Rename AuthorizationAttributes -> Action

Allows conversions to be automatically generated, and the name is not
externally visible.

Author: smarterclayton

pkg/authorization/api/types.go

@@ -189,7 +189,7 @@ type ResourceAccessReview struct {
 	unversioned.TypeMeta
 
 	// Action describes the action being tested
-	Action AuthorizationAttributes
+	Action
 }
 
 // SubjectAccessReviewResponse describes whether or not a user or group can perform an action
@@ -209,7 +209,7 @@ type SubjectAccessReview struct {
 	unversioned.TypeMeta
 
 	// Action describes the action being tested
-	Action AuthorizationAttributes
+	Action
 	// User is optional.  If both User and Groups are empty, the current authenticated user is used.
 	User string
 	// Groups is optional.  Groups is the list of groups to which the User belongs.
@@ -226,15 +226,15 @@ type LocalResourceAccessReview struct {
 	unversioned.TypeMeta
 
 	// Action describes the action being tested
-	Action AuthorizationAttributes
+	Action
 }
 
 // LocalSubjectAccessReview is an object for requesting information about whether a user or group can perform an action in a particular namespace
 type LocalSubjectAccessReview struct {
 	unversioned.TypeMeta
 
 	// Action describes the action being tested.  The Namespace element is FORCED to the current namespace.
-	Action AuthorizationAttributes
+	Action
 	// User is optional.  If both User and Groups are empty, the current authenticated user is used.
 	User string
 	// Groups is optional.  Groups is the list of groups to which the User belongs.
@@ -246,8 +246,8 @@ type LocalSubjectAccessReview struct {
 	Scopes []string
 }
 
-// AuthorizationAttributes describes a request to be authorized
-type AuthorizationAttributes struct {
+// Action describes a request to be authorized
+type Action struct {
 	// Namespace is the namespace of the action being requested.  Currently, there is no distinction between no namespace and all namespaces
 	Namespace string
 	// Verb is one of: get, list, watch, create, update, delete

pkg/authorization/api/v1/conversion.go

@@ -13,115 +13,54 @@ import (
 	uservalidation "github.com/openshift/origin/pkg/user/api/validation"
 )
 
-func Convert_v1_ResourceAccessReview_To_api_ResourceAccessReview(in *ResourceAccessReview, out *newer.ResourceAccessReview, s conversion.Scope) error {
-	if err := s.DefaultConvert(in, out, conversion.IgnoreMissingFields); err != nil {
-		return err
-	}
-	if err := s.DefaultConvert(&in.AuthorizationAttributes, &out.Action, conversion.IgnoreMissingFields); err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func Convert_api_ResourceAccessReview_To_v1_ResourceAccessReview(in *newer.ResourceAccessReview, out *ResourceAccessReview, s conversion.Scope) error {
-	if err := s.DefaultConvert(in, out, conversion.IgnoreMissingFields); err != nil {
-		return err
-	}
-	if err := s.DefaultConvert(&in.Action, &out.AuthorizationAttributes, conversion.IgnoreMissingFields); err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func Convert_v1_LocalResourceAccessReview_To_api_LocalResourceAccessReview(in *LocalResourceAccessReview, out *newer.LocalResourceAccessReview, s conversion.Scope) error {
-	if err := s.DefaultConvert(in, out, conversion.IgnoreMissingFields); err != nil {
-		return err
-	}
-	if err := s.DefaultConvert(&in.AuthorizationAttributes, &out.Action, conversion.IgnoreMissingFields); err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func Convert_api_LocalResourceAccessReview_To_v1_LocalResourceAccessReview(in *newer.LocalResourceAccessReview, out *LocalResourceAccessReview, s conversion.Scope) error {
-	if err := s.DefaultConvert(in, out, conversion.IgnoreMissingFields); err != nil {
-		return err
-	}
-	if err := s.DefaultConvert(&in.Action, &out.AuthorizationAttributes, conversion.IgnoreMissingFields); err != nil {
-		return err
-	}
-
-	return nil
-}
-
 func Convert_v1_SubjectAccessReview_To_api_SubjectAccessReview(in *SubjectAccessReview, out *newer.SubjectAccessReview, s conversion.Scope) error {
-	if err := s.DefaultConvert(in, out, conversion.IgnoreMissingFields); err != nil {
-		return err
-	}
-	if err := s.DefaultConvert(&in.AuthorizationAttributes, &out.Action, conversion.IgnoreMissingFields); err != nil {
+	if err := autoConvert_v1_SubjectAccessReview_To_api_SubjectAccessReview(in, out, s); err != nil {
 		return err
 	}
 
