vendor files

vendor/k8s.io/kubernetes/pkg/registry/authorization/OWNERS

@@ -0,0 +1,4 @@
+reviewers:
+- deads2k
+- liggitt
+- enj

vendor/k8s.io/kubernetes/pkg/registry/authorization/localsubjectaccessreview/BUILD

@@ -0,0 +1,35 @@
+package(default_visibility = ["//visibility:public"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_library",
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = ["rest.go"],
+    importpath = "k8s.io/kubernetes/pkg/registry/authorization/localsubjectaccessreview",
+    deps = [
+        "//pkg/apis/authorization:go_default_library",
+        "//pkg/apis/authorization/validation:go_default_library",
+        "//pkg/registry/authorization/util:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/api/errors:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/endpoints/request:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/registry/rest:go_default_library",
+    ],
+)
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [":package-srcs"],
+    tags = ["automanaged"],
+)

vendor/k8s.io/kubernetes/pkg/registry/authorization/localsubjectaccessreview/rest.go

@@ -0,0 +1,73 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package localsubjectaccessreview
+
+import (
+	"fmt"
+
+	kapierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apiserver/pkg/authorization/authorizer"
+	genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
+	"k8s.io/apiserver/pkg/registry/rest"
+	authorizationapi "k8s.io/kubernetes/pkg/apis/authorization"
+	authorizationvalidation "k8s.io/kubernetes/pkg/apis/authorization/validation"
+	authorizationutil "k8s.io/kubernetes/pkg/registry/authorization/util"
+)
+
+type REST struct {
+	authorizer authorizer.Authorizer
+}
+
+func NewREST(authorizer authorizer.Authorizer) *REST {
+	return &REST{authorizer}
+}
+
+func (r *REST) New() runtime.Object {
+	return &authorizationapi.LocalSubjectAccessReview{}
+}
+
+func (r *REST) Create(ctx genericapirequest.Context, obj runtime.Object, createValidation rest.ValidateObjectFunc, includeUninitialized bool) (runtime.Object, error) {
+	localSubjectAccessReview, ok := obj.(*authorizationapi.LocalSubjectAccessReview)
+	if !ok {
+		return nil, kapierrors.NewBadRequest(fmt.Sprintf("not a LocaLocalSubjectAccessReview: %#v", obj))
+	}
+	if errs := authorizationvalidation.ValidateLocalSubjectAccessReview(localSubjectAccessReview); len(errs) > 0 {
+		return nil, kapierrors.NewInvalid(authorizationapi.Kind(localSubjectAccessReview.Kind), "", errs)
+	}
+	namespace := genericapirequest.NamespaceValue(ctx)
+	if len(namespace) == 0 {
+		return nil, kapierrors.NewBadRequest(fmt.Sprintf("namespace is required on this type: %v", namespace))
+	}
+	if namespace != localSubjectAccessReview.Namespace {
+		return nil, kapierrors.NewBadRequest(fmt.Sprintf("spec.resourceAttributes.namespace must match namespace: %v", namespace))
+	}
+
+	authorizationAttributes := authorizationutil.AuthorizationAttributesFrom(localSubjectAccessReview.Spec)
+	decision, reason, evaluationErr := r.authorizer.Authorize(authorizationAttributes)
+
+	localSubjectAccessReview.Status = authorizationapi.SubjectAccessReviewStatus{
+		Allowed: (decision == authorizer.DecisionAllow),
+		Denied:  (decision == authorizer.DecisionDeny),
+		Reason:  reason,
+	}
+	if evaluationErr != nil {
+		localSubjectAccessReview.Status.EvaluationError = evaluationErr.Error()
+	}
+
+	return localSubjectAccessReview, nil
+}

vendor/k8s.io/kubernetes/pkg/registry/authorization/rest/BUILD

@@ -0,0 +1,40 @@
+package(default_visibility = ["//visibility:public"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_library",
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = ["storage_authorization.go"],
+    importpath = "k8s.io/kubernetes/pkg/registry/authorization/rest",
+    deps = [
+        "//pkg/api/legacyscheme:go_default_library",
+        "//pkg/apis/authorization:go_default_library",
+        "//pkg/registry/authorization/localsubjectaccessreview:go_default_library",
+        "//pkg/registry/authorization/selfsubjectaccessreview:go_default_library",
+        "//pkg/registry/authorization/selfsubjectrulesreview:go_default_library",
+        "//pkg/registry/authorization/subjectaccessreview:go_default_library",
+        "//vendor/k8s.io/api/authorization/v1:go_default_library",
+        "//vendor/k8s.io/api/authorization/v1beta1:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/registry/generic:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/registry/rest:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/server:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/server/storage:go_default_library",
+    ],
+)
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [":package-srcs"],
+    tags = ["automanaged"],
+)

vendor/k8s.io/kubernetes/pkg/registry/authorization/rest/storage_authorization.go

