feat: adjusting role name convention to include objectType (#34)

nexus49 · web-flow · commit 9caea341932b · 2025-09-16T07:03:49.000Z
diff --git a/Taskfile.yml b/Taskfile.yml
@@ -3,12 +3,12 @@ version: '3'
 dotenv: ['.taskenv', '.secret/.env', '{{.HOME}}/.env' ]
 vars:
   LOCAL_BIN: bin
-  CONTROLLER_TOOLS_VERSION: v0.14.0
+  CONTROLLER_TOOLS_VERSION: v0.19.0
   ENVTEST_K8S_VERSION: "1.29.0"
   ENVTEST_VERSION: release-0.17
   CRD_DIRECTORY: config/crd
   TEST_SETUP_DIRECTORY: test/setup/01-platform-mesh-system
-  KCP_APIGEN_VERSION: v0.21.0
+  KCP_APIGEN_VERSION: v0.27.1
   KCP_VERSION: 0.27.1
   GOMPLATE_VERSION: v4.3.0
   GOARCH:
@@ -77,13 +77,6 @@ tasks:
       - task: envtest
         vars:
           ADDITIONAL_COMMAND_ARGS: -coverprofile=./cover.out -covermode=atomic -coverpkg=./...
-  helm-unittest:
-    cmds:
-      - helm unittest chart
-  validate:
-    cmds:
-      - task: lint
-      - task: test
   start-kcp:
     deps: [setup:kcp]
     cmds:
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/config/crd/core.platform-mesh.io_accountinfos.yaml b/config/crd/core.platform-mesh.io_accountinfos.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.19.0
   name: accountinfos.core.platform-mesh.io
 spec:
   group: core.platform-mesh.io
diff --git a/config/crd/core.platform-mesh.io_accounts.yaml b/config/crd/core.platform-mesh.io_accounts.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.14.0
+    controller-gen.kubebuilder.io/version: v0.19.0
   name: accounts.core.platform-mesh.io
 spec:
   group: core.platform-mesh.io
@@ -110,16 +110,8 @@ spec:
             properties:
               conditions:
                 items:
-                  description: "Condition contains details for one aspect of the current
-                    state of this API Resource.\n---\nThis struct is intended for
-                    direct use as an array at the field path .status.conditions.  For
-                    example,\n\n\n\ttype FooStatus struct{\n\t    // Represents the
-                    observations of a foo's current state.\n\t    // Known .status.conditions.type
-                    are: \"Available\", \"Progressing\", and \"Degraded\"\n\t    //
-                    +patchMergeKey=type\n\t    // +patchStrategy=merge\n\t    // +listType=map\n\t
-                    \   // +listMapKey=type\n\t    Conditions []metav1.Condition `json:\"conditions,omitempty\"
-                    patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
-                    \   // other fields\n\t}"
+                  description: Condition contains details for one aspect of the current
+                    state of this API Resource.
                   properties:
                     lastTransitionTime:
                       description: |-
@@ -160,12 +152,7 @@ spec:
                       - Unknown
                       type: string
                     type:
-                      description: |-
-                        type of condition in CamelCase or in foo.example.com/CamelCase.
-                        ---
-                        Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
-                        useful (see .node.status.conditions), the ability to deconflict is important.
-                        The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
                       maxLength: 316
                       pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                       type: string
diff --git a/config/resources/apiexport-core.platform-mesh.io.yaml b/config/resources/apiexport-core.platform-mesh.io.yaml
@@ -5,6 +5,17 @@ metadata:
   name: core.platform-mesh.io
 spec:
   latestResourceSchemas:
-  - v250715-5b899f6.accountinfos.core.platform-mesh.io
-  - v250715-5b899f6.accounts.core.platform-mesh.io
+    - v250715-5b899f6.accountinfos.core.platform-mesh.io
+    - v250915-1185c0b.accounts.core.platform-mesh.io
+  permissionClaims:
+    - resource: namespaces
+      all: true
+    - group: tenancy.kcp.io
+      identityHash: '{{ .data.apiExportRootTenancyKcpIoIdentityHash }}'
+      resource: workspaces
+      all: true
+    - group: tenancy.kcp.io
+      identityHash: '{{ .data.apiExportRootTenancyKcpIoIdentityHash }}'
+      resource: workspacetypes
+      all: true
 status: {}
diff --git a/config/resources/apiresourceschema-accounts.core.platform-mesh.io.yaml b/config/resources/apiresourceschema-accounts.core.platform-mesh.io.yaml
@@ -2,7 +2,7 @@ apiVersion: apis.kcp.io/v1alpha1
 kind: APIResourceSchema
 metadata:
   creationTimestamp: null
-  name: v250715-5b899f6.accounts.core.platform-mesh.io
+  name: v250915-1185c0b.accounts.core.platform-mesh.io
 spec:
   group: core.platform-mesh.io
   names:
@@ -106,16 +106,8 @@ spec:
           properties:
             conditions:
               items:
-                description: "Condition contains details for one aspect of the current
-                  state of this API Resource.\n---\nThis struct is intended for direct
-                  use as an array at the field path .status.conditions.  For example,\n\n\n\ttype
-                  FooStatus struct{\n\t    // Represents the observations of a foo's
-                  current state.\n\t    // Known .status.conditions.type are: \"Available\",
-                  \"Progressing\", and \"Degraded\"\n\t    // +patchMergeKey=type\n\t
-                  \   // +patchStrategy=merge\n\t    // +listType=map\n\t    // +listMapKey=type\n\t
-                  \   Conditions []metav1.Condition `json:\"conditions,omitempty\"
-                  patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
-                  \   // other fields\n\t}"
+                description: Condition contains details for one aspect of the current
+                  state of this API Resource.
                 properties:
                   lastTransitionTime:
                     description: |-
@@ -156,12 +148,7 @@ spec:
                     - Unknown
                     type: string
                   type:
-                    description: |-
-                      type of condition in CamelCase or in foo.example.com/CamelCase.
-                      ---
-                      Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
-                      useful (see .node.status.conditions), the ability to deconflict is important.
-                      The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+                    description: type of condition in CamelCase or in foo.example.com/CamelCase.
                     maxLength: 316
                     pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
                     type: string
diff --git a/internal/config/config.go b/internal/config/config.go
@@ -19,7 +19,7 @@ type OperatorConfig struct {
 			Enabled         bool   `mapstructure:"subroutines-fga-enabled" default:"true"`
 			RootNamespace   string `mapstructure:"subroutines-fga-root-namespace" default:"platform-mesh-root"`
 			GrpcAddr        string `mapstructure:"subroutines-fga-grpc-addr" default:"localhost:8081"`
-			ObjectType      string `mapstructure:"subroutines-fga-object-type" default:"account"`
+			ObjectType      string `mapstructure:"subroutines-fga-object-type" default:"core_platform-mesh_io_account"`
 			ParentRelation  string `mapstructure:"subroutines-fga-parent-relation" default:"parent"`
 			CreatorRelation string `mapstructure:"subroutines-fga-creator-relation" default:"owner"`
 		} `mapstructure:",squash"`
diff --git a/pkg/subroutines/fga.go b/pkg/subroutines/fga.go
@@ -94,9 +94,9 @@ func (e *FGASubroutine) Process(ctx context.Context, ro runtimeobject.RuntimeObj
 
