Merge pull request #700 from mindw/apply_namespace_to_connection_secret

Fix issue with RabbitmqClusterReference Namespace Namespace and ConnectionSecret
rabbitmq · Nov 23, 2023 · 4f07a2c · 4f07a2c
2 parents 8be43c2 + eba0f5e
commit 4f07a2c
Show file tree

Hide file tree

Showing 2 changed files with 72 additions and 8 deletions.
diff --git a/rabbitmqclient/cluster_reference.go b/rabbitmqclient/cluster_reference.go
@@ -35,21 +35,24 @@ var (
 )
 
 func ParseReference(ctx context.Context, c client.Client, rmq topology.RabbitmqClusterReference, requestNamespace string, clusterDomain string, connectUsingHTTP bool) (map[string]string, bool, error) {
-	if rmq.ConnectionSecret != nil {
-		secret := &corev1.Secret{}
-		if err := c.Get(ctx, types.NamespacedName{Namespace: requestNamespace, Name: rmq.ConnectionSecret.Name}, secret); err != nil {
-			return nil, false, err
-		}
-		return readCredentialsFromKubernetesSecret(secret)
-	}
-
 	var namespace string
 	if rmq.Namespace == "" {
 		namespace = requestNamespace
 	} else {
 		namespace = rmq.Namespace
 	}
 
+	if rmq.ConnectionSecret != nil {
+		secret := &corev1.Secret{}
+		if err := c.Get(ctx, types.NamespacedName{Namespace: namespace, Name: rmq.ConnectionSecret.Name}, secret); err != nil {
+			return nil, false, err
+		}
+		if !AllowedNamespaceSecret(rmq, requestNamespace, secret) {
+			return nil, false, ResourceNotAllowedError
+		}
+		return readCredentialsFromKubernetesSecret(secret)
+	}
+
 	cluster := &rabbitmqv1beta1.RabbitmqCluster{}
 	if err := c.Get(ctx, types.NamespacedName{Name: rmq.Name, Namespace: namespace}, cluster); err != nil {
 		return nil, false, fmt.Errorf("failed to get cluster from reference: %s Error: %w", err, NoSuchRabbitmqClusterError)
@@ -144,6 +147,24 @@ func AllowedNamespace(rmq topology.RabbitmqClusterReference, requestNamespace st
 	return true
 }
 
+func AllowedNamespaceSecret(rmq topology.RabbitmqClusterReference, requestNamespace string, secret *corev1.Secret) bool {
+	if rmq.Namespace != "" && rmq.Namespace != requestNamespace {
+		var isAllowed bool
+		if allowedNamespaces, ok := secret.Annotations["rabbitmq.com/topology-allowed-namespaces"]; ok {
+			for _, allowedNamespace := range strings.Split(allowedNamespaces, ",") {
+				if requestNamespace == allowedNamespace || allowedNamespace == "*" {
+					isAllowed = true
+					break
+				}
+			}
+		}
+		if !isAllowed {
+			return false
+		}
+	}
+	return true
+}
+
 func readCredentialsFromKubernetesSecret(secret *corev1.Secret) (map[string]string, bool, error) {
 	if secret == nil {
 		return nil, false, fmt.Errorf("unable to retrieve information from Kubernetes secret %s: %w", secret.Name, errors.New("nil secret"))

diff --git a/rabbitmqclient/cluster_reference_test.go b/rabbitmqclient/cluster_reference_test.go
@@ -29,6 +29,7 @@ var _ = Describe("ParseReference", func() {
 		existingService          *corev1.Service
 		ctx                      = context.Background()
 		namespace                = "rabbitmq-system"
+		namespaceClient          = "client"
 		uriAnnotationKey         = "rabbitmq.com/operator-connection-uri"
 	)
 
@@ -478,6 +479,48 @@ var _ = Describe("ParseReference", func() {
 			})
 		})
 
+		When("when object is placed in another namespace", func() {
+			BeforeEach(func() {
+				noSchemeSecret := &corev1.Secret{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      "rmq-connection-info",
+						Namespace: namespace,
+						Annotations: map[string]string{
+							"rabbitmq.com/topology-allowed-namespaces": "*",
+						},
+					},
+					Data: map[string][]byte{
+						"uri":      []byte("10.0.0.0:15672"),
+						"username": []byte("test-user"),
+						"password": []byte("test-password"),
+					},
+				}
+				objs = []runtime.Object{noSchemeSecret}
+			})
+
+			It("returns the expected connection information", func() {
+				creds, tlsEnabled, err := rabbitmqclient.ParseReference(ctx, fakeClient,
+					topology.RabbitmqClusterReference{
+						Namespace: namespace,
+						ConnectionSecret: &corev1.LocalObjectReference{
+							Name: "rmq-connection-info",
+						},
+					},
+					namespaceClient,
+					"",
+					false)
+				Expect(err).NotTo(HaveOccurred())
+
+				Expect(tlsEnabled).To(BeFalse())
+				returnedUser, _ := creds["username"]
+				returnedPass, _ := creds["password"]
+				returnedURI, _ := creds["uri"]
+				Expect(returnedUser).To(Equal("test-user"))
+				Expect(returnedPass).To(Equal("test-password"))
+				Expect(returnedURI).To(Equal("http://10.0.0.0:15672"))
+			})
+		})
+
 		When("uri sets http as the scheme", func() {
 			BeforeEach(func() {
 				httpSchemeSecret := &corev1.Secret{