This repository was archived by the owner on Oct 14, 2020. It is now read-only.

Commit 8e06d72

authored
Merge pull request #44 from secureCodeBox/fix/prevent-duplicated-hooks
Prevent duplicated hooks
2 parents 11ecd8b + b0ceaa7 commit 8e06d72


1 file changed

+39
-13
lines changed


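--- a/operator/controllers/execution/scan_controller.go
+++ b/operator/controllers/execution/scan_controller.go
@@ -711,22 +711,22 @@ func (r *ScanReconciler) startReadOnlyHooks(scan *executionv1.Scan) error {
 return nil
 }
 
-rules := []rbacv1.PolicyRule{
-{
-APIGroups: []string{"execution.experimental.securecodebox.io"},
-Resources: []string{"scans"},
-Verbs: []string{"get", "create", "list"},
-},
+// Get all read-only-hooks for scan to later check that they weren't already created
+jobs, err := r.getJobsForScan(scan, client.MatchingLabels{
+"experimental.securecodebox.io/job-type": "read-only-hook",
+})
+if err != nil {
+return err
 }
-serviceAccountName := "scan-completion-hook"
-r.ensureServiceAccountExists(
-scan.Namespace,
-serviceAccountName,
-"ScanCompletionHooks need to access the current scan to view where its results are stored",
-rules,
-)
 
 for _, hook := range readOnlyHooks {
+// Check if hook was already executed
+if containsJobForHook(jobs, hook) == true {
+r.Log.V(4).Info("Skipping creation of job for hook '%s' as it already exists", hook.Name)
+// Job was already created
+continue
+}
+
 rawFileURL, err := r.PresignedGetURL(scan.UID, scan.Status.RawResultFile)
 if err != nil {
 return err
@@ -758,6 +758,20 @@ func (r *ScanReconciler) startReadOnlyHooks(scan *executionv1.Scan) error {
 return nil
 }
 
+func containsJobForHook(jobs *batch.JobList, hook executionv1.ScanCompletionHook) bool {
+if len(jobs.Items) == 0 {
+return false
+}
+
+for _, job := range jobs.Items {
+if job.ObjectMeta.Labels["experimental.securecodebox.io/hook-name"] == hook.Name {
+return true
+}
+}
+
+return false
+}
+
 func (r *ScanReconciler) checkIfReadOnlyHookIsCompleted(scan *executionv1.Scan) error {
 ctx := context.Background()
 readOnlyHookCompletion, err := r.checkIfJobIsCompleted(scan, client.MatchingLabels{"experimental.securecodebox.io/job-type": "read-only-hook"})
@@ -1135,6 +1149,18 @@ func (r *ScanReconciler) executeReadAndWriteHooks(scan *executionv1.Scan) error
 return err
 }
 
+jobs, err := r.getJobsForScan(scan, client.MatchingLabels{
+"experimental.securecodebox.io/job-type": "read-and-write-hook",
+"experimental.securecodebox.io/hook-name": nonCompletedHook.HookName,
+})
+if err != nil {
+return err
+}
+if len(jobs.Items) > 0 {
+// Job already exists
+return nil
+}
+
 jobName, err := r.createJobForHook(
 &hook,
 scan,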
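Review bot: The skip message at new line 725 in startReadOnlyHooks passes a printf-style string to `r.Log.V(4).Info`; if `r.Log` is a logr logger, as the `V(4)` call suggests, the trailing argument is read as a key/value pair, so `%s` is printed literally and `hook.Name` becomes a dangling key — use `r.Log.V(4).Info("Skipping creation of job for hook as it already exists", "hook", hook.Name)`. The `== true` in `if containsJobForHook(jobs, hook) == true {` is redundant, as is the `len(jobs.Items) == 0` guard in containsJobForHook, since ranging over an empty list already falls through to `return false`. Both duplicate checks decide on the `experimental.securecodebox.io/hook-name` label alone; whether `getJobsForScan` also restricts the list to jobs owned by this scan is not visible here, and it is worth confirming so that an unrelated job carrying the same label cannot cause a hook to be skipped silently. The first hunk also drops the `ensureServiceAccountExists` call for `scan-completion-hook` without the commit title mentioning it, and because startReadOnlyHooks begins outside the hunk I cannot tell whether the account and its RBAC rules are still ensured elsewhere, so please confirm.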
