Adding access checks to MaaS package

katieperry4 · katieperry4 · commit cee650874c96 · 2026-03-24T11:46:38.000-04:00
diff --git a/packages/maas/bff/internal/api/access_review_handler.go b/packages/maas/bff/internal/api/access_review_handler.go
@@ -0,0 +1,79 @@
+package api
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"strings"
+
+	"github.com/julienschmidt/httprouter"
+	k8s "github.com/opendatahub-io/maas-library/bff/internal/integrations/kubernetes"
+)
+
+type AccessReviewRequest struct {
+	Group     string `json:"group"`
+	Resource  string `json:"resource"`
+	Verb      string `json:"verb"`
+	Namespace string `json:"namespace,omitempty"`
+}
+
+type AccessReviewResult struct {
+	Allowed bool `json:"allowed"`
+}
+
+// extractBearerToken returns the token from an Authorization: Bearer <token> header value,
+// or an empty string if the value is not a Bearer token.
+func extractBearerToken(authHeader string) string {
+	if strings.HasPrefix(authHeader, "Bearer ") {
+		return strings.TrimPrefix(authHeader, "Bearer ")
+	}
+	return ""
+}
+
+// AccessReviewHandler handles POST /api/v1/access-review
+// It performs a SelfSubjectAccessReview via the BFF's Kubernetes client.
+//
+// Token selection (in priority order):
+//  1. Authorization: Bearer <token> — set by the ODH dashboard backend, and correctly
+//     substituted with the impersonated user's token when using the ODH dev impersonation
+//     feature (DEV_IMPERSONATE_USER). This ensures the SSAR evaluates the right identity.
+//  2. x-forwarded-access-token — fallback for standalone federated dev mode where the
+//     webpack proxy injects the real user's token directly.
+func AccessReviewHandler(app *App, w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
+	ctx := r.Context()
+
+	token := extractBearerToken(r.Header.Get("Authorization"))
+	if token == "" {
+		token = r.Header.Get("x-forwarded-access-token")
+	}
+	if token == "" {
+		app.badRequestResponse(w, r, fmt.Errorf("no authentication token found in Authorization or x-forwarded-access-token headers"))
+		return
+	}
+
+	var request Envelope[AccessReviewRequest, None]
+	if err := json.NewDecoder(r.Body).Decode(&request); err != nil {
+		app.badRequestResponse(w, r, err)
+		return
+	}
+
+	client, err := k8s.NewTokenKubernetesClient(token, app.logger)
+	if err != nil {
+		app.serverErrorResponse(w, r, fmt.Errorf("failed to create Kubernetes client: %w", err))
+		return
+	}
+
+	allowed, err := client.CheckSelfAccess(ctx, request.Data.Group, request.Data.Resource, request.Data.Verb, request.Data.Namespace)
+	if err != nil {
+		app.serverErrorResponse(w, r, err)
+		return
+	}
+
+	responseEnvelope := Envelope[AccessReviewResult, None]{
+		Data: AccessReviewResult{Allowed: allowed},
+	}
+
+	if err := app.WriteJSON(w, http.StatusOK, responseEnvelope, nil); err != nil {
+		app.serverErrorResponse(w, r, err)
+	}
+}
diff --git a/packages/maas/bff/internal/api/app.go b/packages/maas/bff/internal/api/app.go
@@ -34,6 +34,7 @@ const (
 	HealthCheckPath = "/healthcheck"
 	UserPath        = constants.ApiPathPrefix + "/user"
 	NamespacePath   = constants.ApiPathPrefix + "/namespaces"
+	IsMaasAdminPath = constants.ApiPathPrefix + "/is-maas-admin"
 )
 
 type App struct {
@@ -182,6 +183,7 @@ func (app *App) Routes() http.Handler {
 	attachSubscriptionHandlers(apiRouter, app)
 	attachMaaSModelRefHandlers(apiRouter, app)
 	apiRouter.GET(constants.ApiPathPrefix+"/models", handlerWithApp(app, ListModelsHandler))
+	apiRouter.GET(IsMaasAdminPath, handlerWithApp(app, IsMaasAdminHandler))
 
