feat: Advanced authorization (#1789)

* feat: Advanced authorization

Signed-off-by: Anatolii Bazko <[email protected]>

.github/PULL_REQUEST_TEMPLATE.md

@@ -21,16 +21,26 @@ che-operator Development Guide: https://github.com/eclipse-che/che-operator/#dev
   - steps to reproduce
  -->
 
+1. Prepare a patch file if needed:
 ```bash
-cat > /tmp/patch.yaml <<EOF
-<PATCH_CONTENT>
+cat > /tmp/cr-patch.yaml <<EOF
+apiVersion: org.eclipse.che/v2
+kind: CheCluster
+spec: {}
 EOF
+```
+
+2. Deploy the operator:
+
+#### OpenShift
+```bash
+./build/scripts/olm/test-catalog-from-sources.sh --cr-patch-yaml /tmp/cr-patch.yaml
+```
+
+#### on Minikube
 
-chectl server:deploy \
-     --installer operator \
-     --platform <PLATFORM_TO_DEPLOY> \
-     --che-operator-image <CUSTOM_OPERATOR_IMAGE> \
-     --che-operator-cr-patch-yaml /tmp/patch.yaml
+```bash
+./build/scripts/minikube-tests/test-operator-from-sources.sh --cr-patch-yaml /tmp/cr-patch.yaml
 ```
 
 ### PR Checklist

api/v2/checluster_types.go

@@ -524,6 +524,28 @@ type Auth struct {
 	// +optional
 	// +kubebuilder:default:={configLabels: {app: che, component: che-gateway-config}}
 	Gateway Gateway `json:"gateway,omitempty"`
+	// Advance authorization settings. Determines which users and groups are allowed to access Che.
+	// User is allowed to access Che if he/she is either in the `allowUsers` list or is member of group from `allowGroups` list
+	// and not in neither the `denyUsers` list nor is member of group from `denyGroups` list.
+	// If `allowUsers` and `allowGroups` are empty, then all users are allowed to access Che.
+	// if `denyUsers` and `denyGroups` are empty, then no users are denied to access Che.
+	// +optional
+	AdvancedAuthorization *AdvancedAuthorization `json:"advancedAuthorization,omitempty"`
+}
+
+type AdvancedAuthorization struct {
+	// List of users allowed to access Che.
+	// +optional
+	AllowUsers []string `json:"allowUsers,omitempty"`
+	// List of groups allowed to access Che (currently supported in OpenShift only).
+	// +optional
+	AllowGroups []string `json:"allowGroups,omitempty"`
+	// List of users denied to access Che.
+	// +optional
+	DenyUsers []string `json:"denyUsers,omitempty"`
+	// List of groups denied to access Che (currently supported in OpenShift only).
+	// +optional
+	DenyGroups []string `json:"denyGroups,omitempty"`
 }
 
 // Gateway settings.

