add validation

mfojtik · mfojtik · commit c44b4c2bc2c3 · 2016-10-04T10:05:32.000+02:00
diff --git a/pkg/api/validation/register.go b/pkg/api/validation/register.go
@@ -42,6 +42,7 @@ func init() {
 func registerAll() {
 	Validator.MustRegister(&authorizationapi.SelfSubjectRulesReview{}, authorizationvalidation.ValidateSelfSubjectRulesReview, nil)
 	Validator.MustRegister(&authorizationapi.SubjectAccessReview{}, authorizationvalidation.ValidateSubjectAccessReview, nil)
+	Validator.MustRegister(&authorizationapi.SubjectRulesReview{}, authorizationvalidation.ValidateSubjectRulesReview, nil)
 	Validator.MustRegister(&authorizationapi.ResourceAccessReview{}, authorizationvalidation.ValidateResourceAccessReview, nil)
 	Validator.MustRegister(&authorizationapi.LocalSubjectAccessReview{}, authorizationvalidation.ValidateLocalSubjectAccessReview, nil)
 	Validator.MustRegister(&authorizationapi.LocalResourceAccessReview{}, authorizationvalidation.ValidateLocalResourceAccessReview, nil)
diff --git a/pkg/authorization/api/v1/types.go b/pkg/authorization/api/v1/types.go
@@ -171,7 +171,7 @@ type SubjectRulesReviewSpec struct {
 	// Groups is optional.  Groups is the list of groups to which the User belongs.  At least one of User and Groups must be specified.
 	Groups []string `json:"groups" protobuf:"bytes,2,rep,name=groups"`
 	// Scopes to use for the evaluation.  Empty means "use the unscoped (full) permissions of the user/groups".
-	Scopes OptionalScopes `json:"scopes" protobuf:"bytes,3,rep,name=scopes"`
+	Scopes OptionalScopes `json:"scopes" protobuf:"bytes,3,opt,name=scopes"`
 }
 
 // SubjectRulesReviewStatus is contains the result of a rules check
diff --git a/pkg/authorization/api/validation/validation.go b/pkg/authorization/api/validation/validation.go
@@ -18,6 +18,16 @@ func ValidateSelfSubjectRulesReview(review *authorizationapi.SelfSubjectRulesRev
 	return field.ErrorList{}
 }
 
+func ValidateSubjectRulesReview(rules *authorizationapi.SubjectRulesReview) field.ErrorList {
+	allErrs := field.ErrorList{}
+
+	if len(rules.Spec.Groups) == 0 && len(rules.Spec.User) == 0 {
+		allErrs = append(allErrs, field.Required(field.NewPath("user"), "at least one of user and groups must be specified"))
+	}
+
+	return allErrs
+}
+
 func ValidateSubjectAccessReview(review *authorizationapi.SubjectAccessReview) field.ErrorList {
 	allErrs := field.ErrorList{}
 

Original file line number	Diff line number	Diff line change
`@@ -171,7 +171,7 @@ type SubjectRulesReviewSpec struct {`
`171`	`171`	`// Groups is optional. Groups is the list of groups to which the User belongs. At least one of User and Groups must be specified.`
`172`	`172`	Groups []string `json:"groups" protobuf:"bytes,2,rep,name=groups"`
`173`	`173`	`// Scopes to use for the evaluation. Empty means "use the unscoped (full) permissions of the user/groups".`
`174`		- Scopes OptionalScopes `json:"scopes" protobuf:"bytes,3,rep,name=scopes"`
	`174`	+ Scopes OptionalScopes `json:"scopes" protobuf:"bytes,3,opt,name=scopes"`
`175`	`175`	`}`
`176`	`176`
`177`	`177`	`// SubjectRulesReviewStatus is contains the result of a rules check`