 	// Minimal Kubernetes-backed starter endpoints TODO: Remove?
 	apiRouter.GET(UserPath, app.UserHandler)
diff --git a/packages/maas/bff/internal/api/is_maas_admin_handler.go b/packages/maas/bff/internal/api/is_maas_admin_handler.go
@@ -0,0 +1,56 @@
+package api
+
+import (
+	"fmt"
+	"net/http"
+
+	"github.com/julienschmidt/httprouter"
+	k8s "github.com/opendatahub-io/maas-library/bff/internal/integrations/kubernetes"
+)
+
+const (
+	maasAdminGroup     = "maas.opendatahub.io"
+	maasAdminResource  = "maasauthpolicies"
+	maasAdminVerb      = "create"
+	maasAdminNamespace = "models-as-a-service"
+)
+
+// IsMaasAdminHandler handles GET /api/v1/is-maas-admin
+// It checks whether the requesting user can create maasauthpolicies in the
+// models-as-a-service namespace, which is the signal for MaaS admin access.
+//
+// Token selection follows the same priority as AccessReviewHandler:
+//  1. Authorization: Bearer <token> — correctly substituted when using ODH impersonation
+//  2. x-forwarded-access-token — fallback for standalone federated dev mode
+func IsMaasAdminHandler(app *App, w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
+	ctx := r.Context()
+
+	token := extractBearerToken(r.Header.Get("Authorization"))
+	if token == "" {
+		token = r.Header.Get("x-forwarded-access-token")
+	}
+	if token == "" {
+		app.badRequestResponse(w, r, fmt.Errorf("no authentication token found in Authorization or x-forwarded-access-token headers"))
+		return
+	}
+
+	client, err := k8s.NewTokenKubernetesClient(token, app.logger)
+	if err != nil {
+		app.serverErrorResponse(w, r, fmt.Errorf("failed to create Kubernetes client: %w", err))
+		return
+	}
+
+	allowed, err := client.CheckSelfAccess(ctx, maasAdminGroup, maasAdminResource, maasAdminVerb, maasAdminNamespace)
+	if err != nil {
+		app.serverErrorResponse(w, r, err)
+		return
+	}
+
+	responseEnvelope := Envelope[AccessReviewResult, None]{
+		Data: AccessReviewResult{Allowed: allowed},
+	}
+
+	if err := app.WriteJSON(w, http.StatusOK, responseEnvelope, nil); err != nil {
+		app.serverErrorResponse(w, r, err)
+	}
+}
diff --git a/packages/maas/bff/internal/constants/api_routes.go b/packages/maas/bff/internal/constants/api_routes.go
@@ -14,6 +14,9 @@ const (
 	APIKeyBulkRevokePath = ApiPathPrefix + "/api-keys/bulk-revoke"
 	APIKeyByIDPath       = ApiPathPrefix + "/api-keys/:id"
 
+	// Access review
+	IsMaasAdminPath = ApiPathPrefix + "/is-maas-admin"
+
 	// Subscription routes
 	SubscriptionListPath     = ApiPathPrefix + "/all-subscriptions"
 	SubscriptionInfoPath     = ApiPathPrefix + "/subscription-info/:name"
diff --git a/packages/maas/bff/internal/integrations/kubernetes/client.go b/packages/maas/bff/internal/integrations/kubernetes/client.go
@@ -17,4 +17,5 @@ type KubernetesClientInterface interface {
 	GetNamespaces(ctx context.Context, identity *RequestIdentity) ([]corev1.Namespace, error)
 	IsClusterAdmin(identity *RequestIdentity) (bool, error)
 	GetUser(identity *RequestIdentity) (string, error)
+	CheckSelfAccess(ctx context.Context, group, resource, verb, namespace string) (bool, error)
 }
diff --git a/packages/maas/bff/internal/integrations/kubernetes/factory.go b/packages/maas/bff/internal/integrations/kubernetes/factory.go
@@ -159,5 +159,5 @@ func (f *TokenClientFactory) GetClient(ctx context.Context) (KubernetesClientInt
 		return nil, fmt.Errorf("invalid or missing identity token")
 	}
 
