From 8a944797fe890642cdd26a5625d5a8c06e642011 Mon Sep 17 00:00:00 2001
From: deads2k
Date: Tue, 11 Oct 2016 10:07:25 -0400
Subject: [PATCH] allow review endpoints on missing namespaces

---
 pkg/project/admission/lifecycle/admission.go | 31 +++++++++----------
 test/cmd/projects.sh | 17 ++++++++++
 .../namespace/lifecycle/admission.go | 1 +
 3 files changed, 32 insertions(+), 17 deletions(-)

diff --git a/pkg/project/admission/lifecycle/admission.go b/pkg/project/admission/lifecycle/admission.go
index 528b84bbee5e..952cc9f40129 100644
--- a/pkg/project/admission/lifecycle/admission.go
+++ b/pkg/project/admission/lifecycle/admission.go
@@ -10,11 +10,11 @@ import (
 
 	"k8s.io/kubernetes/pkg/admission"
 	"k8s.io/kubernetes/pkg/api/meta"
+	"k8s.io/kubernetes/pkg/api/unversioned"
 	"k8s.io/kubernetes/pkg/apimachinery/registered"
 	clientset "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
-	"k8s.io/kubernetes/pkg/util/sets"
 
-	"github.com/openshift/origin/pkg/api"
+	authorizationapi "github.com/openshift/origin/pkg/authorization/api"
 	oadmission "github.com/openshift/origin/pkg/cmd/server/admission"
 	"github.com/openshift/origin/pkg/project/cache"
 	projectutil "github.com/openshift/origin/pkg/project/util"
@@ -33,10 +33,17 @@ type lifecycle struct {
 	cache *cache.ProjectCache
 
 	// creatableResources is a set of resources that can be created even if the namespace is terminating
-	creatableResources sets.String
+	creatableResources map[unversioned.GroupResource]bool
 }
 
-var recommendedCreatableResources = sets.NewString("resourceaccessreviews", "localresourceaccessreviews")
+var recommendedCreatableResources = map[unversioned.GroupResource]bool{
+	authorizationapi.Resource("resourceaccessreviews"): true,
+	authorizationapi.Resource("localresourceaccessreviews"): true,
+	authorizationapi.Resource("subjectaccessreviews"): true,
+	authorizationapi.Resource("localsubjectaccessreviews"): true,
+	authorizationapi.Resource("selfsubjectrulesreviews"): true,
+	authorizationapi.Resource("subjectrulesreviews"): true,
+}
 
 var _ = oadmission.WantsProjectCache(&lifecycle{})
 var _ = oadmission.Validator(&lifecycle{})
@@ -46,9 +53,8 @@ func (e *lifecycle) Admit(a admission.Attributes) (err error) {
 	if len(a.GetNamespace()) == 0 {
 		return nil
 	}
-	// always allow a SAR request through, the SAR will return information about
-	// the ability to take action on the object, no need to verify it here.
-	if isSubjectAccessReview(a) {
+	// always allow creatable resources through. These requests should always be allowed.
+	if e.creatableResources[a.GetResource().GroupResource()] {
 		return nil
 	}
 
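Review bot: The field comment `// creatableResources is a set of resources that can be created even if the namespace is terminating` is now stale: the Admit check in the next hunk consults this map for every request on those resources whether or not the namespace is terminating, and the commit subject indicates missing namespaces are the motivating case. Since the map is a complete bypass of this plugin's checks, the comment should say what qualifies an entry, e.g. `// creatableResources are review-style resources whose requests skip the namespace lifecycle checks entirely; keep this to resources that only evaluate a request and persist nothing in the namespace.` A false value in the map behaves the same as an absent key, which is worth a word if anyone is expected to build this map by hand. The struct definition starts above this hunk.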
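Review bot: The replacement comment `// always allow creatable resources through. These requests should always be allowed.` restates the code without the rationale the removed comment carried, and the condition now matches on the request's GroupResource for any verb rather than on the SubjectAccessReview kinds. Anyone auditing this bypass needs the why, e.g. `// review resources only report whether an action would be permitted and persist nothing in the namespace, so a terminating or missing namespace is no reason to reject them.` Matching on GroupResource also means every future entry added to recommendedCreatableResources widens this bypass for all verbs, which the comment could note so additions get the same scrutiny. Admit's body continues past the end of the hunk.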
@@ -117,18 +123,9 @@ func (e *lifecycle) Validate() error {
 	return nil
 }
 
-func NewLifecycle(client clientset.Interface, creatableResources sets.String) (admission.Interface, error) {
+func NewLifecycle(client clientset.Interface, creatableResources map[unversioned.GroupResource]bool) (admission.Interface, error) {
 	return &lifecycle{
 		client: client,
 		creatableResources: creatableResources,
 	}, nil
 }
-
-var (
-	sar = api.Kind("SubjectAccessReview")
-	lsar = api.Kind("LocalSubjectAccessReview")
-)
-
-func isSubjectAccessReview(a admission.Attributes) bool {
-	return a.GetKind().GroupKind() == sar || a.GetKind().GroupKind() == lsar
-}
diff --git a/test/cmd/projects.sh b/test/cmd/projects.sh
index ccec18205fb1..33d48ca5837a 100755
--- a/test/cmd/projects.sh
+++ b/test/cmd/projects.sh
@@ -3,6 +3,21 @@ source "$(dirname "${BASH_SOURCE}")/../../hack/lib/init.sh"
 
 trap os::test::junit::reconcile_output EXIT
 os::test::junit::declare_suite_start "cmd/projects"
+
+os::test::junit::declare_suite_start "cmd/projects/lifecycle"
+# resourceaccessreview
+os::cmd::expect_success 'oc policy who-can get pods -n missing-ns'
+# selfsubjectaccessreview
+os::cmd::expect_success 'oc policy can-i get pods -n missing-ns'
+# selfsubjectrulesreivew
+os::cmd::expect_success 'oc policy can-i --list -n missing-ns'
+# subjectaccessreview
+os::cmd::expect_success 'oc policy can-i get pods --user=bob -n missing-ns'
+# subjectrulesreview
+os::cmd::expect_success 'oc policy can-i --list --user=bob -n missing-ns'
+echo 'project lifecycle ok'
+os::test::junit::declare_suite_end
+
 os::cmd::expect_failure_and_text 'oc projects test_arg' 'no arguments'
 # log in as a test user and expect no projects
 os::cmd::expect_success 'oc login -u test -p test'
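Review bot: NewLifecycle is exported but still has no doc comment, and its new parameter type deserves one because the map is an allowlist that exempts whole resources from this plugin. Suggest `// NewLifecycle returns the project lifecycle admission plugin. Requests for the GroupResources in creatableResources bypass its namespace checks; callers normally pass recommendedCreatableResources.` — the last clause is inferred from the variable's name and should be confirmed against the registration code, which is outside this diff. The map is stored by reference, so a caller that mutates it after construction silently changes admission behaviour; either say so in the comment or copy the entries into a fresh map here.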
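Review bot: The new suite only asserts that each review command exits zero; nothing checks that a non-review request into `missing-ns` is still rejected, so a later change that widened the admission bypass would pass these tests unnoticed. A negative case such as `os::cmd::expect_failure 'oc create configmap lifecycle-test -n missing-ns'` would pin the boundary (confirm the actual failure text before tightening it to expect_failure_and_text). The comment `# selfsubjectrulesreivew` has a typo and should read `# selfsubjectrulesreview`. The positive cases could likewise assert on the reviews' output rather than the exit code alone, since an error-free empty answer would also pass as written.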
@@ -21,4 +36,6 @@ os::cmd::try_until_text 'oc projects' 'test6'
 os::cmd::expect_success_and_text 'oc project test6' 'Now using project "test6"'
 os::cmd::expect_success_and_text 'oc config view -o jsonpath="{.contexts[*].context.namespace}"' '\btest6\b'
 echo 'projects command ok'
+
+
 os::test::junit::declare_suite_end
diff --git a/vendor/k8s.io/kubernetes/plugin/pkg/admission/namespace/lifecycle/admission.go b/vendor/k8s.io/kubernetes/plugin/pkg/admission/namespace/lifecycle/admission.go
index 50f6c3cfbd96..74d6e95efbfc 100644
--- a/vendor/k8s.io/kubernetes/plugin/pkg/admission/namespace/lifecycle/admission.go
+++ b/vendor/k8s.io/kubernetes/plugin/pkg/admission/namespace/lifecycle/admission.go
@@ -205,6 +205,7 @@ var accessReviewResources = map[unversioned.GroupResource]bool{
 	unversioned.GroupResource{Group: "", Resource: "resourceaccessreviews"}: true,
 	unversioned.GroupResource{Group: "", Resource: "localresourceaccessreviews"}: true,
 	unversioned.GroupResource{Group: "", Resource: "selfsubjectrulesreviews"}: true,
+	unversioned.GroupResource{Group: "", Resource: "subjectrulesreviews"}: true,
 }
 
 func isAccessReview(a admission.Attributes) bool {