Add glide.yaml and vendor deps

vendor/k8s.io/kubernetes/pkg/auth/authorizer/BUILD

@@ -0,0 +1,18 @@
+package(default_visibility = ["//visibility:public"])
+
+licenses(["notice"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_binary",
+    "go_library",
+    "go_test",
+    "cgo_library",
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = ["interfaces.go"],
+    tags = ["automanaged"],
+    deps = ["//pkg/auth/user:go_default_library"],
+)

vendor/k8s.io/kubernetes/pkg/auth/authorizer/abac/BUILD

@@ -0,0 +1,51 @@
+package(default_visibility = ["//visibility:public"])
+
+licenses(["notice"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_binary",
+    "go_library",
+    "go_test",
+    "cgo_library",
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = ["abac.go"],
+    tags = ["automanaged"],
+    deps = [
+        "//pkg/apis/abac:go_default_library",
+        "//pkg/apis/abac/latest:go_default_library",
+        "//pkg/apis/abac/v0:go_default_library",
+        "//pkg/auth/authorizer:go_default_library",
+        "//pkg/runtime:go_default_library",
+        "//vendor:github.com/golang/glog",
+    ],
+)
+
+filegroup(
+    name = "example_policy",
+    testonly = True,
+    srcs = [
+        "example_policy_file.jsonl",
+    ],
+)
+
+go_test(
+    name = "go_default_test",
+    srcs = ["abac_test.go"],
+    data = [
+        ":example_policy",
+    ],
+    library = "go_default_library",
+    tags = ["automanaged"],
+    deps = [
+        "//pkg/apis/abac:go_default_library",
+        "//pkg/apis/abac/v0:go_default_library",
+        "//pkg/apis/abac/v1beta1:go_default_library",
+        "//pkg/auth/authorizer:go_default_library",
+        "//pkg/auth/user:go_default_library",
+        "//pkg/runtime:go_default_library",
+    ],
+)