-	return newTokenKubernetesClient(identity.Token, f.Logger)
+	return NewTokenKubernetesClient(identity.Token, f.Logger)
 }
diff --git a/packages/maas/bff/internal/integrations/kubernetes/internal_k8s_client.go b/packages/maas/bff/internal/integrations/kubernetes/internal_k8s_client.go
@@ -218,6 +218,30 @@ func (kc *InternalKubernetesClient) IsClusterAdmin(identity *RequestIdentity) (b
 	return false, nil
 }
 
+func (kc *InternalKubernetesClient) CheckSelfAccess(ctx context.Context, group, resource, verb, namespace string) (bool, error) {
+	ctx, cancel := context.WithTimeout(ctx, 10*time.Second)
+	defer cancel()
+
+	sar := &authv1.SelfSubjectAccessReview{
+		Spec: authv1.SelfSubjectAccessReviewSpec{
+			ResourceAttributes: &authv1.ResourceAttributes{
+				Group:     group,
+				Resource:  resource,
+				Verb:      verb,
+				Namespace: namespace,
+			},
+		},
+	}
+
+	resp, err := kc.Client.AuthorizationV1().SelfSubjectAccessReviews().Create(ctx, sar, metav1.CreateOptions{})
+	if err != nil {
+		kc.Logger.Error("failed to perform access review", "error", err)
+		return false, fmt.Errorf("failed to perform access review: %w", err)
+	}
+
+	return resp.Status.Allowed, nil
+}
+
 func (kc *InternalKubernetesClient) GetUser(identity *RequestIdentity) (string, error) {
 	// On internal client, we can use the identity from request directly
 	return identity.UserID, nil
diff --git a/packages/maas/bff/internal/integrations/kubernetes/token_k8s_client.go b/packages/maas/bff/internal/integrations/kubernetes/token_k8s_client.go
@@ -54,8 +54,8 @@ func (kc *TokenKubernetesClient) IsClusterAdmin(_ *RequestIdentity) (bool, error
 	return true, nil
 }
 
-// newTokenKubernetesClient creates a Kubernetes client using a user bearer token.
-func newTokenKubernetesClient(token string, logger *slog.Logger) (KubernetesClientInterface, error) {
+// NewTokenKubernetesClient creates a Kubernetes client using a user bearer token.
+func NewTokenKubernetesClient(token string, logger *slog.Logger) (KubernetesClientInterface, error) {
 	baseConfig, err := helper.GetKubeconfig()
 	if err != nil {
 		logger.Error("failed to get kubeconfig", "error", err)
@@ -171,6 +171,30 @@ func (kc *TokenKubernetesClient) GetNamespaces(ctx context.Context, _ *RequestId
 	return nsList.Items, nil
 }
 
