feat: add Public-Viewer support

go.mod

@@ -4,8 +4,8 @@ go 1.20
 
 require (
 	github.com/aws/aws-sdk-go v1.44.100
-	github.com/codeready-toolchain/api v0.0.0-20240607180719-368c7afbaebe
-	github.com/codeready-toolchain/toolchain-common v0.0.0-20240613121043-7e6ef858cdff
+	github.com/codeready-toolchain/api v0.0.0-20240708122235-0af5a9a178bb
+	github.com/codeready-toolchain/toolchain-common v0.0.0-20240711082950-c7f9f4442ae0
 	github.com/go-logr/logr v1.4.1
 	github.com/gofrs/uuid v4.2.0+incompatible
 	github.com/pkg/errors v0.9.1

go.sum

@@ -48,10 +48,10 @@ github.com/cloudflare/circl v1.1.0/go.mod h1:prBCrKB9DV4poKZY1l9zBXg2QJY7mvgRvtM
 github.com/cloudflare/circl v1.3.7 h1:qlCDlTPz2n9fu58M0Nh1J/JzcFpfgkFHHX3O35r5vcU=
 github.com/cloudflare/circl v1.3.7/go.mod h1:sRTcRWXGLrKw6yIGJ+l7amYJFfAXbZG0kBSc8r4zxgA=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
-github.com/codeready-toolchain/api v0.0.0-20240607180719-368c7afbaebe h1:l+KsEXkNe1mZ14Z/RaTgeUkEuX9r56mSZC6xlu5H6zY=
-github.com/codeready-toolchain/api v0.0.0-20240607180719-368c7afbaebe/go.mod h1:ie9p4LenCCS0LsnbWp6/xwpFDdCWYE0KWzUO6Sk1g0E=
-github.com/codeready-toolchain/toolchain-common v0.0.0-20240613121043-7e6ef858cdff h1:bVWL+2eayFKUnEzdEAwltPs+pzbGlGDSmrM3oOV2Ams=
-github.com/codeready-toolchain/toolchain-common v0.0.0-20240613121043-7e6ef858cdff/go.mod h1:cyHrUfvBYEtsf+FbqQYmR9y0AQi9QAVtM3SUWLA5bd4=
+github.com/codeready-toolchain/api v0.0.0-20240708122235-0af5a9a178bb h1:Wc9CMsv0ODZv9dM5qF3OI0mFDO95YNIXV/8oRvoz8aE=
+github.com/codeready-toolchain/api v0.0.0-20240708122235-0af5a9a178bb/go.mod h1:ie9p4LenCCS0LsnbWp6/xwpFDdCWYE0KWzUO6Sk1g0E=
+github.com/codeready-toolchain/toolchain-common v0.0.0-20240711082950-c7f9f4442ae0 h1:v7Z5i0JaF1H9SYxK/uEjWgH8Vpm4Eg3OJep/Pl/2iyM=
+github.com/codeready-toolchain/toolchain-common v0.0.0-20240711082950-c7f9f4442ae0/go.mod h1:8M9k7w2VSyRKSK6P08Jo2ddW3uyGgxCcSitnYa3HK9o=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=

pkg/application/service/services.go

@@ -38,7 +38,7 @@ type VerificationService interface {
 }
 
 type MemberClusterService interface {
-	GetClusterAccess(userID, username, workspace, proxyPluginName string) (*access.ClusterAccess, error)
+	GetClusterAccess(userID, username, workspace, proxyPluginName string, publicViewerEnabled bool) (*access.ClusterAccess, error)
 }
 
 type Services interface {

pkg/configuration/configuration.go

@@ -121,6 +121,10 @@ func (r RegistrationServiceConfig) Print() {
 	logger.Info("Registration Service Configuration", "config", r.cfg.Host.RegistrationService)
 }
 
+func (r RegistrationServiceConfig) PublicViewerEnabled() bool {
+	return r.cfg.Host.PublicViewerConfig != nil && r.cfg.Host.PublicViewerConfig.Enabled
+}
+
 func (r RegistrationServiceConfig) Environment() string {
 	return commonconfig.GetString(r.cfg.Host.RegistrationService.Environment, prodEnvironment)
 }

pkg/configuration/configuration_test.go

@@ -3,6 +3,7 @@ package configuration_test
 import (
 	"testing"
 
