chore: refactoring and test implementations for authorization webhook (#54)

* chore: initial refactoring progress

* tests: wrote more test for contextual authorizer

* tests: finish up contextual authorizer tests

* tests: add test to the webhook framework

* tests: provdie test for union logic

* chore: skip test requirement for util for now

* chore: running in the local setup revealed some bugs

* chore: address review comments

* chore: more review comments and minor improvements

* chore: update Dockerfile for build arguments and enhance logging in root command

Author: aaronschweig

.github/workflows/pipeline.yaml

@@ -18,6 +18,5 @@ jobs:
     with:
       imageTagName: ghcr.io/platform-mesh/rebac-authz-webhook
       useTask: true
-      coverageThresholdFile: 0
-      coverageThresholdPackage: 0
-      coverageThresholdTotal: 0
+      useLocalCoverageConfig: true
+      coverageThresholdTotal: 80

.mockery.yml

@@ -6,23 +6,20 @@ recursive: false
 require-template-schema-exists: true
 template: testify
 template-schema: '{{.Template}}.schema.json'
-dir: 'pkg/resolver/mocks'
+dir: 'pkg/handler/mocks'
 pkgname: mocks
 structname: '{{.InterfaceName}}'
+filename: '{{.InterfaceName}}.go'
 packages:
-  k8s.io/apimachinery/pkg/api/meta:
-    config:
-      include-interface-regex: RESTMapper
-      filename: restmapper.go
-  sigs.k8s.io/controller-runtime/pkg/kcp:
+  github.com/openfga/api/proto/openfga/v1:
     config:
-      filename: kcp.go
+      include-interface-regex: OpenFGAServiceClient
   sigs.k8s.io/controller-runtime/pkg/client:
     config:
-      include-interface-regex: Client
-      filename: k8sclient.go
-  github.com/openfga/api/proto/openfga/v1:
+      include-interface-regex: ^Client
+  sigs.k8s.io/controller-runtime/pkg/cluster:
     config:
-      dir: 'pkg/handler/mocks'
-      include-interface-regex: OpenFGAServiceClient
-      filename: openfgaclient.go
+      include-interface-regex: Cluster
+  sigs.k8s.io/multicluster-runtime/pkg/manager:
+    config:
+      include-interface-regex: Manager

.testcoverage.yml

@@ -0,0 +1,7 @@
+exclude:
+  paths:
+    - ^pkg/handler/mocks # exclude generated mock files
+    - main\.go$ # skip covering main.go
+    - ^cmd # skip covering cmd directory
+    - ^pkg/authorization/response\.go$
+    - ^pkg/util

Dockerfile

@@ -1,18 +1,18 @@
 FROM golang:1.25 AS builder
 
-ENV GOSUMDB=off
-
-RUN git config --global credential.helper store
-RUN --mount=type=secret,id=org_token echo "https://gha:$(cat /run/secrets/org_token)@github.com" > /root/.git-credentials
+ARG TARGETOS
+ARG TARGETARCH
 
 WORKDIR /app
 
 COPY go.mod go.mod
 COPY go.sum go.sum
 
+RUN go mod download
+
 COPY . .
 
-RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -o rebac-authz-webhook main.go
+RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -o rebac-authz-webhook main.go
 
 FROM gcr.io/distroless/static:nonroot
 WORKDIR /