chore: get tenant annotation from annotations

JoseSzycho · JoseSzycho · commit 7edc77234ead · 2026-03-23T22:01:30.000-03:00
diff --git a/internal/indexer/consumer.go b/internal/indexer/consumer.go
@@ -34,30 +34,40 @@ type auditEvent struct {
 		UID        string `json:"uid"`
 	} `json:"objectRef"`
 	ResponseObject map[string]any `json:"responseObject"`
-	// User carries authenticated user information including tenant context in extra fields.
-	User *struct {
-		Extra map[string][]string `json:"extra,omitempty"`
-	} `json:"user,omitempty"`
 }
 
-// extractTenantFromAuditEvent extracts tenant identity from audit event user extra fields.
-// Mirrors processor.ExtractTenant() in the Activity repo.
-// Falls back to "platform"/"platform" when fields are absent.
+// extractTenantFromAuditEvent extracts tenant identity from the audit event.
+// It reads exclusively from ResponseObject metadata annotations:
+//   - ScopeTypeAnnotationKey ("platform.miloapis.com/scope.type") for the tenant type
+//   - ScopeNameAnnotationKey ("platform.miloapis.com/scope.name") for the tenant name
+//
+// Falls back to "platform"/"platform" when the ResponseObject is absent or the
+// annotations are not set.
 func extractTenantFromAuditEvent(event *auditEvent) (tenantName string, tenantType string) {
-	tenantName = "platform"
-	tenantType = "platform"
+	tenantName = tenantTypePlatform
+	tenantType = tenantTypePlatform
 
-	if event.User == nil || event.User.Extra == nil {
+	if event.ResponseObject == nil {
 		return
 	}
 
-	if values, ok := event.User.Extra["iam.miloapis.com/parent-type"]; ok && len(values) > 0 {
+	caser := cases.Title(language.Und)
+	obj := &unstructured.Unstructured{Object: event.ResponseObject}
+	annotations := obj.GetAnnotations()
+
+	if v, ok := annotations[ScopeTypeAnnotationKey]; ok && v != "" {
 		// Normalize to title-case to match Milo's scope annotation conventions
 		// (e.g. the annotation value "project" becomes "Project").
-		tenantType = cases.Title(language.Und).String(values[0])
+		// Exception: "platform" is a fallback default and stays lowercase.
+		if v != tenantTypePlatform {
+			tenantType = caser.String(v)
+		} else {
+			tenantType = v
+		}
 	}
-	if values, ok := event.User.Extra["iam.miloapis.com/parent-name"]; ok && len(values) > 0 {
-		tenantName = values[0]
+
+	if v, ok := annotations[ScopeNameAnnotationKey]; ok && v != "" {
+		tenantName = v
 	}
 
 	return
@@ -81,6 +91,11 @@ const (
 	// to avoid an import cycle: internal/tenant/project_watcher.go already
 	// imports internal/indexer, so internal/indexer cannot import internal/tenant.
 	tenantTypePlatform = "platform"
+
+	// Scope annotation keys from resource metadata. Tenant identity is derived
+	// exclusively from these annotations on the ResponseObject.
+	ScopeTypeAnnotationKey = "platform.miloapis.com/scope.type"
+	ScopeNameAnnotationKey = "platform.miloapis.com/scope.name"
 )
 
 // Start starts the indexer consumer loop.
diff --git a/internal/indexer/consumer_test.go b/internal/indexer/consumer_test.go
@@ -157,50 +157,53 @@ func TestIndexer_Start_ConsumeFlow(t *testing.T) {
 	msg.AssertExpectations(t)
 }
 
-func TestExtractTenantFromAuditEvent_WithUserExtra(t *testing.T) {
+func TestExtractTenantFromAuditEvent_NilResponseObject(t *testing.T) {
+	// No ResponseObject — should fall back to platform/platform.
 	event := &auditEvent{}
-	event.User = &struct {
-		Extra map[string][]string `json:"extra,omitempty"`
-	}{
-		Extra: map[string][]string{
-			"iam.miloapis.com/parent-type": {"Project"},
-			"iam.miloapis.com/parent-name": {"my-project"},
-		},
-	}
 
 	name, typ := extractTenantFromAuditEvent(event)
 
-	if name != "my-project" {
-		t.Errorf("tenantName: got %q, want %q", name, "my-project")
+	if name != "platform" {
+		t.Errorf("tenantName: got %q, want %q", name, "platform")
 	}
-	if typ != "Project" {
-		t.Errorf("tenantType: got %q, want %q", typ, "Project")
+	if typ != "platform" {
+		t.Errorf("tenantType: got %q, want %q", typ, "platform")
 	}
 }
 
