MINOR: replace positional string params in IsAccessGranted with typed structs

ivanmatmati · ivanmatmati · commit 21cfda02defc · 2026-05-20T14:33:47.000+02:00
IsAccessGranted previously took seven positional string parameters
(fromGroup, fromKind, fromNamespace, toGroup, toKind, toNamespace, toName),
which the compiler cannot distinguish — an incorrectly ordered call site is
a silent bug waiting to happen.

Introduce GrantFrom{Group, Kind, Namespace} and GrantTo{Group, Kind,
Namespace, Name}, mirroring the From/To triples of the Gateway API spec.
IsAccessGranted now accepts these two structs, making each field explicit and
compiler-verified at every call site.

Move the key-building helpers onto the types themselves as methods:
- GrantFrom.ToKey() From
- GrantTo.ToKey() To
- GrantTo.wildcardKey() To  (name-stripped variant for wildcard grant lookup)

Replace string concatenation in those methods with strings.Join.

Remove the now-redundant package-level ConvertTo/ConvertFrom functions.
Update all call sites: gateway_listener.go, route-rule.go,
tls-route-rule.go, and reference_grant_manager_test.go.

make removeReferenceGrantWithCheck private

The method was only ever called from within the tree package — once by
UpsertReferenceGrant (check=false) and once by RemoveReferenceGrant
(check=true). Exposing it as a public method leaked an implementation
detail and invited callers to pass the bool flag directly instead of
going through the two clearly-named entry points.

Rename to removeReferenceGrantWithCheck and update all internal call
sites and comments accordingly.
diff --git a/k8s/gate/tree/gateway_listener.go b/k8s/gate/tree/gateway_listener.go
@@ -280,8 +280,9 @@ func (l *Listener) checkCertificateRefs(treeGw *Gateway, gateSecrets map[types.N
 			continue
 		}
 		isAccessGranted := referenceGrantManager.IsAccessGranted(
-			gatewayv1.GroupName, "Gateway", treeGw.K8sResource.GetNamespace(),
-			"", "Secret", treeSecret.K8sResource.GetNamespace(), treeSecret.K8sResource.GetName())
+			GrantFrom{Group: gatewayv1.GroupName, Kind: "Gateway", Namespace: treeGw.K8sResource.GetNamespace()},
+			GrantTo{Group: "", Kind: "Secret", Namespace: treeSecret.K8sResource.GetNamespace(), Name: treeSecret.K8sResource.GetName()},
+		)
 		if !isAccessGranted {
 			msg := fmt.Sprintf("Secret reference %s/%s is not granted for listener in gateway %s/%s", nsName.Namespace, nsName.Name, treeGw.K8sResource.GetNamespace(), treeGw.K8sResource.GetName())
 			l.CheckSecret = CheckResult{
diff --git a/k8s/gate/tree/reference_grant_manager.go b/k8s/gate/tree/reference_grant_manager.go
@@ -1,6 +1,8 @@
 package tree
 
 import (
+	"strings"
+
 	"github.com/haproxytech/haproxy-unified-gateway/k8s/gate/store"
 	"github.com/haproxytech/haproxy-unified-gateway/k8s/gate/utils"
 	"k8s.io/apimachinery/pkg/types"
@@ -13,6 +15,37 @@ type To string
 // From identifies a source resource type as "namespace/group/kind".
 type From string
 
