fix: update tenant annotations to be taken from root level.

JoseSzycho · JoseSzycho · commit 814dbebe006d · 2026-03-26T12:15:10.000-03:00
diff --git a/internal/indexer/consumer.go b/internal/indexer/consumer.go
@@ -23,8 +23,12 @@ type Indexer struct {
 }
 
 type auditEvent struct {
-	AuditID   string `json:"auditID"`
-	Verb      string `json:"verb"`
+	AuditID     string            `json:"auditID"`
+	Verb        string            `json:"verb"`
+	Annotations map[string]string `json:"annotations"`
+	User        struct {
+		Extra map[string][]string `json:"extra"`
+	} `json:"user"`
 	ObjectRef struct {
 		APIGroup   string `json:"apiGroup"`
 		APIVersion string `json:"apiVersion"`
@@ -37,25 +41,22 @@ type auditEvent struct {
 }
 
 // extractTenantFromAuditEvent extracts tenant identity from the audit event.
-// It reads exclusively from ResponseObject metadata annotations:
+// It reads exclusively from the top-level audit event annotations:
 //   - ScopeTypeAnnotationKey ("platform.miloapis.com/scope.type") for the tenant type
 //   - ScopeNameAnnotationKey ("platform.miloapis.com/scope.name") for the tenant name
 //
-// Falls back to "platform"/"platform" when the ResponseObject is absent or the
-// annotations are not set.
+// Falls back to "platform"/"platform" when the annotations are absent or not set.
 func extractTenantFromAuditEvent(event *auditEvent) (tenantName string, tenantType string) {
 	tenantName = tenantTypePlatform
 	tenantType = tenantTypePlatform
 
-	if event.ResponseObject == nil {
+	if event.Annotations == nil {
 		return
 	}
 
 	caser := cases.Title(language.Und)
-	obj := &unstructured.Unstructured{Object: event.ResponseObject}
-	annotations := obj.GetAnnotations()
 
-	if v, ok := annotations[ScopeTypeAnnotationKey]; ok && v != "" {
+	if v, ok := event.Annotations[ScopeTypeAnnotationKey]; ok && v != "" {
 		// Normalize to title-case to match Milo's scope annotation conventions
 		// (e.g. the annotation value "project" becomes "Project").
 		// Exception: "platform" is a fallback default and stays lowercase.
@@ -66,7 +67,7 @@ func extractTenantFromAuditEvent(event *auditEvent) (tenantName string, tenantTy
 		}
 	}
 
-	if v, ok := annotations[ScopeNameAnnotationKey]; ok && v != "" {
+	if v, ok := event.Annotations[ScopeNameAnnotationKey]; ok && v != "" {
 		tenantName = v
 	}
 
diff --git a/internal/indexer/consumer_test.go b/internal/indexer/consumer_test.go
@@ -172,15 +172,11 @@ func TestExtractTenantFromAuditEvent_NilResponseObject(t *testing.T) {
 }
 
 func TestExtractTenantFromAuditEvent_WithAnnotations(t *testing.T) {
-	// Both scope annotations present — should be extracted and type normalized to title-case.
+	// Both scope annotations present at the top level — should be extracted and type normalized to title-case.
 	event := &auditEvent{
-		ResponseObject: map[string]any{
-			"metadata": map[string]any{
-				"annotations": map[string]any{
-					ScopeTypeAnnotationKey: "project",
-					ScopeNameAnnotationKey: "my-project",
-				},
-			},
+		Annotations: map[string]string{
+			ScopeTypeAnnotationKey: "project",
+			ScopeNameAnnotationKey: "my-project",
 		},
 	}
 
