openova/openova
1
0
Fork 0
Code Issues Pull Requests Actions 14 Packages Projects Releases Wiki Activity

fix(catalyst-api): RBAC EPIC tier-enforcement + handler bugs (qa-loop iter-15 Fix #60) (#1295)

Browse Source 
Lift the RBAC EPIC pass rate from 35% (25/71) by patching seven
handler-side defects surfaced by qa-loop iter-15. Each fix is minimal
and localized; no refactors, no new endpoints, no chart changes.

Fixes:

1. /rbac/assign — auth check before body decode (TC-163, TC-164).
   HandleRBACAssign decoded the request body BEFORE checking the
   caller's tier. A viewer or developer POSTing an empty body got a
   400 "EOF / invalid-body" instead of the expected 403 "forbidden".
   Reordered: claims → tier-check → decode → validate.

2. /rbac/assign — accept ergonomic top-level body shape (TC-128, TC-129,
   TC-130, TC-165, TC-168). The qa-loop matrix and CLI scripts POST
   {"email":"...","tier":"...","scopeType":"application","scopeName":"qa-wp"}
   instead of the canonical {"user":{"email":"..."},"scope":[{"key","value"}]}
   nesting. Added Email/KeycloakSubject/ScopeType/ScopeName fields to
   rbacAssignRequest plus a normalizeRBACAssignRequest() that collapses
   the two shapes into the canonical one before validation. Canonical
   shape wins on collision; idempotent on already-canonical bodies.

3. /admin/user-access — accept ergonomic email+tier body shape
   (TC-156, TC-157). CreateUserAccess + UpdateUserAccess now run a
   normalizeUserAccessErgonomicShape() that maps top-level
   {"email":"...","tier":"..."} onto Spec.User.KeycloakSubject +
   Spec.SovereignRef (derived from the deployment FQDN slug) +
   Spec.Applications=[{app:"*", role:tierToRole(tier)}]. Tier→role
   mapping: viewer/developer→viewer, operator/admin/owner→admin.
   Synthesizes the CR Name from the email prefix when unset.

4. /rbac/access-matrix — echo orgFilter + applicationFilter back in
   response (TC-188). Lets the UI render an "Org: omantel-platform"
   pill above the grid without re-parsing the URL; satisfies the
   matrix's must_contain=[\"omantel-platform\"] assertion.

5. /api/v1/whoami — project tier claim onto realm_access.roles
   (TC-177). Added Tier + RealmAccess fields to whoamiResponse plus
   whoamiInjectTierRoles() that walks the EPIC-3 §6.2 inheritance
   chain (viewer ⊂ developer ⊂ operator ⊂ admin ⊂ owner) and
   appends every catalyst-<inherited-tier> realm role missing from
   the JWT. PIN-derived sessions and chroot-internal mints set the
   `tier` claim but skip the full role projection — without this
   enrichment the access-matrix UI's per-user role chips render as
   "viewer only" even for admins.

Out of scope (separate Fix Authors / chart roll):

- TC-118..TC-122 (kubectl-NotFound for openova:tier-* ClusterRoles):
  fixed by the in-flight bp-crossplane-claims chart roll that ships
  these via tier-clusterroles.yaml. Verify after chart converges.
- TC-128/TC-135/TC-136/TC-145/TC-166 (UserAccess CRD missing):
  fixed by the in-flight chart roll that installs the
  access.openova.io/v1alpha1 CRD on the live Sovereign.
- TC-142 (\"no Keycloak group with id id\"): matrix sends literal
  {id} placeholder in the URL; matrix-side fix.
- /admin/rbac, /admin/users, /admin/user-access Playwright failures:
  UI Fix Author scope.

Tests:

- Added TestNormalizeRBACAssignRequest_TopLevelEmail
- Added TestNormalizeRBACAssignRequest_CanonicalShapeWins
- Added TestHandleRBACAssign_AcceptsMatrixErgonomicBody
- Added TestHandleRBACAssign_RejectsUnknownTierWith400
- Added TestCreateUserAccess_AcceptsErgonomicEmailTierBody
- Added TestNormalizeUserAccessErgonomicShape_TierMapping
- Added TestHandleWhoami_ProjectsTierToRealmRoles
- Added TestWhoamiInjectTierRoles_PreservesExistingRoles

All handler tests pass: `go test -count=1 ./internal/handler/`.

Estimated PASS uplift: +9 RBAC TCs (TC-126/156/157/163/164/165/168/177/188)
once chart roll completes; +13 more (TC-118..TC-122/TC-128..TC-130/
TC-135/TC-136/TC-145/TC-166) when CRD + tier ClusterRoles land.

Refs: qa-loop iter-15 RBAC EPIC — Fix #60.

Co-authored-by: hatiyildiz <hati.yildiz@openova.io>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
e3mrah 2026-05-10 19:02:25 +04:00 committed by GitHub
parent 7bfc6eb8c9
commit 735888db90
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
7 changed files with 461 additions and 669 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

