Browse code
Reap OAuthClientAuthorizations
Jordan Liggitt authored on 2016/11/17 00:59:55Showing 3 changed files
| ... | ... |
@@ -371,6 +371,7 @@ func NewFactory(clientConfig kclientcmd.ClientConfig) *Factory {
|
| 371 | 371 |
client.GroupsInterface(oc), |
| 372 | 372 |
client.ClusterRoleBindingsInterface(oc), |
| 373 | 373 |
client.RoleBindingsNamespacer(oc), |
| 374 |
+ client.OAuthClientAuthorizationsInterface(oc), |
|
| 374 | 375 |
kclient.SecurityContextConstraintsInterface(kc), |
| 375 | 376 |
), nil |
| 376 | 377 |
case userapi.Kind("Group"):
|
| ... | ... |
@@ -17,6 +17,7 @@ func NewUserReaper( |
| 17 | 17 |
groupClient client.GroupsInterface, |
| 18 | 18 |
clusterBindingClient client.ClusterRoleBindingsInterface, |
| 19 | 19 |
bindingClient client.RoleBindingsNamespacer, |
| 20 |
+ authorizationsClient client.OAuthClientAuthorizationsInterface, |
|
| 20 | 21 |
sccClient kclient.SecurityContextConstraintsInterface, |
| 21 | 22 |
) kubectl.Reaper {
|
| 22 | 23 |
return &UserReaper{
|
| ... | ... |
@@ -24,6 +25,7 @@ func NewUserReaper( |
| 24 | 24 |
groupClient: groupClient, |
| 25 | 25 |
clusterBindingClient: clusterBindingClient, |
| 26 | 26 |
bindingClient: bindingClient, |
| 27 |
+ authorizationsClient: authorizationsClient, |
|
| 27 | 28 |
sccClient: sccClient, |
| 28 | 29 |
} |
| 29 | 30 |
} |
| ... | ... |
@@ -33,6 +35,7 @@ type UserReaper struct {
|
| 33 | 33 |
groupClient client.GroupsInterface |
| 34 | 34 |
clusterBindingClient client.ClusterRoleBindingsInterface |
| 35 | 35 |
bindingClient client.RoleBindingsNamespacer |
| 36 |
+ authorizationsClient client.OAuthClientAuthorizationsInterface |
|
| 36 | 37 |
sccClient kclient.SecurityContextConstraintsInterface |
| 37 | 38 |
} |
| 38 | 39 |
|
| ... | ... |
@@ -91,6 +94,21 @@ func (r *UserReaper) Stop(namespace, name string, timeout time.Duration, gracePe |
| 91 | 91 |
} |
| 92 | 92 |
} |
| 93 | 93 |
|
| 94 |
+ // Remove the user's OAuthClientAuthorizations |
|
| 95 |
+ // Once https://github.com/kubernetes/kubernetes/pull/28112 is fixed, use a field selector |
|
| 96 |
+ // to filter on the userName, rather than fetching all authorizations and filtering client-side |
|
| 97 |
+ authorizations, err := r.authorizationsClient.OAuthClientAuthorizations().List(kapi.ListOptions{})
|
|
| 98 |
+ if err != nil {
|
|
| 99 |
+ return err |
|
| 100 |
+ } |
|
| 101 |
+ for _, authorization := range authorizations.Items {
|
|
| 102 |
+ if authorization.UserName == name {
|
|
| 103 |
+ if err := r.authorizationsClient.OAuthClientAuthorizations().Delete(authorization.Name); err != nil && !kerrors.IsNotFound(err) {
|
|
| 104 |
+ return err |
|
| 105 |
+ } |
|
| 106 |
+ } |
|
| 107 |
+ } |
|
| 108 |
+ |
|
| 94 | 109 |
// Intentionally leave identities that reference the user |
| 95 | 110 |
// The user does not "own" the identities |
| 96 | 111 |
// If the admin wants to remove the identities, that is a distinct operation |
| ... | ... |
@@ -12,6 +12,7 @@ import ( |
| 12 | 12 |
|
| 13 | 13 |
authorizationapi "github.com/openshift/origin/pkg/authorization/api" |
| 14 | 14 |
"github.com/openshift/origin/pkg/client/testclient" |
| 15 |
+ oauthapi "github.com/openshift/origin/pkg/oauth/api" |
|
| 15 | 16 |
authenticationapi "github.com/openshift/origin/pkg/user/api" |
| 16 | 17 |
) |
| 17 | 18 |
|
| ... | ... |
@@ -173,6 +174,32 @@ func TestUserReaper(t *testing.T) {
|
| 173 | 173 |
ktestclient.DeleteActionImpl{ActionImpl: ktestclient.ActionImpl{Verb: "delete", Resource: "users"}, Name: "bob"},
|
| 174 | 174 |
}, |
| 175 | 175 |
}, |
| 176 |
+ {
|
|
| 177 |
+ name: "oauth client authorizations", |
|
| 178 |
+ user: "bob", |
|
| 179 |
+ objects: []runtime.Object{
|
|
| 180 |
+ &oauthapi.OAuthClientAuthorization{
|
|
| 181 |
+ ObjectMeta: kapi.ObjectMeta{Name: "other-user"},
|
|
| 182 |
+ UserName: "alice", |
|
| 183 |
+ UserUID: "123", |
|
| 184 |
+ }, |
|
| 185 |
+ &oauthapi.OAuthClientAuthorization{
|
|
| 186 |
+ ObjectMeta: kapi.ObjectMeta{Name: "bob-authorization-1"},
|
|
| 187 |
+ UserName: "bob", |
|
| 188 |
+ UserUID: "234", |
|
| 189 |
+ }, |
|
| 190 |
+ &oauthapi.OAuthClientAuthorization{
|
|
| 191 |
+ ObjectMeta: kapi.ObjectMeta{Name: "bob-authorization-2"},
|
|
| 192 |
+ UserName: "bob", |
|
| 193 |
+ UserUID: "345", |
|
| 194 |
+ }, |
|
| 195 |
+ }, |
|
| 196 |
+ expected: []interface{}{
|
|
| 197 |
+ ktestclient.DeleteActionImpl{ActionImpl: ktestclient.ActionImpl{Verb: "delete", Resource: "oauthclientauthorizations"}, Name: "bob-authorization-1"},
|
|
| 198 |
+ ktestclient.DeleteActionImpl{ActionImpl: ktestclient.ActionImpl{Verb: "delete", Resource: "oauthclientauthorizations"}, Name: "bob-authorization-2"},
|
|
| 199 |
+ ktestclient.DeleteActionImpl{ActionImpl: ktestclient.ActionImpl{Verb: "delete", Resource: "users"}, Name: "bob"},
|
|
| 200 |
+ }, |
|
| 201 |
+ }, |
|
| 176 | 202 |
} |
| 177 | 203 |
|
| 178 | 204 |
for _, test := range tests {
|
| ... | ... |
@@ -190,7 +217,7 @@ func TestUserReaper(t *testing.T) {
|
| 190 | 190 |
ktc.PrependReactor("update", "*", reactor)
|
| 191 | 191 |
ktc.PrependReactor("delete", "*", reactor)
|
| 192 | 192 |
|
| 193 |
- reaper := NewUserReaper(tc, tc, tc, tc, ktc) |
|
| 193 |
+ reaper := NewUserReaper(tc, tc, tc, tc, tc, ktc) |
|
| 194 | 194 |
err := reaper.Stop("", test.user, 0, nil)
|
| 195 | 195 |
if err != nil {
|
| 196 | 196 |
t.Errorf("%s: unexpected error: %v", test.name, err)
|