@@ -206,10 +206,8 @@ func (gamh GetAllMachineHandler) Handle(c echo.Context) error {
206206 // request the privileged-tenant pre-gate here (requirePrivilegedTenant=false):
207207 // that gate keys off a Ready TenantAccount without site context and would
208208 // reject site-privileged tenants (or those whose privilege is per-site)
209- // before machine.SiteID is known. The site-scoped
210- // EffectiveTargetedInstanceCreation checks below are authoritative and
211- // filter results to the providers/sites where the capability is effective,
212- // yielding an empty list rather than a spurious 403.
209+ // before siteId is known. Privileged Tenant access is resolved below via
210+ // GetPrivilegedAccessSiteIDsForTenant, which honors per-site overrides.
213211 infrastructureProvider , tenant , apiError := common .IsProviderOrTenant (ctx , logger , gamh .dbSession , org , dbUser , true , false )
214212 if apiError != nil {
215213 return cutil .NewAPIErrorResponse (c , apiError .Code , apiError .Message , apiError .Data )
@@ -238,35 +236,27 @@ func (gamh GetAllMachineHandler) Handle(c echo.Context) error {
238236 return cutil .NewAPIErrorResponse (c , http .StatusBadRequest , errMsg , nil )
239237 }
240238
241- filterInput := cdbm.MachineFilterInput {
242- InfrastructureProviderIDs : []uuid.UUID {},
243- }
239+ filterInput := cdbm.MachineFilterInput {}
244240
245- // Validate other query params
246241 if infrastructureProvider != nil {
247- filterInput .InfrastructureProviderIDs = append ( filterInput . InfrastructureProviderIDs , infrastructureProvider .ID )
242+ filterInput .InfrastructureProviderIDs = []uuid. UUID { infrastructureProvider .ID }
248243 }
249244
250- var tenantAccountProviderIDs []uuid.UUID
245+ var privilegedSiteIDs []uuid.UUID
251246 if tenant != nil {
252- taDAO := cdbm .NewTenantAccountDAO (gamh .dbSession )
253- tas , _ , serr := taDAO .GetAll (ctx , nil , cdbm.TenantAccountFilterInput {
254- TenantIDs : []uuid.UUID {tenant .ID },
255- Statuses : []string {cdbm .TenantAccountStatusReady },
256- }, cdbp.PageInput {Limit : cutil .GetPtr (cdbp .TotalLimit )}, []string {})
247+ var serr error
248+ privilegedSiteIDs , serr = common .GetPrivilegedAccessSiteIDsForTenant (ctx , nil , gamh .dbSession , tenant )
257249 if serr != nil {
258- logger .Error ().Err (serr ).Msg ("error retrieving Tenant Accounts for Tenant" )
259- return cutil .NewAPIErrorResponse (c , http .StatusInternalServerError , "Error retrieving Tenant Accounts for Tenant" , nil )
250+ logger .Error ().Err (serr ).Msg ("error resolving privileged Site access for Tenant" )
251+ return cutil .NewAPIErrorResponse (c , http .StatusInternalServerError , "Failed to verify privileges for Tenant" , nil )
260252 }
261-
262- for _ , ta := range tas {
263- tenantAccountProviderIDs = append (tenantAccountProviderIDs , ta .InfrastructureProviderID )
253+ if len (privilegedSiteIDs ) == 0 {
254+ return cutil .NewAPIErrorResponse (c , http .StatusForbidden , "Tenant does not have Targeted Instance Creation capability enabled for any Site" , nil )
264255 }
265256 }
266257
267258 // Validate site id if provided
268259 qSiteID := c .QueryParam ("siteId" )
269- var filterSite * cdbm.Site
270260 if qSiteID != "" {
271261 site , serr := common .GetSiteFromIDString (ctx , nil , qSiteID , gamh .dbSession )
272262 if serr != nil {
@@ -276,71 +266,22 @@ func (gamh GetAllMachineHandler) Handle(c echo.Context) error {
276266 logger .Error ().Err (serr ).Str ("Site ID" , qSiteID ).Msg ("error retrieving Site specified in query" )
277267 return cutil .NewAPIErrorResponse (c , http .StatusInternalServerError , "Error retrieving Site specified in query" , nil )
278268 }
279- filterSite = site
280269
281- isAssociated := false
282270 if infrastructureProvider != nil {
283- // Check if Site belongs to org's Infrastructure Provider
284- if site . InfrastructureProviderID == infrastructureProvider . ID {
285- isAssociated = true
271+ if site . InfrastructureProviderID != infrastructureProvider . ID {
272+ logger . Error (). Msg ( "Site is not associated with org" )
273+ return cutil . NewAPIErrorResponse ( c , http . StatusForbidden , "Current org is not associated with the Site specified in query" , nil )
286274 }
287- }
288-
289- if ! isAssociated && tenant != nil {
290- isAssociated = slices .Contains (tenantAccountProviderIDs , site .InfrastructureProviderID )
291- }
292-
293- if isAssociated {
294275 filterInput .SiteIDs = []uuid.UUID {site .ID }
295276 } else {
296- logger .Error ().Msg ("Site is not associated with org" )
297- return cutil .NewAPIErrorResponse (c , http .StatusForbidden , "Current org is not associated with the Site specified in query" , nil )
298- }
299- }
300-
301- if tenant != nil {
302- if filterSite != nil {
