This repository has been archived by the owner on Mar 11, 2021. It is now read-only.

Improve documentation, avoid boolean parameter for getting namespace
ebaron committed Sep 7, 2018
1 parent 8ea65cb commit 9d34f9f
Showing 2 changed files with 33 additions and 10 deletions.
13 changes: 11 additions & 2 deletions kubernetes/deployments_access.go
Expand Up @@ -70,6 +70,7 @@ func (rulesMap accessRules) isAuthorized(reqs []*requestedAccess) bool {
return true
}

// CanGetSpace returns whether the user is authorized to call KubeClientInterface.GetSpace
func (kc *kubeClient) CanGetSpace() (bool, error) {
// Also need access to build configs and builds in user namespace
ok, err := kc.checkAuthorizedInEnv(getBuildConfigsAndBuildsRules, environmentTypeUser)
Expand All @@ -92,6 +93,7 @@ func (kc *kubeClient) CanGetSpace() (bool, error) {
return true, nil
}

// CanGetApplication returns whether the user is authorized to call KubeClientInterface.GetApplication
func (kc *kubeClient) CanGetApplication() (bool, error) {
// Also need access to builds in user namespace
ok, err := kc.checkAuthorizedInEnv(getBuildsRules, environmentTypeUser)
Expand Down Expand Up @@ -122,6 +124,7 @@ var getDeploymentRules = []*requestedAccess{
{qualifiedResource{"", "routes"}, []string{verbList}},
}

// CanGetDeployment returns whether the user is authorized to call KubeClientInterface.GetDeployment
func (kc *kubeClient) CanGetDeployment(envName string) (bool, error) {
return kc.checkAuthorizedWithBuilds(envName, getDeploymentRules)
}
Expand All @@ -132,6 +135,7 @@ var scaleDeploymentRules = []*requestedAccess{
{qualifiedResource{"", "deploymentconfigs/scale"}, []string{verbUpdate}},
}

// CanScaleDeployment returns whether the user is authorized to call KubeClientInterface.ScaleDeployment
func (kc *kubeClient) CanScaleDeployment(envName string) (bool, error) {
return kc.checkAuthorizedWithBuilds(envName, scaleDeploymentRules)
}
Expand All @@ -142,6 +146,7 @@ var deleteDeploymentRules = []*requestedAccess{
{qualifiedResource{"", "deploymentconfigs"}, []string{verbGet, verbDelete}},
}

// CanDeleteDeployment returns whether the user is authorized to call KubeClientInterface.DeleteDeployment
func (kc *kubeClient) CanDeleteDeployment(envName string) (bool, error) {
return kc.checkAuthorizedWithBuilds(envName, deleteDeploymentRules)
}
Expand All @@ -152,16 +157,18 @@ var getDeploymentStatsRules = []*requestedAccess{
{qualifiedResource{"", "pods"}, []string{verbList}},
}

// CanGetDeploymentStats returns whether the user is authorized to call KubeClientInterface.GetDeploymentStats
func (kc *kubeClient) CanGetDeploymentStats(envName string) (bool, error) {
return kc.checkAuthorizedWithBuilds(envName, getDeploymentStatsRules)
}

// CanGetDeploymentStatSeries returns whether the user is authorized to call KubeClientInterface.GetDeploymentStatSeries
func (kc *kubeClient) CanGetDeploymentStatSeries(envName string) (bool, error) {
return kc.checkAuthorizedWithBuilds(envName, getDeploymentStatsRules)
}

func (kc *kubeClient) checkAuthorizedWithBuilds(envName string, reqs []*requestedAccess) (bool, error) {
// Also need access to builds in user namespace
// Builds are located in user namespace
ok, err := kc.checkAuthorizedInEnv(getBuildsRules, environmentTypeUser)
if err != nil {
return false, err
Expand Down Expand Up @@ -196,6 +203,7 @@ var getEnvironmentRules = []*requestedAccess{
{qualifiedResource{"", "resourcequotas"}, []string{verbList}},
}

// CanGetEnvironments returns whether the user is authorized to call KubeClientInterface.GetEnvironments
func (kc *kubeClient) CanGetEnvironments() (bool, error) {
for envName := range kc.envMap {
if kc.CanDeploy(envName) {
Expand All @@ -210,6 +218,7 @@ func (kc *kubeClient) CanGetEnvironments() (bool, error) {
return true, nil
}

// CanGetEnvironment returns whether the user is authorized to call KubeClientInterface.GetEnvironment
func (kc *kubeClient) CanGetEnvironment(envName string) (bool, error) {
return kc.checkAuthorizedInEnv(getEnvironmentRules, envName)
}
Expand All @@ -223,7 +232,7 @@ func (kc *kubeClient) getRulesForEnvironment(envName string) (*accessRules, erro
}

// Lookup authorization rules for this environment
envNS, err := kc.getEnvironmentNamespace(envName, true)
envNS, err := kc.getEnvironmentNamespace(envName)
if err != nil {
return nil, err
}
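Review bot: The new call `kc.getEnvironmentNamespace(envName)` in getRulesForEnvironment (last hunk of this file) deliberately skips the CanDeploy filter, and nothing at the call site says so. The filtered and unfiltered helpers now share the same signature, so a short why-comment would keep a later edit from swapping them unnoticed, for example `// Unfiltered lookup: rules are also fetched for environments where the user cannot deploy (e.g. the user namespace)`. That reading is inferred from the `checkAuthorizedInEnv(..., environmentTypeUser)` calls visible in this file. checkAuthorizedInEnv itself and the rest of getRulesForEnvironment lie outside the hunks shown, so the wording should be confirmed against them.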
30 changes: 22 additions & 8 deletions kubernetes/deployments_kubeclient.go
Expand Up @@ -318,6 +318,7 @@ func (kc *kubeClient) GetApplication(spaceName string, appName string) (*app.Sim
// Get all deployments of this app for each environment in this space
deployments := []*app.SimpleDeployment{}
for envName := range kc.envMap {
// Only look for the application in environments where the user can deploy applications
if kc.CanDeploy(envName) {
deployment, err := kc.GetDeployment(spaceName, appName, envName)
if err != nil {
Expand All @@ -342,7 +343,7 @@ func (kc *kubeClient) GetApplication(spaceName string, appName string) (*app.Sim
// ScaleDeployment adjusts the desired number of replicas for a specified application, returning the
// previous number of desired replicas
func (kc *kubeClient) ScaleDeployment(spaceName string, appName string, envName string, deployNumber int) (*int, error) {
envNS, err := kc.getEnvironmentNamespace(envName, false)
envNS, err := kc.getDeployableEnvironmentNamespace(envName)
if err != nil {
return nil, err
}
Expand Down Expand Up @@ -426,7 +427,7 @@ func (kc *kubeClient) getApplicationURL(envNS string, deploy *deployment) (*stri
// GetDeployment returns information about the current deployment of an application within a
// particular environment. The application must exist within the provided space.
func (kc *kubeClient) GetDeployment(spaceName string, appName string, envName string) (*app.SimpleDeployment, error) {
envNS, err := kc.getEnvironmentNamespace(envName, false)
envNS, err := kc.getDeployableEnvironmentNamespace(envName)
if err != nil {
return nil, err
}
Expand Down Expand Up @@ -498,7 +499,7 @@ func (kc *kubeClient) GetDeployment(spaceName string, appName string, envName st
// beyond the specified start time, which are then aggregated into a single data point.
func (kc *kubeClient) GetDeploymentStats(spaceName string, appName string, envName string,
startTime time.Time) (*app.SimpleDeploymentStats, error) {
envNS, err := kc.getEnvironmentNamespace(envName, false)
envNS, err := kc.getDeployableEnvironmentNamespace(envName)
if err != nil {
return nil, err
}
Expand Down Expand Up @@ -557,7 +558,7 @@ func (kc *kubeClient) GetDeploymentStats(spaceName string, appName string, envNa
// limit argument, only the newest datapoints within that limit are returned.
func (kc *kubeClient) GetDeploymentStatSeries(spaceName string, appName string, envName string,
startTime time.Time, endTime time.Time, limit int) (*app.SimpleDeploymentStatSeries, error) {
envNS, err := kc.getEnvironmentNamespace(envName, false)
envNS, err := kc.getDeployableEnvironmentNamespace(envName)
if err != nil {
return nil, err
}
Expand Down Expand Up @@ -614,7 +615,7 @@ func (kc *kubeClient) GetDeploymentStatSeries(spaceName string, appName string,
}

func (kc *kubeClient) DeleteDeployment(spaceName string, appName string, envName string) error {
envNS, err := kc.getEnvironmentNamespace(envName, false)
envNS, err := kc.getDeployableEnvironmentNamespace(envName)
if err != nil {
return err
}
Expand Down Expand Up @@ -670,6 +671,7 @@ func (kc *kubeClient) DeleteDeployment(spaceName string, appName string, envName
func (kc *kubeClient) GetEnvironments() ([]*app.SimpleEnvironment, error) {
envs := []*app.SimpleEnvironment{}
for envName := range kc.envMap {
// Only return environments where the user can deploy applications
if kc.CanDeploy(envName) {
env, err := kc.GetEnvironment(envName)
if err != nil {
Expand All @@ -683,7 +685,7 @@ func (kc *kubeClient) GetEnvironments() ([]*app.SimpleEnvironment, error) {

// GetEnvironment returns information on an environment with the provided name
func (kc *kubeClient) GetEnvironment(envName string) (*app.SimpleEnvironment, error) {
envNS, err := kc.getEnvironmentNamespace(envName, false)
envNS, err := kc.getDeployableEnvironmentNamespace(envName)
if err != nil {
return nil, err
}
Expand Down Expand Up @@ -767,9 +769,21 @@ func (oc *openShiftAPIClient) GetBuildConfigs(namespace string, labelSelector st
return oc.getResource(bcURL, false)
}

func (kc *kubeClient) getEnvironmentNamespace(envName string, includeInternal bool) (string, error) {
// getDeployableEnvironmentNamespace finds a namespace with the corresponding environment name.
// Differs from getEnvironmentNamespace in that the environment must be one where the user can deploy
// applications
func (kc *kubeClient) getDeployableEnvironmentNamespace(envName string) (string, error) {
envNS, pres := kc.envMap[envName]
if !pres || !kc.CanDeploy(envName) && !includeInternal {
if !pres || !kc.CanDeploy(envName) {
return "", errs.Errorf("unknown environment: %s", envName)
}
return envNS, nil
}

// getEnvironmentNamespace finds a namespace with the corresponding environment name
func (kc *kubeClient) getEnvironmentNamespace(envName string) (string, error) {
envNS, pres := kc.envMap[envName]
if !pres {
return "", errs.Errorf("unknown environment: %s", envName)
}
return envNS, nil
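Review bot: The doc comment added for getEnvironmentNamespace in the last hunk does not say that it skips the CanDeploy check, so only one word in the name separates the filtered lookup from the unfiltered one. Both take `(envName string)` and return the same "unknown environment" error, so a caller handling a user-supplied environment name could pick the unfiltered helper with no compile-time signal. I would state the contract in the comment, e.g. `// getEnvironmentNamespace finds the namespace for envName without checking CanDeploy; it also resolves internal environments, so user-facing operations must use getDeployableEnvironmentNamespace`. I would also have getDeployableEnvironmentNamespace call it first and then apply `!kc.CanDeploy(envName)`, so the map lookup lives in one place. DeleteDeployment, which is exported and destructive, is also the only method in this section without a doc comment naming the check it relies on.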
