Commit cb565585 authored by Mike Danese's avatar Mike Danese

csr: add resync to csr approver

parent 5ce3b359
...@@ -91,10 +91,15 @@ func (a *sarApprover) handle(csr *capi.CertificateSigningRequest) error { ...@@ -91,10 +91,15 @@ func (a *sarApprover) handle(csr *capi.CertificateSigningRequest) error {
return fmt.Errorf("unable to parse csr %q: %v", csr.Name, err) return fmt.Errorf("unable to parse csr %q: %v", csr.Name, err)
} }
tried := []string{}
for _, r := range a.recognizers { for _, r := range a.recognizers {
if !r.recognize(csr, x509cr) { if !r.recognize(csr, x509cr) {
continue continue
} }
tried = append(tried, r.permission.Subresource)
approved, err := a.authorize(csr, r.permission) approved, err := a.authorize(csr, r.permission)
if err != nil { if err != nil {
return err return err
...@@ -108,6 +113,11 @@ func (a *sarApprover) handle(csr *capi.CertificateSigningRequest) error { ...@@ -108,6 +113,11 @@ func (a *sarApprover) handle(csr *capi.CertificateSigningRequest) error {
return nil return nil
} }
} }
if len(tried) != 0 {
return fmt.Errorf("recognized csr %q as %v but subject access review was not approved", csr.Name, tried)
}
return nil return nil
} }
......
...@@ -89,6 +89,7 @@ func TestHandle(t *testing.T) { ...@@ -89,6 +89,7 @@ func TestHandle(t *testing.T) {
message string message string
allowed bool allowed bool
recognized bool recognized bool
err bool
verify func(*testing.T, []testclient.Action) verify func(*testing.T, []testclient.Action)
}{ }{
{ {
...@@ -119,6 +120,7 @@ func TestHandle(t *testing.T) { ...@@ -119,6 +120,7 @@ func TestHandle(t *testing.T) {
} }
_ = as[0].(testclient.CreateActionImpl) _ = as[0].(testclient.CreateActionImpl)
}, },
err: true,
}, },
{ {
recognized: true, recognized: true,
...@@ -155,7 +157,7 @@ func TestHandle(t *testing.T) { ...@@ -155,7 +157,7 @@ func TestHandle(t *testing.T) {
} }
for _, c := range cases { for _, c := range cases {
t.Run(fmt.Sprintf("recognized:%v,allowed: %v", c.recognized, c.allowed), func(t *testing.T) { t.Run(fmt.Sprintf("recognized:%v,allowed: %v,err: %v", c.recognized, c.allowed, c.err), func(t *testing.T) {
client := &fake.Clientset{} client := &fake.Clientset{}
client.AddReactor("create", "subjectaccessreviews", func(action testclient.Action) (handled bool, ret runtime.Object, err error) { client.AddReactor("create", "subjectaccessreviews", func(action testclient.Action) (handled bool, ret runtime.Object, err error) {
return true, &authorization.SubjectAccessReview{ return true, &authorization.SubjectAccessReview{
...@@ -177,7 +179,7 @@ func TestHandle(t *testing.T) { ...@@ -177,7 +179,7 @@ func TestHandle(t *testing.T) {
}, },
} }
csr := makeTestCsr() csr := makeTestCsr()
if err := approver.handle(csr); err != nil { if err := approver.handle(csr); err != nil && !c.err {
t.Errorf("unexpected err: %v", err) t.Errorf("unexpected err: %v", err)
} }
c.verify(t, client.Actions()) c.verify(t, client.Actions())
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment