chore: cleanup for checkPermission.ts and fixes error in /access endpoint

Author: PreetiW

workspaces/redhat-resource-optimization/plugins/redhat-resource-optimization-backend/src/routes/access.ts

@@ -23,9 +23,6 @@ import {
 import { rosPluginPermissions } from '@red-hat-developer-hub/plugin-redhat-resource-optimization-common/permissions';
 import { getTokenFromApi } from '../util/tokenUtil';
 import { AuthorizeResult } from '@backstage/plugin-permission-common';
-import { deepMapKeys } from '@red-hat-developer-hub/plugin-redhat-resource-optimization-common/json-utils';
-import camelCase from 'lodash/camelCase';
-import { RecommendationList } from '@red-hat-developer-hub/plugin-redhat-resource-optimization-common';
 
 export const getAccess: (options: RouterOptions) => RequestHandler =
   options => async (_, response) => {
@@ -72,39 +69,51 @@ export const getAccess: (options: RouterOptions) => RequestHandler =
       clusterDataMap = clusterMapDataFromCache;
       allProjects = projectDataFromCache;
     } else {
-      // token
-      const token = await getTokenFromApi(options);
-
-      // hit /recommendation API endpoint
-      const optimizationResponse = await optimizationApi.getRecommendationList(
-        {
-          query: {
-            limit: -1,
-            orderHow: 'desc',
-            orderBy: 'last_reported',
-          },
-        },
-        { token },
-      );
-
-      if (optimizationResponse.ok) {
-        const data = await optimizationResponse.json();
-        const camelCaseTransformedResponse = deepMapKeys(
-          data,
-          camelCase as (value: string | number) => string,
-        ) as RecommendationList;
+      try {
+        // token
+        const token = await getTokenFromApi(options);
+
+        // hit /recommendation API endpoint
+        const optimizationResponse =
+          await optimizationApi.getRecommendationList(
+            {
+              query: {
+                limit: -1,
+                orderHow: 'desc',
+                orderBy: 'last_reported',
+              },
+            },
+            { token },
+          );
+
+        // OptimizationsClient already transforms to camelCase when token is provided
+        const recommendationList = await optimizationResponse.json();
+
+        // Check if response contains errors
+        if ((recommendationList as any).errors) {
+          logger.error(
+            'API returned errors:',
+            (recommendationList as any).errors,
+          );
+          return response.status(500).json({
+            decision: AuthorizeResult.DENY,
+            error: 'API returned errors',
+            authorizeClusterIds: [],
+            authorizeProjects: [],
+          });
+        }
 
         // retrive cluster data from the API result
-        if (camelCaseTransformedResponse.data) {
-          camelCaseTransformedResponse.data.map(recommendation => {
+        if (recommendationList.data) {
+          recommendationList.data.map(recommendation => {
             if (recommendation.clusterAlias && recommendation.clusterUuid)
               clusterDataMap[recommendation.clusterAlias] =
                 recommendation.clusterUuid;
           });
 
           allProjects = [
             ...new Set(
-              camelCaseTransformedResponse.data.map(
+              recommendationList.data.map(
                 recommendation => recommendation.project,
               ),
             ),
@@ -118,19 +127,16 @@ export const getAccess: (options: RouterOptions) => RequestHandler =
             ttl: 15 * 60 * 1000,
           });
         }
-      } else {
-        const errorText = await optimizationResponse
-          .text()
-          .catch(() => 'No error details');
-        logger.error(
-          `Failed to fetch recommendations: ${optimizationResponse.status} ${optimizationResponse.statusText}`,
-          { errorDetails: errorText },
-        );
-        throw new Error(
-          `Failed to fetch recommendations: ${optimizationResponse.status} ${
-            optimizationResponse.statusText || 'Unknown error'
-          }`,
-        );
+      } catch (error) {
+        logger.error('Error fetching recommendations', error);
+
+        // Return unauthorized response on any error
+        return response.status(500).json({
+          decision: AuthorizeResult.DENY,
+          error: 'Failed to fetch cluster data',
+          authorizeClusterIds: [],
+          authorizeProjects: [],
+        });
       }
     }
 

workspaces/redhat-resource-optimization/plugins/redhat-resource-optimization-backend/src/routes/costManagementAccess.ts

