fix(provisioning): address service principal review findings

Author: onutc

api/acp_conversations.go

@@ -48,7 +48,7 @@ func (s *server) listACPConversations(c echo.Context) error {
 	if spritzName != "" {
 		labels[acpConversationSpritzLabelKey] = spritzName
 	}
-	if s.auth.enabled() {
+	if s.auth.enabled() && !principal.isAdminPrincipal() {
 		labels[acpConversationOwnerLabelKey] = ownerLabelValue(principal.ID)
 	}
 	opts = append(opts, client.MatchingLabels(labels))

api/acp_test.go

@@ -12,6 +12,7 @@ import (
 
 	"github.com/gorilla/websocket"
 	"github.com/labstack/echo/v4"
+	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -26,6 +27,9 @@ func newACPTestScheme(t *testing.T) *runtime.Scheme {
 	if err := spritzv1.AddToScheme(scheme); err != nil {
 		t.Fatalf("failed to register spritz scheme: %v", err)
 	}
+	if err := corev1.AddToScheme(scheme); err != nil {
+		t.Fatalf("failed to register core scheme: %v", err)
+	}
 	return scheme
 }
 
@@ -428,6 +432,41 @@ func TestListAndPatchACPConversationsByID(t *testing.T) {
 	}
 }
 
+func TestListACPConversationsAllowsAdminToSeeAllOwners(t *testing.T) {
+	now := metav1.Now()
+	spritz := readyACPSpritz("tidy-otter", "user-1")
+	ownerOne := conversationFor("tidy-otter-user-1", "tidy-otter", "user-1", "Owner one", now)
+	ownerTwo := conversationFor("tidy-otter-user-2", "tidy-otter", "user-2", "Owner two", now)
+
+	s := newACPTestServer(t, spritz, ownerOne, ownerTwo)
+	s.auth.adminIDs = map[string]struct{}{"admin-1": {}}
+	e := echo.New()
+	secured := e.Group("", s.authMiddleware())
+	secured.GET("/api/acp/conversations", s.listACPConversations)
+
+	req := httptest.NewRequest(http.MethodGet, "/api/acp/conversations?spritz=tidy-otter", nil)
+	req.Header.Set("X-Spritz-User-Id", "admin-1")
+	rec := httptest.NewRecorder()
+	e.ServeHTTP(rec, req)
+
+	if rec.Code != http.StatusOK {
+		t.Fatalf("expected status 200, got %d: %s", rec.Code, rec.Body.String())
+	}
+
+	var payload struct {
+		Status string `json:"status"`
+		Data   struct {
+			Items []spritzv1.SpritzConversation `json:"items"`
+		} `json:"data"`
+	}
+	if err := json.Unmarshal(rec.Body.Bytes(), &payload); err != nil {
+		t.Fatalf("failed to decode list response: %v", err)
+	}
+	if len(payload.Data.Items) != 2 {
+		t.Fatalf("expected 2 visible conversations for admin, got %d", len(payload.Data.Items))
+	}
+}
+
 func TestPatchACPConversationRejectsSessionIDMutation(t *testing.T) {
 	spritz := readyACPSpritz("tidy-otter", "user-1")
 	conversation := conversationFor("tidy-otter-new", "tidy-otter", "user-1", "Latest", metav1.Now())