-func TestExtractTenantFromAuditEvent_NoUserExtra(t *testing.T) {
-	event := &auditEvent{}
-	// User.Extra is nil by default.
+func TestExtractTenantFromAuditEvent_WithAnnotations(t *testing.T) {
+	// Both scope annotations present — should be extracted and type normalized to title-case.
+	event := &auditEvent{
+		ResponseObject: map[string]any{
+			"metadata": map[string]any{
+				"annotations": map[string]any{
+					ScopeTypeAnnotationKey: "project",
+					ScopeNameAnnotationKey: "my-project",
+				},
+			},
+		},
+	}
 
 	name, typ := extractTenantFromAuditEvent(event)
 
-	if name != "platform" {
-		t.Errorf("tenantName: got %q, want %q", name, "platform")
+	if name != "my-project" {
+		t.Errorf("tenantName: got %q, want %q", name, "my-project")
 	}
-	if typ != "platform" {
-		t.Errorf("tenantType: got %q, want %q", typ, "platform")
+	if typ != "Project" {
+		t.Errorf("tenantType: got %q, want %q", typ, "Project")
 	}
 }
 
-func TestExtractTenantFromAuditEvent_PartialUserExtra_TypeOnlyNoName(t *testing.T) {
-	// Only parent-type is set; parent-name is absent.
-	// Expect: tenantType reflects the extra field, tenantName falls back to "platform".
-	event := &auditEvent{}
-	event.User = &struct {
-		Extra map[string][]string `json:"extra,omitempty"`
-	}{
-		Extra: map[string][]string{
-			"iam.miloapis.com/parent-type": {"Project"},
+func TestExtractTenantFromAuditEvent_PartialAnnotations_TypeOnly(t *testing.T) {
+	// Only scope.type annotation is set; scope.name is absent.
+	// Expect: tenantType is extracted, tenantName falls back to "platform".
+	event := &auditEvent{
+		ResponseObject: map[string]any{
+			"metadata": map[string]any{
+				"annotations": map[string]any{
+					ScopeTypeAnnotationKey: "Project",
+				},
+			},
 		},
 	}
 
@@ -214,15 +217,13 @@ func TestExtractTenantFromAuditEvent_PartialUserExtra_TypeOnlyNoName(t *testing.
 	}
 }
 
-func TestExtractTenantFromAuditEvent_EmptySliceValues(t *testing.T) {
-	// Keys present but with empty slices should not override the defaults.
-	event := &auditEvent{}
-	event.User = &struct {
-		Extra map[string][]string `json:"extra,omitempty"`
-	}{
-		Extra: map[string][]string{
-			"iam.miloapis.com/parent-type": {},
-			"iam.miloapis.com/parent-name": {},
+func TestExtractTenantFromAuditEvent_NoAnnotations(t *testing.T) {
+	// ResponseObject present but no scope annotations — should fall back to platform/platform.
+	event := &auditEvent{
+		ResponseObject: map[string]any{
+			"metadata": map[string]any{
+				"name": "some-resource",
+			},
 		},
 	}
 
diff --git a/test/e2e/search-flow-multi-tenant-audit/chainsaw-test.yaml b/test/e2e/search-flow-multi-tenant-audit/chainsaw-test.yaml
@@ -100,13 +100,13 @@ spec:
               # user.extra carries iam.miloapis.com/parent-type and parent-name so the
               # indexer's extractTenantFromAuditEvent() will resolve the tenant as
               # type="Project", name="e2e-audit-test-project".
-              EVENT_A='{"auditID":"e2e-audit-project-event-001","verb":"create","objectRef":{"apiGroup":"rbac.authorization.k8s.io","apiVersion":"v1","resource":"rolebindings","name":"e2e-audit-project-role","namespace":"default","uid":"e2e-audit-project-uid-00000001"},"responseObject":{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"RoleBinding","metadata":{"name":"e2e-audit-project-role","namespace":"default","uid":"e2e-audit-project-uid-00000001","labels":{"e2e-multi-tenant-audit":"true"},"annotations":{"e2e.search.test/service":"audit-project-service-mt-rn2"}},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"Role","name":"view"},"subjects":[]},"user":{"extra":{"iam.miloapis.com/parent-type":["project"],"iam.miloapis.com/parent-name":["e2e-audit-test-project"]}}}'
+              EVENT_A='{"auditID":"e2e-audit-project-event-001","verb":"create","objectRef":{"apiGroup":"rbac.authorization.k8s.io","apiVersion":"v1","resource":"rolebindings","name":"e2e-audit-project-role","namespace":"default","uid":"e2e-audit-project-uid-00000001"},"responseObject":{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"RoleBinding","metadata":{"name":"e2e-audit-project-role","namespace":"default","uid":"e2e-audit-project-uid-00000001","labels":{"e2e-multi-tenant-audit":"true"},"annotations":{"e2e.search.test/service":"audit-project-service-mt-rn2","platform.miloapis.com/scope.type":"Project","platform.miloapis.com/scope.name":"e2e-audit-test-project"}},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"Role","name":"view"},"subjects":[]},"user":{"extra":{"iam.miloapis.com/parent-type":["project"],"iam.miloapis.com/parent-name":["e2e-audit-test-project"]}}}'
 