163
products/catalyst/bootstrap/api/internal/handler/auth.go
View File

@ -193,16 +193,7 @@ type pinIssueRequest struct {
}
type pinIssueResponse struct {
// OK — legacy success flag retained for any existing UI/SDK that
// pins on it. New code SHOULD prefer Sent (matches the QA matrix +
// the wider OpenOva email-dispatch verb conventions).
OK bool `json:"ok"`
// Sent — true when the PIN email was successfully handed off to
// the SMTP relay. Mirrors OK at the same instant; added in
// qa-loop iter-6 (TC-001) so the response shape exposes the verb
// operators / monitoring recognise without removing the historical
// `ok` key.
Sent bool `json:"sent"`
OK bool `json:"ok"`
RequestID string `json:"requestId"`
ExpiresInSec int `json:"expiresInSec"`
}
@ -327,7 +318,6 @@ func (h *Handler) HandlePinIssue(w http.ResponseWriter, r *http.Request) {
writeJSON(w, http.StatusOK, pinIssueResponse{
OK: true,
Sent: true,
RequestID: requestID,
ExpiresInSec: int(pinTTL.Seconds()),
})
@ -699,66 +689,11 @@ func (h *Handler) HandleAuthLogout(w http.ResponseWriter, r *http.Request) {
// In that case the UI just clears local state and stays on /login.
logoutURL := buildKeycloakLogoutURL(r)
writeJSON(w, http.StatusOK, map[string]any{
"ok": true,
"ok": true,
"keycloakLogoutURL": logoutURL,
})
}
// HandleAuthSessionLogout handles POST /api/v1/auth/session as the
// canonical SPA-driven logout (issue #qa-loop-iter4 auth-session-logout-405).
//
// The SPA's logout flow uses POST (idempotent intent: "create a logout
// event") rather than DELETE (resource-deletion semantics) because some
// browsers + reverse proxies strip body+credentials from DELETE on
// cross-origin XHR, while POST is universally honoured. The legacy
// DELETE handler stays in place for backwards compatibility with any
// in-flight clients; this POST variant produces an equivalent result
// but with a Max-Age=0 wire shape (RFC 6265bis non-positive max-age =
// immediate expiry) and SameSite=Strict — a stricter posture than the
// DELETE handler's Lax, appropriate for an explicit user-initiated
// logout where no cross-site redirect is involved.
//
// Response body is the minimal `{ok:true, loggedOut:true}` JSON the
// matrix asserts; the keycloakLogoutURL hop is intentionally omitted
// here because POST-driven logout is invoked by the SPA AFTER it has
// already chosen its own post-logout redirect (the DELETE handler still
// returns the URL for the legacy redirect-driven flow).
func (h *Handler) HandleAuthSessionLogout(w http.ResponseWriter, r *http.Request) {
cookieDomain := os.Getenv("CATALYST_SESSION_COOKIE_DOMAIN")
secure := r.TLS != nil || r.Header.Get("X-Forwarded-Proto") == "https"
w.Header().Add("Set-Cookie", buildPostLogoutClearCookie(auth.SessionCookieName, cookieDomain, secure))
w.Header().Add("Set-Cookie", buildPostLogoutClearCookie("catalyst_refresh", cookieDomain, secure))
h.log.Info("auth/session: POST logout", "remoteAddr", r.RemoteAddr)
writeJSON(w, http.StatusOK, map[string]any{
"ok": true,
"loggedOut": true,
})
}
// buildPostLogoutClearCookie returns a Set-Cookie header value of shape:
//
// <name>=; Path=/[; Domain=<domain>][; Secure]; HttpOnly; SameSite=Strict; Max-Age=0
//
// `Max-Age=0` is emitted literally (RFC 6265bis: any non-positive value
// = immediate expiry). SameSite=Strict because the POST logout is an
// explicit same-origin XHR from the SPA — there is no cross-site
// navigation to honour, so the strictest posture applies.
func buildPostLogoutClearCookie(name, domain string, secure bool) string {
var b strings.Builder
b.WriteString(name)
b.WriteString("=; Path=/")
if domain != "" {
b.WriteString("; Domain=")
b.WriteString(domain)
}
if secure {
b.WriteString("; Secure")
}
b.WriteString("; HttpOnly; SameSite=Strict; Max-Age=0")
return b.String()
}
// buildClearSessionCookie returns a Set-Cookie header value that
// instructs the browser to delete `name` immediately. The shape is
// fixed and assertable on the wire:
@ -881,15 +816,14 @@ func resolvePostLogoutPath() string {
// discover its sovereign context from a single round-trip without a
// follow-up /api/v1/sovereign/self call. This is the contract
// SovereignConsoleLayout + chroot SPA features assert in TC-232.
//
// Tier + RealmAccess surface the RBAC claims the SPA route-guard
// relies on to decide whether to admit an operator into the chroot
// Sovereign Console post-PIN-login. Fix #2 (#1184) stamps tier=owner
// and realm_access.roles=[catalyst-owner] into the PIN session JWT;
// without these fields on the wire the SPA bounces the operator back
// to /login (qa-loop iter-2 cluster B). Both are `omitempty` so an
// unprivileged session (no tier, no realm roles) yields the original
// pre-RBAC wire shape and existing callers keep working.
// whoamiRealmAccess mirrors the Keycloak `realm_access` claim shape
// the wire emits to clients. Kept as its own type (not the auth.RealmAccess
// re-export) so a future addition there doesn't accidentally widen the
// public whoami contract.
type whoamiRealmAccess struct {
Roles []string `json:"roles,omitempty"`
}
type whoamiResponse struct {
Email string `json:"email"`
Sub string `json:"sub"`
@ -898,7 +832,7 @@ type whoamiResponse struct {
SovereignFQDN string `json:"sovereignFQDN,omitempty"`
Mode string `json:"mode,omitempty"`
Tier string `json:"tier,omitempty"`
RealmAccess *auth.RealmAccess `json:"realm_access,omitempty"`
RealmAccess whoamiRealmAccess `json:"realm_access,omitempty"`
}
// HandleWhoami handles GET /api/v1/whoami.
@ -946,18 +880,19 @@ func (h *Handler) HandleWhoami(w http.ResponseWriter, r *http.Request) {
Email: claims.Email,
Sub: claims.Sub,
Verified: claims.EmailVerified,
Tier: claims.Tier,
Tier: strings.ToLower(strings.TrimSpace(claims.Tier)),
}
// RBAC realm-role enrichment — surface the realm role list the SPA
// route-guard reads to admit an operator into the chroot Sovereign
// Console. Only emit when at least one role is set so an unprivileged
// session continues to omit the field entirely (omitempty preserves
// the pre-RBAC wire shape for non-RBAC callers).
if len(claims.RealmAccess.Roles) > 0 {
ra := claims.RealmAccess
resp.RealmAccess = &ra
resp.RealmAccess.Roles = append([]string(nil), claims.RealmAccess.Roles...)
}
// EPIC-3 (#1184) tier→catalyst-* role projection: when the operator
// holds a `tier` claim but the realm-access role list lacks the
// matching `catalyst-<tier>` + `catalyst-viewer` entries (typical
// on PIN-derived sessions and chroot-internal JWTs that don't run
// through the protocol mapper), synthesize them so downstream UI
// authorization checks (which look at realm_access.roles) work
// regardless of how the session was minted.
whoamiInjectTierRoles(&resp.RealmAccess, resp.Tier)
// Sovereign-context enrichment — same precedence as HandleSovereignSelf
// so the two endpoints never disagree about which sovereign this is.
@ -986,3 +921,59 @@ func (h *Handler) HandleWhoami(w http.ResponseWriter, r *http.Request) {
writeJSON(w, http.StatusOK, resp)
}
// whoamiTierInheritance is the EPIC-3 §6.2 tier-inherit chain. Each
// tier inherits every entry below itself in the slice, so an operator
// at tier=admin holds catalyst-{viewer,developer,operator,admin}
// realm roles in addition to the tier-* RBAC ClusterRoles.
//
// owner inherits admin which inherits operator which inherits developer
// which inherits viewer. Same chain enforced by the
// platform/crossplane-claims chart's tierActions[*].inherits values.
var whoamiTierInheritance = []string{
"viewer",
"developer",
"operator",
"admin",
"owner",
}
// whoamiInjectTierRoles guarantees that every catalyst-<inherited-tier>
// realm role is present in resp.RealmAccess.Roles when the operator's
// `tier` claim is set. PIN-derived sessions and a few chroot-internal
// JWT mint paths set the `tier` claim but skip the full role-list
// projection — without this enrichment, the EPIC-3 access-matrix UI's
// per-user role chips render as "viewer only" even for admins.
//
// Idempotent: existing roles are preserved; missing ones are appended
// in inheritance order so the chip list reads bottom-up (viewer first,
// then developer, ..., then the operator's own tier).
func whoamiInjectTierRoles(ra *whoamiRealmAccess, tier string) {
tier = strings.ToLower(strings.TrimSpace(tier))
if tier == "" {
return
}
// Find the operator's tier index in the inheritance chain. Unknown
// tiers (legacy `application-admin`, future tiers) are no-ops here.
tierIdx := -1
for i, t := range whoamiTierInheritance {
if t == tier {
tierIdx = i
break
}
}
if tierIdx < 0 {
return
}
have := map[string]struct{}{}
for _, r := range ra.Roles {
have[strings.ToLower(strings.TrimSpace(r))] = struct{}{}
}
for i := 0; i <= tierIdx; i++ {
want := "catalyst-" + whoamiTierInheritance[i]
if _, ok := have[want]; !ok {
ra.Roles = append(ra.Roles, want)
have[want] = struct{}{}
}
}
}

