ARO-RP/pkg/util/platformworkloadidentity/platformworkloadidentityrol...

package platformworkloadidentity

// Copyright (c) Microsoft Corporation.
// Licensed under the Apache License 2.0.

import (
	"context"
	"fmt"
	"net/http"

	"github.com/Azure/ARO-RP/pkg/api"
	"github.com/Azure/ARO-RP/pkg/database"
	"github.com/Azure/ARO-RP/pkg/util/version"
)

// PlatformWorkloadIdentityRolesByVersion is the interface that validates and obtains the version from an PlatformWorkloadIdentityRoleSetDocument.
type PlatformWorkloadIdentityRolesByVersion interface {
	GetPlatformWorkloadIdentityRolesByRoleName() map[string]api.PlatformWorkloadIdentityRole
	PopulatePlatformWorkloadIdentityRolesByVersion(ctx context.Context, oc *api.OpenShiftCluster, dbPlatformWorkloadIdentityRoleSets database.PlatformWorkloadIdentityRoleSets) error
}

// platformWorkloadIdentityRolesByVersionService is the default implementation of the PlatformWorkloadIdentityRolesByVersion interface.
type PlatformWorkloadIdentityRolesByVersionService struct {
	platformWorkloadIdentityRoles []api.PlatformWorkloadIdentityRole
}

var _ PlatformWorkloadIdentityRolesByVersion = &PlatformWorkloadIdentityRolesByVersionService{}

func NewPlatformWorkloadIdentityRolesByVersionService() *PlatformWorkloadIdentityRolesByVersionService {
	return &PlatformWorkloadIdentityRolesByVersionService{
		platformWorkloadIdentityRoles: []api.PlatformWorkloadIdentityRole{},
	}
}

// PopulatePlatformWorkloadIdentityRolesByVersion aims to populate platformWorkloadIdentityRoles for current OpenShift minor version and also for UpgradeableTo minor version if provided and is greater than the current version
func (service *PlatformWorkloadIdentityRolesByVersionService) PopulatePlatformWorkloadIdentityRolesByVersion(ctx context.Context, oc *api.OpenShiftCluster, dbPlatformWorkloadIdentityRoleSets database.PlatformWorkloadIdentityRoleSets) error {
	if !oc.UsesWorkloadIdentity() {
		return fmt.Errorf("PopulatePlatformWorkloadIdentityRolesByVersion called for a Cluster Service Principal cluster")
	}
	currentOpenShiftVersion, err := version.ParseVersion(oc.Properties.ClusterProfile.Version)
	if err != nil {
		return err
	}
	currentMinorVersion := currentOpenShiftVersion.MinorVersion()
	requiredMinorVersions := map[string]bool{currentMinorVersion: false}

	docs, err := dbPlatformWorkloadIdentityRoleSets.ListAll(ctx)
	if err != nil {
		return err
	}

	if oc.Properties.PlatformWorkloadIdentityProfile.UpgradeableTo != nil {
		upgradeableVersion, err := version.ParseVersion(string(*oc.Properties.PlatformWorkloadIdentityProfile.UpgradeableTo))
		if err != nil {
			return err
		}
		upgradeableMinorVersion := upgradeableVersion.MinorVersion()
		if currentMinorVersion != upgradeableMinorVersion && currentOpenShiftVersion.Lt(upgradeableVersion) {
			requiredMinorVersions[upgradeableMinorVersion] = false
		}
	}

	for _, doc := range docs.PlatformWorkloadIdentityRoleSetDocuments {
		for version := range requiredMinorVersions {
			if version == doc.PlatformWorkloadIdentityRoleSet.Properties.OpenShiftVersion {
				service.platformWorkloadIdentityRoles = append(service.platformWorkloadIdentityRoles, doc.PlatformWorkloadIdentityRoleSet.Properties.PlatformWorkloadIdentityRoles...)
				requiredMinorVersions[version] = true
			}
		}
	}

	for version, exists := range requiredMinorVersions {
		if !exists {
			return api.NewCloudError(http.StatusBadRequest, api.CloudErrorCodeInvalidParameter, "", "No PlatformWorkloadIdentityRoleSet found for the requested or upgradeable OpenShift minor version '%s'. Please retry with different OpenShift version, and if the issue persists, raise an Azure support ticket", version)
		}
	}