+func (kc *TokenKubernetesClient) CheckSelfAccess(ctx context.Context, group, resource, verb, namespace string) (bool, error) {
+	ctx, cancel := context.WithTimeout(ctx, 10*time.Second)
+	defer cancel()
+
+	sar := &authv1.SelfSubjectAccessReview{
+		Spec: authv1.SelfSubjectAccessReviewSpec{
+			ResourceAttributes: &authv1.ResourceAttributes{
+				Group:     group,
+				Resource:  resource,
+				Verb:      verb,
+				Namespace: namespace,
+			},
+		},
+	}
+
+	resp, err := kc.Client.AuthorizationV1().SelfSubjectAccessReviews().Create(ctx, sar, metav1.CreateOptions{})
+	if err != nil {
+		kc.Logger.Error("failed to perform access review", "error", err)
+		return false, fmt.Errorf("failed to perform access review: %w", err)
+	}
+
+	return resp.Status.Allowed, nil
+}
+
 func (kc *TokenKubernetesClient) GetUser(_ *RequestIdentity) (string, error) {
 	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
 	defer cancel()
diff --git a/packages/maas/frontend/config/webpack.dev.js b/packages/maas/frontend/config/webpack.dev.js
@@ -46,7 +46,6 @@ const getProxyHeaders = () => {
         .trim();
       console.info('Logged in as user:', username);
       return {
-        Authorization: `Bearer ${token}`,
         'x-forwarded-access-token': token,
       };
     } catch (error) {
diff --git a/packages/maas/frontend/src/app/api/k8s.ts b/packages/maas/frontend/src/app/api/k8s.ts
@@ -31,3 +31,22 @@ export const getNamespaces =
       }
       throw new Error('Invalid response format');
     });
+
+type IsMaasAdminResult = {
+  allowed: boolean;
+};
+
+const isIsMaasAdminResult = (v: unknown): v is IsMaasAdminResult =>
+  !!v && typeof v === 'object' && typeof (v as Record<string, unknown>).allowed === 'boolean';
+
+export const getIsMaasAdmin =
+  (hostPath = '') =>
+  (opts: APIOptions): Promise<IsMaasAdminResult> =>
+    handleRestFailures(
+      restGET(hostPath, `${URL_PREFIX}/api/${BFF_API_VERSION}/is-maas-admin`, {}, opts),
+    ).then((response) => {
+      if (isModArchResponse<unknown>(response) && isIsMaasAdminResult(response.data)) {
+        return response.data;
+      }
+      throw new Error('Invalid response format');
+    });
diff --git a/packages/maas/frontend/src/app/hooks/useIsMaasAdmin.ts b/packages/maas/frontend/src/app/hooks/useIsMaasAdmin.ts
@@ -0,0 +1,18 @@
+import React from 'react';
+import { type APIOptions, type FetchStateCallbackPromise, useFetchState } from 'mod-arch-core';
+import { getIsMaasAdmin } from '~/app/api/k8s';
+
+type IsMaasAdminResult = {
+  allowed: boolean;
+};
+
+export const useIsMaasAdmin = (): [boolean, boolean] => {
+  const callback = React.useCallback<FetchStateCallbackPromise<IsMaasAdminResult>>(
+    (opts: APIOptions) => getIsMaasAdmin()(opts),
+    [],
+  );
+
+  const [result, loaded] = useFetchState<IsMaasAdminResult>(callback, { allowed: false });
+
+  return [result.allowed, loaded];
+};
diff --git a/packages/maas/frontend/src/app/pages/api-keys/AllApiKeysPage.tsx b/packages/maas/frontend/src/app/pages/api-keys/AllApiKeysPage.tsx
@@ -4,6 +4,7 @@ import { PlusIcon } from '@patternfly/react-icons';
 import React from 'react';
 import { useFetchApiKeys } from '~/app/hooks/useFetchApiKeys';
 import { APIKey } from '~/app/types/api-key';
+import { useIsMaasAdmin } from '~/app/hooks/useIsMaasAdmin';
 import CreateApiKeyModal from './CreateApiKeyModal';
 import ApiKeysTable from './allKeys/ApiKeysTable';
 import EmptyApiKeysPage from './EmptyApiKeysPage';
@@ -15,6 +16,10 @@ const AllApiKeysPage: React.FC = () => {
   const [isModalOpen, setIsModalOpen] = React.useState(false);
   const [revokeApiKey, setRevokeApiKey] = React.useState<APIKey | undefined>(undefined);
 
+  // TODO: use this for hiding the username search for non-admins and for allowing admins to see all keys
+  // eslint-disable-next-line @typescript-eslint/no-unused-vars
+  const [isMaasAdmin] = useIsMaasAdmin();
+
   const activeApiKeys = apiKeys.filter((apiKey) => apiKey.status === 'active');
 
   return (

Original file line number	Diff line number	Diff line change
`@@ -17,4 +17,5 @@ type KubernetesClientInterface interface {`
`17`	`17`	`GetNamespaces(ctx context.Context, identity *RequestIdentity) ([]corev1.Namespace, error)`
`18`	`18`	`IsClusterAdmin(identity *RequestIdentity) (bool, error)`
`19`	`19`	`GetUser(identity *RequestIdentity) (string, error)`
	`20`	`+ CheckSelfAccess(ctx context.Context, group, resource, verb, namespace string) (bool, error)`
`20`	`21`	`}`
Original file line number	Diff line number	Diff line change
`@@ -159,5 +159,5 @@ func (f *TokenClientFactory) GetClient(ctx context.Context) (KubernetesClientInt`
`159`	`159`	`return nil, fmt.Errorf("invalid or missing identity token")`
`160`	`160`	`}`
`161`	`161`
`162`		`- return newTokenKubernetesClient(identity.Token, f.Logger)`
	`162`	`+ return NewTokenKubernetesClient(identity.Token, f.Logger)`
`163`	`163`	`}`