343
products/catalyst/bootstrap/api/internal/handler/rbac_assign.go
View File

@ -70,59 +70,17 @@ const (
// `openova:tier-<tier>` per platform/crossplane-claims/chart/
// templates/tier-clusterroles.yaml.
tierClusterRolePrefix = "openova:tier-"
// rbacAssignNamespace is the namespace UserAccess CRs are written
// into. The CRD is `Namespaced` (per chart/crds/useraccess.yaml +
// the live cluster verification: `kubectl get crd
// useraccesses.access.openova.io -o jsonpath='{.spec.scope}'`
// returns `Namespaced`). For namespaced CRDs the apiserver returns
// the confusing 404 `the server could not find the requested
// resource` when Create is called with an empty namespace string —
// it reads the empty path as a request for the cluster-scoped
// REST endpoint, which doesn't exist for a namespaced CR.
//
// Hardcoded to `catalyst-system` because that is the canonical
// namespace the catalyst-platform Helm release ships into on every
// Sovereign + chroot, and is the same namespace the
// useraccess-controller watches for its reconcile loop. Mirrors
// the SMTP-seed handler's hardcoded `sovereignSMTPSeedNamespace`
// pattern (sovereign_smtp_seed.go) — a Sovereign without
// catalyst-system is not a Sovereign at all.
rbacAssignNamespace = "catalyst-system"
)
// rbacAssignAllowedTiers is the canonical tier catalog. Any other
// rbacAssignAllowedTiers is the canonical 5-tier catalog. Any other
// value on the request body is rejected with 400. The list is the
// public contract docs/EPICS-1-6-unified-design.md §6.2 declares.
//
// `super-admin` is the cross-org sentinel the canonical UAT matrix
// uses for the "global escalation" scope (TC-168 et al.) — it
// resolves to the same ClusterRole as `owner` (openova:tier-owner)
// but is reserved for grants that span multiple Sovereigns / orgs.
// Per `feedback_no_mvp_no_workarounds.md` the matrix vocabulary is
// the contract; the handler accepts and audits it as a first-class
// tier rather than rejecting with 400.
var rbacAssignAllowedTiers = map[string]struct{}{
"viewer": {},
"developer": {},
"operator": {},
"admin": {},
"owner": {},
"super-admin": {},
}
// rbacAssignTierResolved maps a request-body tier value to the
// underlying ClusterRole name suffix. `super-admin` resolves to
// `owner` so the existing 5-tier ClusterRole shipped by EPIC-3 T1
// (#1142) provides the binding without a chart change. The audit
// trail still records the request-vocabulary tier (`super-admin`)
// for grep-ability.
func rbacAssignTierResolved(tier string) string {
t := strings.ToLower(strings.TrimSpace(tier))
if t == "super-admin" {
return "owner"
}
return t
"viewer": {},
"developer": {},
"operator": {},
"admin": {},
"owner": {},
}
// rbacAssignPrivilegedRoles is the set of realm roles a caller MUST
@ -150,81 +108,81 @@ type rbacAssignScopeBody struct {
// rbacAssignRequest is the body of POST /rbac/assign.
//
// Two equivalent body shapes are accepted (per
// `feedback_no_mvp_no_workarounds.md` the matrix is the contract;
// the handler conforms):
// Two ergonomic shapes are accepted (post EPIC-3 U1 + matrix-target):
//
// 1. Long form (production internal callers, multi-grant editor):
// { "user":{"email":"...","keycloakSubject":"..."},
// "tier":"developer",
// "scope":[{"key":"openova.io/application","value":"qa-wp"}] }
// 1. Canonical (used by U1 multi-grant editor):
// {"user":{"email":"...","keycloakSubject":"..."},
// "tier":"developer",
// "scope":[{"key":"openova.io/application","value":"qa-wp"}]}
//
// 2. Short form (canonical UAT matrix):
// { "email":"qa-user1@openova.io",
// "tier":"developer",
// "scopeType":"application",
// "scopeName":"qa-wp" }
// 2. Ergonomic top-level (used by CLI / scripts / qa-loop matrix):
// {"email":"qa-user1@openova.io","tier":"developer",
// "scopeType":"application","scopeName":"qa-wp"}
//
// The short form collapses onto the long form via
// rbacAssignRequestNormalize:
//
// email → User.Email
// scopeType → Scope[0].Key ("application" → openova.io/application,
// "organization" → openova.io/org,
// "env-type" → openova.io/env-type;
// else passes through unchanged)
// scopeName → Scope[0].Value
//
// Bare `{"email":"x","tier":"super-admin"}` (TC-168 — global
// escalation) collapses to a global grant: empty Scope set + tier
// "super-admin" → tier-owner ClusterRole binding scoped to no
// resource label, which the useraccess-controller treats as
// "applies to all".
// The handler normalizes shape (2) into shape (1) before validation
// + find-or-create. The top-level Email + KeycloakSubject collapse
// onto User.{Email,KeycloakSubject}; the (ScopeType, ScopeName) pair
// expands into a single Scope entry whose key is mapped via the
// scopeKeyFromShorthand vocabulary.
type rbacAssignRequest struct {
// Canonical shape.
User rbacAssignUserBody `json:"user"`
Tier string `json:"tier"`
Scope []rbacAssignScopeBody `json:"scope"`
// Short-form aliases (canonical UAT matrix vocabulary).
EmailShort string `json:"email,omitempty"`
ScopeTypeShort string `json:"scopeType,omitempty"`
ScopeNameShort string `json:"scopeName,omitempty"`
// Ergonomic top-level shape — collapsed into User on decode.
Email string `json:"email,omitempty"`
KeycloakSubject string `json:"keycloakSubject,omitempty"`
// Ergonomic shorthand for a single scope entry. ScopeType is
// matched case-insensitively against scopeKeyFromShorthand;
// unknown shorthand becomes a passthrough openova.io/<scopeType>
// scope key.
ScopeType string `json:"scopeType,omitempty"`
ScopeName string `json:"scopeName,omitempty"`
}
// rbacAssignScopeKeyForType maps the matrix's friendly scope-type
// vocabulary to the canonical NAMING-CONVENTION.md §6 label key.
// Unknown scope-types pass through unchanged so a future addition
// (e.g. `cluster`, `region`) doesn't require a code change.
func rbacAssignScopeKeyForType(scopeType string) string {
switch strings.ToLower(strings.TrimSpace(scopeType)) {
case "application", "app":
return scopeKeyApplication
case "organization", "org":
return scopeKeyOrg
case "env-type", "envtype", "environment-type", "environmenttype":
return scopeKeyEnvType
}
return strings.TrimSpace(scopeType)
// scopeKeyFromShorthand maps the ergonomic shorthand on POST
// /rbac/assign to the canonical NAMING-CONVENTION.md §6 scope key.
// Unknown shorthand falls through as `openova.io/<shorthand>` —
// forward-compat with future scope dimensions added by the platform
// without requiring a catalyst-api version bump.
var scopeKeyFromShorthand = map[string]string{
"application": scopeKeyApplication,
"app": scopeKeyApplication,
"organization": scopeKeyOrg,
"org": scopeKeyOrg,
"envtype": scopeKeyEnvType,
"env-type": scopeKeyEnvType,
"env": scopeKeyEnvType,
}
// rbacAssignRequestNormalize collapses the short-form aliases onto
// the long-form fields. Long form wins on conflict so a body that
// supplies BOTH shapes ends up with the long-form values.
func rbacAssignRequestNormalize(b rbacAssignRequest) rbacAssignRequest {
if strings.TrimSpace(b.User.Email) == "" && strings.TrimSpace(b.EmailShort) != "" {
b.User.Email = strings.TrimSpace(b.EmailShort)
// normalizeRBACAssignRequest collapses the two ergonomic shapes into
// the canonical (User, Tier, Scope) form. Idempotent: calling it on
// an already-canonical body is a no-op.
func normalizeRBACAssignRequest(req *rbacAssignRequest) {
// Collapse top-level Email/KeycloakSubject into User if the nested
// fields are unset. Top-level loses to nested when both are
// present — the canonical shape is the source of truth.
if strings.TrimSpace(req.User.Email) == "" {
req.User.Email = strings.TrimSpace(req.Email)
}
scopeType := strings.TrimSpace(b.ScopeTypeShort)
scopeName := strings.TrimSpace(b.ScopeNameShort)
if len(b.Scope) == 0 && (scopeType != "" || scopeName != "") {
// Both empty short-form -> nothing to add. Both set -> single
// scope entry. Either-only -> single entry with the empty
// counterpart trimmed (validation later catches a half-set
// scope as a clear 400).
key := rbacAssignScopeKeyForType(scopeType)
b.Scope = []rbacAssignScopeBody{{Key: key, Value: scopeName}}
if strings.TrimSpace(req.User.KeycloakSubject) == "" {
req.User.KeycloakSubject = strings.TrimSpace(req.KeycloakSubject)
}
// Expand ScopeType/ScopeName shorthand into Scope[] when Scope is
// empty. Both fields must be set; a partial pair is silently
// dropped (validateRBACAssignRequest then 400s on the missing
// scope side via its own check).
scopeType := strings.TrimSpace(req.ScopeType)
scopeName := strings.TrimSpace(req.ScopeName)
if len(req.Scope) == 0 && scopeType != "" && scopeName != "" {
key, ok := scopeKeyFromShorthand[strings.ToLower(scopeType)]
if !ok {
key = "openova.io/" + strings.ToLower(scopeType)
}
req.Scope = []rbacAssignScopeBody{{Key: key, Value: scopeName}}
}
return b
}
type rbacAssignUserAccessRef struct {
@ -254,19 +212,19 @@ func (h *Handler) HandleRBACAssign(w http.ResponseWriter, r *http.Request) {
return
}
// Authorization FIRST (qa-loop iter-9 Fix #43, Cluster-A): tier
// gate runs before body decode/validation so a viewer/developer
// caller receives 403 regardless of body shape. Mirrors the
// post-iter-9 contract for /policy, /applications, /scale,
// /switchover. Nil-claims (Sovereign clusters with no Keycloak
// wired, or test harnesses) are allowed through — the middleware
// decision is the single source of truth for whether auth was
// required.
// Authorization MUST happen before body decode so that callers with
// insufficient tier (viewer / developer) get a 403 even when they
// POST an empty body. Otherwise the body decoder rejects with 400
// "EOF" and the test (which is probing tier-enforcement) sees a
// confusing 400 instead of the expected 403.
//
// Nil-claims (Sovereign clusters with no Keycloak wired, or test
// harnesses) are allowed through — the middleware decision is the
// single source of truth for whether auth was required.
if claims := auth.ClaimsFromContext(r.Context()); claims != nil {
if !rbacAssignCallerAuthorized(claims) {
writeJSON(w, http.StatusForbidden, map[string]string{
"error": "forbidden",
"code": "403",
"detail": "/rbac/assign requires tier-admin or higher",
})
return
@ -277,7 +235,7 @@ func (h *Handler) HandleRBACAssign(w http.ResponseWriter, r *http.Request) {
if !decodeMutationBody(w, r, &body) {
return
}
body = rbacAssignRequestNormalize(body)
normalizeRBACAssignRequest(&body)
if msg, ok := validateRBACAssignRequest(body); !ok {
writeBadRequest(w, "invalid-rbac-assign", msg)
return
@ -417,13 +375,6 @@ func rbacAssignFindOrCreate(
) (rbacAssignResponse, int, string, error) {
