fix: Create project using server SA (#996)

* fix: Create project using server SA

Signed-off-by: Anatolii Bazko <abazko@redhat.com>

Author: tolusha

assembly/assembly-wsmaster-war/src/main/webapp/WEB-INF/classes/che/multiuser.properties

@@ -64,17 +64,6 @@ che.limits.user.workspaces.count=-1
 # stop a running workspace to activate another.
 che.limits.user.workspaces.run.count=1
 
-
-### Multi-user-specific OpenShift infrastructure configuration
-
-# Alias of the OpenShift identity provider registered in Keycloak
-# that should be used to create workspace OpenShift resources in
-# OpenShift namespaces owned by the current Che user.
-# Set it to `NULL` if `che.infra.openshift.project`
-# is set to a non-empty value.
-# See: link:https://www.keycloak.org/docs/latest/server_admin/#openshift-4[OpenShift identity provider]
-che.infra.openshift.oauth_identity_provider=NULL
-
 ### OIDC configuration
 
 # Url to OIDC identity provider server.

infrastructures/openshift/src/main/java/org/eclipse/che/workspace/infrastructure/openshift/project/OpenShiftProjectFactory.java

@@ -11,7 +11,6 @@
  */
 package org.eclipse.che.workspace.infrastructure.openshift.project;
 
-import static com.google.common.base.Strings.isNullOrEmpty;
 import static java.lang.String.format;
 import static java.util.Collections.emptyList;
 import static java.util.Collections.emptyMap;
@@ -66,8 +65,6 @@ public class OpenShiftProjectFactory extends KubernetesNamespaceFactory {
 
   private final CheServerKubernetesClientFactory cheServerKubernetesClientFactory;
 
-  private final String oAuthIdentityProvider;
-
   @Inject
   public OpenShiftProjectFactory(
       @Nullable @Named("che.infra.kubernetes.namespace.default") String defaultNamespaceName,
@@ -84,9 +81,7 @@ public OpenShiftProjectFactory(
       PreferenceManager preferenceManager,
       KubernetesSharedPool sharedPool,
       AuthorizationChecker authorizationChecker,
-      PermissionsCleaner permissionsCleaner,
-      @Nullable @Named("che.infra.openshift.oauth_identity_provider")
-          String oAuthIdentityProvider) {
+      PermissionsCleaner permissionsCleaner) {
     super(
         defaultNamespaceName,
         namespaceCreationAllowed,
@@ -104,7 +99,6 @@ public OpenShiftProjectFactory(
     this.cheServerKubernetesClientFactory = cheServerKubernetesClientFactory;
     this.cheServerOpenshiftClientFactory = cheServerOpenshiftClientFactory;
     this.openShiftClientFactory = openShiftClientFactory;
-    this.oAuthIdentityProvider = oAuthIdentityProvider;
   }
 
   public OpenShiftProject getOrCreate(RuntimeIdentity identity) throws InfrastructureException {
@@ -121,7 +115,7 @@ public OpenShiftProject getOrCreate(RuntimeIdentity identity) throws Infrastruct
 
     osProject.prepare(
         canCreateNamespace(),
-        initWithCheServerSa && !isNullOrEmpty(oAuthIdentityProvider),
+        initWithCheServerSa,
         labelNamespaces ? namespaceLabels : emptyMap(),
         annotateNamespaces ? namespaceAnnotationsEvaluated : emptyMap());
 

infrastructures/openshift/src/test/java/org/eclipse/che/workspace/infrastructure/openshift/project/OpenShiftProjectFactoryTest.java

@@ -101,8 +101,6 @@ public class OpenShiftProjectFactoryTest {
 
   private static final String USER_ID = "2342-2559-234";
   private static final String USER_NAME = "johndoe";
-  private static final String NO_OAUTH_IDENTITY_PROVIDER = null;
-  private static final String OAUTH_IDENTITY_PROVIDER = "openshift-v4";
   private static final String NAMESPACE_LABEL_NAME = "component";
   private static final String NAMESPACE_LABELS = NAMESPACE_LABEL_NAME + "=workspace";
   private static final String NAMESPACE_ANNOTATION_NAME = "owner";
@@ -177,8 +175,7 @@ public void shouldNotThrowExceptionIfDefaultNamespaceIsSpecifiedOnCheckingIfName
             preferenceManager,
             pool,
             authorizationChecker,
-            permissionsCleaner,
-            NO_OAUTH_IDENTITY_PROVIDER);
+            permissionsCleaner);
 