build/scripts/minikube-tests/test-operator-from-sources.sh

@@ -0,0 +1,64 @@
+#!/usr/bin/env bash
+#
+# Copyright (c) 2019-2023 Red Hat, Inc.
+# This program and the accompanying materials are made
+# available under the terms of the Eclipse Public License 2.0
+# which is available at https://www.eclipse.org/legal/epl-2.0/
+#
+# SPDX-License-Identifier: EPL-2.0
+#
+# Contributors:
+#   Red Hat, Inc. - initial API and implementation
+#
+
+set -e
+
+OPERATOR_REPO=$(dirname "$(dirname "$(dirname "$(dirname "$(readlink -f "${BASH_SOURCE[0]}")")")")")
+source "${OPERATOR_REPO}/build/scripts/minikube-tests/common.sh"
+
+init() {
+  unset CR_PATCH_YAML
+
+  while [[ "$#" -gt 0 ]]; do
+    case $1 in
+      '--help'|'-h') usage; exit;;
+      '--cr-patch-yaml') CR_PATCH_YAML=$2; shift 1;;
+    esac
+    shift 1
+  done
+}
+
+usage () {
+  echo "Deploy Eclipse Che from sources"
+  echo
+	echo "Usage:"
+	echo -e "\t$0 [--cr-patch-yaml <path_to_cr_patch>]"
+  echo
+  echo "OPTIONS:"
+  echo -e "\t--cr-patch-yaml          CheCluster CR patch yaml file"
+  echo
+	echo "Example:"
+	echo -e "\t$0"
+}
+
+runTest() {
+  buildAndCopyCheOperatorImageToMinikube
+  yq -riSY '.spec.template.spec.containers[0].image = "'${OPERATOR_IMAGE}'"' "${CURRENT_OPERATOR_VERSION_TEMPLATE_PATH}/che-operator/kubernetes/operator.yaml"
+  yq -riSY '.spec.template.spec.containers[0].imagePullPolicy = "IfNotPresent"' "${CURRENT_OPERATOR_VERSION_TEMPLATE_PATH}/che-operator/kubernetes/operator.yaml"
+
+  if [[ -n "${CR_PATCH_YAML}" ]]; then
+      chectl server:deploy --batch --platform minikube \
+        --templates "${CURRENT_OPERATOR_VERSION_TEMPLATE_PATH}" \
+        --che-operator-cr-patch-yaml "${CR_PATCH_YAML}"
+  else
+    chectl server:deploy --batch --platform minikube \
+      --templates "${CURRENT_OPERATOR_VERSION_TEMPLATE_PATH}"
+  fi
+}
+
+pushd ${OPERATOR_REPO} >/dev/null
+initDefaults
+init "$@"
+initTemplates
+runTest
+popd >/dev/null

build/scripts/olm/test-catalog-from-sources.sh

@@ -34,11 +34,13 @@ unset CATALOG_IMAGE
 
 init() {
   unset VERBOSE
+  unset CR_PATCH_YAML
 
   while [[ "$#" -gt 0 ]]; do
     case $1 in
       '--help'|'-h') usage; exit;;
       '--verbose'|'-v') VERBOSE=1;;
+      '--cr-patch-yaml') CR_PATCH_YAML=$2; shift 1;;
     esac
     shift 1
   done
@@ -53,10 +55,11 @@ usage () {
   echo "Deploy Eclipse Che from sources"
   echo
 	echo "Usage:"
-	echo -e "\t$0 [--verbose]"
+	echo -e "\t$0 [--verbose] [--cr-patch-yaml <path_to_cr_patch>]"
   echo
   echo "OPTIONS:"
   echo -e "\t-v,--verbose             Verbose mode"
+  echo -e "\t--cr-patch-yaml          CheCluster CR patch yaml file"
   echo
 	echo "Example:"
 	echo -e "\t$0"
@@ -163,8 +166,12 @@ run() {
     VERBOSE=${VERBOSE}
   make wait-pod-running NAMESPACE="${NAMESPACE}" SELECTOR="app.kubernetes.io/component=che-operator"
 
-  if [[ $(oc get checluster -n eclipse-che --no-headers | wc -l) == 0 ]]; then
+  if [[ $(oc get checluster -n "${NAMESPACE}" --no-headers | wc -l) == 0 ]]; then
     getCheClusterCRFromInstalledCSV | oc apply -n "${NAMESPACE}" -f -
+    if [[ -n ${CR_PATCH_YAML} ]]; then
+      patch=$(yq -r "." "${CR_PATCH_YAML}" | tr -d "\n" )
+      oc patch checluster eclipse-che -n "${NAMESPACE}" --type='merge' -p "${patch}"
+    fi
   fi
   make wait-eclipseche-version VERSION="$(getCheVersionFromInstalledCSV)" NAMESPACE="${NAMESPACE}" VERBOSE=${VERBOSE}
 }

