From b8c3cb492e7ec8e0ab3ebf6fd6a6d7fcd831e9ad Mon Sep 17 00:00:00 2001
From: David Eads
Date: Wed, 24 Feb 2021 10:38:04 -0500
Subject: [PATCH] bump - k8s union authorizer
---
 .../googleapis/gnostic/compiler/README.md | 2 +-
 .../go/fuzzy_mode_convert_table.md | 2 +-
 .../github.com/modern-go/concurrent/README.md | 2 +-
 .../github.com/modern-go/reflect2/README.md | 2 +-
 .../pkg/authorization/union/union.go | 106 ++++++++++++++++++
 vendor/k8s.io/utils/trace/README.md | 2 +-
 vendor/modules.txt | 1 +
 7 files changed, 112 insertions(+), 5 deletions(-)
 create mode 100644 vendor/k8s.io/apiserver/pkg/authorization/union/union.go
diff --git a/vendor/github.com/googleapis/gnostic/compiler/README.md b/vendor/github.com/googleapis/gnostic/compiler/README.md
index 848b16c69..803cf4ed1 100644
--- a/vendor/github.com/googleapis/gnostic/compiler/README.md
+++ b/vendor/github.com/googleapis/gnostic/compiler/README.md
@@ -1,3 +1,3 @@
 # Compiler support code
-This directory contains compiler support code used by Gnostic and Gnostic extensions.
\ No newline at end of file
+This directory contains compiler support code used by Gnostic and Gnostic extensions.
diff --git a/vendor/github.com/json-iterator/go/fuzzy_mode_convert_table.md b/vendor/github.com/json-iterator/go/fuzzy_mode_convert_table.md
index 3095662b0..81d75abbc 100644
--- a/vendor/github.com/json-iterator/go/fuzzy_mode_convert_table.md
+++ b/vendor/github.com/json-iterator/go/fuzzy_mode_convert_table.md
@@ -4,4 +4,4 @@
 | string | empty string => false
string "0" => false
other strings => true | "123.32" => 123
"-123.4" => -123
"123.23xxxw" => 123
"abcde12" => 0
"-32.1" => -32| 13.2 => 13
-1.1 => 0 |12.1 => 12.1
-12.3 => -12.3
12.4xxa => 12.4
+1.1e2 =>110 |same as origin|
 | bool | true => true
false => false| true => 1
false => 0 | true => 1
false => 0 |true => 1
false => 0|true => "true"
false => "false"|
 | object | true | 0 | 0 |0|originnal json|
-| array | empty array => false
nonempty array => true| [] => 0
[1,2] => 1 | [] => 0
[1,2] => 1 |[] => 0
[1,2] => 1|original json|
\ No newline at end of file
+| array | empty array => false
nonempty array => true| [] => 0
[1,2] => 1 | [] => 0
[1,2] => 1 |[] => 0
[1,2] => 1|original json|
diff --git a/vendor/github.com/modern-go/concurrent/README.md b/vendor/github.com/modern-go/concurrent/README.md
index acab3200a..16413f7b2 100644
--- a/vendor/github.com/modern-go/concurrent/README.md
+++ b/vendor/github.com/modern-go/concurrent/README.md
@@ -46,4 +46,4 @@ fmt.Println("executor stopped")
 attach goroutine to executor instance, so that we can
 * cancel it by stop the executor with Stop/StopAndWait/StopAndWaitForever
-* handle panic by callback: the default behavior will no longer crash your application
\ No newline at end of file
+* handle panic by callback: the default behavior will no longer crash your application
diff --git a/vendor/github.com/modern-go/reflect2/README.md b/vendor/github.com/modern-go/reflect2/README.md
index 6f968aab9..9a3e7f439 100644
--- a/vendor/github.com/modern-go/reflect2/README.md
+++ b/vendor/github.com/modern-go/reflect2/README.md
@@ -68,4 +68,4 @@ Instead of casting `[]byte` to `sliceHeader` in your application using unsafe.
 We can use reflect2 instead. This way, if `sliceHeader` changes in the future, only reflect2 need to be upgraded.
-reflect2 tries its best to keep the implementation same as reflect (by testing).
\ No newline at end of file
+reflect2 tries its best to keep the implementation same as reflect (by testing).
diff --git a/vendor/k8s.io/apiserver/pkg/authorization/union/union.go b/vendor/k8s.io/apiserver/pkg/authorization/union/union.go
new file mode 100644
index 000000000..89d68ffed
--- /dev/null
+++ b/vendor/k8s.io/apiserver/pkg/authorization/union/union.go
@@ -0,0 +1,106 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package union implements an authorizer that combines multiple subauthorizer.
