rename rbac request and cleanup comments related to verbs

verifa · Nov 16, 2024 · 0499d98 · 0499d98
1 parent 93894a8
commit 0499d98
Show file tree

Hide file tree

Showing 3 changed files with 80 additions and 53 deletions.
diff --git a/pkg/auth/auth.go b/pkg/auth/auth.go
@@ -132,8 +132,10 @@ func (a *Auth) Check(
 	if err != nil {
 		return false, err
 	}
-	checkRequest := RBACRequest{
-		Groups: user.Groups,
+	checkRequest := Request{
+		Subject: RequestSubject{
+			Groups: user.Groups,
+		},
 		Verb:   req.Verb,
 		Object: req.Object,
 	}
@@ -162,8 +164,10 @@ func (a *Auth) List(
 		if err := json.Unmarshal(rawObj, &obj); err != nil {
 			return fmt.Errorf("unmarshaling object: %w", err)
 		}
-		ok := a.RBAC.Check(ctx, RBACRequest{
-			Groups: user.Groups,
+		ok := a.RBAC.Check(ctx, Request{
+			Subject: RequestSubject{
+				Groups: user.Groups,
+			},
 			Verb:   VerbRead,
 			Object: obj,
 		})

diff --git a/pkg/auth/rbac.go b/pkg/auth/rbac.go
@@ -132,37 +132,38 @@ type Permissions struct {
 type Verb string
 
 const (
-	// VerbRead is the lowest level of allow access.
-	// VerbRead is the highest level of deny access.
-	// If you are denied read access, you are denied all levels of access.
+	// VerbRead allows/denies a subject to read objects.
 	VerbRead Verb = "read"
-	// VerbUpdate allows a user to update objects.
-	// It implies VerbRead.
+	// VerbUpdate allows/denies a subject to update objects.
 	VerbUpdate Verb = "update"
-	// VerbCreate allows a user to create objects.
-	// It implies VerbRead.
+	// VerbCreate allows/denies a subject to create objects.
 	VerbCreate Verb = "create"
-	// VerbDelete allows a user to delete objects.
-	// It implies VerbRead.
+	// VerbDelete allows/denies a subject to delete objects.
 	VerbDelete Verb = "delete"
-	// VerbRun allows a user to run actions for an actor.
+	// VerbRun allows/denies a subject to run actions for an actor.
 	VerbRun Verb = "run"
+	// VerbAll allows/denies a subject to perform all verbs.
 	VerbAll Verb = "*"
 )
 
-type RBACRequest struct {
+// Request is a request to check if Subject is allowed to perform Verb on Object.
+type Request struct {
+	Subject RequestSubject
+	Verb    Verb
+	Object  hz.ObjectKeyer
+}
+
+type RequestSubject struct {
 	Groups []string
-	Verb   Verb
-	Object hz.ObjectKeyer
 }
 
-func (r *RBAC) Check(ctx context.Context, req RBACRequest) bool {
+func (r *RBAC) Check(ctx context.Context, req Request) bool {
 	r.mx.RLock()
 	defer r.mx.RUnlock()
 
 	isAllow := false
 	isDeny := false
-	for _, gr := range req.Groups {
+	for _, gr := range req.Subject.Groups {
 		group, ok := r.Permissions[gr]
 		if !ok {
 			continue

diff --git a/pkg/auth/rbac_test.go b/pkg/auth/rbac_test.go
@@ -12,7 +12,7 @@ import (
 func TestRBAC(t *testing.T) {
 	ctx := context.Background()
 	type testcase struct {
-		req    RBACRequest
+		req    Request
 		expect bool
 	}
 
