update openapi spec and small fixes

Author: katieperry4

packages/maas/bff/internal/api/access_review_handler.go

@@ -56,6 +56,10 @@ func AccessReviewHandler(app *App, w http.ResponseWriter, r *http.Request, _ htt
 		app.badRequestResponse(w, r, err)
 		return
 	}
+	if request.Data.Resource == "" || request.Data.Verb == "" {
+		app.badRequestResponse(w, r, fmt.Errorf("resource and verb are required"))
+		return
+	}
 
 	client, err := k8s.NewTokenKubernetesClient(token, app.logger)
 	if err != nil {

packages/maas/bff/internal/api/app.go

@@ -34,7 +34,6 @@ const (
 	HealthCheckPath = "/healthcheck"
 	UserPath        = constants.ApiPathPrefix + "/user"
 	NamespacePath   = constants.ApiPathPrefix + "/namespaces"
-	IsMaasAdminPath = constants.ApiPathPrefix + "/is-maas-admin"
 )
 
 type App struct {
@@ -183,7 +182,8 @@ func (app *App) Routes() http.Handler {
 	attachSubscriptionHandlers(apiRouter, app)
 	attachMaaSModelRefHandlers(apiRouter, app)
 	apiRouter.GET(constants.ApiPathPrefix+"/models", handlerWithApp(app, ListModelsHandler))
-	apiRouter.GET(IsMaasAdminPath, handlerWithApp(app, IsMaasAdminHandler))
+	apiRouter.GET(constants.IsMaasAdminPath, handlerWithApp(app, IsMaasAdminHandler))
+	apiRouter.POST(constants.AccessReviewPath, handlerWithApp(app, AccessReviewHandler))
 
 	// Minimal Kubernetes-backed starter endpoints TODO: Remove?
 	apiRouter.GET(UserPath, app.UserHandler)

packages/maas/bff/internal/constants/api_routes.go

@@ -15,7 +15,8 @@ const (
 	APIKeyByIDPath       = ApiPathPrefix + "/api-keys/:id"
 
 	// Access review
-	IsMaasAdminPath = ApiPathPrefix + "/is-maas-admin"
+	IsMaasAdminPath  = ApiPathPrefix + "/is-maas-admin"
+	AccessReviewPath = ApiPathPrefix + "/access-review"
 
 	// Subscription routes
 	SubscriptionListPath     = ApiPathPrefix + "/all-subscriptions"

packages/maas/bff/openapi.yaml

@@ -55,6 +55,155 @@ paths:
         '500':
           description: Internal Server Error
 
+  /api/v1/is-maas-admin:
+    get:
+      summary: Check MaaS Admin Access
+      operationId: isMaasAdmin
+      description: >
+        Checks whether the requesting user has MaaS admin privileges by performing
+        a SelfSubjectAccessReview against the `maasauthpolicies` resource in the
+        `models-as-a-service` namespace. Returns `allowed: true` only for users
+        who can create MaaSAuthPolicy resources (i.e. cluster/MaaS admins).
+
+        Token resolution priority:
+
+        1. `Authorization: Bearer <token>` — used by the ODH dashboard backend;
+           correctly substituted with the impersonated user's token when the ODH
+           dev impersonation feature (`DEV_IMPERSONATE_USER`) is active.
+
+        2. `x-forwarded-access-token` — fallback for standalone federated dev mode
+           where the webpack proxy injects the real user's token directly.
+      responses:
+        '200':
+          description: Access check result
+          content:
+            application/json:
+              schema:
+                type: object
+                properties:
+                  data:
+                    type: object
+                    properties:
+                      allowed:
+                        type: boolean
+                        description: Whether the user has MaaS admin access
+                    required:
+                      - allowed
+              example:
+                data:
+                  allowed: true
+        '400':
+          description: Bad Request (missing authentication token)
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/ErrorResponse'
+        '500':
+          description: Internal Server Error
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/ErrorResponse'
+
+  /api/v1/access-review:
+    post:
+      summary: Generic Self-Subject Access Review
+      operationId: accessReview
+      description: >
+        Performs a SelfSubjectAccessReview for the requesting user against the
+        specified Kubernetes resource, group, and verb. Returns `allowed: true`
+        if the user has the requested permission.
+
+        Use this endpoint when you need a custom permission check beyond the
+        fixed MaaS-admin check provided by `/api/v1/is-maas-admin`.
+
+        Token resolution priority:
+
+        1. `Authorization: Bearer <token>` — used by the ODH dashboard backend;
+           correctly substituted with the impersonated user's token when the ODH
+           dev impersonation feature (`DEV_IMPERSONATE_USER`) is active.
+
+        2. `x-forwarded-access-token` — fallback for standalone federated dev mode
+           where the webpack proxy injects the real user's token directly.
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              type: object
+              required:
+                - data
+              properties:
+                data:
+                  type: object
+                  required:
+                    - resource
+                    - verb
+                  properties:
+                    group:
+                      type: string
+                      description: API group of the resource
+                      example: maas.opendatahub.io
+                    resource:
+                      type: string
+                      description: Resource type to check access for
+                      example: maasauthpolicies
+                    verb:
+                      type: string
+                      description: Action to check (e.g. get, list, create, patch, delete, *)
+                      example: create
+                    namespace:
+                      type: string
+                      description: Namespace scope for the check
+                      example: models-as-a-service
+            examples:
+              wildcard_admin_check:
+                summary: Check if user can do anything
+                value:
+                  data:
+                    group: ""
+                    resource: "*"
+                    verb: "*"
+              maas_admin_check:
+                summary: Check MaaS admin access explicitly
+                value:
+                  data:
+                    group: maas.opendatahub.io
+                    resource: maasauthpolicies
+                    verb: create
+                    namespace: models-as-a-service
+      responses:
+        '200':
+          description: Access check result
+          content:
+            application/json:
+              schema:
+                type: object
+                properties:
+                  data:
+                    type: object
+                    properties:
+                      allowed:
+                        type: boolean
+                        description: Whether the user has the requested access
+                    required:
+                      - allowed
+              example:
+                data:
+                  allowed: true
+        '400':
+          description: Bad Request (missing token or missing required fields)
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/ErrorResponse'
+        '500':
+          description: Internal Server Error
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/ErrorResponse'
+
   /api/v1/namespaces:
     get:
       summary: Get Namespaces

packages/maas/frontend/src/app/hooks/useIsMaasAdmin.ts

@@ -6,13 +6,13 @@ type IsMaasAdminResult = {
   allowed: boolean;
 };
 
-export const useIsMaasAdmin = (): [boolean, boolean] => {
+export const useIsMaasAdmin = (): [boolean, boolean, Error | undefined] => {
   const callback = React.useCallback<FetchStateCallbackPromise<IsMaasAdminResult>>(
     (opts: APIOptions) => getIsMaasAdmin()(opts),
     [],
   );
 
-  const [result, loaded] = useFetchState<IsMaasAdminResult>(callback, { allowed: false });
+  const [result, loaded, error] = useFetchState<IsMaasAdminResult>(callback, { allowed: false });
 
-  return [result.allowed, loaded];
+  return [result.allowed, loaded, error];
 };