fix: normalize Project to cammel case

Author: JoseSzycho

internal/indexer/consumer.go

@@ -7,6 +7,8 @@ import (
 	"sync"
 
 	"github.com/nats-io/nats.go/jetstream"
+	"golang.org/x/text/cases"
+	"golang.org/x/text/language"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/klog/v2"
 )
@@ -50,7 +52,9 @@ func extractTenantFromAuditEvent(event *auditEvent) (tenantName string, tenantTy
 	}
 
 	if values, ok := event.User.Extra["iam.miloapis.com/parent-type"]; ok && len(values) > 0 {
-		tenantType = values[0]
+		// Normalize to title-case to match Milo's scope annotation conventions
+		// (e.g. the annotation value "project" becomes "Project").
+		tenantType = cases.Title(language.Und).String(values[0])
 	}
 	if values, ok := event.User.Extra["iam.miloapis.com/parent-name"]; ok && len(values) > 0 {
 		tenantName = values[0]

internal/indexer/consumer_test.go

@@ -163,7 +163,7 @@ func TestExtractTenantFromAuditEvent_WithUserExtra(t *testing.T) {
 		Extra map[string][]string `json:"extra,omitempty"`
 	}{
 		Extra: map[string][]string{
-			"iam.miloapis.com/parent-type": {"project"},
+			"iam.miloapis.com/parent-type": {"Project"},
 			"iam.miloapis.com/parent-name": {"my-project"},
 		},
 	}
@@ -173,8 +173,8 @@ func TestExtractTenantFromAuditEvent_WithUserExtra(t *testing.T) {
 	if name != "my-project" {
 		t.Errorf("tenantName: got %q, want %q", name, "my-project")
 	}
-	if typ != "project" {
-		t.Errorf("tenantType: got %q, want %q", typ, "project")
+	if typ != "Project" {
+		t.Errorf("tenantType: got %q, want %q", typ, "Project")
 	}
 }
 
@@ -200,7 +200,7 @@ func TestExtractTenantFromAuditEvent_PartialUserExtra_TypeOnlyNoName(t *testing.
 		Extra map[string][]string `json:"extra,omitempty"`
 	}{
 		Extra: map[string][]string{
-			"iam.miloapis.com/parent-type": {"project"},
+			"iam.miloapis.com/parent-type": {"Project"},
 		},
 	}
 
@@ -209,8 +209,8 @@ func TestExtractTenantFromAuditEvent_PartialUserExtra_TypeOnlyNoName(t *testing.
 	if name != "platform" {
 		t.Errorf("tenantName: got %q, want %q (expected fallback)", name, "platform")
 	}
-	if typ != "project" {
-		t.Errorf("tenantType: got %q, want %q", typ, "project")
+	if typ != "Project" {
+		t.Errorf("tenantType: got %q, want %q", typ, "Project")
 	}
 }
 

internal/tenant/registry.go

@@ -40,7 +40,7 @@ type TenantDisengagementCallback func(tenantName string)
 
 const (
 	TenantTypePlatform = "platform"
-	TenantTypeProject  = "project"
+	TenantTypeProject  = "Project"
 )
 
 // PlatformTenantInfo is the canonical TenantInfo for the platform tenant.

test/e2e/search-flow-multi-tenant-audit/chainsaw-test.yaml

@@ -99,7 +99,7 @@ spec:
               # Event A: project-tenant resource.
               # user.extra carries iam.miloapis.com/parent-type and parent-name so the
               # indexer's extractTenantFromAuditEvent() will resolve the tenant as
-              # type="project", name="e2e-audit-test-project".
+              # type="Project", name="e2e-audit-test-project".
               EVENT_A='{"auditID":"e2e-audit-project-event-001","verb":"create","objectRef":{"apiGroup":"rbac.authorization.k8s.io","apiVersion":"v1","resource":"rolebindings","name":"e2e-audit-project-role","namespace":"default","uid":"e2e-audit-project-uid-00000001"},"responseObject":{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"RoleBinding","metadata":{"name":"e2e-audit-project-role","namespace":"default","uid":"e2e-audit-project-uid-00000001","labels":{"e2e-multi-tenant-audit":"true"},"annotations":{"e2e.search.test/service":"audit-project-service-mt-rn2"}},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"Role","name":"view"},"subjects":[]},"user":{"extra":{"iam.miloapis.com/parent-type":["project"],"iam.miloapis.com/parent-name":["e2e-audit-test-project"]}}}'
 