api/auth.go

@@ -231,7 +231,7 @@ func (a *authConfig) principal(r *http.Request) (principal, error) {
 			id,
 			"",
 			normalizePrincipalType(r.Header.Get(a.headerType), a.headerDefaultType),
-			splitList(r.Header.Get(a.headerScopes)),
+			splitScopes(r.Header.Get(a.headerScopes)),
 			a.isAdmin(id, teams),
 		), nil
 	case authModeAuto:
@@ -246,7 +246,7 @@ func (a *authConfig) principal(r *http.Request) (principal, error) {
 				id,
 				"",
 				normalizePrincipalType(r.Header.Get(a.headerType), a.headerDefaultType),
-				splitList(r.Header.Get(a.headerScopes)),
+				splitScopes(r.Header.Get(a.headerScopes)),
 				a.isAdmin(id, teams),
 			), nil
 		}
@@ -348,7 +348,7 @@ func (a *authConfig) introspectToken(ctx context.Context, token string) (princip
 		firstStringPath(payload, []string{"sub"}),
 		firstStringPath(payload, []string{"iss", "issuer"}),
 		normalizePrincipalType(firstStringPath(payload, a.bearerTypePaths), a.bearerDefaultType),
-		firstStringListPath(payload, a.bearerScopesPaths),
+		firstScopeListPath(payload, a.bearerScopesPaths),
 		a.isAdmin(id, teams),
 	), nil
 }
@@ -434,7 +434,7 @@ func (a *authConfig) principalFromJWT(ctx context.Context, token string) (princi
 		firstStringPath(claims, []string{"sub"}),
 		firstStringPath(claims, []string{"iss", "issuer"}),
 		normalizePrincipalType(firstStringPath(claims, a.bearerTypePaths), a.bearerDefaultType),
-		firstStringListPath(claims, a.bearerScopesPaths),
+		firstScopeListPath(claims, a.bearerScopesPaths),
 		a.isAdmin(id, teams),
 	), nil
 }
@@ -602,6 +602,23 @@ func splitList(value string) []string {
 	return out
 }
 
+func splitScopes(value string) []string {
+	if value == "" {
+		return nil
+	}
+	raw := strings.FieldsFunc(value, func(r rune) bool {
+		return r == ',' || r == ';' || r == ' ' || r == '\n' || r == '\r' || r == '\t'
+	})
+	out := make([]string, 0, len(raw))
+	for _, item := range raw {
+		item = strings.TrimSpace(item)
+		if item != "" {
+			out = append(out, item)
+		}
+	}
+	return out
+}
+
 func splitListOrDefault(value string, fallback []string) []string {
 	items := splitList(value)
 	if len(items) == 0 {
@@ -724,6 +741,32 @@ func firstStringListPath(payload map[string]any, paths []string) []string {
 	return nil
 }
 
+func firstScopeListPath(payload map[string]any, paths []string) []string {
+	for _, path := range paths {
+		value, ok := lookupPath(payload, path)
+		if !ok {
+			continue
+		}
+		switch typed := value.(type) {
+		case []string:
+			return typed
+		case []any:
+			items := make([]string, 0, len(typed))
+			for _, item := range typed {
+				if s, ok := item.(string); ok && s != "" {
+					items = append(items, s)
+				}
+			}
+			if len(items) > 0 {
+				return items
+			}
+		case string:
+			return splitScopes(typed)
+		}
+	}
+	return nil
+}
+
 func lookupPath(payload map[string]any, path string) (any, bool) {
 	path = strings.TrimSpace(path)
 	if path == "" {

