feat: use organization context

datum-cloud · Dec 14, 2024 · c80811f · c80811f
1 parent e5d868c
commit c80811f
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 19 deletions.
diff --git a/cmd/datum-authorization-webhook/app/internal/iam/core_control_plane_authorizer.go b/cmd/datum-authorization-webhook/app/internal/iam/core_control_plane_authorizer.go
@@ -7,6 +7,7 @@ import (
 
 	"buf.build/gen/go/datum-cloud/iam/grpc/go/datum/iam/v1alpha/iamv1alphagrpc"
 	iampb "buf.build/gen/go/datum-cloud/iam/protocolbuffers/go/datum/iam/v1alpha"
+	"go.datumapis.com/datum/cmd/datum-authorization-webhook/app/internal/webhook"
 	"go.opentelemetry.io/otel"
 	"go.opentelemetry.io/otel/attribute"
 	"go.opentelemetry.io/otel/codes"
@@ -36,13 +37,7 @@ func (o *CoreControlPlaneAuthorizer) Authorize(ctx context.Context, attributes a
 		return authorizer.DecisionNoOpinion, "", nil
 	}
 
-	labelSelector, err := attributes.GetLabelSelector()
-	if err != nil {
-		span.SetStatus(codes.Error, err.Error())
-		return authorizer.DecisionNoOpinion, "", fmt.Errorf("failed to get label selector: %w", err)
-	}
-
-	organizationID, err := getOrganizationID(labelSelector)
+	organizationID, err := webhook.GetOrganizationUID(ctx)
 	if err != nil {
 		return authorizer.DecisionNoOpinion, "", err
 	}

diff --git a/cmd/datum-authorization-webhook/app/internal/webhook/webhook.go b/cmd/datum-authorization-webhook/app/internal/webhook/webhook.go
@@ -2,22 +2,43 @@ package webhook
 
 import (
 	"context"
+	"fmt"
 	"net/http"
 
 	authorizationv1 "k8s.io/api/authorization/v1"
-	"k8s.io/apimachinery/pkg/labels"
-	"k8s.io/apimachinery/pkg/selection"
 	"k8s.io/apiserver/pkg/authentication/user"
 	"k8s.io/apiserver/pkg/authorization/authorizer"
 )
 
+type ContextKey string
+
+const OrganizationUIDContextKey ContextKey = "resourcemanager.datumapis.com/organization-uid"
+
+func GetOrganizationUID(ctx context.Context) (string, error) {
+	value := ctx.Value(OrganizationUIDContextKey)
+	if value == nil {
+		return "", fmt.Errorf("organization UID not set in context")
+	}
+
+	orgID, ok := value.(string)
+	if !ok {
+		return "", fmt.Errorf("invalid organization ID set in context")
+	}
+
+	return orgID, nil
+}
+
 func NewAuthorizerWebhook(authzer authorizer.Authorizer) *Webhook {
 	return &Webhook{
 		Handler: HandlerFunc(func(ctx context.Context, r Request) Response {
 			if r.Spec.ResourceAttributes != nil && r.Spec.NonResourceAttributes != nil {
 				return Denied("must specify oneof resource or non-resource attributes, not both")
 			}
 
+			if orgID := r.Spec.Extra["datum-organization-uid"]; len(orgID) > 0 {
+				ctx = context.WithValue(ctx, OrganizationUIDContextKey, orgID[0])
+			}
+
 			attrs := authorizer.AttributesRecord{
 				User: &user.DefaultInfo{
 					Name:   r.Spec.User,
@@ -35,16 +56,6 @@ func NewAuthorizerWebhook(authzer authorizer.Authorizer) *Webhook {
 				attrs.Subresource = resourceAttrs.Subresource
 				attrs.Name = resourceAttrs.Name
 				attrs.ResourceRequest = true
-				if resourceAttrs.LabelSelector != nil {
-					for _, requirement := range resourceAttrs.LabelSelector.Requirements {
-						req, _ := labels.NewRequirement(
-							requirement.Key,
-							selection.Operator(requirement.Operator),
-							requirement.Values,
-						)
-						attrs.LabelSelectorRequirements = append(attrs.LabelSelectorRequirements, *req)
-					}
-				}
 			}
 
 			if nonResourceAttrs := r.Spec.NonResourceAttributes; nonResourceAttrs != nil {