+// The union authorizer iterates over each subauthorizer and returns the first
+// decision that is either an Allow decision or a Deny decision. If a
+// subauthorizer returns a NoOpinion, then the union authorizer moves onto the
+// next authorizer or, if the subauthorizer was the last authorizer, returns
+// NoOpinion as the aggregate decision. I.e. union authorizer creates an
+// aggregate decision and supports short-circuit allows and denies from
+// subauthorizers.
+package union
+
+import (
+ "context"
+ "strings"
+
+ utilerrors "k8s.io/apimachinery/pkg/util/errors"
+ "k8s.io/apiserver/pkg/authentication/user"
+ "k8s.io/apiserver/pkg/authorization/authorizer"
+)
+
+// unionAuthzHandler authorizer against a chain of authorizer.Authorizer
+type unionAuthzHandler []authorizer.Authorizer
+
+// New returns an authorizer that authorizes against a chain of authorizer.Authorizer objects
+func New(authorizationHandlers ...authorizer.Authorizer) authorizer.Authorizer {
+ return unionAuthzHandler(authorizationHandlers)
+}
+
+// Authorizes against a chain of authorizer.Authorizer objects and returns nil if successful and returns error if unsuccessful
+func (authzHandler unionAuthzHandler) Authorize(ctx context.Context, a authorizer.Attributes) (authorizer.Decision, string, error) {
+ var (
+ errlist []error
+ reasonlist []string
+ )
+
+ for _, currAuthzHandler := range authzHandler {
+ decision, reason, err := currAuthzHandler.Authorize(ctx, a)
+
+ if err != nil {
+ errlist = append(errlist, err)
+ }
+ if len(reason) != 0 {
+ reasonlist = append(reasonlist, reason)
+ }
+ switch decision {
+ case authorizer.DecisionAllow, authorizer.DecisionDeny:
+ return decision, reason, err
+ case authorizer.DecisionNoOpinion:
+ // continue to the next authorizer
+ }
+ }
+
+ return authorizer.DecisionNoOpinion, strings.Join(reasonlist, "\n"), utilerrors.NewAggregate(errlist)
+}
+
+// unionAuthzRulesHandler authorizer against a chain of authorizer.RuleResolver
+type unionAuthzRulesHandler []authorizer.RuleResolver
+
+// NewRuleResolvers returns an authorizer that authorizes against a chain of authorizer.Authorizer objects
+func NewRuleResolvers(authorizationHandlers ...authorizer.RuleResolver) authorizer.RuleResolver {
+ return unionAuthzRulesHandler(authorizationHandlers)
+}
+
+// RulesFor against a chain of authorizer.RuleResolver objects and returns nil if successful and returns error if unsuccessful
+func (authzHandler unionAuthzRulesHandler) RulesFor(user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error) {
+ var (
+ errList []error
+ resourceRulesList []authorizer.ResourceRuleInfo
+ nonResourceRulesList []authorizer.NonResourceRuleInfo
+ )
+ incompleteStatus := false
+
+ for _, currAuthzHandler := range authzHandler {
+ resourceRules, nonResourceRules, incomplete, err := currAuthzHandler.RulesFor(user, namespace)
+
+ if incomplete == true {
+ incompleteStatus = true
+ }
+ if err != nil {
+ errList = append(errList, err)
+ }
+ if len(resourceRules) > 0 {
+ resourceRulesList = append(resourceRulesList, resourceRules...)
+ }
+ if len(nonResourceRules) > 0 {
+ nonResourceRulesList = append(nonResourceRulesList, nonResourceRules...)
+ }
+ }
+
+ return resourceRulesList, nonResourceRulesList, incompleteStatus, utilerrors.NewAggregate(errList)
+}
diff --git a/vendor/k8s.io/utils/trace/README.md b/vendor/k8s.io/utils/trace/README.md
index 1e9c69389..56c964e95 100644
--- a/vendor/k8s.io/utils/trace/README.md
+++ b/vendor/k8s.io/utils/trace/README.md
@@ -64,4 +64,4 @@ func doSomething(ctx context.Context) {
 doSomethingElse(ctx)
 }
-```
\ No newline at end of file
+```
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 86e46ff5e..e6ef48f2a 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -324,6 +324,7 @@ k8s.io/apiserver/pkg/authentication/token/tokenfile
 k8s.io/apiserver/pkg/authentication/user
 k8s.io/apiserver/pkg/authorization/authorizer
 k8s.io/apiserver/pkg/authorization/authorizerfactory
+k8s.io/apiserver/pkg/authorization/union
 k8s.io/apiserver/pkg/endpoints/request
 k8s.io/apiserver/pkg/server/dynamiccertificates
 k8s.io/apiserver/pkg/server/egressselector