| /* |
| Copyright 2014 The Kubernetes Authors. |
| |
| Licensed under the Apache License, Version 2.0 (the "License"); |
| you may not use this file except in compliance with the License. |
| You may obtain a copy of the License at |
| |
| http://www.apache.org/licenses/LICENSE-2.0 |
| |
| Unless required by applicable law or agreed to in writing, software |
| distributed under the License is distributed on an "AS IS" BASIS, |
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| See the License for the specific language governing permissions and |
| limitations under the License. |
| */ |
| |
| package serviceaccount |
| |
| import ( |
| "fmt" |
| "strings" |
| |
| apimachineryvalidation "k8s.io/apimachinery/pkg/api/validation" |
| ) |
| |
| const ( |
| ServiceAccountUsernamePrefix = "system:serviceaccount:" |
| ServiceAccountUsernameSeparator = ":" |
| ServiceAccountGroupPrefix = "system:serviceaccounts:" |
| AllServiceAccountsGroup = "system:serviceaccounts" |
| ) |
| |
| // MakeUsername generates a username from the given namespace and ServiceAccount name. |
| // The resulting username can be passed to SplitUsername to extract the original namespace and ServiceAccount name. |
| func MakeUsername(namespace, name string) string { |
| return ServiceAccountUsernamePrefix + namespace + ServiceAccountUsernameSeparator + name |
| } |
| |
| var invalidUsernameErr = fmt.Errorf("Username must be in the form %s", MakeUsername("namespace", "name")) |
| |
| // SplitUsername returns the namespace and ServiceAccount name embedded in the given username, |
| // or an error if the username is not a valid name produced by MakeUsername |
| func SplitUsername(username string) (string, string, error) { |
| if !strings.HasPrefix(username, ServiceAccountUsernamePrefix) { |
| return "", "", invalidUsernameErr |
| } |
| trimmed := strings.TrimPrefix(username, ServiceAccountUsernamePrefix) |
| parts := strings.Split(trimmed, ServiceAccountUsernameSeparator) |
| if len(parts) != 2 { |
| return "", "", invalidUsernameErr |
| } |
| namespace, name := parts[0], parts[1] |
| if len(apimachineryvalidation.ValidateNamespaceName(namespace, false)) != 0 { |
| return "", "", invalidUsernameErr |
| } |
| if len(apimachineryvalidation.ValidateServiceAccountName(name, false)) != 0 { |
| return "", "", invalidUsernameErr |
| } |
| return namespace, name, nil |
| } |
| |
| // MakeGroupNames generates service account group names for the given namespace |
| func MakeGroupNames(namespace string) []string { |
| return []string{ |
| AllServiceAccountsGroup, |
| MakeNamespaceGroupName(namespace), |
| } |
| } |
| |
| // MakeNamespaceGroupName returns the name of the group all service accounts in the namespace are included in |
| func MakeNamespaceGroupName(namespace string) string { |
| return ServiceAccountGroupPrefix + namespace |
| } |