ceph-csi/vendor/k8s.io/apiserver/pkg/authorization/cel/compile.go

/*
Copyright 2023 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package cel

import (
	"fmt"

	"github.com/google/cel-go/cel"
	celast "github.com/google/cel-go/common/ast"
	"github.com/google/cel-go/common/operators"
	"github.com/google/cel-go/common/types/ref"

	authorizationv1 "k8s.io/api/authorization/v1"
	"k8s.io/apimachinery/pkg/util/version"
	apiservercel "k8s.io/apiserver/pkg/cel"
	"k8s.io/apiserver/pkg/cel/environment"
	genericfeatures "k8s.io/apiserver/pkg/features"
	utilfeature "k8s.io/apiserver/pkg/util/feature"
)

const (
	subjectAccessReviewRequestVarName = "request"

	fieldSelectorVarName = "fieldSelector"
	labelSelectorVarName = "labelSelector"
)

// CompilationResult represents a compiled authorization cel expression.
type CompilationResult struct {
	Program            cel.Program
	ExpressionAccessor ExpressionAccessor

	// These track if a given expression uses fieldSelector and labelSelector,
	// so construction of data passed to the CEL expression can be optimized if those fields are unused.
	UsesFieldSelector bool
	UsesLabelSelector bool
}

// EvaluationResult contains the minimal required fields and metadata of a cel evaluation
type EvaluationResult struct {
	EvalResult         ref.Val
	ExpressionAccessor ExpressionAccessor
}

// Compiler is an interface for compiling CEL expressions with the desired environment mode.
type Compiler interface {
	CompileCELExpression(expressionAccessor ExpressionAccessor) (CompilationResult, error)
}

type compiler struct {
	envSet *environment.EnvSet
}

// NewCompiler returns a new Compiler.
func NewCompiler(env *environment.EnvSet) Compiler {
	return &compiler{
		envSet: mustBuildEnv(env),
	}
}

func (c compiler) CompileCELExpression(expressionAccessor ExpressionAccessor) (CompilationResult, error) {
	resultError := func(errorString string, errType apiservercel.ErrorType) (CompilationResult, error) {
		err := &apiservercel.Error{
			Type:   errType,
			Detail: errorString,
		}
		return CompilationResult{
			ExpressionAccessor: expressionAccessor,
		}, err
	}
	env, err := c.envSet.Env(environment.StoredExpressions)
	if err != nil {
		return resultError(fmt.Sprintf("unexpected error loading CEL environment: %v", err), apiservercel.ErrorTypeInternal)
	}
	ast, issues := env.Compile(expressionAccessor.GetExpression())
	if issues != nil {
		return resultError("compilation failed: "+issues.String(), apiservercel.ErrorTypeInvalid)
	}
	found := false
	returnTypes := expressionAccessor.ReturnTypes()
	for _, returnType := range returnTypes {
		if ast.OutputType() == returnType {
			found = true
			break
		}
	}
	if !found {
		var reason string
		if len(returnTypes) == 1 {
			reason = fmt.Sprintf("must evaluate to %v but got %v", returnTypes[0].String(), ast.OutputType())
		} else {
			reason = fmt.Sprintf("must evaluate to one of %v", returnTypes)
		}

		return resultError(reason, apiservercel.ErrorTypeInvalid)
	}
	checkedExpr, err := cel.AstToCheckedExpr(ast)
	if err != nil {
		// should be impossible since env.Compile returned no issues
		return resultError("unexpected compilation error: "+err.Error(), apiservercel.ErrorTypeInternal)
	}
	celAST, err := celast.ToAST(checkedExpr)
	if err != nil {
		// should be impossible since env.Compile returned no issues
		return resultError("unexpected compilation error: "+err.Error(), apiservercel.ErrorTypeInternal)
	}

	var usesFieldSelector, usesLabelSelector bool
	celast.PreOrderVisit(celast.NavigateAST(celAST), celast.NewExprVisitor(func(e celast.Expr) {
		// we already know we use both, no need to inspect more
		if usesFieldSelector && usesLabelSelector {
			return
		}

