kubernetes-retired · carolynvs · Apr 23, 2018 · Feb 28, 2018 · Feb 28, 2018 · Feb 28, 2018
diff --git a/pkg/apis/servicecatalog/types.go b/pkg/apis/servicecatalog/types.go
@@ -101,6 +101,15 @@ type CommonServiceBrokerSpec struct {
 	// RelistRequests is a strictly increasing, non-negative integer counter that
 	// can be manually incremented by a user to manually trigger a relist.
 	RelistRequests int64
+
+	// CatalogRestrictions allows adding restrictions onto Class/Plans on relist.
+	CatalogRestrictions *CatalogRestrictions
+}
+
+// CatalogRestrictions holds the restriction for service class and plan.
+type CatalogRestrictions struct {
+	ServicePlan  []string
+	ServiceClass []string
 }
 
 // ClusterServiceBrokerSpec represents a description of a Broker.

diff --git a/pkg/apis/servicecatalog/v1beta1/conversion.go b/pkg/apis/servicecatalog/v1beta1/conversion.go
@@ -16,7 +16,12 @@ limitations under the License.
 
 package v1beta1
 
-import "fmt"
+import (
+	"fmt"
+
+	"github.com/kubernetes-incubator/service-catalog/pkg/filter"
+	"k8s.io/apimachinery/pkg/labels"
+)
 
 // These functions are used for field selectors. They are only needed if
 // field selection is made available for types, hence we only have them for
@@ -88,3 +93,32 @@ func ServiceInstanceFieldLabelConversionFunc(label, value string) (string, strin
 		return "", "", fmt.Errorf("field label not supported: %s", label)
 	}
 }
+
+// ConvertClusterServiceClassToProperties takes a Service Class and pulls out the
+// properties we support for filtering, converting them into a map in the
+// expected format.
+func ConvertClusterServiceClassToProperties(serviceClass *ClusterServiceClass) filter.Properties {
+	if serviceClass == nil {
+		return labels.Set{}
+	}
+	return labels.Set{
+		FilterName:             serviceClass.Name,
+		FilterSpecExternalName: serviceClass.Spec.ExternalName,
+		FilterSpecExternalID:   serviceClass.Spec.ExternalID,
+	}
+}
+
+// ConvertServicePlanToProperties takes a Service Plan and pulls out the
+// properties we support for filtering, converting them into a map in the
+// expected format.
+func ConvertClusterServicePlanToProperties(servicePlan *ClusterServicePlan) filter.Properties {
+	if servicePlan == nil {
+		return labels.Set{}
+	}
+	return labels.Set{
+		FilterName:                        servicePlan.Name,
+		FilterSpecExternalName:            servicePlan.Spec.ExternalName,
+		FilterSpecExternalID:              servicePlan.Spec.ExternalID,
+		FilterSpecClusterServiceClassName: servicePlan.Spec.ClusterServiceClassRef.Name,
+	}
+}
diff --git a/pkg/apis/servicecatalog/v1beta1/conversion_test.go b/pkg/apis/servicecatalog/v1beta1/conversion_test.go
@@ -17,8 +17,13 @@ limitations under the License.
 package v1beta1
 
 import (
+	"encoding/json"
 	"strings"
 	"testing"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/kubernetes-incubator/service-catalog/pkg/apis/servicecatalog"
 )
 
