Documentation
Index
- func EvaluateRole(r *types.VDIUserRole, action *types.APIAction) bool
- func EvaluateRule(r rbacv1.Rule, action *types.APIAction) bool
- func EvaluateUser(u *types.VDIUser, action *types.APIAction) bool
- func FilterTemplates(u *types.VDIUser, tmpls []*desktopsv1.Template) []*desktopsv1.Template
- func FilterUserNamespaces(u *types.VDIUser, nss []string) []string
- func FilterUserServiceAccounts(u *types.VDIUser, sas []string, ns string) []string
- func RoleIncludesRule(r *types.VDIUserRole, ruleToCheck rbacv1.Rule, ...) bool
- func RuleIncludes(r, ruleToCheck rbacv1.Rule, resourceGetter types.ResourceGetter) bool
- func UserIncludesRule(u *types.VDIUser, ruleToCheck rbacv1.Rule, resourceGetter types.ResourceGetter) bool
- func VDIRoleToUserRole(v *rbacv1.VDIRole) *types.VDIUserRole
Constants
This section is empty.
Variables
This section is empty.
Functions
func EvaluateRole
func EvaluateRole(r *types.VDIUserRole, action *types.APIAction) bool
EvaluateRole iterates over all the rules in the given role and returns true if any of them allow the provided action.
func EvaluateRule
EvaluateRule checks if the given rule allows the given action. First the verb is matched, then the resource type, and then optionally a name and namespace.
func EvaluateUser
EvaluateUser will iterate the user's roles and return true if any of them have a rule that allows the given action.
func FilterTemplates
func FilterTemplates(u *types.VDIUser, tmpls []*desktopsv1.Template) []*desktopsv1.Template
FilterTemplates will take a list of DesktopTemplates and filter them based on which ones the user is allowed to use.
func FilterUserNamespaces
FilterUserNamespaces will take a list of namespaces and filter them based on the ones this user can provision desktops in.
func FilterUserServiceAccounts
FilterUserServiceAccounts will take a list of service accounts and a given namespace, and filter them based on the ones this user can assume with desktops.
func RoleIncludesRule
func RoleIncludesRule(r *types.VDIUserRole, ruleToCheck rbacv1.Rule, resourceGetter types.ResourceGetter) bool
RoleIncludesRule returns true if the rules applied to this role are not elevated by any of the permissions in the provided rule.
func RuleIncludes
func RuleIncludes(r, ruleToCheck rbacv1.Rule, resourceGetter types.ResourceGetter) bool
RuleIncludes returns false if ruleToCheck matches any actions or resources that r does not.
func UserIncludesRule
func UserIncludesRule(u *types.VDIUser, ruleToCheck rbacv1.Rule, resourceGetter types.ResourceGetter) bool
UserIncludesRule returns true if the rules applied to this user are not elevated by any of the permissions in the provided rule.
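The escalation check that RuleIncludes, RoleIncludesRule and UserIncludesRule describe, sketched as an added example that is not this package's own code. The `rule` type, its fields, the `*` wildcard, the helper names and the sample rules are all assumptions constructed for illustration.

```go
package main

import "fmt"

// rule is a hypothetical stand-in for the package's rbacv1.Rule; the field
// names and the "*" wildcard are assumptions made for this example.
type rule struct {
	Verbs, Resources, Namespaces []string
}

// covers reports whether have grants every entry in want; only "*" covers "*".
func covers(have, want []string) bool {
	granted := map[string]bool{}
	for _, h := range have {
		granted[h] = true
	}
	if granted["*"] {
		return true
	}
	for _, w := range want {
		if !granted[w] {
			return false
		}
	}
	return true
}

// ruleIncludes returns false if check matches anything that r does not.
func ruleIncludes(r, check rule) bool {
	return covers(r.Verbs, check.Verbs) &&
		covers(r.Resources, check.Resources) &&
		covers(r.Namespaces, check.Namespaces)
}

// holderIncludesRule returns true if one of the held rules fully includes check.
func holderIncludesRule(held []rule, check rule) bool {
	for _, r := range held {
		if ruleIncludes(r, check) {
			return true
		}
	}
	return false
}

func main() {
	own := []rule{{[]string{"read", "use"}, []string{"templates"}, []string{"dev"}}} // constructed
	fmt.Println(holderIncludesRule(own, rule{[]string{"read"}, []string{"templates"}, []string{"dev"}}))
	fmt.Println(holderIncludesRule(own, rule{[]string{"*"}, []string{"templates"}, []string{"dev"}}))
}
```

A caller that lets users create or assign roles would run a check of this shape against each rule in the requested role and reject the request on the first rule that returns false.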
func VDIRoleToUserRole
func VDIRoleToUserRole(v *rbacv1.VDIRole) *types.VDIUserRole
VDIRoleToUserRole converts the given VDIRole to the VDIUserRole format. The VDIUserRole is a condensed representation meant to be stored in JWTs.
Types
This section is empty.