		var fieldName string
		switch e.Kind() {
		case celast.SelectKind:
			// simple select (.fieldSelector / .labelSelector)
			fieldName = e.AsSelect().FieldName()
		case celast.CallKind:
			// optional select (.?fieldSelector / .?labelSelector)
			if e.AsCall().FunctionName() != operators.OptSelect {
				return
			}
			args := e.AsCall().Args()
			// args[0] is the receiver (what comes before the `.?`), args[1] is the field name being optionally selected (what comes after the `.?`)
			if len(args) != 2 || args[1].Kind() != celast.LiteralKind || args[1].AsLiteral().Type() != cel.StringType {
				return
			}
			fieldName, _ = args[1].AsLiteral().Value().(string)
		}

		switch fieldName {
		case fieldSelectorVarName:
			usesFieldSelector = true
		case labelSelectorVarName:
			usesLabelSelector = true
		}
	}))

	prog, err := env.Program(ast)
	if err != nil {
		return resultError("program instantiation failed: "+err.Error(), apiservercel.ErrorTypeInternal)
	}
	return CompilationResult{
		Program:            prog,
		ExpressionAccessor: expressionAccessor,
		UsesFieldSelector:  usesFieldSelector,
		UsesLabelSelector:  usesLabelSelector,
	}, nil
}

func mustBuildEnv(baseEnv *environment.EnvSet) *environment.EnvSet {
	field := func(name string, declType *apiservercel.DeclType, required bool) *apiservercel.DeclField {
		return apiservercel.NewDeclField(name, declType, required, nil, nil)
	}
	fields := func(fields ...*apiservercel.DeclField) map[string]*apiservercel.DeclField {
		result := make(map[string]*apiservercel.DeclField, len(fields))
		for _, f := range fields {
			result[f.Name] = f
		}
		return result
	}
	subjectAccessReviewSpecRequestType := buildRequestType(field, fields)
	extended, err := baseEnv.Extend(
		environment.VersionedOptions{
			// we record this as 1.0 since it was available in the
			// first version that supported this feature
			IntroducedVersion: version.MajorMinor(1, 0),
			EnvOptions: []cel.EnvOption{
				cel.Variable(subjectAccessReviewRequestVarName, subjectAccessReviewSpecRequestType.CelType()),
			},
			DeclTypes: []*apiservercel.DeclType{
				subjectAccessReviewSpecRequestType,
			},
		},
	)
	if err != nil {
		panic(fmt.Sprintf("environment misconfigured: %v", err))
	}

	return extended
}

// buildRequestType generates a DeclType for SubjectAccessReviewSpec.
// if attributes are added here, also add to convertObjectToUnstructured.
func buildRequestType(field func(name string, declType *apiservercel.DeclType, required bool) *apiservercel.DeclField, fields func(fields ...*apiservercel.DeclField) map[string]*apiservercel.DeclField) *apiservercel.DeclType {
	resourceAttributesType := buildResourceAttributesType(field, fields)
	nonResourceAttributesType := buildNonResourceAttributesType(field, fields)
	return apiservercel.NewObjectType("kubernetes.SubjectAccessReviewSpec", fields(
		field("resourceAttributes", resourceAttributesType, false),
		field("nonResourceAttributes", nonResourceAttributesType, false),
		field("user", apiservercel.StringType, false),
		field("groups", apiservercel.NewListType(apiservercel.StringType, -1), false),
		field("extra", apiservercel.NewMapType(apiservercel.StringType, apiservercel.NewListType(apiservercel.StringType, -1), -1), false),
		field("uid", apiservercel.StringType, false),
	))
}

// buildResourceAttributesType generates a DeclType for ResourceAttributes.
// if attributes are added here, also add to convertObjectToUnstructured.
func buildResourceAttributesType(field func(name string, declType *apiservercel.DeclType, required bool) *apiservercel.DeclField, fields func(fields ...*apiservercel.DeclField) map[string]*apiservercel.DeclField) *apiservercel.DeclType {
	resourceAttributesFields := []*apiservercel.DeclField{
		field("namespace", apiservercel.StringType, false),
		field("verb", apiservercel.StringType, false),
		field("group", apiservercel.StringType, false),
		field("version", apiservercel.StringType, false),
		field("resource", apiservercel.StringType, false),
		field("subresource", apiservercel.StringType, false),
		field("name", apiservercel.StringType, false),
	}
	if utilfeature.DefaultFeatureGate.Enabled(genericfeatures.AuthorizeWithSelectors) {
		resourceAttributesFields = append(resourceAttributesFields, field("fieldSelector", buildFieldSelectorType(field, fields), false))
		resourceAttributesFields = append(resourceAttributesFields, field("labelSelector", buildLabelSelectorType(field, fields), false))
	}
	return apiservercel.NewObjectType("kubernetes.ResourceAttributes", fields(resourceAttributesFields...))
}

