feat: kubesphere 4.0 (#6115)
* feat: kubesphere 4.0 Signed-off-by: ci-bot <ci-bot@kubesphere.io> * feat: kubesphere 4.0 Signed-off-by: ci-bot <ci-bot@kubesphere.io> --------- Signed-off-by: ci-bot <ci-bot@kubesphere.io> Co-authored-by: ks-ci-bot <ks-ci-bot@example.com> Co-authored-by: joyceliu <joyceliu@yunify.com>
This commit is contained in:
KubeSphere CI Bot
committed by
GitHub
GitHub
parent
b5015ec7b9
commit
447a51f08b
52
vendor/github.com/open-policy-agent/opa/bundle/store.go
generated
vendored
52
vendor/github.com/open-policy-agent/opa/bundle/store.go
generated
vendored
@@ -13,6 +13,7 @@ import (
|
||||
"strings"
|
||||
|
||||
"github.com/open-policy-agent/opa/ast"
|
||||
iCompiler "github.com/open-policy-agent/opa/internal/compiler"
|
||||
"github.com/open-policy-agent/opa/internal/json/patch"
|
||||
"github.com/open-policy-agent/opa/metrics"
|
||||
"github.com/open-policy-agent/opa/storage"
|
||||
@@ -291,14 +292,16 @@ func readEtagFromStore(ctx context.Context, store storage.Store, txn storage.Tra
|
||||
|
||||
// ActivateOpts defines options for the Activate API call.
|
||||
type ActivateOpts struct {
|
||||
Ctx context.Context
|
||||
Store storage.Store
|
||||
Txn storage.Transaction
|
||||
TxnCtx *storage.Context
|
||||
Compiler *ast.Compiler
|
||||
Metrics metrics.Metrics
|
||||
Bundles map[string]*Bundle // Optional
|
||||
ExtraModules map[string]*ast.Module // Optional
|
||||
Ctx context.Context
|
||||
Store storage.Store
|
||||
Txn storage.Transaction
|
||||
TxnCtx *storage.Context
|
||||
Compiler *ast.Compiler
|
||||
Metrics metrics.Metrics
|
||||
Bundles map[string]*Bundle // Optional
|
||||
ExtraModules map[string]*ast.Module // Optional
|
||||
AuthorizationDecisionRef ast.Ref
|
||||
ParserOptions ast.ParserOptions
|
||||
|
||||
legacy bool
|
||||
}
|
||||
@@ -312,10 +315,11 @@ func Activate(opts *ActivateOpts) error {
|
||||
|
||||
// DeactivateOpts defines options for the Deactivate API call
|
||||
type DeactivateOpts struct {
|
||||
Ctx context.Context
|
||||
Store storage.Store
|
||||
Txn storage.Transaction
|
||||
BundleNames map[string]struct{}
|
||||
Ctx context.Context
|
||||
Store storage.Store
|
||||
Txn storage.Transaction
|
||||
BundleNames map[string]struct{}
|
||||
ParserOptions ast.ParserOptions
|
||||
}
|
||||
|
||||
// Deactivate the bundle(s). This will erase associated data, policies, and the manifest entry from the store.
|
||||
@@ -330,7 +334,7 @@ func Deactivate(opts *DeactivateOpts) error {
|
||||
erase[root] = struct{}{}
|
||||
}
|
||||
}
|
||||
_, err := eraseBundles(opts.Ctx, opts.Store, opts.Txn, opts.BundleNames, erase)
|
||||
_, err := eraseBundles(opts.Ctx, opts.Store, opts.Txn, opts.ParserOptions, opts.BundleNames, erase)
|
||||
return err
|
||||
}
|
||||
|
||||
@@ -380,7 +384,7 @@ func activateBundles(opts *ActivateOpts) error {
|
||||
|
||||
// Erase data and policies at new + old roots, and remove the old
|
||||
// manifests before activating a new snapshot bundle.
