fix: forward context in validatingwebhooks (#517)

* fix: forward context in validatingwebhooks

Signed-off-by: Francesco Ilario <[email protected]>

* add context in tests

Signed-off-by: Francesco Ilario <[email protected]>

---------

Signed-off-by: Francesco Ilario <[email protected]>

pkg/webhook/validatingwebhook/validate_k8simagepuller_request.go

@@ -33,15 +33,15 @@ func (v K8sImagePullerRequestValidator) HandleValidate(w http.ResponseWriter, r
 		respBody = []byte("unable to read the body of the request")
 	} else {
 		// validate the request
-		respBody = v.validate(body)
+		respBody = v.validate(r.Context(), body)
 		w.WriteHeader(http.StatusOK)
 	}
 	if _, err := io.WriteString(w, string(respBody)); err != nil {
 		log.Error(err, "unable to write response")
 	}
 }
 
-func (v K8sImagePullerRequestValidator) validate(body []byte) []byte {
+func (v K8sImagePullerRequestValidator) validate(ctx context.Context, body []byte) []byte {
 	log.Info("incoming request", "body", string(body))
 	admReview := admissionv1.AdmissionReview{}
 	if _, _, err := deserializer.Decode(body, nil, &admReview); err != nil {
@@ -52,7 +52,7 @@ func (v K8sImagePullerRequestValidator) validate(body []byte) []byte {
 	}
 	//check if the requesting user is a sandbox user
 	requestingUser := &userv1.User{}
-	err := v.Client.Get(context.TODO(), types.NamespacedName{
+	err := v.Client.Get(ctx, types.NamespacedName{
 		Name: admReview.Request.UserInfo.Username,
 	}, requestingUser)
 

pkg/webhook/validatingwebhook/validate_k8simagepuller_request_test.go

@@ -2,6 +2,7 @@ package validatingwebhook
 
 import (
 	"bytes"
+	"context"
 	"net/http"
 	"net/http/httptest"
 	"testing"
@@ -28,7 +29,7 @@ func TestHandleValidateK8sImagePullerAdmissionRequest(t *testing.T) {
 		req := newCreateK8sImagePullerAdmissionRequest(t, "johnsmith")
 
 		// when
-		response := v.validate(req)
+		response := v.validate(context.TODO(), req)
 
 		// then
 		test.VerifyRequestBlocked(t, response, "this is a Dev Sandbox enforced restriction. you are trying to create a KubernetesImagePuller resource, which is not allowed", "b6ae2ab4-782b-11ee-b962-0242ac120002")
@@ -39,7 +40,7 @@ func TestHandleValidateK8sImagePullerAdmissionRequest(t *testing.T) {
 		req := newCreateK8sImagePullerAdmissionRequest(t, "johnsmith-crtadmin")
 
 		// when
-		response := v.validate(req)
+		response := v.validate(context.TODO(), req)
 
 		// then
 		test.VerifyRequestAllowed(t, response, "b6ae2ab4-782b-11ee-b962-0242ac120002")

pkg/webhook/validatingwebhook/validate_rolebinding_request.go

@@ -37,15 +37,15 @@ func (v RoleBindingRequestValidator) HandleValidate(w http.ResponseWriter, r *ht
 		respBody = []byte("unable to read the body of the request")
 	} else {
 		// validate the request
-		respBody = v.validate(body)
+		respBody = v.validate(r.Context(), body)
 		w.WriteHeader(http.StatusOK)
 	}
 	if _, err := io.WriteString(w, string(respBody)); err != nil {
 		log.Error(err, "unable to write response")
 	}
 }
 
-func (v RoleBindingRequestValidator) validate(body []byte) []byte {
+func (v RoleBindingRequestValidator) validate(ctx context.Context, body []byte) []byte {
 	admReview := admissionv1.AdmissionReview{}
 	if _, _, err := deserializer.Decode(body, nil, &admReview); err != nil {
 		//sanitize the body
@@ -72,7 +72,7 @@ func (v RoleBindingRequestValidator) validate(body []byte) []byte {
 	for _, sub := range subjects {
 		if containsSubject(subjectsList, sub) {
 			requestingUser := &userv1.User{}
-			err := v.Client.Get(context.TODO(), types.NamespacedName{
+			err := v.Client.Get(ctx, types.NamespacedName{
 				Name: admReview.Request.UserInfo.Username,
 			}, requestingUser)
 

