[RHCLOUD-35545] Update user id for Kessel (RedHatInsights#3050)

* [RHCLOUD-35545] Update user id for Kessel

.rhcicd/clowdapp-backend.yaml

@@ -206,6 +206,8 @@ objects:
               name: sources-api-psk
               key: psk
               optional: true
+        - name: KESSEL_DOMAIN
+          value: ${KESSEL_DOMAIN}
 - apiVersion: v1
   kind: ConfigMap
   metadata:
@@ -312,3 +314,5 @@ parameters:
   value: "false"
 - name: QUARKUS_HIBERNATE_ORM_LOG_SQL
   value: "false"
+- name: KESSEL_DOMAIN
+  value: "redhat"

backend/src/main/java/com/redhat/cloud/notifications/auth/kessel/KesselAuthorization.java

@@ -3,6 +3,7 @@
 import com.redhat.cloud.notifications.auth.kessel.permission.IntegrationPermission;
 import com.redhat.cloud.notifications.auth.kessel.permission.KesselPermission;
 import com.redhat.cloud.notifications.auth.principal.rhid.RhIdentity;
+import com.redhat.cloud.notifications.config.BackendConfig;
 import com.redhat.cloud.notifications.routers.SecurityContextUtil;
 import io.micrometer.core.instrument.MeterRegistry;
 import io.micrometer.core.instrument.Tags;
@@ -63,6 +64,9 @@ public class KesselAuthorization {
     @Inject
     MeterRegistry meterRegistry;
 
+    @Inject
+    BackendConfig backendConfig;
+
     /**
      * Checks if the subject on the security context has permission on the
      * given resource. Throws
@@ -189,7 +193,7 @@ protected CheckRequest buildCheckRequest(final RhIdentity identity, final Kessel
                     .setSubject(
                         ObjectReference.newBuilder()
                             .setType(ObjectType.newBuilder().setNamespace(KESSEL_RBAC_NAMESPACE).setName(KESSEL_IDENTITY_SUBJECT_TYPE).build())
-                            .setId(identity.getName())
+                            .setId(getUserId(identity))
                             .build()
                     ).build()
             ).build();
@@ -210,10 +214,14 @@ protected LookupResourcesRequest buildLookupResourcesRequest(final RhIdentity id
                     .setSubject(
                         ObjectReference.newBuilder()
                             .setType(ObjectType.newBuilder().setNamespace(KESSEL_RBAC_NAMESPACE).setName(KESSEL_IDENTITY_SUBJECT_TYPE).build())
-                            .setId(identity.getName())
+                            .setId(getUserId(identity))
                     ).build()
             ).setRelation(kesselPermission.getKesselPermissionName())
             .setResourceType(ResourceType.INTEGRATION.getKesselObjectType())
             .build();
     }
+
+    private String getUserId(RhIdentity identity) {
+        return backendConfig.getKesselDomain() + "/" + identity.getUserId();
+    }
 }

backend/src/main/java/com/redhat/cloud/notifications/auth/principal/rhid/RhIdentity.java

@@ -9,4 +9,6 @@ public abstract class RhIdentity extends ConsoleIdentity {
     public String getAccountNumber() {
         return null;
     }
+
+    public abstract String getUserId();
 }

backend/src/main/java/com/redhat/cloud/notifications/auth/principal/rhid/RhServiceAccountIdentity.java

@@ -29,22 +29,35 @@ public static class ServiceAccount {
         @JsonProperty("client_id")
         private String clientId;
 
+        @JsonProperty("user_id")
+        private String userId;
+
         public String getClientId() {
             return clientId;
         }
+
+        public String getUserId() {
+            return userId;
+        }
     }
 
     @Override
     public String getName() {
         return getServiceAccount().getClientId();
     }
 
