Creating project into sandbox has user limitation #3336

Fixes: #3336

Signed-off-by: Victor Rubezhny <[email protected]>

Author: vrubezhny

package.json

@@ -1521,7 +1521,7 @@
 				},
 				{
 					"command": "openshift.project.create",
-					"when": "view == openshiftProjectExplorer && viewItem == openshift.k8sContext",
+					"when": "view == openshiftProjectExplorer && viewItem == openshift.k8sContext && canCreateNamespace",
 					"group": "c1"
 				},
 				{
@@ -1667,7 +1667,7 @@
 				},
 				{
 					"command": "openshift.project.set",
-					"when": "view == openshiftProjectExplorer && viewItem == openshift.k8sContext || viewItem == openshift.project",
+					"when": "view == openshiftProjectExplorer && (viewItem == openshift.k8sContext || viewItem == openshift.project) && canCreateNamespace",
 					"group": "inline"
 				},
 				{

src/explorer.ts

@@ -179,6 +179,8 @@ export class OpenShiftExplorer implements TreeDataProvider<ExplorerItem>, Dispos
                 result = [this.kubeContext];
                 if (this.kubeContext) {
                     const config = getKubeConfigFiles();
+                    const canCreateNamespace = await Oc.Instance.canCreateNamespace();
+                    void commands.executeCommand('setContext', 'canCreateNamespace', canCreateNamespace);
                     result.unshift({label: process.env.KUBECONFIG ? 'Custom KubeConfig' : 'Default KubeConfig', description: config.join(':')})
                 }
             } catch (err) {

src/oc/ocWrapper.ts

@@ -175,6 +175,25 @@ export class Oc {
         return false;
     }
 
+    /**
+     * Returns true if the current user is authorized to create a namespace on the cluster, and false otherwise.
+     *
+     * @returns true if the current user is authorized to create namespace on the cluster, and false otherwise
+     */
+    public async canCreateNamespace(): Promise<boolean> {
+        try {
+            const result = await CliChannel.getInstance().executeTool(
+                new CommandText('oc', 'auth can-i create projectrequests'),
+            );
+            if (result.stdout === 'yes') {
+                return true;
+            }
+        } catch {
+            //ignore
+        }
+        return false;
+    }
+
     /**
      * Deletes all deployments in the current namespace that have a label "component" with a value `componentName`.
      *

test/integration/ocWrapper.test.ts

@@ -63,6 +63,19 @@ suite('./oc/ocWrapper.ts', function () {
         }
     });
 
+    test('canCreateNamespace()', async function () {
+        const canCreateNamespace1 = await Oc.Instance.canCreateNamespace();
+        expect(canCreateNamespace1).to.exist;
+        expect(canCreateNamespace1).to.equal(true);
+        if (isOpenShift) {
+            await Oc.Instance.logout();
+            const canCreateNamespace2 = await Oc.Instance.canCreateNamespace();
+            expect(canCreateNamespace2).to.exist;
+            expect(canCreateNamespace2).to.equal(false);
+            await Oc.Instance.loginWithUsernamePassword(clusterUrl, username, password);
+        }
+    });
+
     suite('create, list, and delete kubernetes objects', function () {
         const serviceName = 'my-test-service';
         const projectName = 'my-test-service-project2';