fix(api): harden external owner idempotency

onutc · onutc · commit dd44a4c32a3e · 2026-03-12T22:12:09.000+01:00
diff --git a/api/create_request_normalization.go b/api/create_request_normalization.go
@@ -56,22 +56,21 @@ func writeCreateRequestError(c echo.Context, err error) error {
 }
 
 type normalizedCreateRequest struct {
-	body                  createRequest
-	fingerprintRequest    createRequest
-	namespace             string
-	owner                 spritzv1.SpritzOwner
-	resolvedExternalOwner *externalOwnerResolution
-	userConfigKeys        map[string]json.RawMessage
-	userConfigPayload     userConfigPayload
-	normalizedUserConfig  json.RawMessage
-	requestedImage        bool
-	requestedRepo         bool
-	requestedNamespace    bool
-	nameProvided          bool
-	requestedNamePrefix   string
+	body                 createRequest
+	fingerprintRequest   createRequest
+	namespace            string
+	owner                spritzv1.SpritzOwner
+	userConfigKeys       map[string]json.RawMessage
+	userConfigPayload    userConfigPayload
+	normalizedUserConfig json.RawMessage
+	requestedImage       bool
+	requestedRepo        bool
+	requestedNamespace   bool
+	nameProvided         bool
+	requestedNamePrefix  string
 }
 
-func (s *server) normalizeCreateRequest(ctx context.Context, principal principal, body createRequest) (*normalizedCreateRequest, error) {
+func (s *server) normalizeCreateRequest(_ context.Context, principal principal, body createRequest) (*normalizedCreateRequest, error) {
 	body.Name = strings.TrimSpace(body.Name)
 	body.NamePrefix = strings.TrimSpace(body.NamePrefix)
 	applyTopLevelCreateFields(&body)
@@ -87,22 +86,21 @@ func (s *server) normalizeCreateRequest(ctx context.Context, principal principal
 	}
 	requestedNamespace := s.namespaceOverrideRequested(body.Namespace, namespace)
 
-	owner, resolvedExternalOwner, err := s.resolveCreateOwner(ctx, &body, principal)
+	owner, err := normalizeCreateOwnerRequest(&body, principal, s.auth.enabled())
 	if err != nil {
-		var resolutionErr externalOwnerResolutionError
-		if errors.As(err, &resolutionErr) {
-			return nil, newCreateRequestErrorWithData(resolutionErr.status, resolutionErr.message, resolutionErr.responseData(), err)
-		}
 		if errors.Is(err, errForbidden) {
 			return nil, newCreateRequestError(http.StatusForbidden, err)
 		}
 		return nil, newCreateRequestError(http.StatusBadRequest, err)
 	}
-	body.Spec.Owner = owner
-	fingerprintRequest := body
-	if resolvedExternalOwner != nil {
-		fingerprintRequest.Spec.Owner = spritzv1.SpritzOwner{}
+	if body.OwnerRef != nil && strings.EqualFold(strings.TrimSpace(body.OwnerRef.Type), "external") {
+		if !principalCanUseProvisionerFlow(principal) {
+			return nil, newCreateRequestError(http.StatusForbidden, errForbidden)
+		}
+	} else {
+		body.Spec.Owner = owner
 	}
+	fingerprintRequest := body
 
 	requestedImage := strings.TrimSpace(body.Spec.Image) != ""
 	requestedRepo := body.Spec.Repo != nil || len(body.Spec.Repos) > 0
@@ -145,19 +143,18 @@ func (s *server) normalizeCreateRequest(ctx context.Context, principal principal
 	}
 
 	return &normalizedCreateRequest{
-		body:                  body,
-		fingerprintRequest:    fingerprintRequest,
-		namespace:             namespace,
-		owner:                 owner,
-		resolvedExternalOwner: resolvedExternalOwner,
-		userConfigKeys:        userConfigKeys,
-		userConfigPayload:     userConfigPayload,
-		normalizedUserConfig:  normalizedUserConfig,
-		requestedImage:        requestedImage,
-		requestedRepo:         requestedRepo,
-		requestedNamespace:    requestedNamespace,
-		nameProvided:          body.Name != "",
-		requestedNamePrefix:   strings.TrimSpace(fingerprintRequest.NamePrefix),
+		body:                 body,
+		fingerprintRequest:   fingerprintRequest,
+		namespace:            namespace,
+		owner:                owner,
+		userConfigKeys:       userConfigKeys,
+		userConfigPayload:    userConfigPayload,
+		normalizedUserConfig: normalizedUserConfig,
+		requestedImage:       requestedImage,
+		requestedRepo:        requestedRepo,
+		requestedNamespace:   requestedNamespace,
+		nameProvided:         body.Name != "",
+		requestedNamePrefix:  strings.TrimSpace(fingerprintRequest.NamePrefix),
 	}, nil
 }
 