 		// Determine parent account to create parent relation
 		writes = append(writes, &openfgav1.TupleKey{
-			Object:   fmt.Sprintf("%s:%s/%s", e.objectType, accountInfo.Spec.Account.OriginClusterId, account.GetName()),
-			Relation: e.parentRelation,
 			User:     fmt.Sprintf("%s:%s/%s", e.objectType, accountInfo.Spec.ParentAccount.OriginClusterId, parentAccountName),
+			Relation: e.parentRelation,
+			Object:   fmt.Sprintf("%s:%s/%s", e.objectType, accountInfo.Spec.Account.OriginClusterId, account.GetName()),
 		})
 	}
 
@@ -110,15 +110,15 @@ func (e *FGASubroutine) Process(ctx context.Context, ro runtimeobject.RuntimeObj
 		creator := formatUser(*account.Spec.Creator)
 
 		writes = append(writes, &openfgav1.TupleKey{
-			Object:   fmt.Sprintf("role:%s/%s/owner", accountInfo.Spec.Account.OriginClusterId, account.Name),
-			Relation: "assignee",
 			User:     fmt.Sprintf("user:%s", creator),
+			Relation: "assignee",
+			Object:   fmt.Sprintf("role:%s/%s/%s/owner", e.objectType, accountInfo.Spec.Account.OriginClusterId, account.Name),
 		})
 
 		writes = append(writes, &openfgav1.TupleKey{
-			Object:   fmt.Sprintf("%s:%s/%s", e.objectType, accountInfo.Spec.Account.OriginClusterId, account.Name),
+			User:     fmt.Sprintf("role:%s/%s/%s/owner#assignee", e.objectType, accountInfo.Spec.Account.OriginClusterId, account.Name),
 			Relation: e.creatorRelation,
-			User:     fmt.Sprintf("role:%s/%s/owner#assignee", accountInfo.Spec.Account.OriginClusterId, account.Name),
+			Object:   fmt.Sprintf("%s:%s/%s", e.objectType, accountInfo.Spec.Account.OriginClusterId, account.Name),
 		})
 	}
 
