feat: added account creation authz check (#8)

OlegErshov · aaronschweig · web-flow · commit 347f84799f6b · 2025-08-06T10:53:46.000+02:00
* feat: added account creation authz check

* fix: changed authz checks logic

* feat: added cached orgs workspace and store id

* fix: correct retrieval of the workspaceID

* chore: linting issues

* fix: fixed account info nil error

* chore: minor refactoring

* chore: more refactoring

* fix: fixed nil mapper in tests

---------

Co-authored-by: aaronschweig &lt;aaron.schweig@gmail.com&gt;
diff --git a/cmd/serve.go b/cmd/serve.go
@@ -3,7 +3,10 @@ package cmd
 import (
 	"context"
 	"crypto/tls"
+	"fmt"
 	"net/http"
+	"net/url"
+	"path"
 
 	kcpcorev1alpha1 "github.com/kcp-dev/kcp/sdk/apis/core/v1alpha1"
 	"github.com/kcp-dev/multicluster-provider/apiexport"
@@ -25,10 +28,15 @@ import (
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/client-go/tools/clientcmd"
 
+	tenancyv1alpha1 "github.com/kcp-dev/kcp/sdk/apis/tenancy/v1alpha1"
 	"github.com/platform-mesh/rebac-authz-webhook/pkg/client"
 	"github.com/platform-mesh/rebac-authz-webhook/pkg/config"
 	"github.com/platform-mesh/rebac-authz-webhook/pkg/handler"
+
+	kcpclient "github.com/kcp-dev/kcp/pkg/client/clientset/versioned"
+	openfgav1 "github.com/openfga/api/proto/openfga/v1"
 	"github.com/platform-mesh/rebac-authz-webhook/pkg/mapperprovider"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
 var (
@@ -66,11 +74,22 @@ func serve() { // coverage-ignore
 	kcpScheme := runtime.NewScheme()
 	utilruntime.Must(kcpcorev1alpha1.AddToScheme(kcpScheme))
 	utilruntime.Must(accountsv1alpha1.AddToScheme(kcpScheme))
+	utilruntime.Must(tenancyv1alpha1.AddToScheme(kcpScheme))
 
 	srv := mgr.GetWebhookServer()
 	cmw := &ContextMiddleware{Logger: log}
 
-	authHandler, err := handler.NewAuthorizationHandler(fga, mgr, serverCfg.Kcp.AccountInfoName, mps)
+	orgsWorkspaceID, err := getOrgWorkspaceID(ctx, serverCfg)
+	if err != nil {
+		log.Fatal().Err(err).Msg("cannot get organization's workspace ID")
+	}
+
+	orgsStoreID, err := getOrgStoreID(ctx, fga, "orgs")
+	if err != nil {
+		log.Fatal().Err(err).Msg("cannot get organization's store ID")
+	}
+
+	authHandler, err := handler.NewAuthorizationHandler(fga, mgr, serverCfg.Kcp.AccountInfoName, orgsStoreID, orgsWorkspaceID, mps)
 	if err != nil {
 		log.Fatal().Err(err).Msg("could not create authorization handler")
 	}
@@ -169,3 +188,48 @@ func (c *ContextMiddleware) Middleware(next http.Handler) http.Handler {
 		next.ServeHTTP(w, r.WithContext(ctx))
 	})
 }
+
+func getOrgWorkspaceID(ctx context.Context, serviceCfg config.Config) (string, error) {
+
+	kubeconfigPath := serviceCfg.Kcp.KubeconfigPath
+	kcpCfg, err := clientcmd.BuildConfigFromFlags("", kubeconfigPath)
+	if err != nil {
+		return "", fmt.Errorf("failed to build config from kubeconfig: %w", err)
+	}
+
+	parsed, err := url.Parse(kcpCfg.Host)
+	if err != nil {
+		return "", fmt.Errorf("failed to parse host URL: %w", err)
+	}
+
+	parsed.Path = path.Join("clusters", "root")
+
+	wsCfg := rest.CopyConfig(kcpCfg)
+	wsCfg.Host = parsed.String()
+
+	kcpClientSet, err := kcpclient.NewForConfig(wsCfg)
+	if err != nil {
+		return "", err
+	}
+
+	orgWorkspace, err := kcpClientSet.TenancyV1alpha1().Workspaces().Get(ctx, "orgs", metav1.GetOptions{})
+	if err != nil {
+		return "", err
+	}
+
+	return orgWorkspace.Spec.Cluster, nil
+}
+
+func getOrgStoreID(ctx context.Context, fga openfgav1.OpenFGAServiceClient, storeName string) (string, error) {
+	stores, err := fga.ListStores(ctx, &openfgav1.ListStoresRequest{})
+	if err != nil {
+		return "", err
+	}
+
+	for _, store := range stores.Stores {
+		if store.Name == storeName {
+			return store.Id, nil
+		}
+	}
+	return "", fmt.Errorf("store %s doesn't exist", storeName)
+}
diff --git a/go.mod b/go.mod
@@ -11,6 +11,7 @@ replace (
 