@@ -123,8 +123,15 @@ export const getCostManagementAccess: (
         }),
       ]);
     } catch (error) {
-      logger.error(`Failed to fetch data from Cost Management API`, error);
-      throw error;
+      logger.error('Error fetching cost management data', error);
+
+      // Return unauthorized response on any error
+      return response.status(500).json({
+        decision: AuthorizeResult.DENY,
+        error: 'Failed to fetch cluster data',
+        authorizedClusterNames: [],
+        authorizeProjects: [],
+      });
     }
   }
 

workspaces/redhat-resource-optimization/plugins/redhat-resource-optimization-backend/src/service/optimizationsService.ts

@@ -21,7 +21,7 @@ import {
 } from '@backstage/backend-plugin-api';
 import type { OptimizationsApi } from '@red-hat-developer-hub/plugin-redhat-resource-optimization-common/clients';
 import { OptimizationsClient } from '@red-hat-developer-hub/plugin-redhat-resource-optimization-common/clients';
-import { DEFAULT_API_BASE_URL } from '../util/constant';
+import { DEFAULT_COST_MANAGEMENT_PROXY_BASE_URL } from '../util/constant';
 
 export const optimizationServiceRef = createServiceRef<OptimizationsApi>({
   id: 'optimization-client',
@@ -32,9 +32,10 @@ export const optimizationServiceRef = createServiceRef<OptimizationsApi>({
         configApi: coreServices.rootConfig,
       },
       async factory({ configApi }): Promise<OptimizationsApi> {
+        // Base URL without /cost-management/v1 since OptimizationsClient appends it
         const baseUrl =
           configApi.getOptionalString('optimizationsBaseUrl') ??
-          DEFAULT_API_BASE_URL;
+          DEFAULT_COST_MANAGEMENT_PROXY_BASE_URL;
 
         return new OptimizationsClient({
           discoveryApi: {

workspaces/redhat-resource-optimization/plugins/redhat-resource-optimization-backend/src/util/checkPermissions.ts

@@ -82,134 +82,6 @@ export const authorize = async (
   );
 };
 
