UPDATE: black&whitelist

ca-gip · Apr 4, 2022 · ba4dfe0 · ba4dfe0
1 parent 0972f7a
commit ba4dfe0
Show file tree

Hide file tree

Showing 3 changed files with 282 additions and 43 deletions.
diff --git a/internal/services/blackwhitelist.go b/internal/services/blackwhitelist.go
@@ -2,13 +2,13 @@ package services
 
 import (
 	"context"
-	"errors"
+	"strings"
+
 	"github.com/ca-gip/kubi/internal/utils"
 	corev1 "k8s.io/api/core/v1"
 	v1 "k8s.io/client-go/kubernetes/typed/core/v1"
 
 	"github.com/ca-gip/kubi/pkg/types"
-	"github.com/mitchellh/mapstructure"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -17,7 +17,7 @@ func GetBlackWhitelistCM(api v1.CoreV1Interface) (*corev1.ConfigMap, error) {
 	blacklistCM, errRB := api.ConfigMaps(utils.Config.BlackWhitelistNamespace).Get(context.TODO(), "blackwhitelist", metav1.GetOptions{})
 	if errRB != nil {
 		utils.Log.Info().Msg("Blacklist or Whitelist not present")
-		return nil, nil
+		return nil, errRB
 	}
 
 	return blacklistCM, nil
@@ -43,14 +43,13 @@ func CreateBlackWhitelistEvent(errEvent string, api v1.CoreV1Interface) error {
 	return nil
 }
 
-func MakeBlackWhitelist(blackWhiteCMData map[string]string) (*types.BlackWhitelist, error) {
-
-	blackWhiteList := types.BlackWhitelist{}
+func MakeBlackWhitelist(blackWhiteCMData map[string]string) types.BlackWhitelist {
 
-	if err := mapstructure.Decode(blackWhiteCMData, &blackWhiteList); err != nil {
-		return nil, errors.New("Cannot unmarshal json from black&white config map, you missing something, read the doc")
+	blackWhiteList := types.BlackWhitelist{
+		Blacklist: strings.Split(blackWhiteCMData["blacklist"], ","),
+		Whitelist: strings.Split(blackWhiteCMData["whitelist"], ","),
 	}
 
