fix: provide a restmapper to the webhook with a full scope instead of only the limited scope of the vws (#57)

* fix: provide a restmapper to the webhook with a full scope instead of only the limited scope of the vws

* tests: provide some tests for the new function

* tests: increase coverage in contextual package

Author: aaronschweig

.mockery.yml

@@ -14,6 +14,9 @@ packages:
   github.com/openfga/api/proto/openfga/v1:
     config:
       include-interface-regex: OpenFGAServiceClient
+  github.com/platform-mesh/rebac-authz-webhook/pkg/restmapper:
+    config:
+      include-interface-regex: Provider
   sigs.k8s.io/controller-runtime/pkg/client:
     config:
       include-interface-regex: ^Client

cmd/serve.go

@@ -29,6 +29,7 @@ import (
 	"github.com/platform-mesh/rebac-authz-webhook/pkg/handler/contextual"
 	"github.com/platform-mesh/rebac-authz-webhook/pkg/handler/nonresourceattributes"
 	"github.com/platform-mesh/rebac-authz-webhook/pkg/handler/orgs"
+	"github.com/platform-mesh/rebac-authz-webhook/pkg/restmapper"
 
 	"github.com/kcp-dev/multicluster-provider/apiexport"
 	openfgav1 "github.com/openfga/api/proto/openfga/v1"
@@ -120,14 +121,16 @@ var serveCmd = &cobra.Command{
 			klog.Exit(err, "failed to get orgs workspace")
 		}
 
+		mapperProvider := restmapper.New()
+
 		extraAttrClusterKey := serverCfg.Webhook.ClusterKey
 
 		mgr.GetWebhookServer().Register("/authz", authorization.New(
 			klog.NewKlogr(),
 			union.New(
 				nonresourceattributes.New("/api"),
 				orgs.New(fga, extraAttrClusterKey, ws.Spec.Cluster, storeRes.Stores[0].Id),
-				contextual.New(mgr, fga, extraAttrClusterKey),
+				contextual.New(mgr, fga, mapperProvider, extraAttrClusterKey),
 			),
 		))
 
@@ -138,6 +141,10 @@ var serveCmd = &cobra.Command{
 			klog.Exit(err, "unable to set up ready check")
 		}
 
+		if err := mgr.Add(mapperProvider); err != nil {
+			klog.Exit(err, "unable to register rest mapper provider")
+		}
+
 		klog.Info("Starting provider")
 		go func() {
 			if err := provider.Run(ctx, mgr); err != nil {

pkg/handler/contextual/contextual.go

@@ -2,11 +2,13 @@ package contextual
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"strings"
 
 	openfgav1 "github.com/openfga/api/proto/openfga/v1"
 	"github.com/platform-mesh/rebac-authz-webhook/pkg/authorization"
+	"github.com/platform-mesh/rebac-authz-webhook/pkg/restmapper"
 	"github.com/platform-mesh/rebac-authz-webhook/pkg/util"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/types"
@@ -20,18 +22,20 @@ import (
 const maxRelationLength = 50
 
 type contextualAuthorizer struct {
-	clusterKey string
-	mgr        mcmanager.Manager
-	fga        openfgav1.OpenFGAServiceClient
+	clusterKey     string
+	mgr            mcmanager.Manager
+	fga            openfgav1.OpenFGAServiceClient
+	mapperProvider restmapper.Provider
 }
 
 var _ authorization.Handler = &contextualAuthorizer{}
 
-func New(mgr mcmanager.Manager, fga openfgav1.OpenFGAServiceClient, clusterKey string) authorization.Handler {
+func New(mgr mcmanager.Manager, fga openfgav1.OpenFGAServiceClient, mapperProvider restmapper.Provider, clusterKey string) authorization.Handler {
 	return &contextualAuthorizer{
-		mgr:        mgr,
-		fga:        fga,
-		clusterKey: clusterKey,
+		mgr:            mgr,
+		fga:            fga,
+		clusterKey:     clusterKey,
+		mapperProvider: mapperProvider,
 	}
 }
 
@@ -82,7 +86,12 @@ func (c *contextualAuthorizer) Handle(ctx context.Context, req authorization.Req
 		Resource: attrs.Resource,
 	}
 
-	restMapper := accountInfoCluster.GetRESTMapper()
+	restMapper, ok := c.mapperProvider.Get(clusterName)
+	if !ok {
+		klog.ErrorS(errors.New("failed to get RESTMapper for cluster"), "clusterName", clusterName)
+		return authorization.NoOpinion()
+	}
+
 	gvk, err := restMapper.KindFor(gvr)
 	if err != nil {
 		klog.ErrorS(err, "failed to get GVK for GVR", "GVR", gvr)

pkg/handler/contextual/contextual_test.go

@@ -26,6 +26,7 @@ func TestHandler(t *testing.T) {
 		res      authorization.Response
 		fgaMocks func(openfga *mocks.OpenFGAServiceClient)
 		k8sMocks func(client *mocks.Client, cluster *mocks.Cluster)
+		rmpMocks func(rmp *mocks.Provider)
 	}{
 		{
 			name: "should skip processing if no extra attrs present",
@@ -65,6 +66,43 @@ func TestHandler(t *testing.T) {
 