               # Event B: platform-tenant resource.
               # No "user" field at all — exercises the fallback path in
               # extractTenantFromAuditEvent() that returns "platform"/"platform"
               # when user.extra is nil.
-              EVENT_B='{"auditID":"e2e-audit-platform-event-001","verb":"create","objectRef":{"apiGroup":"rbac.authorization.k8s.io","apiVersion":"v1","resource":"rolebindings","name":"e2e-audit-platform-role","namespace":"default","uid":"e2e-audit-platform-uid-00000001"},"responseObject":{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"RoleBinding","metadata":{"name":"e2e-audit-platform-role","namespace":"default","uid":"e2e-audit-platform-uid-00000001","labels":{"e2e-multi-tenant-audit":"true"},"annotations":{"e2e.search.test/service":"audit-platform-service-mt-rn2"}},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"Role","name":"view"},"subjects":[]}}'
+              EVENT_B='{"auditID":"e2e-audit-platform-event-001","verb":"create","objectRef":{"apiGroup":"rbac.authorization.k8s.io","apiVersion":"v1","resource":"rolebindings","name":"e2e-audit-platform-role","namespace":"default","uid":"e2e-audit-platform-uid-00000001"},"responseObject":{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"RoleBinding","metadata":{"name":"e2e-audit-platform-role","namespace":"default","uid":"e2e-audit-platform-uid-00000001","labels":{"e2e-multi-tenant-audit":"true"},"annotations":{"e2e.search.test/service":"audit-platform-service-mt-rn2","platform.miloapis.com/scope.type":"platform","platform.miloapis.com/scope.name":"platform"}},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"Role","name":"view"},"subjects":[]}}'
 
               # Store event payloads in a ConfigMap so they can be mounted into the
               # Job container without shell escaping issues.
diff --git a/test/e2e/search-flow-multi-tenant/chainsaw-test.yaml b/test/e2e/search-flow-multi-tenant/chainsaw-test.yaml
@@ -94,11 +94,11 @@ spec:
               # Build event JSON with INDEX_NAME substituted.
               # SpecHash is intentionally omitted so the consumer skips the hash check.
               EVENT1=$(printf \
-                '{"id":"e2e-mt-project-resource-001","policyName":"e2e-multi-tenant-role-policy","indexName":"%s","tenant":"e2e-test-project","tenantType":"Project","resource":{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"name":"e2e-project-role","uid":"e2e-project-uid-00000001","labels":{"e2e-multi-tenant":"true"},"annotations":{"e2e.search.test/service":"project-service-mt-rn1"}},"rules":[{"apiGroups":[""],"resources":["pods"],"verbs":["get"]}]}}' \
+                '{"id":"e2e-mt-project-resource-001","policyName":"e2e-multi-tenant-role-policy","indexName":"%s","tenant":"e2e-test-project","tenantType":"Project","resource":{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"name":"e2e-project-role","uid":"e2e-project-uid-00000001","labels":{"e2e-multi-tenant":"true"},"annotations":{"e2e.search.test/service":"project-service-mt-rn1","platform.miloapis.com/scope.type":"Project","platform.miloapis.com/scope.name":"e2e-test-project"}},"rules":[{"apiGroups":[""],"resources":["pods"],"verbs":["get"]}]}}' \
                 "$INDEX_NAME")
 
               EVENT2=$(printf \
-                '{"id":"e2e-mt-platform-resource-001","policyName":"e2e-multi-tenant-role-policy","indexName":"%s","tenant":"platform","tenantType":"platform","resource":{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"name":"e2e-platform-role","uid":"e2e-platform-uid-00000001","labels":{"e2e-multi-tenant":"true"},"annotations":{"e2e.search.test/service":"platform-service-mt-rn1"}},"rules":[{"apiGroups":[""],"resources":["pods"],"verbs":["get"]}]}}' \
+                '{"id":"e2e-mt-platform-resource-001","policyName":"e2e-multi-tenant-role-policy","indexName":"%s","tenant":"platform","tenantType":"platform","resource":{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"name":"e2e-platform-role","uid":"e2e-platform-uid-00000001","labels":{"e2e-multi-tenant":"true"},"annotations":{"e2e.search.test/service":"platform-service-mt-rn1","platform.miloapis.com/scope.type":"platform","platform.miloapis.com/scope.name":"platform"}},"rules":[{"apiGroups":[""],"resources":["pods"],"verbs":["get"]}]}}' \
                 "$INDEX_NAME")
 
               # Store event payloads in a ConfigMap so they can be mounted into the