     projectFactory.checkIfNamespaceIsAllowed(USER_NAME + "-che");
   }
@@ -209,8 +206,7 @@ public void shouldNotThrowExceptionIfDefaultNamespaceIsSpecifiedOnCheckingIfName
             preferenceManager,
             pool,
             authorizationChecker,
-            permissionsCleaner,
-            NO_OAUTH_IDENTITY_PROVIDER);
+            permissionsCleaner);
     try {
       projectFactory.checkIfNamespaceIsAllowed("any-namespace");
     } catch (ValidationException e) {
@@ -241,8 +237,7 @@ public void shouldNotThrowExceptionIfDefaultNamespaceIsSpecifiedOnCheckingIfName
             preferenceManager,
             pool,
             authorizationChecker,
-            permissionsCleaner,
-            NO_OAUTH_IDENTITY_PROVIDER);
+            permissionsCleaner);
   }
 
   @Test
@@ -278,8 +273,7 @@ public void shouldReturnPreparedNamespacesWhenFound() throws InfrastructureExcep
             preferenceManager,
             pool,
             authorizationChecker,
-            permissionsCleaner,
-            NO_OAUTH_IDENTITY_PROVIDER);
+            permissionsCleaner);
     EnvironmentContext.getCurrent()
         .setSubject(new SubjectImpl("jondoe", Collections.emptyList(), "123", null, false));
 
@@ -317,8 +311,7 @@ public void shouldNotThrowAnExceptionWhenNotAllowedToListNamespaces() throws Exc
             preferenceManager,
             pool,
             authorizationChecker,
-            permissionsCleaner,
-            NO_OAUTH_IDENTITY_PROVIDER);
+            permissionsCleaner);
     EnvironmentContext.getCurrent()
         .setSubject(new SubjectImpl("jondoe", Collections.emptyList(), "u123", null, false));
 
@@ -352,8 +345,7 @@ public void throwAnExceptionWhenErrorListingNamespaces() throws Exception {
             preferenceManager,
             pool,
             authorizationChecker,
-            permissionsCleaner,
-            NO_OAUTH_IDENTITY_PROVIDER);
+            permissionsCleaner);
 
     // when
     projectFactory.list();
@@ -396,8 +388,7 @@ public void shouldReturnDefaultProjectWhenItExistsAndUserDefinedIsNotAllowed() t
             preferenceManager,
             pool,
             authorizationChecker,
-            permissionsCleaner,
-            NO_OAUTH_IDENTITY_PROVIDER);
+            permissionsCleaner);
 
     List<KubernetesNamespaceMeta> availableNamespaces = projectFactory.list();
     assertEquals(availableNamespaces.size(), 1);
@@ -434,8 +425,7 @@ public void shouldReturnDefaultProjectWhenItDoesNotExistAndUserDefinedIsNotAllow
             preferenceManager,
             pool,
             authorizationChecker,
-            permissionsCleaner,
-            NO_OAUTH_IDENTITY_PROVIDER);
+            permissionsCleaner);
 
     List<KubernetesNamespaceMeta> availableNamespaces = projectFactory.list();
     assertEquals(availableNamespaces.size(), 1);
@@ -472,8 +462,7 @@ public void shouldThrowExceptionWhenFailedToGetInfoAboutDefaultNamespace() throw
             preferenceManager,
             pool,
             authorizationChecker,
-            permissionsCleaner,
-            NO_OAUTH_IDENTITY_PROVIDER);
+            permissionsCleaner);
 
     projectFactory.list();
   }
@@ -500,8 +489,7 @@ public void shouldThrowExceptionWhenFailedToGetNamespaces() throws Exception {
             preferenceManager,
             pool,
             authorizationChecker,
-            permissionsCleaner,
-            NO_OAUTH_IDENTITY_PROVIDER);
+            permissionsCleaner);
 
     projectFactory.list();
   }
@@ -533,8 +521,7 @@ public void shouldRequireNamespacePriorExistenceIfDifferentFromDefaultAndUserDef
                 preferenceManager,
                 pool,
                 authorizationChecker,
-                permissionsCleaner,
-                NO_OAUTH_IDENTITY_PROVIDER));
+                permissionsCleaner));
     OpenShiftProject toReturnProject = mock(OpenShiftProject.class);
     prepareProject(toReturnProject);
     doReturn(toReturnProject).when(projectFactory).doCreateProjectAccess(any(), any());
@@ -546,7 +533,7 @@ public void shouldRequireNamespacePriorExistenceIfDifferentFromDefaultAndUserDef
 