@@ -195,15 +191,11 @@ func TestExtractTenantFromAuditEvent_WithAnnotations(t *testing.T) {
 }
 
 func TestExtractTenantFromAuditEvent_PartialAnnotations_TypeOnly(t *testing.T) {
-	// Only scope.type annotation is set; scope.name is absent.
+	// Only scope.type annotation is set at the top level; scope.name is absent.
 	// Expect: tenantType is extracted, tenantName falls back to "platform".
 	event := &auditEvent{
-		ResponseObject: map[string]any{
-			"metadata": map[string]any{
-				"annotations": map[string]any{
-					ScopeTypeAnnotationKey: "Project",
-				},
-			},
+		Annotations: map[string]string{
+			ScopeTypeAnnotationKey: "Project",
 		},
 	}
 
@@ -218,14 +210,8 @@ func TestExtractTenantFromAuditEvent_PartialAnnotations_TypeOnly(t *testing.T) {
 }
 
 func TestExtractTenantFromAuditEvent_NoAnnotations(t *testing.T) {
-	// ResponseObject present but no scope annotations — should fall back to platform/platform.
-	event := &auditEvent{
-		ResponseObject: map[string]any{
-			"metadata": map[string]any{
-				"name": "some-resource",
-			},
-		},
-	}
+	// No top-level annotations — should fall back to platform/platform.
+	event := &auditEvent{}
 
 	name, typ := extractTenantFromAuditEvent(event)
 
diff --git a/test/e2e/search-flow-multi-tenant-audit/chainsaw-test.yaml b/test/e2e/search-flow-multi-tenant-audit/chainsaw-test.yaml
@@ -5,24 +5,24 @@ metadata:
 spec:
   description: |
     Validates that resources injected via NATS AUDIT_EVENTS with tenant metadata carried
-    in user.extra fields are correctly indexed with _tenant/_tenant_type fields and that
-    search results expose tenant.name and tenant.type. Since project control planes are
-    not available in the test environment, this test directly publishes crafted audit
-    events to NATS to simulate the multi-tenant audit event indexing path.
+    in top-level audit event annotations are correctly indexed with _tenant/_tenant_type
+    fields and that search results expose tenant.name and tenant.type. Since project
+    control planes are not available in the test environment, this test directly publishes
+    crafted audit events to NATS to simulate the multi-tenant audit event indexing path.
 
     This exercises the Indexer.Start() path (not ReindexConsumer), which:
       1. Consumes from the AUDIT_EVENTS stream on subject audit.k8s.activity.
       2. Iterates all active ResourceIndexPolicies and evaluates responseObject against
          each policy's CEL conditions.
-      3. Calls extractTenantFromAuditEvent() to read tenant identity from
-         user.extra["iam.miloapis.com/parent-type"] and
-         user.extra["iam.miloapis.com/parent-name"].
-      4. Falls back to "platform"/"platform" when user.extra is absent.
+      3. Calls extractTenantFromAuditEvent() to read tenant identity from the top-level
+         annotations["platform.miloapis.com/scope.type"] and
+         annotations["platform.miloapis.com/scope.name"] fields of the audit event.
+      4. Falls back to "platform"/"platform" when top-level annotations are absent.
 
     Covers:
       - A1: Project-tenant resource is searchable with tenant.name and tenant.type set.
-      - A2: Platform-tenant resource (no user.extra) is searchable with fallback
-            tenant.name="platform" and tenant.type="platform".
+      - A2: Platform-tenant resource (no top-level annotations) is searchable with
+            fallback tenant.name="platform" and tenant.type="platform".
       - A3: Mixed search returns both results with correct per-result tenant metadata.
       - _tenant/_tenant_type internal fields are not exposed on the resource object.
 
