func()

in cmd/gcp-controller-manager/service_account_verifier.go [240:305]


// verify re-evaluates the KSA→GSA binding for the ServiceAccount identified
// by key (a "namespace/name" indexer key) and updates sav.verifiedSAs to
// match what the HMS currently authorizes.
//
// The returned bool reports whether verifiedSAs changed (an entry was added,
// replaced or removed); the caller treats true as the signal to trigger a CM
// update. A non-nil error means the indexer lookup or the HMS authorization
// call itself failed. On that path verifiedSAs is left untouched, so a
// previously verified binding survives a transient authorization failure
// rather than being revoked; the caller is expected to retry.
//
// Security note: the GSA e-mail is read from an annotation that anyone able
// to edit the ServiceAccount can set, so it is never trusted on its own — a
// binding is only recorded after sav.hms.authorize permits it.
func (sav *serviceAccountVerifier) verify(key string) (bool, error) {
	obj, exists, err := sav.saIndexer.GetByKey(key)
	if err != nil {
		return false, fmt.Errorf("failed to get ServiceAccount %q: %v", key, err)
	}

	if !exists {
		// The KSA is gone: drop any binding it previously held.
		namespace, name, splitErr := cache.SplitMetaNamespaceKey(key)
		if splitErr != nil {
			klog.Errorf("Dropping invalid key %q in SA queue: %v", key, splitErr)
			return false, nil
		}
		deleted := serviceAccount{namespace, name}
		priorGSA, wasVerified := sav.verifiedSAs.remove(deleted)
		if !wasVerified {
			return false, nil
		}
		klog.Infof("Removed permission %q:%q; KSA removed", deleted, priorGSA)
		return true, nil
	}

	sa, isSA := obj.(*core.ServiceAccount)
	if !isSA {
		klog.Errorf("Dropping invalid object from SA queue with key %q: %#v", key, obj)
		return false, nil
	}
	ksa := serviceAccount{sa.ObjectMeta.Namespace, sa.ObjectMeta.Name}

	annotation, hasAnnotation := sa.ObjectMeta.Annotations[serviceAccountAnnotationGSAEmail]
	if !hasAnnotation || annotation == "" {
		// No (or empty) GSA annotation: revoke whatever was recorded. An
		// annotation added later (by an admin) is only picked up on the SA's
		// next periodic resync.
		klog.V(5).Infof("SA %v does not have a GsaEmail annotation.", sa)
		priorGSA, wasVerified := sav.verifiedSAs.remove(ksa)
		if !wasVerified {
			return false, nil
		}
		klog.Infof("Removed permission %q:%q; annotation removed", ksa, priorGSA)
		return true, nil
	}

	gsa := gsaEmail(annotation)
	allowed, err := sav.hms.authorize(ksa, gsa)
	if err != nil {
		return false, fmt.Errorf("failed to authorize %s:%s; err: %v", ksa, gsa, err)
	}

	if !allowed {
		priorGSA, wasVerified := sav.verifiedSAs.remove(ksa)
		if !wasVerified {
			klog.Infof("Permission denied %q:%q", ksa, gsa)
			return false, nil
		}
		if priorGSA == gsa {
			klog.Infof("Removed permission %q:%q; no longer valid", ksa, gsa)
		} else {
			klog.Infof("Removed permission %q:%q; current annotation :%q is denied", ksa, priorGSA, gsa)
		}
		// A previously permitted binding was revoked, so the CM must be updated.
		return true, nil
	}

	priorGSA, hadEntry := sav.verifiedSAs.add(ksa, gsa)
	switch {
	case !hadEntry:
		klog.Infof("Permission verified %q:%q", ksa, gsa)
		return true, nil
	case priorGSA != gsa:
		klog.Infof("Permission changed to %q:%q from :%q", ksa, gsa, priorGSA)
		return true, nil
	default:
		// Same binding as before: nothing for the CM to pick up.
		klog.Infof("Permission re-verified %q:%q", ksa, gsa)
		return false, nil
	}
}