move GetNamespaceTenant logic to utils from webhook

projectcapsule · Sep 3, 2020 · 4cb0bf5 · 4cb0bf5
1 parent 9d845b3
commit 4cb0bf5
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 58 deletions.
diff --git a/api/v1alpha1/tenant_labels.go b/api/v1alpha1/tenant_labels.go
@@ -34,6 +34,10 @@ func GetTypeLabel(t runtime.Object) (label string, err error) {
 		return "capsule.clastix.io/network-policy", nil
 	case *corev1.ResourceQuota:
 		return "capsule.clastix.io/resource-quota", nil
+	case *corev1.Service:
+		return "capsule.clastix.io/tenant", nil
+	case *corev1.Endpoints:
+		return "capsule.clastix.io/tenant", nil
 	default:
 		err = fmt.Errorf("type %T is not mapped as Capsule label recognized", v)
 	}

diff --git a/pkg/webhook/owner_reference/patching.go b/pkg/webhook/owner_reference/patching.go
@@ -19,9 +19,7 @@ package owner_reference
 import (
 	"context"
 	"encoding/json"
-	"fmt"
 	"net/http"
-	"strings"
 
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -31,6 +29,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 
 	"github.com/clastix/capsule/api/v1alpha1"
+	"github.com/clastix/capsule/pkg/utils"
 	"github.com/clastix/capsule/pkg/webhook"
 )
 
@@ -76,7 +75,7 @@ func (r *handler) OnCreate(ctx context.Context, req admission.Request, clt clien
 				return admission.Errored(http.StatusBadRequest, err)
 			}
 			// Tenant owner must adhere to user that asked for NS creation
-			if !r.isTenantOwner(t.Spec.Owner, req) {
+			if !utils.IsTenantOwner(t.Spec.Owner, req.UserInfo) {
 				return admission.Denied("Cannot assign the desired namespace to a non-owned Tenant")
 			}
 			// Patching the response
@@ -85,43 +84,19 @@ func (r *handler) OnCreate(ctx context.Context, req admission.Request, clt clien
 
 	}
 
-	// assigning namespace to Tenant in case of --force-tenant-prefix flag enabled
-	if r.forceTenantPrefix {
-		tenantName := strings.Split(ns.GetName(), "-")[0]
-		// retrieving the selected Tenant
-		t := &v1alpha1.Tenant{}
-		if err := clt.Get(ctx, types.NamespacedName{Name: tenantName}, t); err != nil {
-			return admission.Errored(http.StatusBadRequest, err)
-		}
-		// Tenant owner must adhere to user that asked for NS creation
-		if !r.isTenantOwner(t.Spec.Owner, req) {
-			return admission.Denied("Cannot assign the desired namespace to a non-owned Tenant")
-		}
-		// Patching the response
-		return r.patchResponseForOwnerRef(t, ns)
-	}
-
-	tl, err := r.listTenantsForOwner(ctx, "User", req.UserInfo.Username, clt)
+	tenant, err := utils.GetNamespaceTenant(ctx, ns.Name, r.forceTenantPrefix, req.UserInfo, clt)
 	if err != nil {
+		if err, ok := err.(*utils.TenantNotFoundError); ok {
+			return admission.Denied(err.Error())
+		}
 		return admission.Errored(http.StatusBadRequest, err)
 	}
-	if len(tl.Items) > 0 {
-		return r.patchResponseForOwnerRef(&tl.Items[0], ns)
+	// Tenant owner must adhere to user that asked for NS creation
+	if !utils.IsTenantOwner(tenant.Spec.Owner, req.UserInfo) {
+		return admission.Denied("Cannot assign the desired namespace to a non-owned Tenant")
 	}
 
-	if len(req.UserInfo.Groups) > 0 {
-		for _, group := range req.UserInfo.Groups {
-			tl, err := r.listTenantsForOwner(ctx, "Group", group, clt)
-			if err != nil {
-				return admission.Errored(http.StatusBadRequest, err)
-			}
-			if len(tl.Items) > 0 {
-				return r.patchResponseForOwnerRef(&tl.Items[0], ns)
-			}
-		}
-	}
-
-	return admission.Denied("You do not have any Tenant assigned: please, reach out the system administrators")
+	return r.patchResponseForOwnerRef(tenant, ns)
 }
 
 func (r *handler) OnDelete(ctx context.Context, req admission.Request, client client.Client, decoder *admission.Decoder) admission.Response {
@@ -132,15 +107,6 @@ func (r *handler) OnUpdate(ctx context.Context, req admission.Request, client cl
 	return admission.Denied("Capsule user cannot update a Namespace")
 }
 
-func (r *handler) listTenantsForOwner(ctx context.Context, ownerKind string, ownerName string, clt client.Client) (*v1alpha1.TenantList, error) {
-	tl := &v1alpha1.TenantList{}
-	f := client.MatchingFields{
-		".spec.owner.ownerkind": fmt.Sprintf("%s:%s", ownerKind, ownerName),
-	}
-	err := clt.List(ctx, tl, f)
-	return tl, err
-}
-
 func (r *handler) patchResponseForOwnerRef(tenant *v1alpha1.Tenant, ns *corev1.Namespace) admission.Response {
 	scheme := runtime.NewScheme()
 	_ = v1alpha1.AddToScheme(scheme)
@@ -153,17 +119,3 @@ func (r *handler) patchResponseForOwnerRef(tenant *v1alpha1.Tenant, ns *corev1.N
 	c, _ := json.Marshal(ns)
 	return admission.PatchResponseFromRaw(o, c)
 }
-
-func (r *handler) isTenantOwner(os v1alpha1.OwnerSpec, req admission.Request) bool {
-	if os.Kind == "User" && req.UserInfo.Username == os.Name {
-		return true
-	}
-	if os.Kind == "Group" {
-		for _, group := range req.UserInfo.Groups {
-			if group == os.Name {
-				return true
-			}
-		}
-	}
-	return false
-}