@@ -0,0 +1,104 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package rest
+
+import (
+	authorizationv1 "k8s.io/api/authorization/v1"
+	authorizationv1beta1 "k8s.io/api/authorization/v1beta1"
+	"k8s.io/apiserver/pkg/authorization/authorizer"
+	"k8s.io/apiserver/pkg/registry/generic"
+	"k8s.io/apiserver/pkg/registry/rest"
+	genericapiserver "k8s.io/apiserver/pkg/server"
+	serverstorage "k8s.io/apiserver/pkg/server/storage"
+	"k8s.io/kubernetes/pkg/api/legacyscheme"
+	"k8s.io/kubernetes/pkg/apis/authorization"
+	"k8s.io/kubernetes/pkg/registry/authorization/localsubjectaccessreview"
+	"k8s.io/kubernetes/pkg/registry/authorization/selfsubjectaccessreview"
+	"k8s.io/kubernetes/pkg/registry/authorization/selfsubjectrulesreview"
+	"k8s.io/kubernetes/pkg/registry/authorization/subjectaccessreview"
+)
+
+type RESTStorageProvider struct {
+	Authorizer   authorizer.Authorizer
+	RuleResolver authorizer.RuleResolver
+}
+
+func (p RESTStorageProvider) NewRESTStorage(apiResourceConfigSource serverstorage.APIResourceConfigSource, restOptionsGetter generic.RESTOptionsGetter) (genericapiserver.APIGroupInfo, bool) {
+	if p.Authorizer == nil {
+		return genericapiserver.APIGroupInfo{}, false
+	}
+
+	apiGroupInfo := genericapiserver.NewDefaultAPIGroupInfo(authorization.GroupName, legacyscheme.Registry, legacyscheme.Scheme, legacyscheme.ParameterCodec, legacyscheme.Codecs)
+	// If you add a version here, be sure to add an entry in `k8s.io/kubernetes/cmd/kube-apiserver/app/aggregator.go with specific priorities.
+	// TODO refactor the plumbing to provide the information in the APIGroupInfo
+
+	if apiResourceConfigSource.AnyResourcesForVersionEnabled(authorizationv1beta1.SchemeGroupVersion) {
+		apiGroupInfo.VersionedResourcesStorageMap[authorizationv1beta1.SchemeGroupVersion.Version] = p.v1beta1Storage(apiResourceConfigSource, restOptionsGetter)
+		apiGroupInfo.GroupMeta.GroupVersion = authorizationv1beta1.SchemeGroupVersion
+	}
+
+	if apiResourceConfigSource.AnyResourcesForVersionEnabled(authorizationv1.SchemeGroupVersion) {
+		apiGroupInfo.VersionedResourcesStorageMap[authorizationv1.SchemeGroupVersion.Version] = p.v1Storage(apiResourceConfigSource, restOptionsGetter)
+		apiGroupInfo.GroupMeta.GroupVersion = authorizationv1.SchemeGroupVersion
+	}
+
+	return apiGroupInfo, true
+}
+
+func (p RESTStorageProvider) v1beta1Storage(apiResourceConfigSource serverstorage.APIResourceConfigSource, restOptionsGetter generic.RESTOptionsGetter) map[string]rest.Storage {
+	version := authorizationv1beta1.SchemeGroupVersion
+
+	storage := map[string]rest.Storage{}
+	if apiResourceConfigSource.ResourceEnabled(version.WithResource("subjectaccessreviews")) {
+		storage["subjectaccessreviews"] = subjectaccessreview.NewREST(p.Authorizer)
+	}
+	if apiResourceConfigSource.ResourceEnabled(version.WithResource("selfsubjectaccessreviews")) {
+		storage["selfsubjectaccessreviews"] = selfsubjectaccessreview.NewREST(p.Authorizer)
+	}
+	if apiResourceConfigSource.ResourceEnabled(version.WithResource("localsubjectaccessreviews")) {
+		storage["localsubjectaccessreviews"] = localsubjectaccessreview.NewREST(p.Authorizer)
+	}
+	if apiResourceConfigSource.ResourceEnabled(version.WithResource("selfsubjectrulesreviews")) {
+		storage["selfsubjectrulesreviews"] = selfsubjectrulesreview.NewREST(p.RuleResolver)
+	}
+
+	return storage
+}
+
+func (p RESTStorageProvider) v1Storage(apiResourceConfigSource serverstorage.APIResourceConfigSource, restOptionsGetter generic.RESTOptionsGetter) map[string]rest.Storage {
+	version := authorizationv1beta1.SchemeGroupVersion
+
+	storage := map[string]rest.Storage{}
+	if apiResourceConfigSource.ResourceEnabled(version.WithResource("subjectaccessreviews")) {
+		storage["subjectaccessreviews"] = subjectaccessreview.NewREST(p.Authorizer)
+	}
+	if apiResourceConfigSource.ResourceEnabled(version.WithResource("selfsubjectaccessreviews")) {
+		storage["selfsubjectaccessreviews"] = selfsubjectaccessreview.NewREST(p.Authorizer)
+	}
+	if apiResourceConfigSource.ResourceEnabled(version.WithResource("localsubjectaccessreviews")) {
+		storage["localsubjectaccessreviews"] = localsubjectaccessreview.NewREST(p.Authorizer)
+	}
+	if apiResourceConfigSource.ResourceEnabled(version.WithResource("selfsubjectrulesreviews")) {
+		storage["selfsubjectrulesreviews"] = selfsubjectrulesreview.NewREST(p.RuleResolver)
+	}
+
+	return storage
+}
+
+func (p RESTStorageProvider) GroupName() string {
+	return authorization.GroupName
+}