pkg/webhook/validatingwebhook/validate_rolebinding_request_test.go

@@ -2,6 +2,7 @@ package validatingwebhook
 
 import (
 	"bytes"
+	"context"
 	"io"
 	"net/http"
 	"net/http/httptest"
@@ -41,31 +42,31 @@ func TestValidateRoleBindingAdmissionRequest(t *testing.T) {
 	t.Run("sandbox user trying to create rolebinding for all serviceaccounts is denied", func(t *testing.T) {
 		v := newRoleBindingRequestValidator(t, "johnsmith", true)
 		// when
-		response := v.validate(sandboxUserForAllServiceAccountsJSON)
+		response := v.validate(context.TODO(), sandboxUserForAllServiceAccountsJSON)
 		// then
 		test.VerifyRequestBlocked(t, response, "please create a rolebinding for a specific user or service account to avoid this error", "a68769e5-d817-4617-bec5-90efa2bad6f6")
 	})
 
 	t.Run("sandbox user trying to create rolebinding for all serviceaccounts: is denied", func(t *testing.T) {
 		v := newRoleBindingRequestValidator(t, "johnsmith", true)
 		// when
-		response := v.validate(sandboxUserForAllServiceAccountsJSON2)
+		response := v.validate(context.TODO(), sandboxUserForAllServiceAccountsJSON2)
 		// then
 		test.VerifyRequestBlocked(t, response, "please create a rolebinding for a specific user or service account to avoid this error", "a68769e5-d817-4617-bec5-90efa2bad7g8")
 	})
 
 	t.Run("sandbox user trying to create rolebinding for all authenticated users is denied", func(t *testing.T) {
 		v := newRoleBindingRequestValidator(t, "johnsmith", true)
 		// when
-		response := v.validate(sandboxUserForAllUsersJSON)
+		response := v.validate(context.TODO(), sandboxUserForAllUsersJSON)
 		// then
 		test.VerifyRequestBlocked(t, response, "please create a rolebinding for a specific user or service account to avoid this error", "a68769e5-d817-4617-bec5-90efa2bad8k8")
 	})
 
 	t.Run("sandbox user trying to create rolebinding for all authenticated: is denied", func(t *testing.T) {
 		v := newRoleBindingRequestValidator(t, "johnsmith", true)
 		// when
-		response := v.validate(sandboxUserForAllUsersJSON2)
+		response := v.validate(context.TODO(), sandboxUserForAllUsersJSON2)
 		// then
 		test.VerifyRequestBlocked(t, response, "please create a rolebinding for a specific user or service account to avoid this error", "a68769e5-d817-4617-bec5-90efa2bad9l9")
 	})
@@ -76,7 +77,7 @@ func TestValidateRoleBindingAdmissionRequestAllowed(t *testing.T) {
 	t.Run("SA or kubeadmin trying to create rolebinding is allowed", func(t *testing.T) {
 		v := newRoleBindingRequestValidator(t, "system:kubeadmin", false)
 		// when user is kubeadmin
-		response := v.validate(allowedUserJSON)
+		response := v.validate(context.TODO(), allowedUserJSON)
 
 		// then
 		test.VerifyRequestAllowed(t, response, "a68769e5-d817-4617-bec5-90efa2bad6g7")
@@ -85,23 +86,23 @@ func TestValidateRoleBindingAdmissionRequestAllowed(t *testing.T) {
 	t.Run("non sandbox user trying to create rolebinding is allowed", func(t *testing.T) {
 		v := newRoleBindingRequestValidator(t, "nonsandbox", false)
 		// when
-		response := v.validate(nonSandboxUserJSON)
+		response := v.validate(context.TODO(), nonSandboxUserJSON)
 		// then
 		test.VerifyRequestAllowed(t, response, "a68769e5-d817-4617-bec5-90efa2bad6f7")
 	})
 
 	t.Run("unable to find the requesting user, allow request", func(t *testing.T) {
 		v := newRoleBindingRequestValidator(t, "random-user", true)
 		// when
-		response := v.validate(sandboxUserForAllServiceAccountsJSON)
+		response := v.validate(context.TODO(), sandboxUserForAllServiceAccountsJSON)
 		// then
 		test.VerifyRequestAllowed(t, response, "a68769e5-d817-4617-bec5-90efa2bad6f6")
 	})
 
 	t.Run("sandbox user creating a rolebinding for a specific user is allowed", func(t *testing.T) {
 		v := newRoleBindingRequestValidator(t, "laracroft", true)
 		//when
-		response := v.validate(allowedRbJSON)
+		response := v.validate(context.TODO(), allowedRbJSON)
 		//then
 		test.VerifyRequestAllowed(t, response, "a68769e5-d817-4617-bec5-90efa2bad8g8")
 	})
@@ -114,7 +115,7 @@ func TestValidateRolebBndingAdmissionRequestFailsOnInvalidJson(t *testing.T) {
 	v := &RoleBindingRequestValidator{}
 