vendor/k8s.io/kubernetes/pkg/auth/authorizer/abac/abac.go

@@ -0,0 +1,234 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package abac
+
+// Policy authorizes Kubernetes API actions using an Attribute-based access
+// control scheme.
+
+import (
+	"bufio"
+	"fmt"
+	"os"
+	"strings"
+
+	"github.com/golang/glog"
+
+	api "k8s.io/kubernetes/pkg/apis/abac"
+	_ "k8s.io/kubernetes/pkg/apis/abac/latest"
+	"k8s.io/kubernetes/pkg/apis/abac/v0"
+	"k8s.io/kubernetes/pkg/auth/authorizer"
+	"k8s.io/kubernetes/pkg/runtime"
+)
+
+type policyLoadError struct {
+	path string
+	line int
+	data []byte
+	err  error
+}
+
+func (p policyLoadError) Error() string {
+	if p.line >= 0 {
+		return fmt.Sprintf("error reading policy file %s, line %d: %s: %v", p.path, p.line, string(p.data), p.err)
+	}
+	return fmt.Sprintf("error reading policy file %s: %v", p.path, p.err)
+}
+
+type policyList []*api.Policy
+
+// TODO: Have policies be created via an API call and stored in REST storage.
+func NewFromFile(path string) (policyList, error) {
+	// File format is one map per line.  This allows easy concatentation of files,
+	// comments in files, and identification of errors by line number.
+	file, err := os.Open(path)
+	if err != nil {
+		return nil, err
+	}
+	defer file.Close()
+
+	scanner := bufio.NewScanner(file)
+	pl := make(policyList, 0)
+
+	decoder := api.Codecs.UniversalDecoder()
+
+	i := 0
+	unversionedLines := 0
+	for scanner.Scan() {
+		i++
+		p := &api.Policy{}
+		b := scanner.Bytes()
+
+		// skip comment lines and blank lines
+		trimmed := strings.TrimSpace(string(b))
+		if len(trimmed) == 0 || strings.HasPrefix(trimmed, "#") {
+			continue
+		}
+
+		decodedObj, _, err := decoder.Decode(b, nil, nil)
+		if err != nil {
+			if !(runtime.IsMissingVersion(err) || runtime.IsMissingKind(err) || runtime.IsNotRegisteredError(err)) {
+				return nil, policyLoadError{path, i, b, err}
+			}
+			unversionedLines++
+			// Migrate unversioned policy object
+			oldPolicy := &v0.Policy{}
+			if err := runtime.DecodeInto(decoder, b, oldPolicy); err != nil {
+				return nil, policyLoadError{path, i, b, err}
+			}
+			if err := api.Scheme.Convert(oldPolicy, p, nil); err != nil {
+				return nil, policyLoadError{path, i, b, err}
+			}
+			pl = append(pl, p)
+			continue
+		}
+
+		decodedPolicy, ok := decodedObj.(*api.Policy)
+		if !ok {
+			return nil, policyLoadError{path, i, b, fmt.Errorf("unrecognized object: %#v", decodedObj)}
+		}
+		pl = append(pl, decodedPolicy)
+	}
+
+	if unversionedLines > 0 {
+		glog.Warningf("Policy file %s contained unversioned rules. See docs/admin/authorization.md#abac-mode for ABAC file format details.", path)
+	}
+
+	if err := scanner.Err(); err != nil {
+		return nil, policyLoadError{path, -1, nil, err}
+	}
+	return pl, nil
+}
+
+func matches(p api.Policy, a authorizer.Attributes) bool {
+	if subjectMatches(p, a) {
+		if verbMatches(p, a) {
+			// Resource and non-resource requests are mutually exclusive, at most one will match a policy
+			if resourceMatches(p, a) {
+				return true
+			}
+			if nonResourceMatches(p, a) {
+				return true
+			}
+		}
+	}
+	return false
+}
+
+// subjectMatches returns true if specified user and group properties in the policy match the attributes
+func subjectMatches(p api.Policy, a authorizer.Attributes) bool {
+	matched := false
+
+	username := ""
+	groups := []string{}
+	if user := a.GetUser(); user != nil {
+		username = user.GetName()
+		groups = user.GetGroups()
+	}
+
+	// If the policy specified a user, ensure it matches
+	if len(p.Spec.User) > 0 {
+		if p.Spec.User == "*" {
+			matched = true
+		} else {
+			matched = p.Spec.User == username
+			if !matched {
+				return false
+			}
+		}
+	}
+
+	// If the policy specified a group, ensure it matches
+	if len(p.Spec.Group) > 0 {
+		if p.Spec.Group == "*" {
+			matched = true
+		} else {
+			matched = false
+			for _, group := range groups {
+				if p.Spec.Group == group {
+					matched = true
+				}
+			}
+			if !matched {
+				return false
+			}
+		}
+	}
+
+	return matched
+}
+
+func verbMatches(p api.Policy, a authorizer.Attributes) bool {
+	// TODO: match on verb
+
+	// All policies allow read only requests
+	if a.IsReadOnly() {
+		return true
+	}
+
+	// Allow if policy is not readonly
+	if !p.Spec.Readonly {
+		return true
+	}
+
+	return false
+}
+
+func nonResourceMatches(p api.Policy, a authorizer.Attributes) bool {
+	// A non-resource policy cannot match a resource request
+	if !a.IsResourceRequest() {
+		// Allow wildcard match
+		if p.Spec.NonResourcePath == "*" {
+			return true
+		}
+		// Allow exact match
+		if p.Spec.NonResourcePath == a.GetPath() {
+			return true
+		}
+		// Allow a trailing * subpath match
+		if strings.HasSuffix(p.Spec.NonResourcePath, "*") && strings.HasPrefix(a.GetPath(), strings.TrimRight(p.Spec.NonResourcePath, "*")) {
+			return true
+		}
+	}
+	return false
+}
+
+func resourceMatches(p api.Policy, a authorizer.Attributes) bool {
+	// A resource policy cannot match a non-resource request
+	if a.IsResourceRequest() {
+		if p.Spec.Namespace == "*" || p.Spec.Namespace == a.GetNamespace() {
+			if p.Spec.Resource == "*" || p.Spec.Resource == a.GetResource() {
+				if p.Spec.APIGroup == "*" || p.Spec.APIGroup == a.GetAPIGroup() {
+					return true
+				}
+			}
+		}
+	}
+	return false
+}
+
+// Authorizer implements authorizer.Authorize
+func (pl policyList) Authorize(a authorizer.Attributes) (bool, string, error) {
+	for _, p := range pl {
+		if matches(*p, a) {
+			return true, "", nil
+		}
+	}
+	return false, "No policy matched.", nil
+	// TODO: Benchmark how much time policy matching takes with a medium size
+	// policy file, compared to other steps such as encoding/decoding.
+	// Then, add Caching only if needed.
+}