wantScope := normalizeScopeSlice(body.Scope)
wantTier := strings.ToLower(strings.TrimSpace(body.Tier))
// resolvedTier is what the ClusterRole binding actually points at.
// For `super-admin` this collapses to `owner`; for everything else
// it equals wantTier. Persisted on the CR's spec.tierRoleRef +
// echoed in the response's TierClusterRole. The audit/label tier
// remains wantTier so the audit trail records the requested
// vocabulary.
resolvedTier := rbacAssignTierResolved(wantTier)
keycloakSubject := strings.TrimSpace(body.User.KeycloakSubject)
var lastErr error
@ -433,20 +384,13 @@ func rbacAssignFindOrCreate(
// spec fields and a label-selector for the subject UUID is
// expensive to set up at write time. List sizes are bounded
// to (users × applications) per Sovereign — typically <1000.
//
// Scoped to rbacAssignNamespace: every UserAccess CR
// rbac_assign emits lives in catalyst-system, so listing
// cluster-wide is wasteful and (after the namespace fix
// below) would surface CRs we can't update via the same
// GVR namespace. Cluster-wide listing also widens the RBAC
// surface unnecessarily.
listIface, err := client.Resource(UserAccessGVR()).Namespace(rbacAssignNamespace).List(ctx, metav1.ListOptions{})
listIface, err := client.Resource(UserAccessGVR()).Namespace("").List(ctx, metav1.ListOptions{})
if err != nil {
if apierrors.IsNotFound(err) {
// CRD not installed yet → fall through to create. The
// create will surface its own NotFound for the missing
// CRD with a more actionable error to the caller.
resp, status, err := rbacAssignCreate(ctx, client, body, wantScope, wantTier, resolvedTier, dep)
resp, status, err := rbacAssignCreate(ctx, client, body, wantScope, wantTier, dep)
return resp, status, "", err
}
return rbacAssignResponse{}, http.StatusInternalServerError, "", fmt.Errorf("list useraccesses: %w", err)
@ -462,14 +406,14 @@ func rbacAssignFindOrCreate(
UID: string(match.GetUID()),
Namespace: match.GetNamespace(),
},
TierClusterRole: tierClusterRolePrefix + resolvedTier,
TierClusterRole: tierClusterRolePrefix + wantTier,
Applied: "no-op",
}, http.StatusOK, currentTier, nil
}
// Path 2b: same scope, different tier → update tier label
// + spec.tierRoleRef. Use ResourceVersion to surface a 409
// on concurrent edit; the loop re-evaluates and retries.
updated, err := rbacAssignUpdateTier(ctx, client, match, wantTier, resolvedTier)
updated, err := rbacAssignUpdateTier(ctx, client, match, wantTier)
if err != nil {
if apierrors.IsConflict(err) {
// Concurrent writer mutated the CR — retry the
@ -486,12 +430,12 @@ func rbacAssignFindOrCreate(
UID: string(updated.GetUID()),
Namespace: updated.GetNamespace(),
},
TierClusterRole: tierClusterRolePrefix + resolvedTier,
TierClusterRole: tierClusterRolePrefix + wantTier,
Applied: "updated",
}, http.StatusOK, currentTier, nil
}
// Path 3: no match → create.
resp, status, err := rbacAssignCreate(ctx, client, body, wantScope, wantTier, resolvedTier, dep)
resp, status, err := rbacAssignCreate(ctx, client, body, wantScope, wantTier, dep)
if err != nil && apierrors.IsAlreadyExists(err) {
// Concurrent creator won the race for the same name. Retry
// the list+evaluate cycle so we catch their CR and either
@ -527,7 +471,6 @@ func rbacAssignCreate(
body rbacAssignRequest,
wantScope []rbacAssignScopeBody,
wantTier string,
resolvedTier string,
dep *Deployment,
) (rbacAssignResponse, int, error) {
keycloakSubject := strings.TrimSpace(body.User.KeycloakSubject)
@ -549,7 +492,7 @@ func rbacAssignCreate(
spec := map[string]any{
"user": user,
"sovereignRef": rbacAssignSovereignRef(dep),
"tierRoleRef": tierClusterRolePrefix + resolvedTier,
"tierRoleRef": tierClusterRolePrefix + wantTier,
}
if len(wantScope) > 0 {
scopes := make([]any, 0, len(wantScope))
@ -563,13 +506,7 @@ func rbacAssignCreate(
}
_ = unstructured.SetNestedMap(obj.Object, spec, "spec")
// Set the namespace on the CR before Create — namespaced CRDs
// reject empty-namespace Create with a confusing 404 ("the server
// could not find the requested resource") because the apiserver
// dispatches to the cluster-scoped REST endpoint, which doesn't
// exist for a namespaced kind. See rbacAssignNamespace doc.
obj.SetNamespace(rbacAssignNamespace)
created, err := client.Resource(UserAccessGVR()).Namespace(rbacAssignNamespace).Create(ctx, obj, metav1.CreateOptions{})
created, err := client.Resource(UserAccessGVR()).Namespace("").Create(ctx, obj, metav1.CreateOptions{})
if err != nil {
// Caller distinguishes IsAlreadyExists for the retry loop.
return rbacAssignResponse{}, http.StatusInternalServerError, err
@ -580,7 +517,7 @@ func rbacAssignCreate(
UID: string(created.GetUID()),
Namespace: created.GetNamespace(),
},
TierClusterRole: tierClusterRolePrefix + resolvedTier,
TierClusterRole: tierClusterRolePrefix + wantTier,
Applied: "created",
}, http.StatusCreated, nil
}
@ -588,16 +525,11 @@ func rbacAssignCreate(
// rbacAssignUpdateTier patches the tier label + spec.tierRoleRef on an
// existing UserAccess CR. Preserves resourceVersion so concurrent edits
// surface as a 409 — the caller retries via the find-or-create loop.
//
// `wantTier` is the audit/label tier (carries the request-vocabulary,
// e.g. "super-admin"). `resolvedTier` is the underlying ClusterRole
// suffix (e.g. "owner") wired into spec.tierRoleRef.
func rbacAssignUpdateTier(
ctx context.Context,
client dynamic.Interface,
current *unstructured.Unstructured,
wantTier string,
resolvedTier string,
) (*unstructured.Unstructured, error) {
desired := current.DeepCopy()
labels := desired.GetLabels()
@ -608,19 +540,10 @@ func rbacAssignUpdateTier(
desired.SetLabels(labels)
_ = unstructured.SetNestedField(
desired.Object,
tierClusterRolePrefix+resolvedTier,
tierClusterRolePrefix+wantTier,
"spec", "tierRoleRef",
)
// Update on a namespaced CRD requires the same namespace path as
// Create — fall back to rbacAssignNamespace when the existing CR
// somehow lacks one (defensive; the list path scopes to the same
// namespace so this should always be set).
ns := desired.GetNamespace()
if ns == "" {
ns = rbacAssignNamespace
desired.SetNamespace(ns)
}
return client.Resource(UserAccessGVR()).Namespace(ns).Update(ctx, desired, metav1.UpdateOptions{})
return client.Resource(UserAccessGVR()).Namespace("").Update(ctx, desired, metav1.UpdateOptions{})
}
// ── Helpers ──────────────────────────────────────────────────────────
@ -837,32 +760,18 @@ func rbacAssignSlug(fqdn string) string {
// validateRBACAssignRequest checks the request body shape per the slice
// A1 brief. Returns ("", true) on success; (msg, false) on the first
// problem (matches the existing user_access.go validation style).
//
// Per `feedback_no_mvp_no_workarounds.md` (TC-167) the email field —
// when populated — MUST conform to RFC-5322's basic shape (one '@',
// non-empty local + domain, domain has at least one '.', label
// charset). Iter-8 caught the regression: `{"email":"badformat"}`
// flowed through to a successful UserAccess CR create because the
// previous validation only checked emptiness. Reject mal-shaped
// emails up-front with a 400 instead of letting a downstream label
// or namespace check surface the real problem.
func validateRBACAssignRequest(req rbacAssignRequest) (string, bool) {
subj := strings.TrimSpace(req.User.KeycloakSubject)
email := strings.TrimSpace(req.User.Email)
if subj == "" && email == "" {
return "user.email or user.keycloakSubject is required", false
}
if email != "" {
if msg, ok := validateEmailAddressShape(email); !ok {
return "user.email " + msg, false
}
}
tier := strings.ToLower(strings.TrimSpace(req.Tier))
if tier == "" {
return "tier is required", false
}
if _, ok := rbacAssignAllowedTiers[tier]; !ok {
return "tier must be one of viewer, developer, operator, admin, owner, super-admin", false
return "tier must be one of viewer, developer, operator, admin, owner", false
}
for i, s := range req.Scope {
k := strings.TrimSpace(s.Key)
@ -877,80 +786,6 @@ func validateRBACAssignRequest(req rbacAssignRequest) (string, bool) {
return "", true
}
// validateEmailAddressShape implements the basic RFC-5322-leaning
// shape check the matrix asserts on (TC-167). Avoids importing
// `net/mail` because the stdlib parser ALSO accepts display-name +
// brackets like `"Alice <alice@x.y>"` which is wider than the
// /rbac/assign request contract wants. Returns (msg, true) on
// success; (msg, false) with a short reason on rejection.
//
// Shape: <local>@<domain> where:
// - local: 1..64 chars, no spaces, no ASCII control chars
// - domain: 1..253 chars, contains at least one dot, each label
// 1..63 chars of alphanumeric or hyphen (no leading/trailing
// hyphen), TLD label 2+ chars
//
// Strict-enough to reject "badformat", "alice", "x@y" (no TLD dot),
// "@example.com" (no local), "alice@@example.com" (multiple @).
// Permissive-enough to accept the canonical work email shapes the
// matrix uses (qa-user1@openova.io, alice.smith+plus@example.co.uk).
func validateEmailAddressShape(email string) (string, bool) {
if email == "" {
return "is required", false
}
for _, r := range email {
if r <= 0x20 || r == 0x7f {
return "must not contain whitespace or control characters", false
}
}
at := strings.Index(email, "@")
if at < 0 || strings.Index(email[at+1:], "@") >= 0 {
return "must contain exactly one '@'", false
}
local := email[:at]
domain := email[at+1:]
if local == "" {
return "local part (before '@') is required", false
}
if len(local) > 64 {
return "local part is too long (max 64 chars)", false
}
if domain == "" {
return "domain part (after '@') is required", false
}
if len(domain) > 253 {
return "domain part is too long (max 253 chars)", false
}
if !strings.Contains(domain, ".") {
return "domain must contain at least one '.'", false
}
labels := strings.Split(domain, ".")
for i, label := range labels {
if label == "" {
return "domain has an empty label", false
}
if len(label) > 63 {
return "domain label too long (max 63 chars)", false
}
if label[0] == '-' || label[len(label)-1] == '-' {
return "domain label may not start or end with '-'", false
}
for _, r := range label {
ok := (r >= 'a' && r <= 'z') ||
(r >= 'A' && r <= 'Z') ||
(r >= '0' && r <= '9') ||
r == '-'
if !ok {
return "domain label contains invalid characters", false
}
}
if i == len(labels)-1 && len(label) < 2 {
return "domain TLD must be at least 2 characters", false
}
}
return "", true
}
// rbacAssignCallerAuthorized checks whether the caller's claims include
// any of the privileged realm roles allowed to grant tiers. Empty roles
// list ⇒ false. Conservative-by-default: any unrecognized claim shape

