Merge pull request #802 from jlandowner/hotfix/default-addons
Skip UserRole validation for Default UserAddon
jlandowner authored Aug 4, 2023
2 parents a09a762 + 72a3d9e commit cf31141
Showing 4 changed files with 12 additions and 102 deletions.
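--- a/api/v1alpha1/template_types.go
+++ b/api/v1alpha1/template_types.go
@@ -13,9 +13,6 @@ const (
 
 // TemplateAnnKeyDisableNamePrefix is an annotation key on Template to notify controller not to add name prefix
 TemplateAnnKeyDisableNamePrefix = "cosmo-workspace.github.io/disable-nameprefix"
-// TemplateAnnKeySkipValidation is an annotation key on Template to notify webhook not to validate
-TemplateAnnKeySkipValidation = "cosmo-workspace.github.io/skip-validation"
-
 // TemplateAnnKeyUserRoles is an annotation key on Template for specific UserRoles
 TemplateAnnKeyUserRoles = "cosmo-workspace.github.io/userroles"
 // TemplateAnnKeyRequiredAddons is a annotation key for Template which requires useraddons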
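--- a/internal/webhooks/user_webhook.go
+++ b/internal/webhooks/user_webhook.go
@@ -193,11 +193,18 @@ func (h *UserValidationWebhookHandler) Handle(ctx context.Context, req admission
 return admission.Denied(fmt.Sprintf("failed to create addon %s: template is not labeled as useraddon", tmpl.GetName()))
 }
 
-// check user has role for the addon
-if ok := kosmo.IsAllowedToUseTemplate(ctx, user, tmpl); !ok {
-requiredRoles := kubeutil.GetAnnotation(tmpl, cosmov1alpha1.TemplateAnnKeyUserRoles)
-log.Info("user has no valid roles for template", "user", user.Name, "addon", tmpl.GetName(), "requiredRoles", requiredRoles)
-return admission.Denied(fmt.Sprintf("addon '%s' is only for roles '%s'", tmpl.GetName(), requiredRoles))
+isDefault, err := strconv.ParseBool(kubeutil.GetAnnotation(tmpl, cosmov1alpha1.UserAddonTemplateAnnKeyDefaultUserAddon))
+if err != nil {
+isDefault = false
+}
+
+// check user has role for the addon if addon is not default
+if !isDefault {
+if ok := kosmo.IsAllowedToUseTemplate(ctx, user, tmpl); !ok {
+requiredRoles := kubeutil.GetAnnotation(tmpl, cosmov1alpha1.TemplateAnnKeyUserRoles)
+log.Info("user has no valid roles for template", "user", user.Name, "addon", tmpl.GetName(), "requiredRoles", requiredRoles)
+return admission.Denied(fmt.Sprintf("addon '%s' is only for roles '%s'", tmpl.GetName(), requiredRoles))
+}
 }
 
 // check user has required addon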
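Review bot: The new `if !isDefault` guard in Handle lets any template whose `UserAddonTemplateAnnKeyDefaultUserAddon` annotation parses as true bypass `kosmo.IsAllowedToUseTemplate`, so a template that also carries `TemplateAnnKeyUserRoles` loses its role restriction without any trace in the webhook log. An audit line on the skip path would make that visible, for example `log.Info("skipping role check for default useraddon", "user", user.Name, "addon", tmpl.GetName())` in an `else` branch. The fallback to `isDefault = false` on a parse error fails closed, which is the right direction, and deserves a comment such as `// missing or unparsable annotation: keep the role check`. None of the four changed files is a webhook test, so this authorization path appears to be untested; a case with both annotations set would pin the intended precedence. Handle's body starts and ends outside this hunk.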
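--- a/pkg/template/label.go
+++ b/pkg/template/label.go
@@ -42,16 +42,3 @@ func IsDisableNamePrefix(tmpl cosmov1alpha1.TemplateObject) bool {
 }
 return disable
 }
-
-func IsSkipValidation(tmpl cosmov1alpha1.TemplateObject) bool {
-ann := tmpl.GetAnnotations()
-if ann == nil {
-return false
-}
-val := ann[cosmov1alpha1.TemplateAnnKeySkipValidation]
-skip, err := strconv.ParseBool(val)
-if err != nil {
-return false
-}
-return skip
-}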
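--- a/pkg/template/label_test.go
+++ b/pkg/template/label_test.go
@@ -220,84 +220,3 @@ func TestIsDisableNamePrefix(t *testing.T) {
 })
 }
 }
-
-func TestIsSkipValidation(t *testing.T) {
-type args struct {
-tmpl cosmov1alpha1.TemplateObject
-}
-tests := []struct {
-name string
-args args
-want bool
-}{
-
-{
-name: "has disable annotation on Template",
-want: true,
-args: args{
-tmpl: &cosmov1alpha1.Template{
-ObjectMeta: metav1.ObjectMeta{
-Annotations: map[string]string{
-cosmov1alpha1.TemplateAnnKeySkipValidation: "1",
-},
-},
-},
-},
-},
-{
-name: "has disable annotation on ClusterTemplate",
-want: true,
-args: args{
-tmpl: &cosmov1alpha1.ClusterTemplate{
-ObjectMeta: metav1.ObjectMeta{
-Annotations: map[string]string{
-cosmov1alpha1.TemplateAnnKeySkipValidation: "true",
-},
-},
-},
-},
-},
-{
-name: "enable annotation",
-want: false,
-args: args{
-tmpl: &cosmov1alpha1.ClusterTemplate{
-ObjectMeta: metav1.ObjectMeta{
-Annotations: map[string]string{
-cosmov1alpha1.TemplateAnnKeySkipValidation: "0",
-},
-},
-},
-},
-},
-{
-name: "invalid annotation",
-want: false,
-args: args{
-tmpl: &cosmov1alpha1.ClusterTemplate{
-ObjectMeta: metav1.ObjectMeta{
-Annotations: map[string]string{
-cosmov1alpha1.TemplateAnnKeySkipValidation: "invalid",
-},
-},
-},
-},
-},
-{
-name: "no annotations",
-want: false,
-args: args{
-tmpl: &cosmov1alpha1.ClusterTemplate{
-ObjectMeta: metav1.ObjectMeta{},
-},
-},
-},
-}
-for _, tt := range tests {
-t.Run(tt.name, func(t *testing.T) {
-if got := IsSkipValidation(tt.args.tmpl); got != tt.want {
-t.Errorf("IsSkipValidation() = %v, want %v", got, tt.want)
-}
-})
-}
-}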