api/auth_middleware_test.go

@@ -126,3 +126,55 @@ func TestAuthMiddlewareSetsPrincipalTypeAndScopes(t *testing.T) {
 		t.Fatalf("expected two scopes, got %#v", payload["scopes"])
 	}
 }
+
+func TestBearerAuthParsesSpaceDelimitedScopes(t *testing.T) {
+	introspection := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		_ = json.NewEncoder(w).Encode(map[string]any{
+			"sub":   "zenobot",
+			"type":  "service",
+			"scope": "spritz.instances.create spritz.instances.assign_owner",
+		})
+	}))
+	defer introspection.Close()
+
+	t.Setenv("SPRITZ_AUTH_MODE", "bearer")
+	t.Setenv("SPRITZ_AUTH_BEARER_INTROSPECTION_URL", introspection.URL)
+	t.Setenv("SPRITZ_AUTH_BEARER_ID_PATHS", "sub")
+	t.Setenv("SPRITZ_AUTH_BEARER_TYPE_PATHS", "type")
+	t.Setenv("SPRITZ_AUTH_BEARER_SCOPES_PATHS", "scope")
+
+	s := &server{auth: newAuthConfig()}
+	e := echo.New()
+	secured := e.Group("", s.authMiddleware())
+	secured.GET("/api/spritzes", func(c echo.Context) error {
+		p, ok := principalFromContext(c)
+		if !ok {
+			return c.JSON(http.StatusInternalServerError, map[string]string{"error": "missing principal"})
+		}
+		return c.JSON(http.StatusOK, map[string]any{
+			"type":   p.Type,
+			"scopes": p.Scopes,
+		})
+	})
+
+	req := httptest.NewRequest(http.MethodGet, "/api/spritzes", nil)
+	req.Header.Set("Authorization", "Bearer test-token")
+	rec := httptest.NewRecorder()
+	e.ServeHTTP(rec, req)
+
+	if rec.Code != http.StatusOK {
+		t.Fatalf("expected 200, got %d: %s", rec.Code, rec.Body.String())
+	}
+
+	payload := map[string]any{}
+	if err := json.Unmarshal(rec.Body.Bytes(), &payload); err != nil {
+		t.Fatalf("failed to decode response: %v", err)
+	}
+	if payload["type"] != string(principalTypeService) {
+		t.Fatalf("expected service principal type, got %#v", payload["type"])
+	}
+	scopes, _ := payload["scopes"].([]any)
+	if len(scopes) != 2 {
+		t.Fatalf("expected two scopes, got %#v", payload["scopes"])
+	}
+}

api/main.go

@@ -379,15 +379,45 @@ func (s *server) createSpritz(c echo.Context) error {
 	}
 	body.Spec.Owner = owner
 
+	nameProvided := body.Name != ""
+	var nameGenerator func() string
+	namePrefix := resolveSpritzNamePrefix(body.NamePrefix, body.Spec.Image)
+	if namePrefix == "" && preset != nil {
+		namePrefix = resolveSpritzNamePrefix(preset.NamePrefix, preset.Image)
+	}
+	if !nameProvided {
+		generator, err := s.newSpritzNameGenerator(c.Request().Context(), namespace, namePrefix)
+		if err != nil {
+			return writeError(c, http.StatusInternalServerError, "failed to generate spritz name")
+		}
+		nameGenerator = generator
+		body.Name = nameGenerator()
+	}
+	if body.Name == "" {
+		return writeError(c, http.StatusInternalServerError, "failed to generate spritz name")
+	}
+
 	if principal.isService() {
-		fingerprint, err := s.validateProvisionerCreate(c.Request().Context(), principal, namespace, &body, normalizedUserConfig, requestedImage, requestedRepo, requestedNamespace)
+		fingerprintName := body.Name
+		if !nameProvided {
+			fingerprintName = ""
+		}
+		fingerprint, err := s.validateProvisionerCreate(c.Request().Context(), principal, namespace, &body, normalizedUserConfig, requestedImage, requestedRepo, requestedNamespace, fingerprintName)
 		if err != nil {
 			if errors.Is(err, errForbidden) {
 				return writeError(c, http.StatusForbidden, "forbidden")
 			}
 			return writeError(c, http.StatusBadRequest, err.Error())
 		}
-		existing, err := findIdempotentSpritz(c.Request().Context(), s.client, namespace, principal.ID, body.IdempotencyKey)
+		reservedName, completed, err := s.reserveIdempotentCreateName(c.Request().Context(), namespace, principal, body.IdempotencyKey, fingerprint, body.Name)
+		if err != nil {
+			if strings.Contains(err.Error(), "idempotencyKey already used") {
+				return writeError(c, http.StatusConflict, err.Error())
+			}
+			return writeError(c, http.StatusInternalServerError, err.Error())
+		}
+		body.Name = reservedName
+		existing, err := s.findReservedSpritz(c.Request().Context(), namespace, reservedName)
 		if err != nil {
 			return writeError(c, http.StatusInternalServerError, err.Error())
 		}
@@ -397,12 +427,18 @@ func (s *server) createSpritz(c echo.Context) error {
 			}
 			return writeJSON(c, http.StatusOK, summarizeCreateResponse(existing, principal, body.PresetID, provisionerSource(&body), body.IdempotencyKey, true))
 		}
+		if completed {
+			return writeError(c, http.StatusConflict, "idempotencyKey already used")
+		}
+		if err := s.enforceProvisionerQuotas(c.Request().Context(), namespace, principal, body.Spec.Owner.ID); err != nil {
+			return writeError(c, http.StatusBadRequest, err.Error())
+		}
 		body.Annotations = mergeStringMap(body.Annotations, map[string]string{
-			actorIDAnnotationKey:        principal.ID,
-			actorTypeAnnotationKey:      string(principal.Type),
-			sourceAnnotationKey:         provisionerSource(&body),
-			requestIDAnnotationKey:      body.RequestID,
-			idempotencyKeyAnnotationKey: body.IdempotencyKey,
+			actorIDAnnotationKey:         principal.ID,
+			actorTypeAnnotationKey:       string(principal.Type),
+			sourceAnnotationKey:          provisionerSource(&body),
+			requestIDAnnotationKey:       body.RequestID,
+			idempotencyKeyAnnotationKey:  body.IdempotencyKey,
 			idempotencyHashAnnotationKey: fingerprint,
 		})
 	} else if s.auth.enabled() && !principal.isAdminPrincipal() && owner.ID != principal.ID {
@@ -413,24 +449,6 @@ func (s *server) createSpritz(c echo.Context) error {
 		return writeError(c, http.StatusBadRequest, err.Error())
 	}
 