func buildFieldSelectorType(field func(name string, declType *apiservercel.DeclType, required bool) *apiservercel.DeclField, fields func(fields ...*apiservercel.DeclField) map[string]*apiservercel.DeclField) *apiservercel.DeclType {
	return apiservercel.NewObjectType("kubernetes.FieldSelectorAttributes", fields(
		field("rawSelector", apiservercel.StringType, false),
		field("requirements", apiservercel.NewListType(buildSelectorRequirementType(field, fields), -1), false),
	))
}

func buildLabelSelectorType(field func(name string, declType *apiservercel.DeclType, required bool) *apiservercel.DeclField, fields func(fields ...*apiservercel.DeclField) map[string]*apiservercel.DeclField) *apiservercel.DeclType {
	return apiservercel.NewObjectType("kubernetes.LabelSelectorAttributes", fields(
		field("rawSelector", apiservercel.StringType, false),
		field("requirements", apiservercel.NewListType(buildSelectorRequirementType(field, fields), -1), false),
	))
}

func buildSelectorRequirementType(field func(name string, declType *apiservercel.DeclType, required bool) *apiservercel.DeclField, fields func(fields ...*apiservercel.DeclField) map[string]*apiservercel.DeclField) *apiservercel.DeclType {
	return apiservercel.NewObjectType("kubernetes.SelectorRequirement", fields(
		field("key", apiservercel.StringType, false),
		field("operator", apiservercel.StringType, false),
		field("values", apiservercel.NewListType(apiservercel.StringType, -1), false),
	))
}

// buildNonResourceAttributesType generates a DeclType for NonResourceAttributes.
// if attributes are added here, also add to convertObjectToUnstructured.
func buildNonResourceAttributesType(field func(name string, declType *apiservercel.DeclType, required bool) *apiservercel.DeclField, fields func(fields ...*apiservercel.DeclField) map[string]*apiservercel.DeclField) *apiservercel.DeclType {
	return apiservercel.NewObjectType("kubernetes.NonResourceAttributes", fields(
		field("path", apiservercel.StringType, false),
		field("verb", apiservercel.StringType, false),
	))
}

func convertObjectToUnstructured(obj *authorizationv1.SubjectAccessReviewSpec, includeFieldSelector, includeLabelSelector bool) map[string]interface{} {
	// Construct version containing every SubjectAccessReview user and string attribute field, even omitempty ones, for evaluation by CEL
	extra := obj.Extra
	if extra == nil {
		extra = map[string]authorizationv1.ExtraValue{}
	}
	ret := map[string]interface{}{
		"user":   obj.User,
		"groups": obj.Groups,
		"uid":    string(obj.UID),
		"extra":  extra,
	}
	if obj.ResourceAttributes != nil {
		resourceAttributes := map[string]interface{}{
			"namespace":   obj.ResourceAttributes.Namespace,
			"verb":        obj.ResourceAttributes.Verb,
			"group":       obj.ResourceAttributes.Group,
			"version":     obj.ResourceAttributes.Version,
			"resource":    obj.ResourceAttributes.Resource,
			"subresource": obj.ResourceAttributes.Subresource,
			"name":        obj.ResourceAttributes.Name,
		}

		if includeFieldSelector && obj.ResourceAttributes.FieldSelector != nil {
			if len(obj.ResourceAttributes.FieldSelector.Requirements) > 0 {
				requirements := make([]map[string]interface{}, 0, len(obj.ResourceAttributes.FieldSelector.Requirements))
				for _, r := range obj.ResourceAttributes.FieldSelector.Requirements {
					requirements = append(requirements, map[string]interface{}{
						"key":      r.Key,
						"operator": r.Operator,
						"values":   r.Values,
					})
				}
				resourceAttributes[fieldSelectorVarName] = map[string]interface{}{"requirements": requirements}
			}
			if len(obj.ResourceAttributes.FieldSelector.RawSelector) > 0 {
				resourceAttributes[fieldSelectorVarName] = map[string]interface{}{"rawSelector": obj.ResourceAttributes.FieldSelector.RawSelector}
			}
		}