+	"github.com/codeready-toolchain/api/api/v1alpha1"
 	"github.com/codeready-toolchain/registration-service/pkg/configuration"
 	"github.com/codeready-toolchain/registration-service/test"
 	commonconfig "github.com/codeready-toolchain/toolchain-common/pkg/configuration"
@@ -68,6 +69,7 @@ func TestRegistrationService(t *testing.T) {
 		assert.InDelta(t, float32(0), regServiceCfg.Verification().CaptchaRequiredScore(), 0.01)
 		assert.True(t, regServiceCfg.Verification().CaptchaAllowLowScoreReactivation())
 		assert.Empty(t, regServiceCfg.Verification().CaptchaServiceAccountFileContents())
+		assert.False(t, regServiceCfg.PublicViewerEnabled())
 	})
 	t.Run("non-default", func(t *testing.T) {
 		// given
@@ -151,5 +153,42 @@ func TestRegistrationService(t *testing.T) {
 		assert.InDelta(t, float32(0.5), regServiceCfg.Verification().CaptchaRequiredScore(), 0.01)
 		assert.False(t, regServiceCfg.Verification().CaptchaAllowLowScoreReactivation())
 		assert.Equal(t, "example-content", regServiceCfg.Verification().CaptchaServiceAccountFileContents())
+		assert.False(t, regServiceCfg.PublicViewerEnabled())
 	})
 }
+
+func TestPublicViewer(t *testing.T) {
+	tt := map[string]struct {
+		name               string
+		expectedValue      bool
+		publicViewerConfig *v1alpha1.PublicViewerConfiguration
+	}{
+		"public-viewer is explicitly enabled": {
+			expectedValue:      true,
+			publicViewerConfig: &v1alpha1.PublicViewerConfiguration{Enabled: true},
+		},
+		"public-viewer is explicitly disabled": {
+			expectedValue:      false,
+			publicViewerConfig: &v1alpha1.PublicViewerConfiguration{Enabled: false},
+		},
+		"public-viewer config not set, assume disabled": {
+			expectedValue:      false,
+			publicViewerConfig: nil,
+		},
+	}
+
+	for _, tc := range tt {
+		t.Run(tc.name, func(t *testing.T) {
+			// given
+			cfg := commonconfig.NewToolchainConfigObjWithReset(t)
+			cfg.Spec.Host.PublicViewerConfig = tc.publicViewerConfig
+			secrets := make(map[string]map[string]string)
+			regServiceCfg := configuration.NewRegistrationServiceConfig(cfg, secrets)
+
+			// then
+
+			// when
+			assert.Equal(t, tc.expectedValue, regServiceCfg.PublicViewerEnabled())
+		})
+	}
+}

pkg/context/keys.go

@@ -25,4 +25,8 @@ const (
 	WorkspaceKey = "workspace"
 	// RequestReceivedTime is the context key for the starting time of a request made
 	RequestReceivedTime = "requestReceivedTime"
+	// PublicViewerEnabled is a boolean value indicating whether PublicViewer support is enabled
+	PublicViewerEnabled = "publicViewerEnabled"
+	// ImpersonateUser is the content key for the impersonated user in proxied call
+	ImpersonateUser = "impersonateUser"
 )

pkg/context/public_viewer.go

@@ -0,0 +1,10 @@
+package context
+
+import "github.com/labstack/echo/v4"
+
+// IsPublicViewerEnabled retrieves from the context the boolean value associated to the PublicViewerEnabled key.
+// If the key is not set it returns false, otherwise it returns the boolean value stored in the context.
+func IsPublicViewerEnabled(ctx echo.Context) bool {
+	publicViewerEnabled, _ := ctx.Get(PublicViewerEnabled).(bool)
+	return publicViewerEnabled
+}

pkg/log/log.go

@@ -149,6 +149,14 @@ func (l *Logger) InfoEchof(ctx echo.Context, msg string, args ...string) {
 	ctxFields = append(ctxFields, "url")
 	ctxFields = append(ctxFields, ctx.Request().URL)
 
