Add authorization client

Adds authorization client to authorization package which helps with
testing.

Also makes errors more descriptive.

Signed-off-by: Tayler Geiger <[email protected]>
Co-authored-by: Brett Tofel <[email protected]>

Author: trgeiger

internal/operator-controller/applier/helm.go

@@ -82,13 +82,13 @@ func shouldSkipPreflight(ctx context.Context, preflight Preflight, ext *ocv1.Clu
 
 func (h *Helm) Apply(ctx context.Context, contentFS fs.FS, ext *ocv1.ClusterExtension, objectLabels map[string]string, storageLabels map[string]string) ([]client.Object, string, error) {
 	if features.OperatorControllerFeatureGate.Enabled(features.PreflightPermissions) {
-		authclient, err := h.AuthorizationClientMapper.GetAuthorizationClient(ctx, ext)
+		rawAuthClient, err := h.AuthorizationClientMapper.GetAuthorizationClient(ctx, ext)
 		if err != nil {
-			return nil, "", err
+			return nil, "", fmt.Errorf("failed to get authorization client: %w", err)
 		}
 
-		err = h.AuthorizationClientMapper.CheckContentPermissions(ctx, contentFS, authclient, ext)
-		if err != nil {
+		authClient := authorization.NewClient(rawAuthClient)
+		if err := h.checkContentPermissions(ctx, contentFS, authClient, ext); err != nil {
 			return nil, "", fmt.Errorf("failed checking content permissions: %w", err)
 		}
 	}
@@ -102,7 +102,7 @@ func (h *Helm) Apply(ctx context.Context, contentFS fs.FS, ext *ocv1.ClusterExte
 
 	ac, err := h.ActionClientGetter.ActionClientFor(ctx, ext)
 	if err != nil {
-		return nil, "", err
+		return nil, "", fmt.Errorf("failed to get action client: %w", err)
 	}
 
 	post := &postrenderer{
@@ -120,14 +120,12 @@ func (h *Helm) Apply(ctx context.Context, contentFS fs.FS, ext *ocv1.ClusterExte
 		}
 		switch state {
 		case StateNeedsInstall:
-			err := preflight.Install(ctx, desiredRel)
-			if err != nil {
-				return nil, state, err
+			if err := preflight.Install(ctx, desiredRel); err != nil {
+				return nil, state, fmt.Errorf("preflight install check failed: %w", err)
 			}
 		case StateNeedsUpgrade:
-			err := preflight.Upgrade(ctx, desiredRel)
-			if err != nil {
-				return nil, state, err
+			if err := preflight.Upgrade(ctx, desiredRel); err != nil {
+				return nil, state, fmt.Errorf("preflight upgrade check failed: %w", err)
 			}
 		}
 	}
@@ -140,7 +138,7 @@ func (h *Helm) Apply(ctx context.Context, contentFS fs.FS, ext *ocv1.ClusterExte
 			return nil
 		}, helmclient.AppendInstallPostRenderer(post))
 		if err != nil {
-			return nil, state, err
+			return nil, state, fmt.Errorf("failed to install release: %w", err)
 		}
 	case StateNeedsUpgrade:
 		rel, err = ac.Upgrade(ext.GetName(), ext.Spec.Namespace, chrt, values, func(upgrade *action.Upgrade) error {
@@ -149,24 +147,39 @@ func (h *Helm) Apply(ctx context.Context, contentFS fs.FS, ext *ocv1.ClusterExte
 			return nil
 		}, helmclient.AppendUpgradePostRenderer(post))
 		if err != nil {
-			return nil, state, err
+			return nil, state, fmt.Errorf("failed to upgrade release: %w", err)
 		}
 	case StateUnchanged:
 		if err := ac.Reconcile(rel); err != nil {
-			return nil, state, err
+			return nil, state, fmt.Errorf("failed to reconcile release: %w", err)
 		}
 	default:
 		return nil, state, fmt.Errorf("unexpected release state %q", state)
 	}
 
 	relObjects, err := util.ManifestObjects(strings.NewReader(rel.Manifest), fmt.Sprintf("%s-release-manifest", rel.Name))
 	if err != nil {
-		return nil, state, err
+		return nil, state, fmt.Errorf("failed to convert manifest to objects: %w", err)
 	}
 