@@ -67,9 +67,11 @@ func TestRBAC(t *testing.T) {
 		},
 		cases: []testcase{
 			{
-				req: RBACRequest{
-					Groups: []string{"group-creator"},
-					Verb:   "read",
+				req: Request{
+					Subject: RequestSubject{
+						Groups: []string{"group-creator"},
+					},
+					Verb: "read",
 					Object: hz.ObjectKey{
 						Group:     "group-test",
 						Kind:      "Namespace",
@@ -80,9 +82,11 @@ func TestRBAC(t *testing.T) {
 				expect: true,
 			},
 			{
-				req: RBACRequest{
-					Groups: []string{"group-creator"},
-					Verb:   "read",
+				req: Request{
+					Subject: RequestSubject{
+						Groups: []string{"group-creator"},
+					},
+					Verb: "read",
 					Object: hz.ObjectKey{
 						Group:     "group-test",
 						Kind:      "Namespace",
@@ -93,9 +97,11 @@ func TestRBAC(t *testing.T) {
 				expect: false,
 			},
 			{
-				req: RBACRequest{
-					Groups: []string{"group-creator"},
-					Verb:   "read",
+				req: Request{
+					Subject: RequestSubject{
+						Groups: []string{"group-creator"},
+					},
+					Verb: "read",
 					Object: hz.ObjectKey{
 						Group:     "group-test",
 						Kind:      "object-test",
@@ -106,9 +112,11 @@ func TestRBAC(t *testing.T) {
 				expect: true,
 			},
 			{
-				req: RBACRequest{
-					Groups: []string{"group-creator"},
-					Verb:   "create",
+				req: Request{
+					Subject: RequestSubject{
+						Groups: []string{"group-creator"},
+					},
+					Verb: "create",
 					Object: hz.ObjectKey{
 						Group:     "group-test",
 						Kind:      "object-test",
@@ -119,9 +127,11 @@ func TestRBAC(t *testing.T) {
 				expect: true,
 			},
 			{
-				req: RBACRequest{
-					Groups: []string{"group-creator"},
-					Verb:   "delete",
+				req: Request{
+					Subject: RequestSubject{
+						Groups: []string{"group-creator"},
+					},
+					Verb: "delete",
 					Object: hz.ObjectKey{
 						Group:     "group-test",
 						Kind:      "object-test",
@@ -132,9 +142,11 @@ func TestRBAC(t *testing.T) {
 				expect: false,
 			},
 			{
-				req: RBACRequest{
-					Groups: []string{"group-unknown"},
-					Verb:   "read",
+				req: Request{
+					Subject: RequestSubject{
+						Groups: []string{"group-unknown"},
+					},
+					Verb: "read",
 					Object: hz.ObjectKey{
 						Group:     "group-test",
 						Kind:      "object-test",
@@ -189,9 +201,11 @@ func TestRBAC(t *testing.T) {
 		},
 		cases: []testcase{
 			{
-				req: RBACRequest{
-					Groups: []string{"group-runner"},
-					Verb:   "run",
+				req: Request{
+					Subject: RequestSubject{
+						Groups: []string{"group-runner"},
+					},
+					Verb: "run",
 					Object: hz.ObjectKey{
 						Group:     "group-test",
 						Kind:      "object-test",
@@ -281,9 +295,11 @@ func TestRBAC(t *testing.T) {
 		},
 		cases: []testcase{
 			{
-				req: RBACRequest{
-					Groups: []string{"group-deny-delete"},
-					Verb:   "run",
+				req: Request{
+					Subject: RequestSubject{
+						Groups: []string{"group-deny-delete"},
+					},
+					Verb: "run",
 					Object: hz.ObjectKey{
 						Group:     "group-test",
 						Kind:      "object-test",
@@ -294,9 +310,11 @@ func TestRBAC(t *testing.T) {
 				expect: true,
 			},
 			{
-				req: RBACRequest{
-					Groups: []string{"group-deny-delete"},
-					Verb:   "create",
+				req: Request{
+					Subject: RequestSubject{
+						Groups: []string{"group-deny-delete"},
+					},
+					Verb: "create",
 					Object: hz.ObjectKey{
 						Group:     "group-test",
 						Kind:      "object-test",
@@ -307,9 +325,11 @@ func TestRBAC(t *testing.T) {
 				expect: true,
 			},
 			{
-				req: RBACRequest{
-					Groups: []string{"group-deny-delete"},
-					Verb:   "delete",
+				req: Request{
+					Subject: RequestSubject{
+						Groups: []string{"group-deny-delete"},
+					},
+					Verb: "delete",
 					Object: hz.ObjectKey{
 						Name:      "superfluous",
 						Namespace: "namespace-test",
@@ -326,9 +346,11 @@ func TestRBAC(t *testing.T) {
 		adminGroups: []string{"admin"},
 		cases: []testcase{
 			{
-				req: RBACRequest{
-					Groups: []string{"admin"},
-					Verb:   "delete",
+				req: Request{
+					Subject: RequestSubject{
+						Groups: []string{"admin"},
+					},
+					Verb: "delete",
 					Object: hz.ObjectKey{
 						Group:     "group-test",
 						Kind:      "object-test",