vendor/k8s.io/kubernetes/pkg/registry/authorization/selfsubjectaccessreview/BUILD

@@ -0,0 +1,35 @@
+package(default_visibility = ["//visibility:public"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_library",
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = ["rest.go"],
+    importpath = "k8s.io/kubernetes/pkg/registry/authorization/selfsubjectaccessreview",
+    deps = [
+        "//pkg/apis/authorization:go_default_library",
+        "//pkg/apis/authorization/validation:go_default_library",
+        "//pkg/registry/authorization/util:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/api/errors:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/endpoints/request:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/registry/rest:go_default_library",
+    ],
+)
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [":package-srcs"],
+    tags = ["automanaged"],
+)

vendor/k8s.io/kubernetes/pkg/registry/authorization/selfsubjectaccessreview/rest.go

@@ -0,0 +1,76 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package selfsubjectaccessreview
+
+import (
+	"fmt"
+
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apiserver/pkg/authorization/authorizer"
+	genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
+	"k8s.io/apiserver/pkg/registry/rest"
+	authorizationapi "k8s.io/kubernetes/pkg/apis/authorization"
+	authorizationvalidation "k8s.io/kubernetes/pkg/apis/authorization/validation"
+	authorizationutil "k8s.io/kubernetes/pkg/registry/authorization/util"
+)
+
+type REST struct {
+	authorizer authorizer.Authorizer
+}
+
+func NewREST(authorizer authorizer.Authorizer) *REST {
+	return &REST{authorizer}
+}
+
+func (r *REST) New() runtime.Object {
+	return &authorizationapi.SelfSubjectAccessReview{}
+}
+
+func (r *REST) Create(ctx genericapirequest.Context, obj runtime.Object, createValidation rest.ValidateObjectFunc, includeUninitialized bool) (runtime.Object, error) {
+	selfSAR, ok := obj.(*authorizationapi.SelfSubjectAccessReview)
+	if !ok {
+		return nil, apierrors.NewBadRequest(fmt.Sprintf("not a SelfSubjectAccessReview: %#v", obj))
+	}
+	if errs := authorizationvalidation.ValidateSelfSubjectAccessReview(selfSAR); len(errs) > 0 {
+		return nil, apierrors.NewInvalid(authorizationapi.Kind(selfSAR.Kind), "", errs)
+	}
+	userToCheck, exists := genericapirequest.UserFrom(ctx)
+	if !exists {
+		return nil, apierrors.NewBadRequest("no user present on request")
+	}
+
+	var authorizationAttributes authorizer.AttributesRecord
+	if selfSAR.Spec.ResourceAttributes != nil {
+		authorizationAttributes = authorizationutil.ResourceAttributesFrom(userToCheck, *selfSAR.Spec.ResourceAttributes)
+	} else {
+		authorizationAttributes = authorizationutil.NonResourceAttributesFrom(userToCheck, *selfSAR.Spec.NonResourceAttributes)
+	}
+
+	decision, reason, evaluationErr := r.authorizer.Authorize(authorizationAttributes)
+
+	selfSAR.Status = authorizationapi.SubjectAccessReviewStatus{
+		Allowed: (decision == authorizer.DecisionAllow),
+		Denied:  (decision == authorizer.DecisionDeny),
+		Reason:  reason,
+	}
+	if evaluationErr != nil {
+		selfSAR.Status.EvaluationError = evaluationErr.Error()
+	}
+
+	return selfSAR, nil
+}