-	return &blackWhiteList, nil
+	return blackWhiteList
 
 }
diff --git a/internal/services/blackwhitelist_test.go b/internal/services/blackwhitelist_test.go
@@ -0,0 +1,236 @@
+package services_test
+
+import (
+	"encoding/json"
+	"testing"
+
+	"github.com/ca-gip/kubi/internal/services"
+	"github.com/ca-gip/kubi/internal/utils"
+	v12 "github.com/ca-gip/kubi/pkg/apis/ca-gip/v1"
+	"github.com/ca-gip/kubi/pkg/types"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestBlackWhiteList(t *testing.T) {
+
+	fakeProjectJson := []byte(`{
+		"apiVersion": "ca-gip.github.com/v1",
+		"kind": "Project",
+		"metadata": {
+			"labels": {
+				"creator": "kubi"
+			},
+			"name": "native-development",
+		},
+		"spec": {
+			"environment": "development",
+			"project": "native",
+			"sourceDN": "CN=DL_KUB_CAGIP-DEVOPS-HP_NATIVE-DEVELOPMENT_ADMIN,OU=DEVOPS-HORS-PROD,OU=CAGIP,OU=PAAS_CONTAINER,OU=Applications,OU=Groupes,O=CA",
+			"sourceEntity": "DL_KUB_CAGIP-DEVOPS-HP_NATIVE-DEVELOPMENT_ADMIN",
+			"stages": [
+				"scratch",
+				"staging",
+				"stable"
+			],
+			"tenant": "cagip"
+		}
+	}`)
+
+	fakeProject := &v12.Project{}
+
+	json.Unmarshal(fakeProjectJson, fakeProject)
+
+	t.Run("with_nil_object", func(t *testing.T) {
+
+		result := services.MakeBlackWhitelist(nil)
+		assert.Equal(t, []string([]string{""}), result.Blacklist)
+		assert.Equal(t, []string([]string{""}), result.Whitelist)
+	})
+
+	t.Run("with_empty_map", func(t *testing.T) {
+		blackWhitelistData := map[string]string{}
+
+		result := services.MakeBlackWhitelist(blackWhitelistData)
+		assert.Equal(t, []string([]string{""}), result.Blacklist)
+		assert.Equal(t, []string([]string{""}), result.Whitelist)
+	})
+
+	t.Run("with_non_sense_data", func(t *testing.T) {
+		blackWhitelistData := map[string]string{
+			"blacldzada":    "dzadzdaz",
+			"dzadz$Ùdzadza": "fefezfez, 6z556/*/R/ÉR*/",
+		}
+
+		result := services.MakeBlackWhitelist(blackWhitelistData)
+		assert.Equal(t, []string([]string{""}), result.Blacklist)
+		assert.Equal(t, []string([]string{""}), result.Whitelist)
+	})
+
+	t.Run("with_real_data", func(t *testing.T) {
+		blackWhitelistData := map[string]string{
+			"blacklist": "native-developpement, native-integration",
+			"whitelist": "",
+		}
+
+		result := services.MakeBlackWhitelist(blackWhitelistData)
+		assert.Equal(t, []string([]string{"native-developpement", " native-integration"}), result.Blacklist)
+		assert.Equal(t, []string([]string{""}), result.Whitelist)
+	})
+
+}
+
+func TestGenerateProjects(t *testing.T) {
+
+	fakeProject := []*types.Project{
+		{
+			Project:     "native",
+			Environment: "development",
+		},
+	}
+
+	//WHITELIST
+	t.Run("with_empty_whitelist", func(t *testing.T) {
+
+		blackWhitelistData := map[string]string{
+			"blacklist": "native-development,native-integration",
+			"whitelist": "",
+		}
+
+		blackWhitelist := services.MakeBlackWhitelist(blackWhitelistData)
+
+		utils.Config = &types.Config{Whitelist: true}
+		result := GenerateProjects(fakeProject, &blackWhitelist)
+		assert.Equal(t, []bool{false}, result)
+	})
+
+	t.Run("with_equal_whitelist", func(t *testing.T) {
+
+		blackWhitelistData := map[string]string{
+			"blacklist": "native-development,native-integration",
+			"whitelist": "native-development",
+		}
+
+		blackWhitelist := services.MakeBlackWhitelist(blackWhitelistData)
+
+		utils.Config = &types.Config{Whitelist: true}
+		result := GenerateProjects(fakeProject, &blackWhitelist)
+		assert.Equal(t, []bool{true}, result)
+	})
+
+	t.Run("with_not_equal_whitelist", func(t *testing.T) {
+
+		blackWhitelistData := map[string]string{
+			"blacklist": "native-development,native-integration",
+			"whitelist": "native-divelopment",
+		}
+
+		blackWhitelist := services.MakeBlackWhitelist(blackWhitelistData)
+
+		utils.Config = &types.Config{Whitelist: true}
+		result := GenerateProjects(fakeProject, &blackWhitelist)
+		assert.Equal(t, []bool{false}, result)
+	})
+
+	t.Run("with_faildata_whitelist", func(t *testing.T) {
+
+		blackWhitelistData := map[string]string{
+			"blaaeza": "rrzerzF",
