04-remove-synthetic-permissions

Author: joelanford

cmd/operator-controller/main.go

@@ -695,9 +695,6 @@ func (c *helmReconcilerConfigurator) Configure(ceReconciler *controllers.Cluster
 	}
 	tokenGetter := authentication.NewTokenGetter(coreClient, authentication.WithExpirationDuration(1*time.Hour))
 	clientRestConfigMapper := action.ServiceAccountRestConfigMapper(tokenGetter)
-	if features.OperatorControllerFeatureGate.Enabled(features.SyntheticPermissions) {
-		clientRestConfigMapper = action.SyntheticUserRestConfigMapper(clientRestConfigMapper)
-	}
 
 	cfgGetter, err := helmclient.NewActionConfigGetter(c.mgr.GetConfig(), c.mgr.GetRESTMapper(),
 		helmclient.StorageDriverMapper(action.ChunkedStorageDriverMapper(coreClient, c.mgr.GetAPIReader(), cfg.systemNamespace)),

docs/draft/howto/use-synthetic-permissions.md

@@ -7,35 +7,12 @@ import (
 
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/rest"
-	"k8s.io/client-go/transport"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	ocv1 "github.com/operator-framework/operator-controller/api/v1"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/authentication"
 )
 
-const syntheticServiceAccountName = "olm.synthetic-user"
-
-// SyntheticUserRestConfigMapper returns an AuthConfigMapper that that impersonates synthetic users and groups for Object o.
-// o is expected to be a ClusterExtension. If the service account defined in o is different from 'olm.synthetic-user', the
-// defaultAuthMapper will be used
-func SyntheticUserRestConfigMapper(defaultAuthMapper func(ctx context.Context, o client.Object, c *rest.Config) (*rest.Config, error)) func(ctx context.Context, o client.Object, c *rest.Config) (*rest.Config, error) {
-	return func(ctx context.Context, o client.Object, c *rest.Config) (*rest.Config, error) {
-		cExt, err := validate(o, c)
-		if err != nil {
-			return nil, err
-		}
-		if cExt.Spec.ServiceAccount.Name != syntheticServiceAccountName {
-			return defaultAuthMapper(ctx, cExt, c)
-		}
-		cc := rest.CopyConfig(c)
-		cc.Wrap(func(rt http.RoundTripper) http.RoundTripper {
-			return transport.NewImpersonatingRoundTripper(authentication.SyntheticImpersonationConfig(*cExt), rt)
-		})
-		return cc, nil
-	}
-}
-
 // ServiceAccountRestConfigMapper returns an AuthConfigMapper scoped to the service account defined in o, which is expected to
 // be a ClusterExtension
 func ServiceAccountRestConfigMapper(tokenGetter *authentication.TokenGetter) func(ctx context.Context, o client.Object, c *rest.Config) (*rest.Config, error) {

hack/demo/resources/synthetic-user-perms/argocd-clusterextension.yaml

@@ -3,7 +3,6 @@ package action_test
 import (
 	"context"
 	"errors"
-	"net/http"
 	"testing"
 
 	"github.com/stretchr/testify/require"
@@ -74,104 +73,3 @@ func Test_ServiceAccountRestConfigMapper(t *testing.T) {
 		})
 	}
 }
-
-func Test_SyntheticUserRestConfigMapper_Fails(t *testing.T) {
-	for _, tc := range []struct {
-		description   string
-		obj           client.Object
-		cfg           *rest.Config
-		expectedError error
-	}{
-		{
-			description:   "return error if object is nil",
-			cfg:           &rest.Config{},
-			expectedError: errors.New("object is nil"),
-		}, {
-			description:   "return error if cfg is nil",
-			obj:           &ocv1.ClusterExtension{},
-			expectedError: errors.New("rest config is nil"),
-		}, {
-			description:   "return error if object is not a ClusterExtension",
-			obj:           &corev1.Secret{},
-			cfg:           &rest.Config{},
-			expectedError: errors.New("object is not a ClusterExtension"),
-		},
-	} {
-		t.Run(tc.description, func(t *testing.T) {
-			tokenGetter := &authentication.TokenGetter{}
-			saMapper := action.ServiceAccountRestConfigMapper(tokenGetter)
-			actualCfg, err := saMapper(context.Background(), tc.obj, tc.cfg)
-			if tc.expectedError != nil {
-				require.Nil(t, actualCfg)
-				require.EqualError(t, err, tc.expectedError.Error())
-			} else {
-				require.NoError(t, err)
-				transport, err := rest.TransportFor(actualCfg)
-				require.NoError(t, err)
-				require.NotNil(t, transport)
-				tokenInjectionRoundTripper, ok := transport.(*authentication.TokenInjectingRoundTripper)
-				require.True(t, ok)
-				require.Equal(t, tokenGetter, tokenInjectionRoundTripper.TokenGetter)
-				require.Equal(t, types.NamespacedName{Name: "my-service-account", Namespace: "my-namespace"}, tokenInjectionRoundTripper.Key)
-			}
-		})
-	}
-}
-func Test_SyntheticUserRestConfigMapper_UsesDefaultConfigMapper(t *testing.T) {
-	isDefaultRequestMapperUsed := false
-	defaultServiceMapper := func(ctx context.Context, o client.Object, c *rest.Config) (*rest.Config, error) {
-		isDefaultRequestMapperUsed = true
-		return c, nil
-	}
-	syntheticAuthServiceMapper := action.SyntheticUserRestConfigMapper(defaultServiceMapper)
-	obj := &ocv1.ClusterExtension{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: "my-clusterextension",
-		},
-		Spec: ocv1.ClusterExtensionSpec{
-			ServiceAccount: ocv1.ServiceAccountReference{
-				Name: "my-service-account",
-			},
-			Namespace: "my-namespace",
-		},
-	}
-	actualCfg, err := syntheticAuthServiceMapper(context.Background(), obj, &rest.Config{})
-	require.NoError(t, err)
-	require.NotNil(t, actualCfg)
-	require.True(t, isDefaultRequestMapperUsed)
-}
-
-func Test_SyntheticUserRestConfigMapper_UsesSyntheticAuthMapper(t *testing.T) {
-	syntheticAuthServiceMapper := action.SyntheticUserRestConfigMapper(func(ctx context.Context, o client.Object, c *rest.Config) (*rest.Config, error) {
-		return c, nil
-	})
-	obj := &ocv1.ClusterExtension{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: "my-clusterextension",
-		},
-		Spec: ocv1.ClusterExtensionSpec{
-			ServiceAccount: ocv1.ServiceAccountReference{
-				Name: "olm.synthetic-user",
-			},
-			Namespace: "my-namespace",
-		},
-	}
-	actualCfg, err := syntheticAuthServiceMapper(context.Background(), obj, &rest.Config{})
-	require.NoError(t, err)
-	require.NotNil(t, actualCfg)
-
-	// test that the impersonation headers are appropriately injected into the request
-	// by wrapping a fake round tripper around the returned configurations transport
-	// nolint:bodyclose
-	_, _ = actualCfg.WrapTransport(fakeRoundTripper(func(req *http.Request) (*http.Response, error) {
-		require.Equal(t, "olm:clusterextension:my-clusterextension", req.Header.Get("Impersonate-User"))
-		require.Equal(t, "olm:clusterextensions", req.Header.Get("Impersonate-Group"))
-		return &http.Response{}, nil
-	})).RoundTrip(&http.Request{})
-}
-
-type fakeRoundTripper func(req *http.Request) (*http.Response, error)
-
-func (f fakeRoundTripper) RoundTrip(request *http.Request) (*http.Response, error) {
-	return f(request)
-}