vendor/k8s.io/kubernetes/pkg/registry/authorization/selfsubjectrulesreview/BUILD

@@ -0,0 +1,30 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_library")
+
+go_library(
+    name = "go_default_library",
+    srcs = ["rest.go"],
+    importpath = "k8s.io/kubernetes/pkg/registry/authorization/selfsubjectrulesreview",
+    visibility = ["//visibility:public"],
+    deps = [
+        "//pkg/apis/authorization:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/api/errors:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/endpoints/request:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/registry/rest:go_default_library",
+    ],
+)
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [":package-srcs"],
+    tags = ["automanaged"],
+    visibility = ["//visibility:public"],
+)

vendor/k8s.io/kubernetes/pkg/registry/authorization/selfsubjectrulesreview/rest.go

@@ -0,0 +1,100 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package selfsubjectrulesreview
+
+import (
+	"fmt"
+
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apiserver/pkg/authorization/authorizer"
+	genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
+	"k8s.io/apiserver/pkg/registry/rest"
+	authorizationapi "k8s.io/kubernetes/pkg/apis/authorization"
+)
+
+// REST implements a RESTStorage for selfsubjectrulesreview.
+type REST struct {
+	ruleResolver authorizer.RuleResolver
+}
+
+// NewREST returns a RESTStorage object that will work against selfsubjectrulesreview.
+func NewREST(ruleResolver authorizer.RuleResolver) *REST {
+	return &REST{ruleResolver}
+}
+
+// New creates a new selfsubjectrulesreview object.
+func (r *REST) New() runtime.Object {
+	return &authorizationapi.SelfSubjectRulesReview{}
+}
+
+// Create attempts to get self subject rules in specific namespace.
+func (r *REST) Create(ctx genericapirequest.Context, obj runtime.Object, createValidation rest.ValidateObjectFunc, includeUninitialized bool) (runtime.Object, error) {
+	selfSRR, ok := obj.(*authorizationapi.SelfSubjectRulesReview)
+	if !ok {
+		return nil, apierrors.NewBadRequest(fmt.Sprintf("not a SelfSubjectRulesReview: %#v", obj))
+	}
+
+	user, ok := genericapirequest.UserFrom(ctx)
+	if !ok {
+		return nil, apierrors.NewBadRequest("no user present on request")
+	}
+
+	namespace := selfSRR.Spec.Namespace
+	if namespace == "" {
+		return nil, apierrors.NewBadRequest("no namespace on request")
+	}
+	resourceInfo, nonResourceInfo, incomplete, err := r.ruleResolver.RulesFor(user, namespace)
+
+	ret := &authorizationapi.SelfSubjectRulesReview{
+		Status: authorizationapi.SubjectRulesReviewStatus{
+			ResourceRules:    getResourceRules(resourceInfo),
+			NonResourceRules: getNonResourceRules(nonResourceInfo),
+			Incomplete:       incomplete,
+		},
+	}
+
+	if err != nil {
+		ret.Status.EvaluationError = err.Error()
+	}
+
+	return ret, nil
+}
+
+func getResourceRules(infos []authorizer.ResourceRuleInfo) []authorizationapi.ResourceRule {
+	rules := make([]authorizationapi.ResourceRule, len(infos))
+	for i, info := range infos {
+		rules[i] = authorizationapi.ResourceRule{
+			Verbs:         info.GetVerbs(),
+			APIGroups:     info.GetAPIGroups(),
+			Resources:     info.GetResources(),
+			ResourceNames: info.GetResourceNames(),
+		}
+	}
+	return rules
+}
+
+func getNonResourceRules(infos []authorizer.NonResourceRuleInfo) []authorizationapi.NonResourceRule {
+	rules := make([]authorizationapi.NonResourceRule, len(infos))
+	for i, info := range infos {
+		rules[i] = authorizationapi.NonResourceRule{
+			Verbs:           info.GetVerbs(),
+			NonResourceURLs: info.GetNonResourceURLs(),
+		}
+	}
+	return rules
+}