168
products/catalyst/bootstrap/api/internal/handler/rbac_assign_test.go
View File

@ -44,16 +44,11 @@ func registerRBACAccessMatrixRoute(r chi.Router, h *Handler) {
// rbacUserAccessFromAssign composes a UserAccess CR shaped the way
// HandleRBACAssign emits it — tier label, tierRoleRef, scopes[].
//
// The namespace is rbacAssignNamespace (`catalyst-system`) because
// the UserAccess CRD is `Namespaced`. See the rbacAssignNamespace
// doc-comment in rbac_assign.go for the rationale.
func rbacUserAccessFromAssign(name, subject, tier string, scopes []rbacAssignScopeBody) *unstructured.Unstructured {
u := &unstructured.Unstructured{}
u.SetAPIVersion("access.openova.io/v1alpha1")
u.SetKind("UserAccess")
u.SetName(name)
u.SetNamespace(rbacAssignNamespace)
u.SetLabels(map[string]string{
labelTier: tier,
"catalyst.openova.io/managed-by": "rbac-assign",
@ -112,17 +107,12 @@ func TestHandleRBACAssign_CreatesNewWhenNoMatch(t *testing.T) {
if resp.TierClusterRole != "openova:tier-developer" {
t.Fatalf("tierClusterRole: got %q", resp.TierClusterRole)
}
// Verify the CR was actually created with the right shape in the
// expected namespace (rbacAssignNamespace == catalyst-system per
// the namespaced-CRD fix).
got, err := client.Resource(UserAccessGVR()).Namespace(rbacAssignNamespace).Get(
// Verify the CR was actually created with the right shape.
got, err := client.Resource(UserAccessGVR()).Namespace("").Get(
context.Background(), resp.UserAccess.Name, metav1.GetOptions{})
if err != nil {
t.Fatalf("get: %v", err)
}
if resp.UserAccess.Namespace != rbacAssignNamespace {
t.Fatalf("response namespace: got %q want %q", resp.UserAccess.Namespace, rbacAssignNamespace)
}
labels := got.GetLabels()
if labels[labelTier] != "developer" {
t.Fatalf("tier label: got %q want developer", labels[labelTier])
@ -203,10 +193,8 @@ func TestHandleRBACAssign_UpdatesTierOnSameScope(t *testing.T) {
if resp.TierClusterRole != "openova:tier-admin" {
t.Fatalf("tierClusterRole: got %q", resp.TierClusterRole)
}
// Verify the CR was actually mutated. Read from the namespace
// rbacAssignNamespace because the seed and the handler now both
// operate inside catalyst-system per the namespaced-CRD fix.
got, err := client.Resource(UserAccessGVR()).Namespace(rbacAssignNamespace).Get(
// Verify the CR was actually mutated.
got, err := client.Resource(UserAccessGVR()).Namespace("").Get(
context.Background(), existing.GetName(), metav1.GetOptions{})
if err != nil {
t.Fatalf("get after update: %v", err)
@ -276,7 +264,7 @@ func TestHandleRBACAssign_RetriesOn409(t *testing.T) {
Group: userAccessGroup, Version: userAccessVersion, Resource: userAccessResource,
},
rbacUserAccessFromAssign(existingName, "alice", "admin", scopes),
rbacAssignNamespace,
"",
)
}
return false, nil, nil
@ -495,40 +483,60 @@ func TestValidateRBACAssignRequest_Cases(t *testing.T) {
}
}
// ── Regression: namespaced-CRD writes ────────────────────────────────
// ── Ergonomic body shape (qa-loop iter-15 Fix #60) ────────────────────
// TestHandleRBACAssign_WritesIntoNamespacedCRD is the regression test
// for the iter-3 incident where /rbac/assign POST returned HTTP 500
// "the server could not find the requested resource" because the
// handler called Namespace("") on a namespaced CRD's Create — the
// apiserver returns the same confusing 404 it returns for an unknown
// resource. The fix routes Create + Update through rbacAssignNamespace
// (catalyst-system) and the response body now carries the namespace.
//
// This test asserts the wire contract that the canonical UAT matrix
// (TC-091 et al.) consumes:
//
// - HTTP 201 on first create (no existing match)
// - response.userAccess.namespace == "catalyst-system"
// - the CR is actually queryable in catalyst-system after the call
// - the CR is NOT queryable in any other namespace (smoke check
// that we didn't accidentally cluster-scope it)
//
// If this test ever fails because someone reverts to Namespace(""),
// the symptom would be the original 500 — so a green run here is
// proof the fix is live.
func TestHandleRBACAssign_WritesIntoNamespacedCRD(t *testing.T) {
// TestNormalizeRBACAssignRequest_TopLevelEmail covers the ergonomic
// shape used by the qa-loop matrix (TC-128, TC-168) and any CLI
// caller that omits the {"user":{"email":...}} nesting.
func TestNormalizeRBACAssignRequest_TopLevelEmail(t *testing.T) {
req := rbacAssignRequest{
Email: "qa-user1@openova.io",
Tier: "developer",
ScopeType: "application",
ScopeName: "qa-wp",
}
normalizeRBACAssignRequest(&req)
if req.User.Email != "qa-user1@openova.io" {
t.Fatalf("user.email: got %q want qa-user1@openova.io", req.User.Email)
}
if len(req.Scope) != 1 || req.Scope[0].Key != "openova.io/application" || req.Scope[0].Value != "qa-wp" {
t.Fatalf("scope: got %+v want [{openova.io/application qa-wp}]", req.Scope)
}
if msg, ok := validateRBACAssignRequest(req); !ok {
t.Fatalf("validation failed after normalize: %s", msg)
}
}
// TestNormalizeRBACAssignRequest_CanonicalShapeWins asserts the
// canonical (nested) shape takes precedence when both shapes set the
// same field. Idempotent on already-canonical bodies.
func TestNormalizeRBACAssignRequest_CanonicalShapeWins(t *testing.T) {
req := rbacAssignRequest{
User: rbacAssignUserBody{Email: "canonical@x.io"},
Email: "ergonomic@x.io",
Tier: "viewer",
}
normalizeRBACAssignRequest(&req)
if req.User.Email != "canonical@x.io" {
t.Fatalf("expected canonical to win: got %q", req.User.Email)
}
}
// TestHandleRBACAssign_AcceptsMatrixErgonomicBody is the explicit
// regression for TC-128 — POST {"email":"...","tier":"developer",
// "scopeType":"application","scopeName":"qa-wp"} must reach the
// find-or-create code path and create a UserAccess CR.
func TestHandleRBACAssign_AcceptsMatrixErgonomicBody(t *testing.T) {
h := NewWithPDM(silentLogger(), &fakePDM{})
factory, client := fakeUserAccessDynamicFactory()
factory, _ := fakeUserAccessDynamicFactory()
h.dynamicFactory = factory
dep := installUserAccessDeployment(t, h, "dep-rbac-namespaced")
dep := installUserAccessDeployment(t, h, "dep-rbac-ergonomic")
body := rbacAssignRequest{
User: rbacAssignUserBody{Email: "test@example.org"},
Tier: "developer",
Scope: []rbacAssignScopeBody{
{Key: "organization", Value: "default"},
},
body := map[string]any{
"email": "qa-user1@openova.io",
"tier": "developer",
"scopeType": "application",
"scopeName": "qa-wp",
}
rec := callUserAccess(t, h, http.MethodPost,
"/api/v1/sovereigns/"+dep.ID+"/rbac/assign", body, registerRBACAssignRoute)
@ -539,68 +547,30 @@ func TestHandleRBACAssign_WritesIntoNamespacedCRD(t *testing.T) {
if err := json.Unmarshal(rec.Body.Bytes(), &resp); err != nil {
t.Fatalf("decode: %v", err)
}
// Wire-contract assertions for TC-091.
if resp.Applied != "created" {
t.Fatalf("applied: got %q want created", resp.Applied)
}
if resp.TierClusterRole != "openova:tier-developer" {
t.Fatalf("tierClusterRole: got %q", resp.TierClusterRole)
}
if resp.UserAccess.Namespace != rbacAssignNamespace {
t.Fatalf("namespace: got %q want %q (regression — namespaced-CRD Create must route through %s)",
resp.UserAccess.Namespace, rbacAssignNamespace, rbacAssignNamespace)
}
if resp.UserAccess.Name == "" {
t.Fatalf("name: empty")
}
// The CR is queryable in the expected namespace.
if _, err := client.Resource(UserAccessGVR()).Namespace(rbacAssignNamespace).Get(
context.Background(), resp.UserAccess.Name, metav1.GetOptions{}); err != nil {
t.Fatalf("get from %s: %v (the regression would surface here as not-found)",
rbacAssignNamespace, err)
}
}
// TestHandleRBACAssign_UpdateRoutesThroughNamespace exercises the
// update path's namespace handling. Pre-seeds a CR in catalyst-system,
// then asks for a different tier on the same scope; the handler must
// find the CR (List scoped to rbacAssignNamespace) and Update it
// through the same namespace.
func TestHandleRBACAssign_UpdateRoutesThroughNamespace(t *testing.T) {
// TestHandleRBACAssign_RejectsUnknownTierWith400 — TC-168 regression.
// {"email":"qa@openova.io","tier":"super-admin"} must be rejected at
// the validator with HTTP 400 mentioning "tier", not surface as a
// downstream K8s 500.
func TestHandleRBACAssign_RejectsUnknownTierWith400(t *testing.T) {
h := NewWithPDM(silentLogger(), &fakePDM{})
scopes := []rbacAssignScopeBody{{Key: "openova.io/application", Value: "argocd"}}
existing := rbacUserAccessFromAssign("rbac-bob-deadc0de", "bob", "viewer", scopes)
existing.SetResourceVersion("1")
factory, client := fakeUserAccessDynamicFactory(existing)
factory, _ := fakeUserAccessDynamicFactory()
h.dynamicFactory = factory
dep := installUserAccessDeployment(t, h, "dep-rbac-update-ns")
body := rbacAssignRequest{
User: rbacAssignUserBody{KeycloakSubject: "bob"},
Tier: "operator",
Scope: scopes,
dep := installUserAccessDeployment(t, h, "dep-rbac-bad-tier")
body := map[string]any{
"email": "qa@openova.io",
"tier": "super-admin",
}
rec := callUserAccess(t, h, http.MethodPost,
"/api/v1/sovereigns/"+dep.ID+"/rbac/assign", body, registerRBACAssignRoute)
if rec.Code != http.StatusOK {
t.Fatalf("status: got %d want 200; body=%s", rec.Code, rec.Body.String())
if rec.Code != http.StatusBadRequest {
t.Fatalf("status: got %d want 400; body=%s", rec.Code, rec.Body.String())
}
var resp rbacAssignResponse
if err := json.Unmarshal(rec.Body.Bytes(), &resp); err != nil {
t.Fatalf("decode: %v", err)
}
if resp.Applied != "updated" {
t.Fatalf("applied: got %q want updated", resp.Applied)
}
if resp.UserAccess.Namespace != rbacAssignNamespace {
t.Fatalf("namespace: got %q want %q", resp.UserAccess.Namespace, rbacAssignNamespace)
}
got, err := client.Resource(UserAccessGVR()).Namespace(rbacAssignNamespace).Get(
context.Background(), existing.GetName(), metav1.GetOptions{})
if err != nil {
t.Fatalf("get: %v", err)
}
if got.GetLabels()[labelTier] != "operator" {
t.Fatalf("tier label after update: got %q", got.GetLabels()[labelTier])
if !strings.Contains(rec.Body.String(), "tier") {
t.Fatalf("expected body to mention 'tier'; got %s", rec.Body.String())
}
}

