URL decode Role AssumeRolePolicyDocument (#28)

RedbackThomson · web-flow · commit acd995ec7176 · 2022-05-18T12:54:45.000-07:00
Description of changes:
The response from creating or reading a `Role` encodes the `AssumeRolePolicyDocument` with URL encoding (any non-alphanumeric character is converted to hex). When attempting to update the role with the encoded string, the API returns an error. This pull request adds hook code to convert it back into a multiline string so that it matches the original spec.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
diff --git a/apis/v1alpha1/ack-generate-metadata.yaml b/apis/v1alpha1/ack-generate-metadata.yaml
@@ -1,8 +1,8 @@
 ack_generate_info:
-  build_date: "2022-04-15T17:26:33Z"
-  build_hash: 50c64871bcaf88b9ee200eb8d6b8245fa8f675eb
-  go_version: go1.17.5
-  version: v0.18.4
+  build_date: "2022-05-12T22:56:43Z"
+  build_hash: c651d2bb60694df1f7a5dad823258472a1a6fc8a
+  go_version: go1.18.1
+  version: v0.18.4-12-gc651d2b
 api_directory_checksum: 7d8d584cdaec82ab61d867fc030cb9bb45ac706f
 api_version: v1alpha1
 aws_sdk_go_version: v1.42.0
diff --git a/go.local.mod b/go.local.mod
@@ -0,0 +1,70 @@
+module github.com/aws-controllers-k8s/iam-controller
+
+go 1.17
+
+replace github.com/aws-controllers-k8s/runtime => ../runtime
+
+require (
+	github.com/aws-controllers-k8s/runtime v0.0.0
+	github.com/aws/aws-sdk-go v1.42.0
+	github.com/go-logr/logr v1.2.0
+	github.com/spf13/pflag v1.0.5
+	k8s.io/api v0.23.0
+	k8s.io/apimachinery v0.23.0
+	k8s.io/client-go v0.23.0
+	sigs.k8s.io/controller-runtime v0.11.0
+)
+
+require (
+	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/cenkalti/backoff/v4 v4.1.2 // indirect
+	github.com/cespare/xxhash/v2 v2.1.1 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/evanphx/json-patch v4.12.0+incompatible // indirect
+	github.com/fsnotify/fsnotify v1.5.1 // indirect
+	github.com/go-logr/zapr v1.2.0 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+	github.com/golang/protobuf v1.5.2 // indirect
+	github.com/google/go-cmp v0.5.5 // indirect
+	github.com/google/gofuzz v1.1.0 // indirect
+	github.com/google/uuid v1.1.2 // indirect
+	github.com/googleapis/gnostic v0.5.5 // indirect
+	github.com/imdario/mergo v0.3.12 // indirect
+	github.com/itchyny/gojq v0.12.6 // indirect
+	github.com/itchyny/timefmt-go v0.1.3 // indirect
+	github.com/jaypipes/envutil v1.0.0 // indirect
+	github.com/jmespath/go-jmespath v0.4.0 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	github.com/prometheus/client_golang v1.11.0 // indirect
+	github.com/prometheus/client_model v0.2.0 // indirect
+	github.com/prometheus/common v0.28.0 // indirect
+	github.com/prometheus/procfs v0.6.0 // indirect
+	go.uber.org/atomic v1.7.0 // indirect
+	go.uber.org/multierr v1.6.0 // indirect
+	go.uber.org/zap v1.19.1 // indirect
+	golang.org/x/net v0.0.0-20210825183410-e898025ed96a // indirect
+	golang.org/x/oauth2 v0.0.0-20210819190943-2bc19b11175f // indirect
+	golang.org/x/sys v0.0.0-20211124211545-fe61309f8881 // indirect
+	golang.org/x/term v0.0.0-20210615171337-6886f2dfbf5b // indirect
+	golang.org/x/text v0.3.7 // indirect
+	golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac // indirect
+	gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
+	google.golang.org/appengine v1.6.7 // indirect
+	google.golang.org/protobuf v1.27.1 // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
+	k8s.io/apiextensions-apiserver v0.23.0 // indirect
+	k8s.io/component-base v0.23.0 // indirect
+	k8s.io/klog/v2 v2.30.0 // indirect
+	k8s.io/kube-openapi v0.0.0-20211115234752-e816edb12b65 // indirect
+	k8s.io/utils v0.0.0-20210930125809-cb0fa318a74b // indirect
+	sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.2.0 // indirect
+	sigs.k8s.io/yaml v1.3.0 // indirect
+)
diff --git a/go.local.sum b/go.local.sum
diff --git a/pkg/resource/role/hooks.go b/pkg/resource/role/hooks.go
@@ -15,6 +15,7 @@ package role
 
 import (
 	"context"
+	"net/url"
 
 	ackrtlog "github.com/aws-controllers-k8s/runtime/pkg/runtime/log"
 	ackutil "github.com/aws-controllers-k8s/runtime/pkg/util"
@@ -275,3 +276,7 @@ func (rm *resourceManager) removeTags(
 	rm.metrics.RecordAPICall("DELETE", "UntagRole", err)
 	return err
 }
+
+func decodeAssumeDocument(encoded string) (string, error) {
+	return url.QueryUnescape(encoded)
+}
diff --git a/pkg/resource/role/sdk.go b/pkg/resource/role/sdk.go
diff --git a/templates/hooks/role/sdk_create_post_set_output.go.tpl b/templates/hooks/role/sdk_create_post_set_output.go.tpl
@@ -1,3 +1,10 @@
+    if ko.Spec.AssumeRolePolicyDocument != nil {
+		if doc, err := decodeAssumeDocument(*ko.Spec.AssumeRolePolicyDocument); err != nil {
+			return nil, err
+		} else {
+			ko.Spec.AssumeRolePolicyDocument = &doc
+		}
+	}
     if err := rm.syncPolicies(ctx, &resource{ko}); err != nil {
         return nil, err
     }
diff --git a/templates/hooks/role/sdk_read_one_post_set_output.go.tpl b/templates/hooks/role/sdk_read_one_post_set_output.go.tpl
@@ -1,3 +1,10 @@
+	if ko.Spec.AssumeRolePolicyDocument != nil {
+		if doc, err := decodeAssumeDocument(*ko.Spec.AssumeRolePolicyDocument); err != nil {
+			return nil, err
+		} else {
+			ko.Spec.AssumeRolePolicyDocument = &doc
+		}
+	}
 	if policies, err := rm.getPolicies(ctx, &resource{ko}); err != nil {
 		return nil, err
 	} else {
@@ -7,4 +14,4 @@
 		return nil, err
 	} else {
 		ko.Spec.Tags = tags
-	}
+	}
diff --git a/test/e2e/resources/role_simple.yaml b/test/e2e/resources/role_simple.yaml
@@ -6,7 +6,19 @@ spec:
   name: $ROLE_NAME
   description: $ROLE_DESCRIPTION
   maxSessionDuration: $MAX_SESSION_DURATION
-  assumeRolePolicyDocument: '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":["ec2.amazonaws.com"]},"Action":["sts:AssumeRole"]}]}'
+  assumeRolePolicyDocument: >
+    {
+      "Version":"2012-10-17",
+      "Statement": [{
+        "Effect":"Allow",
+        "Principal": {
+          "Service": [
+            "ec2.amazonaws.com"
+          ]
+        },
+        "Action": ["sts:AssumeRole"]
+      }]
+    }
   tags:
     - key: tag1
       value: val1