 	out.Groups = sets.NewString(in.GroupsSlice...)
-
 	return nil
 }
 
 func Convert_api_SubjectAccessReview_To_v1_SubjectAccessReview(in *newer.SubjectAccessReview, out *SubjectAccessReview, s conversion.Scope) error {
-	if err := s.DefaultConvert(in, out, conversion.IgnoreMissingFields); err != nil {
-		return err
-	}
-	if err := s.DefaultConvert(&in.Action, &out.AuthorizationAttributes, conversion.IgnoreMissingFields); err != nil {
+	if err := autoConvert_api_SubjectAccessReview_To_v1_SubjectAccessReview(in, out, s); err != nil {
 		return err
 	}
 
 	out.GroupsSlice = in.Groups.List()
-
 	return nil
 }
 
 func Convert_v1_LocalSubjectAccessReview_To_api_LocalSubjectAccessReview(in *LocalSubjectAccessReview, out *newer.LocalSubjectAccessReview, s conversion.Scope) error {
-	if err := s.DefaultConvert(in, out, conversion.IgnoreMissingFields); err != nil {
-		return err
-	}
-	if err := s.DefaultConvert(&in.AuthorizationAttributes, &out.Action, conversion.IgnoreMissingFields); err != nil {
+	if err := autoConvert_v1_LocalSubjectAccessReview_To_api_LocalSubjectAccessReview(in, out, s); err != nil {
 		return err
 	}
 
 	out.Groups = sets.NewString(in.GroupsSlice...)
-
 	return nil
 }
 
 func Convert_api_LocalSubjectAccessReview_To_v1_LocalSubjectAccessReview(in *newer.LocalSubjectAccessReview, out *LocalSubjectAccessReview, s conversion.Scope) error {
-	if err := s.DefaultConvert(in, out, conversion.IgnoreMissingFields); err != nil {
-		return err
-	}
-	if err := s.DefaultConvert(&in.Action, &out.AuthorizationAttributes, conversion.IgnoreMissingFields); err != nil {
+	if err := autoConvert_api_LocalSubjectAccessReview_To_v1_LocalSubjectAccessReview(in, out, s); err != nil {
 		return err
 	}
 
 	out.GroupsSlice = in.Groups.List()
-
 	return nil
 }
 
 func Convert_v1_ResourceAccessReviewResponse_To_api_ResourceAccessReviewResponse(in *ResourceAccessReviewResponse, out *newer.ResourceAccessReviewResponse, s conversion.Scope) error {
-	if err := s.DefaultConvert(in, out, conversion.IgnoreMissingFields); err != nil {
+	if err := autoConvert_v1_ResourceAccessReviewResponse_To_api_ResourceAccessReviewResponse(in, out, s); err != nil {
 		return err
 	}
 
 	out.Users = sets.NewString(in.UsersSlice...)
 	out.Groups = sets.NewString(in.GroupsSlice...)
-
 	return nil
 }
 
 func Convert_api_ResourceAccessReviewResponse_To_v1_ResourceAccessReviewResponse(in *newer.ResourceAccessReviewResponse, out *ResourceAccessReviewResponse, s conversion.Scope) error {
-	if err := s.DefaultConvert(in, out, conversion.IgnoreMissingFields); err != nil {
+	if err := autoConvert_api_ResourceAccessReviewResponse_To_v1_ResourceAccessReviewResponse(in, out, s); err != nil {
 		return err
 	}
 

pkg/authorization/api/v1/swagger_doc.go

@@ -5,8 +5,8 @@ package v1
 // by hack/update-generated-swagger-descriptions.sh and should be run after a full build of OpenShift.
 // ==== DO NOT EDIT THIS FILE MANUALLY ====
 
-var map_AuthorizationAttributes = map[string]string{
-	"":                   "AuthorizationAttributes describes a request to the API server",
+var map_Action = map[string]string{
+	"":                   "Action describes a request to the API server",
 	"namespace":          "Namespace is the namespace of the action being requested.  Currently, there is no distinction between no namespace and all namespaces",
 	"verb":               "Verb is one of: get, list, watch, create, update, delete",
 	"resourceAPIGroup":   "Group is the API group of the resource Serialized as resourceAPIGroup to avoid confusion with the 'groups' field when inlined",
@@ -16,8 +16,8 @@ var map_AuthorizationAttributes = map[string]string{
 	"content":            "Content is the actual content of the request for create and update",
 }
 