-	nameProvided := body.Name != ""
-	var nameGenerator func() string
-	if !nameProvided {
-		namePrefix := resolveSpritzNamePrefix(body.NamePrefix, body.Spec.Image)
-		if namePrefix == "" && preset != nil {
-			namePrefix = resolveSpritzNamePrefix(preset.NamePrefix, preset.Image)
-		}
-		generator, err := s.newSpritzNameGenerator(c.Request().Context(), namespace, namePrefix)
-		if err != nil {
-			return writeError(c, http.StatusInternalServerError, "failed to generate spritz name")
-		}
-		nameGenerator = generator
-		body.Name = nameGenerator()
-	}
-	if body.Name == "" {
-		return writeError(c, http.StatusInternalServerError, "failed to generate spritz name")
-	}
-
 	labels := map[string]string{
 		ownerLabelKey: ownerLabelValue(owner.ID),
 	}
@@ -508,11 +526,26 @@ func (s *server) createSpritz(c echo.Context) error {
 			return writeError(c, http.StatusBadRequest, err.Error())
 		}
 		if err := s.client.Create(c.Request().Context(), spritz); err != nil {
+			if principal.isService() && apierrors.IsAlreadyExists(err) {
+				existing, getErr := s.findReservedSpritz(c.Request().Context(), namespace, name)
+				if getErr != nil {
+					return writeError(c, http.StatusInternalServerError, getErr.Error())
+				}
+				if existing != nil && strings.TrimSpace(existing.Annotations[idempotencyHashAnnotationKey]) == strings.TrimSpace(annotations[idempotencyHashAnnotationKey]) {
+					return writeJSON(c, http.StatusOK, summarizeCreateResponse(existing, principal, body.PresetID, provisionerSource(&body), body.IdempotencyKey, true))
+				}
+				return writeError(c, http.StatusConflict, "idempotencyKey already used with a different request")
+			}
 			if !nameProvided && apierrors.IsAlreadyExists(err) {
 				continue
 			}
 			return writeError(c, http.StatusInternalServerError, err.Error())
 		}
+		if principal.isService() {
+			if err := s.completeIdempotencyReservation(c.Request().Context(), namespace, principal.ID, body.IdempotencyKey, spritz); err != nil {
+				return writeError(c, http.StatusInternalServerError, err.Error())
+			}
+		}
 		return writeJSON(c, http.StatusCreated, summarizeCreateResponse(spritz, principal, body.PresetID, provisionerSource(&body), body.IdempotencyKey, false))
 	}