diff --git a/api/main.go b/api/main.go
@@ -368,7 +368,7 @@ func (s *server) createSpritz(c echo.Context) error {
 	body = normalized.body
 	namespace := normalized.namespace
 	owner := normalized.owner
-	resolvedExternalOwner := normalized.resolvedExternalOwner
+	var resolvedExternalOwner *externalOwnerResolution
 	userConfigKeys := normalized.userConfigKeys
 	userConfigPayload := normalized.userConfigPayload
 	nameProvided := normalized.nameProvided
@@ -417,6 +417,7 @@ func (s *server) createSpritz(c echo.Context) error {
 			return writeProvisionerCreateError(c, err)
 		}
 		owner = body.Spec.Owner
+		resolvedExternalOwner = provisionerTx.resolvedExternalOwner
 		provisionerFingerprint = provisionerTx.provisionerFingerprint
 		if !nameProvided {
 			if err := buildNameGenerator(body); err != nil {
diff --git a/api/main_create_external_owner_test.go b/api/main_create_external_owner_test.go
@@ -53,15 +53,19 @@ func newCreateSpritzAPI(t *testing.T, s *server) *echo.Echo {
 }
 
 func newServiceCreateRequest(body []byte) (*http.Request, *httptest.ResponseRecorder) {
+	return newServiceCreateRequestWithScopes(body,
+		scopeInstancesCreate,
+		scopeInstancesAssignOwner,
+		scopeExternalResolveViaCreate,
+	)
+}
+
+func newServiceCreateRequestWithScopes(body []byte, scopes ...string) (*http.Request, *httptest.ResponseRecorder) {
 	req := httptest.NewRequest(http.MethodPost, "/api/spritzes", bytes.NewReader(body))
 	req.Header.Set(echo.HeaderContentType, echo.MIMEApplicationJSON)
 	req.Header.Set("X-Spritz-User-Id", "zenobot")
 	req.Header.Set("X-Spritz-Principal-Type", "service")
-	req.Header.Set("X-Spritz-Principal-Scopes", strings.Join([]string{
-		scopeInstancesCreate,
-		scopeInstancesAssignOwner,
-		scopeExternalResolveViaCreate,
-	}, ","))
+	req.Header.Set("X-Spritz-Principal-Scopes", strings.Join(scopes, ","))
 	return req, httptest.NewRecorder()
 }
 
@@ -229,6 +233,130 @@ func TestCreateSpritzReplaysExternalOwnerProvisioningAfterResolverMappingChanges
 	}
 }
 