+// GrantFrom identifies the source side of a ReferenceGrant check.
+type GrantFrom struct {
+	Group     string
+	Kind      string
+	Namespace string
+}
+
+// ToKey converts the descriptor to the internal From key.
+func (f GrantFrom) ToKey() From {
+	return From(strings.Join([]string{f.Namespace, f.Group, f.Kind}, "/"))
+}
+
+// GrantTo identifies the target side of a ReferenceGrant check.
+type GrantTo struct {
+	Group     string
+	Kind      string
+	Namespace string
+	Name      string
+}
+
+// ToKey converts the descriptor to the internal To key.
+// An empty Name represents a wildcard (any resource name).
+func (t GrantTo) ToKey() To {
+	return To(strings.Join([]string{t.Namespace, t.Group, t.Kind, t.Name}, "/"))
+}
+
+// wildcardKey returns the To key with an empty name, matching wildcard grants.
+func (t GrantTo) wildcardKey() To {
+	return To(strings.Join([]string{t.Namespace, t.Group, t.Kind, ""}, "/"))
+}
+
 // ReferenceGrantNamespacedName is the namespace/name key of a ReferenceGrant.
 type ReferenceGrantNamespacedName types.NamespacedName
 
@@ -33,18 +66,6 @@ type ReferenceGrantManager struct {
 	toFrom               map[To]map[From]struct{}
 }
 
-// ConvertTo builds a To key from the target resource's namespace, API group,
-// kind, and name. An empty name represents a wildcard (any resource name).
-func ConvertTo(namespace string, group string, kind, name string) To {
-	return To(namespace + "/" + group + "/" + kind + "/" + name)
-}
-
-// ConvertFrom builds a From key from the source resource's namespace, API group,
-// and kind.
-func ConvertFrom(namespace, group, kind string) From {
-	return From(namespace + "/" + group + "/" + kind)
-}
-
 // ConvertReferenceGrantNamespacedName extracts the namespace/name identity of a
 // ReferenceGrant from its K8sResource. K8sResource must not be nil.
 func ConvertReferenceGrantNamespacedName(referenceGrant ReferenceGrant) ReferenceGrantNamespacedName {
@@ -64,21 +85,18 @@ func NewReferenceGrantManager() *ReferenceGrantManager {
 	}
 }
 
-// IsAccessGranted reports whether a resource of type (fromGroup, fromKind) in
-// fromNamespace may reference a resource of type (toGroup, toKind) named toName
-// in toNamespace. Same-namespace references are always permitted. Cross-namespace
-// access requires a matching entry in toFrom, covering both named grants and
-// wildcard grants (empty name).
-func (mgr *ReferenceGrantManager) IsAccessGranted(fromGroup, fromKind, fromNamespace,
-	toGroup, toKind, toNamespace, toName string,
-) bool {
+// IsAccessGranted reports whether the resource described by from may reference
+// the resource described by to. Same-namespace references are always permitted.
+// Cross-namespace access requires a matching entry in toFrom, covering both
+// named grants and wildcard grants (empty name).
+func (mgr *ReferenceGrantManager) IsAccessGranted(from GrantFrom, to GrantTo) bool {
 	// Same namespace access is always granted
-	if toNamespace == fromNamespace {
+	if to.Namespace == from.Namespace {
 		return true
 	}
-	convertedTo := ConvertTo(toNamespace, toGroup, toKind, toName)
-	convertedToWithoutName := ConvertTo(toNamespace, toGroup, toKind, "")
-	convertedFrom := ConvertFrom(fromNamespace, fromGroup, fromKind)
+	convertedTo := to.ToKey()
+	convertedToWithoutName := to.wildcardKey()
+	convertedFrom := from.ToKey()
 	froms := mgr.toFrom[convertedTo]
 	fromsWithoutName := mgr.toFrom[convertedToWithoutName]
 	if froms == nil && fromsWithoutName == nil {
@@ -105,20 +123,24 @@ func (mgr *ReferenceGrantManager) UpsertReferenceGrant(referenceGrant ReferenceG
 
