Prevent unbounded growth in SCC due to duplicates

smarterclayton · smarterclayton · commit 64a84dc7757a · 2017-11-04T18:38:06.000-04:00
People patching SCCs in a declarative fashion can cause unbounded struct
growth. Strike a balance between simple code and efficient (since some
SCCs can have hundreds of users).
diff --git a/pkg/security/registry/securitycontextconstraints/strategy.go b/pkg/security/registry/securitycontextconstraints/strategy.go
@@ -50,7 +50,27 @@ func (strategy) PrepareForCreate(_ genericapirequest.Context, obj runtime.Object
 func (strategy) PrepareForUpdate(_ genericapirequest.Context, obj, old runtime.Object) {
 }
 
+// Canonicalize removes duplicate user and group values, preserving order.
 func (strategy) Canonicalize(obj runtime.Object) {
+	scc := obj.(*securityapi.SecurityContextConstraints)
+	scc.Users = uniqueStrings(scc.Users)
+	scc.Groups = uniqueStrings(scc.Groups)
+}
+
+func uniqueStrings(values []string) []string {
+	if len(values) < 2 {
+		return values
+	}
+	updated := make([]string, 0, len(values))
+	existing := make(map[string]struct{})
+	for _, value := range values {
+		if _, ok := existing[value]; ok {
+			continue
+		}
+		existing[value] = struct{}{}
+		updated = append(updated, value)
+	}
+	return updated
 }
 
 func (strategy) Validate(ctx genericapirequest.Context, obj runtime.Object) field.ErrorList {
diff --git a/pkg/security/registry/securitycontextconstraints/strategy_test.go b/pkg/security/registry/securitycontextconstraints/strategy_test.go
@@ -0,0 +1,54 @@
+package securitycontextconstraints
+
+import (
+	"reflect"
+	"testing"
+
+	securityapi "github.com/openshift/origin/pkg/security/apis/security"
+)
+
+func TestCanonicalize(t *testing.T) {
+	testCases := []struct {
+		obj    *securityapi.SecurityContextConstraints
+		expect *securityapi.SecurityContextConstraints
+	}{
+		{
+			obj:    &securityapi.SecurityContextConstraints{},
+			expect: &securityapi.SecurityContextConstraints{},
+		},
+		{
+			obj: &securityapi.SecurityContextConstraints{
+				Users: []string{"a"},
+			},
+			expect: &securityapi.SecurityContextConstraints{
+				Users: []string{"a"},
+			},
+		},
+		{
+			obj: &securityapi.SecurityContextConstraints{
+				Users:  []string{"a", "a"},
+				Groups: []string{"b", "b"},
+			},
+			expect: &securityapi.SecurityContextConstraints{
+				Users:  []string{"a"},
+				Groups: []string{"b"},
+			},
+		},
+		{
+			obj: &securityapi.SecurityContextConstraints{
+				Users:  []string{"a", "b", "a"},
+				Groups: []string{"c", "d", "c"},
+			},
+			expect: &securityapi.SecurityContextConstraints{
+				Users:  []string{"a", "b"},
+				Groups: []string{"c", "d"},
+			},
+		},
+	}
+	for _, testCase := range testCases {
+		Strategy.Canonicalize(testCase.obj)
+		if !reflect.DeepEqual(testCase.expect, testCase.obj) {
+			t.Errorf("%d: unexpected object: %#v", testCase.obj)
+		}
+	}
+}
