Change authorization logic against rhsso

Author: dudyas6

pkg/auth/rhsso_authz_handler.go

@@ -76,16 +76,15 @@ func (a *AuthzHandler) OwnedBy(ctx context.Context, db *gorm.DB, resource Resour
 		return db, nil
 	}
 	if a.isOcmAuthzEnabled() {
-		accessibleClusterIDs, err := a.listAccessibleResource(ocm.UserNameFromContext(ctx), ocm.AMSActionGet, ClusterResource)
+		allowedClusterID, allowedClusterUuids, err := a.listAccessibleResource(ocm.UserNameFromContext(ctx), ocm.AMSActionGet, ClusterResource)
 		if err != nil {
 			return nil, err
 		}
-		query := "id"
 		if resource != ClusterResource {
-			query = "cluster_id"
+			return db.Where("cluster_id IN ?", allowedClusterID), nil
 		}
 
-		return db.Where(query+"IN ?", accessibleClusterIDs), nil
+		return db.Where("id IN ? OR openshift_cluster_id IN ?", allowedClusterID, allowedClusterUuids), nil
 	}
 	if a.isTenancyEnabled() {
 		return db.Where("org_id = ?", ocm.OrgIDFromContext(ctx)), nil
@@ -106,10 +105,11 @@ func (a *AuthzHandler) OwnedByUser(ctx context.Context, db *gorm.DB, resource Re
 		return nil, err
 	}
 
-	if username == "" {
-		return res, nil
+	if username != "" {
+		res = res.Where("user_name = ?", username)
 	}
-	return res.Where("user_name = ?", username), nil
+
+	return res, nil
 }
 
 func (a *AuthzHandler) isObjectOwnedByUser(id string, obj interface{}, payload *ocm.AuthPayload) (bool, error) {
@@ -152,7 +152,7 @@ func (a *AuthzHandler) hasSubscriptionAccess(clusterId string, action string, pa
 		return true, nil
 	}
 
-	if a.isTenancyEnabled() {
+	if a.isTenancyEnabled() || a.isOcmAuthzEnabled() {
 		var cluster common.Cluster
 		err = a.db.Select("ams_subscription_id", "openshift_cluster_id", "kind").
 			First(&cluster, "id = ?", clusterId).Error
@@ -401,7 +401,7 @@ func (a *AuthzHandler) allowedToUseAssistedInstaller(username string) (bool, err
 		context.Background(), username, ocm.AMSActionCreate, "", ocm.BareMetalClusterResource)
 }
 
-func (a *AuthzHandler) listAccessibleResource(username, action, resource string) ([]string, error) {
+func (a *AuthzHandler) listAccessibleResource(username, action, resource string) ([]string, []string, error) {
 	return a.client.Authorization.ResourceReview(
 		context.Background(), username, action, resource)
 }

pkg/ocm/authorization.go

@@ -13,7 +13,7 @@ import (
 
 //go:generate mockgen -source=authorization.go -package=ocm -destination=mock_authorization.go
 type OCMAuthorization interface {
-	ResourceReview(ctx context.Context, username, action, resourceType string) (allowed []string, err error)
+	ResourceReview(ctx context.Context, username, action, resourceType string) (clusterIds []string, clusterUuids []string, err error)
 	AccessReview(ctx context.Context, username, action, subscriptionId, resourceType string) (allowed bool, err error)
 	CapabilityReview(ctx context.Context, username, capabilityName, capabilityType string) (allowed bool, err error)
 }
@@ -22,7 +22,7 @@ type authorization struct {
 	client *Client
 }
 
-func (a authorization) ResourceReview(ctx context.Context, username, action, resourceType string) (allowed []string, err error) {
+func (a authorization) ResourceReview(ctx context.Context, username, action, resourceType string) (clusterIds []string, clusterUuids []string, err error) {
 	defer commonutils.MeasureOperation("OCM-ResourceReview", a.client.log, a.client.metricsApi)()
 	resourceReview := a.client.connection.Authorizations().V1().ResourceReview()
 
@@ -33,7 +33,7 @@ func (a authorization) ResourceReview(ctx context.Context, username, action, res
 
 	request, err := requestBuilder.Build()
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 
 	postResp, err := resourceReview.Post().
@@ -43,25 +43,30 @@ func (a authorization) ResourceReview(ctx context.Context, username, action, res
 		if postResp != nil {
 			a.client.logger.Error(context.Background(), "Fail to send ResourceReview. Response: %v", postResp)
 			if postResp.Status() >= 400 && postResp.Status() < 500 {
-				return nil, common.NewInfraError(http.StatusUnauthorized, err)
+				return nil, nil, common.NewInfraError(http.StatusUnauthorized, err)
 			}
 			if postResp.Status() >= 500 {
-				return nil, common.NewApiError(http.StatusServiceUnavailable, err)
+				return nil, nil, common.NewApiError(http.StatusServiceUnavailable, err)
 			}
 		}
-		return nil, common.NewApiError(http.StatusServiceUnavailable, err)
+		return nil, nil, common.NewApiError(http.StatusServiceUnavailable, err)
 	}
 
 	response, ok := postResp.GetReview()
 	if !ok {
-		return nil, errors.Errorf("Empty response from authorization post request")
+		return nil, nil, errors.Errorf("Empty response from authorization post request")
 	}
 
-	clusterIDs, ok := response.GetClusterIDs()
+	clusterIds, ok = response.GetClusterIDs()
 	if !ok {
-		return nil, errors.Errorf("Failed to get cluster IDs from the response")
+		return nil, nil, errors.Errorf("Failed to get cluster IDs from the response")
 	}
-	return clusterIDs, nil
+
+	clusterUuids, ok = response.GetClusterUUIDs()
+	if !ok {
+		return nil, nil, errors.Errorf("Failed to get cluster UUIDs from the response")
+	}
+	return clusterIds, clusterUuids, nil
 }
 
 func (a authorization) AccessReview(ctx context.Context, username, action, subscriptionId, resourceType string) (allowed bool, err error) {