@@ -97,16 +97,16 @@ spec:
             timeout: 120s
             content: |
               # Event A: project-tenant resource.
-              # user.extra carries iam.miloapis.com/parent-type and parent-name so the
-              # indexer's extractTenantFromAuditEvent() will resolve the tenant as
-              # type="Project", name="e2e-audit-test-project".
-              EVENT_A='{"auditID":"e2e-audit-project-event-001","verb":"create","objectRef":{"apiGroup":"rbac.authorization.k8s.io","apiVersion":"v1","resource":"rolebindings","name":"e2e-audit-project-role","namespace":"default","uid":"e2e-audit-project-uid-00000001"},"responseObject":{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"RoleBinding","metadata":{"name":"e2e-audit-project-role","namespace":"default","uid":"e2e-audit-project-uid-00000001","labels":{"e2e-multi-tenant-audit":"true"},"annotations":{"e2e.search.test/service":"audit-project-service-mt-rn2","platform.miloapis.com/scope.type":"Project","platform.miloapis.com/scope.name":"e2e-audit-test-project"}},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"Role","name":"view"},"subjects":[]},"user":{"extra":{"iam.miloapis.com/parent-type":["project"],"iam.miloapis.com/parent-name":["e2e-audit-test-project"]}}}'
+              # Top-level annotations field carries platform.miloapis.com/scope.type and
+              # scope.name so the indexer's extractTenantFromAuditEvent() will resolve
+              # the tenant as type="Project", name="e2e-audit-test-project".
+              EVENT_A='{"auditID":"e2e-audit-project-event-001","verb":"create","annotations":{"platform.miloapis.com/scope.type":"Project","platform.miloapis.com/scope.name":"e2e-audit-test-project"},"objectRef":{"apiGroup":"rbac.authorization.k8s.io","apiVersion":"v1","resource":"rolebindings","name":"e2e-audit-project-role","namespace":"default","uid":"e2e-audit-project-uid-00000001"},"responseObject":{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"RoleBinding","metadata":{"name":"e2e-audit-project-role","namespace":"default","uid":"e2e-audit-project-uid-00000001","labels":{"e2e-multi-tenant-audit":"true"},"annotations":{"e2e.search.test/service":"audit-project-service-mt-rn2"}},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"Role","name":"view"},"subjects":[]},"user":{"extra":{"iam.miloapis.com/parent-type":["project"],"iam.miloapis.com/parent-name":["e2e-audit-test-project"]}}}'
 
               # Event B: platform-tenant resource.
-              # No "user" field at all — exercises the fallback path in
+              # No top-level annotations field — exercises the fallback path in
               # extractTenantFromAuditEvent() that returns "platform"/"platform"
-              # when user.extra is nil.
-              EVENT_B='{"auditID":"e2e-audit-platform-event-001","verb":"create","objectRef":{"apiGroup":"rbac.authorization.k8s.io","apiVersion":"v1","resource":"rolebindings","name":"e2e-audit-platform-role","namespace":"default","uid":"e2e-audit-platform-uid-00000001"},"responseObject":{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"RoleBinding","metadata":{"name":"e2e-audit-platform-role","namespace":"default","uid":"e2e-audit-platform-uid-00000001","labels":{"e2e-multi-tenant-audit":"true"},"annotations":{"e2e.search.test/service":"audit-platform-service-mt-rn2","platform.miloapis.com/scope.type":"platform","platform.miloapis.com/scope.name":"platform"}},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"Role","name":"view"},"subjects":[]}}'
+              # when top-level annotations are absent.
+              EVENT_B='{"auditID":"e2e-audit-platform-event-001","verb":"create","objectRef":{"apiGroup":"rbac.authorization.k8s.io","apiVersion":"v1","resource":"rolebindings","name":"e2e-audit-platform-role","namespace":"default","uid":"e2e-audit-platform-uid-00000001"},"responseObject":{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"RoleBinding","metadata":{"name":"e2e-audit-platform-role","namespace":"default","uid":"e2e-audit-platform-uid-00000001","labels":{"e2e-multi-tenant-audit":"true"},"annotations":{"e2e.search.test/service":"audit-platform-service-mt-rn2"}},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"Role","name":"view"},"subjects":[]}}'
 
               # Store event payloads in a ConfigMap so they can be mounted into the
               # Job container without shell escaping issues.