@@ -167,24 +167,24 @@ func (e *FGASubroutine) Finalize(ctx context.Context, runtimeObj runtimeobject.R
 			parentAccountName := accountInfo.Spec.Account.Name
 
 			deletes = append(deletes, &openfgav1.TupleKeyWithoutCondition{
-				User:     fmt.Sprintf("%s:%s/%s", e.objectType, accountInfo.Spec.Account.OriginClusterId, parentAccountName),
+				User:     fmt.Sprintf("%s:%s/%s", e.objectType, accountInfo.Spec.ParentAccount.OriginClusterId, parentAccountName),
 				Relation: e.parentRelation,
-				Object:   fmt.Sprintf("%s:%s/%s", e.objectType, accountInfo.Spec.Account.GeneratedClusterId, account.GetName()),
+				Object:   fmt.Sprintf("%s:%s/%s", e.objectType, accountInfo.Spec.Account.OriginClusterId, account.GetName()),
 			})
 		}
 
 		if account.Spec.Creator != nil {
 			creator := formatUser(*account.Spec.Creator)
 			deletes = append(deletes, &openfgav1.TupleKeyWithoutCondition{
-				Object:   fmt.Sprintf("role:%s/%s/owner", accountInfo.Spec.Account.GeneratedClusterId, account.Name),
-				Relation: "assignee",
 				User:     fmt.Sprintf("user:%s", creator),
+				Relation: "assignee",
+				Object:   fmt.Sprintf("role:%s/%s/%s/owner", e.objectType, accountInfo.Spec.Account.OriginClusterId, account.Name),
 			})
 
 			deletes = append(deletes, &openfgav1.TupleKeyWithoutCondition{
-				Object:   fmt.Sprintf("%s:%s/%s", e.objectType, accountInfo.Spec.Account.GeneratedClusterId, account.Name),
+				User:     fmt.Sprintf("role:%s/%s/%s/owner#assignee", e.objectType, accountInfo.Spec.Account.OriginClusterId, account.Name),
 				Relation: e.creatorRelation,
-				User:     fmt.Sprintf("role:%s/%s/owner#assignee", accountInfo.Spec.Account.GeneratedClusterId, account.Name),
+				Object:   fmt.Sprintf("%s:%s/%s", e.objectType, accountInfo.Spec.Account.OriginClusterId, account.Name),
 			})
 		}
 
diff --git a/pkg/subroutines/fga_test.go b/pkg/subroutines/fga_test.go
@@ -5,6 +5,7 @@ import (
 	"testing"
 
 	kcpcorev1alpha1 "github.com/kcp-dev/kcp/sdk/apis/core/v1alpha1"
+	pmconfig "github.com/platform-mesh/golang-commons/config"
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/kontext"
@@ -18,6 +19,7 @@ import (
 	"k8s.io/utils/ptr"
 
 	"github.com/platform-mesh/account-operator/api/v1alpha1"
+	"github.com/platform-mesh/account-operator/internal/config"
 	"github.com/platform-mesh/account-operator/pkg/subroutines"
 	"github.com/platform-mesh/account-operator/pkg/subroutines/mocks"
 )
@@ -51,7 +53,7 @@ func TestFGASubroutine_Finalizers(t *testing.T) {
 
