*: addressing PR review comments

cmd/kube-rbac-proxy/app/kube-rbac-proxy.go

@@ -297,18 +297,18 @@ func Run(cfg *server.KubeRBACProxyConfig) error {
 func setupAuthorizer(krbInfo *server.KubeRBACProxyInfo, delegatedAuthz *serverconfig.AuthorizationInfo) (authorizer.Authorizer, error) {
 	// Pre authorizer is running before any other authorizer.
 	// It works outside of the default authorizers.
-	var pre authorizer.Authorizer
+	var pathAuthorizer authorizer.Authorizer
 
 	// AllowPaths denies access to paths that are not listed.
 	// IgnorePaths doesn't auth(n/z) paths that are listed.
 	switch {
 	case len(krbInfo.AllowPaths) > 0:
-		pre = path.NewAllowPathAuthorizer(krbInfo.AllowPaths)
+		pathAuthorizer = path.NewAllowPathAuthorizer(krbInfo.AllowPaths)
 	case len(krbInfo.IgnorePaths) > 0:
-		pre = path.NewAlwaysAllowPathAuthorizer(krbInfo.IgnorePaths)
+		pathAuthorizer = path.NewAlwaysAllowPathAuthorizer(krbInfo.IgnorePaths)
 	}
 
-	// Delegated authorizers are running after the pre authorizer
+	// Delegated authorizers are running after the pathAuthorizer
 	// and after the attributes have been rewritten.
 	var delegated []authorizer.Authorizer
 	// Static authorization authorizes against a static file is ran before the SubjectAccessReview.
@@ -342,8 +342,8 @@ func setupAuthorizer(krbInfo *server.KubeRBACProxyInfo, delegatedAuthz *serverco
 		attrsGenerator,
 	)
 
-	if pre != nil {
-		return union.New(pre, rewritingAuthorizer), nil
+	if pathAuthorizer != nil {
+		return union.New(pathAuthorizer, rewritingAuthorizer), nil
 	}
 
 	return rewritingAuthorizer, nil

pkg/authorization/rewrite/attributes.go

@@ -118,7 +118,7 @@ func NewRewritingAttributesGenerator(attributes *ResourceAttributes) *RewritingA
 // is VERY DANGEROUS. It should only be used in a narrow use-case, where the
 // upstream is interpreting the input data as well.
 func (r *RewritingAttributesGenerator) Generate(ctx context.Context, attr authorizer.Attributes) []authorizer.Attributes {
-	params := GetKubeRBACProxyParams(ctx)
+	params := getKubeRBACProxyParams(ctx)
 	if len(params) == 0 {
 		return nil
 	}

pkg/authorization/rewrite/middleware.go

@@ -71,9 +71,9 @@ func WithKubeRBACProxyParams(ctx context.Context, params []string) context.Conte
 	return request.WithValue(ctx, rewriterParams, params)
 }
 
-// GetKubeRBACProxyParams returns the values from the context that should be
+// getKubeRBACProxyParams returns the values from the context that should be
 // used to rewrite the attributes.
-func GetKubeRBACProxyParams(ctx context.Context) []string {
+func getKubeRBACProxyParams(ctx context.Context) []string {
 	params, _ := ctx.Value(rewriterParams).([]string)
 
 	return params

pkg/authorization/rewrite/middleware_test.go

@@ -13,29 +13,27 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
-package rewrite_test
+package rewrite
 
 import (
 	"net/http"
 	"net/http/httptest"
 	"net/url"
 	"reflect"
 	"testing"
-
-	"github.com/brancz/kube-rbac-proxy/pkg/authorization/rewrite"
 )
 