vendor/k8s.io/kubernetes/pkg/registry/authorization/subjectaccessreview/BUILD

@@ -0,0 +1,50 @@
+package(default_visibility = ["//visibility:public"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_library",
+    "go_test",
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = ["rest.go"],
+    importpath = "k8s.io/kubernetes/pkg/registry/authorization/subjectaccessreview",
+    deps = [
+        "//pkg/apis/authorization:go_default_library",
+        "//pkg/apis/authorization/validation:go_default_library",
+        "//pkg/registry/authorization/util:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/api/errors:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/endpoints/request:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/registry/rest:go_default_library",
+    ],
+)
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [":package-srcs"],
+    tags = ["automanaged"],
+)
+
+go_test(
+    name = "go_default_test",
+    srcs = ["rest_test.go"],
+    importpath = "k8s.io/kubernetes/pkg/registry/authorization/subjectaccessreview",
+    library = ":go_default_library",
+    deps = [
+        "//pkg/apis/authorization:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/authentication/user:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/endpoints/request:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/registry/rest:go_default_library",
+    ],
+)

vendor/k8s.io/kubernetes/pkg/registry/authorization/subjectaccessreview/rest.go

@@ -0,0 +1,66 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package subjectaccessreview
+
+import (
+	"fmt"
+
+	kapierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apiserver/pkg/authorization/authorizer"
+	genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
+	"k8s.io/apiserver/pkg/registry/rest"
+	authorizationapi "k8s.io/kubernetes/pkg/apis/authorization"
+	authorizationvalidation "k8s.io/kubernetes/pkg/apis/authorization/validation"
+	authorizationutil "k8s.io/kubernetes/pkg/registry/authorization/util"
+)
+
+type REST struct {
+	authorizer authorizer.Authorizer
+}
+
+func NewREST(authorizer authorizer.Authorizer) *REST {
+	return &REST{authorizer}
+}
+
+func (r *REST) New() runtime.Object {
+	return &authorizationapi.SubjectAccessReview{}
+}
+
+func (r *REST) Create(ctx genericapirequest.Context, obj runtime.Object, createValidation rest.ValidateObjectFunc, includeUninitialized bool) (runtime.Object, error) {
+	subjectAccessReview, ok := obj.(*authorizationapi.SubjectAccessReview)
+	if !ok {
+		return nil, kapierrors.NewBadRequest(fmt.Sprintf("not a SubjectAccessReview: %#v", obj))
+	}
+	if errs := authorizationvalidation.ValidateSubjectAccessReview(subjectAccessReview); len(errs) > 0 {
+		return nil, kapierrors.NewInvalid(authorizationapi.Kind(subjectAccessReview.Kind), "", errs)
+	}
+
+	authorizationAttributes := authorizationutil.AuthorizationAttributesFrom(subjectAccessReview.Spec)
+	decision, reason, evaluationErr := r.authorizer.Authorize(authorizationAttributes)
+
+	subjectAccessReview.Status = authorizationapi.SubjectAccessReviewStatus{
+		Allowed: (decision == authorizer.DecisionAllow),
+		Denied:  (decision == authorizer.DecisionDeny),
+		Reason:  reason,
+	}
+	if evaluationErr != nil {
+		subjectAccessReview.Status.EvaluationError = evaluationErr.Error()
+	}
+
+	return subjectAccessReview, nil
+}

vendor/k8s.io/kubernetes/pkg/registry/authorization/subjectaccessreview/rest_test.go

