[patch] Use env sa prefix (#76)
* Fix sa prefix

* Fix test

* update comment

Co-authored-by: Kyo Fujisaki <kyfujisa@yahoo-corp.jp>
Co-authored-by: wfan <wfan@yahoo-corp.jp>
3 people authored Jul 20, 2021
1 parent ce8494d commit c1bd5c0
Showing 2 changed files with 10 additions and 5 deletions.
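--- a/service/resolver.go
+++ b/service/resolver.go
@@ -240,8 +240,8 @@ func (r *resolve) GetNonResourceNamespace() string {
 
 // PrincipalFromUser maps K8s user to Athenz principal.
 // 1. service account: if has ServiceAccountPrefixes, remove prefix, map to AthenzServiceAccountPrefix
-// 1.1. if contains namespace, create domain by namespace and AthenzServiceAccountPrefix
-// 1.2. if no namespaces, prepend AthenzServiceAccountPrefix
+// 1.1. if contains namespace, create domain by the namespace and AthenzServiceAccountPrefix
+// 1.2. if no namespaces, create domain by EmptyNamespace and AthenzServiceAccountPrefix
 // 2. athenz user: if has AthenzUserPrefix, OR not contains ".", map to AthenzUserPrefix
 // 3. certificate: if not service account and athenz user, no mapping
 func (r *resolve) PrincipalFromUser(user string, groups []string) string {
@@ -271,7 +271,8 @@ func (r *resolve) PrincipalFromUser(user string, groups []string) string {
 return strings.TrimPrefix(strings.TrimSuffix(strings.Join(
 append(r.BuildServiceAccountPrefixFromNamespace(parts[0]), parts[1:]...), "."), ":"), ":")
 }
-return r.cfg.AthenzServiceAccountPrefix + strings.TrimSuffix(strings.TrimPrefix(strings.TrimPrefix(user, prefix), ":"), ":")
+return strings.TrimPrefix(strings.TrimSuffix(strings.Join(
+append(r.BuildServiceAccountPrefixFromNamespace(r.cfg.EmptyNamespace), parts[0]), "."), ":"), ":")
 }
 
 // athenz user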
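Review bot: The new fallback `append(r.BuildServiceAccountPrefixFromNamespace(r.cfg.EmptyNamespace), parts[0])` in PrincipalFromUser builds the domain of a namespace-less service account from `EmptyNamespace`, and nothing visible in this hunk checks that value. If it is left unset the principal is presumably malformed, and if it equals the name of a real namespace, a namespace-less account and an account in that namespace would presumably resolve to the same Athenz principal, which matters because this string is the identity that authorization decisions are made on. I would reject an empty `EmptyNamespace` when the config is loaded and state the constraint in the doc comment, for example `// EmptyNamespace must be non-empty and must not be the name of a real namespace, otherwise two users can map to one principal.` The rest of PrincipalFromUser and BuildServiceAccountPrefixFromNamespace are outside the hunk, so both cases need confirming there.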
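--- a/service/resolver_test.go
+++ b/service/resolver_test.go
@@ -1060,13 +1060,15 @@ func Test_resolve_PrincipalFromUser(t *testing.T) {
 fields: fields{
 cfg: config.Platform{
 ServiceAccountPrefixes: []string{"prefix-319:"},
+EmptyNamespace: "empty",
 },
+athenzSAPrefix: "athenz._namespace_.",
 },
 args: args{
 user: "prefix-319:user-323",
 groups: []string{"system:serviceaccounts"},
 },
-want: "user-323",
+want: "athenz.empty.user-323",
 },
 {
 name: "Check resolve PrincipalFromUser ServiceAccountPrefixes match user prefix, single part, no groups",
@@ -1087,13 +1089,15 @@ func Test_resolve_PrincipalFromUser(t *testing.T) {
 fields: fields{
 cfg: config.Platform{
 ServiceAccountPrefixes: []string{"prefix-331"},
+EmptyNamespace: "empty",
 },
+athenzSAPrefix: "athenz._namespace_.",
 },
 args: args{
 user: "prefix-331:user-335:",
 groups: []string{"system:serviceaccounts"},
 },
-want: "user-335",
+want: "athenz.empty.user-335",
 },
 {
 name: "Check resolve PrincipalFromUser ServiceAccountPrefixes match user prefix, multiple parts, empty namespace",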
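Review bot: Both updated cases set `EmptyNamespace: "empty"` together with `athenzSAPrefix: "athenz._namespace_."`, so the table never pins what the single-part service-account path returns when `EmptyNamespace` is left at its zero value. Because the result is the principal used for authorization, I would add one case with `EmptyNamespace` unset and one where a two-part user such as `prefix-319:empty:user-323` is resolved next to the single-part one, so that any overlap between the two mappings is visible in the expected values. The surrounding table and the `fields` and `args` types are outside these hunks, and an existing case may already cover part of this.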