 			},
 		},
+		{
+			name: "should skip processing if restmapper cannot be retrieved",
+			req: authorization.Request{
+				SubjectAccessReview: v1.SubjectAccessReview{
+					Spec: v1.SubjectAccessReviewSpec{
+						Extra: map[string]v1.ExtraValue{
+							"authorization.kubernetes.io/cluster-name": {"a"},
+						},
+						ResourceAttributes: &v1.ResourceAttributes{},
+					},
+				},
+			},
+			res: authorization.NoOpinion(),
+			k8sMocks: func(cl *mocks.Client, cluster *mocks.Cluster) {
+				cl.EXPECT().
+					Get(mock.Anything, mock.Anything, mock.Anything, mock.Anything).
+					RunAndReturn(
+						func(ctx context.Context, key client.ObjectKey, obj client.Object, opts ...client.GetOption) error {
+							acc := obj.(*v1alpha1.AccountInfo)
+
+							*acc = v1alpha1.AccountInfo{
+								Spec: v1alpha1.AccountInfoSpec{
+									Account: v1alpha1.AccountLocation{
+										OriginClusterId: "origin",
+										Name:            "origin-account",
+									},
+								},
+							}
+							return nil
+						},
+					)
+
+			},
+			rmpMocks: func(rmp *mocks.Provider) {
+				rmp.EXPECT().Get(mock.Anything).Return(nil, false)
+			},
+		},
 		{
 			name: "should process request non-parent, non-namespaced successfully",
 			req: authorization.Request{
@@ -103,6 +141,8 @@ func TestHandler(t *testing.T) {
 						},
 					)
 
+			},
+			rmpMocks: func(rmp *mocks.Provider) {
 				rm := meta.NewDefaultRESTMapper([]schema.GroupVersion{})
 
 				gv := schema.GroupVersion{
@@ -117,7 +157,7 @@ func TestHandler(t *testing.T) {
 					meta.RESTScopeRoot,
 				)
 
-				cluster.EXPECT().GetRESTMapper().Return(rm)
+				rmp.EXPECT().Get(mock.Anything).Return(rm, true)
 			},
 			fgaMocks: func(openfga *mocks.OpenFGAServiceClient) {
 				openfga.EXPECT().Check(mock.Anything, mock.Anything).RunAndReturn(
@@ -181,7 +221,8 @@ func TestHandler(t *testing.T) {
 							return nil
 						},
 					)
-
+			},
+			rmpMocks: func(rmp *mocks.Provider) {
 				rm := meta.NewDefaultRESTMapper([]schema.GroupVersion{})
 
 				gv := schema.GroupVersion{
@@ -196,7 +237,7 @@ func TestHandler(t *testing.T) {
 					meta.RESTScopeNamespace,
 				)
 
-				cluster.EXPECT().GetRESTMapper().Return(rm)
+				rmp.EXPECT().Get(mock.Anything).Return(rm, true)
 			},
 			fgaMocks: func(openfga *mocks.OpenFGAServiceClient) {
 				openfga.EXPECT().Check(mock.Anything, mock.Anything).RunAndReturn(
@@ -268,7 +309,8 @@ func TestHandler(t *testing.T) {
 							return nil
 						},
 					)
-
+			},
+			rmpMocks: func(rmp *mocks.Provider) {
 				rm := meta.NewDefaultRESTMapper([]schema.GroupVersion{})
 
 				gv := schema.GroupVersion{
@@ -283,7 +325,7 @@ func TestHandler(t *testing.T) {
 					meta.RESTScopeNamespace,
 				)
 
-				cluster.EXPECT().GetRESTMapper().Return(rm)
+				rmp.EXPECT().Get(mock.Anything).Return(rm, true)
 			},
 			fgaMocks: func(openfga *mocks.OpenFGAServiceClient) {
 				openfga.EXPECT().Check(mock.Anything, mock.Anything).RunAndReturn(
@@ -346,7 +388,8 @@ func TestHandler(t *testing.T) {
 							return nil
 						},
 					)
-
+			},
+			rmpMocks: func(rmp *mocks.Provider) {
 				rm := meta.NewDefaultRESTMapper([]schema.GroupVersion{})
 
 				gv := schema.GroupVersion{
@@ -361,7 +404,7 @@ func TestHandler(t *testing.T) {
 					meta.RESTScopeRoot,
 				)
 
-				cluster.EXPECT().GetRESTMapper().Return(rm)
+				rmp.EXPECT().Get(mock.Anything).Return(rm, true)
 			},
 			fgaMocks: func(openfga *mocks.OpenFGAServiceClient) {
 				openfga.EXPECT().Check(mock.Anything, mock.Anything).RunAndReturn(
@@ -398,6 +441,11 @@ func TestHandler(t *testing.T) {
 				test.k8sMocks(client, cluster)
 			}
 
+			rmp := mocks.NewProvider(t)
+			if test.rmpMocks != nil {
+				test.rmpMocks(rmp)
+			}
+
 			mgr.EXPECT().GetCluster(mock.Anything, mock.Anything).Return(cluster, nil).Maybe()
 			cluster.EXPECT().GetClient().Return(client).Maybe()
 
@@ -406,7 +454,7 @@ func TestHandler(t *testing.T) {
 				test.fgaMocks(openfga)
 			}
 
-			h := contextual.New(mgr, openfga, "authorization.kubernetes.io/cluster-name")
+			h := contextual.New(mgr, openfga, rmp, "authorization.kubernetes.io/cluster-name")
 
 			ctx := t.Context()