 	return relObjects, state, nil
 }
 
+// Check if RBAC allows the installer service account necessary permissions on the objects in the contentFS
+func (h *Helm) checkContentPermissions(ctx context.Context, contentFS fs.FS, authClient authorization.AuthorizationClient, ext *ocv1.ClusterExtension) error {
+	reg, err := convert.ParseFS(ctx, contentFS)
+	if err != nil {
+		return fmt.Errorf("failed to parse content FS: %w", err)
+	}
+
+	plain, err := convert.Convert(reg, ext.Spec.Namespace, []string{corev1.NamespaceAll})
+	if err != nil {
+		return fmt.Errorf("failed to convert registry: %w", err)
+	}
+
+	return authClient.CheckContentPermissions(ctx, plain.Objects, ext)
+}
+
 func (h *Helm) getReleaseState(cl helmclient.ActionInterface, ext *ocv1.ClusterExtension, chrt *chart.Chart, values chartutil.Values, post postrender.PostRenderer) (*release.Release, *release.Release, string, error) {
 	currentRelease, err := cl.Get(ext.GetName())
 
@@ -177,16 +190,12 @@ func (h *Helm) getReleaseState(cl helmclient.ActionInterface, ext *ocv1.ClusterE
 			return nil
 		}, helmclient.AppendInstallPostRenderer(post))
 		if err != nil {
-			if features.OperatorControllerFeatureGate.Enabled(features.PreflightPermissions) {
-				_ = struct{}{} // minimal no-op to satisfy linter
-				// probably need to break out this error as it's the one for helm dry-run as opposed to any returned later
-			}
-			return nil, nil, StateError, err
+			return nil, nil, StateError, fmt.Errorf("failed dry-run install: %w", err)
 		}
 		return nil, desiredRelease, StateNeedsInstall, nil
 	}
 	if err != nil {
-		return nil, nil, StateError, err
+		return nil, nil, StateError, fmt.Errorf("failed to get current release: %w", err)
 	}
 
 	desiredRelease, err := cl.Upgrade(ext.GetName(), ext.Spec.Namespace, chrt, values, func(upgrade *action.Upgrade) error {
@@ -196,7 +205,7 @@ func (h *Helm) getReleaseState(cl helmclient.ActionInterface, ext *ocv1.ClusterE
 		return nil
 	}, helmclient.AppendUpgradePostRenderer(post))
 	if err != nil {
-		return currentRelease, nil, StateError, err
+		return currentRelease, nil, StateError, fmt.Errorf("failed dry-run upgrade: %w", err)
 	}
 	relState := StateUnchanged
 	if desiredRelease.Manifest != currentRelease.Manifest ||

internal/operator-controller/applier/helm_test.go

@@ -24,6 +24,7 @@ import (
 
 	v1 "github.com/operator-framework/operator-controller/api/v1"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/applier"
+	"github.com/operator-framework/operator-controller/internal/operator-controller/authorization"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/features"
 )
 
@@ -121,7 +122,7 @@ func newPassingAuthorizationClientMapper() applier.AuthorizationClientMapper {
 	mockRCM := func(ctx context.Context, obj client.Object, cfg *rest.Config) (*rest.Config, error) {
 		return cfg, nil
 	}
-	acm := applier.NewAuthorizationClientMapper(mockRCM, fakeRestConfig)
+	acm := authorization.NewAuthorizationClientMapper(mockRCM, fakeRestConfig)
 	acm.NewForConfig = func(*rest.Config) (authorizationv1client.AuthorizationV1Interface, error) {
 		return newPassingSSRRAuthClient(), nil
 	}

internal/operator-controller/authorization/authorization.go

@@ -4,14 +4,11 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"io/fs"
 	"slices"
 	"strings"
 
 	ocv1 "github.com/operator-framework/operator-controller/api/v1"
-	"github.com/operator-framework/operator-controller/internal/operator-controller/rukpak/convert"
 	authv1 "k8s.io/api/authorization/v1"
-	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -20,15 +17,8 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
-const (
-	SelfSubjectRulesReview  string = "SelfSubjectRulesReview"
-	SelfSubjectAccessReview string = "SelfSubjectAccessReview"
-)
-
 type RestConfigMapper func(context.Context, client.Object, *rest.Config) (*rest.Config, error)
 
-type NewForConfigFunc func(*rest.Config) (authorizationv1client.AuthorizationV1Interface, error)
-
 type AuthorizationClientMapper struct {
 	rcm          RestConfigMapper
 	baseCfg      *rest.Config
@@ -47,28 +37,11 @@ func (acm *AuthorizationClientMapper) GetAuthorizationClient(ctx context.Context
 	if err != nil {
 		return nil, err
 	}
-
 	return acm.NewForConfig(authcfg)
 }
 
