From 41eafd1bdc1c366ec24fd8aa68ffd82372c56c5d Mon Sep 17 00:00:00 2001 From: Monis Khan Date: Wed, 20 Jul 2022 21:39:49 -0400 Subject: [PATCH] wip007 Signed-off-by: Monis Khan --- internal/registry/clientsecretrequest/rest.go | 44 +++++++++++++++++-- 1 file changed, 40 insertions(+), 4 deletions(-) diff --git a/internal/registry/clientsecretrequest/rest.go b/internal/registry/clientsecretrequest/rest.go index 16aec9c7..214edb52 100644 --- a/internal/registry/clientsecretrequest/rest.go +++ b/internal/registry/clientsecretrequest/rest.go @@ -17,6 +17,8 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime/schema" + "k8s.io/apimachinery/pkg/util/validation/field" + genericapirequest "k8s.io/apiserver/pkg/endpoints/request" "k8s.io/apiserver/pkg/registry/rest" corev1client "k8s.io/client-go/kubernetes/typed/core/v1" "k8s.io/utils/trace" @@ -48,7 +50,7 @@ type REST struct { tableConvertor rest.TableConvertor secretStorage *oidcclientsecretstorage.OIDCClientSecretStorage clients configv1alpha1clientset.OIDCClientInterface - namespace string // TODO use + namespace string rand io.Reader } @@ -102,8 +104,7 @@ func (r *REST) Create(ctx context.Context, obj runtime.Object, createValidation }) defer t.Log() - // TODO actually validate the request like checking that the namespace is the supervisor's namespace - req, err := validateRequest(obj, t) + req, err := r.validateRequest(ctx, obj, createValidation, options, t) if err != nil { return nil, err } @@ -160,13 +161,41 @@ func (r *REST) Create(ctx context.Context, obj runtime.Object, createValidation }, nil } -func validateRequest(obj runtime.Object, t *trace.Trace) (*clientsecretapi.OIDCClientSecretRequest, error) { +func (r *REST) validateRequest( + ctx context.Context, + obj runtime.Object, + createValidation rest.ValidateObjectFunc, + options *metav1.CreateOptions, + t *trace.Trace, +) (*clientsecretapi.OIDCClientSecretRequest, error) { clientSecretRequest, ok := obj.(*clientsecretapi.OIDCClientSecretRequest) if !ok { traceValidationFailure(t, "not an OIDCClientSecretRequest") return nil, apierrors.NewBadRequest(fmt.Sprintf("not an OIDCClientSecretRequest: %#v", obj)) } + // just a sanity check, not sure how to honor a dry run on a virtual API + if options != nil { + if len(options.DryRun) != 0 { + traceValidationFailure(t, "dryRun not supported") + errs := field.ErrorList{field.NotSupported(field.NewPath("dryRun"), options.DryRun, nil)} + return nil, apierrors.NewInvalid(clientsecretapi.Kind(clientSecretRequest.Kind), clientSecretRequest.Name, errs) + } + } + + if namespace := genericapirequest.NamespaceValue(ctx); namespace != r.namespace { + msg := fmt.Sprintf("namespace must be %s on OIDCClientSecretRequest, was %s", r.namespace, namespace) + traceValidationFailure(t, msg) + return nil, apierrors.NewBadRequest(msg) + } + + if createValidation != nil { + if err := createValidation(ctx, obj.DeepCopyObject()); err != nil { + traceFailureWithError(t, "validation webhook", err) + return nil, err + } + } + return clientSecretRequest, nil } @@ -177,6 +206,13 @@ func traceValidationFailure(t *trace.Trace, msg string) { ) } +func traceFailureWithError(t *trace.Trace, failureType string, err error) { + t.Step("failure", + trace.Field{Key: "failureType", Value: failureType}, + trace.Field{Key: "msg", Value: err.Error()}, + ) +} + func generateSecret(rand io.Reader) (string, error) { var buf [32]byte if _, err := io.ReadFull(rand, buf[:]); err != nil {