kubeflow · k8s-ci-robot · Nov 17, 2020 · Nov 5, 2020 · Nov 5, 2020 · Nov 5, 2020
diff --git a/backend/src/apiserver/BUILD.bazel b/backend/src/apiserver/BUILD.bazel
@@ -11,6 +11,7 @@ go_library(
     visibility = ["//visibility:private"],
     deps = [
         "//backend/api:go_default_library",
+        "//backend/src/apiserver/archive:go_default_library",
         "//backend/src/apiserver/client:go_default_library",
         "//backend/src/apiserver/common:go_default_library",
         "//backend/src/apiserver/model:go_default_library",
@@ -21,6 +22,7 @@ go_library(
         "@com_github_cenkalti_backoff//:go_default_library",
         "@com_github_fsnotify_fsnotify//:go_default_library",
         "@com_github_golang_glog//:go_default_library",
+        "@com_github_gorilla_mux//:go_default_library",
         "@com_github_grpc_ecosystem_grpc_gateway//runtime:go_default_library",
         "@com_github_jinzhu_gorm//:go_default_library",
         "@com_github_jinzhu_gorm//dialects/sqlite:go_default_library",

diff --git a/backend/src/apiserver/client/BUILD.bazel b/backend/src/apiserver/client/BUILD.bazel
@@ -5,14 +5,14 @@ go_library(
     srcs = [
         "argo.go",
         "argo_fake.go",
-        "kfam.go",
-        "kfam_fake.go",
         "kubernetes_core.go",
         "kubernetes_core_fake.go",
         "minio.go",
         "pod_fake.go",
         "scheduled_workflow_fake.go",
         "sql.go",
+        "subject_access_review.go",
+        "subject_access_review_fake.go",
         "swf.go",
         "swf_fake.go",
         "workflow_fake.go",
@@ -33,6 +33,7 @@ go_library(
         "@com_github_minio_minio_go//:go_default_library",
         "@com_github_minio_minio_go//pkg/credentials:go_default_library",
         "@com_github_pkg_errors//:go_default_library",
+        "@io_k8s_api//authorization/v1:go_default_library",
         "@io_k8s_api//core/v1:go_default_library",
         "@io_k8s_api//policy/v1beta1:go_default_library",
         "@io_k8s_apimachinery//pkg/api/errors:go_default_library",
@@ -48,14 +49,8 @@ go_library(
 
 go_test(
     name = "go_default_test",
-    srcs = [
-        "kfam_test.go",
-        "sql_test.go",
-    ],
+    srcs = ["sql_test.go"],
     data = glob(["test/**/*"]),  # keep
     embed = [":go_default_library"],
-    deps = [
-        "@com_github_go_sql_driver_mysql//:go_default_library",
-        "@com_github_stretchr_testify//assert:go_default_library",
-    ],
+    deps = ["@com_github_go_sql_driver_mysql//:go_default_library"],
 )
diff --git a/backend/src/apiserver/client/kfam.go b/backend/src/apiserver/client/kfam.go
diff --git a/backend/src/apiserver/client/kfam_fake.go b/backend/src/apiserver/client/kfam_fake.go
diff --git a/backend/src/apiserver/client/kfam_test.go b/backend/src/apiserver/client/kfam_test.go
diff --git a/backend/src/apiserver/client/kubernetes_core.go b/backend/src/apiserver/client/kubernetes_core.go
@@ -41,10 +41,7 @@ func CreateKubernetesCoreOrFatal(initConnectionTimeout time.Duration) Kubernetes
 	var err error
 	var operation = func() error {
 		client, err = createKubernetesCore()
-		if err != nil {
-			return err
-		}
-		return nil
+		return err
 	}
 	b := backoff.NewExponentialBackOff()
 	b.MaxElapsedTime = initConnectionTimeout

