fix(provisioning): scope reservations to control namespace

Author: onutc

api/main.go

@@ -34,6 +34,7 @@ type server struct {
 	restConfig           *rest.Config
 	scheme               *runtime.Scheme
 	namespace            string
+	controlNamespace     string
 	auth                 authConfig
 	internalAuth         internalAuthConfig
 	ingressDefaults      ingressDefaults
@@ -68,6 +69,16 @@ func main() {
 		os.Exit(1)
 	}
 	ns := os.Getenv("SPRITZ_NAMESPACE")
+	controlNamespace := strings.TrimSpace(os.Getenv("SPRITZ_CONTROL_NAMESPACE"))
+	if controlNamespace == "" {
+		controlNamespace = strings.TrimSpace(os.Getenv("POD_NAMESPACE"))
+	}
+	if controlNamespace == "" {
+		controlNamespace = strings.TrimSpace(ns)
+	}
+	if controlNamespace == "" {
+		controlNamespace = "default"
+	}
 	{
 		ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 		defer cancel()
@@ -129,6 +140,7 @@ func main() {
 		restConfig:        cfg,
 		scheme:            scheme,
 		namespace:         ns,
+		controlNamespace:  controlNamespace,
 		auth:              auth,
 		internalAuth:      internalAuth,
 		ingressDefaults:   ingressDefaults,
@@ -265,6 +277,17 @@ func (s *server) resolveSpritzNamespace(requested string) (string, error) {
 	return namespace, nil
 }
 
+func (s *server) namespaceOverrideRequested(requested, resolved string) bool {
+	requested = strings.TrimSpace(requested)
+	if requested == "" {
+		return false
+	}
+	if strings.TrimSpace(s.namespace) == "" {
+		return true
+	}
+	return requested != strings.TrimSpace(resolved)
+}
+
 func (s *server) listPresets(c echo.Context) error {
 	principal, ok := principalFromContext(c)
 	if s.auth.enabled() && (!ok || principal.ID == "") {
@@ -388,8 +411,7 @@ func (s *server) createSpritz(c echo.Context) error {
 	if err != nil {
 		return writeError(c, http.StatusForbidden, err.Error())
 	}
-	requestedNamespaceValue := strings.TrimSpace(body.Namespace)
-	requestedNamespace := requestedNamespaceValue != "" && requestedNamespaceValue != namespace
+	requestedNamespace := s.namespaceOverrideRequested(body.Namespace, namespace)
 
 	owner, err := normalizeCreateOwner(&body, principal, s.auth.enabled())
 	if err != nil {
@@ -570,7 +592,7 @@ func (s *server) createSpritz(c echo.Context) error {
 			return writeError(c, http.StatusInternalServerError, err.Error())
 		}
 		if principal.isService() {
-			if err := s.completeIdempotencyReservation(c.Request().Context(), namespace, principal.ID, body.IdempotencyKey, spritz); err != nil {
+			if err := s.completeIdempotencyReservation(c.Request().Context(), principal.ID, body.IdempotencyKey, spritz); err != nil {
 				return writeError(c, http.StatusInternalServerError, err.Error())
 			}
 		}

api/main_create_owner_test.go

@@ -38,9 +38,10 @@ func newCreateSpritzTestServer(t *testing.T) *server {
 	t.Helper()
 	scheme := newTestSpritzScheme(t)
 	return &server{
-		client:    fake.NewClientBuilder().WithScheme(scheme).Build(),
-		scheme:    scheme,
-		namespace: "spritz-test",
+		client:           fake.NewClientBuilder().WithScheme(scheme).Build(),
+		scheme:           scheme,
+		namespace:        "spritz-test",
+		controlNamespace: "spritz-test",
 		auth: authConfig{
 			mode:              authModeHeader,
 			headerID:          "X-Spritz-User-Id",
@@ -758,6 +759,78 @@ func TestCreateSpritzAllowsProvisionerCurrentNamespaceWithoutOverride(t *testing
 	}
 }
 