-// Check if RBAC allows the installer service account necessary permissions on the objects in the contentFS
-func (acm *AuthorizationClientMapper) CheckContentPermissions(ctx context.Context, contentFS fs.FS, authcl authorizationv1client.AuthorizationV1Interface, ext *ocv1.ClusterExtension) error {
-	reg, err := convert.ParseFS(ctx, contentFS)
-	if err != nil {
-		return err
-	}
-
-	plain, err := convert.Convert(reg, ext.Spec.Namespace, []string{corev1.NamespaceAll})
-	if err != nil {
-		return err
-	}
-
-	err = checkObjectPermissions(ctx, authcl, plain.Objects, ext)
-
-	return err
-}
-
-func checkObjectPermissions(ctx context.Context, authcl authorizationv1client.AuthorizationV1Interface, objects []client.Object, ext *ocv1.ClusterExtension) error {
+// CheckObjectPermissions verifies that the given objects have the required permissions.
+func CheckObjectPermissions(ctx context.Context, authcl authorizationv1client.AuthorizationV1Interface, objects []client.Object, ext *ocv1.ClusterExtension) error {
 	ssrr := &authv1.SelfSubjectRulesReview{
 		Spec: authv1.SelfSubjectRulesReviewSpec{
 			Namespace: ext.Spec.Namespace,
@@ -78,7 +51,7 @@ func checkObjectPermissions(ctx context.Context, authcl authorizationv1client.Au
 	opts := v1.CreateOptions{}
 	ssrr, err := authcl.SelfSubjectRulesReviews().Create(ctx, ssrr, opts)
 	if err != nil {
-		return err
+		return fmt.Errorf("failed to create SelfSubjectRulesReview: %w", err)
 	}
 
 	rules := []rbacv1.PolicyRule{}
@@ -118,25 +91,26 @@ func checkObjectPermissions(ctx context.Context, authcl authorizationv1client.Au
 	for _, resAttr := range resAttrs {
 		if !canI(resAttr, rules) {
 			if resAttr.Namespace != "" {
-				namespacedErrs = append(namespacedErrs, fmt.Errorf("cannot %q %q %q in namespace %q",
+				namespacedErrs = append(namespacedErrs, fmt.Errorf("cannot %s %q %q in namespace %q",
 					resAttr.Verb,
 					strings.TrimSuffix(resAttr.Resource, "s"),
 					resAttr.Name,
 					resAttr.Namespace))
 				continue
 			}
-			clusterScopedErrs = append(clusterScopedErrs, fmt.Errorf("cannot %s %s %s",
+			clusterScopedErrs = append(clusterScopedErrs, fmt.Errorf("cannot %s %q %q",
 				resAttr.Verb,
 				strings.TrimSuffix(resAttr.Resource, "s"),
 				resAttr.Name))
 		}
 	}
-	errs := append(namespacedErrs, clusterScopedErrs...)
-	if len(errs) > 0 {
-		errs = append([]error{fmt.Errorf("installer service account %s is missing required permissions", ext.Spec.ServiceAccount.Name)}, errs...)
+
+	allErrs := append(namespacedErrs, clusterScopedErrs...)
+	if len(allErrs) > 0 {
+		return fmt.Errorf("installer service account %q is missing required permissions: %w", ext.Spec.ServiceAccount.Name, errors.Join(allErrs...))
 	}
 
-	return errors.Join(errs...)
+	return nil
 }
 
 // Checks if the rules allow the verb on the GroupVersionKind in resAttr

internal/operator-controller/authorization/client.go

@@ -0,0 +1,33 @@
+package authorization
+
+import (
+	"context"
+
+	authorizationv1client "k8s.io/client-go/kubernetes/typed/authorization/v1"
+	"k8s.io/client-go/rest"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	ocv1 "github.com/operator-framework/operator-controller/api/v1"
+)
+
+type NewForConfigFunc func(*rest.Config) (authorizationv1client.AuthorizationV1Interface, error)
+
+// AuthorizationClient is an interface exposing only the needed functionality
+type AuthorizationClient interface {
+	CheckContentPermissions(ctx context.Context, objects []client.Object, ext *ocv1.ClusterExtension) error
+}
+
+// clientImpl wraps the underlying authorization client
+type clientImpl struct {
+	authClient authorizationv1client.AuthorizationV1Interface
+}
+
+// NewClient wraps an authorizationv1client.AuthorizationV1Interface
+func NewClient(authClient authorizationv1client.AuthorizationV1Interface) AuthorizationClient {
+	return &clientImpl{authClient: authClient}
+}
+
+// CheckContentPermissions is the public method that internally calls the generic check
+func (c *clientImpl) CheckContentPermissions(ctx context.Context, objects []client.Object, ext *ocv1.ClusterExtension) error {
+	return CheckObjectPermissions(ctx, c.authClient, objects, ext)
+}