 func TestRewriteParamsMiddleware(t *testing.T) {
 	testCases := []struct {
 		name     string
-		rewrite  *rewrite.SubjectAccessReviewRewrites
+		rewrite  *SubjectAccessReviewRewrites
 		request  *http.Request
 		expected []string
 	}{
 		{
 			name: "with query param rewrites config",
-			rewrite: &rewrite.SubjectAccessReviewRewrites{
-				ByQueryParameter: &rewrite.QueryParameterRewriteConfig{
+			rewrite: &SubjectAccessReviewRewrites{
+				ByQueryParameter: &QueryParameterRewriteConfig{
 					Name: "namespace",
 				},
 			},
@@ -46,8 +44,8 @@ func TestRewriteParamsMiddleware(t *testing.T) {
 		},
 		{
 			name: "with query param rewrites config but missing URL query",
-			rewrite: &rewrite.SubjectAccessReviewRewrites{
-				ByQueryParameter: &rewrite.QueryParameterRewriteConfig{
+			rewrite: &SubjectAccessReviewRewrites{
+				ByQueryParameter: &QueryParameterRewriteConfig{
 					Name: "namespace",
 				},
 			},
@@ -56,8 +54,8 @@ func TestRewriteParamsMiddleware(t *testing.T) {
 		},
 		{
 			name: "with http header rewrites config",
-			rewrite: &rewrite.SubjectAccessReviewRewrites{
-				ByHTTPHeader: &rewrite.HTTPHeaderRewriteConfig{Name: "namespace"},
+			rewrite: &SubjectAccessReviewRewrites{
+				ByHTTPHeader: &HTTPHeaderRewriteConfig{Name: "namespace"},
 			},
 			request: createRequest(withHeaderParameters(map[string][]string{
 				"namespace": {"default"},
@@ -66,8 +64,8 @@ func TestRewriteParamsMiddleware(t *testing.T) {
 		},
 		{
 			name: "with http header rewrites config and additional header",
-			rewrite: &rewrite.SubjectAccessReviewRewrites{
-				ByHTTPHeader: &rewrite.HTTPHeaderRewriteConfig{Name: "namespace"},
+			rewrite: &SubjectAccessReviewRewrites{
+				ByHTTPHeader: &HTTPHeaderRewriteConfig{Name: "namespace"},
 			},
 			request: createRequest(withHeaderParameters(map[string][]string{
 				"namespace": {"default", "other"},
@@ -76,17 +74,17 @@ func TestRewriteParamsMiddleware(t *testing.T) {
 		},
 		{
 			name: "with http header rewrites config but missing header",
-			rewrite: &rewrite.SubjectAccessReviewRewrites{
-				ByQueryParameter: &rewrite.QueryParameterRewriteConfig{Name: "namespace"},
+			rewrite: &SubjectAccessReviewRewrites{
+				ByQueryParameter: &QueryParameterRewriteConfig{Name: "namespace"},
 			},
 			request:  createRequest(),
 			expected: nil,
 		},
 		{
 			name: "with http header and query param rewrites config",
-			rewrite: &rewrite.SubjectAccessReviewRewrites{
-				ByHTTPHeader:     &rewrite.HTTPHeaderRewriteConfig{Name: "namespace"},
-				ByQueryParameter: &rewrite.QueryParameterRewriteConfig{Name: "namespace"},
+			rewrite: &SubjectAccessReviewRewrites{
+				ByHTTPHeader:     &HTTPHeaderRewriteConfig{Name: "namespace"},
+				ByQueryParameter: &QueryParameterRewriteConfig{Name: "namespace"},
 			},
 			request: createRequest(
 				withHeaderParameters(map[string][]string{"namespace": {"default"}}),
@@ -96,8 +94,8 @@ func TestRewriteParamsMiddleware(t *testing.T) {
 		},
 		{
 			name: "with query header rewrites config but header params",
-			rewrite: &rewrite.SubjectAccessReviewRewrites{
-				ByQueryParameter: &rewrite.QueryParameterRewriteConfig{Name: "namespace"},
+			rewrite: &SubjectAccessReviewRewrites{
+				ByQueryParameter: &QueryParameterRewriteConfig{Name: "namespace"},
 			},
 			request: createRequest(withHeaderParameters(map[string][]string{
 				"namespace": {"default", "other"},
@@ -108,14 +106,14 @@ func TestRewriteParamsMiddleware(t *testing.T) {
 
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
-			rewrite.WithKubeRBACProxyParamsHandler(
+			WithKubeRBACProxyParamsHandler(
 				http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-					values := rewrite.GetKubeRBACProxyParams(r.Context())
+					values := getKubeRBACProxyParams(r.Context())
 					if !reflect.DeepEqual(values, tc.expected) {
 						t.Errorf("expected values to be %v, have %v", tc.expected, values)
 					}
 				}),
-				&rewrite.RewriteAttributesConfig{Rewrites: tc.rewrite},
+				&RewriteAttributesConfig{Rewrites: tc.rewrite},
 			).ServeHTTP(nil, tc.request)
 		})
 	}

pkg/authorization/rewrite/rewrite.go

@@ -37,7 +37,7 @@ type rewritingAuthorizer struct {
 
 var _ authorizer.Authorizer = &rewritingAuthorizer{}
 
-// It generates a list of attributes based on the given attributes generator
+// Authorize generates a list of attributes based on the given attributes generator
 // and context. All attributes must be authorized to allow the request.
 // If no attributes are generated, the request is denied.
 func (n *rewritingAuthorizer) Authorize(ctx context.Context, attrs authorizer.Attributes) (authorizer.Decision, string, error) {