		if includeLabelSelector && obj.ResourceAttributes.LabelSelector != nil {
			if len(obj.ResourceAttributes.LabelSelector.Requirements) > 0 {
				requirements := make([]map[string]interface{}, 0, len(obj.ResourceAttributes.LabelSelector.Requirements))
				for _, r := range obj.ResourceAttributes.LabelSelector.Requirements {
					requirements = append(requirements, map[string]interface{}{
						"key":      r.Key,
						"operator": r.Operator,
						"values":   r.Values,
					})
				}
				resourceAttributes[labelSelectorVarName] = map[string]interface{}{"requirements": requirements}
			}
			if len(obj.ResourceAttributes.LabelSelector.RawSelector) > 0 {
				resourceAttributes[labelSelectorVarName] = map[string]interface{}{"rawSelector": obj.ResourceAttributes.LabelSelector.RawSelector}
			}
		}

		ret["resourceAttributes"] = resourceAttributes
	}
	if obj.NonResourceAttributes != nil {
		ret["nonResourceAttributes"] = map[string]string{
			"verb": obj.NonResourceAttributes.Verb,
			"path": obj.NonResourceAttributes.Path,
		}
	}
	return ret
}
rebase: update k8s.io packages to v0.29.0 Signed-off-by: Niels de Vos <ndevos@ibm.com> 2023-12-20 12:23:59 +00:00			`/*`
			`Copyright 2023 The Kubernetes Authors.`

			`Licensed under the Apache License, Version 2.0 (the "License");`
			`you may not use this file except in compliance with the License.`
			`You may obtain a copy of the License at`

			`http://www.apache.org/licenses/LICENSE-2.0`

			`Unless required by applicable law or agreed to in writing, software`
			`distributed under the License is distributed on an "AS IS" BASIS,`
			`WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`See the License for the specific language governing permissions and`
			`limitations under the License.`
			`*/`

			`package cel`

			`import (`
			`"fmt"`

			`"github.com/google/cel-go/cel"`
rebase: update kubernetes to latest updating the kubernetes release to the latest in main go.mod Signed-off-by: Madhu Rajanna <madhupr007@gmail.com> 2024-08-19 08:01:33 +00:00			`celast "github.com/google/cel-go/common/ast"`
			`"github.com/google/cel-go/common/operators"`
rebase: update k8s.io packages to v0.29.0 Signed-off-by: Niels de Vos <ndevos@ibm.com> 2023-12-20 12:23:59 +00:00			`"github.com/google/cel-go/common/types/ref"`

			`authorizationv1 "k8s.io/api/authorization/v1"`
			`"k8s.io/apimachinery/pkg/util/version"`
			`apiservercel "k8s.io/apiserver/pkg/cel"`
			`"k8s.io/apiserver/pkg/cel/environment"`
rebase: update kubernetes to latest updating the kubernetes release to the latest in main go.mod Signed-off-by: Madhu Rajanna <madhupr007@gmail.com> 2024-08-19 08:01:33 +00:00			`genericfeatures "k8s.io/apiserver/pkg/features"`
			`utilfeature "k8s.io/apiserver/pkg/util/feature"`
rebase: update k8s.io packages to v0.29.0 Signed-off-by: Niels de Vos <ndevos@ibm.com> 2023-12-20 12:23:59 +00:00			`)`

			`const (`
			`subjectAccessReviewRequestVarName = "request"`
rebase: update kubernetes to latest updating the kubernetes release to the latest in main go.mod Signed-off-by: Madhu Rajanna <madhupr007@gmail.com> 2024-08-19 08:01:33 +00:00
			`fieldSelectorVarName = "fieldSelector"`
			`labelSelectorVarName = "labelSelector"`
rebase: update k8s.io packages to v0.29.0 Signed-off-by: Niels de Vos <ndevos@ibm.com> 2023-12-20 12:23:59 +00:00			`)`

			`// CompilationResult represents a compiled authorization cel expression.`
			`type CompilationResult struct {`
			`Program cel.Program`
			`ExpressionAccessor ExpressionAccessor`
rebase: update kubernetes to latest updating the kubernetes release to the latest in main go.mod Signed-off-by: Madhu Rajanna <madhupr007@gmail.com> 2024-08-19 08:01:33 +00:00
			`// These track if a given expression uses fieldSelector and labelSelector,`
			`// so construction of data passed to the CEL expression can be optimized if those fields are unused.`
			`UsesFieldSelector bool`
			`UsesLabelSelector bool`
rebase: update k8s.io packages to v0.29.0 Signed-off-by: Niels de Vos <ndevos@ibm.com> 2023-12-20 12:23:59 +00:00			`}`