 type conversionFunc func(string, string) (string, string, error)
@@ -235,3 +240,129 @@ func runTestCases(t *testing.T, cases []testcase, testFuncName string, testFunc
 		}
 	}
 }
+
+func TestConvert_v1beta1_CatalogRestrictions_To_servicecatalog_CatalogRestrictions_AndBack(t *testing.T) {
+	originalIn := CatalogRestrictions{
+		ServiceClass: []string{"name not in (foo)"},
+		ServicePlan:  []string{"name == bar", "externalName==baz"},
+	}
+	var originalOut servicecatalog.CatalogRestrictions
+
+	Convert_v1beta1_CatalogRestrictions_To_servicecatalog_CatalogRestrictions(&originalIn, &originalOut, nil)
+
+	var convertedOut CatalogRestrictions
+
+	Convert_servicecatalog_CatalogRestrictions_To_v1beta1_CatalogRestrictions(&originalOut, &convertedOut, nil)
+
+	// original in and converted out should match, but string formatting and order modifications are  allowed.
+
+	for _, r := range convertedOut.ServiceClass {
+		if !findInRequirementsIgnoreSpaces(r, originalIn.ServiceClass) {
+			t.Fail()
+		}
+	}
+
+	for _, r := range convertedOut.ServicePlan {
+		if !findInRequirementsIgnoreSpaces(r, originalIn.ServicePlan) {
+			t.Fail()
+		}
+	}
+}
+
+func findInRequirementsIgnoreSpaces(requirement string, requirements []string) bool {
+	find := strings.Replace(requirement, " ", "", -1)
+	for _, r := range requirements {
+		found := strings.Replace(r, " ", "", -1)
+		if find == found {
+			return true
+		}
+	}
+	return false
+}
+
+func TestConvertClusterServiceClassToProperties(t *testing.T) {
+	cases := []struct {
+		name string
+		sc   *ClusterServiceClass
+		json string
+	}{
+		{
+			name: "nil object",
+			json: "{}",
+		},
+		{
+			name: "normal object",
+			sc: &ClusterServiceClass{
+				ObjectMeta: metav1.ObjectMeta{Name: "service-class"},
+				Spec: ClusterServiceClassSpec{
+					CommonServiceClassSpec: CommonServiceClassSpec{
+						ExternalName: "external-class-name",
+						ExternalID:   "external-id",
+					},
+				},
+			},
+			json: "{\"name\":\"service-class\",\"spec.externalID\":\"external-id\",\"spec.externalName\":\"external-class-name\"}",
+		},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			p := ConvertClusterServiceClassToProperties(tc.sc)
+			if p == nil {
+				t.Fatalf("Failed to create Properties object from %+v", tc.sc)
+			}
+			b, err := json.Marshal(p)
+			if err != nil {
+				t.Fatalf("Unexpected error with json marchal, %v", err)
+			}
+			js := string(b)
+			if js != tc.json {
+				t.Fatalf("Failed to create expected Properties object,\n\texpected: \t%q,\n \tgot: \t\t%q", tc.json, js)
+			}
+		})
+	}
+}
+
+func TestConvertClusterServicePlanToProperties(t *testing.T) {
+	cases := []struct {
+		name string
+		sp   *ClusterServicePlan
+		json string
+	}{
+		{
+			name: "nil object",
+			json: "{}",
+		},
+		{
+			name: "normal object",
+			sp: &ClusterServicePlan{
+				ObjectMeta: metav1.ObjectMeta{Name: "service-plan"},
+				Spec: ClusterServicePlanSpec{
+					CommonServicePlanSpec: CommonServicePlanSpec{
+						ExternalName: "external-plan-name",
+						ExternalID:   "external-id",
+					},
+					ClusterServiceClassRef: ClusterObjectReference{
+						Name: "cluster-service-class-name",
+					},
+				},
+			},
+			json: "{\"name\":\"service-plan\",\"spec.clusterServiceClass.name\":\"cluster-service-class-name\",\"spec.externalID\":\"external-id\",\"spec.externalName\":\"external-plan-name\"}",
+		},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			p := ConvertClusterServicePlanToProperties(tc.sp)
+			if p == nil {
+				t.Fatalf("Failed to create Properties object from %+v", tc.sp)
+			}
+			b, err := json.Marshal(p)
+			if err != nil {
+				t.Fatalf("Unexpected error with json marchal, %v", err)
+			}
+			js := string(b)
+			if js != tc.json {
+				t.Fatalf("Failed to create expected Properties object,\n\texpected: \t%q,\n \tgot: \t\t%q", tc.json, js)
+			}
+		})
+	}
+}
diff --git a/pkg/apis/servicecatalog/v1beta1/types.go b/pkg/apis/servicecatalog/v1beta1/types.go
@@ -121,6 +121,57 @@ type CommonServiceBrokerSpec struct {
 	// can be manually incremented by a user to manually trigger a relist.
 	// +optional
 	RelistRequests int64 `json:"relistRequests"`
+
+	// CatalogRestrictions allows adding restrictions onto Class/Plans on relist.
+	// +optional
+	CatalogRestrictions *CatalogRestrictions `json:"catalogRestrictions,omitempty"`
+}
+
+// ServiceCatalogRestrictions contains the restrictions used to on catalog re-list.
+// Some examples of this object are as follows:
+//
+// This is an example of a whitelist on service externalName.
+// Goal: Only list Services with the externalName of FooService and BarService,
+// Solution: restrictions := ServiceCatalogRestrictions{
+// 		ServiceClass: ["externalName in (FooService, BarService)"]
+// }
+//
+// This is an example of a blacklist on service externalName.
+// Goal: Allow all services except the ones with the externalName of FooService and BarService,
+// Solution: restrictions := ServiceCatalogRestrictions{
+// 		ServiceClass: ["externalName notin (FooService, BarService)"]
+// }
+//
+// This whitelists plans called "Demo", and blacklists (but only a single element in
+// the list) a service and a plan.
+// Goal: Allow all plans with the externalName demo, but not AABBCC, and not a specific service by name,
+// Solution: restrictions := ServiceCatalogRestrictions{
+// 		ServiceClass: ["name!=AABBB-CCDD-EEGG-HIJK"]
+// 		ServicePlan: ["externalName in (Demo)", "name!=AABBCC"]
+// }
+//
+// CatalogRestrictions strings have a special format similar to Label Selectors,
+// except the catalog supports only a very specific property set.
+//
+// The predicate format is expected to be `<property><conditional><requirement>`
+// Check the *Requirements type definition for which <property> strings will be allowed.
+// <conditional> is allowed to be one of the following: ==, !=, in, notin
+// <requirement> will be a string value if `==` or `!=` are used.
+// <requirement> will be a set of string values if `in` or `notin` are used.
+// Multiple predicates are allowed to be chained with a comma (,)
+//
+// ServiceClass allowed property names:
+//   name - the value set to [Cluster]ServiceClass.Name
+//   externalName - the value set to [Cluster]ServiceClass.Spec.ExternalName
+//
+// ServicePlan allowed property names:
+//   name - the value set to [Cluster]ServiceClass.Name
+//   externalName - the value set to [Cluster]ServiceClass.Spec.ExternalName
+type CatalogRestrictions struct {
+	// ServiceClass represents a selector for plans, used to filter catalog re-lists.
+	ServiceClass []string `json:"serviceClass,omitempty"`
+	// ServicePlan represents a selector for classes, used to filter catalog re-lists.
+	ServicePlan []string `json:"servicePlan,omitempty"`
 }
 