bundle/next/eclipse-che/manifests/che-operator.clusterserviceversion.yaml

@@ -77,7 +77,7 @@ metadata:
     operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
     repository: https://github.com/eclipse-che/che-operator
     support: Eclipse Foundation
-  name: eclipse-che.v7.78.0-817.next
+  name: eclipse-che.v7.78.0-826.next
   namespace: placeholder
 spec:
   apiservicedefinitions: {}
@@ -527,6 +527,12 @@ spec:
               verbs:
                 - list
                 - delete
+            - apiGroups:
+                - user.openshift.io
+              resources:
+                - groups
+              verbs:
+                - get
             - apiGroups:
                 - user.openshift.io
               resources:
@@ -1234,7 +1240,7 @@ spec:
   minKubeVersion: 1.19.0
   provider:
     name: Eclipse Foundation
-  version: 7.78.0-817.next
+  version: 7.78.0-826.next
   webhookdefinitions:
     - admissionReviewVersions:
         - v1

bundle/next/eclipse-che/manifests/org.eclipse.che_checlusters.yaml

@@ -7917,6 +7917,40 @@ spec:
                             component: che-gateway-config
                       description: Authentication settings.
                       properties:
+                        advancedAuthorization:
+                          description: Advance authorization settings. Determines
+                            which users and groups are allowed to access Che. User
+                            is allowed to access Che if he/she is either in the `allowUsers`
+                            list or is member of group from `allowGroups` list and
+                            not in neither the `denyUsers` list nor is member of group
+                            from `denyGroups` list. If `allowUsers` and `allowGroups`
+                            are empty, then all users are allowed to access Che. if
+                            `denyUsers` and `denyGroups` are empty, then no users
+                            are denied to access Che.
+                          properties:
+                            allowGroups:
+                              description: List of groups allowed to access Che (currently
+                                supported in OpenShift only).
+                              items:
+                                type: string
+                              type: array
+                            allowUsers:
+                              description: List of users allowed to access Che.
+                              items:
+                                type: string
+                              type: array
+                            denyGroups:
+                              description: List of groups denied to access Che (currently
+                                supported in OpenShift only).
+                              items:
+                                type: string
+                              type: array
+                            denyUsers:
+                              description: List of users denied to access Che.
+                              items:
+                                type: string
+                              type: array
+                          type: object
                         gateway:
                           default:
                             configLabels:

config/crd/bases/org.eclipse.che_checlusters.yaml

@@ -7709,6 +7709,40 @@ spec:
                           component: che-gateway-config
                     description: Authentication settings.
                     properties:
+                      advancedAuthorization:
+                        description: Advance authorization settings. Determines which
+                          users and groups are allowed to access Che. User is allowed
+                          to access Che if he/she is either in the `allowUsers` list
+                          or is member of group from `allowGroups` list and not in
+                          neither the `denyUsers` list nor is member of group from
+                          `denyGroups` list. If `allowUsers` and `allowGroups` are
+                          empty, then all users are allowed to access Che. if `denyUsers`
+                          and `denyGroups` are empty, then no users are denied to
+                          access Che.
+                        properties:
+                          allowGroups:
+                            description: List of groups allowed to access Che (currently
+                              supported in OpenShift only).
+                            items:
+                              type: string
+                            type: array
+                          allowUsers:
+                            description: List of users allowed to access Che.
+                            items:
+                              type: string
+                            type: array
+                          denyGroups:
+                            description: List of groups denied to access Che (currently
+                              supported in OpenShift only).
+                            items:
+                              type: string
+                            type: array
+                          denyUsers:
+                            description: List of users denied to access Che.
+                            items:
+                              type: string
+                            type: array
+                        type: object
                       gateway:
                         default:
                           configLabels:

config/rbac/cluster_role.yaml

@@ -64,6 +64,12 @@ rules:
     verbs:
       - list
       - delete
+  - apiGroups:
+      - user.openshift.io
+    resources:
+      - groups
+    verbs:
+      - get
   - apiGroups:
       - user.openshift.io
     resources: