Never skip Project requests (#120)

bastjan · web-flow · commit 0e26c3e003cf · 2024-08-29T14:29:50.000+02:00
The requests comes from internal components of OpenShift, but has an annotation with the original user name.

The user from the annotation is checked later.
diff --git a/webhooks/namespace_project_organization_mutator.go b/webhooks/namespace_project_organization_mutator.go
@@ -58,6 +58,7 @@ func (m *NamespaceProjectOrganizationMutator) Handle(ctx context.Context, req ad
 	ctx = log.IntoContext(ctx, log.FromContext(ctx).
 		WithName("webhook.namespace-project-organization-mutator.appuio.io").
 		WithValues("id", req.UID, "user", req.UserInfo.Username).
+		WithValues("operation", req.Operation).
 		WithValues("namespace", req.Namespace, "name", req.Name,
 			"group", req.Kind.Group, "version", req.Kind.Version, "kind", req.Kind.Kind))
 
@@ -69,7 +70,11 @@ func (m *NamespaceProjectOrganizationMutator) handle(ctx context.Context, req ad
 	if err != nil {
 		return admission.Errored(http.StatusInternalServerError, fmt.Errorf("error while checking skipper: %w", err))
 	}
-	if skip {
+	if skip && req.Kind.Kind == "Project" {
+		// Project requests come from internal openshift components with annotations for user info.
+		// Do not allow them but check the annotations later in the code.
+		log.FromContext(ctx).Info("`Project` requests will not be skipped")
+	} else if skip {
 		return admission.Allowed("skipped")
 	}
 
diff --git a/webhooks/namespace_project_organization_mutator_test.go b/webhooks/namespace_project_organization_mutator_test.go
@@ -32,6 +32,8 @@ func Test_NamespaceProjectOrganizationMutator_Handle(t *testing.T) {
 
 		allowed  bool
 		orgPatch string
+
+		skip bool
 	}{
 		{
 			name: "Project: request with org label set",
@@ -111,6 +113,21 @@ func Test_NamespaceProjectOrganizationMutator_Handle(t *testing.T) {
 			user:    "user",
 			allowed: false,
 		},
+		{
+			name: "Project: project requests should not be skipped",
+
+			object: newProjectRequest("project", map[string]string{orgLabel: "other-org"}, nil),
+			additionalObjects: func(*testing.T) []client.Object {
+				return []client.Object{
+					newUser("user", ""),
+					newGroup("other-org"),
+				}
+			},
+
+			skip:    true,
+			user:    "user",
+			allowed: false,
+		},
 		{
 			name: "Namespace: request with org label set, user not in org",
 
@@ -358,7 +375,7 @@ func Test_NamespaceProjectOrganizationMutator_Handle(t *testing.T) {
 			subject := NamespaceProjectOrganizationMutator{
 				Decoder: decoder,
 				Client:  c,
-				Skipper: skipper.StaticSkipper{},
+				Skipper: skipper.StaticSkipper{ShouldSkip: tc.skip},
 
 				OrganizationLabel:                 orgLabel,
 				UserDefaultOrganizationAnnotation: testDefaultOrgAnnotation,
