-				if !strings.Contains(e, KyvernoSuffix) {
-					if labels["kubernetes.io/bootstrapping"] == "rbac-defaults" {
-						return true, nil
-					}
-				}
-			}
-		}
-		return true, nil
-	}
-	// User or Group
-	for _, e := range dynamicConfig.GetExcludeUsername() {
-		if strings.Contains(request.UserInfo.Username, e) {
-			return true, nil
-		}
-	}
-
-	// Restrict Development Roles
-	for _, e := range dynamicConfig.RestrictDevelopmentUsername() {
-		if strings.Contains(request.UserInfo.Username, strings.TrimSpace(e)) {
-			return false, nil
-		}
-	}
-
-	var matchedRoles []bool
-	excludeGroupRule := append(dynamicConfig.GetExcludeGroupRole(), KyvernoSuffix)
-	for _, e := range request.UserInfo.Groups {
-		for _, defaultSuffix := range excludeGroupRule {
-
-			if strings.Contains(strings.TrimSpace(e), strings.TrimSpace(defaultSuffix)) {
-				matchedRoles = append(matchedRoles, true)
-				break
-			}
-		}
-	}
-	if len(matchedRoles) == len(request.UserInfo.Groups) {
-		return true, nil
-	}
-
-	return false, nil
-}
--- a/pkg/userinfo/roleRef_test.go
+++ b/pkg/userinfo/roleRef_test.go
@ -1,7 +1,6 @@
 package userinfo

 import (
-	"reflect"
 	"testing"

 	"gotest.tools/assert"
@ -63,7 +62,7 @@ func Test_matchServiceAccount_subject_variants(t *testing.T) {

 	for _, test := range tests {
 		res := matchServiceAccount(test.subject, userInfo)
-		assert.Assert(t, test.expected == res)
+		assert.Equal(t, test.expected, res)
 	}
 }

@ -167,7 +166,7 @@ func Test_getRoleRefByRoleBindings(t *testing.T) {
 				Namespace: "default",
 			},
 		}, rbacv1.RoleRef{
-			Kind: rolekind,
+			Kind: roleKind,
 			Name: "myrole",
 		},
 	)
@ -180,7 +179,7 @@ func Test_getRoleRefByRoleBindings(t *testing.T) {
 				Namespace: "default",
 			},
 		}, rbacv1.RoleRef{
-			Kind: clusterrolekind,
+			Kind: clusterroleKind,
 			Name: "myclusterrole",
 		},
 	)
@ -191,10 +190,9 @@ func Test_getRoleRefByRoleBindings(t *testing.T) {

 	expectedrole := []string{"mynamespace:myrole"}
 	expectedClusterRole := []string{"myclusterrole"}
-	roles, clusterroles, err := getRoleRefByRoleBindings(list, sa)
-	assert.Assert(t, err == nil)
-	assert.Assert(t, reflect.DeepEqual(roles, expectedrole))
-	assert.Assert(t, reflect.DeepEqual(clusterroles, expectedClusterRole))
+	roles, clusterroles := getRoleRefByRoleBindings(list, sa)
+	assert.DeepEqual(t, roles, expectedrole)
+	assert.DeepEqual(t, clusterroles, expectedClusterRole)
 }

 func newClusterRoleBinding(name, ns string, subjects []rbacv1.Subject, roles rbacv1.RoleRef) *rbacv1.ClusterRoleBinding {
@ -220,7 +218,7 @@ func Test_getRoleRefByClusterRoleBindings(t *testing.T) {
 				Name: "kube-scheduler",
 			},
 		}, rbacv1.RoleRef{
-			Kind: clusterrolekind,
+			Kind: clusterroleKind,
 			Name: "fakeclusterrole",
 		},
 	)
@ -232,7 +230,7 @@ func Test_getRoleRefByClusterRoleBindings(t *testing.T) {
 				Name: "system:masters",
 			},
 		}, rbacv1.RoleRef{
-			Kind: clusterrolekind,
+			Kind: clusterroleKind,
 			Name: "myclusterrole",
 		},
 	)
@ -247,11 +245,9 @@ func Test_getRoleRefByClusterRoleBindings(t *testing.T) {
 		Groups:   []string{"system:authenticated"},
 	}

-	clusterroles, err := getRoleRefByClusterRoleBindings(list, group)
-	assert.Assert(t, err == nil)
-	assert.Assert(t, reflect.DeepEqual(clusterroles, []string{"myclusterrole"}))
+	clusterroles := getRoleRefByClusterRoleBindings(list, group)
+	assert.DeepEqual(t, clusterroles, []string{"myclusterrole"})

-	clusterroles, err = getRoleRefByClusterRoleBindings(list, user)
-	assert.Assert(t, err == nil)
-	assert.Assert(t, len(clusterroles) == 0)
+	clusterroles = getRoleRefByClusterRoleBindings(list, user)
+	assert.Equal(t, len(clusterroles), 0)
 }