 	referenceGrantNamespacedName := ConvertReferenceGrantNamespacedName(referenceGrant)
 	// We remove any previous association
-	mgr.RemoveReferenceGrantWithCheck(referenceGrant, false)
+	mgr.removeReferenceGrantWithCheck(referenceGrant, false)
 	// For each 'To' of the ReferenceGrant
 	for _, to := range referenceGrant.K8sResource.Spec.To {
-		convertedTo := ConvertTo(referenceGrant.K8sResource.Namespace,
-			string(to.Group),
-			string(to.Kind),
-			string(utils.PointerDefaultValueIfNil(to.Name)))
+		convertedTo := (GrantTo{
+			Namespace: referenceGrant.K8sResource.Namespace,
+			Group:     string(to.Group),
+			Kind:      string(to.Kind),
+			Name:      string(utils.PointerDefaultValueIfNil(to.Name)),
+		}).ToKey()
 		// ___________________________
 		// Update toReferenceGrantFrom
 		referenceGrantFrom := mgr.toReferenceGrantFrom[convertedTo]
 		for _, from := range referenceGrant.K8sResource.Spec.From {
-			convertedFrom := ConvertFrom(string(from.Namespace),
-				string(from.Group),
-				string(from.Kind))
+			convertedFrom := (GrantFrom{
+				Namespace: string(from.Namespace),
+				Group:     string(from.Group),
+				Kind:      string(from.Kind),
+			}).ToKey()
 			// We associate the 'To' with the couple 'ReferenceGrant' and 'From'
 			if referenceGrantFrom == nil {
 				// First association so we create the map
@@ -152,12 +174,12 @@ func (mgr *ReferenceGrantManager) UpsertReferenceGrant(referenceGrant ReferenceG
 	}
 }
 
-// RemoveReferenceGrantWithCheck removes all entries for a ReferenceGrant.
+// removeReferenceGrantWithCheck removes all entries for a ReferenceGrant.
 // When check is true, the function validates that the grant's status is StatusDeleted
 // and operates on OldTreeResource (the pre-deletion snapshot). When check is false,
 // it operates on the grant as given; this is used by UpsertReferenceGrant to clear
 // the previous footprint before reinserting updated rules.
-func (mgr *ReferenceGrantManager) RemoveReferenceGrantWithCheck(referenceGrant ReferenceGrant, check bool) {
+func (mgr *ReferenceGrantManager) removeReferenceGrantWithCheck(referenceGrant ReferenceGrant, check bool) {
 	if check && referenceGrant.TreeStatus.Status != store.StatusDeleted {
 		return
 	}
@@ -203,9 +225,8 @@ func (mgr *ReferenceGrantManager) RemoveReferenceGrantWithCheck(referenceGrant R
 }
 
 // RemoveReferenceGrant removes all entries for a deleted ReferenceGrant.
-// It is the public counterpart of RemoveReferenceGrantWithCheck with check=true.
 func (mgr *ReferenceGrantManager) RemoveReferenceGrant(referenceGrant ReferenceGrant) {
-	mgr.RemoveReferenceGrantWithCheck(referenceGrant, true)
+	mgr.removeReferenceGrantWithCheck(referenceGrant, true)
 }
 
 // ComputeToFrom rebuilds the toFrom map from toReferenceGrantFrom. It must be called
diff --git a/k8s/gate/tree/reference_grant_manager_test.go b/k8s/gate/tree/reference_grant_manager_test.go
@@ -67,11 +67,11 @@ func TestReferenceGrantManager_WildcardTo(t *testing.T) {
 	mgr.UpsertReferenceGrant(upserted(k8s))
 	mgr.ComputeToFrom()
 