 	// when
-	response := v.validate(rawJSON)
+	response := v.validate(context.TODO(), rawJSON)
 
 	// then
 	test.VerifyRequestBlocked(t, response, "cannot unmarshal string into Go value of type struct", "")
@@ -125,7 +126,7 @@ func TestValidateRolebBndingAdmissionRequestFailsOnInvalidObjectJson(t *testing.
 	v := &RoleBindingRequestValidator{}
 
 	// when
-	response := v.validate(test.IncorrectRequestObjectJSON)
+	response := v.validate(context.TODO(), test.IncorrectRequestObjectJSON)
 
 	// then
 	test.VerifyRequestBlocked(t, response, "unable to unmarshal object or object is not a rolebinding", "a68769e5-d817-4617-bec5-90efa2bad6f8")

pkg/webhook/validatingwebhook/validate_spacebindingrequest.go

@@ -39,15 +39,15 @@ func (v SpaceBindingRequestValidator) HandleValidate(w http.ResponseWriter, r *h
 		respBody = []byte("unable to read the body of the request")
 	} else {
 		// validate the request
-		respBody = v.validate(body)
+		respBody = v.validate(r.Context(), body)
 		w.WriteHeader(http.StatusOK)
 	}
 	if _, err := io.WriteString(w, string(respBody)); err != nil {
 		log.Error(err, "unable to write response")
 	}
 }
 
-func (v SpaceBindingRequestValidator) validate(body []byte) []byte {
+func (v SpaceBindingRequestValidator) validate(ctx context.Context, body []byte) []byte {
 	admReview := admissionv1.AdmissionReview{}
 	if _, _, err := deserializer.Decode(body, nil, &admReview); err != nil {
 		//sanitize the body
@@ -66,7 +66,7 @@ func (v SpaceBindingRequestValidator) validate(body []byte) []byte {
 	}
 	// fetch SBR and check that MUR is unchanged
 	existingSBR := &toolchainv1alpha1.SpaceBindingRequest{}
-	if err := v.Client.Get(context.TODO(), types.NamespacedName{
+	if err := v.Client.Get(ctx, types.NamespacedName{
 		Name:      newSBR.GetName(),
 		Namespace: newSBR.GetNamespace(),
 	}, existingSBR); err != nil {

pkg/webhook/validatingwebhook/validate_spacebindingrequest_test.go

@@ -47,7 +47,7 @@ func TestHandleValidateSpaceBindingRequest(t *testing.T) {
 			})
 
 			// when
-			response := v.validate(req)
+			response := v.validate(context.TODO(), req)
 
 			// then
 			// it should not be allowed to update MUR field
@@ -65,7 +65,7 @@ func TestHandleValidateSpaceBindingRequest(t *testing.T) {
 			})
 
 			// when
-			response := v.validate(req)
+			response := v.validate(context.TODO(), req)
 
 			// then
 			// it should be allowed to update SpaceRole field
@@ -90,7 +90,7 @@ func TestHandleValidateSpaceBindingRequest(t *testing.T) {
 		})
 
 		// when
-		response := v.validate(req)
+		response := v.validate(context.TODO(), req)
 
 		// then
 		// it should not be allowed to create new SBR
@@ -104,7 +104,7 @@ func TestValidateSpaceBindingRequestFailsOnInvalidJson(t *testing.T) {
 
 	t.Run("object is not spacebindingrequest", func(t *testing.T) {
 		// when
-		response := v.validate(test.IncorrectRequestObjectJSON)
+		response := v.validate(context.TODO(), test.IncorrectRequestObjectJSON)
 
 		// then
 		test.VerifyRequestBlocked(t, response, "unable to unmarshal object or object is not a spacebindingrequest", "a68769e5-d817-4617-bec5-90efa2bad6f8")
@@ -113,7 +113,7 @@ func TestValidateSpaceBindingRequestFailsOnInvalidJson(t *testing.T) {
 	t.Run("json is invalid", func(t *testing.T) {
 		// when
 		rawJSON := []byte(`something wrong !`)
-		response := v.validate(rawJSON)
+		response := v.validate(context.TODO(), rawJSON)
 
 		// then
 		test.VerifyRequestBlocked(t, response, "cannot unmarshal string into Go value of type struct", "")
@@ -139,7 +139,7 @@ func TestValidateSpaceBindingRequestFailsOnGettingSBR(t *testing.T) {
 	})
 
 	// when
-	response := v.validate(req)
+	response := v.validate(context.TODO(), req)
 
 	// then
 	test.VerifyRequestBlocked(t, response, "unable to validate the SpaceBindingRequest. SpaceBindingRequest.Name: john-sbr: mock error", "xvadsfasdf")