From cb56558531f68bbe22c41eff545abb256d1cdcc1 Mon Sep 17 00:00:00 2001
From: Mike Danese
Date: Fri, 28 Jul 2017 09:11:24 -0700
Subject: [PATCH] csr: add resync to csr approver

---
 pkg/controller/certificates/approver/sarapprove.go | 10 ++++++++++
 .../certificates/approver/sarapprove_test.go | 6 ++++--
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/pkg/controller/certificates/approver/sarapprove.go b/pkg/controller/certificates/approver/sarapprove.go
index fdcc8c8b312..66d5e28cd2c 100644
--- a/pkg/controller/certificates/approver/sarapprove.go
+++ b/pkg/controller/certificates/approver/sarapprove.go
@@ -91,10 +91,15 @@ func (a *sarApprover) handle(csr *capi.CertificateSigningRequest) error {
 return fmt.Errorf("unable to parse csr %q: %v", csr.Name, err)
 }
 
+ tried := []string{}
+
 for _, r := range a.recognizers {
 if !r.recognize(csr, x509cr) {
 continue
 }
+
+ tried = append(tried, r.permission.Subresource)
+
 approved, err := a.authorize(csr, r.permission)
 if err != nil {
 return err
@@ -108,6 +113,11 @@ func (a *sarApprover) handle(csr *capi.CertificateSigningRequest) error {
 return nil
 }
 }
+
+ if len(tried) != 0 {
+ return fmt.Errorf("recognized csr %q as %v but subject access review was not approved", csr.Name, tried)
+ }
+
 return nil
 }
 
diff --git a/pkg/controller/certificates/approver/sarapprove_test.go b/pkg/controller/certificates/approver/sarapprove_test.go
index 3dcc1d044fa..f17b9cebec4 100644
--- a/pkg/controller/certificates/approver/sarapprove_test.go
+++ b/pkg/controller/certificates/approver/sarapprove_test.go
@@ -89,6 +89,7 @@ func TestHandle(t *testing.T) {
 message string
 allowed bool
 recognized bool
+ err bool
 verify func(*testing.T, []testclient.Action)
 }{
 {
@@ -119,6 +120,7 @@ func TestHandle(t *testing.T) {
 }
 _ = as[0].(testclient.CreateActionImpl)
 },
+ err: true,
 },
 {
 recognized: true,
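Review bot: `tried := []string{}` allocates an empty slice where the nil form is the Go idiom and behaves identically under `append` and `len`; prefer `var tried []string`. The slice records `r.permission.Subresource` as the label for each matching recognizer, so the error text later built from it is only informative if every recognizer's permission carries a distinct, non-empty subresource name; if a recognizer's permission has an empty Subresource the message will list an empty string, which is worth a comment or a fallback such as the Resource name. handle begins before this hunk.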
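Review bot: The new `if len(tried) != 0` return turns every recognized-but-denied CSR into a failure of handle, and nothing in the hunk bounds how often that failure is retried; if the caller requeues on error (not visible here), a CSR whose requester is legitimately denied by the SubjectAccessReview will be re-evaluated on every retry, each time issuing a fresh SubjectAccessReview against the API server, until the CSR is deleted. That is presumably the "resync" the commit title refers to, so the intent should be recorded and the queue feeding handle should use a capped exponential rate limiter rather than a constant delay so that denied CSRs cannot become a steady stream of authorization calls. I would add above the check: `// Returning an error here is deliberate: it requeues the CSR so that a request denied now is re-checked once the requester is granted the permission; the caller's workqueue must rate-limit these retries.` handle begins before the previous hunk.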
@@ -155,7 +157,7 @@ func TestHandle(t *testing.T) {
 }
 
 for _, c := range cases {
- t.Run(fmt.Sprintf("recognized:%v,allowed: %v", c.recognized, c.allowed), func(t *testing.T) {
+ t.Run(fmt.Sprintf("recognized:%v,allowed: %v,err: %v", c.recognized, c.allowed, c.err), func(t *testing.T) {
 client := &fake.Clientset{}
 client.AddReactor("create", "subjectaccessreviews", func(action testclient.Action) (handled bool, ret runtime.Object, err error) {
 return true, &authorization.SubjectAccessReview{
@@ -177,7 +179,7 @@ func TestHandle(t *testing.T) {
 },
 }
 csr := makeTestCsr()
- if err := approver.handle(csr); err != nil {
+ if err := approver.handle(csr); err != nil && !c.err {
 t.Errorf("unexpected err: %v", err)
 }
 c.verify(t, client.Actions())
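Review bot: The changed check in the last hunk only suppresses an error for the case marked `err: true`; it never asserts that `handle` actually returns one, so the new "recognized but not approved" error path in sarapprove.go could silently stop firing without this test noticing. Compare the presence of an error against the expectation in both directions: `err := approver.handle(csr)`, `if (err != nil) != c.err {`, `t.Errorf("handle() error = %v, want error: %v", err, c.err)`. The t.Run closure and TestHandle continue outside the hunk.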