|
||||
remaining, err := eraseBundles(opts.Ctx, opts.Store, opts.Txn, names, erase)
|
||||
remaining, err := eraseBundles(opts.Ctx, opts.Store, opts.Txn, opts.ParserOptions, names, erase)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
@@ -450,7 +454,7 @@ func activateBundles(opts *ActivateOpts) error {
|
||||
remainingAndExtra[name] = mod
|
||||
}
|
||||
|
||||
err = compileModules(opts.Compiler, opts.Metrics, snapshotBundles, remainingAndExtra, opts.legacy)
|
||||
err = compileModules(opts.Compiler, opts.Metrics, snapshotBundles, remainingAndExtra, opts.legacy, opts.AuthorizationDecisionRef)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
@@ -491,7 +495,7 @@ func doDFS(obj map[string]json.RawMessage, path string, roots []string) error {
|
||||
|
||||
// Note: filepath.Join can return paths with '\' separators, always use
|
||||
// filepath.ToSlash to keep them normalized.
|
||||
newPath = strings.TrimLeft(filepath.ToSlash(newPath), "/.")
|
||||
newPath = strings.TrimLeft(normalizePath(newPath), "/.")
|
||||
|
||||
contains := false
|
||||
prefix := false
|
||||
@@ -583,13 +587,13 @@ func activateDeltaBundles(opts *ActivateOpts, bundles map[string]*Bundle) error
|
||||
|
||||
// erase bundles by name and roots. This will clear all policies and data at its roots and remove its
|
||||
// manifest from storage.
|
||||
func eraseBundles(ctx context.Context, store storage.Store, txn storage.Transaction, names map[string]struct{}, roots map[string]struct{}) (map[string]*ast.Module, error) {
|
||||
func eraseBundles(ctx context.Context, store storage.Store, txn storage.Transaction, parserOpts ast.ParserOptions, names map[string]struct{}, roots map[string]struct{}) (map[string]*ast.Module, error) {
|
||||
|
||||
if err := eraseData(ctx, store, txn, roots); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
remaining, err := erasePolicies(ctx, store, txn, roots)
|
||||
remaining, err := erasePolicies(ctx, store, txn, parserOpts, roots)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
@@ -631,7 +635,7 @@ func eraseData(ctx context.Context, store storage.Store, txn storage.Transaction
|
||||
return nil
|
||||
}
|
||||
|
||||
func erasePolicies(ctx context.Context, store storage.Store, txn storage.Transaction, roots map[string]struct{}) (map[string]*ast.Module, error) {
|
||||
func erasePolicies(ctx context.Context, store storage.Store, txn storage.Transaction, parserOpts ast.ParserOptions, roots map[string]struct{}) (map[string]*ast.Module, error) {
|
||||
|
||||
ids, err := store.ListPolicies(ctx, txn)
|
||||
if err != nil {
|
||||
@@ -645,7 +649,7 @@ func erasePolicies(ctx context.Context, store storage.Store, txn storage.Transac
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
module, err := ast.ParseModule(id, string(bs))
|
||||
module, err := ast.ParseModuleWithOpts(id, string(bs), parserOpts)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
@@ -755,7 +759,7 @@ func writeData(ctx context.Context, store storage.Store, txn storage.Transaction
|
||||
return nil
|
||||
}
|
||||
|
||||
func compileModules(compiler *ast.Compiler, m metrics.Metrics, bundles map[string]*Bundle, extraModules map[string]*ast.Module, legacy bool) error {
|
||||
func compileModules(compiler *ast.Compiler, m metrics.Metrics, bundles map[string]*Bundle, extraModules map[string]*ast.Module, legacy bool, authorizationDecisionRef ast.Ref) error {
|
||||
|
||||
m.Timer(metrics.RegoModuleCompile).Start()
|
||||
defer m.Timer(metrics.RegoModuleCompile).Stop()
|
||||
@@ -789,7 +793,11 @@ func compileModules(compiler *ast.Compiler, m metrics.Metrics, bundles map[strin
|
||||
return compiler.Errors
|
||||
}
|
||||
|
||||
return nil
|
||||
if authorizationDecisionRef.Equal(ast.EmptyRef()) {
|
||||
return nil
|
||||
}
|
||||
|
||||
return iCompiler.VerifyAuthorizationPolicySchema(compiler, authorizationDecisionRef)
|
||||
}
|
||||
|
||||
func writeModules(ctx context.Context, store storage.Store, txn storage.Transaction, compiler *ast.Compiler, m metrics.Metrics, bundles map[string]*Bundle, extraModules map[string]*ast.Module, legacy bool) error {
|
||||
|
||||
Reference in New Issue
Block a user