			`// EvaluationResult contains the minimal required fields and metadata of a cel evaluation`
			`type EvaluationResult struct {`
			`EvalResult ref.Val`
			`ExpressionAccessor ExpressionAccessor`
			`}`

			`// Compiler is an interface for compiling CEL expressions with the desired environment mode.`
			`type Compiler interface {`
			`CompileCELExpression(expressionAccessor ExpressionAccessor) (CompilationResult, error)`
			`}`

			`type compiler struct {`
			`envSet *environment.EnvSet`
			`}`

			`// NewCompiler returns a new Compiler.`
			`func NewCompiler(env *environment.EnvSet) Compiler {`
			`return &compiler{`
			`envSet: mustBuildEnv(env),`
			`}`
			`}`

			`func (c compiler) CompileCELExpression(expressionAccessor ExpressionAccessor) (CompilationResult, error) {`
			`resultError := func(errorString string, errType apiservercel.ErrorType) (CompilationResult, error) {`
			`err := &apiservercel.Error{`
			`Type: errType,`
			`Detail: errorString,`
			`}`
			`return CompilationResult{`
			`ExpressionAccessor: expressionAccessor,`
			`}, err`
			`}`
			`env, err := c.envSet.Env(environment.StoredExpressions)`
			`if err != nil {`
			`return resultError(fmt.Sprintf("unexpected error loading CEL environment: %v", err), apiservercel.ErrorTypeInternal)`
			`}`
			`ast, issues := env.Compile(expressionAccessor.GetExpression())`
			`if issues != nil {`
			`return resultError("compilation failed: "+issues.String(), apiservercel.ErrorTypeInvalid)`
			`}`
			`found := false`
			`returnTypes := expressionAccessor.ReturnTypes()`
			`for _, returnType := range returnTypes {`
			`if ast.OutputType() == returnType {`
			`found = true`
			`break`
			`}`
			`}`
			`if !found {`
			`var reason string`
			`if len(returnTypes) == 1 {`
			`reason = fmt.Sprintf("must evaluate to %v but got %v", returnTypes[0].String(), ast.OutputType())`
			`} else {`
			`reason = fmt.Sprintf("must evaluate to one of %v", returnTypes)`
			`}`

			`return resultError(reason, apiservercel.ErrorTypeInvalid)`
			`}`
rebase: update kubernetes to latest updating the kubernetes release to the latest in main go.mod Signed-off-by: Madhu Rajanna <madhupr007@gmail.com> 2024-08-19 08:01:33 +00:00			`checkedExpr, err := cel.AstToCheckedExpr(ast)`
rebase: update k8s.io packages to v0.29.0 Signed-off-by: Niels de Vos <ndevos@ibm.com> 2023-12-20 12:23:59 +00:00			`if err != nil {`
			`// should be impossible since env.Compile returned no issues`
			`return resultError("unexpected compilation error: "+err.Error(), apiservercel.ErrorTypeInternal)`
			`}`
rebase: update kubernetes to latest updating the kubernetes release to the latest in main go.mod Signed-off-by: Madhu Rajanna <madhupr007@gmail.com> 2024-08-19 08:01:33 +00:00			`celAST, err := celast.ToAST(checkedExpr)`
			`if err != nil {`
			`// should be impossible since env.Compile returned no issues`
			`return resultError("unexpected compilation error: "+err.Error(), apiservercel.ErrorTypeInternal)`
			`}`

			`var usesFieldSelector, usesLabelSelector bool`
			`celast.PreOrderVisit(celast.NavigateAST(celAST), celast.NewExprVisitor(func(e celast.Expr) {`
			`// we already know we use both, no need to inspect more`
			`if usesFieldSelector && usesLabelSelector {`
			`return`
			`}`

