SARs must not have a name
bastjan committed Mar 18, 2023
1 parent 4cf02cb commit eef135e
Showing 2 changed files with 11 additions and 16 deletions.
5 changes: 0 additions & 5 deletions webhooks/invitation_webhook.go
Expand Up @@ -5,10 +5,8 @@ import (
"fmt"
"net/http"

"github.com/google/uuid"
"go.uber.org/multierr"
authenticationv1 "k8s.io/api/authentication/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/kubernetes/pkg/apis/authorization"
"sigs.k8s.io/controller-runtime/pkg/client"
Expand Down Expand Up @@ -86,9 +84,6 @@ func canEditTarget(ctx context.Context, c client.Client, user authenticationv1.U
ra.Verb = verb

rw := authorization.SubjectAccessReview{
ObjectMeta: metav1.ObjectMeta{
Name: uuid.New().String(),
},
Spec: authorization.SubjectAccessReviewSpec{
ResourceAttributes: ra,
User: user.Username,
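Review bot: The literal at `rw := authorization.SubjectAccessReview{` now builds the review with empty metadata, but nothing in the code says why, so a future maintainer may reintroduce a generated name. Add a why-comment above it: `// SubjectAccessReview metadata must stay empty: the API server rejects a SAR that carries a name or other metadata.` As far as I recall that check is part of the apiserver's SAR validation, worth confirming against the apiserver version this webhook targets. canEditTarget continues outside the hunk; how the returned Status (Allowed versus Denied or an evaluation error) is interpreted, and whether a failed Create is treated as a denial, is not visible here.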
22 changes: 11 additions & 11 deletions webhooks/invitation_webhook_test.go
Expand Up @@ -16,7 +16,6 @@ import (
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema"
clientgoscheme "k8s.io/client-go/kubernetes/scheme"
ktesting "k8s.io/client-go/testing"
"k8s.io/kubernetes/pkg/apis/authorization"
"sigs.k8s.io/controller-runtime/pkg/client"
"sigs.k8s.io/controller-runtime/pkg/client/fake"
Expand Down Expand Up @@ -331,37 +330,38 @@ func prepareInvitationValidatorTest(t *testing.T, sarAllowedUser string, initObj
Kind: "RoleBinding",
}, meta.RESTScopeNamespace)

tr := subjectAccessReviewResponder{
ktesting.NewObjectTracker(scheme, clientgoscheme.Codecs.UniversalDecoder()),
sarAllowedUser,
}
var client client.WithWatch

client := fake.NewClientBuilder().
client = fake.NewClientBuilder().
WithScheme(scheme).
WithObjects(initObjs...).
WithRESTMapper(drm).
WithObjectTracker(tr).
Build()

client = subjectAccessReviewResponder{
client,
sarAllowedUser,
}

iv := &InvitationValidator{}
iv.InjectClient(client)
iv.InjectDecoder(decoder)

return iv
}

// subjectAccessReviewResponder is a wrapper for testing.ObjectTracker that responds to SubjectAccessReview create requests
// subjectAccessReviewResponder is a wrapper for client.WithWatch that responds to SubjectAccessReview create requests
// and allows or denies the request based on the allowedUser name.
type subjectAccessReviewResponder struct {
ktesting.ObjectTracker
client.WithWatch

allowedUser string
}

func (r subjectAccessReviewResponder) Create(gvr schema.GroupVersionResource, obj runtime.Object, ns string) error {
func (r subjectAccessReviewResponder) Create(ctx context.Context, obj client.Object, opts ...client.CreateOption) error {
if sar, ok := obj.(*authorization.SubjectAccessReview); ok {
sar.Status.Allowed = sar.Spec.User == r.allowedUser
return nil
}
return r.ObjectTracker.Create(gvr, obj, ns)
return r.WithWatch.Create(ctx, obj, opts...)
}
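Review bot: `var client client.WithWatch` at the top of the rebuilt block shadows the imported `client` package for the rest of prepareInvitationValidatorTest, so any later `client.X` reference in that function would resolve to the variable; the old `client :=` had the same effect, but the new explicit declaration is the natural place to rename the local, e.g. `var c client.WithWatch`, then `subjectAccessReviewResponder{c, sarAllowedUser}` and `iv.InjectClient(c)`. Separately, the new `Create` override answers every SubjectAccessReview with `Allowed = (Spec.User == allowedUser)` and always returns nil, so the harness cannot drive the error path of the webhook's SAR call; a field such as `createErr error` returned for SARs would let a test confirm the validator fails closed when the review cannot be performed. The literal `subjectAccessReviewResponder{client, sarAllowedUser}` also uses unkeyed fields; `subjectAccessReviewResponder{WithWatch: client, allowedUser: sarAllowedUser}` survives a later reordering of the struct.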