diff --git a/backend/src/apiserver/client/subject_access_review.go b/backend/src/apiserver/client/subject_access_review.go
@@ -0,0 +1,61 @@
+// Copyright 2020 Arrikto Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package client
+
+import (
+	"time"
+
+	"github.com/cenkalti/backoff"
+	"github.com/golang/glog"
+	"github.com/pkg/errors"
+	authzv1 "k8s.io/api/authorization/v1"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/rest"
+)
+
+type SubjectAccessReviewInterface interface {
+	Create(sar *authzv1.SubjectAccessReview) (result *authzv1.SubjectAccessReview, err error)
+}
+
+func createSubjectAccessReviewClient() (SubjectAccessReviewInterface, error) {
+	restConfig, err := rest.InClusterConfig()
+	if err != nil {
+		return nil, errors.Wrap(err, "Failed to initialize kubernetes client.")
+	}
+
+	clientSet, err := kubernetes.NewForConfig(restConfig)
+	if err != nil {
+		return nil, errors.Wrap(err, "Failed to initialize kubernetes client set.")
+	}
+	return clientSet.AuthorizationV1().SubjectAccessReviews(), nil
+}
+
+// CreateSubjectAccessReviewClientOrFatal creates a new SubjectAccessReview client.
+func CreateSubjectAccessReviewClientOrFatal(initConnectionTimeout time.Duration) SubjectAccessReviewInterface {
+	var client SubjectAccessReviewInterface
+	var err error
+	var operation = func() error {
+		client, err = createSubjectAccessReviewClient()
+		return err
+	}
+	b := backoff.NewExponentialBackOff()
+	b.MaxElapsedTime = initConnectionTimeout
+	err = backoff.Retry(operation, b)
+
+	if err != nil {
+		glog.Fatalf("Failed to create SubjectAccessReview client. Error: %v", err)
+	}
+	return client
+}
diff --git a/backend/src/apiserver/client/subject_access_review_fake.go b/backend/src/apiserver/client/subject_access_review_fake.go
@@ -0,0 +1,63 @@
+// Copyright 2020 Arrikto Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package client
+
+import (
+	"github.com/pkg/errors"
+	authzv1 "k8s.io/api/authorization/v1"
+)
+
+type FakeSubjectAccessReviewClient struct {
+}
+
+func (FakeSubjectAccessReviewClient) Create(*authzv1.SubjectAccessReview) (*authzv1.SubjectAccessReview, error) {
+	return &authzv1.SubjectAccessReview{Status: authzv1.SubjectAccessReviewStatus{
+		Allowed:         true,
+		Denied:          false,
+		Reason:          "",
+		EvaluationError: "",
+	}}, nil
+}
+
+func NewFakeSubjectAccessReviewClient() FakeSubjectAccessReviewClient {
+	return FakeSubjectAccessReviewClient{}
+}
+
+type FakeSubjectAccessReviewClientUnauthorized struct {
+}
+
+func (FakeSubjectAccessReviewClientUnauthorized) Create(*authzv1.SubjectAccessReview) (*authzv1.SubjectAccessReview, error) {
+	return &authzv1.SubjectAccessReview{Status: authzv1.SubjectAccessReviewStatus{
+		Allowed:         false,
+		Denied:          false,
+		Reason:          "this is not allowed",
+		EvaluationError: "",
+	}}, nil
+}
+
+func NewFakeSubjectAccessReviewClientUnauthorized() FakeSubjectAccessReviewClientUnauthorized {
+	return FakeSubjectAccessReviewClientUnauthorized{}
+}
+
+type FakeSubjectAccessReviewClientError struct {
+}
+
+func (FakeSubjectAccessReviewClientError) Create(*authzv1.SubjectAccessReview) (*authzv1.SubjectAccessReview, error) {
+	return nil, errors.New("failed to create subject access review")
+}
+
+func NewFakeSubjectAccessReviewClientError() FakeSubjectAccessReviewClientError {
+	return FakeSubjectAccessReviewClientError{}
+}