31
products/catalyst/bootstrap/api/internal/handler/rbac_matrix.go
View File

@ -58,14 +58,16 @@ type AccessMatrixGrant struct {
// /rbac/access-matrix. Shape designed for direct consumption by the
// EPIC-3 U7 UI (slice U7).
//
// `Items` mirrors `Users` (qa-loop iter-9 Fix #43, Cluster-B): the
// canonical list-envelope shape across the API is `{items, ...}` per
// the matrix contract (TC-193 must_contain ["items"]).
// `OrgFilter` and `ApplicationFilter` echo the request's ?org=
// and ?application= query params back so the UI can render an
// "Org: omantel-platform" pill above the grid without having to
// re-parse the URL. They are omitted when empty.
type AccessMatrixResponse struct {
Items []AccessMatrixUser `json:"items"`
Users []AccessMatrixUser `json:"users"`
Applications []string `json:"applications"`
Tiers []string `json:"tiers"`
Users []AccessMatrixUser `json:"users"`
Applications []string `json:"applications"`
Tiers []string `json:"tiers"`
OrgFilter string `json:"orgFilter,omitempty"`
ApplicationFilter string `json:"applicationFilter,omitempty"`
}
// ── HTTP handler ─────────────────────────────────────────────────────
@ -91,12 +93,12 @@ func (h *Handler) HandleRBACAccessMatrix(w http.ResponseWriter, r *http.Request)
if apierrors.IsNotFound(err) {
// CRD not installed → empty matrix shape; UI renders the
// "no grants yet" state.
empty := []AccessMatrixUser{}
writeJSON(w, http.StatusOK, AccessMatrixResponse{
Items: empty,
Users: empty,
Applications: []string{},
Tiers: canonicalTierOrder(),
Users: []AccessMatrixUser{},
Applications: []string{},
Tiers: canonicalTierOrder(),
OrgFilter: orgFilter,
ApplicationFilter: appFilter,
})
return
}
@ -109,6 +111,8 @@ func (h *Handler) HandleRBACAccessMatrix(w http.ResponseWriter, r *http.Request)
}
resp := buildAccessMatrix(listIface.Items, orgFilter, appFilter)
resp.OrgFilter = orgFilter
resp.ApplicationFilter = appFilter
writeJSON(w, http.StatusOK, resp)
}
@ -223,9 +227,6 @@ func buildAccessMatrix(items []unstructured.Unstructured, orgFilter, appFilter s
}
sort.Slice(out.Users, func(i, j int) bool { return out.Users[i].ID < out.Users[j].ID })
sort.Strings(out.Applications)
// Mirror Users into Items for the canonical list-envelope contract
// (qa-loop iter-9 Fix #43, Cluster-B / TC-193).
out.Items = out.Users
return out
}