@@ -0,0 +1,217 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package subjectaccessreview
+
+import (
+	"errors"
+	"strings"
+	"testing"
+
+	"reflect"
+
+	"k8s.io/apiserver/pkg/authentication/user"
+	"k8s.io/apiserver/pkg/authorization/authorizer"
+	genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
+	"k8s.io/apiserver/pkg/registry/rest"
+	authorizationapi "k8s.io/kubernetes/pkg/apis/authorization"
+)
+
+type fakeAuthorizer struct {
+	attrs authorizer.Attributes
+
+	decision authorizer.Decision
+	reason   string
+	err      error
+}
+
+func (f *fakeAuthorizer) Authorize(attrs authorizer.Attributes) (authorizer.Decision, string, error) {
+	f.attrs = attrs
+	return f.decision, f.reason, f.err
+}
+
+func TestCreate(t *testing.T) {
+	testcases := map[string]struct {
+		spec     authorizationapi.SubjectAccessReviewSpec
+		decision authorizer.Decision
+		reason   string
+		err      error
+
+		expectedErr    string
+		expectedAttrs  authorizer.Attributes
+		expectedStatus authorizationapi.SubjectAccessReviewStatus
+	}{
+		"empty": {
+			expectedErr: "nonResourceAttributes or resourceAttributes",
+		},
+
+		"nonresource rejected": {
+			spec: authorizationapi.SubjectAccessReviewSpec{
+				User: "bob",
+				NonResourceAttributes: &authorizationapi.NonResourceAttributes{Verb: "get", Path: "/mypath"},
+			},
+			decision: authorizer.DecisionNoOpinion,
+			reason:   "myreason",
+			err:      errors.New("myerror"),
+			expectedAttrs: authorizer.AttributesRecord{
+				User:            &user.DefaultInfo{Name: "bob"},
+				Verb:            "get",
+				Path:            "/mypath",
+				ResourceRequest: false,
+			},
+			expectedStatus: authorizationapi.SubjectAccessReviewStatus{
+				Allowed:         false,
+				Reason:          "myreason",
+				EvaluationError: "myerror",
+			},
+		},
+
+		"nonresource allowed": {
+			spec: authorizationapi.SubjectAccessReviewSpec{
+				User: "bob",
+				NonResourceAttributes: &authorizationapi.NonResourceAttributes{Verb: "get", Path: "/mypath"},
+			},
+			decision: authorizer.DecisionAllow,
+			reason:   "allowed",
+			err:      nil,
+			expectedAttrs: authorizer.AttributesRecord{
+				User:            &user.DefaultInfo{Name: "bob"},
+				Verb:            "get",
+				Path:            "/mypath",
+				ResourceRequest: false,
+			},
+			expectedStatus: authorizationapi.SubjectAccessReviewStatus{
+				Allowed:         true,
+				Reason:          "allowed",
+				EvaluationError: "",
+			},
+		},
+
+		"resource rejected": {
+			spec: authorizationapi.SubjectAccessReviewSpec{
+				User: "bob",
+				ResourceAttributes: &authorizationapi.ResourceAttributes{
+					Namespace:   "myns",
+					Verb:        "create",
+					Group:       "extensions",
+					Version:     "v1beta1",
+					Resource:    "deployments",
+					Subresource: "scale",
+					Name:        "mydeployment",
+				},
+			},
+			decision: authorizer.DecisionNoOpinion,
+			reason:   "myreason",
+			err:      errors.New("myerror"),
+			expectedAttrs: authorizer.AttributesRecord{
