mirror of
https://github.com/projectcapsule/capsule.git
synced 2026-04-01 00:09:31 +00:00
a6b830b1af
* fix(controller): decode old object for delete requests Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * chore: modernize golang Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * chore: modernize golang Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * chore: modernize golang Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * fix(config): remove usergroups default Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * fix(config): remove usergroups default Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * sec(ghsa-2ww6-hf35-mfjm): intercept namespace subresource Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * feat(api): add rulestatus api Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * chore: conflicts Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * chore: conflicts Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * chore: conflicts Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * chore: conflicts Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * chore: conflicts Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * chore: conflicts Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * chore: conflicts Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * chore: conflicts Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * chore: conflicts Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * chore: conflicts Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * chore: conflicts Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * feat(api): add rulestatus api Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * feat(api): add rulestatus api Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * feat(api): add rulestatus api Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * feat(api): add rulestatus api Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * feat(api): add rulestatus api Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> * feat(api): add rulestatus api Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com> --------- Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>
96 lines
2.0 KiB
Go
96 lines
2.0 KiB
Go
// Copyright 2020-2026 Project Capsule Authors
|
|
// SPDX-License-Identifier: Apache-2.0
|
|
|
|
package api
|
|
|
|
import (
|
|
"fmt"
|
|
"reflect"
|
|
"regexp"
|
|
"sort"
|
|
"strings"
|
|
)
|
|
|
|
// +kubebuilder:object:generate=true
|
|
type ForbiddenListSpec struct {
|
|
Exact []string `json:"denied,omitempty"`
|
|
Regex string `json:"deniedRegex,omitempty"`
|
|
}
|
|
|
|
func (in ForbiddenListSpec) ExactMatch(value string) (ok bool) {
|
|
if len(in.Exact) > 0 {
|
|
sort.SliceStable(in.Exact, func(i, j int) bool {
|
|
return strings.ToLower(in.Exact[i]) < strings.ToLower(in.Exact[j])
|
|
})
|
|
|
|
i := sort.SearchStrings(in.Exact, value)
|
|
|
|
ok = i < len(in.Exact) && in.Exact[i] == value
|
|
}
|
|
|
|
return ok
|
|
}
|
|
|
|
func (in ForbiddenListSpec) RegexMatch(value string) (ok bool) {
|
|
if len(in.Regex) > 0 {
|
|
ok = regexp.MustCompile(in.Regex).MatchString(value)
|
|
}
|
|
|
|
return ok
|
|
}
|
|
|
|
type ForbiddenError struct {
|
|
key string
|
|
spec ForbiddenListSpec
|
|
}
|
|
|
|
func NewForbiddenError(key string, forbiddenSpec ForbiddenListSpec) error {
|
|
return &ForbiddenError{
|
|
key: key,
|
|
spec: forbiddenSpec,
|
|
}
|
|
}
|
|
|
|
func (f ForbiddenError) Error() string {
|
|
return fmt.Sprintf("%s is forbidden for the current Tenant. %s", f.key, f.appendForbiddenError())
|
|
}
|
|
|
|
//nolint:predeclared,revive
|
|
func (f *ForbiddenError) appendForbiddenError() (append string) {
|
|
append += "Forbidden are "
|
|
if len(f.spec.Exact) > 0 {
|
|
append += fmt.Sprintf("one of the following (%s)", strings.Join(f.spec.Exact, ", "))
|
|
if len(f.spec.Regex) > 0 {
|
|
append += " or "
|
|
}
|
|
}
|
|
|
|
if len(f.spec.Regex) > 0 {
|
|
append += fmt.Sprintf("matching the regex %s", f.spec.Regex)
|
|
}
|
|
|
|
return append
|
|
}
|
|
|
|
func ValidateForbidden(metadata map[string]string, forbiddenList ForbiddenListSpec) error {
|
|
if reflect.DeepEqual(ForbiddenListSpec{}, forbiddenList) {
|
|
return nil
|
|
}
|
|
|
|
for key := range metadata {
|
|
var forbidden, matched bool
|
|
|
|
forbidden = forbiddenList.ExactMatch(key)
|
|
matched = forbiddenList.RegexMatch(key)
|
|
|
|
if forbidden || matched {
|
|
return NewForbiddenError(
|
|
key,
|
|
forbiddenList,
|
|
)
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|