+    @Override
+    public String getUserId() {
+        return getServiceAccount().getUserId();
+    }
+
     @Override
     public String toString() {
         return "RhServiceAccountIdentity{" +
             "orgId='" + this.orgId + '\'' +
             ", serviceAccount=" + this.serviceAccount.username +
             ", type='" + this.type + '\'' +
+            ", userId=" + this.getUserId() +
             '}';
     }
 }

backend/src/main/java/com/redhat/cloud/notifications/auth/principal/rhid/RhUserIdentity.java

@@ -33,22 +33,35 @@ public static class User {
         @JsonProperty("username")
         private String username;
 
+        @JsonProperty("user_id")
+        private String userId;
+
         public String getUsername() {
             return username;
         }
+
+        public String getUserId() {
+            return userId;
+        }
     }
 
     @Override
     public String getName() {
         return getUser().getUsername();
     }
 
+    @Override
+    public String getUserId() {
+        return getUser().getUserId();
+    }
+
     @Override
     public String toString() {
         return "RhUserIdentity{" +
             "accountNumber='" + this.accountNumber + '\'' +
             ", orgId='" + this.orgId + '\'' +
             ", username='" + this.user.username + '\'' +
+            ", userid='" + this.user.userId + '\'' +
             ", type='" + this.type + '\'' +
             '}';
     }

backend/src/main/java/com/redhat/cloud/notifications/config/BackendConfig.java

@@ -27,6 +27,7 @@ public class BackendConfig {
     private static final String KESSEL_INVENTORY_ENABLED = "notifications.kessel-inventory.enabled";
     private static final String KESSEL_INVENTORY_INTEGRATIONS_REMOVAL_ENABLED = "notifications.kessel-inventory.integrations-removal.enabled";
     private static final String KESSEL_RELATIONS_ENABLED = "notifications.kessel-relations.enabled";
+    private static final String KESSEL_DOMAIN = "notifications.kessel.domain";
     private static final String UNLEASH = "notifications.unleash.enabled";
 
     /*
@@ -76,6 +77,9 @@ private static String toggleName(String feature) {
     @ConfigProperty(name = ERRATA_MIGRATION_BATCH_SIZE, defaultValue = "1000")
     int errataMigrationBatchSize;
 
+    @ConfigProperty(name = KESSEL_DOMAIN, defaultValue = "redhat")
+    String kesselDomain;
+
     @Inject
     ToggleRegistry toggleRegistry;
 
@@ -101,6 +105,7 @@ void logConfigAtStartup(@Observes Startup event) {
         config.put(KESSEL_INVENTORY_INTEGRATIONS_REMOVAL_ENABLED, areKesselInventoryIntegrationRemovalsEnabled());
         config.put(KESSEL_RELATIONS_ENABLED, isKesselRelationsEnabled());
         config.put(INSTANT_EMAILS, isInstantEmailsEnabled());
+        config.put(KESSEL_DOMAIN, getKesselDomain());
         config.put(UNLEASH, unleashEnabled);
 
         Log.info("=== Startup configuration ===");
@@ -178,4 +183,8 @@ public boolean isKesselRelationsEnabled() {
             return kesselRelationsEnabled;
         }
     }
+
+    public String getKesselDomain() {
+        return kesselDomain;
+    }
 }

backend/src/test/java/com/redhat/cloud/notifications/TestHelpers.java

@@ -20,6 +20,7 @@ public static String encodeRHIdentityInfo(String accountId, String orgId, String
         JsonObject identity = new JsonObject();
         JsonObject user = new JsonObject();
         user.put("username", username);
+        user.put("user_id", username);
         identity.put("account_number", accountId);
         identity.put("org_id", orgId);
         identity.put("user", user);
@@ -35,6 +36,7 @@ public static String encodeRHServiceAccountIdentityInfo(String orgId, String use
         JsonObject serviceAccount = new JsonObject();
         serviceAccount.put("username", username);
         serviceAccount.put("client_id", uuid);
+        serviceAccount.put("user_id", uuid);
         identity.put("org_id", orgId);
         identity.put("service_account", serviceAccount);
         identity.put("type", "ServiceAccount");

backend/src/test/java/com/redhat/cloud/notifications/auth/kessel/KesselAuthorizationTest.java

