feat(api-server): RBAC enforcement with scope-aware authorization

.github/workflows/e2e.yml

@@ -317,6 +317,33 @@ jobs:
         done
         ./scripts/run-tests.sh
 
+    - name: Run RBAC enforcement E2E tests
+      run: |
+        # Port-forward api-server for RBAC tests
+        kubectl port-forward -n ambient-code svc/ambient-api-server 13592:8000 &
+        APIPF=$!
+        sleep 2
+
+        # Enable JWT + RBAC enforcement on api-server
+        kubectl set env deployment/ambient-api-server -n ambient-code \
+          AMBIENT_ENV=production \
+          JWK_CERT_URL=http://keycloak-service:8080/realms/ambient-code/protocol/openid-connect/certs
+        kubectl get deployment ambient-api-server -n ambient-code -o json \
+          | sed 's/--enable-jwt=false/--enable-jwt=true/' \
+          | sed 's/--enable-authz=false/--enable-authz=true/' \
+          | kubectl apply -f -
+        kubectl rollout status deployment/ambient-api-server -n ambient-code --timeout=120s
+
+        # Restart port-forward after rollout
+        kill $APIPF 2>/dev/null || true
+        kubectl port-forward -n ambient-code svc/ambient-api-server 13592:8000 &
+        sleep 2
+
+        # Run RBAC e2e tests (Keycloak on NodePort 30090)
+        API_URL=http://localhost:13592/api/ambient/v1 \
+        KC_URL=http://localhost:30090 \
+        bash components/ambient-api-server/test/e2e/rbac_e2e_test.sh
+
     - name: Upload test results
       if: failure()
       uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6

components/ambient-api-server/cmd/ambient-api-server/environments/e_integration_testing.go

@@ -33,7 +33,6 @@ func (e *IntegrationTestingEnvImpl) OverrideConfig(c *config.ApplicationConfig)
 }
 
 func (e *IntegrationTestingEnvImpl) OverrideServices(s *pkgenv.Services) error {
-	s.SetService("RBACMiddleware", nil)
 	return nil
 }
 
@@ -52,7 +51,7 @@ func (e *IntegrationTestingEnvImpl) Flags() map[string]string {
 		"api-base-url":                    "https://api.integration.openshift.com",
 		"enable-https":                    "false",
 		"enable-metrics-https":            "false",
-		"enable-authz":                    "true",
+		"enable-authz":                    "false",
 		"debug":                           "false",
 		"enable-mock":                     "true",
 		"api-server-bindaddress":          "localhost:0",

components/ambient-api-server/cmd/ambient-api-server/main.go

@@ -36,6 +36,7 @@ func main() {
 		pkgcmd.NewMigrateCommand("ambient-api-server"),
 		pkgcmd.NewServeCommand(localapi.GetOpenAPISpec),
 		localcmd.NewEncryptCredentialsCommand(),
+		localcmd.NewSeedAdminCommand(),
 	)
 
 	if err := rootCmd.Execute(); err != nil {

components/ambient-api-server/pkg/cmd/seed_admin.go

@@ -0,0 +1,82 @@
+package cmd
+
+import (
+	"context"
+	"flag"
+	"fmt"
+
+	"github.com/golang/glog"
+	"github.com/openshift-online/rh-trex-ai/pkg/api"
+	"github.com/openshift-online/rh-trex-ai/pkg/config"
+	"github.com/openshift-online/rh-trex-ai/pkg/db/db_session"
+	"github.com/spf13/cobra"
+)
+
+func NewSeedAdminCommand() *cobra.Command {
+	dbConfig := config.NewDatabaseConfig()
+	var username string
+
+	cmd := &cobra.Command{
+		Use:   "seed-admin",
+		Short: "Create the initial platform:admin RoleBinding",
+		Long:  "Seeds the first platform:admin user. This breaks the bootstrap chicken-and-egg: RBAC endpoints are themselves gated, so the first admin cannot grant themselves access through the API.",
+		Run: func(cmd *cobra.Command, args []string) {
+			if err := dbConfig.ReadFiles(); err != nil {
+				glog.Fatal(err)
+			}
+
+			connection := db_session.NewProdFactory(dbConfig)
+			db := connection.New(context.Background())
+
+			// Upsert user
+			userID := api.NewID()
+			result := db.Exec(
+				`INSERT INTO users (id, username, name, created_at, updated_at)
+				 VALUES (?, ?, ?, NOW(), NOW())
+				 ON CONFLICT (username) WHERE deleted_at IS NULL DO NOTHING`,
+				userID, username, username,
+			)
+			if result.Error != nil {
+				glog.Fatalf("Failed to upsert user: %v", result.Error)
+			}
+
+			// Resolve actual user ID (may already exist)
+			var resolvedUserID string
+			if err := db.Raw(`SELECT id FROM users WHERE username = ? AND deleted_at IS NULL`, username).Scan(&resolvedUserID).Error; err != nil {
+				glog.Fatalf("Failed to resolve user ID: %v", err)
+			}
+
+			// Look up platform:admin role
+			var roleID string
+			if err := db.Raw(`SELECT id FROM roles WHERE name = 'platform:admin' AND deleted_at IS NULL`).Scan(&roleID).Error; err != nil || roleID == "" {
+				glog.Fatal("platform:admin role not found — run migrations first")
+			}
+
+			// Create global binding (idempotent)
+			bindingResult := db.Exec(
+				`INSERT INTO role_bindings (id, role_id, scope, user_id, created_at, updated_at)
+				 SELECT ?, ?, 'global', ?, NOW(), NOW()
+				 WHERE NOT EXISTS (
+				   SELECT 1 FROM role_bindings
+				   WHERE role_id = ? AND scope = 'global' AND user_id = ? AND deleted_at IS NULL
+				 )`,
+				api.NewID(), roleID, resolvedUserID, roleID, resolvedUserID,
+			)
+			if bindingResult.Error != nil {
+				glog.Fatalf("Failed to create admin binding: %v", bindingResult.Error)
+			}
+
+			if bindingResult.RowsAffected == 0 {
+				fmt.Printf("platform:admin binding already exists for user %q\n", username)
+			} else {
+				fmt.Printf("platform:admin binding created for user %q (id=%s)\n", username, resolvedUserID)
+			}
+		},
+	}
+
+	cmd.Flags().StringVar(&username, "username", "", "Username of the admin to seed (required)")
+	_ = cmd.MarkFlagRequired("username")
+	dbConfig.AddFlags(cmd.PersistentFlags())
+	cmd.PersistentFlags().AddGoFlagSet(flag.CommandLine)
+	return cmd
+}