     // then
     assertEquals(toReturnProject, project);
-    verify(toReturnProject).prepare(eq(true), eq(false), any(), any());
+    verify(toReturnProject).prepare(eq(true), eq(true), any(), any());
   }
 
   @Test
@@ -569,8 +556,7 @@ public void shouldCreatePreferencesConfigmapIfNotExists() throws Exception {
                 preferenceManager,
                 pool,
                 authorizationChecker,
-                permissionsCleaner,
-                NO_OAUTH_IDENTITY_PROVIDER));
+                permissionsCleaner));
     OpenShiftProject toReturnProject = mock(OpenShiftProject.class);
     doReturn(toReturnProject).when(projectFactory).doCreateProjectAccess(any(), any());
     when(toReturnProject.getName()).thenReturn("namespace123");
@@ -613,8 +599,7 @@ public void shouldNotCreatePreferencesConfigmapIfExist() throws Exception {
                 preferenceManager,
                 pool,
                 authorizationChecker,
-                permissionsCleaner,
-                NO_OAUTH_IDENTITY_PROVIDER));
+                permissionsCleaner));
     OpenShiftProject toReturnProject = mock(OpenShiftProject.class);
     prepareProject(toReturnProject);
     doReturn(toReturnProject).when(projectFactory).doCreateProjectAccess(any(), any());
@@ -659,8 +644,7 @@ public void shouldCallStopWorkspaceRoleProvisionWhenIdentityProviderIsDefined()
                 preferenceManager,
                 pool,
                 authorizationChecker,
-                permissionsCleaner,
-                OAUTH_IDENTITY_PROVIDER));
+                permissionsCleaner));
     OpenShiftProject toReturnProject = mock(OpenShiftProject.class);
     when(toReturnProject.getName()).thenReturn("workspace123");
     prepareProject(toReturnProject);
@@ -711,8 +695,7 @@ public void testEvalNamespaceNameWhenPreparedNamespacesFound() throws Infrastruc
             preferenceManager,
             pool,
             authorizationChecker,
-            permissionsCleaner,
-            NO_OAUTH_IDENTITY_PROVIDER);
+            permissionsCleaner);
 
     String namespace =
         projectFactory.evaluateNamespaceName(
@@ -745,8 +728,7 @@ public void testUsernamePlaceholderInLabelsIsNotEvaluated() throws Infrastructur
             preferenceManager,
             pool,
             authorizationChecker,
-            permissionsCleaner,
-            NO_OAUTH_IDENTITY_PROVIDER);
+            permissionsCleaner);
     EnvironmentContext.getCurrent()
         .setSubject(new SubjectImpl("jondoe", Collections.emptyList(), "123", null, false));
     projectFactory.list();
@@ -774,8 +756,7 @@ public void testUsernamePlaceholderInAnnotationsIsEvaluated() throws Infrastruct
                 preferenceManager,
                 pool,
                 authorizationChecker,
-                permissionsCleaner,
-                NO_OAUTH_IDENTITY_PROVIDER));
+                permissionsCleaner));
     EnvironmentContext.getCurrent()
         .setSubject(new SubjectImpl("jondoe", Collections.emptyList(), "123", null, false));
     OpenShiftProject toReturnProject = mock(OpenShiftProject.class);
@@ -789,7 +770,7 @@ public void testUsernamePlaceholderInAnnotationsIsEvaluated() throws Infrastruct
     // then
     assertEquals(toReturnProject, project);
     verify(toReturnProject)
-        .prepare(eq(true), eq(false), any(), eq(Map.of("try_placeholder_here", "jondoe")));
+        .prepare(eq(true), eq(true), any(), eq(Map.of("try_placeholder_here", "jondoe")));
   }
 
   @Test
@@ -817,8 +798,7 @@ public void testAllConfiguratorsAreCalledWhenCreatingProject() throws Infrastruc
                 preferenceManager,
                 pool,
                 authorizationChecker,
-                permissionsCleaner,
-                NO_OAUTH_IDENTITY_PROVIDER));
+                permissionsCleaner));
     EnvironmentContext.getCurrent()
         .setSubject(new SubjectImpl("jondoe", Collections.emptyList(), "123", null, false));