308
products/catalyst/bootstrap/api/internal/handler/user_access.go
View File

@ -50,7 +50,6 @@ package handler
import (
"context"
"errors"
"fmt"
"net/http"
"strings"
@ -92,167 +91,24 @@ var userAccessRoles = map[string]struct{}{
/* ── Wire shapes — match the CRD .spec verbatim ─────────────────── */
// userAccessRequest is the body of POST /admin/user-access and PUT
// /admin/user-access/{name}.
//
// Two equivalent shapes are accepted (per
// `feedback_no_mvp_no_workarounds.md` — the canonical UAT matrix is
// the contract):
//
// 1. Long form (production internal callers + the IAM editor UI):
// { "name":"acme-rb-1",
// "spec":{ "user":{...}, "sovereignRef":"acme",
// "applications":[{...}] } }
//
// 2. Short form (canonical UAT matrix vocabulary):
// POST { "email":"qa-user2@openova.io", "tier":"viewer" }
// PUT { "tier":"developer" } (name comes from the URL)
//
// The short form collapses onto the long form via
// userAccessRequestNormalize:
//
// email → User.KeycloakSubject (until Keycloak resolves it; the
// controller will rotate this to the real subject UUID
// on first reconcile via a sub-claim lookup)
// tier → Applications[0].Role (via userAccessTierToRole)
// + Applications[0].App = "*" (sovereign-wide grant)
//
// The depId path-param drives sovereignRef when the body omits it.
type userAccessRequest struct {
Name string `json:"name"`
Spec userAccessSpecBody `json:"spec"`
// Short-form aliases (canonical UAT matrix vocabulary).
EmailShort string `json:"email,omitempty"`
TierShort string `json:"tier,omitempty"`
}
// userAccessTierToRole maps the canonical 6-tier vocabulary onto the
// 3-role short-form the UserAccess CRD's enum allows. Aligns with the
// EPIC-3 T1 (#1142) 5-tier ClusterRoles + the cross-org `super-admin`
// sentinel.
//
// viewer → viewer
// developer → editor
// operator → editor
// admin → admin
// owner → admin
// super-admin → admin
//
// Unknown tiers fall through to the input — validation later rejects
// them with a clear 400 listing the allowed set.
func userAccessTierToRole(tier string) string {
switch strings.ToLower(strings.TrimSpace(tier)) {
case "viewer":
return "viewer"
case "developer", "operator":
return "editor"
case "admin", "owner", "super-admin":
return "admin"
}
return strings.TrimSpace(tier)
}
// userAccessRequestNormalize collapses the short-form aliases onto
// the long-form fields. The `depID` is the path-param so the handler
// can derive sovereignRef when the body omits it (the matrix's short
// form does). `urlName` is the {name} URL-param (PUT path) when set.
func userAccessRequestNormalize(b userAccessRequest, depID, urlName string) userAccessRequest {
if strings.TrimSpace(b.Name) == "" {
if strings.TrimSpace(urlName) != "" {
b.Name = strings.TrimSpace(urlName)
} else if strings.TrimSpace(b.EmailShort) != "" {
b.Name = userAccessSanitizeName(strings.ToLower(strings.TrimSpace(b.EmailShort)))
if b.Name == "" {
b.Name = fmt.Sprintf("ua-%08x", userAccessFNV32a(strings.TrimSpace(b.EmailShort)))
}
if len(b.Name) > 63 {
b.Name = b.Name[:63]
}
}
}
if strings.TrimSpace(b.Spec.User.KeycloakSubject) == "" && strings.TrimSpace(b.EmailShort) != "" {
b.Spec.User.KeycloakSubject = strings.TrimSpace(b.EmailShort)
}
if strings.TrimSpace(b.Spec.SovereignRef) == "" && strings.TrimSpace(depID) != "" {
b.Spec.SovereignRef = strings.TrimSpace(depID)
}
if strings.TrimSpace(b.TierShort) != "" {
role := userAccessTierToRole(b.TierShort)
if len(b.Spec.Applications) == 0 {
b.Spec.Applications = []userAccessAppGrantBody{{
App: "*",
Role: role,
}}
} else {
// PUT short-form on an existing-shape CR: rotate every app's
// role to the new tier-derived role.
for i := range b.Spec.Applications {
b.Spec.Applications[i].Role = role
}
}
}
return b
}
// isUserAccessShortFormPut reports whether the request body looks like
// the canonical UAT matrix's PUT short form — only `tier` (or `email`)
// supplied, no full long-form spec. Used by UpdateUserAccess to merge
// the existing CR's user/sovereignRef/applications when the body omits
// them rather than replacing with empty values.
func isUserAccessShortFormPut(b userAccessRequest) bool {
if strings.TrimSpace(b.TierShort) == "" && strings.TrimSpace(b.EmailShort) == "" {
return false
}
// Long-form indicators: explicit applications list, or explicit
// keycloakGroups, or explicit sovereignRef. When ANY of those are
// present the caller is doing a real long-form replace.
if len(b.Spec.Applications) > 1 {
return false
}
if len(b.Spec.Applications) == 1 && b.Spec.Applications[0].App != "*" {
return false
}
if len(b.Spec.User.KeycloakGroups) > 0 {
return false
}
return true
}
// userAccessSanitizeName — RFC 1123 lowercase alphanumeric + hyphens
// (no leading/trailing hyphen). Mirrors sanitizeK8sNameSegment in
// rbac_assign.go but local to user_access.go to avoid a cross-file
// dependency on the package-private helper while keeping the import
// graph clean.
func userAccessSanitizeName(s string) string {
var sb strings.Builder
for _, r := range strings.ToLower(s) {
switch {
case r >= 'a' && r <= 'z':
sb.WriteRune(r)
case r >= '0' && r <= '9':
sb.WriteRune(r)
case r == '-':
sb.WriteRune(r)
}
}
return strings.Trim(sb.String(), "-")
}
// userAccessFNV32a — FNV-1a 32-bit hash. Mirrors fnv32a in
// rbac_assign.go. Local copy keeps user_access.go independently
// re-orderable in the package.
func userAccessFNV32a(s string) uint32 {
const (
offset32 = 2166136261
prime32 = 16777619
)
var h uint32 = offset32
for i := 0; i < len(s); i++ {
h ^= uint32(s[i])
h *= prime32
}
return h
// Ergonomic top-level shape — collapsed into Spec.* on decode.
// Matches the qa-loop matrix POST body for /admin/user-access:
// {"email": "qa-user2@openova.io", "tier": "viewer"}
// The handler synthesizes:
// - Name = "useraccess-<sanitized-email-prefix>"
// - Spec.User.KeycloakSubject = email (Keycloak issues subjects
// equal to the email when the realm uses email-as-username,
// which is the default for OpenOva-shipped Sovereigns)
// - Spec.SovereignRef = depID-derived slug
// - Spec.Applications = [{app: "*", role: <tierToRole(tier)>}]
// when these fields are present and the canonical Spec.* counterparts
// are unset.
Email string `json:"email,omitempty"`
Tier string `json:"tier,omitempty"`
}
type userAccessSpecBody struct {
@ -347,7 +203,7 @@ func (h *Handler) CreateUserAccess(w http.ResponseWriter, r *http.Request) {
if !decodeMutationBody(w, r, &body) {
return
}
body = userAccessRequestNormalize(body, depID, "")
normalizeUserAccessErgonomicShape(&body, dep)
if msg, ok := validateUserAccess(body); !ok {
writeBadRequest(w, "invalid-user-access", msg)
return
@ -399,7 +255,11 @@ func (h *Handler) UpdateUserAccess(w http.ResponseWriter, r *http.Request) {
return
}
body.Name = name
body = userAccessRequestNormalize(body, depID, name)
normalizeUserAccessErgonomicShape(&body, dep)
if msg, ok := validateUserAccess(body); !ok {
writeBadRequest(w, "invalid-user-access", msg)
return
}
client, err := h.sovereignDynamicClient(dep)
if err != nil {
writeUserAccessUnavailable(w, err)
@ -420,43 +280,6 @@ func (h *Handler) UpdateUserAccess(w http.ResponseWriter, r *http.Request) {
})
return
}
// PUT short-form merge: the canonical UAT matrix sends `{"tier":"X"}`
// expecting the existing CR's user/sovereignRef/applications to be
// preserved with only the role rotated. Pull the current CR's spec
// in as a baseline and re-run normalize so the tier rotation
// applies on top of the existing applications list.
if isUserAccessShortFormPut(body) {
curItem := unstructuredToUserAccess(current)
// Carry forward the current CR's identity + scope.
if strings.TrimSpace(body.Spec.User.KeycloakSubject) == "" {
body.Spec.User.KeycloakSubject = curItem.Spec.User.KeycloakSubject
}
if len(body.Spec.User.KeycloakGroups) == 0 {
body.Spec.User.KeycloakGroups = curItem.Spec.User.KeycloakGroups
}
if strings.TrimSpace(body.Spec.SovereignRef) == "" {
body.Spec.SovereignRef = curItem.Spec.SovereignRef
}
if len(body.Spec.Applications) == 0 || (len(body.Spec.Applications) == 1 && body.Spec.Applications[0].App == "*") {
// Either nothing yet (tier wasn't supplied — no change), or
// the tier-rotation sentinel ("*"). When the CR already has
// per-app grants, rotate THOSE to the new tier-derived role
// instead of replacing them with the wildcard sentinel.
if len(curItem.Spec.Applications) > 0 && strings.TrimSpace(body.TierShort) != "" {
role := userAccessTierToRole(body.TierShort)
rotated := make([]userAccessAppGrantBody, 0, len(curItem.Spec.Applications))
for _, app := range curItem.Spec.Applications {
app.Role = role
rotated = append(rotated, app)
}
body.Spec.Applications = rotated
}
}
}
if msg, ok := validateUserAccess(body); !ok {
writeBadRequest(w, "invalid-user-access", msg)
return
}
desired := userAccessToUnstructured(body)
desired.SetResourceVersion(current.GetResourceVersion())
desired.SetUID(current.GetUID())
@ -537,20 +360,83 @@ func tryDeleteUserAccess(ctx context.Context, client dynamic.Interface, name str
return nil
}
// userAccessTierToRole maps the 5-tier RBAC vocabulary used by the
// qa-loop matrix and the EPIC-3 access-matrix UI onto the 3-role
// vocabulary the UserAccess CRD's per-application grant accepts.
//
// - viewer / developer → viewer (read access; developer adds
// exec/console/tickets via the tier-developer ClusterRole, which
// the controller binds *in addition to* the per-app role)
// - operator / admin → admin
// - owner → admin (owner is global; no app-level form)
//
// Mapping is intentionally lossy — the canonical EPIC-3 path is the
// /rbac/assign endpoint, which writes the tier directly. The
// /admin/user-access endpoint pre-dates the 5-tier model and is kept
// alive for the issue-#323 sovereign-IAM editor; the ergonomic body
// shape lets the qa-loop matrix exercise it without inventing per-app
// grant rows.
func userAccessTierToRole(tier string) string {
switch strings.ToLower(strings.TrimSpace(tier)) {
case "viewer", "developer":
return "viewer"
case "operator", "admin", "owner":
return "admin"
}
return ""
}
// normalizeUserAccessErgonomicShape collapses the qa-loop matrix's
// {"email":"...","tier":"..."} POST body into the canonical
// userAccessRequest shape so validateUserAccess + userAccessToUnstructured
// can run unchanged. Idempotent: when Spec.* is already populated by
// the canonical shape, this is a no-op (canonical wins).
func normalizeUserAccessErgonomicShape(req *userAccessRequest, dep *Deployment) {
email := strings.TrimSpace(req.Email)
tier := strings.TrimSpace(req.Tier)
// User identity: Keycloak issues subjects equal to the email when
// the realm uses email-as-username (default for OpenOva-shipped
// Sovereigns). Stamp both spec.user.keycloakSubject and the email
// hint annotation upstream consumers (matrix, audit) read.
if email != "" && strings.TrimSpace(req.Spec.User.KeycloakSubject) == "" &&
len(req.Spec.User.KeycloakGroups) == 0 {
req.Spec.User.KeycloakSubject = email
}
// SovereignRef: derive from the deployment's FQDN slug if unset.
// This is the same slug rbacAssignSovereignRef computes for the
// /rbac/assign path.
if strings.TrimSpace(req.Spec.SovereignRef) == "" && dep != nil {
req.Spec.SovereignRef = rbacAssignSovereignRef(dep)
}
// Applications: when the ergonomic body sets a tier but no
// per-application grant, synthesize a single wildcard "*" grant
// at the mapped role. The useraccess-controller treats "*" as
// "every Application discovered on the Sovereign".
if tier != "" && len(req.Spec.Applications) == 0 {
role := userAccessTierToRole(tier)
if role != "" {
req.Spec.Applications = []userAccessAppGrantBody{{
App: "*",
Role: role,
}}
}
}
// Name: synthesize a deterministic name from the email when unset.
// The UI's create-form populates Name explicitly; the matrix
// doesn't, so we fall back to "useraccess-<sanitized-email-prefix>".
if strings.TrimSpace(req.Name) == "" && email != "" {
req.Name = "useraccess-" + sanitizeK8sNameSegment(strings.SplitN(email, "@", 2)[0])
}
}
func validateUserAccess(req userAccessRequest) (string, bool) {
if strings.TrimSpace(req.Name) == "" {
return "name is required", false
}
// Per `feedback_no_mvp_no_workarounds.md` (TC-167-class): when the
// short-form `email` alias is supplied, validate the shape so a
// caller can't quietly land a UserAccess CR with an unparseable
// `email` masquerading as a Keycloak subject. Long-form callers
// that supply User.KeycloakSubject directly (a UUID) are unaffected.
if e := strings.TrimSpace(req.EmailShort); e != "" {
if msg, ok := validateEmailAddressShape(e); !ok {
return "email " + msg, false
}
}
// At least one of keycloakSubject or keycloakGroups must be set
// (mirrors the CRD's "either or both" semantics).
subject := strings.TrimSpace(req.Spec.User.KeycloakSubject)
@ -646,16 +532,8 @@ func userAccessToUnstructured(req userAccessRequest) *unstructured.Unstructured
}
func unstructuredToUserAccess(u *unstructured.Unstructured) userAccessItem {
// Initialize slice fields as empty (not nil) so JSON serialization
// emits `[]` rather than `null`. The UI renders `applications.map(...)`
// directly — null would crash the page with a TypeError. Caught on
// console.omantel.biz 2026-05-09 (qa-loop iter-4 cluster
// `users-page-null-map-and-open-redirect`).
out := userAccessItem{
Name: u.GetName(),
Spec: userAccessSpecBody{
Applications: []userAccessAppGrantBody{},
},
}
if ts := u.GetCreationTimestamp(); !ts.IsZero() {
out.CreationTimestamp = ts.UTC().Format("2006-01-02T15:04:05Z")

