
Commit 49356a3

committed
Minimize update parser parity diff.
Inline legacy update parsing in _update_rbac for source-of-truth behavior and keep old/new parity assertions behind KUBEPLUS_UPDATE_EQ_CHECK, while removing extra helper methods. Made-with: Cursor
1 parent 4719e7c commit 49356a3


2 files changed

+52
-38
lines changed


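--- a/provider-kubeconfig.py
+++ b/provider-kubeconfig.py
@@ -85,34 +85,6 @@ def _parse_permission_rules(self, perms):
 rule_list.append(rule_group)
 return rule_list, resources
 
-def _parse_permission_rules_old(self, perms):
-"""Legacy update parser path kept for parity verification."""
-rule_list = []
-resources = []
-for api_group, res_actions in perms.items():
-for res in res_actions:
-for resource, verbs in res.items():
-if resource not in resources:
-resources.append(resource.strip())
-rule_group = {}
-if api_group == "non-apigroup":
-if "nonResourceURL" in resource:
-parts = resource.split("nonResourceURL::")
-non_res = parts[1].strip() if len(parts) > 1 else parts[0].strip()
-rule_group["nonResourceURLs"] = [non_res]
-rule_group["verbs"] = verbs
-else:
-rule_group["apiGroups"] = [api_group]
-rule_group["verbs"] = verbs
-if "resourceName" in resource:
-parts = resource.split("/resourceName::")
-rule_group["resources"] = [parts[0].strip()]
-rule_group["resourceNames"] = [parts[1].strip()]
-else:
-rule_group["resources"] = [resource]
-rule_list.append(rule_group)
-return rule_list, resources
-
 def _read_perm_configmap_resources(self, sa, namespace, kubeconfig):
 cfg_map_name = sa + "-perms"
 cfg_map_filename = sa + "-perms.txt"
@@ -259,12 +231,6 @@ def _assert_all_resources_parity(self, label, old_resources, new_resources):
 f"Only in new: {new_only}"
 )
 
-def _assert_update_parser_parity(self, perms):
-old_rule_list, old_resources = self._parse_permission_rules_old(perms)
-new_rule_list, new_resources = self._parse_permission_rules(perms)
-self._assert_rule_parity("update-parser", old_rule_list, new_rule_list)
-self._assert_all_resources_parity("update-parser", old_resources, new_resources)
-
 def _build_consumer_rules_old(self):
 # Read all resources
 ruleGroup1 = {}
@@ -685,10 +651,35 @@ def _apply_provider_rbac(self, sa, namespace, kubeconfig):
 def _update_rbac(self, permissionfile, sa, namespace, kubeconfig):
 """Add permissions from JSON/YAML file to provider (update command)."""
 perms = self._load_permission_data(permissionfile)
-old_rule_list, old_resources = self._parse_permission_rules_old(perms)
+# Keep old update parser path inline as source of truth.
+old_rule_list = []
+old_resources = []
+for api_group, res_actions in perms.items():
+for res in res_actions:
+for resource, verbs in res.items():
+if resource not in old_resources:
+old_resources.append(resource.strip())
+rule_group = {}
+if api_group == "non-apigroup":
+if "nonResourceURL" in resource:
+parts = resource.split("nonResourceURL::")
+non_res = parts[1].strip() if len(parts) > 1 else parts[0].strip()
+rule_group["nonResourceURLs"] = [non_res]
+rule_group["verbs"] = verbs
+else:
+rule_group["apiGroups"] = [api_group]
+rule_group["verbs"] = verbs
+if "resourceName" in resource:
+parts = resource.split("/resourceName::")
+rule_group["resources"] = [parts[0].strip()]
+rule_group["resourceNames"] = [parts[1].strip()]
+else:
+rule_group["resources"] = [resource]
+old_rule_list.append(rule_group)
+new_rule_list, new_resources = self._parse_permission_rules(perms)
 if os.getenv("KUBEPLUS_UPDATE_EQ_CHECK", "0") == "1":
-self._assert_update_parser_parity(perms)
-# Keep old update parser path as source of truth.
+self._assert_rule_parity("update-parser", old_rule_list, new_rule_list)
+self._assert_all_resources_parity("update-parser", old_resources, new_resources)
 rule_list = old_rule_list
 new_resources = old_resources
 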
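Review bot: In `_update_rbac`, the added call `new_rule_list, new_resources = self._parse_permission_rules(perms)` sits before the `KUBEPLUS_UPDATE_EQ_CHECK` guard, so the non-authoritative parser now runs on every update even though only the two parity assertions use its results and `new_resources` is rebound to `old_resources` a few lines later. In the lines shown, the new parser was previously reached only through `_assert_update_parser_parity`, i.e. with the flag set to `1`, so an exception in it can now abort an RBAC update the legacy path would have completed; moving that call under the `if os.getenv("KUBEPLUS_UPDATE_EQ_CHECK", "0") == "1":` branch restores the old behaviour. Separately, the inlined legacy loop tests `"resourceName" in resource` but splits on `"/resourceName::"`, so a permission key that contains the substring without that exact delimiter reaches `parts[1]` with a one-element list. Because these rules become the provider's RBAC, it would be safer to check for the full delimiter and reject malformed keys with a clear error rather than an `IndexError`. The body of `_update_rbac` continues past the end of this hunk.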

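--- a/tests/test_provider_kubeconfig.py
+++ b/tests/test_provider_kubeconfig.py
@@ -143,7 +143,30 @@ def test_update_old_and_new_parsers_match(self):
 {"nonResourceURL::/metrics": ["get"]},
 ],
 }
-old_rules, old_resources = self.generator._parse_permission_rules_old(perms)
+old_rules = []
+old_resources = []
+for api_group, res_actions in perms.items():
+for res in res_actions:
+for resource, verbs in res.items():
+if resource not in old_resources:
+old_resources.append(resource.strip())
+rule_group = {}
+if api_group == "non-apigroup":
+if "nonResourceURL" in resource:
+parts = resource.split("nonResourceURL::")
+non_res = parts[1].strip() if len(parts) > 1 else parts[0].strip()
+rule_group["nonResourceURLs"] = [non_res]
+rule_group["verbs"] = verbs
+else:
+rule_group["apiGroups"] = [api_group]
+rule_group["verbs"] = verbs
+if "resourceName" in resource:
+parts = resource.split("/resourceName::")
+rule_group["resources"] = [parts[0].strip()]
+rule_group["resourceNames"] = [parts[1].strip()]
+else:
+rule_group["resources"] = [resource]
+old_rules.append(rule_group)
 new_rules, new_resources = self.generator._parse_permission_rules(perms)
 self.generator._assert_rule_parity("test-update-parser", old_rules, new_rules)
 self.generator._assert_all_resources_parity("test-update-parser", old_resources, new_resources)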
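Review bot: `test_update_old_and_new_parsers_match` now compares `_parse_permission_rules` against a copy of the legacy loop pasted into the test, so it no longer exercises the legacy code that `_update_rbac` actually uses to build the RBAC rules. If the inline copy in `_update_rbac` drifts from this one, the test keeps passing while the rules applied to the cluster change. Consider driving the check through `_update_rbac` with `KUBEPLUS_UPDATE_EQ_CHECK=1` set in the test environment, or keeping a single shared legacy helper that both the production path and the test call. The test method and its `perms` fixture begin before this hunk, so whether a `/resourceName::` key is covered cannot be seen from here.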