components/ambient-api-server/pkg/rbac/context.go

@@ -0,0 +1,62 @@
+package rbac
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/openshift-online/rh-trex-ai/pkg/services"
+)
+
+type authResultKey struct{}
+
+type AuthResult struct {
+	Username      string
+	IsGlobalAdmin bool
+	ProjectIDs    []string // nil = global access (all projects)
+	CredentialIDs []string // nil = global access (all credentials)
+}
+
+func SetAuthResult(ctx context.Context, result *AuthResult) context.Context {
+	return context.WithValue(ctx, authResultKey{}, result)
+}
+
+func GetAuthResult(ctx context.Context) *AuthResult {
+	v, _ := ctx.Value(authResultKey{}).(*AuthResult)
+	return v
+}
+
+// ApplyListFilter restricts list results to the caller's authorized scope.
+// filterColumn is the DB column to filter on (e.g. "id" for projects, "project_id" for sessions).
+// useCredentialIDs controls whether to filter by credential IDs instead of project IDs.
+// Returns false if the user has zero authorized IDs (caller should return empty list).
+func ApplyListFilter(ctx context.Context, listArgs *services.ListArguments, filterColumn string, useCredentialIDs bool) bool {
+	auth := GetAuthResult(ctx)
+	if auth == nil || auth.IsGlobalAdmin {
+		return true
+	}
+
+	var ids []string
+	if useCredentialIDs {
+		ids = auth.CredentialIDs
+	} else {
+		ids = auth.ProjectIDs
+	}
+
+	if len(ids) == 0 {
+		return false
+	}
+
+	quoted := make([]string, len(ids))
+	for i, id := range ids {
+		quoted[i] = fmt.Sprintf("'%s'", strings.ReplaceAll(id, "'", "''"))
+	}
+	scopeFilter := fmt.Sprintf("%s in (%s)", filterColumn, strings.Join(quoted, ","))
+
+	if listArgs.Search != "" {
+		listArgs.Search = fmt.Sprintf("(%s) and (%s)", listArgs.Search, scopeFilter)
+	} else {
+		listArgs.Search = scopeFilter
+	}
+	return true
+}

