Avoid allocations while checking role bindings

Author: smarterclayton

pkg/authorization/api/helpers.go

@@ -244,6 +244,59 @@ func SubjectsStrings(currentNamespace string, subjects []kapi.ObjectReference) (
 	return users, groups, sas, others
 }
 
+// SubjectsContainUser returns true if the provided subjects contain the named user. currentNamespace
+// is used to identify service accounts that are defined in a relative fashion.
+func SubjectsContainUser(subjects []kapi.ObjectReference, currentNamespace string, user string) bool {
+	if !strings.HasPrefix(user, serviceaccount.ServiceAccountUsernamePrefix) {
+		for _, subject := range subjects {
+			switch subject.Kind {
+			case UserKind, SystemUserKind:
+				if user == subject.Name {
+					return true
+				}
+			}
+		}
+		return false
+	}
+
+	for _, subject := range subjects {
+		switch subject.Kind {
+		case ServiceAccountKind:
+			namespace := currentNamespace
+			if len(subject.Namespace) > 0 {
+				namespace = subject.Namespace
+			}
+			if len(namespace) == 0 {
+				continue
+			}
+			if user == serviceaccount.MakeUsername(namespace, subject.Name) {
+				return true
+			}
+
+		case UserKind, SystemUserKind:
+			if user == subject.Name {
+				return true
+			}
+		}
+	}
+	return false
+}
+
+// SubjectsContainGroups returns true if the provided subjects any of the named groups.
+func SubjectsContainGroups(subjects []kapi.ObjectReference, groups []string) bool {
+	for _, subject := range subjects {
+		switch subject.Kind {
+		case GroupKind, SystemGroupKind:
+			for _, group := range groups {
+				if group == subject.Name {
+					return true
+				}
+			}
+		}
+	}
+	return false
+}
+
 func AddUserToSAR(user user.Info, sar *SubjectAccessReview) *SubjectAccessReview {
 	origScopes := user.GetExtra()[ScopesKey]
 	scopes := make([]string, len(origScopes), len(origScopes))

pkg/authorization/interfaces/interfaces.go

@@ -2,6 +2,7 @@ package interfaces
 
 import (
 	kapi "k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/auth/user"
 	"k8s.io/kubernetes/pkg/util/sets"
 
 	authorizationapi "github.com/openshift/origin/pkg/authorization/api"
@@ -36,6 +37,9 @@ type RoleBinding interface {
 	RoleRef() kapi.ObjectReference
 	Users() sets.String
 	Groups() sets.String
+
+	// AppliesToUser returns true if the provided user matches this role binding
+	AppliesToUser(user.Info) bool
 }
 
 func NewClusterPolicyAdapter(policy *authorizationapi.ClusterPolicy) Policy {
@@ -219,6 +223,17 @@ func (a RoleBindingAdapter) Groups() sets.String {
 	return sets.NewString(groups...)
 }
 
+// AppliesToUser returns true if this binding applies to the provided user.
+func (a RoleBindingAdapter) AppliesToUser(user user.Info) bool {
+	if authorizationapi.SubjectsContainUser(a.roleBinding.Subjects, a.roleBinding.Namespace, user.GetName()) {
+		return true
+	}
+	if authorizationapi.SubjectsContainGroups(a.roleBinding.Subjects, user.GetGroups()) {
+		return true
+	}
+	return false
+}
+
 type ClusterPolicyBindingAdapter struct {
 	policyBinding *authorizationapi.ClusterPolicyBinding
 
@@ -274,3 +289,14 @@ func (a ClusterRoleBindingAdapter) Groups() sets.String {
 
 	return sets.NewString(groups...)
 }
+
+// AppliesToUser returns true if this binding applies to the provided user.
+func (a ClusterRoleBindingAdapter) AppliesToUser(user user.Info) bool {
+	if authorizationapi.SubjectsContainUser(a.roleBinding.Subjects, a.roleBinding.Namespace, user.GetName()) {
+		return true
+	}
+	if authorizationapi.SubjectsContainGroups(a.roleBinding.Subjects, user.GetGroups()) {
+		return true
+	}
+	return false
+}

pkg/authorization/rulevalidation/find_rules.go

@@ -129,7 +129,7 @@ func (a *DefaultRuleResolver) GetEffectivePolicyRules(ctx kapi.Context) ([]autho
 	errs := []error{}
 	rules := make([]authorizationapi.PolicyRule, 0, len(roleBindings))
 	for _, roleBinding := range roleBindings {
-		if !appliesToUser(roleBinding.Users(), roleBinding.Groups(), user) {
+		if !roleBinding.AppliesToUser(user) {
 			continue
 		}