 require (
 	github.com/go-logr/logr v1.4.3
+	github.com/kcp-dev/kcp/pkg/client v0.0.0-20230328080949-0f3bb69fdc08
 	github.com/kcp-dev/kcp/sdk v0.27.1
 	github.com/kcp-dev/logicalcluster/v3 v3.0.5
 	github.com/kcp-dev/multicluster-provider v0.1.0
@@ -64,6 +65,7 @@ require (
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/kcp-dev/apimachinery/v2 v2.0.1-0.20250223115924-431177b024f3 // indirect
+	github.com/kcp-dev/kcp/pkg/apis v0.11.0 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
diff --git a/go.sum b/go.sum
@@ -95,6 +95,10 @@ github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnr
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/kcp-dev/apimachinery/v2 v2.0.1-0.20250223115924-431177b024f3 h1:YwNX7ZIpQXg9u5vav/fobmf4nnO0WhbELWaL3X74Oe4=
 github.com/kcp-dev/apimachinery/v2 v2.0.1-0.20250223115924-431177b024f3/go.mod h1:n0+EV+LGKl1MXXqGbGcn0AaBv7hdKsdazSYuq8nM8Us=
+github.com/kcp-dev/kcp/pkg/apis v0.11.0 h1:K6p+tNHNcvfACCPLcHgY0EMLeaIwR1jS491FyLfXMII=
+github.com/kcp-dev/kcp/pkg/apis v0.11.0/go.mod h1:8cUAmfMJcksauz53UtsLYG8Phhx62rvuCnd/5t/Zihk=
+github.com/kcp-dev/kcp/pkg/client v0.0.0-20230328080949-0f3bb69fdc08 h1:0blsXyXkTOvlNDk0w76LjQ2TsE3GWhfhS2gnDnj0Ic8=
+github.com/kcp-dev/kcp/pkg/client v0.0.0-20230328080949-0f3bb69fdc08/go.mod h1:RbjVziId9vruNj7tvsM+awj8kmO3EfV//xkYCDX8mPY=
 github.com/kcp-dev/kcp/sdk v0.27.1 h1:jBVdrZoJd5hy2RqaBnmCCzldimwOqDkf8FXtNq5HaWA=
 github.com/kcp-dev/kcp/sdk v0.27.1/go.mod h1:3eRgW42d81Ng60DbG1xbne0FSS2znpcN/GUx4rqJgUo=
 github.com/kcp-dev/logicalcluster/v3 v3.0.5 h1:JbYakokb+5Uinz09oTXomSUJVQsqfxEvU4RyHUYxHOU=
diff --git a/pkg/handler/handler.go b/pkg/handler/handler.go
@@ -15,6 +15,7 @@ import (
 	"github.com/prometheus/client_golang/prometheus"
 	authorizationv1 "k8s.io/api/authorization/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
+
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/client/apiutil"
 	mcmanager "sigs.k8s.io/multicluster-runtime/pkg/manager"
@@ -28,6 +29,8 @@ import (
 type AuthorizationHandler struct {
 	fga             openfgav1.OpenFGAServiceClient
 	accountInfoName string
+	orgStoreID      string
+	orgWorkspaceID  string
 	mgr             mcmanager.Manager
 	mps             *mapperprovider.MapperProviders
 }
@@ -40,12 +43,15 @@ var (
 	})
 )
 
-func NewAuthorizationHandler(fga openfgav1.OpenFGAServiceClient, mgr mcmanager.Manager, accountInfoName string, mps *mapperprovider.MapperProviders) (*AuthorizationHandler, error) {
+const rootOrgName = "tenancy_kcp_io_workspace:orgs"
 