+func TestCreateSpritzReplaysExternalOwnerProvisioningWhenResolverBecomesUnavailable(t *testing.T) {
+	s := newCreateSpritzTestServer(t)
+	configureProvisionerTestServer(s)
+	resolverCalls := 0
+	configureExternalOwnerTestServer(s, fakeExternalOwnerResolver{
+		resolve: func(_ context.Context, _ externalOwnerPolicy, _ principal, _ ownerRef, _ string) (externalOwnerResolution, error) {
+			resolverCalls++
+			if resolverCalls == 1 {
+				return externalOwnerResolution{
+					Status:  externalOwnerResolved,
+					OwnerID: "user-123",
+				}, nil
+			}
+			return externalOwnerResolution{}, context.DeadlineExceeded
+		},
+	})
+	e := newCreateSpritzAPI(t, s)
+
+	body := []byte(`{"presetId":"openclaw","ownerRef":{"type":"external","provider":"msteams","tenant":"72f988bf-86f1-41af-91ab-2d7cd011db47","subject":"6f0f9d4f-9b0e-4d52-8c3a-ef0fd64b9b9f"},"idempotencyKey":"teams-replay-unavailable"}`)
+
+	req1, rec1 := newServiceCreateRequest(body)
+	e.ServeHTTP(rec1, req1)
+	if rec1.Code != http.StatusCreated {
+		t.Fatalf("expected first create status 201, got %d: %s", rec1.Code, rec1.Body.String())
+	}
+
+	req2, rec2 := newServiceCreateRequest(body)
+	e.ServeHTTP(rec2, req2)
+	if rec2.Code != http.StatusOK {
+		t.Fatalf("expected replay status 200, got %d: %s", rec2.Code, rec2.Body.String())
+	}
+	if resolverCalls != 1 {
+		t.Fatalf("expected replay to avoid a second resolver call, got %d calls", resolverCalls)
+	}
+}
+
+func TestCreateSpritzRejectsExternalOwnerResolutionWithoutCreateScopes(t *testing.T) {
+	s := newCreateSpritzTestServer(t)
+	configureProvisionerTestServer(s)
+	resolverCalls := 0
+	configureExternalOwnerTestServer(s, fakeExternalOwnerResolver{
+		resolve: func(_ context.Context, _ externalOwnerPolicy, _ principal, _ ownerRef, _ string) (externalOwnerResolution, error) {
+			resolverCalls++
+			return externalOwnerResolution{Status: externalOwnerUnresolved}, nil
+		},
+	})
+	e := newCreateSpritzAPI(t, s)
+
+	body := []byte(`{"presetId":"openclaw","ownerRef":{"type":"external","provider":"msteams","tenant":"72f988bf-86f1-41af-91ab-2d7cd011db47","subject":"6f0f9d4f-9b0e-4d52-8c3a-ef0fd64b9b9f"},"idempotencyKey":"teams-no-create-scope"}`)
+
+	req, rec := newServiceCreateRequestWithScopes(body, scopeExternalResolveViaCreate)
+	e.ServeHTTP(rec, req)
+
+	if rec.Code != http.StatusForbidden {
+		t.Fatalf("expected status 403, got %d: %s", rec.Code, rec.Body.String())
+	}
+	if resolverCalls != 0 {
+		t.Fatalf("expected resolver to be skipped when create scopes are missing, got %d calls", resolverCalls)
+	}
+}
+
+func TestCreateRequestFingerprintCanonicalizesEquivalentOwnerInputs(t *testing.T) {
+	directFingerprint, err := createRequestFingerprint(createRequest{
+		OwnerID: "user-123",
+		Spec: spritzv1.SpritzSpec{
+			Image: "example.com/spritz-openclaw:latest",
+		},
+	}, "spritz-test", "", "", nil)
+	if err != nil {
+		t.Fatalf("createRequestFingerprint failed for direct owner: %v", err)
+	}
+
+	ownerRefFingerprint, err := createRequestFingerprint(createRequest{
+		OwnerRef: &ownerRef{
+			Type: "owner",
+			ID:   "user-123",
+		},
+		Spec: spritzv1.SpritzSpec{
+			Image: "example.com/spritz-openclaw:latest",
+		},
+	}, "spritz-test", "", "", nil)
+	if err != nil {
+		t.Fatalf("createRequestFingerprint failed for ownerRef owner: %v", err)
+	}
+
+	if directFingerprint != ownerRefFingerprint {
+		t.Fatalf("expected equivalent direct and ownerRef owner inputs to share a fingerprint")
+	}
+
+	lowerFingerprint, err := createRequestFingerprint(createRequest{
+		OwnerRef: &ownerRef{
+			Type:     "external",
+			Provider: "msteams",
+			Tenant:   "72f988bf-86f1-41af-91ab-2d7cd011db47",
+			Subject:  "6f0f9d4f-9b0e-4d52-8c3a-ef0fd64b9b9f",
+		},
+		Spec: spritzv1.SpritzSpec{
+			Image: "example.com/spritz-openclaw:latest",
+		},
+	}, "spritz-test", "", "", nil)
+	if err != nil {
+		t.Fatalf("createRequestFingerprint failed for lowercase msteams identity: %v", err)
+	}
+
+	upperFingerprint, err := createRequestFingerprint(createRequest{
+		OwnerRef: &ownerRef{
+			Type:     "external",
+			Provider: "msteams",
+			Tenant:   "72F988BF-86F1-41AF-91AB-2D7CD011DB47",
+			Subject:  "6F0F9D4F-9B0E-4D52-8C3A-EF0FD64B9B9F",
+		},
+		Spec: spritzv1.SpritzSpec{
+			Image: "example.com/spritz-openclaw:latest",
+		},
+	}, "spritz-test", "", "", nil)
+	if err != nil {
+		t.Fatalf("createRequestFingerprint failed for uppercase msteams identity: %v", err)
+	}
+
+	if lowerFingerprint != upperFingerprint {
+		t.Fatalf("expected equivalent msteams UUID casing to share a fingerprint")
+	}
+}
+
 func TestNormalizeCreateOwnerSupportsOwnerRefOwner(t *testing.T) {
 	body := &createRequest{
 		OwnerRef: &ownerRef{Type: "owner", ID: "user-123"},
diff --git a/api/main_create_owner_test.go b/api/main_create_owner_test.go
@@ -1094,7 +1094,7 @@ func TestCreateSpritzUsesPendingReservationPayloadAfterDefaultPresetChanges(t *t
 	if err != nil {
 		t.Fatalf("createRequestFingerprint failed: %v", err)
 	}
-	resolvedPayload, err := createResolvedProvisionerPayload(requestBody, s.resolvedCreateNamePrefix(requestBody, requestFingerprintBody.NamePrefix))
+	resolvedPayload, err := createResolvedProvisionerPayload(requestBody, s.resolvedCreateNamePrefix(requestBody, requestFingerprintBody.NamePrefix), nil)
 	if err != nil {
 		t.Fatalf("createResolvedProvisionerPayload failed: %v", err)
 	}
@@ -1547,7 +1547,7 @@ func TestCreateSpritzRetriesPendingIdempotencyReservationWithConflictingOccupant
 	if err != nil {
 		t.Fatalf("createRequestFingerprint failed: %v", err)
 	}
-	resolvedPayload, err := createResolvedProvisionerPayload(body, s.resolvedCreateNamePrefix(body, requestFingerprintBody.NamePrefix))
+	resolvedPayload, err := createResolvedProvisionerPayload(body, s.resolvedCreateNamePrefix(body, requestFingerprintBody.NamePrefix), nil)
 	if err != nil {
 		t.Fatalf("createResolvedProvisionerPayload failed: %v", err)
 	}
@@ -1641,7 +1641,7 @@ func TestCreateSpritzReplaysPendingIdempotentCreateBeforeQuotaCheck(t *testing.T
 	if err != nil {
 		t.Fatalf("createRequestFingerprint failed: %v", err)
 	}
-	resolvedPayload, err := createResolvedProvisionerPayload(body, s.resolvedCreateNamePrefix(body, requestFingerprintBody.NamePrefix))
+	resolvedPayload, err := createResolvedProvisionerPayload(body, s.resolvedCreateNamePrefix(body, requestFingerprintBody.NamePrefix), nil)
 	if err != nil {
 		t.Fatalf("createResolvedProvisionerPayload failed: %v", err)
 	}
diff --git a/api/provisioning.go b/api/provisioning.go
diff --git a/api/provisioning_transaction.go b/api/provisioning_transaction.go

