fix iam admission webhook (#2008)

Signed-off-by: Nhongming <talonwan@yunify.com>

config/samples/iam_v1alpha2_user.yaml

@@ -6,4 +6,4 @@ metadata:
   name: admin
 spec:
   email: admin@kubesphere.io
-  password: $2a$04$wr/XmTQ99uQpgi335xPyoOM08h34ZQk265pdqHMv5Yw6Xo2vfiO/6
+  password: P@88w0rd

config/webhook/iam.yaml

-
----
 apiVersion: admissionregistration.k8s.io/v1beta1
 kind: MutatingWebhookConfiguration
 metadata:
@@ -53,3 +51,19 @@ webhooks:
           - UPDATE
         resources:
           - users
+
+
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: webhook-service
+  namespace: kubesphere-system
+spec:
+  ports:
+    - port: 443
+      targetPort: 443
+  selector:
+    app: ks-controller-manager
+    tier: backend
\ No newline at end of file

pkg/apis/iam/v1alpha2/register.go

@@ -50,6 +50,7 @@ func Resource(resource string) schema.GroupResource {
 func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
 		&User{},
+		&UserList{},
 		&Role{},
 		&RoleList{},
 		&RoleBinding{},

pkg/controller/user/user_webhook.go

@@ -21,7 +21,6 @@ package user
 import (
 	"context"
 	"encoding/json"
-	"fmt"
 	"golang.org/x/crypto/bcrypt"
 	"kubesphere.io/kubesphere/pkg/apis/iam/v1alpha2"
 	"net/http"
@@ -51,28 +50,26 @@ func (a *EmailValidator) Handle(ctx context.Context, req admission.Request) admi
 		return admission.Errored(http.StatusBadRequest, err)
 	}
 
-	email := user.Spec.Email
-
 	allUsers := v1alpha2.UserList{}
 
-	err = a.Client.List(ctx, &v1alpha2.UserList{}, &client.ListOptions{})
+	err = a.Client.List(ctx, &allUsers, &client.ListOptions{})
 
 	if err != nil {
 		return admission.Errored(http.StatusInternalServerError, err)
 	}
 
-	found := emailAlreadyExist(allUsers, email)
+	alreadyExist := emailAlreadyExist(allUsers, user)
 
-	if !found {
-		return admission.Denied(fmt.Sprintf("email %s must be unique", email))
+	if alreadyExist {
+		return admission.Denied("user email already exists")
 	}
 
 	return admission.Allowed("")
 }
 
-func emailAlreadyExist(users v1alpha2.UserList, email string) bool {
-	for _, user := range users.Items {
-		if user.Spec.Email == email {
+func emailAlreadyExist(users v1alpha2.UserList, user *v1alpha2.User) bool {
+	for _, exist := range users.Items {
+		if exist.Spec.Email == user.Spec.Email && exist.Name != user.Name {
 			return true
 		}
 	}
@@ -109,3 +106,15 @@ func hashPassword(password string) (string, error) {
 	bytes, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.MinCost)
 	return string(bytes), err
 }
+
+// InjectDecoder injects the decoder.
+func (a *PasswordCipher) InjectDecoder(d *admission.Decoder) error {
+	a.decoder = d
+	return nil
+}
+
+// InjectDecoder injects the decoder.
+func (a *EmailValidator) InjectDecoder(d *admission.Decoder) error {
+	a.decoder = d
+	return nil
+}