RHINENG-21230: update Kessel middleware after v2 permission changes

Author: Dugowitch

manager/middlewares/kessel.go

@@ -1,31 +1,22 @@
 package middlewares
 
 import (
-	"app/base/rbac"
 	"app/base/utils"
 	"context"
 	"fmt"
 	"io"
 	"net/http"
 	"strings"
 
-	"github.com/bytedance/sonic"
 	"github.com/gin-gonic/gin"
 	"github.com/pkg/errors"
 	"github.com/redhatinsights/platform-go-middlewares/identity"
-	log "github.com/sirupsen/logrus"
 	"google.golang.org/grpc"
 
 	"github.com/project-kessel/kessel-sdk-go/kessel/auth"
 	kesselv2 "github.com/project-kessel/kessel-sdk-go/kessel/inventory/v1beta2"
 )
 
-var granularPermissions = map[string]string{
-	"TemplateSystemsUpdateHandler": "patch_template_edit",
-	"TemplateSystemsDeleteHandler": "patch_template_edit",
-	"SystemDeleteHandler":          "patch_system_edit",
-}
-
 var credentials = auth.NewOAuth2ClientCredentials(
 	utils.CoreCfg.KesselAuthClientID,
 	utils.CoreCfg.KesselAuthClientSecret,
@@ -72,102 +63,30 @@ func processWorkspaces(workspaces []*kesselv2.StreamedListObjectsResponse) (map[
 	return map[string]string{utils.KeyGrouped: fmt.Sprintf("{%s}", strings.Join(groups, ","))}, nil
 }
 
-func getToken(ctx context.Context) (string, error) {
-	tokenReqCtx, tokenCtxCancel := context.WithCancel(ctx)
-	defer tokenCtxCancel()
-	res, err := credentials.GetToken(tokenReqCtx, auth.GetTokenOptions{})
-	if err != nil {
-		return "", err
-	}
-	return res.AccessToken, nil
-}
-
-func getDefaultWorkspaceID(ctx context.Context, xrhid *identity.XRHID) (string, error) {
-	workspaceReqCtx, workspaceCtxCancel := context.WithCancel(ctx)
-	defer workspaceCtxCancel()
-
-	req, err := http.NewRequestWithContext(
-		workspaceReqCtx, http.MethodGet, utils.CoreCfg.RbacURL+"/v2/workspaces/?type=default", nil)
-	if err != nil {
-		return "", errors.Wrap(err, "Failed to create a request for default workspaceID")
-	}
-	req.Header.Add("x-rh-rbac-org-id", xrhid.Identity.OrgID)
-
-	if utils.CoreCfg.KesselAuthEnabled {
-		token, err := getToken(workspaceReqCtx)
-		if err != nil {
-			return "", errors.Wrap(err, "Request for RBAC token failed")
-		}
-		req.Header.Add("authorization", fmt.Sprintf("Bearer %s", token))
-	}
-
-	httpRes, err := utils.CallAPI(&http.Client{}, req, log.IsLevelEnabled(log.TraceLevel))
-	if err != nil {
-		if httpRes != nil && httpRes.Body != nil {
-			httpRes.Body.Close()
-		}
-		return "", errors.Wrap(err, "Request failed")
-	}
-
-	var res rbac.DefaultWorkspaceResponse
-	err = sonic.ConfigDefault.NewDecoder(httpRes.Body).Decode(&res)
-	if err != nil && err != io.EOF {
-		return "", errors.Wrap(err, "Response body reading failed")
+func buildPermission(c *gin.Context) string {
+	permission := "patch_system_"
+	nameSplit := strings.Split(c.HandlerName(), ".")
+	handlerName := nameSplit[len(nameSplit)-1]
+	if strings.HasPrefix(handlerName, "Template") {
+		permission = "patch_template_"
 	}
 
-	if len(res.Data) != 1 {
-		return "", errors.New("RBAC returned an unexpected number of default workspaces")
+	switch c.Request.Method {
+	case http.MethodGet, http.MethodPost:
+		permission += "view"
+	case http.MethodPatch, http.MethodPut, http.MethodDelete:
+		permission += "edit"
 	}
 