			`var fieldName string`
			`switch e.Kind() {`
			`case celast.SelectKind:`
			`// simple select (.fieldSelector / .labelSelector)`
			`fieldName = e.AsSelect().FieldName()`
			`case celast.CallKind:`
			`// optional select (.?fieldSelector / .?labelSelector)`
			`if e.AsCall().FunctionName() != operators.OptSelect {`
			`return`
			`}`
			`args := e.AsCall().Args()`
			// args[0] is the receiver (what comes before the `.?`), args[1] is the field name being optionally selected (what comes after the `.?`)
			`if len(args) != 2 \|\| args[1].Kind() != celast.LiteralKind \|\| args[1].AsLiteral().Type() != cel.StringType {`
			`return`
			`}`
			`fieldName, _ = args[1].AsLiteral().Value().(string)`
			`}`

			`switch fieldName {`
			`case fieldSelectorVarName:`
			`usesFieldSelector = true`
			`case labelSelectorVarName:`
			`usesLabelSelector = true`
			`}`
			`}))`

rebase: update k8s.io packages to v0.29.0 Signed-off-by: Niels de Vos <ndevos@ibm.com> 2023-12-20 12:23:59 +00:00			`prog, err := env.Program(ast)`
			`if err != nil {`
			`return resultError("program instantiation failed: "+err.Error(), apiservercel.ErrorTypeInternal)`
			`}`
			`return CompilationResult{`
			`Program: prog,`
			`ExpressionAccessor: expressionAccessor,`
rebase: update kubernetes to latest updating the kubernetes release to the latest in main go.mod Signed-off-by: Madhu Rajanna <madhupr007@gmail.com> 2024-08-19 08:01:33 +00:00			`UsesFieldSelector: usesFieldSelector,`
			`UsesLabelSelector: usesLabelSelector,`
rebase: update k8s.io packages to v0.29.0 Signed-off-by: Niels de Vos <ndevos@ibm.com> 2023-12-20 12:23:59 +00:00			`}, nil`
			`}`

			`func mustBuildEnv(baseEnv environment.EnvSet) environment.EnvSet {`
			`field := func(name string, declType apiservercel.DeclType, required bool) apiservercel.DeclField {`
			`return apiservercel.NewDeclField(name, declType, required, nil, nil)`
			`}`
			`fields := func(fields ...apiservercel.DeclField) map[string]apiservercel.DeclField {`
			`result := make(map[string]*apiservercel.DeclField, len(fields))`
			`for _, f := range fields {`
			`result[f.Name] = f`
			`}`
			`return result`
			`}`
			`subjectAccessReviewSpecRequestType := buildRequestType(field, fields)`
			`extended, err := baseEnv.Extend(`
			`environment.VersionedOptions{`
			`// we record this as 1.0 since it was available in the`
			`// first version that supported this feature`
			`IntroducedVersion: version.MajorMinor(1, 0),`
			`EnvOptions: []cel.EnvOption{`
			`cel.Variable(subjectAccessReviewRequestVarName, subjectAccessReviewSpecRequestType.CelType()),`
			`},`
			`DeclTypes: []*apiservercel.DeclType{`
			`subjectAccessReviewSpecRequestType,`
			`},`
			`},`
			`)`
			`if err != nil {`
			`panic(fmt.Sprintf("environment misconfigured: %v", err))`
			`}`

			`return extended`
			`}`

			`// buildRequestType generates a DeclType for SubjectAccessReviewSpec.`
			`// if attributes are added here, also add to convertObjectToUnstructured.`
			`func buildRequestType(field func(name string, declType apiservercel.DeclType, required bool) apiservercel.DeclField, fields func(fields ...apiservercel.DeclField) map[string]apiservercel.DeclField) *apiservercel.DeclType {`
			`resourceAttributesType := buildResourceAttributesType(field, fields)`
			`nonResourceAttributesType := buildNonResourceAttributesType(field, fields)`
			`return apiservercel.NewObjectType("kubernetes.SubjectAccessReviewSpec", fields(`
			`field("resourceAttributes", resourceAttributesType, false),`
			`field("nonResourceAttributes", nonResourceAttributesType, false),`
			`field("user", apiservercel.StringType, false),`
			`field("groups", apiservercel.NewListType(apiservercel.StringType, -1), false),`
			`field("extra", apiservercel.NewMapType(apiservercel.StringType, apiservercel.NewListType(apiservercel.StringType, -1), -1), false),`
			`field("uid", apiservercel.StringType, false),`
			`))`
			`}`