-	assert.True(t, mgr.IsAccessGranted(gatewayv1.GroupName, "HTTPRoute", "route-ns", "", "Service", "backend-ns", "svc-a"),
+	assert.True(t, mgr.IsAccessGranted(GrantFrom{Group: gatewayv1.GroupName, Kind: "HTTPRoute", Namespace: "route-ns"}, GrantTo{Kind: "Service", Namespace: "backend-ns", Name: "svc-a"}),
 		"wildcard grant should permit any named service")
-	assert.True(t, mgr.IsAccessGranted(gatewayv1.GroupName, "HTTPRoute", "route-ns", "", "Service", "backend-ns", "svc-b"),
+	assert.True(t, mgr.IsAccessGranted(GrantFrom{Group: gatewayv1.GroupName, Kind: "HTTPRoute", Namespace: "route-ns"}, GrantTo{Kind: "Service", Namespace: "backend-ns", Name: "svc-b"}),
 		"wildcard grant should permit a different service name")
-	assert.False(t, mgr.IsAccessGranted(gatewayv1.GroupName, "HTTPRoute", "other-ns", "", "Service", "backend-ns", "svc-a"),
+	assert.False(t, mgr.IsAccessGranted(GrantFrom{Group: gatewayv1.GroupName, Kind: "HTTPRoute", Namespace: "other-ns"}, GrantTo{Kind: "Service", Namespace: "backend-ns", Name: "svc-a"}),
 		"grant should not cover a route from a different namespace")
 }
 
@@ -99,15 +99,15 @@ func TestReferenceGrantManager_NamedTo(t *testing.T) {
 	mgr.UpsertReferenceGrant(upserted(k8s))
 	mgr.ComputeToFrom()
 
-	assert.True(t, mgr.IsAccessGranted(gatewayv1.GroupName, "HTTPRoute", "route-ns", "", "Service", "backend-ns", "my-svc"),
+	assert.True(t, mgr.IsAccessGranted(GrantFrom{Group: gatewayv1.GroupName, Kind: "HTTPRoute", Namespace: "route-ns"}, GrantTo{Kind: "Service", Namespace: "backend-ns", Name: "my-svc"}),
 		"named grant should permit the exact service")
-	assert.False(t, mgr.IsAccessGranted(gatewayv1.GroupName, "HTTPRoute", "route-ns", "", "Service", "backend-ns", "other-svc"),
+	assert.False(t, mgr.IsAccessGranted(GrantFrom{Group: gatewayv1.GroupName, Kind: "HTTPRoute", Namespace: "route-ns"}, GrantTo{Kind: "Service", Namespace: "backend-ns", Name: "other-svc"}),
 		"named grant must not permit a different service name")
 }
 
 // TestReferenceGrantManager_UpdateWipesPreviousFootprint verifies that upserting a
 // modified grant clears the old From entries before inserting the new ones.
-// This exercises the RemoveReferenceGrantWithCheck(_, false) call inside Upsert.
+// This exercises the removeReferenceGrantWithCheck(_, false) call inside Upsert.
 func TestReferenceGrantManager_UpdateWipesPreviousFootprint(t *testing.T) {
 	mgr := NewReferenceGrantManager()
 
@@ -129,7 +129,7 @@ func TestReferenceGrantManager_UpdateWipesPreviousFootprint(t *testing.T) {
 
 	mgr.UpsertReferenceGrant(upserted(k8sV1))
 	mgr.ComputeToFrom()
-	assert.True(t, mgr.IsAccessGranted(gatewayv1.GroupName, "HTTPRoute", "route-ns-old", "", "Service", "backend-ns", "svc"))
+	assert.True(t, mgr.IsAccessGranted(GrantFrom{Group: gatewayv1.GroupName, Kind: "HTTPRoute", Namespace: "route-ns-old"}, GrantTo{Kind: "Service", Namespace: "backend-ns", Name: "svc"}))
 
 	// Update the grant: only route-ns-new is now authorised.
 	k8sV2 := &gatewayv1beta1.ReferenceGrant{
@@ -151,9 +151,9 @@ func TestReferenceGrantManager_UpdateWipesPreviousFootprint(t *testing.T) {
 	mgr.UpsertReferenceGrant(upserted(k8sV2))
 	mgr.ComputeToFrom()
 