	return nil
}

func (service *PlatformWorkloadIdentityRolesByVersionService) GetPlatformWorkloadIdentityRolesByRoleName() map[string]api.PlatformWorkloadIdentityRole {
	platformWorkloadIdentityRolesByRoleName := map[string]api.PlatformWorkloadIdentityRole{}
	for _, role := range service.platformWorkloadIdentityRoles {
		platformWorkloadIdentityRolesByRoleName[role.OperatorName] = role
	}
	return platformWorkloadIdentityRolesByRoleName
}
Dynamic validation for workload identity permissions and requirements (#3619) * ARO-4376 Track2 authorization api addition for roledefinitions * ARO-4376 add a stringutil funcs * ARO-4376 use dbPlatformWorkloadIdentityRoleSets to get platform identity roles for cluster version * ARO-4376 add dynamic validation for platformworkloadidentityprofile * ARO-4376 resolve initial comments * ARO-4376 refactor error messages and checkaccess action crosscheck * ARO-4376 Add unit tests and comments resolution * ARO-4376 add validation for upgradeableTo * ARO-4376 Comment resoultion and additional unit tests * ARO-4376 minor version comparison handling * ARO-4376 update permission error messaging handling for MIWI * ARO-4376 update constructors to return non-interface type * ARO-4376 add unit tests for GroupsIntersect * ARO-4376 update generate files to support bingo 2024-09-10 23:32:25 +03:00			`package platformworkloadidentity`

			`// Copyright (c) Microsoft Corporation.`
			`// Licensed under the Apache License 2.0.`

			`import (`
			`"context"`
			`"fmt"`
			`"net/http"`

			`"github.com/Azure/ARO-RP/pkg/api"`
			`"github.com/Azure/ARO-RP/pkg/database"`
			`"github.com/Azure/ARO-RP/pkg/util/version"`
			`)`

			`// PlatformWorkloadIdentityRolesByVersion is the interface that validates and obtains the version from an PlatformWorkloadIdentityRoleSetDocument.`
			`type PlatformWorkloadIdentityRolesByVersion interface {`
			`GetPlatformWorkloadIdentityRolesByRoleName() map[string]api.PlatformWorkloadIdentityRole`
			`PopulatePlatformWorkloadIdentityRolesByVersion(ctx context.Context, oc *api.OpenShiftCluster, dbPlatformWorkloadIdentityRoleSets database.PlatformWorkloadIdentityRoleSets) error`
			`}`

			`// platformWorkloadIdentityRolesByVersionService is the default implementation of the PlatformWorkloadIdentityRolesByVersion interface.`
			`type PlatformWorkloadIdentityRolesByVersionService struct {`
			`platformWorkloadIdentityRoles []api.PlatformWorkloadIdentityRole`
			`}`

			`var _ PlatformWorkloadIdentityRolesByVersion = &PlatformWorkloadIdentityRolesByVersionService{}`

			`func NewPlatformWorkloadIdentityRolesByVersionService() *PlatformWorkloadIdentityRolesByVersionService {`
			`return &PlatformWorkloadIdentityRolesByVersionService{`
			`platformWorkloadIdentityRoles: []api.PlatformWorkloadIdentityRole{},`
			`}`
			`}`

