From eef135e86493e0668d8fe4459504045c2d25f07e Mon Sep 17 00:00:00 2001
From: Sebastian Widmer
Date: Sat, 18 Mar 2023 21:14:58 +0100
Subject: [PATCH] SARs must not have a name
---
 webhooks/invitation_webhook.go | 5 -----
 webhooks/invitation_webhook_test.go | 22 +++++++++++-----------
 2 files changed, 11 insertions(+), 16 deletions(-)
diff --git a/webhooks/invitation_webhook.go b/webhooks/invitation_webhook.go
index 80c8176b..bf79554f 100644
--- a/webhooks/invitation_webhook.go
+++ b/webhooks/invitation_webhook.go
@@ -5,10 +5,8 @@ import (
 "fmt"
 "net/http"
- "github.com/google/uuid"
 "go.uber.org/multierr"
 authenticationv1 "k8s.io/api/authentication/v1"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/runtime/schema"
 "k8s.io/kubernetes/pkg/apis/authorization"
 "sigs.k8s.io/controller-runtime/pkg/client"
@@ -86,9 +84,6 @@ func canEditTarget(ctx context.Context, c client.Client, user authenticationv1.U
 ra.Verb = verb
 rw := authorization.SubjectAccessReview{
- ObjectMeta: metav1.ObjectMeta{
- Name: uuid.New().String(),
- },
 Spec: authorization.SubjectAccessReviewSpec{
 ResourceAttributes: ra,
 User: user.Username,
diff --git a/webhooks/invitation_webhook_test.go b/webhooks/invitation_webhook_test.go
index 9e25f444..fd0ecc76 100644
--- a/webhooks/invitation_webhook_test.go
+++ b/webhooks/invitation_webhook_test.go
@@ -16,7 +16,6 @@ import (
 "k8s.io/apimachinery/pkg/runtime"
 "k8s.io/apimachinery/pkg/runtime/schema"
 clientgoscheme "k8s.io/client-go/kubernetes/scheme"
- ktesting "k8s.io/client-go/testing"
 "k8s.io/kubernetes/pkg/apis/authorization"
 "sigs.k8s.io/controller-runtime/pkg/client"
 "sigs.k8s.io/controller-runtime/pkg/client/fake"
@@ -331,18 +330,19 @@ func prepareInvitationValidatorTest(t *testing.T, sarAllowedUser string, initObj
 Kind: "RoleBinding",
 }, meta.RESTScopeNamespace)
- tr := subjectAccessReviewResponder{
- ktesting.NewObjectTracker(scheme, clientgoscheme.Codecs.UniversalDecoder()),
- sarAllowedUser,
- }
+ var client client.WithWatch
- client := fake.NewClientBuilder().
+ client = fake.NewClientBuilder().
 WithScheme(scheme).
 WithObjects(initObjs...).
 WithRESTMapper(drm).
- WithObjectTracker(tr).
 Build()
+ client = subjectAccessReviewResponder{
+ client,
+ sarAllowedUser,
+ }
+
 iv := &InvitationValidator{}
 iv.InjectClient(client)
 iv.InjectDecoder(decoder)
@@ -350,18 +350,18 @@ func prepareInvitationValidatorTest(t *testing.T, sarAllowedUser string, initObj
 return iv
 }
-// subjectAccessReviewResponder is a wrapper for testing.ObjectTracker that responds to SubjectAccessReview create requests
+// subjectAccessReviewResponder is a wrapper for client.WithWatch that responds to SubjectAccessReview create requests
 // and allows or denies the request based on the allowedUser name.
 type subjectAccessReviewResponder struct {
- ktesting.ObjectTracker
+ client.WithWatch
 allowedUser string
 }
-func (r subjectAccessReviewResponder) Create(gvr schema.GroupVersionResource, obj runtime.Object, ns string) error {
+func (r subjectAccessReviewResponder) Create(ctx context.Context, obj client.Object, opts ...client.CreateOption) error {
 if sar, ok := obj.(*authorization.SubjectAccessReview); ok {
 sar.Status.Allowed = sar.Spec.User == r.allowedUser
 return nil
 }
- return r.ObjectTracker.Create(gvr, obj, ns)
+ return r.WithWatch.Create(ctx, obj, opts...)
 }
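Review bot: `var client client.WithWatch` in prepareInvitationValidatorTest names the local after the imported `client` package, so from that line on the package is shadowed for the rest of the function and each later `client` has to be read twice to tell which one is meant. Renaming the variable, for example `var c client.WithWatch`, then `c = subjectAccessReviewResponder{WithWatch: c, allowedUser: sarAllowedUser}` and `iv.InjectClient(c)`, keeps the package reachable and makes the wrapping step explicit through keyed fields. The function begins before this hunk, so earlier uses of either name are not visible here.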
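Review bot: The fake `Create` returns nil for every SubjectAccessReview without looking at its metadata, so a review that still carried `ObjectMeta.Name` would pass these tests and the behaviour this commit fixes is not pinned. Rejecting a named review in the responder, e.g. `if sar.Name != "" { return fmt.Errorf("SubjectAccessReview must not have a name, got %q", sar.Name) }` (assuming `fmt` is imported in the test file), would make the test double fail the way the commit title says the API does. The allow decision also depends only on `sar.Spec.User`, so a webhook that asked about the wrong verb or resource in `ResourceAttributes` would go unnoticed; a comment on the method stating that limitation, or an assertion on the expected attributes, would make the coverage gap visible.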