diff --git a/config/samples/iam_v1alpha2_user.yaml b/config/samples/iam_v1alpha2_user.yaml
index e8661efb2072e66684e3f6d81cbab0d536a269c9..88b72cb5528f9b29d7e4287287875ff85749f802 100644
--- a/config/samples/iam_v1alpha2_user.yaml
+++ b/config/samples/iam_v1alpha2_user.yaml
@@ -6,4 +6,4 @@ metadata:
 name: admin
 spec:
 email: admin@kubesphere.io
- password: $2a$04$wr/XmTQ99uQpgi335xPyoOM08h34ZQk265pdqHMv5Yw6Xo2vfiO/6
+ password: P@88w0rd
diff --git a/config/webhook/iam.yaml b/config/webhook/iam.yaml
index 5f2cf652269e5ad11f8b3ac07d95e7855c0c0893..a4418b750c0f44402e7b0d15d2a2ca5029b12aeb 100644
--- a/config/webhook/iam.yaml
+++ b/config/webhook/iam.yaml
@@ -1,5 +1,3 @@
-
----
 apiVersion: admissionregistration.k8s.io/v1beta1
 kind: MutatingWebhookConfiguration
 metadata:
@@ -53,3 +51,19 @@ webhooks:
 - UPDATE
 resources:
 - users
+
+
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+ name: webhook-service
+ namespace: kubesphere-system
+spec:
+ ports:
+ - port: 443
+ targetPort: 443
+ selector:
+ app: ks-controller-manager
+ tier: backend
\ No newline at end of file
diff --git a/pkg/apis/iam/v1alpha2/register.go b/pkg/apis/iam/v1alpha2/register.go
index a2abceb52a48c615f41ca21de95cbb1d3a45184a..69c539720ed20b3a04d7c96f7e9f1981bc93865d 100644
--- a/pkg/apis/iam/v1alpha2/register.go
+++ b/pkg/apis/iam/v1alpha2/register.go
@@ -50,6 +50,7 @@ func Resource(resource string) schema.GroupResource {
 func addKnownTypes(scheme *runtime.Scheme) error {
 scheme.AddKnownTypes(SchemeGroupVersion,
 &User{},
+ &UserList{},
 &Role{},
 &RoleList{},
 &RoleBinding{},
diff --git a/pkg/controller/user/user_webhook.go b/pkg/controller/user/user_webhook.go
index dc8631d9f55363ae17fffad916e7bf408ce48f97..65c90dba88297c6ecd8fb94d8f617fed6a63ce43 100644
--- a/pkg/controller/user/user_webhook.go
+++ b/pkg/controller/user/user_webhook.go
@@ -21,7 +21,6 @@ package user
 import (
 "context"
 "encoding/json"
- "fmt"
 "golang.org/x/crypto/bcrypt"
 "kubesphere.io/kubesphere/pkg/apis/iam/v1alpha2"
 "net/http"
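Review bot: The sample now stores the admin credential as cleartext `password: P@88w0rd` in place of the bcrypt hash, and nothing in the file says the value is only expected to be hashed by the PasswordCipher mutating webhook on admission. If the sample is applied while that webhook is not registered or its Service is unreachable, the cleartext password is persisted in etcd and readable by anyone who can `get` users, and it is a well-known default that will be the first guess against a fresh install. I would add a comment above the field, `# cleartext only in this sample: the ks-controller-manager mutating webhook replaces it with a bcrypt hash on admission; change it before applying to a real cluster`, and confirm the users webhook is configured to reject the object rather than admit it when the hook is unavailable.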
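Review bot: The added Service routes port 443 to pods labelled `app: ks-controller-manager` / `tier: backend`, but the hunk shows neither the TLS side nor the failure mode: the API server calls webhooks over HTTPS only, so the MutatingWebhookConfiguration's `clientConfig.caBundle` must match the certificate the controller serves, and if the selector does not match the deployment's labels every User create/update will either fail or be silently skipped depending on `failurePolicy` (not visible here). Because this webhook is what turns a cleartext `spec.password` into a hash, the users webhook should carry `failurePolicy: Fail` rather than `Ignore`, so an outage cannot let an unhashed password through. The file also ends with `\ No newline at end of file`; add the trailing newline.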
@@ -51,28 +50,26 @@ func (a *EmailValidator) Handle(ctx context.Context, req admission.Request) admi
 return admission.Errored(http.StatusBadRequest, err)
 }
- email := user.Spec.Email
-
 allUsers := v1alpha2.UserList{}
- err = a.Client.List(ctx, &v1alpha2.UserList{}, &client.ListOptions{})
+ err = a.Client.List(ctx, &allUsers, &client.ListOptions{})
 if err != nil {
 return admission.Errored(http.StatusInternalServerError, err)
 }
- found := emailAlreadyExist(allUsers, email)
+ alreadyExist := emailAlreadyExist(allUsers, user)
- if !found {
- return admission.Denied(fmt.Sprintf("email %s must be unique", email))
+ if alreadyExist {
+ return admission.Denied("user email already exists")
 }
 return admission.Allowed("")
 }
-func emailAlreadyExist(users v1alpha2.UserList, email string) bool {
- for _, user := range users.Items {
- if user.Spec.Email == email {
+func emailAlreadyExist(users v1alpha2.UserList, user *v1alpha2.User) bool {
+ for _, exist := range users.Items {
+ if exist.Spec.Email == user.Spec.Email && exist.Name != user.Name {
 return true
 }
 }
@@ -109,3 +106,15 @@ func hashPassword(password string) (string, error) {
 bytes, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.MinCost)
 return string(bytes), err
 }
+
+// InjectDecoder injects the decoder.
+func (a *PasswordCipher) InjectDecoder(d *admission.Decoder) error {
+ a.decoder = d
+ return nil
+}
+
+// InjectDecoder injects the decoder.
+func (a *EmailValidator) InjectDecoder(d *admission.Decoder) error {
+ a.decoder = d
+ return nil
+}
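Review bot: The uniqueness check in Handle is check-then-act: two concurrent CREATEs carrying the same email both run `a.Client.List` before either object is persisted, so both are admitted and the duplicate lands anyway. A webhook cannot close that window, so treat this as a first line of defence and make whatever consumes the email (the login lookup, presumably) refuse an ambiguous match as well; I cannot see whether that exists. Separately, `exist.Spec.Email == user.Spec.Email` is case-sensitive, so `Admin@kubesphere.io` and `admin@kubesphere.io` are accepted as two accounts; unless the address is normalised before it reaches here, compare with `strings.EqualFold(exist.Spec.Email, user.Spec.Email) && exist.Name != user.Name` (needs `strings` imported). Listing every User with an empty `client.ListOptions{}` on each create and update also scales with the user count; a field index on spec.email queried via `client.MatchingFields` would keep it a single lookup. Handle's opening lines, including the decode of `user`, are outside the hunk.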
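Review bot: Wiring InjectDecoder into PasswordCipher makes the hashing path live, and the hashPassword body shown in this hunk's context hashes with `bcrypt.MinCost` (cost 4), which is far below what a stored credential needs and is quickly exhausted by an offline cracker; use at least the library default: `bytes, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)`. hashPassword's signature appears only in the hunk header, so its start is outside the hunk and I am inferring nothing else about it. The two `// InjectDecoder injects the decoder.` comments restate the name; I would say who calls it instead, e.g. `// InjectDecoder is called once by the admission server at registration so Handle can decode req.Object.`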