303- enabledForSite , serr := common .EffectiveTargetedInstanceCreation (ctx , nil , gamh .dbSession , tenant , filterSite .ID )
304- if serr != nil {
305- logger .Error ().Err (serr ).Msg ("error checking effective targeted instance creation for Site" )
306- return cutil .NewAPIErrorResponse (c , http .StatusInternalServerError , "Failed to verify privileges for Site" , nil )
307- }
308- if enabledForSite {
309- filterInput .InfrastructureProviderIDs = append (filterInput .InfrastructureProviderIDs , filterSite .InfrastructureProviderID )
310- }
311- } else {
312- siteDAO := cdbm .NewSiteDAO (gamh .dbSession )
313- privilegedProviderIDs := make (map [uuid.UUID ]struct {})
314- for _ , providerID := range tenantAccountProviderIDs {
315- if _ , listed := privilegedProviderIDs [providerID ]; listed {
316- continue
317- }
318-
319- sites , _ , serr := siteDAO .GetAll (ctx , nil , cdbm.SiteFilterInput {
320- InfrastructureProviderIDs : []uuid.UUID {providerID },
321- }, cdbp.PageInput {Limit : cutil .GetPtr (cdbp .TotalLimit )}, nil )
322- if serr != nil {
323- logger .Error ().Err (serr ).Msg ("error retrieving Sites for privileged Tenant" )
324- return cutil .NewAPIErrorResponse (c , http .StatusInternalServerError , "Error retrieving Sites for privileged Tenant" , nil )
325- }
326-
327- for _ , site := range sites {
328- enabledForSite , serr := common .EffectiveTargetedInstanceCreation (ctx , nil , gamh .dbSession , tenant , site .ID )
329- if serr != nil {
330- logger .Error ().Err (serr ).Msg ("error checking effective targeted instance creation for Site" )
331- return cutil .NewAPIErrorResponse (c , http .StatusInternalServerError , "Failed to verify privileges for Site" , nil )
332- }
333- if enabledForSite {
334- privilegedProviderIDs [providerID ] = struct {}{}
335- break
336- }
337- }
338- }
339-
340- for providerID := range privilegedProviderIDs {
341- filterInput .InfrastructureProviderIDs = append (filterInput .InfrastructureProviderIDs , providerID )
277+ if ! slices .Contains (privilegedSiteIDs , site .ID ) {
278+ logger .Error ().Msg ("Site is not associated with org" )
279+ return cutil .NewAPIErrorResponse (c , http .StatusForbidden , "Current org is not associated with the Site specified in query" , nil )
342280 }
281+ filterInput .SiteIDs = []uuid.UUID {site .ID }
343282 }
283+ } else if tenant != nil {
284+ filterInput .SiteIDs = privilegedSiteIDs
344285 }
345286
346287 // Validate InstanceType ID if provided
@@ -665,7 +606,10 @@ func (gmh GetMachineHandler) Handle(c echo.Context) error {
665606 isAssociated = true
666607 isProviderOrPrivilegedTenant = true
667608 } else if tenant != nil {
668- enabledForSite , serr := common .EffectiveTargetedInstanceCreation (ctx , nil , gmh .dbSession , tenant , machine .SiteID )
609+ enabledForSite , serr := common .TenantHasTargetedInstanceCreation (ctx , nil , gmh .dbSession , tenant , & cdbm.Site {
610+ ID : machine .SiteID ,
611+ InfrastructureProviderID : machine .InfrastructureProviderID ,
612+ })
669613 if serr != nil {
670614 logger .Error ().Err (serr ).Msg ("error checking effective targeted instance creation for Machine's Site" )
671615 return cutil .NewAPIErrorResponse (c , http .StatusInternalServerError , "Error verifying capability for Machine's Site" , nil )
@@ -766,7 +710,7 @@ func (umh UpdateMachineHandler) Handle(c echo.Context) error {
766710 // pre-gate here (requirePrivilegedTenant=false): that gate keys off the
767711 // legacy tenant-level flag and would reject TenantAccount-privileged
768712 // tenants before machine.SiteID is known. The site-scoped
769- // EffectiveTargetedInstanceCreation check is the authoritative decision.
713+ // TenantHasTargetedInstanceCreation check is the authoritative decision.
770714 infrastructureProvider , tenant , apiError := common .IsProviderOrTenant (ctx , logger , umh .dbSession , org , dbUser , false , false )
771715 if apiError != nil {
772716 return cutil .NewAPIErrorResponse (c , apiError .Code , apiError .Message , apiError .Data )
@@ -807,7 +751,10 @@ func (umh UpdateMachineHandler) Handle(c echo.Context) error {
807751 // Validate if Tenant is allowed to update Machine
808752 if tenant != nil {
809753 // Check if Tenant is privileged
810- enabledForSite , serr := common .EffectiveTargetedInstanceCreation (ctx , nil , umh .dbSession , tenant , machine .SiteID )
754+ enabledForSite , serr := common .TenantHasTargetedInstanceCreation (ctx , nil , umh .dbSession , tenant , & cdbm.Site {
755+ ID : machine .SiteID ,
756+ InfrastructureProviderID : machine .InfrastructureProviderID ,
757+ })
811758 if serr != nil {
812759 logger .Error ().Err (serr ).Msg ("error checking effective targeted instance creation for Machine's Site" )
813760 return cutil .NewAPIErrorResponse (c , http .StatusInternalServerError , "Error verifying capability for Machine's Site, DB error" , nil )
0 commit comments