extend the onboarding struct to make it modular

controllers/storagecluster/storageclient.go

@@ -6,6 +6,7 @@ import (
 	ocsclientv1a1 "github.com/red-hat-storage/ocs-client-operator/api/v1alpha1"
 	ocsv1 "github.com/red-hat-storage/ocs-operator/api/v4/v1"
 	"github.com/red-hat-storage/ocs-operator/v4/controllers/util"
+	"github.com/red-hat-storage/ocs-operator/v4/services"
 	kerrors "k8s.io/apimachinery/pkg/api/errors"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
@@ -31,7 +32,8 @@ func (s *storageClient) ensureCreated(r *StorageClusterReconciler, storagecluste
 	storageClient.Name = storagecluster.Name
 	_, err := controllerutil.CreateOrUpdate(r.ctx, r.Client, storageClient, func() error {
 		if storageClient.Status.ConsumerID == "" {
-			token, err := util.GenerateOnboardingToken(tokenLifetimeInHours, onboardingPrivateKeyFilePath, nil)
+			roleSpec := services.OnboardingSubjectRoleSpec{Role: services.ClientRole}
+			token, err := util.GenerateOnboardingToken(tokenLifetimeInHours, onboardingPrivateKeyFilePath, roleSpec)
 			if err != nil {
 				return fmt.Errorf("unable to generate onboarding token: %v", err)
 			}

controllers/util/provider.go

@@ -19,19 +19,18 @@ import (
 
 // GenerateOnboardingToken generates a token valid for a duration of "tokenLifetimeInHours".
 // The token content is predefined and signed by the private key which'll be read from supplied "privateKeyPath".
-// The storageQuotaInGiB is optional, and it is used to limit the storage of PVC in the application cluster.
-func GenerateOnboardingToken(tokenLifetimeInHours int, privateKeyPath string, storageQuotaInGiB *uint) (string, error) {
+// The roleSpec contains the SubjectRole and the RoleOptions for the ticket.
+func GenerateOnboardingToken(tokenLifetimeInHours int, privateKeyPath string, roleSpec services.OnboardingSubjectRoleSpec) (string, error) {
 	tokenExpirationDate := time.Now().
 		Add(time.Duration(tokenLifetimeInHours) * time.Hour).
 		Unix()
 
 	ticket := services.OnboardingTicket{
 		ID:             uuid.New().String(),
 		ExpirationDate: tokenExpirationDate,
+		SubjectRole:    roleSpec,
 	}
-	if storageQuotaInGiB != nil {
-		ticket.StorageQuotaInGiB = *storageQuotaInGiB
-	}
+
 	payload, err := json.Marshal(ticket)
 	if err != nil {
 		return "", fmt.Errorf("failed to marshal the payload: %v", err)

services/provider/server/server.go

@@ -110,13 +110,13 @@ func (s *OCSProviderServer) OnboardConsumer(ctx context.Context, req *pb.Onboard
 		return nil, status.Errorf(codes.Internal, "failed to get public key to validate onboarding ticket for consumer %q. %v", req.ConsumerName, err)
 	}
 
-	onboardingTicket, err := decodeAndValidateTicket(req.OnboardingTicket, pubKey)
+	onboardingTicket, err := decodeAndValidateTicket(req.OnboardingTicket, pubKey, services.ClientRole)
 	if err != nil {
 		klog.Errorf("failed to validate onboarding ticket for consumer %q. %v", req.ConsumerName, err)
 		return nil, status.Errorf(codes.InvalidArgument, "onboarding ticket is not valid. %v", err)
 	}
 
-	storageConsumerUUID, err := s.consumerManager.Create(ctx, req, int(onboardingTicket.StorageQuotaInGiB))
+	storageConsumerUUID, err := s.consumerManager.Create(ctx, req, int(onboardingTicket.SubjectRole.ClientOptions.StorageQuotaInGiB))
 	if err != nil {
 		if !kerrors.IsAlreadyExists(err) && err != errTicketAlreadyExists {
 			return nil, status.Errorf(codes.Internal, "failed to create storageConsumer %q. %v", req.ConsumerName, err)
@@ -470,7 +470,7 @@ func getSubVolumeGroupClusterID(subVolumeGroup *rookCephv1.CephFilesystemSubVolu
 	return hex.EncodeToString(hash[:16])
 }
 
-func decodeAndValidateTicket(ticket string, pubKey *rsa.PublicKey) (*services.OnboardingTicket, error) {
+func decodeAndValidateTicket(ticket string, pubKey *rsa.PublicKey, expectedRole services.OnboardingSubjectRole) (*services.OnboardingTicket, error) {
 	ticketArr := strings.Split(string(ticket), ".")
 	if len(ticketArr) != 2 {
 		return nil, fmt.Errorf("invalid ticket")
@@ -487,8 +487,18 @@ func decodeAndValidateTicket(ticket string, pubKey *rsa.PublicKey) (*services.On
 		return nil, fmt.Errorf("failed to unmarshal onboarding ticket message. %v", err)
 	}
 
