[SREP-1313] feat : Update isolation workflow to enforce policy Arn from backplane-api assume-role-sequence endpoint (#748)

Author: samanthajayasinghe

cmd/ocm-backplane/cloud/common.go

@@ -18,6 +18,7 @@ import (
 	"github.com/aws/aws-sdk-go-v2/aws/arn"
 	"github.com/aws/aws-sdk-go-v2/credentials"
 	"github.com/aws/aws-sdk-go-v2/service/sts"
+	"github.com/aws/aws-sdk-go-v2/service/sts/types"
 	ocmsdk "github.com/openshift-online/ocm-sdk-go"
 	cmv1 "github.com/openshift-online/ocm-sdk-go/clustersmgmt/v1"
 	BackplaneApi "github.com/openshift/backplane-api/pkg/client"
@@ -211,6 +212,7 @@ func (cfg *QueryConfig) getCloudCredentialsFromBackplaneAPI(ocmToken string) (bp
 type assumeChainResponse struct {
 	AssumptionSequence      []namedRoleArn `json:"assumptionSequence"`
 	CustomerRoleSessionName string         `json:"customerRoleSessionName"`
+	SessionPolicyArn        string         `json:"sessionPolicyArn"` // SessionPolicyArn is the ARN of the session policy
 }
 
 type namedRoleArn struct {
@@ -319,6 +321,24 @@ func (cfg *QueryConfig) getIsolatedCredentials(ocmToken string) (aws.Credentials
 		} else {
 			roleArnSession.RoleSessionName = email
 		}
+		// Default to no policy ARNs
+		roleArnSession.PolicyARNs = []types.PolicyDescriptorType{}
+		if namedRoleArnEntry.Name == CustomerRoleArnName {
+			roleArnSession.IsCustomerRole = true
+			// Add the session policy ARN for selected roles
+			if roleChainResponse.SessionPolicyArn != "" {
+				logger.Debugf("Adding session policy ARN for role %s: %s", namedRoleArnEntry.Name, roleChainResponse.SessionPolicyArn)
+				roleArnSession.PolicyARNs = []types.PolicyDescriptorType{
+					{
+						Arn: aws.String(roleChainResponse.SessionPolicyArn),
+					},
+				}
+			}
+		} else {
+			roleArnSession.IsCustomerRole = false
+		}
+		roleArnSession.Name = namedRoleArnEntry.Name
+
 		assumeRoleArnSessionSequence = append(assumeRoleArnSessionSequence, roleArnSession)
 	}
 
@@ -471,7 +491,7 @@ func isIsolatedBackplaneAccess(cluster *cmv1.Cluster, ocmConnection *ocmsdk.Conn
 	if strings.HasSuffix(baseDomain, "devshiftusgov.com") || strings.HasSuffix(baseDomain, "openshiftusgov.com") {
 		return false, nil
 	}
-	
+
 	if cluster.Hypershift().Enabled() {
 		return true, nil
 	}

cmd/ocm-backplane/cloud/common_test.go

@@ -7,6 +7,7 @@ import (
 	"net"
 	"net/http"
 	"net/http/httptest"
+	"strings"
 	"testing"
 