-func (AuthorizationAttributes) SwaggerDoc() map[string]string {
-	return map_AuthorizationAttributes
+func (Action) SwaggerDoc() map[string]string {
+	return map_Action
 }
 
 var map_ClusterPolicy = map[string]string{

pkg/authorization/api/v1/types.go

@@ -173,8 +173,8 @@ type ResourceAccessReviewResponse struct {
 type ResourceAccessReview struct {
 	unversioned.TypeMeta `json:",inline"`
 
-	// AuthorizationAttributes describes the action being tested.
-	AuthorizationAttributes `json:",inline" protobuf:"bytes,1,opt,name=authorizationAttributes"`
+	// Action describes the action being tested.
+	Action `json:",inline" protobuf:"bytes,1,opt,name=Action"`
 }
 
 // SubjectAccessReviewResponse describes whether or not a user or group can perform an action
@@ -197,8 +197,8 @@ type OptionalScopes []string
 type SubjectAccessReview struct {
 	unversioned.TypeMeta `json:",inline"`
 
-	// AuthorizationAttributes describes the action being tested.
-	AuthorizationAttributes `json:",inline" protobuf:"bytes,1,opt,name=authorizationAttributes"`
+	// Action describes the action being tested.
+	Action `json:",inline" protobuf:"bytes,1,opt,name=Action"`
 	// User is optional. If both User and Groups are empty, the current authenticated user is used.
 	User string `json:"user" protobuf:"bytes,2,opt,name=user"`
 	// GroupsSlice is optional. Groups is the list of groups to which the User belongs.
@@ -214,16 +214,16 @@ type SubjectAccessReview struct {
 type LocalResourceAccessReview struct {
 	unversioned.TypeMeta `json:",inline"`
 
-	// AuthorizationAttributes describes the action being tested.  The Namespace element is FORCED to the current namespace.
-	AuthorizationAttributes `json:",inline" protobuf:"bytes,1,opt,name=authorizationAttributes"`
+	// Action describes the action being tested.  The Namespace element is FORCED to the current namespace.
+	Action `json:",inline" protobuf:"bytes,1,opt,name=Action"`
 }
 
 // LocalSubjectAccessReview is an object for requesting information about whether a user or group can perform an action in a particular namespace
 type LocalSubjectAccessReview struct {
 	unversioned.TypeMeta `json:",inline"`
 
-	// AuthorizationAttributes describes the action being tested.  The Namespace element is FORCED to the current namespace.
-	AuthorizationAttributes `json:",inline" protobuf:"bytes,1,opt,name=authorizationAttributes"`
+	// Action describes the action being tested.  The Namespace element is FORCED to the current namespace.
+	Action `json:",inline" protobuf:"bytes,1,opt,name=Action"`
 	// User is optional.  If both User and Groups are empty, the current authenticated user is used.
 	User string `json:"user" protobuf:"bytes,2,opt,name=user"`
 	// Groups is optional.  Groups is the list of groups to which the User belongs.
@@ -235,8 +235,8 @@ type LocalSubjectAccessReview struct {
 	Scopes OptionalScopes `json:"scopes" protobuf:"bytes,4,rep,name=scopes"`
 }
 
-// AuthorizationAttributes describes a request to the API server
-type AuthorizationAttributes struct {
+// Action describes a request to the API server
+type Action struct {
 	// Namespace is the namespace of the action being requested.  Currently, there is no distinction between no namespace and all namespaces
 	Namespace string `json:"namespace" protobuf:"bytes,1,opt,name=namespace"`
 	// Verb is one of: get, list, watch, create, update, delete

pkg/authorization/authorizer/adapter/attributes.go

@@ -17,12 +17,12 @@ type AdapterAttributes struct {
 	namespace               string
 	userName                string
 	groups                  []string
-	authorizationAttributes oauthorizer.AuthorizationAttributes
+	authorizationAttributes oauthorizer.Action
 }
 
 // OriginAuthorizerAttributes adapts Kubernetes authorization attributes to Origin authorization attributes
 // Note that some info (like resourceName, apiVersion, apiGroup) is not available from the Kubernetes attributes
-func OriginAuthorizerAttributes(kattrs kauthorizer.Attributes) (kapi.Context, oauthorizer.AuthorizationAttributes) {
+func OriginAuthorizerAttributes(kattrs kauthorizer.Attributes) (kapi.Context, oauthorizer.Action) {
 	// Build a context to hold the namespace and user info
 	ctx := kapi.NewContext()
 	ctx = kapi.WithNamespace(ctx, kattrs.GetNamespace())
@@ -59,7 +59,7 @@ func OriginAuthorizerAttributes(kattrs kauthorizer.Attributes) (kapi.Context, oa
 