               # Event B: platform-tenant resource.
@@ -187,8 +187,8 @@ spec:
                 limit: 10
               EOF
               )
-              echo "$RESULT" | jq -e '[.status.results[]? | select(.resource.metadata.name == "e2e-audit-project-role")] | length > 0'
-              echo "$RESULT" | jq -e '[.status.results[]? | select(.resource.metadata.name == "e2e-audit-project-role") | select(.tenant.name == "e2e-audit-test-project") | select(.tenant.type == "project")] | length > 0'
+              echo "$RESULT" | jq -e '[.status.results[]? | select(.resource.metadata.name == "e2e-audit-project-role")] | length > 0' && \
+              echo "$RESULT" | jq -e '[.status.results[]? | select(.resource.metadata.name == "e2e-audit-project-role") | select(.tenant.name == "e2e-audit-test-project") | select(.tenant.type == "Project")] | length > 0' && \
               echo "$RESULT" | jq -e '[.status.results[]? | select(.resource.metadata.name == "e2e-audit-project-role") | select(.resource._tenant != null)] | length == 0'
             check:
               ($error): ~
@@ -216,7 +216,7 @@ spec:
                 limit: 10
               EOF
               )
-              echo "$RESULT" | jq -e '[.status.results[]? | select(.resource.metadata.name == "e2e-audit-platform-role")] | length > 0'
+              echo "$RESULT" | jq -e '[.status.results[]? | select(.resource.metadata.name == "e2e-audit-platform-role")] | length > 0' && \
               echo "$RESULT" | jq -e '[.status.results[]? | select(.resource.metadata.name == "e2e-audit-platform-role") | select(.tenant.name == "platform") | select(.tenant.type == "platform")] | length > 0'
             check:
               ($error): ~
@@ -244,7 +244,7 @@ spec:
                 limit: 10
               EOF
               )
-              echo "$RESULT" | jq -e '[.status.results[]? | select(.tenant.type == "project")] | length >= 1'
+              echo "$RESULT" | jq -e '[.status.results[]? | select(.tenant.type == "Project")] | length >= 1' && \
               echo "$RESULT" | jq -e '[.status.results[]? | select(.tenant.type == "platform")] | length >= 1'
             check:
               ($error): ~

test/e2e/search-flow-multi-tenant/chainsaw-test.yaml

@@ -94,7 +94,7 @@ spec:
               # Build event JSON with INDEX_NAME substituted.
               # SpecHash is intentionally omitted so the consumer skips the hash check.
               EVENT1=$(printf \
-                '{"id":"e2e-mt-project-resource-001","policyName":"e2e-multi-tenant-role-policy","indexName":"%s","tenant":"e2e-test-project","tenantType":"project","resource":{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"name":"e2e-project-role","uid":"e2e-project-uid-00000001","labels":{"e2e-multi-tenant":"true"},"annotations":{"e2e.search.test/service":"project-service-mt-rn1"}},"rules":[{"apiGroups":[""],"resources":["pods"],"verbs":["get"]}]}}' \
+                '{"id":"e2e-mt-project-resource-001","policyName":"e2e-multi-tenant-role-policy","indexName":"%s","tenant":"e2e-test-project","tenantType":"Project","resource":{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"name":"e2e-project-role","uid":"e2e-project-uid-00000001","labels":{"e2e-multi-tenant":"true"},"annotations":{"e2e.search.test/service":"project-service-mt-rn1"}},"rules":[{"apiGroups":[""],"resources":["pods"],"verbs":["get"]}]}}' \
                 "$INDEX_NAME")
 
               EVENT2=$(printf \
@@ -178,8 +178,8 @@ spec:
                 limit: 10
               EOF
               )
-              echo "$RESULT" | jq -e '[.status.results[]? | select(.resource.metadata.name == "e2e-project-role")] | length > 0'
-              echo "$RESULT" | jq -e '[.status.results[]? | select(.resource.metadata.name == "e2e-project-role") | select(.tenant.name == "e2e-test-project") | select(.tenant.type == "project")] | length > 0'
+              echo "$RESULT" | jq -e '[.status.results[]? | select(.resource.metadata.name == "e2e-project-role")] | length > 0' && \
+              echo "$RESULT" | jq -e '[.status.results[]? | select(.resource.metadata.name == "e2e-project-role") | select(.tenant.name == "e2e-test-project") | select(.tenant.type == "Project")] | length > 0' && \
               echo "$RESULT" | jq -e '[.status.results[]? | select(.resource.metadata.name == "e2e-project-role") | select(.resource._tenant != null)] | length == 0'
             check:
               ($error): ~
@@ -207,7 +207,7 @@ spec:
                 limit: 10
               EOF
               )
-              echo "$RESULT" | jq -e '[.status.results[]? | select(.resource.metadata.name == "e2e-platform-role")] | length > 0'
+              echo "$RESULT" | jq -e '[.status.results[]? | select(.resource.metadata.name == "e2e-platform-role")] | length > 0' && \
               echo "$RESULT" | jq -e '[.status.results[]? | select(.resource.metadata.name == "e2e-platform-role") | select(.tenant.name == "platform") | select(.tenant.type == "platform")] | length > 0'
             check:
               ($error): ~
@@ -235,7 +235,7 @@ spec:
                 limit: 10
               EOF
               )
-              echo "$RESULT" | jq -e '[.status.results[]? | select(.tenant.type == "project")] | length >= 1'
+              echo "$RESULT" | jq -e '[.status.results[]? | select(.tenant.type == "Project")] | length >= 1' && \
               echo "$RESULT" | jq -e '[.status.results[]? | select(.tenant.type == "platform")] | length >= 1'
             check:
               ($error): ~