first draft

internal/startup/startup.go

@@ -3,6 +3,7 @@ package startup
 import (
 	"errors"
 	"fmt"
+	"github.com/datreeio/admission-webhook-datree/pkg/openshiftClient"
 
 	"net/http"
 	"os"
@@ -43,6 +44,7 @@ func Start() {
 	basicCliClient := clients.NewCliServiceClient(deploymentConfig.URL, basicNetworkValidator, state)
 	errorReporter := errorReporter.NewErrorReporter(basicCliClient, state)
 	internalLogger := logger.New("", errorReporter)
+	openshiftClientInstance, err := openshiftClient.NewOpenshiftClient()
 
 	defer func() {
 		if panicErr := recover(); panicErr != nil {
@@ -87,7 +89,7 @@ func Start() {
 		panic(err)
 	}
 
-	validationController := controllers.NewValidationController(basicCliClient, state, errorReporter, k8sMetadataUtilInstance)
+	validationController := controllers.NewValidationController(basicCliClient, state, errorReporter, k8sMetadataUtilInstance, &internalLogger, openshiftClientInstance)
 	healthController := controllers.NewHealthController()
 	// set routes
 	http.HandleFunc("/validate", validationController.Validate)

pkg/controllers/validationController.go

@@ -3,6 +3,7 @@ package controllers
 import (
 	"encoding/json"
 	"fmt"
+	"github.com/datreeio/admission-webhook-datree/pkg/openshiftClient"
 	"io"
 	"net/http"
 
@@ -27,12 +28,14 @@ type ValidationController struct {
 	ErrorReporter     *errorReporter.ErrorReporter
 }
 
-func NewValidationController(cliServiceClient *clients.CliClient, state *servicestate.ServiceState, errorReporter *errorReporter.ErrorReporter, k8sMetadataUtilInstance *k8sMetadataUtil.K8sMetadataUtil) *ValidationController {
+func NewValidationController(cliServiceClient *clients.CliClient, state *servicestate.ServiceState, errorReporter *errorReporter.ErrorReporter, k8sMetadataUtilInstance *k8sMetadataUtil.K8sMetadataUtil, logger *logger.Logger, openshiftClient *openshiftClient.OpenshiftClient) *ValidationController {
 	validationService := &services.ValidationService{
 		CliServiceClient: cliServiceClient,
 		State:            state,
 		K8sMetadataUtil:  k8sMetadataUtilInstance,
 		ErrorReporter:    errorReporter,
+		OpenshiftClient:  openshiftClient,
+		Logger:           logger,
 	}
 
 	return &ValidationController{

pkg/controllers/validationController_test.go

@@ -4,6 +4,8 @@ import (
 	_ "embed"
 	"encoding/json"
 	"fmt"
+	"github.com/datreeio/admission-webhook-datree/pkg/logger"
+	"github.com/datreeio/admission-webhook-datree/pkg/openshiftClient"
 	"net/http"
 	"net/http/httptest"
 	"strings"
@@ -310,7 +312,11 @@ func mockValidationController(mockedResponse httpClient.Response) *ValidationCon
 	mockErrorReporterClient.On("ReportError", mock.Anything, mock.Anything).Return(200, nil)
 	mockErrorReporter := errorReporter.NewErrorReporter(mockErrorReporterClient, mockState)
 
-	return NewValidationController(mockedCliServiceClient, mockState, mockErrorReporter, mockK8sMetadataUtil)
+	mockLogger := &logger.Logger{}
+
+	mockOpenshiftClient := &openshiftClient.OpenshiftClient{}
+
+	return NewValidationController(mockedCliServiceClient, mockState, mockErrorReporter, mockK8sMetadataUtil, mockLogger, mockOpenshiftClient)
 }
 
 func convertPrerunResponseJsonToStruct(prerunResponse []byte) *clients.ClusterEvaluationPrerunDataResponse {

pkg/openshiftClient/openshiftClient.go

@@ -1,4 +1,4 @@
-package main
+package openshiftClient
 
 import (
 	"context"
@@ -60,20 +60,15 @@ func (oc *OpenshiftClient) getGroupsByUsers() (GroupsByUsers, error) {
 	oc.cache.Set(groupsByUsersCacheKey, groupsByUsers, 1*time.Minute)
 	return groupsByUsers, nil
 }
-
 func (oc *OpenshiftClient) GetGroupsUserBelongsTo(username string) ([]string, error) {
-	groups, err := oc.userClientV1.Groups().List(context.TODO(), metav1.ListOptions{})
+	groupsByUsers, err := oc.getGroupsByUsers()
 	if err != nil {
 		return nil, err
 	}
 
-	var groupsUserBelongsTo []string
-	for _, group := range groups.Items {
-		for _, user := range group.Users {
-			if user == username {
-				groupsUserBelongsTo = append(groupsUserBelongsTo, group.Name)
-			}
-		}
+	groups, found := groupsByUsers[username]
+	if !found {
+		return []string{}, nil
 	}
-	return groupsUserBelongsTo, nil
+	return groups, nil
 }

pkg/services/validationService.go

@@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"github.com/datreeio/admission-webhook-datree/pkg/openshiftClient"
 	"net/http"
 	"os"
 	"regexp"
@@ -59,6 +60,8 @@ type ValidationService struct {
 	K8sMetadataUtil  *k8sMetadataUtil.K8sMetadataUtil
 	ErrorReporter    *errorReporter.ErrorReporter
 	State            *servicestate.ServiceState
+	OpenshiftClient  *openshiftClient.OpenshiftClient
+	Logger           *logger.Logger
 }
 
 func (vs *ValidationService) Validate(admissionReviewReq *admission.AdmissionReview, warningMessages *[]string, internalLogger logger.Logger) (admissionReview *admission.AdmissionReview, isSkipped bool) {
@@ -402,8 +405,17 @@ func (vs *ValidationService) shouldBypassByPermissions(userInfo authenticationv1
 	}
 
 	userName := userInfo.Username
+	groups := userInfo.Groups
 	if openShiftRequester != "" {
+		// override username
 		userName = openShiftRequester
+
+		// override groups
+		groupsFromOpenshiftClient, err := vs.OpenshiftClient.GetGroupsUserBelongsTo(openShiftRequester)
+		if err != nil {
+			vs.Logger.LogError(fmt.Sprintf("Failed to get groups for user %s from openshift client: %s", openShiftRequester, err.Error()))
+		}
+		groups = groupsFromOpenshiftClient
 	}
 
 	for _, userAccount := range bypassPermissions.UserAccounts {
@@ -419,7 +431,7 @@ func (vs *ValidationService) shouldBypassByPermissions(userInfo authenticationv1
 	}
 
 	for _, bypassGroup := range bypassPermissions.Groups {
-		for _, userInfoGroup := range userInfo.Groups {
+		for _, userInfoGroup := range groups {
 			if match, _ := regexp.MatchString(bypassGroup, userInfoGroup); match {
 				return true
 			}