fix: bypass using serviceaccount when openshift requester exists (#424)

myishay · Yishay Mendelsohn · web-flow · commit 9c90d618fdca · 2023-07-19T16:39:53.000+03:00
* fix: bypass using serviceaccount when openshift requester exists

* fix: logic fix for requester bypass

---------

Co-authored-by: Yishay Mendelsohn &lt;yishaymendelsohn@Yishays-MacBook-Pro-2.local&gt;
diff --git a/pkg/services/validationService.go b/pkg/services/validationService.go
@@ -4,14 +4,15 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"github.com/datreeio/admission-webhook-datree/pkg/openshiftService"
 	"net/http"
 	"os"
 	"regexp"
 	"strings"
 	"sync"
 	"time"
 
+	"github.com/datreeio/admission-webhook-datree/pkg/openshiftService"
+
 	authenticationv1 "k8s.io/api/authentication/v1"
 
 	"github.com/datreeio/admission-webhook-datree/pkg/errorReporter"
@@ -412,9 +413,6 @@ func (vs *ValidationService) shouldBypassByPermissions(userInfo authenticationv1
 	userName := userInfo.Username
 	groups := userInfo.Groups
 	if openShiftRequester != "" {
-		// override username
-		userName = openShiftRequester
-
 		// override groups
 		groupsFromOpenshiftService, err := vs.OpenshiftService.GetGroupsUserBelongsTo(openShiftRequester)
 		if err != nil {
@@ -425,8 +423,16 @@ func (vs *ValidationService) shouldBypassByPermissions(userInfo authenticationv1
 	}
 
 	for _, userAccount := range bypassPermissions.UserAccounts {
-		if match, _ := regexp.MatchString(userAccount, userName); match {
-			return true
+		if openShiftRequester != "" {
+			matchOpenshiftRequester, _ := regexp.MatchString(userAccount, openShiftRequester)
+			if matchOpenshiftRequester {
+				return true
+			}
+		} else {
+			matchUsername, _ := regexp.MatchString(userAccount, userName)
+			if matchUsername {
+				return true
+			}
 		}
 	}
 