+		}
+
+		blackWhitelist := services.MakeBlackWhitelist(blackWhitelistData)
+
+		utils.Config = &types.Config{Whitelist: true}
+		result := GenerateProjects(fakeProject, &blackWhitelist)
+		assert.Equal(t, []bool{false}, result)
+	})
+
+	//BLACKLIST
+	t.Run("with_empty_blacklist", func(t *testing.T) {
+
+		blackWhitelistData := map[string]string{
+			"blacklist": "",
+			"whitelist": "native-development",
+		}
+
+		blackWhitelist := services.MakeBlackWhitelist(blackWhitelistData)
+
+		utils.Config = &types.Config{Whitelist: false}
+		result := GenerateProjects(fakeProject, &blackWhitelist)
+		assert.Equal(t, []bool{false}, result)
+	})
+
+	t.Run("with_equal_blacklist", func(t *testing.T) {
+
+		blackWhitelistData := map[string]string{
+			"blacklist": "native-development,native-integration",
+			"whitelist": "native-development",
+		}
+
+		blackWhitelist := services.MakeBlackWhitelist(blackWhitelistData)
+
+		utils.Config = &types.Config{Whitelist: false}
+		result := GenerateProjects(fakeProject, &blackWhitelist)
+		assert.Equal(t, []bool{true}, result)
+	})
+
+	t.Run("with_not_equal_blacklist", func(t *testing.T) {
+
+		blackWhitelistData := map[string]string{
+			"blacklist": "native-devilopment,native-integration",
+			"whitelist": "native-divelopment",
+		}
+
+		blackWhitelist := services.MakeBlackWhitelist(blackWhitelistData)
+
+		utils.Config = &types.Config{Whitelist: false}
+		result := GenerateProjects(fakeProject, &blackWhitelist)
+		assert.Equal(t, []bool{false}, result)
+	})
+
+	t.Run("with_faildata_blacklist", func(t *testing.T) {
+
+		blackWhitelistData := map[string]string{
+			"blaaeza": "rrzerzF",
+		}
+
+		blackWhitelist := services.MakeBlackWhitelist(blackWhitelistData)
+
+		utils.Config = &types.Config{Whitelist: false}
+		result := GenerateProjects(fakeProject, &blackWhitelist)
+		assert.Equal(t, []bool{false}, result)
+	})
+
+}
+
+// Mock of GenerateProjects func from provisionner. TODO : refacto to be testable
+func GenerateProjects(context []*types.Project, blackWhiteList *types.BlackWhitelist) []bool {
+
+	var boolList []bool
+
+	for _, auth := range context {
+
+		// if whitelist boolean set we search namespace in configmap whitelist
+		if utils.Config.Whitelist { // if configmap with whitelist exist and not empty
+			if blackWhiteList.Whitelist[0] != "" && utils.Include(blackWhiteList.Whitelist, auth.Namespace()) {
+				utils.Log.Info().Msgf("Project %s is whitelisted", auth.Namespace())
+				boolList = append(boolList, true)
+			} else {
+				utils.Log.Error().Msgf("Cannot find project %s in whitelist", auth.Namespace())
+				boolList = append(boolList, false)
+			}
+		} else if blackWhiteList.Blacklist[0] != "" { // if configmap with blacklist exist and not empty
+			if utils.Include(blackWhiteList.Blacklist, auth.Namespace()) {
+				utils.Log.Info().Msgf("delete project %s in blacklist", auth.Namespace())
+				boolList = append(boolList, true)
+			} else {
+				utils.Log.Info().Msgf("Cannot find project %s in blacklist", auth.Namespace())
+				boolList = append(boolList, false)
+			}
+		} else { // if configmap not exist and bool whitelist is false
+			boolList = append(boolList, false)
+		}
+
+	}
+
+	return boolList
+}
diff --git a/internal/services/provisionner.go b/internal/services/provisionner.go
@@ -4,14 +4,18 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"github.com/ca-gip/kubi/internal/authprovider"
+	"reflect"
+	"strings"
+	"time"
+
+	ldap "github.com/ca-gip/kubi/internal/authprovider"
 	"github.com/ca-gip/kubi/internal/utils"
 	v12 "github.com/ca-gip/kubi/pkg/apis/ca-gip/v1"
 	"github.com/ca-gip/kubi/pkg/generated/clientset/versioned"
 	"github.com/ca-gip/kubi/pkg/types"
 	corev1 "k8s.io/api/core/v1"
 	v1n "k8s.io/api/networking/v1"
-	"k8s.io/api/rbac/v1"
+	v1 "k8s.io/api/rbac/v1"
 	kerror "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
@@ -21,9 +25,6 @@ import (
 	v14 "k8s.io/client-go/kubernetes/typed/rbac/v1"
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/cache"
-	"reflect"
-	"strings"
-	"time"
 )
 