+	if impersonateUser, ok := ctx.Get(context.ImpersonateUser).(string); ok {
+		ctxFields = append(ctxFields, "impersonate-user", impersonateUser)
+	}
+
+	if publicViewerEnabled, ok := ctx.Get(context.PublicViewerEnabled).(bool); ok {
+		ctxFields = append(ctxFields, "public-viewer-enabled", publicViewerEnabled)
+	}
+
 	l.infof(ctxFields, msg, args...)
 }
 

pkg/log/log_test.go

@@ -60,25 +60,68 @@ func TestLog(t *testing.T) {
 	})
 
 	t.Run("log infoEchof", func(t *testing.T) {
-		buf.Reset()
-		req := httptest.NewRequest(http.MethodGet, "https://api-server.com/api/workspaces/path", strings.NewReader("{}"))
-		rec := httptest.NewRecorder()
-		ctx := echo.New().NewContext(req, rec)
-		ctx.Set(context.SubKey, "test")
-		ctx.Set(context.UsernameKey, "usernametest")
-		ctx.Set(context.WorkspaceKey, "coolworkspace")
+		tt := map[string]struct {
+			name        string
+			contains    string
+			notContains string
+			ctxSet      map[string]interface{}
+		}{
+			"default": {},
+			"impersonateUser is set": {
+				ctxSet:   map[string]interface{}{context.ImpersonateUser: "user"},
+				contains: `"impersonate-user":"user"`,
+			},
+			"impersonateUser is not set": {
+				ctxSet:      map[string]interface{}{},
+				notContains: `impersonate-user`,
+			},
+			"public-viewer-enabled is set to true": {
+				ctxSet:   map[string]interface{}{context.PublicViewerEnabled: true},
+				contains: `"public-viewer-enabled":true`,
+			},
+			"public-viewer-enabled is set to false": {
+				ctxSet:   map[string]interface{}{context.PublicViewerEnabled: false},
+				contains: `"public-viewer-enabled":false`,
+			},
+			"public-viewer-enabled is not set": {
+				ctxSet:      map[string]interface{}{},
+				notContains: `public-viewer-enabled`,
+			},
+		}
 
-		InfoEchof(ctx, "test %s", "info")
-		value := buf.String()
-		assert.Contains(t, value, `"logger":"logger_tests"`)
-		assert.Contains(t, value, `"msg":"test info"`)
-		assert.Contains(t, value, `"user_id":"test"`) // subject -> user_id
-		assert.Contains(t, value, `"username":"usernametest"`)
-		assert.Contains(t, value, `"level":"info"`)
-		assert.Contains(t, value, `"timestamp":"`)
-		assert.Contains(t, value, `"workspace":"coolworkspace"`)
-		assert.Contains(t, value, `"method":"GET"`)
-		assert.Contains(t, value, `"url":"https://api-server.com/api/workspaces/path"`)
+		for _, tc := range tt {
+			t.Run(tc.name, func(t *testing.T) {
+				buf.Reset()
+				req := httptest.NewRequest(http.MethodGet, "https://api-server.com/api/workspaces/path", strings.NewReader("{}"))
+				rec := httptest.NewRecorder()
+				ctx := echo.New().NewContext(req, rec)
+				ctx.Set(context.SubKey, "test")
+				ctx.Set(context.UsernameKey, "usernametest")
+				ctx.Set(context.WorkspaceKey, "coolworkspace")
+				for k, v := range tc.ctxSet {
+					ctx.Set(k, v)
+				}
+
+				InfoEchof(ctx, "test %s", "info")
+				value := buf.String()
+				assert.Contains(t, value, `"logger":"logger_tests"`)
+				assert.Contains(t, value, `"msg":"test info"`)
+				assert.Contains(t, value, `"user_id":"test"`) // subject -> user_id
+				assert.Contains(t, value, `"username":"usernametest"`)
+				assert.Contains(t, value, `"level":"info"`)
+				assert.Contains(t, value, `"timestamp":"`)
+				assert.Contains(t, value, `"workspace":"coolworkspace"`)
+				assert.Contains(t, value, `"method":"GET"`)
+				assert.Contains(t, value, `"url":"https://api-server.com/api/workspaces/path"`)
+
+				if tc.contains != "" {
+					assert.Contains(t, value, tc.contains)
+				}
+				if tc.notContains != "" {
+					assert.NotContains(t, value, tc.notContains)
+				}
+			})
+		}
 	})
 
 	t.Run("log infof with no arguments", func(t *testing.T) {

pkg/proxy/handlers/spacelister_get.go

@@ -8,6 +8,8 @@ import (
 	"time"
 