 	"github.com/openshift/backplane-cli/pkg/awsutil"
@@ -15,6 +16,7 @@ import (
 	"github.com/aws/aws-sdk-go-v2/credentials"
 	"github.com/aws/aws-sdk-go-v2/credentials/stscreds"
 	"github.com/aws/aws-sdk-go-v2/service/sts"
+	"github.com/aws/aws-sdk-go-v2/service/sts/types"
 	"github.com/golang/mock/gomock"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
@@ -523,3 +525,313 @@ var _ = Describe("isIsolatedBackplaneAccess", func() {
 		})
 	})
 })
+
+var _ = Describe("PolicyARNs Integration", func() {
+	var (
+		testSessionPolicyArn string
+	)
+
+	BeforeEach(func() {
+		testSessionPolicyArn = "arn:aws:iam::123456789012:policy/TestSessionPolicy"
+	})
+
+	// Helper function to simulate the getIsolatedCredentials logic
+	simulateGetIsolatedCredentialsLogic := func(roleChainResponse assumeChainResponse) []awsutil.RoleArnSession {
+		assumeRoleArnSessionSequence := make([]awsutil.RoleArnSession, 0, len(roleChainResponse.AssumptionSequence))
+		for _, namedRoleArnEntry := range roleChainResponse.AssumptionSequence {
+			roleArnSession := awsutil.RoleArnSession{RoleArn: namedRoleArnEntry.Arn}
+			if namedRoleArnEntry.Name == CustomerRoleArnName || namedRoleArnEntry.Name == OrgRoleArnName {
+				roleArnSession.RoleSessionName = roleChainResponse.CustomerRoleSessionName
+			} else {
+				roleArnSession.RoleSessionName = "test@example.com"
+			}
+
+			// Default to no policy ARNs
+			roleArnSession.PolicyARNs = []types.PolicyDescriptorType{}
+			if namedRoleArnEntry.Name == CustomerRoleArnName {
+				roleArnSession.IsCustomerRole = true
+				// Add the session policy ARN for selected roles
+				if roleChainResponse.SessionPolicyArn != "" {
+					roleArnSession.PolicyARNs = []types.PolicyDescriptorType{
+						{
+							Arn: aws.String(roleChainResponse.SessionPolicyArn),
+						},
+					}
+				}
+			} else {
+				roleArnSession.IsCustomerRole = false
+			}
+			roleArnSession.Name = namedRoleArnEntry.Name
+
+			assumeRoleArnSessionSequence = append(assumeRoleArnSessionSequence, roleArnSession)
+		}
+		return assumeRoleArnSessionSequence
+	}
+
+	// Generated by Cursor
+	Context("when creating RoleArnSession with SessionPolicyArn", func() {
+		It("should set PolicyARNs for customer roles", func() {
+			roleChainResponse := assumeChainResponse{
+				AssumptionSequence: []namedRoleArn{
+					{
+						Name: CustomerRoleArnName,
+						Arn:  "arn:aws:iam::123456789012:role/customer-role",
+					},
+				},
+				CustomerRoleSessionName: "customer-session",
+				SessionPolicyArn:        testSessionPolicyArn,
+			}
+
+			assumeRoleArnSessionSequence := simulateGetIsolatedCredentialsLogic(roleChainResponse)
+
+			Expect(len(assumeRoleArnSessionSequence)).To(Equal(1))
+
+			customerRole := assumeRoleArnSessionSequence[0]
+			Expect(customerRole.IsCustomerRole).To(BeTrue())
+			Expect(customerRole.Name).To(Equal(CustomerRoleArnName))
+			Expect(len(customerRole.PolicyARNs)).To(Equal(1))
+			Expect(*customerRole.PolicyARNs[0].Arn).To(Equal(testSessionPolicyArn))
+		})
+
+		It("should not set PolicyARNs for non-customer roles", func() {
+			roleChainResponse := assumeChainResponse{
+				AssumptionSequence: []namedRoleArn{
+					{
+						Name: "Support-Role-Arn",
+						Arn:  "arn:aws:iam::123456789012:role/support-role",
+					},
+				},
+				CustomerRoleSessionName: "customer-session",
+				SessionPolicyArn:        testSessionPolicyArn,
+			}
+
+			assumeRoleArnSessionSequence := simulateGetIsolatedCredentialsLogic(roleChainResponse)
+
+			Expect(len(assumeRoleArnSessionSequence)).To(Equal(1))
+
+			supportRole := assumeRoleArnSessionSequence[0]
+			Expect(supportRole.IsCustomerRole).To(BeFalse())
+			Expect(supportRole.Name).To(Equal("Support-Role-Arn"))
+			Expect(len(supportRole.PolicyARNs)).To(Equal(0))
+		})
+
+		// Generated by Cursor
+		It("should handle empty SessionPolicyArn for customer roles", func() {
+			roleChainResponse := assumeChainResponse{
+				AssumptionSequence: []namedRoleArn{
+					{
+						Name: CustomerRoleArnName,
+						Arn:  "arn:aws:iam::123456789012:role/customer-role",
+					},