-	if ticketData.StorageQuotaInGiB > math.MaxInt {
-		return nil, fmt.Errorf("invalid value sent in onboarding ticket, storage quota should be greater than 0 and less than %v: %v", math.MaxInt, ticketData.StorageQuotaInGiB)
+	if ticketData.SubjectRole.Role != expectedRole {
+		return nil, fmt.Errorf("unsupported role sent in onboarding ticket %s, expectedRole is %s", ticketData.SubjectRole.Role, expectedRole)
+	}
+
+	switch ticketData.SubjectRole.Role {
+	case services.ClientRole:
+		clientOptions := ticketData.SubjectRole.ClientOptions
+		if ticketData.SubjectRole.ClientOptions.StorageQuotaInGiB > math.MaxInt {
+			return nil, fmt.Errorf("invalid value sent in onboarding ticket, storage quota should be greater than 0 and less than %v: %v", math.MaxInt, clientOptions.StorageQuotaInGiB)
+		}
+	default:
+		return nil, fmt.Errorf("invalid role sent in onboarding ticket %s, expectedRole is %s", ticketData.SubjectRole.Role, expectedRole)
 	}
 
 	signature, err := base64.StdEncoding.DecodeString(ticketArr[1])

services/types.go

@@ -1,7 +1,24 @@
 package services
 
+type OnboardingSubjectRole string
+
+type OnboardingSubjectRoleSpec struct {
+	Role          OnboardingSubjectRole `json:"role"`
+	ClientOptions ClientRoleOptions     `json:"clientRoleOptions,omitempty"`
+}
+
+const (
+	ClientRole OnboardingSubjectRole = "ocs-client"
+)
+
+type ClientRoleOptions struct {
+	StorageQuotaInGiB uint `json:"storageQuotaInGiB,omitempty"`
+}
+
 type OnboardingTicket struct {
-	ID                string `json:"id"`
-	ExpirationDate    int64  `json:"expirationDate,string"`
-	StorageQuotaInGiB uint   `json:"storageQuotaInGiB,omitempty"`
+	ID             string `json:"id"`
+	ExpirationDate int64  `json:"expirationDate,string"`
+
+	// SubjectRole specifies the role and options for the role
+	SubjectRole OnboardingSubjectRoleSpec `json:"subjectRole"`
 }

services/ux-backend/handlers/onboardingtokens/handler.go

@@ -7,9 +7,10 @@ import (
 	"net/http"
 
 	"github.com/red-hat-storage/ocs-operator/v4/controllers/util"
+	"github.com/red-hat-storage/ocs-operator/v4/services"
 	"github.com/red-hat-storage/ocs-operator/v4/services/ux-backend/handlers"
+
 	"k8s.io/klog/v2"
-	"k8s.io/utils/ptr"
 )
 
 const (
@@ -32,9 +33,9 @@ func HandleMessage(w http.ResponseWriter, r *http.Request, tokenLifetimeInHours
 }
 
 func handlePost(w http.ResponseWriter, r *http.Request, tokenLifetimeInHours int) {
-	var storageQuotaInGiB *uint
-	// When ContentLength is 0 that means request body is empty and
-	// storage quota is unlimited
+
+	var roleSpec services.OnboardingSubjectRoleSpec
+	roleSpec.Role = services.ClientRole
 	var err error
 	if r.ContentLength != 0 {
 		var quota = struct {
@@ -55,9 +56,9 @@ func handlePost(w http.ResponseWriter, r *http.Request, tokenLifetimeInHours int
 			http.Error(w, fmt.Sprintf("invalid Unit type sent in request body, Valid types are [Gi,Ti,Pi]: %v", quota.Unit), http.StatusBadRequest)
 			return
 		}
-		storageQuotaInGiB = ptr.To(unitAsGiB * quota.Value)
+		roleSpec.ClientOptions = services.ClientRoleOptions{StorageQuotaInGiB: unitAsGiB * quota.Value}
 	}
-	if onboardingToken, err := util.GenerateOnboardingToken(tokenLifetimeInHours, onboardingPrivateKeyFilePath, storageQuotaInGiB); err != nil {
+	if onboardingToken, err := util.GenerateOnboardingToken(tokenLifetimeInHours, onboardingPrivateKeyFilePath, roleSpec); err != nil {
 		klog.Errorf("failed to get onboardig token: %v", err)
 		w.WriteHeader(http.StatusInternalServerError)
 		w.Header().Set("Content-Type", handlers.ContentTypeTextPlain)