 	toolchainv1alpha1 "github.com/codeready-toolchain/api/api/v1alpha1"
+	"github.com/codeready-toolchain/registration-service/pkg/configuration"
+	"github.com/codeready-toolchain/registration-service/pkg/context"
 	regsercontext "github.com/codeready-toolchain/registration-service/pkg/context"
 	"github.com/codeready-toolchain/registration-service/pkg/proxy/metrics"
 	"github.com/codeready-toolchain/registration-service/pkg/signup"
@@ -27,6 +29,8 @@ func HandleSpaceGetRequest(spaceLister *SpaceLister, GetMembersFunc cluster.GetM
 	// get specific workspace
 	return func(ctx echo.Context) error {
 		requestReceivedTime := ctx.Get(regsercontext.RequestReceivedTime).(time.Time)
+		publicViewerEnabled := configuration.GetRegistrationServiceConfig().PublicViewerEnabled()
+		ctx.Set(context.PublicViewerEnabled, publicViewerEnabled)
 		workspace, err := GetUserWorkspaceWithBindings(ctx, spaceLister, ctx.Param("workspace"), GetMembersFunc)
 		if err != nil {
 			spaceLister.ProxyMetrics.RegServWorkspaceHistogramVec.WithLabelValues(fmt.Sprintf("%d", http.StatusInternalServerError), metrics.MetricsLabelVerbGet).Observe(time.Since(requestReceivedTime).Seconds()) // using list as the default value for verb to minimize label combinations for prometheus to process
@@ -43,7 +47,7 @@ func HandleSpaceGetRequest(spaceLister *SpaceLister, GetMembersFunc cluster.GetM
 	}
 }
 
-// GetUserWorkspace returns a workspace object with the required fields used by the proxy
+// GetUserWorkspace returns a workspace object with the required fields used by the proxy.
 func GetUserWorkspace(ctx echo.Context, spaceLister *SpaceLister, workspaceName string) (*toolchainv1alpha1.Workspace, error) {
 	userSignup, space, err := getUserSignupAndSpace(ctx, spaceLister, workspaceName)
 	if err != nil {
@@ -54,6 +58,56 @@ func GetUserWorkspace(ctx echo.Context, spaceLister *SpaceLister, workspaceName
 		return nil, nil
 	}
 
+	// retrieve user space binding
+	userSpaceBinding, err := getUserOrPublicViewerSpaceBinding(ctx, spaceLister, space, userSignup, workspaceName)
+	if err != nil {
+		return nil, err
+	}
+	// consider this as not found
+	if userSpaceBinding == nil {
+		return nil, nil
+	}
+
+	// create and return the result workspace object
+	return createWorkspaceObject(userSignup.Name, space, userSpaceBinding), nil
+}
+
+// getUserOrPublicViewerSpaceBinding retrieves the user space binding for an user and a space.
+// If the SpaceBinding is not found and the PublicViewer feature is enabled, it will retry
+// with the PublicViewer credentials.
+func getUserOrPublicViewerSpaceBinding(ctx echo.Context, spaceLister *SpaceLister, space *toolchainv1alpha1.Space, userSignup *signup.Signup, workspaceName string) (*toolchainv1alpha1.SpaceBinding, error) {
+	userSpaceBinding, err := getUserSpaceBinding(ctx, spaceLister, space, userSignup)
+	if err != nil {
+		return nil, err
+	}
+
+	// if user space binding is not found and PublicViewer is enabled,
+	// retry with PublicViewer's signup
+	if userSpaceBinding == nil {
+		if context.IsPublicViewerEnabled(ctx) {
+			publicViewerUserSignup := signup.Signup{
+				Name:              toolchainv1alpha1.KubesawAuthenticatedUsername,
+				CompliantUsername: toolchainv1alpha1.KubesawAuthenticatedUsername,
+			}
+			pvSb, err := getUserSpaceBinding(ctx, spaceLister, space, &publicViewerUserSignup)
+			if err != nil {
+				ctx.Logger().Error(fmt.Sprintf("error checking if SpaceBinding is present for user %s and the workspace %s", publicViewerUserSignup.CompliantUsername, workspaceName))
+				return nil, err
+			}
+			if pvSb == nil {
+				ctx.Logger().Error(fmt.Sprintf("unauthorized access - there is no SpaceBinding present for the user %s and the workspace %s", userSignup.CompliantUsername, workspaceName))
+				return nil, nil
+			}
+			return pvSb, nil
+		}
+		ctx.Logger().Error(fmt.Sprintf("unauthorized access - there is no SpaceBinding present for the user %s and the workspace %s", userSignup.CompliantUsername, workspaceName))
+	}
+
+	return userSpaceBinding, nil
+}
+
+// getUserSpaceBinding retrieves the user space binding for an user and a space.
+func getUserSpaceBinding(ctx echo.Context, spaceLister *SpaceLister, space *toolchainv1alpha1.Space, userSignup *signup.Signup) (*toolchainv1alpha1.SpaceBinding, error) {
 	// recursively get all the spacebindings for the current workspace
 	listSpaceBindingsFunc := func(spaceName string) ([]toolchainv1alpha1.SpaceBinding, error) {
 		spaceSelector, err := labels.NewRequirement(toolchainv1alpha1.SpaceBindingSpaceLabelKey, selection.Equals, []string{spaceName})
@@ -74,7 +128,6 @@ func GetUserWorkspace(ctx echo.Context, spaceLister *SpaceLister, workspaceName
 	}
 	if len(userSpaceBindings) == 0 {
 		//  let's only log the issue and consider this as not found
-		ctx.Logger().Error(fmt.Sprintf("unauthorized access - there is no SpaceBinding present for the user %s and the workspace %s", userSignup.CompliantUsername, workspaceName))
 		return nil, nil
 	}
 