+				},
+				CustomerRoleSessionName: "customer-session",
+				SessionPolicyArn:        "", // Empty session policy ARN
+			}
+
+			assumeRoleArnSessionSequence := simulateGetIsolatedCredentialsLogic(roleChainResponse)
+
+			Expect(len(assumeRoleArnSessionSequence)).To(Equal(1))
+
+			customerRole := assumeRoleArnSessionSequence[0]
+			Expect(customerRole.IsCustomerRole).To(BeTrue())
+			Expect(customerRole.Name).To(Equal(CustomerRoleArnName))
+			Expect(len(customerRole.PolicyARNs)).To(Equal(0))
+		})
+	})
+
+	Context("error scenarios with PolicyARNs", func() {
+		It("should handle invalid SessionPolicyArn gracefully", func() {
+			roleChainResponse := assumeChainResponse{
+				AssumptionSequence: []namedRoleArn{
+					{
+						Name: CustomerRoleArnName,
+						Arn:  "arn:aws:iam::123456789012:role/customer-role",
+					},
+				},
+				CustomerRoleSessionName: "customer-session",
+				SessionPolicyArn:        "invalid-arn-format", // Invalid ARN format
+			}
+
+			assumeRoleArnSessionSequence := simulateGetIsolatedCredentialsLogic(roleChainResponse)
+
+			Expect(len(assumeRoleArnSessionSequence)).To(Equal(1))
+
+			customerRole := assumeRoleArnSessionSequence[0]
+			Expect(customerRole.IsCustomerRole).To(BeTrue())
+			Expect(customerRole.Name).To(Equal(CustomerRoleArnName))
+			Expect(len(customerRole.PolicyARNs)).To(Equal(1))
+			// The invalid ARN is still passed through - validation happens at AWS level
+			Expect(*customerRole.PolicyARNs[0].Arn).To(Equal("invalid-arn-format"))
+		})
+
+		It("should handle missing AssumptionSequence", func() {
+			roleChainResponse := assumeChainResponse{
+				AssumptionSequence:      []namedRoleArn{}, // Empty sequence
+				CustomerRoleSessionName: "customer-session",
+				SessionPolicyArn:        testSessionPolicyArn,
+			}
+
+			assumeRoleArnSessionSequence := simulateGetIsolatedCredentialsLogic(roleChainResponse)
+
+			// Should result in empty sequence
+			Expect(len(assumeRoleArnSessionSequence)).To(Equal(0))
+		})
+
+		It("should handle malformed role ARNs in AssumptionSequence", func() {
+			roleChainResponse := assumeChainResponse{
+				AssumptionSequence: []namedRoleArn{
+					{
+						Name: CustomerRoleArnName,
+						Arn:  "malformed-role-arn", // Invalid role ARN format
+					},
+				},
+				CustomerRoleSessionName: "customer-session",
+				SessionPolicyArn:        testSessionPolicyArn,
+			}
+
+			assumeRoleArnSessionSequence := simulateGetIsolatedCredentialsLogic(roleChainResponse)
+
+			Expect(len(assumeRoleArnSessionSequence)).To(Equal(1))
+
+			customerRole := assumeRoleArnSessionSequence[0]
+			Expect(customerRole.IsCustomerRole).To(BeTrue())
+			Expect(customerRole.RoleArn).To(Equal("malformed-role-arn")) // Malformed ARN is passed through
+			Expect(len(customerRole.PolicyARNs)).To(Equal(1))
+			Expect(*customerRole.PolicyARNs[0].Arn).To(Equal(testSessionPolicyArn))
+		})
+
+		It("should handle extremely long SessionPolicyArn", func() {
+			// Create a very long policy ARN that might cause issues
+			longPolicyArn := "arn:aws:iam::123456789012:policy/" + strings.Repeat("a", 500)
+
+			roleChainResponse := assumeChainResponse{
+				AssumptionSequence: []namedRoleArn{
+					{
+						Name: CustomerRoleArnName,
+						Arn:  "arn:aws:iam::123456789012:role/customer-role",
+					},
+				},
+				CustomerRoleSessionName: "customer-session",
+				SessionPolicyArn:        longPolicyArn,
+			}
+
+			assumeRoleArnSessionSequence := simulateGetIsolatedCredentialsLogic(roleChainResponse)
+
+			Expect(len(assumeRoleArnSessionSequence)).To(Equal(1))
+
+			customerRole := assumeRoleArnSessionSequence[0]
+			Expect(customerRole.IsCustomerRole).To(BeTrue())
+			Expect(len(customerRole.PolicyARNs)).To(Equal(1))
+			Expect(*customerRole.PolicyARNs[0].Arn).To(Equal(longPolicyArn))
+			// Verify the ARN length
+			Expect(len(*customerRole.PolicyARNs[0].Arn)).To(BeNumerically(">", 500))
+		})
+
+		It("should handle special characters in SessionPolicyArn", func() {
+			// Policy ARN with special characters (though this would be invalid in real AWS)