			`// buildResourceAttributesType generates a DeclType for ResourceAttributes.`
			`// if attributes are added here, also add to convertObjectToUnstructured.`
			`func buildResourceAttributesType(field func(name string, declType apiservercel.DeclType, required bool) apiservercel.DeclField, fields func(fields ...apiservercel.DeclField) map[string]apiservercel.DeclField) *apiservercel.DeclType {`
rebase: update kubernetes to latest updating the kubernetes release to the latest in main go.mod Signed-off-by: Madhu Rajanna <madhupr007@gmail.com> 2024-08-19 08:01:33 +00:00			`resourceAttributesFields := []*apiservercel.DeclField{`
rebase: update k8s.io packages to v0.29.0 Signed-off-by: Niels de Vos <ndevos@ibm.com> 2023-12-20 12:23:59 +00:00			`field("namespace", apiservercel.StringType, false),`
			`field("verb", apiservercel.StringType, false),`
			`field("group", apiservercel.StringType, false),`
			`field("version", apiservercel.StringType, false),`
			`field("resource", apiservercel.StringType, false),`
			`field("subresource", apiservercel.StringType, false),`
			`field("name", apiservercel.StringType, false),`
rebase: update kubernetes to latest updating the kubernetes release to the latest in main go.mod Signed-off-by: Madhu Rajanna <madhupr007@gmail.com> 2024-08-19 08:01:33 +00:00			`}`
			`if utilfeature.DefaultFeatureGate.Enabled(genericfeatures.AuthorizeWithSelectors) {`
			`resourceAttributesFields = append(resourceAttributesFields, field("fieldSelector", buildFieldSelectorType(field, fields), false))`
			`resourceAttributesFields = append(resourceAttributesFields, field("labelSelector", buildLabelSelectorType(field, fields), false))`
			`}`
			`return apiservercel.NewObjectType("kubernetes.ResourceAttributes", fields(resourceAttributesFields...))`
			`}`

			`func buildFieldSelectorType(field func(name string, declType apiservercel.DeclType, required bool) apiservercel.DeclField, fields func(fields ...apiservercel.DeclField) map[string]apiservercel.DeclField) *apiservercel.DeclType {`
			`return apiservercel.NewObjectType("kubernetes.FieldSelectorAttributes", fields(`
			`field("rawSelector", apiservercel.StringType, false),`
			`field("requirements", apiservercel.NewListType(buildSelectorRequirementType(field, fields), -1), false),`
			`))`
			`}`

			`func buildLabelSelectorType(field func(name string, declType apiservercel.DeclType, required bool) apiservercel.DeclField, fields func(fields ...apiservercel.DeclField) map[string]apiservercel.DeclField) *apiservercel.DeclType {`
			`return apiservercel.NewObjectType("kubernetes.LabelSelectorAttributes", fields(`
			`field("rawSelector", apiservercel.StringType, false),`
			`field("requirements", apiservercel.NewListType(buildSelectorRequirementType(field, fields), -1), false),`
			`))`
			`}`

			`func buildSelectorRequirementType(field func(name string, declType apiservercel.DeclType, required bool) apiservercel.DeclField, fields func(fields ...apiservercel.DeclField) map[string]apiservercel.DeclField) *apiservercel.DeclType {`
			`return apiservercel.NewObjectType("kubernetes.SelectorRequirement", fields(`
			`field("key", apiservercel.StringType, false),`
			`field("operator", apiservercel.StringType, false),`
			`field("values", apiservercel.NewListType(apiservercel.StringType, -1), false),`
rebase: update k8s.io packages to v0.29.0 Signed-off-by: Niels de Vos <ndevos@ibm.com> 2023-12-20 12:23:59 +00:00			`))`
			`}`

			`// buildNonResourceAttributesType generates a DeclType for NonResourceAttributes.`
			`// if attributes are added here, also add to convertObjectToUnstructured.`
			`func buildNonResourceAttributesType(field func(name string, declType apiservercel.DeclType, required bool) apiservercel.DeclField, fields func(fields ...apiservercel.DeclField) map[string]apiservercel.DeclField) *apiservercel.DeclType {`
			`return apiservercel.NewObjectType("kubernetes.NonResourceAttributes", fields(`
			`field("path", apiservercel.StringType, false),`
			`field("verb", apiservercel.StringType, false),`
			`))`
			`}`