vendor/k8s.io/kubernetes/pkg/auth/authorizer/abac/example_policy_file.jsonl

@@ -0,0 +1,10 @@
+{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"*",         "nonResourcePath": "*", "readonly": true}}
+{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"admin",     "namespace": "*",              "resource": "*",         "apiGroup": "*"                   }}
+{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"scheduler", "namespace": "*",              "resource": "pods",                       "readonly": true }}
+{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"scheduler", "namespace": "*",              "resource": "bindings"                                     }}
+{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"kubelet",   "namespace": "*",              "resource": "pods",                       "readonly": true }}
+{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"kubelet",   "namespace": "*",              "resource": "services",                   "readonly": true }}
+{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"kubelet",   "namespace": "*",              "resource": "endpoints",                  "readonly": true }}
+{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"kubelet",   "namespace": "*",              "resource": "events"                                       }}
+{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"alice",     "namespace": "projectCaribou", "resource": "*",         "apiGroup": "*"                   }}
+{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"bob",       "namespace": "projectCaribou", "resource": "*",         "apiGroup": "*", "readonly": true }}

vendor/k8s.io/kubernetes/pkg/auth/authorizer/interfaces.go

@@ -0,0 +1,140 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package authorizer
+
+import (
+	"net/http"
+
+	"k8s.io/kubernetes/pkg/auth/user"
+)
+
+// Attributes is an interface used by an Authorizer to get information about a request
+// that is used to make an authorization decision.
+type Attributes interface {
+	// GetUser returns the user.Info object to authorize
+	GetUser() user.Info
+
+	// GetVerb returns the kube verb associated with API requests (this includes get, list, watch, create, update, patch, delete, and proxy),
+	// or the lowercased HTTP verb associated with non-API requests (this includes get, put, post, patch, and delete)
+	GetVerb() string
+
+	// When IsReadOnly() == true, the request has no side effects, other than
+	// caching, logging, and other incidentals.
+	IsReadOnly() bool
+
+	// The namespace of the object, if a request is for a REST object.
+	GetNamespace() string
+
+	// The kind of object, if a request is for a REST object.
+	GetResource() string
+
+	// GetSubresource returns the subresource being requested, if present
+	GetSubresource() string
+
+	// GetName returns the name of the object as parsed off the request.  This will not be present for all request types, but
+	// will be present for: get, update, delete
+	GetName() string
+
+	// The group of the resource, if a request is for a REST object.
+	GetAPIGroup() string
+
+	// GetAPIVersion returns the version of the group requested, if a request is for a REST object.
+	GetAPIVersion() string
+
+	// IsResourceRequest returns true for requests to API resources, like /api/v1/nodes,
+	// and false for non-resource endpoints like /api, /healthz, and /swaggerapi
+	IsResourceRequest() bool
+
+	// GetPath returns the path of the request
+	GetPath() string
+}
+
+// Authorizer makes an authorization decision based on information gained by making
+// zero or more calls to methods of the Attributes interface.  It returns nil when an action is
+// authorized, otherwise it returns an error.
+type Authorizer interface {
+	Authorize(a Attributes) (authorized bool, reason string, err error)
+}
+
+type AuthorizerFunc func(a Attributes) (bool, string, error)
+
+func (f AuthorizerFunc) Authorize(a Attributes) (bool, string, error) {
+	return f(a)
+}
+
+// RequestAttributesGetter provides a function that extracts Attributes from an http.Request
+type RequestAttributesGetter interface {
+	GetRequestAttributes(user.Info, *http.Request) Attributes
+}
+
+// AttributesRecord implements Attributes interface.
+type AttributesRecord struct {
+	User            user.Info
+	Verb            string
+	Namespace       string
+	APIGroup        string
+	APIVersion      string
+	Resource        string
+	Subresource     string
+	Name            string
+	ResourceRequest bool
+	Path            string
+}
+
+func (a AttributesRecord) GetUser() user.Info {
+	return a.User
+}
+
+func (a AttributesRecord) GetVerb() string {
+	return a.Verb
+}
+
+func (a AttributesRecord) IsReadOnly() bool {
+	return a.Verb == "get" || a.Verb == "list" || a.Verb == "watch"
+}
+
+func (a AttributesRecord) GetNamespace() string {
+	return a.Namespace
+}
+
+func (a AttributesRecord) GetResource() string {
+	return a.Resource
+}
+
+func (a AttributesRecord) GetSubresource() string {
+	return a.Subresource
+}
+
+func (a AttributesRecord) GetName() string {
+	return a.Name
+}
+
+func (a AttributesRecord) GetAPIGroup() string {
+	return a.APIGroup
+}
+
+func (a AttributesRecord) GetAPIVersion() string {
+	return a.APIVersion
+}
+
+func (a AttributesRecord) IsResourceRequest() bool {
+	return a.ResourceRequest
+}
+
+func (a AttributesRecord) GetPath() string {
+	return a.Path
+}