+			specialCharsArn := "arn:aws:iam::123456789012:policy/test-policy-with-special-chars!@#$%"
+
+			roleChainResponse := assumeChainResponse{
+				AssumptionSequence: []namedRoleArn{
+					{
+						Name: CustomerRoleArnName,
+						Arn:  "arn:aws:iam::123456789012:role/customer-role",
+					},
+				},
+				CustomerRoleSessionName: "customer-session",
+				SessionPolicyArn:        specialCharsArn,
+			}
+
+			assumeRoleArnSessionSequence := simulateGetIsolatedCredentialsLogic(roleChainResponse)
+
+			Expect(len(assumeRoleArnSessionSequence)).To(Equal(1))
+
+			customerRole := assumeRoleArnSessionSequence[0]
+			Expect(customerRole.IsCustomerRole).To(BeTrue())
+			Expect(len(customerRole.PolicyARNs)).To(Equal(1))
+			Expect(*customerRole.PolicyARNs[0].Arn).To(Equal(specialCharsArn))
+		})
+
+		It("should verify debug logging when SessionPolicyArn is non-empty", func() {
+			roleChainResponse := assumeChainResponse{
+				AssumptionSequence: []namedRoleArn{
+					{
+						Name: CustomerRoleArnName,
+						Arn:  "arn:aws:iam::123456789012:role/customer-role",
+					},
+				},
+				CustomerRoleSessionName: "customer-session",
+				SessionPolicyArn:        testSessionPolicyArn, // Non-empty SessionPolicyArn
+			}
+
+			assumeRoleArnSessionSequence := simulateGetIsolatedCredentialsLogic(roleChainResponse)
+
+			// Verify the non-empty SessionPolicyArn scenario
+			Expect(len(assumeRoleArnSessionSequence)).To(Equal(1))
+
+			customerRole := assumeRoleArnSessionSequence[0]
+
+			// Verify the customer role identification
+			Expect(customerRole.IsCustomerRole).To(BeTrue())
+			Expect(customerRole.Name).To(Equal(CustomerRoleArnName))
+			Expect(customerRole.RoleSessionName).To(Equal("customer-session"))
+
+			// Verify that SessionPolicyArn is non-empty
+			Expect(roleChainResponse.SessionPolicyArn).ToNot(BeEmpty())
+
+			// Verify PolicyARNs array is populated correctly
+			Expect(len(customerRole.PolicyARNs)).To(Equal(1))
+			Expect(customerRole.PolicyARNs[0].Arn).ToNot(BeNil())
+			Expect(*customerRole.PolicyARNs[0].Arn).To(Equal(testSessionPolicyArn))
+
+			// Verify the exact SessionPolicyArn value matches
+			Expect(*customerRole.PolicyARNs[0].Arn).To(Equal(roleChainResponse.SessionPolicyArn))
+		})
+
+		It("should handle multiple customer roles with same SessionPolicyArn", func() {
+			// Test scenario with multiple customer roles getting the same session policy
+			roleChainResponse := assumeChainResponse{
+				AssumptionSequence: []namedRoleArn{
+					{
+						Name: CustomerRoleArnName,
+						Arn:  "arn:aws:iam::123456789012:role/customer-role-1",
+					},
+					{
+						Name: "Support-Role-Arn",
+						Arn:  "arn:aws:iam::123456789012:role/support-role",
+					},
+					{
+						Name: CustomerRoleArnName, // Another customer role
+						Arn:  "arn:aws:iam::123456789012:role/customer-role-2",
+					},
+				},
+				CustomerRoleSessionName: "customer-session",
+				SessionPolicyArn:        testSessionPolicyArn,
+			}
+
+			assumeRoleArnSessionSequence := simulateGetIsolatedCredentialsLogic(roleChainResponse)
+
+			Expect(len(assumeRoleArnSessionSequence)).To(Equal(3))
+
+			// Verify first customer role
+			customerRole1 := assumeRoleArnSessionSequence[0]
+			Expect(customerRole1.IsCustomerRole).To(BeTrue())
+			Expect(customerRole1.Name).To(Equal(CustomerRoleArnName))
+			Expect(len(customerRole1.PolicyARNs)).To(Equal(1))
+			Expect(*customerRole1.PolicyARNs[0].Arn).To(Equal(testSessionPolicyArn))
+
+			// Verify support role (non-customer)
+			supportRole := assumeRoleArnSessionSequence[1]
+			Expect(supportRole.IsCustomerRole).To(BeFalse())
+			Expect(supportRole.Name).To(Equal("Support-Role-Arn"))
+			Expect(len(supportRole.PolicyARNs)).To(Equal(0))
+
+			// Verify second customer role
+			customerRole2 := assumeRoleArnSessionSequence[2]
+			Expect(customerRole2.IsCustomerRole).To(BeTrue())
+			Expect(customerRole2.Name).To(Equal(CustomerRoleArnName))
+			Expect(len(customerRole2.PolicyARNs)).To(Equal(1))
+			Expect(*customerRole2.PolicyARNs[0].Arn).To(Equal(testSessionPolicyArn))
+		})
+	})
+})