Use pointer for AutzPolicy field

claudiolor · claudiolor · commit 81e0bc7d4d69 · 2024-10-15T15:42:14.000+02:00
diff --git a/apis/authentication/v1beta1/tenant_types.go b/apis/authentication/v1beta1/tenant_types.go
@@ -25,11 +25,13 @@ import (
 type AuthzPolicy string
 
 const (
-	// KeyExchange indicates that a key exchange must be performed before accepting any ResourceSlice.
-	KeyExchange AuthzPolicy = "KeyExchange"
+	// KeysExchange indicates that a keys exchange must be performed before accepting any ResourceSlice.
+	KeysExchange AuthzPolicy = "KeysExchange"
 	// TolerateNoHandshake indicates that the local cluster accepts ResourceSlices even when there
 	// never have been a key exchange with the peer cluster.
 	TolerateNoHandshake AuthzPolicy = "TolerateNoHandshake"
+	// DefaultAuthzPolicy is the default authorization policy if nothing is provided.
+	DefaultAuthzPolicy AuthzPolicy = KeysExchange
 )
 
 // TenantResource is the name of the tenant resources.
@@ -44,15 +46,23 @@ var TenantGroupResource = schema.GroupResource{Group: GroupVersion.Group, Resour
 // TenantGroupVersionResource is groupResourceVersion used to register these objects.
 var TenantGroupVersionResource = GroupVersion.WithResource(TenantResource)
 
+// GetAuthzPolicyValue returns the value of the pointer to an AuthzPolicy type, if the pointer is nil it returns the default value.
+func GetAuthzPolicyValue(policy *AuthzPolicy) AuthzPolicy {
+	if policy == nil {
+		return DefaultAuthzPolicy
+	}
+	return *policy
+}
+
 // TenantSpec defines the desired state of Tenant.
 type TenantSpec struct {
 	// ClusterID is the id of the consumer cluster.
 	ClusterID liqov1beta1.ClusterID `json:"clusterID,omitempty"`
 	// AuthzPolicy is the policy used by the cluster to authorize or reject an incoming ResourceSlice.
-	// Default is KeyExchange.
-	// +kubebuilder:validation:Enum=KeyExchange;TolerateNoHandshake
-	// +kubebuilder:default=KeyExchange
-	AuthzPolicy `json:"authzPolicy"`
+	// Default is KeysExchange.
+	// +kubebuilder:validation:Enum=KeysExchange;TolerateNoHandshake
+	// +kubebuilder:default=KeysExchange
+	*AuthzPolicy `json:"authzPolicy,omitempty"`
 	// PublicKey is the public key of the tenant cluster.
 	PublicKey []byte `json:"publicKey,omitempty"`
 	// CSR is the Certificate Signing Request of the tenant cluster.
diff --git a/pkg/liqo-controller-manager/authentication/remoteresourceslice-controller/remoteresourceslice_controller.go b/pkg/liqo-controller-manager/authentication/remoteresourceslice-controller/remoteresourceslice_controller.go
@@ -165,7 +165,7 @@ func (r *RemoteResourceSliceReconciler) Reconcile(ctx context.Context, req ctrl.
 func (r *RemoteResourceSliceReconciler) handleAuthenticationStatus(ctx context.Context,
 	resourceSlice *authv1beta1.ResourceSlice, tenant *authv1beta1.Tenant) error {
 	// check that the CSR is valid
-	shouldCheckPublicKey := tenant.Spec.AuthzPolicy != authv1beta1.TolerateNoHandshake
+	shouldCheckPublicKey := authv1beta1.GetAuthzPolicyValue(tenant.Spec.AuthzPolicy) != authv1beta1.TolerateNoHandshake
 	if err := authentication.CheckCSRForResourceSlice(tenant.Spec.PublicKey, resourceSlice, shouldCheckPublicKey); err != nil {
 		klog.Errorf("Invalid CSR for the ResourceSlice %q: %s", client.ObjectKeyFromObject(resourceSlice), err)
 		r.eventRecorder.Event(resourceSlice, corev1.EventTypeWarning, "InvalidCSR", err.Error())
diff --git a/pkg/liqo-controller-manager/authentication/tenant-controller/tenant_controller.go b/pkg/liqo-controller-manager/authentication/tenant-controller/tenant_controller.go
@@ -135,7 +135,7 @@ func (r *TenantReconciler) Reconcile(ctx context.Context, req ctrl.Request) (res
 	clusterID := tenant.Spec.ClusterID
 
 	// If no handshake is tolerated, then do not perform the checks on the exchanged keys.
-	if tenant.Spec.AuthzPolicy != authv1beta1.TolerateNoHandshake {
+	if authv1beta1.GetAuthzPolicyValue(tenant.Spec.AuthzPolicy) != authv1beta1.TolerateNoHandshake {
 		// get the nonce for the tenant
 
 		nonceSecret, err := getters.GetNonceSecretByClusterID(ctx, r.Client, clusterID)
@@ -196,7 +196,7 @@ func (r *TenantReconciler) Reconcile(ctx context.Context, req ctrl.Request) (res
 	}()
 
 	// If no handshake is performed, then the user is charge of creating the authentication params and bind the right permissions.
-	if tenant.Spec.AuthzPolicy != authv1beta1.TolerateNoHandshake {
+	if authv1beta1.GetAuthzPolicyValue(tenant.Spec.AuthzPolicy) != authv1beta1.TolerateNoHandshake {
 		// create the CSR and forge the AuthParams
 
 		authParams, err := r.IdentityProvider.ForgeAuthParams(ctx, &identitymanager.SigningRequestOptions{
diff --git a/pkg/liqo-controller-manager/core/foreigncluster-controller/status.go b/pkg/liqo-controller-manager/core/foreigncluster-controller/status.go
@@ -191,7 +191,9 @@ func (r *ForeignClusterReconciler) handleAuthenticationModuleStatus(ctx context.
 			fc.Status.TenantNamespace.Local = tenant.Status.TenantNamespace
 		}
 
-		if tenant.Spec.AuthzPolicy != authv1beta1.TolerateNoHandshake && tenant.Status.AuthParams == nil || tenant.Status.TenantNamespace == "" {
+		// Define the status of the authentication module based on whether the keys exchange has been performed.
+		expectKeysExchange := authv1beta1.GetAuthzPolicyValue(tenant.Spec.AuthzPolicy) != authv1beta1.TolerateNoHandshake
+		if expectKeysExchange && tenant.Status.AuthParams == nil || tenant.Status.TenantNamespace == "" {
 			fcutils.EnsureModuleCondition(&fc.Status.Modules.Authentication,
 				liqov1beta1.AuthTenantStatusCondition, liqov1beta1.ConditionStatusNotReady,
 				tenantNotReadyReason, tenantNotReadyMessage)