 // Handler to regenerate all resources created by kubi
@@ -36,6 +37,11 @@ func RefreshK8SResources() {
 
 // Generate Namespaces and Rolebinding from Ldap groups
 func GenerateResources() error {
+	kconfig, _ := rest.InClusterConfig()
+	clientSet, _ := kubernetes.NewForConfig(kconfig)
+	api := clientSet.CoreV1()
+	blackWhiteList := types.BlackWhitelist{}
+
 	groups, err := ldap.GetAllGroups()
 	if err != nil {
 		utils.Log.Error().Msg(err.Error())
@@ -45,46 +51,44 @@ func GenerateResources() error {
 		return errors.New("LDAP, no ldap groups found!")
 	}
 	auths := GetUserNamespaces(groups)
-	GenerateProjects(auths)
+
+	blacklistCM, errRB := GetBlackWhitelistCM(api)
+	if errRB != nil {
+		utils.Log.Info().Msg("Can't get Black&Whitelist")
+	} else {
+		blackWhiteList = MakeBlackWhitelist(blacklistCM.Data)
+	}
+
+	GenerateProjects(auths, &blackWhiteList)
 	return nil
 }
 
 // A loop wrapper for generateProject
 // splitted for unit test !
-func GenerateProjects(context []*types.Project) {
-	kconfig, _ := rest.InClusterConfig()
-	clientSet, _ := kubernetes.NewForConfig(kconfig)
-	api := clientSet.CoreV1()
+func GenerateProjects(context []*types.Project, blackWhiteList *types.BlackWhitelist) {
 
-	blacklistCM, errRB := GetBlackWhitelistCM(api)
-	if errRB != nil {
-		utils.Log.Error().Msg("Can't get Blacklist")
-	}
+	for _, auth := range context {
 
-	blackWhiteList, errBWL := MakeBlackWhitelist(blacklistCM.Data)
-	if errBWL != nil {
-		utils.Log.Error().Msg(errBWL.Error())
-		CreateBlackWhitelistEvent(errBWL.Error(), api)
-	} else {
-		for _, auth := range context {
-
-			// if whitelist boolean set we search namespace in configmap whitelist
-			if utils.Config.Whitelist {
-				if blackWhiteList != nil && utils.Include(blackWhiteList.Whitelist, auth.Namespace()) {
-					generateProject(auth)
-				}
-			} else if blackWhiteList != nil { // if configmap with blacklist exist
-				if utils.Include(blackWhiteList.Blacklist, auth.Namespace()) {
-					utils.Log.Info().Msgf("Project %s is blacklisted", auth.Namespace())
-					deleteProject(auth)
-				}
-			} else { // if configmap not exist and bool whitelist is false
+		// if whitelist boolean set we search namespace in configmap whitelist
+		if utils.Config.Whitelist { // if configmap with whitelist exist and not empty
+			if blackWhiteList.Whitelist[0] != "" && utils.Include(blackWhiteList.Whitelist, auth.Namespace()) {
+				utils.Log.Info().Msgf("Project %s is whitelisted", auth.Namespace())
 				generateProject(auth)
+			} else {
+				utils.Log.Error().Msgf("Cannot find project %s in whitelist", auth.Namespace())
 			}
-
+		} else if blackWhiteList.Blacklist[0] != "" { // if configmap with blacklist exist and not empty
+			if utils.Include(blackWhiteList.Blacklist, auth.Namespace()) {
+				utils.Log.Info().Msgf("delete project %s in blacklist", auth.Namespace())
+				deleteProject(auth)
+			} else {
+				utils.Log.Info().Msgf("Cannot find project %s in blacklist", auth.Namespace())
+			}
+		} else { // if configmap not exist and bool whitelist is false
+			generateProject(auth)
 		}
-	}
 
+	}
 }
 
 // generate a project config or update it if exists