+				User:            &user.DefaultInfo{Name: "bob"},
+				Namespace:       "myns",
+				Verb:            "create",
+				APIGroup:        "extensions",
+				APIVersion:      "v1beta1",
+				Resource:        "deployments",
+				Subresource:     "scale",
+				Name:            "mydeployment",
+				ResourceRequest: true,
+			},
+			expectedStatus: authorizationapi.SubjectAccessReviewStatus{
+				Allowed:         false,
+				Denied:          false,
+				Reason:          "myreason",
+				EvaluationError: "myerror",
+			},
+		},
+
+		"resource allowed": {
+			spec: authorizationapi.SubjectAccessReviewSpec{
+				User: "bob",
+				ResourceAttributes: &authorizationapi.ResourceAttributes{
+					Namespace:   "myns",
+					Verb:        "create",
+					Group:       "extensions",
+					Version:     "v1beta1",
+					Resource:    "deployments",
+					Subresource: "scale",
+					Name:        "mydeployment",
+				},
+			},
+			decision: authorizer.DecisionAllow,
+			reason:   "allowed",
+			err:      nil,
+			expectedAttrs: authorizer.AttributesRecord{
+				User:            &user.DefaultInfo{Name: "bob"},
+				Namespace:       "myns",
+				Verb:            "create",
+				APIGroup:        "extensions",
+				APIVersion:      "v1beta1",
+				Resource:        "deployments",
+				Subresource:     "scale",
+				Name:            "mydeployment",
+				ResourceRequest: true,
+			},
+			expectedStatus: authorizationapi.SubjectAccessReviewStatus{
+				Allowed:         true,
+				Denied:          false,
+				Reason:          "allowed",
+				EvaluationError: "",
+			},
+		},
+
+		"resource denied": {
+			spec: authorizationapi.SubjectAccessReviewSpec{
+				User:               "bob",
+				ResourceAttributes: &authorizationapi.ResourceAttributes{},
+			},
+			decision: authorizer.DecisionDeny,
+			expectedAttrs: authorizer.AttributesRecord{
+				User:            &user.DefaultInfo{Name: "bob"},
+				ResourceRequest: true,
+			},
+			expectedStatus: authorizationapi.SubjectAccessReviewStatus{
+				Allowed: false,
+				Denied:  true,
+			},
+		},
+	}
+
+	for k, tc := range testcases {
+		auth := &fakeAuthorizer{
+			decision: tc.decision,
+			reason:   tc.reason,
+			err:      tc.err,
+		}
+		storage := NewREST(auth)
+
+		result, err := storage.Create(genericapirequest.NewContext(), &authorizationapi.SubjectAccessReview{Spec: tc.spec}, rest.ValidateAllObjectFunc, false)
+		if err != nil {
+			if tc.expectedErr != "" {
+				if !strings.Contains(err.Error(), tc.expectedErr) {
+					t.Errorf("%s: expected %s to contain %q", k, err, tc.expectedErr)
+				}
+			} else {
+				t.Errorf("%s: %v", k, err)
+			}
+			continue
+		}
+		if !reflect.DeepEqual(auth.attrs, tc.expectedAttrs) {
+			t.Errorf("%s: expected\n%#v\ngot\n%#v", k, tc.expectedAttrs, auth.attrs)
+		}
+		status := result.(*authorizationapi.SubjectAccessReview).Status
+		if !reflect.DeepEqual(status, tc.expectedStatus) {
+			t.Errorf("%s: expected\n%#v\ngot\n%#v", k, tc.expectedStatus, status)
+		}
+	}
+}