vendor/k8s.io/kubernetes/pkg/auth/authorizer/union/BUILD

@@ -0,0 +1,29 @@
+package(default_visibility = ["//visibility:public"])
+
+licenses(["notice"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_binary",
+    "go_library",
+    "go_test",
+    "cgo_library",
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = ["union.go"],
+    tags = ["automanaged"],
+    deps = [
+        "//pkg/auth/authorizer:go_default_library",
+        "//pkg/util/errors:go_default_library",
+    ],
+)
+
+go_test(
+    name = "go_default_test",
+    srcs = ["union_test.go"],
+    library = "go_default_library",
+    tags = ["automanaged"],
+    deps = ["//pkg/auth/authorizer:go_default_library"],
+)

vendor/k8s.io/kubernetes/pkg/auth/authorizer/union/union.go

@@ -0,0 +1,57 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package union
+
+import (
+	"strings"
+
+	"k8s.io/kubernetes/pkg/auth/authorizer"
+	utilerrors "k8s.io/kubernetes/pkg/util/errors"
+)
+
+// unionAuthzHandler authorizer against a chain of authorizer.Authorizer
+type unionAuthzHandler []authorizer.Authorizer
+
+// New returns an authorizer that authorizes against a chain of authorizer.Authorizer objects
+func New(authorizationHandlers ...authorizer.Authorizer) authorizer.Authorizer {
+	return unionAuthzHandler(authorizationHandlers)
+}
+
+// Authorizes against a chain of authorizer.Authorizer objects and returns nil if successful and returns error if unsuccessful
+func (authzHandler unionAuthzHandler) Authorize(a authorizer.Attributes) (bool, string, error) {
+	var (
+		errlist    []error
+		reasonlist []string
+	)
+
+	for _, currAuthzHandler := range authzHandler {
+		authorized, reason, err := currAuthzHandler.Authorize(a)
+
+		if err != nil {
+			errlist = append(errlist, err)
+		}
+		if len(reason) != 0 {
+			reasonlist = append(reasonlist, reason)
+		}
+		if !authorized {
+			continue
+		}
+		return true, reason, nil
+	}
+
+	return false, strings.Join(reasonlist, "\n"), utilerrors.NewAggregate(errlist)
+}

vendor/k8s.io/kubernetes/pkg/auth/authorizer/union/union_test.go

@@ -0,0 +1,83 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package union
+
+import (
+	"fmt"
+	"testing"
+
+	"k8s.io/kubernetes/pkg/auth/authorizer"
+)
+
+type mockAuthzHandler struct {
+	isAuthorized bool
+	err          error
+}
+
+func (mock *mockAuthzHandler) Authorize(a authorizer.Attributes) (bool, string, error) {
+	if mock.err != nil {
+		return false, "", mock.err
+	}
+	if !mock.isAuthorized {
+		return false, "", nil
+	}
+	return true, "", nil
+}
+
+func TestAuthorizationSecondPasses(t *testing.T) {
+	handler1 := &mockAuthzHandler{isAuthorized: false}
+	handler2 := &mockAuthzHandler{isAuthorized: true}
+	authzHandler := New(handler1, handler2)
+
+	authorized, _, _ := authzHandler.Authorize(nil)
+	if !authorized {
+		t.Errorf("Unexpected authorization failure")
+	}
+}
+
+func TestAuthorizationFirstPasses(t *testing.T) {
+	handler1 := &mockAuthzHandler{isAuthorized: true}
+	handler2 := &mockAuthzHandler{isAuthorized: false}
+	authzHandler := New(handler1, handler2)
+
+	authorized, _, _ := authzHandler.Authorize(nil)
+	if !authorized {
+		t.Errorf("Unexpected authorization failure")
+	}
+}
+
+func TestAuthorizationNonePasses(t *testing.T) {
+	handler1 := &mockAuthzHandler{isAuthorized: false}
+	handler2 := &mockAuthzHandler{isAuthorized: false}
+	authzHandler := New(handler1, handler2)
+
+	authorized, _, _ := authzHandler.Authorize(nil)
+	if authorized {
+		t.Errorf("Expected failed authorization")
+	}
+}
+
+func TestAuthorizationError(t *testing.T) {
+	handler1 := &mockAuthzHandler{err: fmt.Errorf("foo")}
+	handler2 := &mockAuthzHandler{err: fmt.Errorf("foo")}
+	authzHandler := New(handler1, handler2)
+
+	_, _, err := authzHandler.Authorize(nil)
+	if err == nil {
+		t.Errorf("Expected error: %v", err)
+	}
+}