From 1e1506332ed0820bfe252d427d5be7426f204376 Mon Sep 17 00:00:00 2001
From: huangyanfeng
Date: Wed, 7 Dec 2022 14:34:25 +0800
Subject: [PATCH] generate PolicyRules from given subjects for impersonation deduplicate
Signed-off-by: huangyanfeng
generate PolicyRules add ut case for check deduplicate
Signed-off-by: huangyanfeng
import format
Signed-off-by: huangyanfeng
---
 pkg/util/rbac.go | 13 ++++++++++---
 pkg/util/rbac_test.go | 18 ++++++++++++++++++
 2 files changed, 28 insertions(+), 3 deletions(-)
diff --git a/pkg/util/rbac.go b/pkg/util/rbac.go
index f48740a96..407afbe2e 100644
--- a/pkg/util/rbac.go
+++ b/pkg/util/rbac.go
@@ -7,6 +7,7 @@ import (
 apierrors "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 kubeclient "k8s.io/client-go/kubernetes"
+ stringslices "k8s.io/utils/strings/slices"
 )
 
 // IsClusterRoleExist tells if specific ClusterRole already exists.
@@ -136,11 +137,17 @@ func GenerateImpersonationRules(allSubjects []rbacv1.Subject) []rbacv1.PolicyRul
 for _, subject := range allSubjects {
 switch subject.Kind {
 case rbacv1.UserKind:
- users = append(users, subject.Name)
+ if !stringslices.Contains(users, subject.Name) {
+ users = append(users, subject.Name)
+ }
 case rbacv1.ServiceAccountKind:
- serviceAccounts = append(serviceAccounts, subject.Name)
+ if !stringslices.Contains(serviceAccounts, subject.Name) {
+ serviceAccounts = append(serviceAccounts, subject.Name)
+ }
 case rbacv1.GroupKind:
- groups = append(groups, subject.Name)
+ if !stringslices.Contains(groups, subject.Name) {
+ groups = append(groups, subject.Name)
+ }
 }
 }
 
diff --git a/pkg/util/rbac_test.go b/pkg/util/rbac_test.go
index f0d7bc0d0..b875de0db 100644
--- a/pkg/util/rbac_test.go
+++ b/pkg/util/rbac_test.go
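Review bot: The new `stringslices.Contains` guard in the `ServiceAccountKind` case keys on `subject.Name` alone, so two ServiceAccount subjects with the same name in different namespaces now collapse into a single `serviceaccounts` ResourceNames entry. That is consistent with what the function already emitted (the expected rule in the test carries only `ResourceNames: []string{"sa1"}`, no namespace), so it is not a regression, but it does mean the resulting `impersonate` grant is not scoped to the subject's namespace — presumably an accepted property of this cluster-wide rule; worth confirming. I would make the choice explicit above that case: `// Dedup and the emitted rule key on Name only; subject.Namespace is intentionally dropped, so same-named SAs in different namespaces share one entry.` A `map[string]struct{}` seen-set would also avoid the quadratic Contains-in-loop, though at subject-list sizes this is a style point rather than a problem. The function's variable declarations and the rule construction sit outside the hunk.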
@@ -237,6 +237,24 @@ func TestGenerateImpersonationRules(t *testing.T) {
 {Verbs: []string{"impersonate"}, Resources: []string{"groups"}, APIGroups: []string{""}, ResourceNames: []string{"group1", "group2"}},
 },
 },
+ {
+ name: "generate and deduplicate subject success",
+ args: args{
+ allSubjects: []rbacv1.Subject{
+ {Kind: rbacv1.UserKind, Name: "user1"},
+ {Kind: rbacv1.UserKind, Name: "user1"},
+ {Kind: rbacv1.ServiceAccountKind, Name: "sa1"},
+ {Kind: rbacv1.ServiceAccountKind, Name: "sa1"},
+ {Kind: rbacv1.GroupKind, Name: "group1"},
+ {Kind: rbacv1.GroupKind, Name: "group1"},
+ },
+ },
+ want: []rbacv1.PolicyRule{
+ {Verbs: []string{"impersonate"}, Resources: []string{"users"}, APIGroups: []string{""}, ResourceNames: []string{"user1"}},
+ {Verbs: []string{"impersonate"}, Resources: []string{"serviceaccounts"}, APIGroups: []string{""}, ResourceNames: []string{"sa1"}},
+ {Verbs: []string{"impersonate"}, Resources: []string{"groups"}, APIGroups: []string{""}, ResourceNames: []string{"group1"}},
+ },
+ },
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
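Review bot: The new case only exercises byte-identical duplicates, so it does not pin the one non-obvious property of the dedup: ServiceAccount subjects are compared by Name only and their Namespace is ignored. Adding two subjects such as `{Kind: rbacv1.ServiceAccountKind, Namespace: "ns-a", Name: "sa1"},` and `{Kind: rbacv1.ServiceAccountKind, Namespace: "ns-b", Name: "sa1"},` with an expected single `"sa1"` entry would document that choice, or surface it if it is unintended. A subject with a Kind the switch does not handle being silently skipped is also untested, though that is pre-existing behaviour rather than something this commit introduces. The test table and its runner loop extend beyond the hunk.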