-/**
- * Filters cluster IDs based on cluster-specific permissions.
- * @param request - The HTTP request
- * @param permissionsSvc - The permissions service
- * @param httpAuth - The HTTP auth service
- * @param clusterDataMap - Map of clusterName → clusterId
- * @param permissionType - 'ros' for ros.{clusterName} or 'cost' for cost.{clusterName} (defaults to 'ros')
- * @returns Array of authorized cluster IDs
- */
-export const filterAuthorizedClusterIds = async (
-  request: HttpRequest,
-  permissionsSvc: PermissionsService,
-  httpAuth: HttpAuthService,
-  clusterDataMap: Record<string, string>,
-  permissionType: ClusterPermissionType = 'ros',
-): Promise<string[]> => {
-  const credentials = await httpAuth.credentials(request);
-  const allClusterNames: string[] = Object.keys(clusterDataMap);
-
-  // Select the appropriate permission function based on type
-  const getClusterPermission =
-    permissionType === 'cost'
-      ? costClusterSpecificPermission
-      : rosClusterSpecificPermission;
-
-  const specificClusterRequests: AuthorizePermissionRequest[] =
-    allClusterNames.map(clusterName => ({
-      permission: getClusterPermission(clusterName),
-    }));
-
-  const decisions = await permissionsSvc.authorize(specificClusterRequests, {
-    credentials,
-  });
-
-  const authorizeClusterNames = allClusterNames.filter(
-    (_, idx) => decisions[idx].result === AuthorizeResult.ALLOW,
-  );
-
-  const authorizedClusterIds = authorizeClusterNames.map(
-    clusterName => clusterDataMap[clusterName],
-  );
-
-  return permissionType === 'cost'
-    ? authorizeClusterNames
-    : authorizedClusterIds;
-};
-
-/**
- * Filters cluster-project combinations based on cluster+project-specific permissions.
- * @param request - The HTTP request
- * @param permissionsSvc - The permissions service
- * @param httpAuth - The HTTP auth service
- * @param clusterDataMap - Map of clusterName → clusterId
- * @param allProjects - Array of all project names
- * @param permissionType - 'ros' for ros.{clusterName}.{projectName} or 'cost' for cost.{clusterName}.{projectName} (defaults to 'ros')
- * @returns Array of authorized cluster-project combinations
- */
-export const filterAuthorizedClusterProjectIds = async (
-  request: HttpRequest,
-  permissionsSvc: PermissionsService,
-  httpAuth: HttpAuthService,
-  clusterDataMap: Record<string, string>,
-  allProjects: string[],
-  permissionType: ClusterPermissionType = 'ros',
-): Promise<ClusterProjectResult[]> => {
-  const credentials = await httpAuth.credentials(request);
-  const allClusterNames: string[] = Object.keys(clusterDataMap);
-  const allClusterIds: string[] = Object.values(clusterDataMap);
-
-  // Pre-calculate total combinations for better performance
-  const totalCombinations = allClusterNames.length * allProjects.length;
-
-  // Early exit if no combinations to check
-  if (totalCombinations === 0) {
-    return [];
-  }
-
-  // Select the appropriate permission function based on type
-  const getClusterProjectPermission =
-    permissionType === 'cost'
-      ? costClusterProjectPermission
-      : rosClusterProjectPermission;
-
-  // Pre-allocate arrays with known size for better memory performance
-  const specificClusterProjectRequests: AuthorizePermissionRequest[] =
-    new Array(totalCombinations);
-  const clusterProjectMap: ClusterProjectResult[] = new Array(
-    totalCombinations,
-  );
-
-  // Build permission requests and mapping in a single pass
-  let idx = 0;
-  for (let i = 0; i < allClusterNames.length; i++) {
-    const clusterName = allClusterNames[i];
-    const clusterId = allClusterIds[i];
-
-    for (let j = 0; j < allProjects.length; j++) {
-      const projectName = allProjects[j];
-
-      specificClusterProjectRequests[idx] = {
-        permission: getClusterProjectPermission(clusterName, projectName),
-      };
-
-      clusterProjectMap[idx] = {
-        cluster: clusterId,
-        project: projectName,
-      };
-
-      idx++;
-    }
-  }
-
-  // Batch authorize all permissions in a single call
-  const decisions = await permissionsSvc.authorize(
-    specificClusterProjectRequests,
-    {
-      credentials,
-    },
-  );
-
-  // Filter authorized combinations
-  const finalResult = clusterProjectMap.filter(
-    (_, index) => decisions[index].result === AuthorizeResult.ALLOW,
-  );
-
-  return finalResult;
-};
-
 /**
  * Combines cluster-only and cluster-project permission checks into a single optimized flow.
  * Uses permission hierarchy where project-level access also grants cluster access.

workspaces/redhat-resource-optimization/plugins/redhat-resource-optimization-backend/src/util/constant.ts

@@ -15,8 +15,6 @@
  */
 
 export const DEFAULT_SSO_BASE_URL = 'https://sso.redhat.com';
-export const DEFAULT_API_BASE_URL =
-  'https://console.redhat.com/api/cost-management/v1';
 
 // Base URL without the /cost-management/v1 path since the client appends it
 export const DEFAULT_COST_MANAGEMENT_PROXY_BASE_URL =

workspaces/redhat-resource-optimization/plugins/redhat-resource-optimization-common/src/clients/optimizations/OptimizationsClient.ts

@@ -118,12 +118,34 @@ export class OptimizationsClient implements OptimizationsApi {
 
   public async getRecommendationList(
     request: GetRecommendationListRequest,
+    options?: RequestOptions,
   ): Promise<TypedResponse<RecommendationList>> {
     const snakeCaseTransformedRequest = deepMapKeys(
       request,
       snakeCase as (value: string | number) => string,
     ) as GetRecommendationListRequest;
 
+    // If token is provided in options (backend use case), skip access check
+    if (options?.token) {
+      const response = await this.defaultClient.getRecommendationList(
+        snakeCaseTransformedRequest,
+        options,
+      );
+
+      return {
+        ...response,
+        json: async () => {
+          const data = await response.json();
+          const camelCaseTransformedResponse = deepMapKeys(
+            data,
+            camelCase as (value: string | number) => string,
+          ) as RecommendationList;
+          return camelCaseTransformedResponse;
+        },
+      };
+    }
+
+    // Frontend use case - use fetchWithToken which includes access check
     const response = await this.fetchWithToken(
       this.defaultClient.getRecommendationList,
       snakeCaseTransformedRequest,