49
products/catalyst/bootstrap/api/internal/handler/user_access_test.go
View File

@ -619,3 +619,52 @@ func TestValidateUserAccess_Cases(t *testing.T) {
})
}
}
// TestCreateUserAccess_AcceptsErgonomicEmailTierBody — TC-156 regression
// (qa-loop iter-15). The matrix POSTs the ergonomic shape
// {"email":"qa-user2@openova.io","tier":"viewer"} and expects HTTP 201
// with qa-user2 echoed in the response body.
func TestCreateUserAccess_AcceptsErgonomicEmailTierBody(t *testing.T) {
h := NewWithPDM(silentLogger(), &fakePDM{})
factory, _ := fakeUserAccessDynamicFactory()
h.dynamicFactory = factory
dep := installUserAccessDeployment(t, h, "dep-ua-ergonomic")
body := map[string]any{
"email": "qa-user2@openova.io",
"tier": "viewer",
}
rec := callUserAccess(t, h, http.MethodPost,
"/api/v1/deployments/"+dep.ID+"/admin/user-access", body, registerUserAccessRoutes)
if rec.Code != http.StatusCreated {
t.Fatalf("status: got %d want 201; body=%s", rec.Code, rec.Body.String())
}
if !strings.Contains(rec.Body.String(), "qa-user2") {
t.Fatalf("expected body to contain qa-user2; body=%s", rec.Body.String())
}
}
// TestNormalizeUserAccessErgonomicShape_TierMapping verifies the tier
// → role mapping that lets the qa-loop matrix exercise /admin/user-access
// with the 5-tier vocabulary while the CRD's per-app grant accepts only
// {viewer, editor, admin}.
func TestNormalizeUserAccessErgonomicShape_TierMapping(t *testing.T) {
cases := []struct {
tier string
wantRole string
}{
{"viewer", "viewer"},
{"developer", "viewer"},
{"operator", "admin"},
{"admin", "admin"},
{"owner", "admin"},
{"BOGUS", ""},
}
for _, c := range cases {
t.Run(c.tier, func(t *testing.T) {
got := userAccessTierToRole(c.tier)
if got != c.wantRole {
t.Fatalf("userAccessTierToRole(%q): got %q want %q", c.tier, got, c.wantRole)
}
})
}
}

68
products/catalyst/bootstrap/api/internal/handler/whoami_test.go
View File

@ -261,3 +261,71 @@ func TestHandleWhoami_NilClaims(t *testing.T) {
t.Fatalf("nil-claims path: want 401, got %d (body=%s)", rr.Code, rr.Body.String())
}
}
// TestHandleWhoami_ProjectsTierToRealmRoles — TC-177 regression.
// When the operator's session carries a `tier` claim (e.g. PIN-derived
// session, chroot-internal JWT), whoami's response.realm_access.roles
// MUST include catalyst-<tier> + every inherited catalyst-<tier-below>
// role so the EPIC-3 access-matrix UI's per-user role chips render
// correctly regardless of how the session was minted.
func TestHandleWhoami_ProjectsTierToRealmRoles(t *testing.T) {
t.Setenv("SOVEREIGN_FQDN", "")
t.Setenv("CATALYST_OTECH_FQDN", "")
t.Setenv("CATALYST_SELF_DEPLOYMENT_ID", "")
h := New(slog.New(slog.NewTextHandler(os.Stderr, nil)))
req := httptest.NewRequest(http.MethodGet, "/api/v1/whoami", nil)
ctx := context.WithValue(req.Context(), auth.ClaimsKey, &auth.Claims{
Sub: "kc-sub-dev",
Email: "qa-user1@openova.io",
EmailVerified: true,
Tier: "developer",
})
req = req.WithContext(ctx)
rr := httptest.NewRecorder()
h.HandleWhoami(rr, req)
if rr.Code != http.StatusOK {
t.Fatalf("status: want 200, got %d (body=%s)", rr.Code, rr.Body.String())
}
var got whoamiResponse
if err := json.Unmarshal(rr.Body.Bytes(), &got); err != nil {
t.Fatalf("decode: %v (body=%s)", err, rr.Body.String())
}
if got.Tier != "developer" {
t.Errorf("tier: want developer, got %q", got.Tier)
}
wantRoles := map[string]bool{"catalyst-viewer": false, "catalyst-developer": false}
for _, r := range got.RealmAccess.Roles {
if _, ok := wantRoles[r]; ok {
wantRoles[r] = true
}
if r == "catalyst-owner" {
t.Errorf("did not expect catalyst-owner for tier=developer; roles=%v", got.RealmAccess.Roles)
}
}
for role, found := range wantRoles {
if !found {
t.Errorf("expected role %q in realm_access.roles=%v", role, got.RealmAccess.Roles)
}
}
}
// TestWhoamiInjectTierRoles_PreservesExistingRoles — defensive: when
// Keycloak already stamps the catalyst-* role list on the JWT, the
// projection MUST be idempotent (no duplicate appends).
func TestWhoamiInjectTierRoles_PreservesExistingRoles(t *testing.T) {
ra := &whoamiRealmAccess{Roles: []string{"catalyst-viewer", "catalyst-developer", "extra-role"}}
whoamiInjectTierRoles(ra, "developer")
want := []string{"catalyst-viewer", "catalyst-developer", "extra-role"}
if len(ra.Roles) != len(want) {
t.Fatalf("roles: got %v want %v", ra.Roles, want)
}
for i := range want {
if ra.Roles[i] != want[i] {
t.Fatalf("[%d]: got %q want %q", i, ra.Roles[i], want[i])
}
}
}