rebase: update kubernetes to latest updating the kubernetes release to the latest in main go.mod Signed-off-by: Madhu Rajanna <madhupr007@gmail.com> 2024-08-19 08:01:33 +00:00			`func convertObjectToUnstructured(obj *authorizationv1.SubjectAccessReviewSpec, includeFieldSelector, includeLabelSelector bool) map[string]interface{} {`
rebase: update k8s.io packages to v0.29.0 Signed-off-by: Niels de Vos <ndevos@ibm.com> 2023-12-20 12:23:59 +00:00			`// Construct version containing every SubjectAccessReview user and string attribute field, even omitempty ones, for evaluation by CEL`
			`extra := obj.Extra`
			`if extra == nil {`
			`extra = map[string]authorizationv1.ExtraValue{}`
			`}`
			`ret := map[string]interface{}{`
			`"user": obj.User,`
			`"groups": obj.Groups,`
			`"uid": string(obj.UID),`
			`"extra": extra,`
			`}`
			`if obj.ResourceAttributes != nil {`
rebase: update kubernetes to latest updating the kubernetes release to the latest in main go.mod Signed-off-by: Madhu Rajanna <madhupr007@gmail.com> 2024-08-19 08:01:33 +00:00			`resourceAttributes := map[string]interface{}{`
rebase: update k8s.io packages to v0.29.0 Signed-off-by: Niels de Vos <ndevos@ibm.com> 2023-12-20 12:23:59 +00:00			`"namespace": obj.ResourceAttributes.Namespace,`
			`"verb": obj.ResourceAttributes.Verb,`
			`"group": obj.ResourceAttributes.Group,`
			`"version": obj.ResourceAttributes.Version,`
			`"resource": obj.ResourceAttributes.Resource,`
			`"subresource": obj.ResourceAttributes.Subresource,`
			`"name": obj.ResourceAttributes.Name,`
			`}`
rebase: update kubernetes to latest updating the kubernetes release to the latest in main go.mod Signed-off-by: Madhu Rajanna <madhupr007@gmail.com> 2024-08-19 08:01:33 +00:00
			`if includeFieldSelector && obj.ResourceAttributes.FieldSelector != nil {`
			`if len(obj.ResourceAttributes.FieldSelector.Requirements) > 0 {`
			`requirements := make([]map[string]interface{}, 0, len(obj.ResourceAttributes.FieldSelector.Requirements))`
			`for _, r := range obj.ResourceAttributes.FieldSelector.Requirements {`
			`requirements = append(requirements, map[string]interface{}{`
			`"key": r.Key,`
			`"operator": r.Operator,`
			`"values": r.Values,`
			`})`
			`}`
			`resourceAttributes[fieldSelectorVarName] = map[string]interface{}{"requirements": requirements}`
			`}`
			`if len(obj.ResourceAttributes.FieldSelector.RawSelector) > 0 {`
			`resourceAttributes[fieldSelectorVarName] = map[string]interface{}{"rawSelector": obj.ResourceAttributes.FieldSelector.RawSelector}`
			`}`
			`}`

			`if includeLabelSelector && obj.ResourceAttributes.LabelSelector != nil {`
			`if len(obj.ResourceAttributes.LabelSelector.Requirements) > 0 {`
			`requirements := make([]map[string]interface{}, 0, len(obj.ResourceAttributes.LabelSelector.Requirements))`
			`for _, r := range obj.ResourceAttributes.LabelSelector.Requirements {`
			`requirements = append(requirements, map[string]interface{}{`
			`"key": r.Key,`
			`"operator": r.Operator,`
			`"values": r.Values,`
			`})`
			`}`
			`resourceAttributes[labelSelectorVarName] = map[string]interface{}{"requirements": requirements}`
			`}`
			`if len(obj.ResourceAttributes.LabelSelector.RawSelector) > 0 {`
			`resourceAttributes[labelSelectorVarName] = map[string]interface{}{"rawSelector": obj.ResourceAttributes.LabelSelector.RawSelector}`
			`}`
			`}`

			`ret["resourceAttributes"] = resourceAttributes`
rebase: update k8s.io packages to v0.29.0 Signed-off-by: Niels de Vos <ndevos@ibm.com> 2023-12-20 12:23:59 +00:00			`}`
			`if obj.NonResourceAttributes != nil {`
			`ret["nonResourceAttributes"] = map[string]string{`
			`"verb": obj.NonResourceAttributes.Verb,`
			`"path": obj.NonResourceAttributes.Path,`
			`}`
			`}`
			`return ret`
			`}`