From 0e26c3e003cf85893cd753fe3606df78791989e2 Mon Sep 17 00:00:00 2001
From: Sebastian Widmer
Date: Thu, 29 Aug 2024 14:29:50 +0200
Subject: [PATCH] Never skip `Project` requests (#120)
The requests comes from internal components of OpenShift, but has an annotation with the original user name. The user from the annotation is checked later.
---
 .../namespace_project_organization_mutator.go | 7 ++++++-
 ...space_project_organization_mutator_test.go | 19 ++++++++++++++++++-
 2 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/webhooks/namespace_project_organization_mutator.go b/webhooks/namespace_project_organization_mutator.go
index e85c534..8f27b9f 100644
--- a/webhooks/namespace_project_organization_mutator.go
+++ b/webhooks/namespace_project_organization_mutator.go
@@ -58,6 +58,7 @@ func (m *NamespaceProjectOrganizationMutator) Handle(ctx context.Context, req ad
 ctx = log.IntoContext(ctx, log.FromContext(ctx).
 WithName("webhook.namespace-project-organization-mutator.appuio.io").
 WithValues("id", req.UID, "user", req.UserInfo.Username).
+ WithValues("operation", req.Operation).
 WithValues("namespace", req.Namespace, "name", req.Name, "group", req.Kind.Group, "version", req.Kind.Version, "kind", req.Kind.Kind))
@@ -69,7 +70,11 @@ func (m *NamespaceProjectOrganizationMutator) handle(ctx context.Context, req ad
 if err != nil {
 return admission.Errored(http.StatusInternalServerError, fmt.Errorf("error while checking skipper: %w", err))
 }
- if skip {
+ if skip && req.Kind.Kind == "Project" {
+ // Project requests come from internal openshift components with annotations for user info.
+ // Do not allow them but check the annotations later in the code.
+ log.FromContext(ctx).Info("`Project` requests will not be skipped")
+ } else if skip {
 return admission.Allowed("skipped")
 }
diff --git a/webhooks/namespace_project_organization_mutator_test.go b/webhooks/namespace_project_organization_mutator_test.go
index 15b0672..f72552c 100644
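Review bot: The comment inside the new `if skip && req.Kind.Kind == "Project"` branch says "Do not allow them", but the branch neither allows nor denies anything — it only logs and falls through to the checks that follow, so the comment misstates the control flow. Suggest replacing the two comment lines with `// Project requests originate from internal OpenShift components; the original requester is carried in an annotation.` and `// Never skip them here so that the annotation-based user check below still runs.`. The override matches on kind name only; if the intent is specifically the OpenShift `Project` resource, comparing `req.Kind.Group` as well (it is already logged in the hunk above) would make the exception precise, although a name-only match only errs toward running more checks, not fewer. The body of `handle` starts before the hunk and continues after it, so the annotation check the comment refers to is not visible here.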
--- a/webhooks/namespace_project_organization_mutator_test.go
+++ b/webhooks/namespace_project_organization_mutator_test.go
@@ -32,6 +32,8 @@ func Test_NamespaceProjectOrganizationMutator_Handle(t *testing.T) {
 allowed bool
 orgPatch string
+
+ skip bool
 }{
 {
 name: "Project: request with org label set",
@@ -111,6 +113,21 @@ func Test_NamespaceProjectOrganizationMutator_Handle(t *testing.T) {
 user: "user",
 allowed: false,
 },
+ {
+ name: "Project: project requests should not be skipped",
+
+ object: newProjectRequest("project", map[string]string{orgLabel: "other-org"}, nil),
+ additionalObjects: func(*testing.T) []client.Object {
+ return []client.Object{
+ newUser("user", ""),
+ newGroup("other-org"),
+ }
+ },
+
+ skip: true,
+ user: "user",
+ allowed: false,
+ },
 {
 name: "Namespace: request with org label set, user not in org",
@@ -358,7 +375,7 @@ func Test_NamespaceProjectOrganizationMutator_Handle(t *testing.T) {
 subject := NamespaceProjectOrganizationMutator{
 Decoder: decoder,
 Client: c,
- Skipper: skipper.StaticSkipper{},
+ Skipper: skipper.StaticSkipper{ShouldSkip: tc.skip},
 OrganizationLabel: orgLabel,
 UserDefaultOrganizationAnnotation: testDefaultOrgAnnotation,
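Review bot: The new table entry exercises only the Project override with `skip: true`; the `else if skip` branch in `handle`, which returns `admission.Allowed("skipped")` for every other kind, still has no case with `skip: true` now that the skipper is driven by `tc.skip`. A sibling entry for a Namespace request with `skip: true` and `allowed: true` would pin that non-Project requests are still skipped and that the override does not widen beyond `Project`. The expected outcome here (`allowed: false` for a user outside `other-org`) reads as intended, but a one-line comment on the entry such as `// skipper says skip, yet Project requests are still checked: user is not in other-org` would make the assertion self-explanatory. The test table starts before this hunk and continues after it.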