@@ -11,6 +11,7 @@
 import com.redhat.cloud.notifications.config.BackendConfig;
 import io.quarkus.test.InjectMock;
 import io.quarkus.test.junit.QuarkusTest;
+import io.quarkus.test.junit.mockito.InjectSpy;
 import jakarta.inject.Inject;
 import jakarta.ws.rs.ForbiddenException;
 import jakarta.ws.rs.core.SecurityContext;
@@ -32,7 +33,7 @@
 
 @QuarkusTest
 public class KesselAuthorizationTest {
-    @InjectMock
+    @InjectSpy
     BackendConfig backendConfig;
 
     @InjectMock
@@ -189,12 +190,12 @@ public String toString() {
         // Create a user identity object.
         final String username = "Red Hat user";
         final RhIdentity userIdentity = Mockito.mock(RhUserIdentity.class);
-        Mockito.when(userIdentity.getName()).thenReturn(username);
+        Mockito.when(userIdentity.getUserId()).thenReturn(username);
 
         // Create a service account identity object.
         final String serviceAccountName = String.format("service-account-%s", UUID.randomUUID());
         final RhIdentity serviceAccountIdentity = Mockito.mock(RhServiceAccountIdentity.class);
-        Mockito.when(serviceAccountIdentity.getName()).thenReturn(serviceAccountName);
+        Mockito.when(serviceAccountIdentity.getUserId()).thenReturn(serviceAccountName);
 
         // Loop through the supported identities.
         final List<TestCase> testCases = List.of(
@@ -217,7 +218,7 @@ public String toString() {
 
             final SubjectReference subjectReference = checkRequest.getSubject();
             Assertions.assertEquals(KesselAuthorization.KESSEL_IDENTITY_SUBJECT_TYPE, subjectReference.getSubject().getType().getName(), String.format("unexpected resource type obtained for the subject's reference on test case: %s", tc));
-            Assertions.assertEquals(tc.identity().getName(), subjectReference.getSubject().getId(), String.format("unexpected resource ID obtained for the subject's reference on test case: %s", tc));
+            Assertions.assertEquals(backendConfig.getKesselDomain() + "/" + tc.identity().getUserId(), subjectReference.getSubject().getId(), String.format("unexpected resource ID obtained for the subject's reference on test case: %s", tc));
         }
     }
 
@@ -260,7 +261,7 @@ public String toString() {
             // Make sure the request was built appropriately.
             final SubjectReference subjectReference = lookupResourcesRequest.getSubject();
             Assertions.assertEquals(KesselAuthorization.KESSEL_IDENTITY_SUBJECT_TYPE, subjectReference.getSubject().getType().getName(), String.format("unexpected resource type obtained for the subject's reference on test case: %s", tc));
-            Assertions.assertEquals(tc.identity().getName(), subjectReference.getSubject().getId(), String.format("unexpected resource ID obtained for the subject's reference on test case: %s", tc));
+            Assertions.assertEquals(backendConfig.getKesselDomain() + "/" + tc.identity().getUserId(), subjectReference.getSubject().getId(), String.format("unexpected resource ID obtained for the subject's reference on test case: %s", tc));
 
             Assertions.assertEquals(tc.permission().getKesselPermissionName(), lookupResourcesRequest.getRelation(), String.format("unexpected relation obtained on test case: %s", tc));
 

backend/src/test/java/com/redhat/cloud/notifications/auth/kessel/KesselTestHelper.java

@@ -105,7 +105,7 @@ public void mockKesselPermission(final String subjectUsername, final KesselPermi
                             .setSubject(
                                 ObjectReference.newBuilder()
                                     .setType(ObjectType.newBuilder().setName(KesselAuthorization.KESSEL_IDENTITY_SUBJECT_TYPE).setNamespace(KesselAuthorization.KESSEL_RBAC_NAMESPACE).build())
-                                    .setId(subjectUsername)
+                                    .setId(backendConfig.getKesselDomain() + "/" + subjectUsername)
                                     .build()
                             ).build()
                     ).build()