Fix ldap SA when email has _ (#87)

vigohe · web-flow · commit de34b5ebfda6 · 2021-09-15T16:16:43.000+02:00
* Fix ldap Service Account when email has `_`
* bump up helm chart
* Add Test for emails with special characters
Signed-off-by: Victor  Godoy Hernández &lt;vigohe@gmail.com&gt;
diff --git a/charts/jwt-to-rbac/Chart.yaml b/charts/jwt-to-rbac/Chart.yaml
@@ -1,8 +1,8 @@
 apiVersion: v2
-appVersion: 0.6.3
+appVersion: 0.6.4
 description: A Helm chart for Kubernetes
 name: jwt-to-rbac
-version: 0.6.3
+version: 0.6.4
 home: https://github.com/banzaicloud/jwt-to-rbac
 maintainers:
 - name: BanzaiCloud
diff --git a/pkg/rbachandler/rbac_handler.go b/pkg/rbachandler/rbac_handler.go
@@ -422,7 +422,7 @@ func generateRbacResources(user *tokenhandler.User, config *Config, nameSpaces [
 		saName = user.FederatedClaims.UserID
 		groupList = githubRoleParser(user.Groups, config.GithubOrg)
 	case "ldap", "local":
-		r := strings.NewReplacer("@", "-", ".", "-")
+		r := strings.NewReplacer("@", "-", ".", "-", "_", "-")
 		saName = r.Replace(user.Email)
 		groupList = user.Groups
 	default:
diff --git a/pkg/rbachandler/rbac_handler_test.go b/pkg/rbachandler/rbac_handler_test.go
@@ -187,6 +187,50 @@ func TestGenerateRbacResourcesWithNameSpaces(t *testing.T) {
 
 }
 
+func TestGenerateRbacResourcesWithEmailWithSpecialCharacters(t *testing.T) {
+	logger := createLogger()
+	assert := assert.New(t)
+	groups := []string{"admins", "developers"}
+	federatedClaims := tokenhandler.FederatedClaims{
+		ConnectorID: "ldap",
+		UserID:      "cn=jane,ou=People,dc=example,dc=org",
+	}
+	user := &tokenhandler.User{
+		Email:           "jane.doe_foo@example.com",
+		Groups:          groups,
+		FederatedClaims: federatedClaims,
+	}
+	testRbacResources, err := generateRbacResources(user, createFakeConfig("developers"), []string{"default"}, logger)
+	assert.NoError(err)
+	roleSuccess := assert.Equal(len(testRbacResources.clusterRoles), 1)
+	assert.Equal(len(testRbacResources.clusterRoleBindings), 2)
+	assert.Equal(testRbacResources.serviceAccount.Name, "jane-doe-foo-example-com")
+	if roleSuccess {
+		assert.Equal(testRbacResources.clusterRoles[0].name, "developers-from-jwt")
+	}
+	var bindNames, roleNames []string
+	for _, crBind := range testRbacResources.clusterRoleBindings {
+		bindNames = append(bindNames, crBind.name)
+		roleNames = append(roleNames, crBind.roleName)
+	}
+	assert.ElementsMatch(bindNames, []string{"jane-doe-foo-example-com-admin-binding", "jane-doe-foo-example-com-developers-from-jwt-binding"})
+	assert.ElementsMatch(roleNames, []string{"admin", "developers-from-jwt"})
+
+	testRbacResources, err = generateRbacResources(user, createFakeConfig("fakegroup"), []string{"default"}, logger)
+	assert.NoError(err)
+	assert.Equal(len(testRbacResources.clusterRoles), 0)
+	assert.Equal(len(testRbacResources.clusterRoleBindings), 1)
+	assert.Equal(testRbacResources.serviceAccount.Name, "jane-doe-foo-example-com")
+	bindNames = nil
+	roleNames = nil
+	for _, crBind := range testRbacResources.clusterRoleBindings {
+		bindNames = append(bindNames, crBind.name)
+		roleNames = append(roleNames, crBind.roleName)
+	}
+	assert.ElementsMatch(bindNames, []string{"jane-doe-foo-example-com-admin-binding"})
+	assert.ElementsMatch(roleNames, []string{"admin"})
+}
+
 func TestGenerateClusterRole(t *testing.T) {
 	assert := assert.New(t)
 	cRole, err := generateClusterRole("developers", createFakeConfig("developers"))