+func NewAuthorizationHandler(fga openfgav1.OpenFGAServiceClient, mgr mcmanager.Manager, accountInfoName string, orgStoreID, orgWorkspaceID string, mps *mapperprovider.MapperProviders) (*AuthorizationHandler, error) {
 	return &AuthorizationHandler{
 		fga:             fga,
 		accountInfoName: accountInfoName,
 		mgr:             mgr,
+		orgStoreID:      orgStoreID,
+		orgWorkspaceID:  orgWorkspaceID,
 		mps:             mps,
 	}, nil
 }
@@ -55,10 +61,12 @@ var ErrNoStoreID = errors.New("no store ID found")
 func (a *AuthorizationHandler) getAccountInfo(ctx context.Context, sar authorizationv1.SubjectAccessReview) (*corev1alpha1.AccountInfo, error) {
 	log := logger.LoadLoggerFromContext(ctx)
 	info := &corev1alpha1.AccountInfo{}
+
 	clusterNameAttr, ok := sar.Spec.Extra["authorization.kubernetes.io/cluster-name"]
 	if !ok || len(clusterNameAttr) == 0 {
 		return nil, errors.New("no cluster name found in the request")
 	}
+
 	log.Debug().Str("cluster", clusterNameAttr[0]).Str("accountInfoName", a.accountInfoName).Msg("Looking for AccountInfo")
 
 	cluster, err := a.mgr.GetCluster(ctx, clusterNameAttr[0])
@@ -76,6 +84,7 @@ func (a *AuthorizationHandler) getAccountInfo(ctx context.Context, sar authoriza
 		log.Error().Msg("AccountInfo found but Store.Id is empty")
 		return nil, ErrNoStoreID
 	}
+
 	log.Debug().Str("storeId", info.Spec.FGA.Store.Id).Msg("Retrieved Store ID")
 
 	return info, nil
@@ -91,6 +100,7 @@ func (a *AuthorizationHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)
 		http.Error(w, err.Error(), http.StatusBadRequest)
 		return
 	}
+
 	err = r.Body.Close()
 	if err != nil {
 		log.Error().Err(err).Msg("unable to close the request body")
@@ -128,28 +138,14 @@ func (a *AuthorizationHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)
 
 	log.Debug().Str("sar", fmt.Sprintf("%+v", sar)).Msg("Received SubjectAccessReview")
 
-	// For resource attributes, we need to get the store ID
-	accountInfo, err := a.getAccountInfo(r.Context(), sar)
-	if err != nil {
-		log.Error().Err(err).Str("user", sar.Spec.User).Msg("error getting store ID from account info, responding with no opinion")
-		noOpinion(w, sar)
-		return
-	}
-
-	group := util.CapGroupToRelationLength(sar, 50)
-	group = strings.ReplaceAll(group, ".", "_")
-	relation := sar.Spec.ResourceAttributes.Verb
-
 	var clusterName string
 	if sar.Spec.Extra != nil {
 		if clusterNames, exists := sar.Spec.Extra["authorization.kubernetes.io/cluster-name"]; exists && len(clusterNames) > 0 {
 			clusterName = clusterNames[0]
 		}
 	}
-	log = log.ChildLogger("clusterName", clusterName)
 
-	var namespaced bool
-	var gvk schema.GroupVersionKind
+	log = log.ChildLogger("clusterName", clusterName)
 
 	restMapper, ok := a.mps.GetMapper(logicalcluster.Name(clusterName))
 	if !ok {
@@ -158,6 +154,46 @@ func (a *AuthorizationHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)
 		return
 	}
 
+	group := util.CapGroupToRelationLength(sar, 50)
+	group = strings.ReplaceAll(group, ".", "_")
+	relation := sar.Spec.ResourceAttributes.Verb
+
+	user := fmt.Sprintf("user:%s", sar.Spec.User)
+
+	// request to orgs workspace
+	if a.orgWorkspaceID == clusterName {
+		relation = fmt.Sprintf("%s_%s_%s", sar.Spec.ResourceAttributes.Verb, group, sar.Spec.ResourceAttributes.Resource)
+		object := rootOrgName
+
+		allowed, err := a.checkPermissions(r.Context(), object, relation, user, a.orgStoreID, nil)
+		if err != nil {
+			log.Error().Err(err).Str("storeId", a.orgStoreID).Str("object", object).Str("relation", relation).Str("user", user).Msg("unable to call upstream openfga")
+			noOpinion(w, sar)
+			return
+		}
+
+		log.Info().Str("allowed", fmt.Sprintf("%t", allowed)).Str("user", user).Str("object", object).Str("relation", relation).Msg("sar response")
+
+		if !allowed {
+			noOpinion(w, sar)
+			return
+		}
+
+		writeResponse(w, sar, allowed)
+		return
+	}
+
+	// For resource attributes, we need to get the store ID
+	accountInfo, err := a.getAccountInfo(r.Context(), sar)
+	if err != nil {
+		log.Error().Err(err).Str("user", sar.Spec.User).Msg("error getting store ID from account info")
+		noOpinion(w, sar)
+		return
+	}
+
+	var namespaced bool
+	var gvk schema.GroupVersionKind
+
 	gvr := schema.GroupVersionResource{
 		Group:    sar.Spec.ResourceAttributes.Group,
 		Resource: sar.Spec.ResourceAttributes.Resource,
@@ -240,46 +276,64 @@ func (a *AuthorizationHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)
 		return
 	}
 