Original file line number	Diff line number	Diff line change
`@@ -1094,7 +1094,7 @@ func TestCreateSpritzUsesPendingReservationPayloadAfterDefaultPresetChanges(t *t`
`1094`	`1094`	`if err != nil {`
`1095`	`1095`	`t.Fatalf("createRequestFingerprint failed: %v", err)`
`1096`	`1096`	`}`
`1097`		`- resolvedPayload, err := createResolvedProvisionerPayload(requestBody, s.resolvedCreateNamePrefix(requestBody, requestFingerprintBody.NamePrefix))`
	`1097`	`+ resolvedPayload, err := createResolvedProvisionerPayload(requestBody, s.resolvedCreateNamePrefix(requestBody, requestFingerprintBody.NamePrefix), nil)`
`1098`	`1098`	`if err != nil {`
`1099`	`1099`	`t.Fatalf("createResolvedProvisionerPayload failed: %v", err)`
`1100`	`1100`	`}`
`@@ -1547,7 +1547,7 @@ func TestCreateSpritzRetriesPendingIdempotencyReservationWithConflictingOccupant`
`1547`	`1547`	`if err != nil {`
`1548`	`1548`	`t.Fatalf("createRequestFingerprint failed: %v", err)`
`1549`	`1549`	`}`
`1550`		`- resolvedPayload, err := createResolvedProvisionerPayload(body, s.resolvedCreateNamePrefix(body, requestFingerprintBody.NamePrefix))`
	`1550`	`+ resolvedPayload, err := createResolvedProvisionerPayload(body, s.resolvedCreateNamePrefix(body, requestFingerprintBody.NamePrefix), nil)`
`1551`	`1551`	`if err != nil {`
`1552`	`1552`	`t.Fatalf("createResolvedProvisionerPayload failed: %v", err)`
`1553`	`1553`	`}`
`@@ -1641,7 +1641,7 @@ func TestCreateSpritzReplaysPendingIdempotentCreateBeforeQuotaCheck(t *testing.T`
`1641`	`1641`	`if err != nil {`
`1642`	`1642`	`t.Fatalf("createRequestFingerprint failed: %v", err)`
`1643`	`1643`	`}`
`1644`		`- resolvedPayload, err := createResolvedProvisionerPayload(body, s.resolvedCreateNamePrefix(body, requestFingerprintBody.NamePrefix))`
	`1644`	`+ resolvedPayload, err := createResolvedProvisionerPayload(body, s.resolvedCreateNamePrefix(body, requestFingerprintBody.NamePrefix), nil)`
`1645`	`1645`	`if err != nil {`
`1646`	`1646`	`t.Fatalf("createResolvedProvisionerPayload failed: %v", err)`
`1647`	`1647`	`}`