 // ClusterServiceBrokerSpec represents a description of a Broker.
@@ -1241,6 +1292,18 @@ type ClusterObjectReference struct {
 	Name string `json:"name,omitempty"`
 }
 
+// Filter path for Properties
+const (
+	// Name field.
+	FilterName = "name"
+	// SpecExternalName is the external name of the object.
+	FilterSpecExternalName = "spec.externalName"
+	// SpecExternalID is the external id of the object.
+	FilterSpecExternalID = "spec.externalID"
+	// SpecClusterServiceClassName is only used for plans, the parent service class name.
+	FilterSpecClusterServiceClassName = "spec.clusterServiceClass.name"
+)
+
 // SecretTransform is a single transformation that is applied to the
 // credentials returned from the broker before they are inserted into
 // the Secret associated with the ServiceBinding.

diff --git a/pkg/apis/servicecatalog/v1beta1/zz_generated.conversion.go b/pkg/apis/servicecatalog/v1beta1/zz_generated.conversion.go
@@ -40,6 +40,8 @@ func RegisterConversions(scheme *runtime.Scheme) error {
 		Convert_servicecatalog_BasicAuthConfig_To_v1beta1_BasicAuthConfig,
 		Convert_v1beta1_BearerTokenAuthConfig_To_servicecatalog_BearerTokenAuthConfig,
 		Convert_servicecatalog_BearerTokenAuthConfig_To_v1beta1_BearerTokenAuthConfig,
+		Convert_v1beta1_CatalogRestrictions_To_servicecatalog_CatalogRestrictions,
+		Convert_servicecatalog_CatalogRestrictions_To_v1beta1_CatalogRestrictions,
 		Convert_v1beta1_ClusterBasicAuthConfig_To_servicecatalog_ClusterBasicAuthConfig,
 		Convert_servicecatalog_ClusterBasicAuthConfig_To_v1beta1_ClusterBasicAuthConfig,
 		Convert_v1beta1_ClusterBearerTokenAuthConfig_To_servicecatalog_ClusterBearerTokenAuthConfig,
@@ -195,6 +197,28 @@ func Convert_servicecatalog_BearerTokenAuthConfig_To_v1beta1_BearerTokenAuthConf
 	return autoConvert_servicecatalog_BearerTokenAuthConfig_To_v1beta1_BearerTokenAuthConfig(in, out, s)
 }
 
