From 25c9c045dd540d04992817ca9397a14b0202ead0 Mon Sep 17 00:00:00 2001
From: Jeongwoo Kim - jekim
Date: Wed, 12 Jul 2023 15:13:15 +0900
Subject: [PATCH] fix: go v4
---
 third_party/webhook/authz.go | 39 +++------
 third_party/webhook/authz_v1beta1_test.go | 79 ------------------
 third_party/webhook/converter.go | 97 -----------------------
 3 files changed, 11 insertions(+), 204 deletions(-)
 delete mode 100644 third_party/webhook/authz_v1beta1_test.go
 delete mode 100644 third_party/webhook/converter.go
diff --git a/third_party/webhook/authz.go b/third_party/webhook/authz.go
index 032766c..e2b5d53 100644
--- a/third_party/webhook/authz.go
+++ b/third_party/webhook/authz.go
@@ -10,7 +10,6 @@ import (
 "strings"
 authz "k8s.io/api/authorization/v1"
- authzv1beta1 "k8s.io/api/authorization/v1beta1"
 )
 const (
@@ -90,42 +89,32 @@ func (a *authorizer) clientX509(ctx context.Context) (*client, error) {
 }
 // getSubjectAccessReview extracts the subject access review object from the request and returns it.
-func (a *authorizer) getSubjectAccessReview(ctx context.Context, req *http.Request) (bool, *authz.SubjectAccessReview, error) {
- isV1Beta := false // TODO: Remove me! Temporary fix to support both v1 and v1beta1 versions of SubjectAccessReview.
+func (a *authorizer) getSubjectAccessReview(ctx context.Context, req *http.Request) (*authz.SubjectAccessReview, error) {
 b, err := ioutil.ReadAll(req.Body)
 if err != nil {
- return isV1Beta, nil, fmt.Errorf("body read error for authorization request, %v", err)
+ return nil, fmt.Errorf("body read error for authorization request, %v", err)
 }
 if len(b) == 0 {
- return isV1Beta, nil, fmt.Errorf("empty body for authorization request")
+ return nil, fmt.Errorf("empty body for authorization request")
 }
 if isLogEnabled(ctx, LogTraceServer) {
 getLogger(ctx).Printf("request body: %s\n", b)
 }
 var r authz.SubjectAccessReview
 if err := json.Unmarshal(b, &r); err != nil {
- return isV1Beta, nil, fmt.Errorf("invalid JSON request '%s', %v", b, err)
- }
- // TODO: Remove me! This is a temporary fix to support both v1 and v1beta1 versions of SubjectAccessReview & will be removed in future.
- if r.APIVersion == authzSupportedBetaVersion {
- isV1Beta = true
- var rV1Beta1 authzv1beta1.SubjectAccessReview
- if err := json.Unmarshal(b, &rV1Beta1); err != nil {
- return isV1Beta, nil, fmt.Errorf("invalid JSON request '%s', %v", b, err)
- }
- r = ConvertIntoV1(rV1Beta1)
- // glg.Warn("Your cluster is using deprecated authorization.k8s.io/v1beta1 instead of authorization.k8s.io/v1", "convertedFrom:", rV1Beta1, "convertedTo:", r)
+ return nil, fmt.Errorf("invalid JSON request '%s', %v", b, err)
 }
+
 if r.APIVersion != authzSupportedVersion {
- return isV1Beta, nil, fmt.Errorf("unsupported authorization version, want '%s', got '%s'", authzSupportedVersion, r.APIVersion)
+ return nil, fmt.Errorf("unsupported authorization version, want '%s', got '%s'", authzSupportedVersion, r.APIVersion)
 }
 if r.Kind != authzSupportedKind {
- return isV1Beta, nil, fmt.Errorf("unsupported authorization kind, want '%s', got '%s'", authzSupportedKind, r.Kind)
+ return nil, fmt.Errorf("unsupported authorization kind, want '%s', got '%s'", authzSupportedKind, r.Kind)
 }
 if r.Spec.ResourceAttributes == nil && r.Spec.NonResourceAttributes == nil {
- return isV1Beta, nil, fmt.Errorf("bad authorization spec, must have one of resource or non-resource attributes")
+ return nil, fmt.Errorf("bad authorization spec, must have one of resource or non-resource attributes")
 }
- return isV1Beta, &r, nil
+ return &r, nil
 }
 // grantStatus adds extra information to a review status.
@@ -322,7 +311,7 @@ func (a *authorizer) logOutcome(logger Logger, sr *authz.SubjectAccessReviewSpec
 func (a *authorizer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 ctx := r.Context()
- isV1Beta, sr, err := a.getSubjectAccessReview(ctx, r)
+ sr, err := a.getSubjectAccessReview(ctx, r)
 if err != nil {
 getLogger(ctx).Printf("authz request error from %s: %v\n", r.RemoteAddr, err)
 http.Error(w, err.Error(), http.StatusBadRequest)
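Review bot: `b, err := ioutil.ReadAll(req.Body)` at the top of the rewritten getSubjectAccessReview still reads the request body with no upper bound, so the whole payload is buffered before the apiVersion and kind checks run; a SubjectAccessReview is small, so a cap is cheap: `b, err := io.ReadAll(io.LimitReader(req.Body, maxAuthzBodyBytes))` with `maxAuthzBodyBytes` a package constant (name constructed here), which also retires the deprecated ioutil call. The `invalid JSON request '%s'` error on the `+` line interpolates the raw body, and ServeHTTP in the next hunk hands `err.Error()` to `http.Error`, so malformed input is reflected back to the caller verbatim; the body is already logged under the LogTraceServer branch, so the error message could omit it. With the v1beta1 branch gone, `authzSupportedBetaVersion` appears to have no remaining reference in this file (its const block is only partly visible in the first hunk, so this is inferred), and the added blank `+` line before `if r.APIVersion != authzSupportedVersion {` is a stray whitespace change.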
@@ -332,16 +321,10 @@ func (a *authorizer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 gs := a.authorize(ctx, sr.Spec)
 a.logOutcome(getLogger(ctx), &sr.Spec, gs)
- // TODO: Remove me! Temporary Tweaks to support both v1 and v1beta1
- apiVersion := sr.APIVersion
- if isV1Beta {
- apiVersion = authzSupportedBetaVersion
- }
-
 resp := struct {
 APIVersion string `json:"apiVersion"`
 Kind string `json:"kind"`
 Status authz.SubjectAccessReviewStatus `json:"status"`
- }{apiVersion, sr.Kind, gs.status}
+ }{sr.APIVersion, sr.Kind, gs.status}
 writeJSON(ctx, w, &resp)
 }
diff --git a/third_party/webhook/authz_v1beta1_test.go b/third_party/webhook/authz_v1beta1_test.go
deleted file mode 100644
index 552da26..0000000
--- a/third_party/webhook/authz_v1beta1_test.go
+++ /dev/null
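Review bot: The anonymous `resp` struct now simply mirrors `sr.APIVersion` and `sr.Kind`, but nothing says why the handler builds this three-field value instead of returning an `authz.SubjectAccessReview`; a comment above `resp := struct {` such as `// Echo the request's apiVersion/kind and return only the decision status.` would keep that intent visible now that the v1beta1 tweak is gone. ServeHTTP starts before this hunk.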
@@ -1,79 +0,0 @@
-package webhook
-
-import (
- "context"
- "errors"
- "testing"
-
- authz "k8s.io/api/authorization/v1"
- authzv1beta1 "k8s.io/api/authorization/v1beta1"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-)
-
-// TODO: Remove this file authz_v1beta1_test.go! This is a temporary test to ensure that the old API version is still supported & will be eventually removed.
-
-// TODO: This is a temporary test to ensure that the old API version is still supported & will be eventually removed.
-
-func tester(t *testing.T, input authzv1beta1.SubjectAccessReview) {
- s := newAuthzScaffold(t)
- defer s.Close()
- s.config.Mapper = mrfn(func(ctx context.Context, spec authz.SubjectAccessReviewSpec) (principal string, checks []AthenzAccessCheck, err error) {
- return "",
- nil,
- errors.New("foobar")
- })
-
- ar := runAuthzTest(s, serialize(input), nil)
- w := ar.w
- body := ar.body
- result := w.Result()
-
- if result.StatusCode != 200 {
- t.Fatal("invalid status code", result.StatusCode)
- }
- tr := checkGrant(t, body.Bytes(), false)
-
- if tr.APIVersion != authzSupportedBetaVersion {
- t.Errorf("wrong API version. 
Want '%s', got '%s'", authzSupportedBetaVersion, tr.APIVersion)
- }
-
- msg := "mapping error: foobar"
- if tr.Status.EvaluationError != msg {
- t.Errorf("want '%s', got '%s'", msg, tr.Status.EvaluationError)
- }
- if tr.Status.Reason != helpText {
- t.Error("authz internals leak")
- }
- s.containsLog(msg)
-}
-
-func stdAuthzBeta1Input(insertingGroup []string) authzv1beta1.SubjectAccessReview {
- return authzv1beta1.SubjectAccessReview{
- TypeMeta: metav1.TypeMeta{
- Kind: authzSupportedKind,
- APIVersion: authzSupportedBetaVersion,
- },
- Spec: authzv1beta1.SubjectAccessReviewSpec{
- User: "bob",
- ResourceAttributes: &authzv1beta1.ResourceAttributes{
- Namespace: "foo-bar",
- Verb: "get",
- Resource: "baz",
- },
- Groups: insertingGroup,
- },
- }
-}
-
-// TODO: This is a temporary test to ensure that the old API version is still supported & will be eventually removed.
-func TestAuthzBetaV1ApiConversion(t *testing.T) {
- insertingGroups := [][]string{
- {"v1beta1-testing", "v1beta1-group"}, // multiple elements
- {}, // empty group
- nil, // not defined
- }
-
- for _, insertingGroup := range insertingGroups {
- tester(t, stdAuthzBeta1Input(insertingGroup))
- }
-}
diff --git a/third_party/webhook/converter.go b/third_party/webhook/converter.go
deleted file mode 100644
index 6467a58..0000000
--- a/third_party/webhook/converter.go
+++ /dev/null
@@ -1,97 +0,0 @@
-package webhook
-
-// TODO: This whole converter is temporary.
-import (
- authz "k8s.io/api/authorization/v1"
- authzv1beta1 "k8s.io/api/authorization/v1beta1"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-)
-
-func getExtras(rV1Beta1 *authzv1beta1.SubjectAccessReview) map[string]authz.ExtraValue {
- v1Extra := make(map[string]authz.ExtraValue)
- if rV1Beta1 == nil || rV1Beta1.Spec.Extra == nil {
- return v1Extra
- }
-
- for key, value := range rV1Beta1.Spec.Extra {
- v1Extra[key] = authz.ExtraValue(value)
- }
- return v1Extra
-}
-
-func getNonResourceAttributes(rV1Beta1 *authzv1beta1.SubjectAccessReview) (nra *authz.NonResourceAttributes) {
- if rV1Beta1 == nil || rV1Beta1.Spec.NonResourceAttributes == nil {
- return nra
- }
-
- nra = &authz.NonResourceAttributes{
- Path: rV1Beta1.Spec.NonResourceAttributes.Path,
- Verb: rV1Beta1.Spec.NonResourceAttributes.Verb,
- }
- return nra
-}
-
-func getResourceAttributes(rV1Beta1 *authzv1beta1.SubjectAccessReview) (ra *authz.ResourceAttributes) {
- if rV1Beta1 == nil || rV1Beta1.Spec.ResourceAttributes == nil {
- return ra
- }
-
- ra = &authz.ResourceAttributes{
- Namespace: rV1Beta1.Spec.ResourceAttributes.Namespace,
- Verb: rV1Beta1.Spec.ResourceAttributes.Verb,
- Group: rV1Beta1.Spec.ResourceAttributes.Group,
- Version: rV1Beta1.Spec.ResourceAttributes.Version,
- Resource: rV1Beta1.Spec.ResourceAttributes.Resource,
- Subresource: rV1Beta1.Spec.ResourceAttributes.Subresource,
- Name: rV1Beta1.Spec.ResourceAttributes.Name,
- }
- return ra
-}
-
-func getSpec(rV1Beta1 *authzv1beta1.SubjectAccessReview) (spec authz.SubjectAccessReviewSpec) {
- if rV1Beta1 == nil {
- return spec
- }
- spec = authz.SubjectAccessReviewSpec{
- User: rV1Beta1.Spec.User,
- UID: rV1Beta1.Spec.UID,
- Extra: getExtras(rV1Beta1),
- Groups: rV1Beta1.Spec.Groups,
- NonResourceAttributes: getNonResourceAttributes(rV1Beta1),
- ResourceAttributes: getResourceAttributes(rV1Beta1),
- }
- return spec
-}
-
-func getStatus(rV1Beta1 
*authzv1beta1.SubjectAccessReview) (status authz.SubjectAccessReviewStatus) {
- if rV1Beta1 == nil {
- return status
- }
- status = authz.SubjectAccessReviewStatus{
- Allowed: rV1Beta1.Status.Allowed,
- Denied: rV1Beta1.Status.Denied,
- Reason: rV1Beta1.Status.Reason,
- EvaluationError: rV1Beta1.Status.EvaluationError,
- }
- return status
-}
-
-func getObjectMeta(rV1Beta1 *authzv1beta1.SubjectAccessReview) (om metav1.ObjectMeta) {
- if rV1Beta1 == nil {
- return om
- }
- om = *rV1Beta1.ObjectMeta.DeepCopy()
- return om
-}
-
-func ConvertIntoV1(rV1Beta1 authzv1beta1.SubjectAccessReview) authz.SubjectAccessReview {
- return authz.SubjectAccessReview{
- TypeMeta: metav1.TypeMeta{
- Kind: rV1Beta1.Kind,
- APIVersion: authzSupportedVersion,
- },
- ObjectMeta: getObjectMeta(&rV1Beta1),
- Spec: getSpec(&rV1Beta1),
- Status: getStatus(&rV1Beta1),
- }
-}