+func TestCreateSpritzRejectsExplicitNamespaceForProvisionerWhenOverrideDisabled(t *testing.T) {
+	s := newCreateSpritzTestServer(t)
+	configureProvisionerTestServer(s)
+	s.namespace = ""
+	s.controlNamespace = "spritz-system"
+	s.provisioners.allowedNamespaces = map[string]struct{}{"team-a": {}}
+
+	e := echo.New()
+	secured := e.Group("", s.authMiddleware())
+	secured.POST("/api/spritzes", s.createSpritz)
+
+	body := []byte(`{"presetId":"openclaw","ownerId":"user-123","idempotencyKey":"discord-ns-override","namespace":"team-a"}`)
+	req := httptest.NewRequest(http.MethodPost, "/api/spritzes", bytes.NewReader(body))
+	req.Header.Set(echo.HeaderContentType, echo.MIMEApplicationJSON)
+	req.Header.Set("X-Spritz-User-Id", "zenobot")
+	req.Header.Set("X-Spritz-Principal-Type", "service")
+	req.Header.Set("X-Spritz-Principal-Scopes", "spritz.instances.create,spritz.instances.assign_owner")
+	rec := httptest.NewRecorder()
+
+	e.ServeHTTP(rec, req)
+
+	if rec.Code != http.StatusBadRequest {
+		t.Fatalf("expected status 400, got %d: %s", rec.Code, rec.Body.String())
+	}
+	if !strings.Contains(rec.Body.String(), "namespace override is not allowed") {
+		t.Fatalf("expected namespace override error, got %s", rec.Body.String())
+	}
+}
+
+func TestCreateSpritzRejectsProvisionerIdempotencyReuseAcrossNamespaces(t *testing.T) {
+	s := newCreateSpritzTestServer(t)
+	configureProvisionerTestServer(s)
+	s.namespace = ""
+	s.controlNamespace = "spritz-system"
+	s.provisioners.allowNamespaceOverride = true
+	s.provisioners.allowedNamespaces = map[string]struct{}{"team-a": {}, "team-b": {}}
+
+	e := echo.New()
+	secured := e.Group("", s.authMiddleware())
+	secured.POST("/api/spritzes", s.createSpritz)
+
+	first := []byte(`{"presetId":"openclaw","ownerId":"user-123","idempotencyKey":"discord-cross-ns","namespace":"team-a"}`)
+	second := []byte(`{"presetId":"openclaw","ownerId":"user-123","idempotencyKey":"discord-cross-ns","namespace":"team-b"}`)
+
+	req1 := httptest.NewRequest(http.MethodPost, "/api/spritzes", bytes.NewReader(first))
+	req1.Header.Set(echo.HeaderContentType, echo.MIMEApplicationJSON)
+	req1.Header.Set("X-Spritz-User-Id", "zenobot")
+	req1.Header.Set("X-Spritz-Principal-Type", "service")
+	req1.Header.Set("X-Spritz-Principal-Scopes", "spritz.instances.create,spritz.instances.assign_owner")
+	rec1 := httptest.NewRecorder()
+	e.ServeHTTP(rec1, req1)
+
+	if rec1.Code != http.StatusCreated {
+		t.Fatalf("expected first create to succeed, got %d: %s", rec1.Code, rec1.Body.String())
+	}
+
+	req2 := httptest.NewRequest(http.MethodPost, "/api/spritzes", bytes.NewReader(second))
+	req2.Header.Set(echo.HeaderContentType, echo.MIMEApplicationJSON)
+	req2.Header.Set("X-Spritz-User-Id", "zenobot")
+	req2.Header.Set("X-Spritz-Principal-Type", "service")
+	req2.Header.Set("X-Spritz-Principal-Scopes", "spritz.instances.create,spritz.instances.assign_owner")
+	rec2 := httptest.NewRecorder()
+	e.ServeHTTP(rec2, req2)
+
+	if rec2.Code != http.StatusConflict {
+		t.Fatalf("expected status 409, got %d: %s", rec2.Code, rec2.Body.String())
+	}
+	if !strings.Contains(rec2.Body.String(), "idempotencyKey already used with a different request") {
+		t.Fatalf("expected idempotency conflict, got %s", rec2.Body.String())
+	}
+}
+
 func TestCreateSpritzRetriesPendingIdempotencyReservationWithConflictingOccupant(t *testing.T) {
 	s := newCreateSpritzTestServer(t)
 	configureProvisionerTestServer(s)

api/provisioning.go

@@ -577,15 +577,26 @@ func idempotencyReservationName(actorID, key string) string {
 	return fmt.Sprintf("%s%x", idempotencyReservationPrefix, sum[:16])
 }
 
+func (s *server) idempotencyReservationNamespace() string {
+	if namespace := strings.TrimSpace(s.controlNamespace); namespace != "" {
+		return namespace
+	}
+	if namespace := strings.TrimSpace(s.namespace); namespace != "" {
+		return namespace
+	}
+	return "default"
+}
+
 func (s *server) reserveIdempotentCreateName(ctx context.Context, namespace string, principal principal, key, fingerprint, desiredName string) (string, bool, error) {
 	if strings.TrimSpace(key) == "" {
 		return desiredName, false, nil
 	}
 	reservationName := idempotencyReservationName(principal.ID, key)
+	reservationNamespace := s.idempotencyReservationNamespace()
 	record := &corev1.ConfigMap{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      reservationName,
-			Namespace: namespace,
+			Namespace: reservationNamespace,
 			Labels: map[string]string{
 				actorLabelKey:       actorLabelValue(principal.ID),
 				idempotencyLabelKey: idempotencyLabelValue(key),
@@ -602,7 +613,7 @@ func (s *server) reserveIdempotentCreateName(ctx context.Context, namespace stri
 			return "", false, err
 		}
 		existing := &corev1.ConfigMap{}
-		if getErr := s.client.Get(ctx, clientKey(namespace, reservationName), existing); getErr != nil {
+		if getErr := s.client.Get(ctx, clientKey(reservationNamespace, reservationName), existing); getErr != nil {
 			return "", false, getErr
 		}
 		if strings.TrimSpace(existing.Data[idempotencyReservationHashKey]) != fingerprint {
@@ -646,13 +657,14 @@ func (s *server) reserveIdempotentCreateName(ctx context.Context, namespace stri
 	return desiredName, false, nil
 }
 
-func (s *server) completeIdempotencyReservation(ctx context.Context, namespace, actorID, key string, spritz *spritzv1.Spritz) error {
+func (s *server) completeIdempotencyReservation(ctx context.Context, actorID, key string, spritz *spritzv1.Spritz) error {
 	if strings.TrimSpace(actorID) == "" || strings.TrimSpace(key) == "" || spritz == nil {
 		return nil
 	}
 	reservationName := idempotencyReservationName(actorID, key)
+	reservationNamespace := s.idempotencyReservationNamespace()
 	current := &corev1.ConfigMap{}
-	if err := s.client.Get(ctx, clientKey(namespace, reservationName), current); err != nil {
+	if err := s.client.Get(ctx, clientKey(reservationNamespace, reservationName), current); err != nil {
 		if apierrors.IsNotFound(err) {
 			return nil
 		}

helm/spritz/templates/api-deployment.yaml

@@ -40,6 +40,10 @@ spec:
             {{- toYaml .Values.api.resources | nindent 12 }}
           {{- end }}
           env:
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
             - name: SPRITZ_NAMESPACE
               value: {{ .Values.spritz.namespace | quote }}
             {{- if .Values.api.defaultAnnotations }}