 // KubernetesAuthorizerAttributes adapts Origin authorization attributes to Kubernetes authorization attributes
 // The returned attributes can be passed to OriginAuthorizerAttributes to access extra information from the Origin attributes interface
-func KubernetesAuthorizerAttributes(namespace string, userName string, groups []string, oattrs oauthorizer.AuthorizationAttributes) kauthorizer.Attributes {
+func KubernetesAuthorizerAttributes(namespace string, userName string, groups []string, oattrs oauthorizer.Action) kauthorizer.Attributes {
 	return AdapterAttributes{
 		namespace:               namespace,
 		userName:                userName,

pkg/authorization/authorizer/adapter/attributes_test.go

@@ -112,7 +112,7 @@ func TestAttributeIntersection(t *testing.T) {
 	)
 
 	kattributesType := reflect.TypeOf((*kauthorizer.Attributes)(nil)).Elem()
-	oattributesType := reflect.TypeOf((*oauthorizer.AuthorizationAttributes)(nil)).Elem()
+	oattributesType := reflect.TypeOf((*oauthorizer.Action)(nil)).Elem()
 
 	kattributesMethods := sets.NewString()
 	for i := 0; i < kattributesType.NumMethod(); i++ {

pkg/authorization/authorizer/attributes.go

@@ -21,9 +21,9 @@ type DefaultAuthorizationAttributes struct {
 	URL               string
 }
 
-// ToDefaultAuthorizationAttributes coerces AuthorizationAttributes to DefaultAuthorizationAttributes.  Namespace is not included
+// ToDefaultAuthorizationAttributes coerces Action to DefaultAuthorizationAttributes.  Namespace is not included
 // because the authorizer takes that information on the context
-func ToDefaultAuthorizationAttributes(in authorizationapi.AuthorizationAttributes) DefaultAuthorizationAttributes {
+func ToDefaultAuthorizationAttributes(in authorizationapi.Action) DefaultAuthorizationAttributes {
 	return DefaultAuthorizationAttributes{
 		Verb:         in.Verb,
 		APIGroup:     in.Group,
@@ -136,8 +136,8 @@ func splitPath(thePath string) []string {
 	return strings.Split(thePath, "/")
 }
 
-// DefaultAuthorizationAttributes satisfies the AuthorizationAttributes interface
-var _ AuthorizationAttributes = DefaultAuthorizationAttributes{}
+// DefaultAuthorizationAttributes satisfies the Action interface
+var _ Action = DefaultAuthorizationAttributes{}
 
 func (a DefaultAuthorizationAttributes) GetAPIVersion() string {
 	return a.APIVersion

pkg/authorization/authorizer/attributes_builder.go

@@ -16,7 +16,7 @@ func NewAuthorizationAttributeBuilder(contextMapper kapi.RequestContextMapper, i
 	return &openshiftAuthorizationAttributeBuilder{contextMapper, infoResolver}
 }
 
-func (a *openshiftAuthorizationAttributeBuilder) GetAttributes(req *http.Request) (AuthorizationAttributes, error) {
+func (a *openshiftAuthorizationAttributeBuilder) GetAttributes(req *http.Request) (Action, error) {
 	requestInfo, err := a.infoResolver.GetRequestInfo(req)
 	if err != nil {
 		return nil, err

pkg/authorization/authorizer/attributes_test.go

@@ -7,13 +7,13 @@ import (
 )
 
 func TestAuthorizationAttributes(t *testing.T) {
-	// Wrapper to make sure additions to the AuthorizationAttributes interface get corresponding fields added in api.AuthorizationAttributes
-	// If an additional function is required to satisfy this interface, the data for it should come from the contained authorizationapi.AuthorizationAttributes
-	var _ AuthorizationAttributes = authorizationAttributesAdapter{}
+	// Wrapper to make sure additions to the Action interface get corresponding fields added in api.Action
+	// If an additional function is required to satisfy this interface, the data for it should come from the contained authorizationapi.Action
+	var _ Action = authorizationAttributesAdapter{}
 }
 
 type authorizationAttributesAdapter struct {
-	attrs authorizationapi.AuthorizationAttributes
+	attrs authorizationapi.Action
 }
 
 func (a authorizationAttributesAdapter) GetVerb() string {
@@ -37,17 +37,17 @@ func (a authorizationAttributesAdapter) GetResourceName() string {
 }
 
