Fix the check for the password matching username (#1138)

Author: pmatseykanets

pkg/resources/core/v1/secret/mutator.go

@@ -220,28 +220,34 @@ func (m *Mutator) admitLocalUserPassword(secret *corev1.Secret, request *admissi
 			Allowed: true,
 		}, nil
 	}
+
 	user, err := m.userCache.Get(secret.Name)
 	if err != nil {
 		if apierrors.IsNotFound(err) {
 			return admission.ResponseBadRequest(fmt.Sprintf("user %s does not exist. User must be created before the secret", secret.Name)), nil
 		}
 		return nil, err
 	}
+
 	password := string(secret.Data["password"])
 	passwordMinLength, err := m.getPasswordMinLength()
 	if err != nil {
 		return nil, err
 	}
+
 	if utf8.RuneCountInString(password) < passwordMinLength {
 		return admission.ResponseBadRequest(fmt.Sprintf("password must be at least %v characters", passwordMinLength)), nil
 	}
-	if request.UserInfo.Username == password {
+
+	if user.Username == password {
 		return admission.ResponseBadRequest("password cannot be the same as username"), nil
 	}
+
 	hashedPassword, salt, err := m.hasher(password)
 	if err != nil {
 		return nil, err
 	}
+
 	response := &admissionv1.AdmissionResponse{}
 	newSecret := secret.DeepCopy()
 	if newSecret.Annotations == nil {

pkg/resources/core/v1/secret/mutator_test.go

@@ -28,7 +28,7 @@ var (
 	secretGVK = metav1.GroupVersionKind{Group: "", Version: "v1", Kind: "Secret"}
 )
 
-func Test_roleBindingIndexer(t *testing.T) {
+func TestRoleBindingIndexer(t *testing.T) {
 	testNamespace := "test-ns"
 	createBinding := func(roleRefKind string, ownerRefs ...metav1.OwnerReference) rbacv1.RoleBinding {
 		return rbacv1.RoleBinding{
@@ -486,6 +486,17 @@ func TestAdmitLocalUserPassword(t *testing.T) {
 		},
 		Username: "test",
 	}
+
+	rawUsernameSecret, err := json.Marshal(&corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "test-user",
+		},
+		Data: map[string][]byte{
+			"password": []byte(fakeUser.Username),
+		},
+	})
+	assert.NoError(t, err)
+
 	tests := map[string]struct {
 		request           *admission.Request
 		hasher            passwordHasher
@@ -616,14 +627,14 @@ func TestAdmitLocalUserPassword(t *testing.T) {
 					Resource:        secretGVR,
 					RequestKind:     &secretGVK,
 					RequestResource: &secretGVR,
-					UserInfo:        authenicationv1.UserInfo{Username: "password"},
+					UserInfo:        authenicationv1.UserInfo{Username: "test-user"},
 					Object: runtime.RawExtension{
-						Raw: rawSecret,
+						Raw: rawUsernameSecret,
 					},
 				},
 			},
 			hasher: func(_ string) ([]byte, []byte, error) {
-				return []byte("hashedPassword"), []byte("salt"), nil
+				panic("should not be called")
 			},
 			mockSettingsCache: func() ctrlv3.SettingCache {
 				mock := fake.NewMockNonNamespacedCacheInterface[*v3.Setting](ctrl)
@@ -720,10 +731,10 @@ func TestAdmitLocalUserPassword(t *testing.T) {
 				assert.NoError(t, err)
 				assert.Equal(t, test.wantAllowed, response.Allowed)
 				if test.wantPatch != "" {
-					var wantPatch []interface{}
+					var wantPatch []any
 					err = json.Unmarshal([]byte(test.wantPatch), &wantPatch)
 					assert.NoError(t, err)
-					var patch []interface{}
+					var patch []any
 					err = json.Unmarshal(response.Patch, &patch)
 					assert.NoError(t, err)
 					sortPatch(patch)
@@ -737,10 +748,10 @@ func TestAdmitLocalUserPassword(t *testing.T) {
 	}
 }
 
-func sortPatch(patch []interface{}) {
+func sortPatch(patch []any) {
 	sort.Slice(patch, func(i, j int) bool {
-		pi := patch[i].(map[string]interface{})
-		pj := patch[j].(map[string]interface{})
+		pi := patch[i].(map[string]any)
+		pj := patch[j].(map[string]any)
 		return fmt.Sprint(pi["path"]) < fmt.Sprint(pj["path"])
 	})
 }