components/ambient-api-server/pkg/rbac/evaluator.go

@@ -0,0 +1,194 @@
+package rbac
+
+import (
+	"context"
+	"encoding/json"
+	"strings"
+
+	"github.com/openshift-online/rh-trex-ai/pkg/db"
+	"gorm.io/gorm"
+)
+
+type bindingRow struct {
+	RoleID       string
+	RoleName     string
+	Scope        string
+	UserID       *string
+	ProjectID    *string
+	AgentID      *string
+	SessionID    *string
+	CredentialID *string
+	Permissions  string
+}
+
+type Evaluator struct {
+	sessionFactory *db.SessionFactory
+}
+
+func NewEvaluator(sessionFactory *db.SessionFactory) *Evaluator {
+	return &Evaluator{sessionFactory: sessionFactory}
+}
+
+func (e *Evaluator) fetchBindings(g *gorm.DB, username string) ([]bindingRow, error) {
+	var rows []bindingRow
+	err := g.Raw(`
+		SELECT rb.role_id, r.name AS role_name, rb.scope,
+		       rb.user_id, rb.project_id, rb.agent_id,
+		       rb.session_id, rb.credential_id,
+		       r.permissions
+		FROM role_bindings rb
+		JOIN roles r ON r.id = rb.role_id
+		WHERE rb.user_id = ?
+		  AND rb.deleted_at IS NULL
+		  AND r.deleted_at IS NULL
+	`, username).Scan(&rows).Error
+	return rows, err
+}
+
+func (e *Evaluator) Evaluate(ctx context.Context, username string, resource Resource, action Action, scope RequestScope) (bool, error) {
+	g := (*e.sessionFactory).New(ctx)
+
+	bindings, err := e.fetchBindings(g, username)
+	if err != nil {
+		return false, err
+	}
+	if len(bindings) == 0 {
+		return false, nil
+	}
+
+	requiredPerm := string(resource) + ":" + string(action)
+
+	if scope.SessionID != "" && scope.ProjectID == "" {
+		projectID, lookupErr := e.resolveSessionProject(g, scope.SessionID)
+		if lookupErr == nil && projectID != "" {
+			scope.ProjectID = projectID
+		}
+	}
+
+	for _, b := range bindings {
+		if !bindingMatchesPermission(b.Permissions, requiredPerm) {
+			continue
+		}
+		if bindingCoversScope(b, scope) {
+			return true, nil
+		}
+	}
+
+	return false, nil
+}
+
+func (e *Evaluator) AuthorizedProjectIDs(ctx context.Context, username string) (projectIDs []string, isGlobal bool, err error) {
+	g := (*e.sessionFactory).New(ctx)
+
+	bindings, fetchErr := e.fetchBindings(g, username)
+	if fetchErr != nil {
+		return nil, false, fetchErr
+	}
+
+	seen := map[string]bool{}
+	for _, b := range bindings {
+		if b.Scope == string(ScopeGlobal) {
+			return nil, true, nil
+		}
+		if b.Scope == string(ScopeProject) && b.ProjectID != nil {
+			if !seen[*b.ProjectID] {
+				seen[*b.ProjectID] = true
+				projectIDs = append(projectIDs, *b.ProjectID)
+			}
+		}
+	}
+	return projectIDs, false, nil
+}
+
+func (e *Evaluator) AuthorizedCredentialIDs(ctx context.Context, username string) (credentialIDs []string, isGlobal bool, err error) {
+	g := (*e.sessionFactory).New(ctx)
+
+	bindings, fetchErr := e.fetchBindings(g, username)
+	if fetchErr != nil {
+		return nil, false, fetchErr
+	}
+
+	seen := map[string]bool{}
+	for _, b := range bindings {
+		if b.Scope == string(ScopeGlobal) {
+			return nil, true, nil
+		}
+		if b.Scope == string(ScopeCredential) && b.CredentialID != nil {
+			if !seen[*b.CredentialID] {
+				seen[*b.CredentialID] = true
+				credentialIDs = append(credentialIDs, *b.CredentialID)
+			}
+		}
+	}
+	return credentialIDs, false, nil
+}
+
+func (e *Evaluator) resolveSessionProject(g *gorm.DB, sessionID string) (string, error) {
+	var projectID string
+	err := g.Raw(`SELECT COALESCE(project_id, '') FROM sessions WHERE id = ? AND deleted_at IS NULL`, sessionID).Scan(&projectID).Error
+	return projectID, err
+}
+
+func bindingMatchesPermission(permissionsJSON, required string) bool {
+	var perms []string
+	if err := json.Unmarshal([]byte(permissionsJSON), &perms); err != nil {
+		return false
+	}
+
+	reqParts := strings.SplitN(required, ":", 2)
+	if len(reqParts) != 2 {
+		return false
+	}
+	reqResource, reqAction := reqParts[0], reqParts[1]
+
+	for _, perm := range perms {
+		if perm == "*:*" {
+			return true
+		}
+		parts := strings.SplitN(perm, ":", 2)
+		if len(parts) != 2 {
+			continue
+		}
+		r, a := parts[0], parts[1]
+		resourceMatch := r == "*" || r == reqResource
+		actionMatch := a == "*" || a == reqAction
+		if resourceMatch && actionMatch {
+			return true
+		}
+	}
+	return false
+}
+
+func bindingCoversScope(b bindingRow, reqScope RequestScope) bool {
+	switch ScopeLevel(b.Scope) {
+	case ScopeGlobal:
+		return true
+
+	case ScopeProject:
+		if b.ProjectID == nil {
+			return false
+		}
+		return reqScope.ProjectID == *b.ProjectID
+
+	case ScopeAgent:
+		if b.AgentID == nil {
+			return false
+		}
+		return reqScope.AgentID == *b.AgentID
+
+	case ScopeSession:
+		if b.SessionID == nil {
+			return false
+		}
+		return reqScope.SessionID == *b.SessionID
+
+	case ScopeCredential:
+		if b.CredentialID == nil {
+			return false
+		}
+		return reqScope.CredentialID == *b.CredentialID
+
+	default:
+		return false
+	}
+}