Skip to content

Commit 6edd9e4

Browse files
Merge pull request #2090 from ardaguclu/ocpbugs-52936
OCPBUGS-52936: oc adm policy: Only initialize UserClient if built-in OAuth is enabled
2 parents d07df3d + e2784fc commit 6edd9e4

File tree

2 files changed

+112
-4
lines changed

2 files changed

+112
-4
lines changed

pkg/cli/admin/policy/modify_roles.go

Lines changed: 26 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -6,6 +6,7 @@ import (
66
"fmt"
77
"strings"
88

9+
userv1 "github.com/openshift/api/user/v1"
910
ocmdhelpers "github.com/openshift/oc/pkg/helpers/cmd"
1011
"github.com/spf13/cobra"
1112
"k8s.io/client-go/discovery"
@@ -345,19 +346,40 @@ func (o *RoleModificationOptions) innerComplete(f kcmdutil.Factory, cmd *cobra.C
345346
if err != nil {
346347
return err
347348
}
348-
o.RbacClient, err = rbacv1client.NewForConfig(clientConfig)
349+
o.DiscoveryClient, err = f.ToDiscoveryClient()
349350
if err != nil {
350351
return err
351352
}
352-
o.UserClient, err = userv1client.NewForConfig(clientConfig)
353+
o.RbacClient, err = rbacv1client.NewForConfig(clientConfig)
353354
if err != nil {
354355
return err
355356
}
356-
o.ServiceAccountClient, err = corev1client.NewForConfig(clientConfig)
357+
358+
userAPIAvailable := false
359+
groupList, err := o.DiscoveryClient.ServerGroups()
360+
if discovery.IsGroupDiscoveryFailedError(err) {
361+
// proceed with partial results; treat missing groups as "not found"
362+
err = nil
363+
}
357364
if err != nil {
358365
return err
359366
}
360-
o.DiscoveryClient, err = f.ToDiscoveryClient()
367+
for _, group := range groupList.Groups {
368+
// We try to determine that built-in OAuth is enabled or not to initialize UserClient.
369+
// Because we don't need UserClient, if external OIDC is used.
370+
// Simply checking the existence of userv1 in the discovery can signal us whether built-in OAuth is functioning or not.
371+
if group.PreferredVersion.GroupVersion == userv1.GroupVersion.String() {
372+
userAPIAvailable = true
373+
break
374+
}
375+
}
376+
if userAPIAvailable {
377+
o.UserClient, err = userv1client.NewForConfig(clientConfig)
378+
if err != nil {
379+
return err
380+
}
381+
}
382+
o.ServiceAccountClient, err = corev1client.NewForConfig(clientConfig)
361383
if err != nil {
362384
return err
363385
}

pkg/cli/admin/policy/modify_roles_test.go

Lines changed: 86 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -6,16 +6,21 @@ import (
66
"reflect"
77
"testing"
88

9+
"github.com/spf13/cobra"
910
corev1 "k8s.io/api/core/v1"
1011
rbacv1 "k8s.io/api/rbac/v1"
1112
"k8s.io/apimachinery/pkg/api/equality"
1213
kapierrors "k8s.io/apimachinery/pkg/api/errors"
1314
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
1415
diffutil "k8s.io/apimachinery/pkg/util/diff"
1516
"k8s.io/cli-runtime/pkg/genericclioptions"
17+
"k8s.io/cli-runtime/pkg/genericiooptions"
1618
"k8s.io/cli-runtime/pkg/printers"
1719
fakeclient "k8s.io/client-go/kubernetes/fake"
1820
rbacv1client "k8s.io/client-go/kubernetes/typed/rbac/v1"
21+
cmdtesting "k8s.io/kubectl/pkg/cmd/testing"
22+
kcmdutil "k8s.io/kubectl/pkg/cmd/util"
23+
"k8s.io/utils/ptr"
1924

2025
userv1 "github.com/openshift/api/user/v1"
2126
fakeuserclient "github.com/openshift/client-go/user/clientset/versioned/fake"
@@ -589,6 +594,87 @@ func TestModifyNamedLocalRoleBinding(t *testing.T) {
589594
modifyRoleAndCheck(t, o, tcName, tc.action, tc.expectedRoleBindingName, tc.expectedSubjects, tc.expectedRoleBindingList)
590595
}
591596
}
597+
598+
func TestRoleModificationCompleteNonExistUser(t *testing.T) {
599+
ioStreams, _, _, _ := genericiooptions.NewTestIOStreams()
600+
601+
dc := cmdtesting.NewFakeCachedDiscoveryClient()
602+
dc.Groups = []*metav1.APIGroup{
603+
{
604+
Name: "",
605+
PreferredVersion: metav1.GroupVersionForDiscovery{
606+
GroupVersion: "v1",
607+
},
608+
},
609+
{
610+
Name: "foo",
611+
PreferredVersion: metav1.GroupVersionForDiscovery{
612+
GroupVersion: "foo/v1beta1",
613+
},
614+
},
615+
{
616+
Name: "bar",
617+
PreferredVersion: metav1.GroupVersionForDiscovery{
618+
GroupVersion: "bar/v1",
619+
},
620+
},
621+
}
622+
623+
tf := cmdtesting.NewTestFactory().WithNamespace("test").WithDiscoveryClient(dc)
624+
defer tf.Cleanup()
625+
626+
opt := NewRoleModificationOptions(ioStreams)
627+
cmd := &cobra.Command{}
628+
kcmdutil.AddDryRunFlag(cmd)
629+
err := opt.Complete(tf, cmd, []string{"test", "test"}, ptr.To([]string{}), "")
630+
if err != nil {
631+
t.Fatalf("unexpected error: %s", err)
632+
}
633+
if opt.UserClient != nil {
634+
t.Fatal("expected UserClient to be nil")
635+
}
636+
}
637+
638+
func TestRoleModificationCompleteExistUser(t *testing.T) {
639+
ioStreams, _, _, _ := genericiooptions.NewTestIOStreams()
640+
641+
dc := cmdtesting.NewFakeCachedDiscoveryClient()
642+
dc.Groups = []*metav1.APIGroup{
643+
{
644+
Name: "",
645+
PreferredVersion: metav1.GroupVersionForDiscovery{
646+
GroupVersion: "v1",
647+
},
648+
},
649+
{
650+
Name: "foo",
651+
PreferredVersion: metav1.GroupVersionForDiscovery{
652+
GroupVersion: "foo/v1beta1",
653+
},
654+
},
655+
{
656+
Name: "user.openshift.io",
657+
PreferredVersion: metav1.GroupVersionForDiscovery{
658+
GroupVersion: "user.openshift.io/v1",
659+
},
660+
},
661+
}
662+
663+
tf := cmdtesting.NewTestFactory().WithNamespace("test").WithDiscoveryClient(dc)
664+
defer tf.Cleanup()
665+
666+
opt := NewRoleModificationOptions(ioStreams)
667+
cmd := &cobra.Command{}
668+
kcmdutil.AddDryRunFlag(cmd)
669+
err := opt.Complete(tf, cmd, []string{"test", "test"}, ptr.To([]string{}), "")
670+
if err != nil {
671+
t.Fatalf("unexpected error: %s", err)
672+
}
673+
if opt.UserClient == nil {
674+
t.Fatal("expected UserClient not to be nil")
675+
}
676+
}
677+
592678
func TestModifyRoleBindingWarnings(t *testing.T) {
593679
type clusterState struct {
594680
roles *rbacv1.RoleList

0 commit comments

Comments
 (0)