 func (a authorizationAttributesAdapter) GetRequestAttributes() interface{} {
-	// AuthorizationAttributes doesn't currently support request attributes,
+	// Action doesn't currently support request attributes,
 	// because they cannot be reliably serialized
 	return nil
 }
 
 func (a authorizationAttributesAdapter) IsNonResourceURL() bool {
-	// AuthorizationAttributes currently only supports resource authorization checks
+	// Action currently only supports resource authorization checks
 	return false
 }
 
 func (a authorizationAttributesAdapter) GetURL() string {
-	// AuthorizationAttributes currently only supports resource authorization checks
+	// Action currently only supports resource authorization checks
 	return ""
 }

pkg/authorization/authorizer/authorizer.go

@@ -18,7 +18,7 @@ func NewAuthorizer(ruleResolver rulevalidation.AuthorizationRuleResolver, forbid
 	return &openshiftAuthorizer{ruleResolver, forbiddenMessageMaker}
 }
 
-func (a *openshiftAuthorizer) Authorize(ctx kapi.Context, passedAttributes AuthorizationAttributes) (bool, string, error) {
+func (a *openshiftAuthorizer) Authorize(ctx kapi.Context, passedAttributes Action) (bool, string, error) {
 	attributes := CoerceToDefaultAuthorizationAttributes(passedAttributes)
 
 	// keep track of errors in case we are unable to authorize the action.
@@ -63,7 +63,7 @@ func (a *openshiftAuthorizer) Authorize(ctx kapi.Context, passedAttributes Autho
 // If we got an error, then the list of subjects may not be complete, but it does not contain any incorrect names.
 // This is done because policy rules are purely additive and policy determinations
 // can be made on the basis of those rules that are found.
-func (a *openshiftAuthorizer) GetAllowedSubjects(ctx kapi.Context, attributes AuthorizationAttributes) (sets.String, sets.String, error) {
+func (a *openshiftAuthorizer) GetAllowedSubjects(ctx kapi.Context, attributes Action) (sets.String, sets.String, error) {
 	errs := []error{}
 
 	masterContext := kapi.WithNamespace(ctx, kapi.NamespaceNone)
@@ -87,7 +87,7 @@ func (a *openshiftAuthorizer) GetAllowedSubjects(ctx kapi.Context, attributes Au
 	return users, groups, kerrors.NewAggregate(errs)
 }
 
-func (a *openshiftAuthorizer) getAllowedSubjectsFromNamespaceBindings(ctx kapi.Context, passedAttributes AuthorizationAttributes) (sets.String, sets.String, error) {
+func (a *openshiftAuthorizer) getAllowedSubjectsFromNamespaceBindings(ctx kapi.Context, passedAttributes Action) (sets.String, sets.String, error) {
 	attributes := CoerceToDefaultAuthorizationAttributes(passedAttributes)
 
 	errs := []error{}
@@ -129,7 +129,7 @@ func (a *openshiftAuthorizer) getAllowedSubjectsFromNamespaceBindings(ctx kapi.C
 // authorizeWithNamespaceRules returns isAllowed, reason, and error.  If an error is returned, isAllowed and reason are still valid.  This seems strange
 // but errors are not always fatal to the authorization process.  It is entirely possible to get an error and be able to continue determine authorization
 // status in spite of it.  This is most common when a bound role is missing, but enough roles are still present and bound to authorize the request.
-func (a *openshiftAuthorizer) authorizeWithNamespaceRules(ctx kapi.Context, passedAttributes AuthorizationAttributes) (bool, string, error) {
+func (a *openshiftAuthorizer) authorizeWithNamespaceRules(ctx kapi.Context, passedAttributes Action) (bool, string, error) {
 	attributes := CoerceToDefaultAuthorizationAttributes(passedAttributes)
 
 	allRules, ruleRetrievalError := a.ruleResolver.GetEffectivePolicyRules(ctx)
@@ -153,7 +153,7 @@ func (a *openshiftAuthorizer) authorizeWithNamespaceRules(ctx kapi.Context, pass
 
 // TODO this may or may not be the behavior we want for managing rules.  As a for instance, a verb might be specified
 // that our attributes builder will never satisfy.  For now, I think gets us close.  Maybe a warning message of some kind?
-func CoerceToDefaultAuthorizationAttributes(passedAttributes AuthorizationAttributes) *DefaultAuthorizationAttributes {
+func CoerceToDefaultAuthorizationAttributes(passedAttributes Action) *DefaultAuthorizationAttributes {
 	attributes, ok := passedAttributes.(*DefaultAuthorizationAttributes)
 	if !ok {
 		attributes = &DefaultAuthorizationAttributes{