+func autoConvert_v1beta1_CatalogRestrictions_To_servicecatalog_CatalogRestrictions(in *CatalogRestrictions, out *servicecatalog.CatalogRestrictions, s conversion.Scope) error {
+	out.ServiceClass = *(*[]string)(unsafe.Pointer(&in.ServiceClass))
+	out.ServicePlan = *(*[]string)(unsafe.Pointer(&in.ServicePlan))
+	return nil
+}
+
+// Convert_v1beta1_CatalogRestrictions_To_servicecatalog_CatalogRestrictions is an autogenerated conversion function.
+func Convert_v1beta1_CatalogRestrictions_To_servicecatalog_CatalogRestrictions(in *CatalogRestrictions, out *servicecatalog.CatalogRestrictions, s conversion.Scope) error {
+	return autoConvert_v1beta1_CatalogRestrictions_To_servicecatalog_CatalogRestrictions(in, out, s)
+}
+
+func autoConvert_servicecatalog_CatalogRestrictions_To_v1beta1_CatalogRestrictions(in *servicecatalog.CatalogRestrictions, out *CatalogRestrictions, s conversion.Scope) error {
+	out.ServicePlan = *(*[]string)(unsafe.Pointer(&in.ServicePlan))
+	out.ServiceClass = *(*[]string)(unsafe.Pointer(&in.ServiceClass))
+	return nil
+}
+
+// Convert_servicecatalog_CatalogRestrictions_To_v1beta1_CatalogRestrictions is an autogenerated conversion function.
+func Convert_servicecatalog_CatalogRestrictions_To_v1beta1_CatalogRestrictions(in *servicecatalog.CatalogRestrictions, out *CatalogRestrictions, s conversion.Scope) error {
+	return autoConvert_servicecatalog_CatalogRestrictions_To_v1beta1_CatalogRestrictions(in, out, s)
+}
+
 func autoConvert_v1beta1_ClusterBasicAuthConfig_To_servicecatalog_ClusterBasicAuthConfig(in *ClusterBasicAuthConfig, out *servicecatalog.ClusterBasicAuthConfig, s conversion.Scope) error {
 	out.SecretRef = (*servicecatalog.ObjectReference)(unsafe.Pointer(in.SecretRef))
 	return nil
@@ -602,6 +626,7 @@ func autoConvert_v1beta1_CommonServiceBrokerSpec_To_servicecatalog_CommonService
 	out.RelistBehavior = servicecatalog.ServiceBrokerRelistBehavior(in.RelistBehavior)
 	out.RelistDuration = (*v1.Duration)(unsafe.Pointer(in.RelistDuration))
 	out.RelistRequests = in.RelistRequests
+	out.CatalogRestrictions = (*servicecatalog.CatalogRestrictions)(unsafe.Pointer(in.CatalogRestrictions))
 	return nil
 }
 
@@ -617,6 +642,7 @@ func autoConvert_servicecatalog_CommonServiceBrokerSpec_To_v1beta1_CommonService
 	out.RelistBehavior = ServiceBrokerRelistBehavior(in.RelistBehavior)
 	out.RelistDuration = (*v1.Duration)(unsafe.Pointer(in.RelistDuration))
 	out.RelistRequests = in.RelistRequests
+	out.CatalogRestrictions = (*CatalogRestrictions)(unsafe.Pointer(in.CatalogRestrictions))
 	return nil
 }
 

diff --git a/pkg/apis/servicecatalog/v1beta1/zz_generated.deepcopy.go b/pkg/apis/servicecatalog/v1beta1/zz_generated.deepcopy.go
@@ -75,6 +75,32 @@ func (in *BearerTokenAuthConfig) DeepCopy() *BearerTokenAuthConfig {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CatalogRestrictions) DeepCopyInto(out *CatalogRestrictions) {
+	*out = *in
+	if in.ServiceClass != nil {
+		in, out := &in.ServiceClass, &out.ServiceClass
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.ServicePlan != nil {
+		in, out := &in.ServicePlan, &out.ServicePlan
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CatalogRestrictions.
+func (in *CatalogRestrictions) DeepCopy() *CatalogRestrictions {
+	if in == nil {
+		return nil
+	}
+	out := new(CatalogRestrictions)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ClusterBasicAuthConfig) DeepCopyInto(out *ClusterBasicAuthConfig) {
 	*out = *in
@@ -493,6 +519,15 @@ func (in *CommonServiceBrokerSpec) DeepCopyInto(out *CommonServiceBrokerSpec) {
 			**out = **in
 		}
 	}
+	if in.CatalogRestrictions != nil {
+		in, out := &in.CatalogRestrictions, &out.CatalogRestrictions
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(CatalogRestrictions)
+			(*in).DeepCopyInto(*out)
+		}
+	}
 	return
 }