MGMT-19297: Handle user_name, org_id correctly when AUTH_TYPE RHSSO used

Presently there is a bug in the way we handle AUTH_TYPE RHSSO while fetching the events list. A join is performed between infra_envs and either hosts or clusters, this leads to some ambiguity around column names in WHERE clauses. Specifically the fields `user_name` and `org_id`, combinations of which appear in hosts, clusters and infra_envs. This change applies the authorization check by turning the final database query into a subquery and then filtering on the returned user_name, org_id columns in the subquery.
openshift · Nov 18, 2024 · 6fe8c97 · 6fe8c97
1 parent b86a302
commit 6fe8c97
Showing 1 changed file with 5 additions and 5 deletions.
diff --git a/internal/events/event.go b/internal/events/event.go
@@ -427,11 +427,6 @@ func (e Events) queryEvents(ctx context.Context, params *common.V2GetEventsParam
 
 	events := []*common.Event{}
 
-	// add authorization check to query
-	if e.authz != nil {
-		tx = e.authz.OwnedBy(ctx, tx)
-	}
-
 	tx = e.prepareEventsTable(ctx, tx, params.ClusterID, params.HostIds, params.InfraEnvID, params.Severities, params.Message, params.DeletedHosts)
 	if tx == nil {
 		return make([]*common.Event, 0), &common.EventSeverityCount{}, swag.Int64(0), nil
@@ -470,6 +465,11 @@ func (e Events) queryEvents(ctx context.Context, params *common.V2GetEventsParam
 		return make([]*common.Event, 0), eventSeverityCount, &eventCount, nil
 	}
 
+	// if we need to apply authorization check then repackage tx as a subquery
+	// this is to ensure that user_name and org_id are unambiguous
+	if e.authz != nil {
+		tx = e.authz.OwnedBy(ctx, cleanQuery.Table("(?) as s", tx))
+	}
 	err = tx.Offset(int(*params.Offset)).Limit(int(*params.Limit)).Find(&events).Error
 	if err != nil {
 		return nil, nil, nil, err