+	allowed, err := a.checkPermissions(r.Context(), object, relation, user, accountInfo.Spec.FGA.Store.Id, contextualTuples)
+	if err != nil {
+		log.Error().Err(err).Str("storeId", a.orgStoreID).Str("object", object).Str("relation", relation).Str("user", user).Msg("unable to call upstream openfga")
+		noOpinion(w, sar)
+		return
+	}
+	log.Info().Str("allowed", fmt.Sprintf("%t", allowed)).Str("user", user).Str("object", object).Str("relation", relation).Msg("sar response")
+
+	if !allowed {
+		noOpinion(w, sar)
+		return
+	}
+
+	writeResponse(w, sar, allowed)
+}
+
+func (a *AuthorizationHandler) checkPermissions(ctx context.Context, object, relation, user, storeID string, contextualTuples []*openfgav1.TupleKey) (bool, error) {
 	preReq := time.Now()
-	res, err := a.fga.Check(r.Context(), &openfgav1.CheckRequest{
-		StoreId: accountInfo.Spec.FGA.Store.Id,
+
+	checkReq := &openfgav1.CheckRequest{
+		StoreId: storeID,
 		TupleKey: &openfgav1.CheckRequestTupleKey{
 			Object:   object,
 			Relation: relation,
-			User:     fmt.Sprintf("user:%s", sar.Spec.User),
+			User:     user,
 		},
-		ContextualTuples: &openfgav1.ContextualTupleKeys{
+	}
+
+	if contextualTuples != nil {
+		checkReq.ContextualTuples = &openfgav1.ContextualTupleKeys{
 			TupleKeys: contextualTuples,
-		},
-	})
+		}
+	}
 
+	res, err := a.fga.Check(ctx, checkReq)
 	openfgaLatency.Observe(time.Since(preReq).Seconds())
 	if err != nil {
-		log.Error().Err(err).Str("storeId", accountInfo.Spec.FGA.Store.Id).Str("object", object).Str("relation", relation).Str("user", sar.Spec.User).Msg("unable to call upstream openfga")
-		noOpinion(w, sar)
-		return
-	}
-	log.Info().Str("allowed", fmt.Sprintf("%t", res.Allowed)).Str("user", sar.Spec.User).Str("object", object).Str("relation", relation).Msg("sar response")
-	if !res.Allowed {
-		noOpinion(w, sar)
-		return
+		return false, err
 	}
+	return res.Allowed, nil
+}
 
+func noOpinion(w http.ResponseWriter, sar authorizationv1.SubjectAccessReview) {
 	sar.Status = authorizationv1.SubjectAccessReviewStatus{
-		Allowed: res.Allowed,
-		Denied:  !res.Allowed,
+		Allowed: false,
+		Reason:  "NoOpinion",
 	}
-
 	if err := json.NewEncoder(w).Encode(&sar); err != nil {
 		http.Error(w, err.Error(), http.StatusInternalServerError)
 	}
 }
 
-func noOpinion(w http.ResponseWriter, sar authorizationv1.SubjectAccessReview) {
+func writeResponse(w http.ResponseWriter, sar authorizationv1.SubjectAccessReview, allowed bool) {
 	sar.Status = authorizationv1.SubjectAccessReviewStatus{
-		Allowed: false,
-		Reason:  "NoOpinion",
+		Allowed: allowed,
+		Denied:  !allowed,
 	}
+
 	if err := json.NewEncoder(w).Encode(&sar); err != nil {
 		http.Error(w, err.Error(), http.StatusInternalServerError)
 	}
diff --git a/pkg/handler/handler_test.go b/pkg/handler/handler_test.go