-	return res.Data[0].ID, nil
+	return permission
 }
 
-func useCheckForUpdate(
+func useStreamedListObjects(
 	c *gin.Context, client kesselv2.KesselInventoryServiceClient, xrhid *identity.XRHID, permission string,
-) error {
-	checkReqCtx, checkCtxCancel := context.WithCancel(c)
-	defer checkCtxCancel()
-
-	workspaceID, err := getDefaultWorkspaceID(checkReqCtx, xrhid)
-	if err != nil {
-		return errors.Wrap(err, "could not get default workspaceID")
-	}
-
-	res, err := client.CheckForUpdate(checkReqCtx, &kesselv2.CheckForUpdateRequest{
-		Object: &kesselv2.ResourceReference{
-			ResourceType: "workspace",
-			ResourceId:   workspaceID,
-			Reporter: &kesselv2.ReporterReference{
-				Type: "rbac",
-			},
-		},
-		Relation: permission,
-		Subject:  buildSubject(xrhid),
-	})
-	if err != nil {
-		return errors.Wrap(err, "failed to communicate with Kessel")
-	}
-
-	if res.Allowed != kesselv2.Allowed_ALLOWED_TRUE {
-		c.AbortWithStatusJSON(http.StatusUnauthorized, utils.ErrorResponse{
-			Error: "Missing permission", // does not have granular permission
-		})
-	}
-	return nil
-}
-
-func useStreamedListObjects(c *gin.Context, client kesselv2.KesselInventoryServiceClient, xrhid *identity.XRHID) error {
+) ([]*kesselv2.StreamedListObjectsResponse, error) {
 	sloReqContext, sloContextCancel := context.WithCancel(c)
 	defer sloContextCancel()
 
-	var permission string
-	switch c.Request.Method {
-	case http.MethodGet, http.MethodPost:
-		permission = "patch_all_view"
-	case http.MethodPut, http.MethodDelete:
-		permission = "patch_all_edit"
-	}
-
 	resourceType := "rbac"
 	stream, err := client.StreamedListObjects(sloReqContext, &kesselv2.StreamedListObjectsRequest{
 		ObjectType: &kesselv2.RepresentationType{
@@ -178,26 +97,18 @@ func useStreamedListObjects(c *gin.Context, client kesselv2.KesselInventoryServi
 		Subject:  buildSubject(xrhid),
 	})
 	if err != nil {
-		return errors.Wrap(err, "failed to establish a gRPC stream with Kessel")
+		return nil, errors.Wrap(err, "failed to establish a gRPC stream with Kessel")
 	}
 
 	workspaces := make([]*kesselv2.StreamedListObjectsResponse, 0)
 	for res, err := stream.Recv(); err != io.EOF; res, err = stream.Recv() {
 		if err != nil {
-			return errors.Wrap(err, "failed to receive all from Kessel")
+			return nil, errors.Wrap(err, "failed to receive all from Kessel")
 		}
 		workspaces = append(workspaces, res)
 	}
 
-	inventoryGroups, err := processWorkspaces(workspaces)
-	if err != nil {
-		utils.LogError("err", err.Error(), "processWorkspaces")
-		c.AbortWithStatusJSON(http.StatusUnauthorized, utils.ErrorResponse{
-			Error: "You don't have access to this application",
-		})
-	}
-	c.Set(utils.KeyInventoryGroups, inventoryGroups)
-	return nil
+	return workspaces, nil
 }
 
 func hasPermissionKessel(c *gin.Context) {
@@ -216,24 +127,19 @@ func hasPermissionKessel(c *gin.Context) {
 		c.AbortWithStatusJSON(http.StatusUnauthorized, utils.ErrorResponse{Error: "Invalid x-rh-identity header"})
 	}
 
-	// Require granular permission if set for handler
-	nameSplit := strings.Split(c.HandlerName(), ".")
-	handlerName := nameSplit[len(nameSplit)-1]
-	if permission, has := granularPermissions[handlerName]; has {
-		err = useCheckForUpdate(c, client, xrhid, permission)
-		if err != nil {
-			utils.LogError("err", err.Error(), "useCheckForUpdate failed")
-			c.AbortWithStatus(http.StatusInternalServerError)
-		}
-		return
-	}
-
-	// Require method-derived permission otherwise
-	err = useStreamedListObjects(c, client, xrhid)
+	permission := buildPermission(c)
+	workspaces, err := useStreamedListObjects(c, client, xrhid, permission)
 	if err != nil {
 		utils.LogError("err", err.Error(), "useStreamedListObjects failed")
 		c.AbortWithStatus(http.StatusInternalServerError)
 	}
+
+	inventoryGroups, err := processWorkspaces(workspaces)
+	if err != nil {
+		utils.LogError("err", err.Error(), "processWorkspaces")
+		c.AbortWithStatusJSON(http.StatusUnauthorized, utils.ErrorResponse{Error: "Missing permission"})
+	}
+	c.Set(utils.KeyInventoryGroups, inventoryGroups)
 }
 
 func Kessel() gin.HandlerFunc {

manager/middlewares/kessel_test.go

@@ -2,7 +2,6 @@ package middlewares
 
 import (
 	"app/base/utils"
-	"context"
 	"fmt"
 	"net/http"
 	"strconv"
@@ -15,6 +14,7 @@ import (
 	kesselv2 "github.com/project-kessel/kessel-sdk-go/kessel/inventory/v1beta2"
 	"github.com/redhatinsights/platform-go-middlewares/identity"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
 func TestSetupClient(t *testing.T) {
@@ -78,31 +78,24 @@ func TestProcessWorkspaces(t *testing.T) {
 	}
 }
 
