fix iam admission webhook (#2008)
Signed-off-by: hongming <talonwan@yunify.com>
@@ -6,4 +6,4 @@ metadata:
|
||||
name: admin
|
||||
spec:
|
||||
email: admin@kubesphere.io
|
||||
password: $2a$04$wr/XmTQ99uQpgi335xPyoOM08h34ZQk265pdqHMv5Yw6Xo2vfiO/6
|
||||
password: P@88w0rd
|
||||
|
||||
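Review bot: The changed line replaces the bcrypt digest with the literal `password: P@88w0rd`, so the default admin credential is now committed in clear and is only protected if the PasswordCipher mutating webhook intercepts the create and hashes it (print order suggests the digest is the old side; verify against the gutter). If this manifest is applied before webhook-service is reachable, or the webhook configuration fails open, the clear-text value is persisted as-is; either keep shipping a digest or document the dependency above the field, e.g. `# clear text on purpose: hashed by the iam mutating webhook at admission time`. The digest being removed is cost 4 (`$2a$04$`), which is inexpensive to brute-force, so the clear-text form adds little exposure beyond what was already there, but a fixed default admin password in the repo is the larger problem; consider generating it at install time.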
@@ -1,5 +1,3 @@
|
||||
|
||||
---
|
||||
apiVersion: admissionregistration.k8s.io/v1beta1
|
||||
kind: MutatingWebhookConfiguration
|
||||
metadata:
|
||||
@@ -53,3 +51,19 @@ webhooks:
|
||||
- UPDATE
|
||||
resources:
|
||||
- users
|
||||
|
||||
|
||||
---
|
||||
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: webhook-service
|
||||
namespace: kubesphere-system
|
||||
spec:
|
||||
ports:
|
||||
- port: 443
|
||||
targetPort: 443
|
||||
selector:
|
||||
app: ks-controller-manager
|
||||
tier: backend
|
||||
@@ -50,6 +50,7 @@ func Resource(resource string) schema.GroupResource {
|
||||
func addKnownTypes(scheme *runtime.Scheme) error {
|
||||
scheme.AddKnownTypes(SchemeGroupVersion,
|
||||
&User{},
|
||||
&UserList{},
|
||||
&Role{},
|
||||
&RoleList{},
|
||||
&RoleBinding{},
|
||||
|
||||
@@ -21,7 +21,6 @@ package user
|
||||
import (
|
||||
"context"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"golang.org/x/crypto/bcrypt"
|
||||
"kubesphere.io/kubesphere/pkg/apis/iam/v1alpha2"
|
||||
"net/http"
|
||||
@@ -51,28 +50,26 @@ func (a *EmailValidator) Handle(ctx context.Context, req admission.Request) admi
|
||||
return admission.Errored(http.StatusBadRequest, err)
|
||||
}
|
||||
|
||||
email := user.Spec.Email
|
||||
|
||||
allUsers := v1alpha2.UserList{}
|
||||
|
||||
err = a.Client.List(ctx, &v1alpha2.UserList{}, &client.ListOptions{})
|
||||
err = a.Client.List(ctx, &allUsers, &client.ListOptions{})
|
||||
|
||||
if err != nil {
|
||||
return admission.Errored(http.StatusInternalServerError, err)
|
||||
}
|
||||
|
||||
found := emailAlreadyExist(allUsers, email)
|
||||
alreadyExist := emailAlreadyExist(allUsers, user)
|
||||
|
||||
if !found {
|
||||
return admission.Denied(fmt.Sprintf("email %s must be unique", email))
|
||||
if alreadyExist {
|
||||
return admission.Denied("user email already exists")
|
||||
}
|
||||
|
||||
return admission.Allowed("")
|
||||
}
|
||||
|
||||
func emailAlreadyExist(users v1alpha2.UserList, email string) bool {
|
||||
for _, user := range users.Items {
|
||||
if user.Spec.Email == email {
|
||||
func emailAlreadyExist(users v1alpha2.UserList, user *v1alpha2.User) bool {
|
||||
for _, exist := range users.Items {
|
||||
if exist.Spec.Email == user.Spec.Email && exist.Name != user.Name {
|
||||
return true
|
||||
}
|
||||
}
|
||||
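Review bot: The uniqueness test in emailAlreadyExist is an exact, case-sensitive compare, so `Admin@Example.com` and `admin@example.com` are admitted as two distinct users and can later collide wherever the email is used as a login key; compare with `if strings.EqualFold(exist.Spec.Email, user.Spec.Email) && exist.Name != user.Name {` (adding `strings` to the import block) or normalise the address in the mutating webhook. If Spec.Email may be empty, two users without an email are also denied with "user email already exists", so skip the scan when the incoming email is blank. Listing every User on each request and then deciding is a check-then-act race: two concurrent creates with the same email both pass, so treat this webhook as best-effort and back it with an index or a claim object if uniqueness is a security invariant. The `email := user.Spec.Email` context line has no remaining use on the new side; the line counts (-28/+26) suggest it was removed, otherwise the package will not compile. Handle begins, and emailAlreadyExist ends, outside the hunk.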
@@ -109,3 +106,15 @@ func hashPassword(password string) (string, error) {
|
||||
bytes, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.MinCost)
|
||||
return string(bytes), err
|
||||
}
|
||||
|
||||
// InjectDecoder injects the decoder.
|
||||
func (a *PasswordCipher) InjectDecoder(d *admission.Decoder) error {
|
||||
a.decoder = d
|
||||
return nil
|
||||
}
|
||||
|
||||
// InjectDecoder injects the decoder.
|
||||
func (a *EmailValidator) InjectDecoder(d *admission.Decoder) error {
|
||||
a.decoder = d
|
||||
return nil
|
||||
}
|
||||
|
||||
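Review bot: The context line `bcrypt.GenerateFromPassword([]byte(password), bcrypt.MinCost)` hashes stored passwords at cost 4, the lowest value bcrypt accepts, and the commit leaves it in place while adding the InjectDecoder plumbing that makes the cipher active; the `$2a$04$` digest in the shipped admin manifest shows this setting in use. Use `bcrypt.DefaultCost` (or higher, tuned to the controller's latency budget) so offline guessing against leaked User objects is materially slower. The two added InjectDecoder methods carry the same tautological comment; `// InjectDecoder satisfies admission.DecoderInjector so controller-runtime supplies the decoder used in Handle.` says why they exist. hashPassword's signature line is outside the hunk.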