-	assert.False(t, mgr.IsAccessGranted(gatewayv1.GroupName, "HTTPRoute", "route-ns-old", "", "Service", "backend-ns", "svc"),
+	assert.False(t, mgr.IsAccessGranted(GrantFrom{Group: gatewayv1.GroupName, Kind: "HTTPRoute", Namespace: "route-ns-old"}, GrantTo{Kind: "Service", Namespace: "backend-ns", Name: "svc"}),
 		"old From must be revoked after update")
-	assert.True(t, mgr.IsAccessGranted(gatewayv1.GroupName, "HTTPRoute", "route-ns-new", "", "Service", "backend-ns", "svc"),
+	assert.True(t, mgr.IsAccessGranted(GrantFrom{Group: gatewayv1.GroupName, Kind: "HTTPRoute", Namespace: "route-ns-new"}, GrantTo{Kind: "Service", Namespace: "backend-ns", Name: "svc"}),
 		"new From must be allowed after update")
 }
 
@@ -186,16 +186,16 @@ func TestReferenceGrantManager_DeleteMultiToNoLeftovers(t *testing.T) {
 
 	assert.Empty(t, mgr.toReferenceGrantFrom, "ToReferenceGrantFrom must be empty after delete")
 	assert.Empty(t, mgr.referenceGrantsTo, "ReferenceGrantsTo must be empty after delete")
-	assert.False(t, mgr.IsAccessGranted(gatewayv1.GroupName, "HTTPRoute", "route-ns", "", "Service", "backend-ns", "svc-a"))
-	assert.False(t, mgr.IsAccessGranted(gatewayv1.GroupName, "HTTPRoute", "route-ns", "", "Service", "backend-ns", "svc-b"))
+	assert.False(t, mgr.IsAccessGranted(GrantFrom{Group: gatewayv1.GroupName, Kind: "HTTPRoute", Namespace: "route-ns"}, GrantTo{Kind: "Service", Namespace: "backend-ns", Name: "svc-a"}))
+	assert.False(t, mgr.IsAccessGranted(GrantFrom{Group: gatewayv1.GroupName, Kind: "HTTPRoute", Namespace: "route-ns"}, GrantTo{Kind: "Service", Namespace: "backend-ns", Name: "svc-b"}))
 }
 
 // TestReferenceGrantManager_SameNamespaceAlwaysGranted verifies that same-namespace
 // references are always allowed regardless of whether any grant exists.
 func TestReferenceGrantManager_SameNamespaceAlwaysGranted(t *testing.T) {
 	mgr := NewReferenceGrantManager()
 
-	assert.True(t, mgr.IsAccessGranted(gatewayv1.GroupName, "HTTPRoute", "ns", "", "Service", "ns", "svc"),
+	assert.True(t, mgr.IsAccessGranted(GrantFrom{Group: gatewayv1.GroupName, Kind: "HTTPRoute", Namespace: "ns"}, GrantTo{Kind: "Service", Namespace: "ns", Name: "svc"}),
 		"same-namespace access must be permitted with no grants at all")
 }
 
@@ -231,15 +231,15 @@ func TestReferenceGrantManager_TwoGrantsSameTo_DeleteOneKeepsOther(t *testing.T)
 	mgr.UpsertReferenceGrant(upserted(k8sB))
 	mgr.ComputeToFrom()
 
-	assert.True(t, mgr.IsAccessGranted(gatewayv1.GroupName, "HTTPRoute", "route-ns-a", "", "Service", "backend-ns", "shared-svc"))
-	assert.True(t, mgr.IsAccessGranted(gatewayv1.GroupName, "HTTPRoute", "route-ns-b", "", "Service", "backend-ns", "shared-svc"))
+	assert.True(t, mgr.IsAccessGranted(GrantFrom{Group: gatewayv1.GroupName, Kind: "HTTPRoute", Namespace: "route-ns-a"}, GrantTo{Kind: "Service", Namespace: "backend-ns", Name: "shared-svc"}))
+	assert.True(t, mgr.IsAccessGranted(GrantFrom{Group: gatewayv1.GroupName, Kind: "HTTPRoute", Namespace: "route-ns-b"}, GrantTo{Kind: "Service", Namespace: "backend-ns", Name: "shared-svc"}))
 