vendor/k8s.io/kubernetes/pkg/registry/authorization/util/BUILD

@@ -0,0 +1,43 @@
+package(default_visibility = ["//visibility:public"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_library",
+    "go_test",
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = ["helpers.go"],
+    importpath = "k8s.io/kubernetes/pkg/registry/authorization/util",
+    deps = [
+        "//pkg/apis/authorization:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/authentication/user:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library",
+    ],
+)
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [":package-srcs"],
+    tags = ["automanaged"],
+)
+
+go_test(
+    name = "go_default_test",
+    srcs = ["helpers_test.go"],
+    importpath = "k8s.io/kubernetes/pkg/registry/authorization/util",
+    library = ":go_default_library",
+    deps = [
+        "//pkg/apis/authorization:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/util/sets:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library",
+    ],
+)

vendor/k8s.io/kubernetes/pkg/registry/authorization/util/helpers.go

@@ -0,0 +1,79 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package util
+
+import (
+	"k8s.io/apiserver/pkg/authentication/user"
+	"k8s.io/apiserver/pkg/authorization/authorizer"
+	authorizationapi "k8s.io/kubernetes/pkg/apis/authorization"
+)
+
+// ResourceAttributesFrom combines the API object information and the user.Info from the context to build a full authorizer.AttributesRecord for resource access
+func ResourceAttributesFrom(user user.Info, in authorizationapi.ResourceAttributes) authorizer.AttributesRecord {
+	return authorizer.AttributesRecord{
+		User:            user,
+		Verb:            in.Verb,
+		Namespace:       in.Namespace,
+		APIGroup:        in.Group,
+		APIVersion:      in.Version,
+		Resource:        in.Resource,
+		Subresource:     in.Subresource,
+		Name:            in.Name,
+		ResourceRequest: true,
+	}
+}
+
+// NonResourceAttributesFrom combines the API object information and the user.Info from the context to build a full authorizer.AttributesRecord for non resource access
+func NonResourceAttributesFrom(user user.Info, in authorizationapi.NonResourceAttributes) authorizer.AttributesRecord {
+	return authorizer.AttributesRecord{
+		User:            user,
+		ResourceRequest: false,
+		Path:            in.Path,
+		Verb:            in.Verb,
+	}
+}
+
+func convertToUserInfoExtra(extra map[string]authorizationapi.ExtraValue) map[string][]string {
+	if extra == nil {
+		return nil
+	}
+	ret := map[string][]string{}
+	for k, v := range extra {
+		ret[k] = []string(v)
+	}
+
+	return ret
+}
+
+// AuthorizationAttributesFrom takes a spec and returns the proper authz attributes to check it.
+func AuthorizationAttributesFrom(spec authorizationapi.SubjectAccessReviewSpec) authorizer.AttributesRecord {
+	userToCheck := &user.DefaultInfo{
+		Name:   spec.User,
+		Groups: spec.Groups,
+		UID:    spec.UID,
+		Extra:  convertToUserInfoExtra(spec.Extra),
+	}
+
+	var authorizationAttributes authorizer.AttributesRecord
+	if spec.ResourceAttributes != nil {
+		authorizationAttributes = ResourceAttributesFrom(userToCheck, *spec.ResourceAttributes)
+	} else {
+		authorizationAttributes = NonResourceAttributesFrom(userToCheck, *spec.NonResourceAttributes)
+	}
+
+	return authorizationAttributes
+}

vendor/k8s.io/kubernetes/pkg/registry/authorization/util/helpers_test.go

@@ -0,0 +1,74 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package util
+
+import (
+	"reflect"
+	"testing"
+
+	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/apiserver/pkg/authorization/authorizer"
+	authorizationapi "k8s.io/kubernetes/pkg/apis/authorization"
+)
+
+func TestResourceAttributesFrom(t *testing.T) {
+	knownResourceAttributesNames := sets.NewString(
+		// Fields we copy in ResourceAttributesFrom
+		"Verb",
+		"Namespace",
+		"Group",
+		"Version",
+		"Resource",
+		"Subresource",
+		"Name",
+
+		// Fields we copy in NonResourceAttributesFrom
+		"Path",
+		"Verb",
+	)
+	reflect.TypeOf(authorizationapi.ResourceAttributes{}).FieldByNameFunc(func(name string) bool {
+		if !knownResourceAttributesNames.Has(name) {
+			t.Errorf("authorizationapi.ResourceAttributes has a new field: %q. Add to ResourceAttributesFrom/NonResourceAttributesFrom as appropriate, then add to knownResourceAttributesNames", name)
+		}
+		return false
+	})
+
+	knownAttributesRecordFieldNames := sets.NewString(
+		// Fields we set in ResourceAttributesFrom
+		"User",
+		"Verb",
+		"Namespace",
+		"APIGroup",
+		"APIVersion",
+		"Resource",
+		"Subresource",
+		"Name",
+		"ResourceRequest",
+
+		// Fields we set in NonResourceAttributesFrom
+		"User",
+		"ResourceRequest",
+		"Path",
+		"Verb",
+	)
+	reflect.TypeOf(authorizer.AttributesRecord{}).FieldByNameFunc(func(name string) bool {
+		if !knownAttributesRecordFieldNames.Has(name) {
+			t.Errorf("authorizer.AttributesRecord has a new field: %q. Add to ResourceAttributesFrom/NonResourceAttributesFrom as appropriate, then add to knownAttributesRecordFieldNames", name)
+		}
+		return false
+	})
+}