 func TestFGASubroutine_Process(t *testing.T) {
 	creator := "test-creator"
-
+	defaultContext := pmconfig.SetConfigInContext(context.Background(), config.OperatorConfig{})
 	testCases := []struct {
 		name          string
 		expectedError bool
@@ -62,7 +64,7 @@ func TestFGASubroutine_Process(t *testing.T) {
 	}{
 		{
 			name:          "should_fail_if_no_cluster_in_context",
-			ctx:           context.Background(),
+			ctx:           defaultContext,
 			expectedPanic: true,
 			account: &v1alpha1.Account{
 				Spec: v1alpha1.AccountSpec{
@@ -80,7 +82,7 @@ func TestFGASubroutine_Process(t *testing.T) {
 		},
 		{
 			name: "should_skip_processing_if_subroutine_ran_before",
-			ctx:  kontext.WithCluster(context.Background(), "some-cluster"),
+			ctx:  kontext.WithCluster(defaultContext, "some-cluster"),
 			account: &v1alpha1.Account{
 				Spec: v1alpha1.AccountSpec{
 					Type: v1alpha1.AccountTypeOrg,
@@ -129,7 +131,7 @@ func TestFGASubroutine_Process(t *testing.T) {
 		},
 		{
 			name:          "should_fail_if_get_store_id_fails",
-			ctx:           kontext.WithCluster(context.Background(), "some-cluster"),
+			ctx:           kontext.WithCluster(defaultContext, "some-cluster"),
 			expectedError: true,
 			account: &v1alpha1.Account{
 				ObjectMeta: metav1.ObjectMeta{
@@ -168,7 +170,7 @@ func TestFGASubroutine_Process(t *testing.T) {
 		},
 		{
 			name:          "should_fail_if_get_parent_account_fails",
-			ctx:           kontext.WithCluster(context.Background(), "some-cluster"),
+			ctx:           kontext.WithCluster(defaultContext, "some-cluster"),
 			expectedError: true,
 			account: &v1alpha1.Account{
 				ObjectMeta: metav1.ObjectMeta{
@@ -183,7 +185,7 @@ func TestFGASubroutine_Process(t *testing.T) {
 		},
 		{
 			name:          "should_fail_if_write_fails",
-			ctx:           kontext.WithCluster(context.Background(), "some-cluster"),
+			ctx:           kontext.WithCluster(defaultContext, "some-cluster"),
 			expectedError: true,
 			account: &v1alpha1.Account{
 				ObjectMeta: metav1.ObjectMeta{
@@ -234,7 +236,7 @@ func TestFGASubroutine_Process(t *testing.T) {
 		},
 		{
 			name: "should_ignore_error_if_duplicate_write_error",
-			ctx:  kontext.WithCluster(context.Background(), "some-cluster"),
+			ctx:  kontext.WithCluster(defaultContext, "some-cluster"),
 			account: &v1alpha1.Account{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "test-account",
@@ -286,7 +288,7 @@ func TestFGASubroutine_Process(t *testing.T) {
 		},
 		{
 			name: "should_succeed",
-			ctx:  kontext.WithCluster(context.Background(), "some-cluster"),
+			ctx:  kontext.WithCluster(defaultContext, "some-cluster"),
 			account: &v1alpha1.Account{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "test-account",
@@ -337,7 +339,7 @@ func TestFGASubroutine_Process(t *testing.T) {
 		},
 		{
 			name: "should_succeed_with_creator_for_sa",
-			ctx:  kontext.WithCluster(context.Background(), "some-cluster"),
+			ctx:  kontext.WithCluster(defaultContext, "some-cluster"),
 			account: &v1alpha1.Account{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "test-account",
@@ -397,7 +399,7 @@ func TestFGASubroutine_Process(t *testing.T) {
 		},
 		{
 			name:          "should_fail_with_creator_in_sa_range",
-			ctx:           kontext.WithCluster(context.Background(), "some-cluster"),
+			ctx:           kontext.WithCluster(defaultContext, "some-cluster"),
 			expectedError: true,
 			account: &v1alpha1.Account{
 				ObjectMeta: metav1.ObjectMeta{
@@ -448,7 +450,7 @@ func TestFGASubroutine_Process(t *testing.T) {
 		},
 		{
 			name: "should_succeed_with_creator",
-			ctx:  kontext.WithCluster(context.Background(), "some-cluster"),
+			ctx:  kontext.WithCluster(defaultContext, "some-cluster"),
 			account: &v1alpha1.Account{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "test-account",
@@ -789,7 +791,7 @@ func TestCreatorSubroutine_Finalize(t *testing.T) {
 			},
 		},
 	}
-
+	defaultContext := pmconfig.SetConfigInContext(context.Background(), config.OperatorConfig{})
 	for _, test := range testCases {
 		t.Run(test.name, func(t *testing.T) {
 
@@ -801,7 +803,7 @@ func TestCreatorSubroutine_Finalize(t *testing.T) {
 			}
 
 			routine := subroutines.NewFGASubroutine(k8sClient, openFGAClient, "owner", "parent", "account")
-			ctx := kontext.WithCluster(context.Background(), "abcdefghi")
+			ctx := kontext.WithCluster(defaultContext, "abcdefghi")
 			_, err := routine.Finalize(ctx, test.account)
 			if test.expectedError {
 				assert.NotNil(t, err)
diff --git a/test/setup/01-platform-mesh-system/apiexport-core.platform-mesh.io.yaml b/test/setup/01-platform-mesh-system/apiexport-core.platform-mesh.io.yaml
diff --git a/test/setup/01-platform-mesh-system/apiresourceschema-accounts.core.platform-mesh.io.yaml b/test/setup/01-platform-mesh-system/apiresourceschema-accounts.core.platform-mesh.io.yaml