 	// Delete grant-a only.
 	mgr.RemoveReferenceGrant(deleted(k8sA))
 	mgr.ComputeToFrom()
 
-	assert.False(t, mgr.IsAccessGranted(gatewayv1.GroupName, "HTTPRoute", "route-ns-a", "", "Service", "backend-ns", "shared-svc"),
+	assert.False(t, mgr.IsAccessGranted(GrantFrom{Group: gatewayv1.GroupName, Kind: "HTTPRoute", Namespace: "route-ns-a"}, GrantTo{Kind: "Service", Namespace: "backend-ns", Name: "shared-svc"}),
 		"route-ns-a must lose access after its grant is deleted")
-	assert.True(t, mgr.IsAccessGranted(gatewayv1.GroupName, "HTTPRoute", "route-ns-b", "", "Service", "backend-ns", "shared-svc"),
+	assert.True(t, mgr.IsAccessGranted(GrantFrom{Group: gatewayv1.GroupName, Kind: "HTTPRoute", Namespace: "route-ns-b"}, GrantTo{Kind: "Service", Namespace: "backend-ns", Name: "shared-svc"}),
 		"route-ns-b must retain access via its own grant")
 }
diff --git a/k8s/gate/tree/route-rule.go b/k8s/gate/tree/route-rule.go
@@ -66,8 +66,10 @@ func (r *HTTPRouteRule) checkBackendRef(httpRoute *HTTPRoute, controllerStore Co
 		// 3- Check if a ReferenceGrant is needed and if so is it valid
 		backendNs := getNamespace(backendRef.BackendObjectReference.Namespace, httpRoute.K8sResource.Namespace)
 		accessGranted := backendNs == httpRoute.K8sResource.Namespace ||
-			referenceGrantManager.IsAccessGranted(gatewayv1.GroupName, "HTTPRoute", httpRoute.K8sResource.Namespace,
-				"", "Service", backendNs, string(backendRef.BackendObjectReference.Name))
+			referenceGrantManager.IsAccessGranted(
+				GrantFrom{Group: gatewayv1.GroupName, Kind: "HTTPRoute", Namespace: httpRoute.K8sResource.Namespace},
+				GrantTo{Group: "", Kind: "Service", Namespace: backendNs, Name: string(backendRef.BackendObjectReference.Name)},
+			)
 		if !accessGranted {
 			cond := rc.ConditionKORefNotPermitted(utils.BackendObjectReferenceToKey(backendRef.BackendObjectReference))
 			r.CheckBackendRef.Set(backendRef.BackendObjectReference, CheckResult{
diff --git a/k8s/gate/tree/tls-route-rule.go b/k8s/gate/tree/tls-route-rule.go
@@ -62,8 +62,10 @@ func (r *TLSRouteRule) checkBackendRef(tlsRoute *TLSRoute, controllerStore Contr
 		// 3- Check if a ReferenceGrant is needed and if so is it valid
 		backendNs := getNamespace(backendRef.BackendObjectReference.Namespace, tlsRoute.K8sResource.Namespace)
 		accessGranted := backendNs == tlsRoute.K8sResource.Namespace ||
-			referenceGrantManager.IsAccessGranted(gatewayv1.GroupName, "TLSRoute", tlsRoute.K8sResource.Namespace,
-				"", "Service", backendNs, string(backendRef.BackendObjectReference.Name))
+			referenceGrantManager.IsAccessGranted(
+				GrantFrom{Group: gatewayv1.GroupName, Kind: "TLSRoute", Namespace: tlsRoute.K8sResource.Namespace},
+				GrantTo{Group: "", Kind: "Service", Namespace: backendNs, Name: string(backendRef.BackendObjectReference.Name)},
+			)
 		if !accessGranted {
 			cond := rc.ConditionKORefNotPermitted(utils.BackendObjectReferenceToKey(backendRef.BackendObjectReference))
 			r.CheckBackendRef.Set(backendRef.BackendObjectReference, CheckResult{