@@ -84,10 +137,10 @@ func GetUserWorkspace(ctx echo.Context, spaceLister *SpaceLister, workspaceName
 		return nil, userBindingsErr
 	}
 
-	return createWorkspaceObject(userSignup.Name, space, &userSpaceBindings[0]), nil
+	return &userSpaceBindings[0], nil
 }
 
-// GetUserWorkspaceWithBindings returns a workspace object with the required fields+bindings (the list with all the users access details)
+// GetUserWorkspaceWithBindings returns a workspace object with the required fields+bindings (the list with all the users access details).
 func GetUserWorkspaceWithBindings(ctx echo.Context, spaceLister *SpaceLister, workspaceName string, GetMembersFunc cluster.GetMemberClustersFunc) (*toolchainv1alpha1.Workspace, error) {
 	userSignup, space, err := getUserSignupAndSpace(ctx, spaceLister, workspaceName)
 	if err != nil {
@@ -116,9 +169,16 @@ func GetUserWorkspaceWithBindings(ctx echo.Context, spaceLister *SpaceLister, wo
 	// check if user has access to this workspace
 	userBinding := filterUserSpaceBinding(userSignup.CompliantUsername, allSpaceBindings)
 	if userBinding == nil {
-		//  let's only log the issue and consider this as not found
-		ctx.Logger().Error(fmt.Sprintf("unauthorized access - there is no SpaceBinding present for the user %s and the workspace %s", userSignup.CompliantUsername, workspaceName))
-		return nil, nil
+		// if PublicViewer is enabled, check if the Space is visibile to PublicViewer
+		if context.IsPublicViewerEnabled(ctx) && userSignup.CompliantUsername != toolchainv1alpha1.KubesawAuthenticatedUsername {
+			userBinding = filterUserSpaceBinding(toolchainv1alpha1.KubesawAuthenticatedUsername, allSpaceBindings)
+		}
+
+		if userBinding == nil {
+			//  let's only log the issue and consider this as not found
+			ctx.Logger().Error(fmt.Sprintf("unauthorized access - there is no SpaceBinding present for the user %s and the workspace %s", userSignup.CompliantUsername, workspaceName))
+			return nil, nil
+		}
 	}
 
 	// list all SpaceBindingRequests , just in case there might be some failing to create a SpaceBinding resource.
@@ -155,6 +215,12 @@ func getUserSignupAndSpace(ctx echo.Context, spaceLister *SpaceLister, workspace
 	if err != nil {
 		return nil, nil, err
 	}
+	if userSignup == nil && context.IsPublicViewerEnabled(ctx) {
+		userSignup = &signup.Signup{
+			CompliantUsername: toolchainv1alpha1.KubesawAuthenticatedUsername,
+			Name:              toolchainv1alpha1.KubesawAuthenticatedUsername,
+		}
+	}
 
 	space, err := spaceLister.GetInformerServiceFunc().GetSpace(workspaceName)
 	if err != nil {