			`// PopulatePlatformWorkloadIdentityRolesByVersion aims to populate platformWorkloadIdentityRoles for current OpenShift minor version and also for UpgradeableTo minor version if provided and is greater than the current version`
			`func (service PlatformWorkloadIdentityRolesByVersionService) PopulatePlatformWorkloadIdentityRolesByVersion(ctx context.Context, oc api.OpenShiftCluster, dbPlatformWorkloadIdentityRoleSets database.PlatformWorkloadIdentityRoleSets) error {`
			`if !oc.UsesWorkloadIdentity() {`
Migrate Storage sdk to Track2 for allowing Managed Identity Cluster feature to disable shared access keys (#3878) * ARO-9711 assign cluster storage blob contributor to fpsp/wimi * ARO-9711 migrate armstorage sdk to track2 * ARO-9711-use-non-account-key-auth-for-blobs-miwi-only * ARO-9711 update mock import to uber mocks * ARO-9711 fix e2e error for blob access * ARO-9711 resolve PR comments * ARO-9711 update Blob Client naming and comments * ARO-9711 resolved comments and removed repeated blobClient * ARO-9711 add clientOptions to blobManager constructor 2024-10-22 22:54:06 +03:00			`return fmt.Errorf("PopulatePlatformWorkloadIdentityRolesByVersion called for a Cluster Service Principal cluster")`
Dynamic validation for workload identity permissions and requirements (#3619) * ARO-4376 Track2 authorization api addition for roledefinitions * ARO-4376 add a stringutil funcs * ARO-4376 use dbPlatformWorkloadIdentityRoleSets to get platform identity roles for cluster version * ARO-4376 add dynamic validation for platformworkloadidentityprofile * ARO-4376 resolve initial comments * ARO-4376 refactor error messages and checkaccess action crosscheck * ARO-4376 Add unit tests and comments resolution * ARO-4376 add validation for upgradeableTo * ARO-4376 Comment resoultion and additional unit tests * ARO-4376 minor version comparison handling * ARO-4376 update permission error messaging handling for MIWI * ARO-4376 update constructors to return non-interface type * ARO-4376 add unit tests for GroupsIntersect * ARO-4376 update generate files to support bingo 2024-09-10 23:32:25 +03:00			`}`
			`currentOpenShiftVersion, err := version.ParseVersion(oc.Properties.ClusterProfile.Version)`
			`if err != nil {`
			`return err`
			`}`
			`currentMinorVersion := currentOpenShiftVersion.MinorVersion()`
			`requiredMinorVersions := map[string]bool{currentMinorVersion: false}`

			`docs, err := dbPlatformWorkloadIdentityRoleSets.ListAll(ctx)`
			`if err != nil {`
			`return err`
			`}`

			`if oc.Properties.PlatformWorkloadIdentityProfile.UpgradeableTo != nil {`
			`upgradeableVersion, err := version.ParseVersion(string(*oc.Properties.PlatformWorkloadIdentityProfile.UpgradeableTo))`
			`if err != nil {`
			`return err`
			`}`
			`upgradeableMinorVersion := upgradeableVersion.MinorVersion()`
			`if currentMinorVersion != upgradeableMinorVersion && currentOpenShiftVersion.Lt(upgradeableVersion) {`
			`requiredMinorVersions[upgradeableMinorVersion] = false`
			`}`
			`}`

			`for _, doc := range docs.PlatformWorkloadIdentityRoleSetDocuments {`
			`for version := range requiredMinorVersions {`
			`if version == doc.PlatformWorkloadIdentityRoleSet.Properties.OpenShiftVersion {`
			`service.platformWorkloadIdentityRoles = append(service.platformWorkloadIdentityRoles, doc.PlatformWorkloadIdentityRoleSet.Properties.PlatformWorkloadIdentityRoles...)`
			`requiredMinorVersions[version] = true`
			`}`
			`}`
			`}`

			`for version, exists := range requiredMinorVersions {`
			`if !exists {`
			`return api.NewCloudError(http.StatusBadRequest, api.CloudErrorCodeInvalidParameter, "", "No PlatformWorkloadIdentityRoleSet found for the requested or upgradeable OpenShift minor version '%s'. Please retry with different OpenShift version, and if the issue persists, raise an Azure support ticket", version)`
			`}`
			`}`

			`return nil`
			`}`

			`func (service *PlatformWorkloadIdentityRolesByVersionService) GetPlatformWorkloadIdentityRolesByRoleName() map[string]api.PlatformWorkloadIdentityRole {`
			`platformWorkloadIdentityRolesByRoleName := map[string]api.PlatformWorkloadIdentityRole{}`
			`for _, role := range service.platformWorkloadIdentityRoles {`
			`platformWorkloadIdentityRolesByRoleName[role.OperatorName] = role`
			`}`
			`return platformWorkloadIdentityRolesByRoleName`
			`}`