-func TestGetDefaultWorkspaceID(t *testing.T) {
-	workspaceID, err := getDefaultWorkspaceID(context.Background(), mockXRHID())
-	if assert.NoError(t, err) {
-		assert.NotEqual(t, "", workspaceID)
-	}
-}
-
-func TestUseCheckForUpdate(t *testing.T) {
-	client, conn := mockClient(t)
-	defer conn.Close()
+func TestBuildPermission(t *testing.T) {
+	c := &gin.Context{Request: &http.Request{Method: http.MethodGet}}
+	permission := buildPermission(c)
+	assert.Equal(t, "patch_system_view", permission)
 
-	err := useCheckForUpdate(&gin.Context{}, client, mockXRHID(), "patch_template_view")
-	assert.Nil(t, err)
+	c = &gin.Context{Request: &http.Request{Method: http.MethodPut}}
+	permission = buildPermission(c)
+	assert.Equal(t, "patch_system_edit", permission)
 }
 
 func TestUseStreamedListObjects(t *testing.T) {
 	client, conn := mockClient(t)
 	defer conn.Close()
 
 	c := &gin.Context{Request: &http.Request{Method: http.MethodGet}}
-	err := useStreamedListObjects(c, client, mockXRHID())
+	workspaces, err := useStreamedListObjects(c, client, mockXRHID(), "demo_permission")
 	if assert.NoError(t, err) {
-		inventoryGroups, found := c.Get(utils.KeyInventoryGroups)
-		assert.True(t, found)
-		assert.NotEqual(t, "", inventoryGroups)
+		assert.Equal(t, 1, len(workspaces))
 	}
 }
 
@@ -111,8 +104,11 @@ func TestHasPermissionKessel(t *testing.T) {
 	c.Request.Header.Set("x-rh-identity", "eyJlbnRpdGxlbWVudHMiOnsiaW5zaWdodHMiOnsiaXNfZW50aXRsZWQiOnRydWV9LCJjb3N0X21hbmFnZW1lbnQiOnsiaXNfZW50aXRsZWQiOnRydWV9LCJhbnNpYmxlIjp7ImlzX2VudGl0bGVkIjp0cnVlfSwib3BlbnNoaWZ0Ijp7ImlzX2VudGl0bGVkIjp0cnVlfSwic21hcnRfbWFuYWdlbWVudCI6eyJpc19lbnRpdGxlZCI6dHJ1ZX0sIm1pZ3JhdGlvbnMiOnsiaXNfZW50aXRsZWQiOnRydWV9fSwiaWRlbnRpdHkiOnsiaW50ZXJuYWwiOnsiYXV0aF90aW1lIjoyOTksImF1dGhfdHlwZSI6ImJhc2ljLWF1dGgiLCJvcmdfaWQiOiIxMTc4OTc3MiJ9LCJhY2NvdW50X251bWJlciI6IjYwODk3MTkiLCJ1c2VyIjp7ImZpcnN0X25hbWUiOiJJbnNpZ2h0cyIsImlzX2FjdGl2ZSI6dHJ1ZSwiaXNfaW50ZXJuYWwiOmZhbHNlLCJsYXN0X25hbWUiOiJRQSIsImxvY2FsZSI6ImVuX1VTIiwiaXNfb3JnX2FkbWluIjp0cnVlLCJ1c2VybmFtZSI6Imluc2lnaHRzLXFhIiwiZW1haWwiOiJqbmVlZGxlK3FhQHJlZGhhdC5jb20ifSwidHlwZSI6IlVzZXIifX0=") //nolint:lll
 
 	hasPermissionKessel(c)
-	_, exists := c.Get(utils.KeyInventoryGroups)
-	assert.True(t, exists)
+	inventoryGroups, found := c.Get(utils.KeyInventoryGroups)
+	require.True(t, found)
+	inventoryGroupMap, ok := (inventoryGroups).(map[string]string)
+	require.True(t, ok)
+	assert.Equal(t, `{"[{\"id\":\"inventory-group-1\"}]"}`, inventoryGroupMap[utils.KeyGrouped])
 }
 
 func mockXRHID() *identity.XRHID {