Cluster bot org auth

Makefile

@@ -9,12 +9,15 @@ build_date=$(shell date -u '+%Y%m%d')
 version=v${build_date}-${git_commit}
 
 SOURCE_GIT_TAG=v1.0.0+$(shell git rev-parse --short=7 HEAD)
+# GCS support is enabled by default - append to build machinery's defaults
+GO_BUILD_FLAGS += -tags gcs
 
+# Extend OpenShift's standard ldflags
 GO_LD_EXTRAFLAGS=-X github.com/openshift/ci-chat-bot/vendor/k8s.io/client-go/pkg/version.gitCommit=$(shell git rev-parse HEAD) -X github.com/openshift/ci-chat-bot/vendor/k8s.io/client-go/pkg/version.gitVersion=${SOURCE_GIT_TAG} -X sigs.k8s.io/prow/version.Name=ci-chat-bot -X sigs.k8s.io/prow/version.Version=${version}
 GOLINT=golangci-lint run
 
 debug:
-	go build -gcflags="all=-N -l" ${GO_LD_FLAGS} -mod vendor -o ci-chat-bot ./cmd/...
+	go build $(GO_BUILD_FLAGS) -gcflags="all=-N -l" $(GO_LD_FLAGS) $(GO_MOD_FLAGS) -o ci-chat-bot ./cmd/...
 .PHONY: debug
 
 vendor:
@@ -31,6 +34,38 @@ run:
 	./hack/run.sh
 .PHONY: run
 
+run-gcs:
+	./hack/run-with-gcs.sh
+.PHONY: run-gcs
+
+run-local:
+	USE_GCS_ORGDATA=false ./hack/run.sh
+.PHONY: run-local
+
+help-ci-chat-bot:
+	@echo "CI Chat Bot specific targets:"
+	@echo "  build            - Build ci-chat-bot binary (GCS support included by default)"
+	@echo "  debug            - Build with debug symbols"
+	@echo "  run              - Run ci-chat-bot with hack/run.sh (auto-detects GCS vs local)"
+	@echo "  run-gcs          - Run with GCS backend explicitly"
+	@echo "  run-local        - Run with local file backend explicitly"
+	@echo ""
+	@echo "Build flags:"
+	@echo "  GO_BUILD_FLAGS   - Standard OpenShift build flags for custom tags"
+	@echo ""
+	@echo "Environment variables for hack scripts:"
+	@echo "  USE_GCS_ORGDATA  - Set to 'true' to use GCS backend"
+	@echo "  GCS_BUCKET       - GCS bucket name (default: resolved-org)"
+	@echo "  GCS_PROJECT_ID   - GCS project ID (default: openshift-crt)"
+	@echo "  ORGDATA_PATHS    - Local orgdata file path"
+	@echo "  AUTH_CONFIG      - Authorization config file path"
+	@echo ""
+	@echo "Examples:"
+	@echo "  make build                                # Build with all features (GCS included)"
+	@echo "  make run-gcs                              # Run with GCS backend"
+	@echo "  ORGDATA_PATHS=/my/file.json make run      # Run with custom local file"
+.PHONY: help-ci-chat-bot
+
 lint: verify-golint
 
 sonar-reports:

README.md

@@ -6,8 +6,80 @@ You'll be placed in a new channel with the App, and you'll be ready to begin lau
 
 To see the available commands, type `help`.
 
+## Features
+
+### 🔐 **Advanced Authorization System**
+- **Organizational data-based access control** using pre-computed indexes for fast lookups
+- **Multiple authorization levels**: User UID, team membership, organization-based permissions  
+- **Hot reload**: Automatic updates when organizational data or authorization config changes
+- **Complete hierarchy support**: Teams → Organizations → Pillars → Team Groups
+
+### ☁️ **Flexible Data Sources**
+- **Local files**: Development and testing with JSON files
+- **Google Cloud Storage**: Production deployments with secure, cross-cluster access
+- **Hot reload**: Both file watching and GCS polling for live updates
+- **Pluggable architecture**: Easy to extend with new data sources
+
+### 🚀 **Production Ready**
+- **Fast performance**: O(1) organizational lookups with pre-computed indexes
+- **Thread-safe**: Concurrent access with read-write mutex protection
+- **GCS support**: Cloud storage support included by default
+- **Secure authentication**: Application Default Credentials for GCS
+
+## Quick Start
+
+### Option 1: Local Development
+```bash
+# Set your organizational data file
+export ORGDATA_PATHS="/path/to/comprehensive_index_dump.json"
+
+# Start the bot
+./hack/run.sh
+```
+
+### Option 2: Google Cloud Storage
+```bash
+# Build (GCS support included by default)
+make build
+
+# Quick start with GCS
+./hack/run-with-gcs.sh
+
+# Or configure manually
+export USE_GCS_ORGDATA=true
+export GCS_BUCKET="your-bucket"
+export GCS_OBJECT_PATH="orgdata/comprehensive_index_dump.json"
+./hack/run.sh
+```
+
+### Check Your Permissions
+```
+@cluster-bot whoami
+```
+
+## Documentation
+
+- 📖 **[AUTHORIZATION.md](AUTHORIZATION.md)** - Complete authorization system setup and configuration
+- 🛠️ **[hack/DEVELOPMENT.md](hack/DEVELOPMENT.md)** - Detailed development setup guide
+- ❓ **[docs/FAQ.md](docs/FAQ.md)** - Frequently asked questions
+
+## Build Options
+
+```bash
+# Build (includes GCS support)
+make build
+
+# See all available targets
+make help-ci-chat-bot
+```
+
+## Getting Help
+
 For any questions, concerns, comments, etc, please reach out in the `#forum-ocp-crt` channel.
 
 ## Links
 * [OpenShift Releases](https://amd64.ocp.releases.ci.openshift.org/)
+* [Authorization System Documentation](AUTHORIZATION.md) - Complete setup guide
+* [Development Guide](hack/DEVELOPMENT.md) - Local development setup  
 * [Frequently Asked Questions](docs/FAQ.md)
+* [Makefile Help](Makefile) - Run `make help-ci-chat-bot` for build options

TEST-README.md

@@ -0,0 +1,153 @@
+# Testing the Authorization System
+
+This guide shows how to test the integrated orgdata authorization system with your existing test data.
+
+## 🗂️ Your Data Structure
+
+Your `test-data/orgdata.json` contains a hierarchical organization structure:
+- **Top-level org**: "Multi-product and Engineering Experience" 
+- **Teams**: Nested units with `"type": {"name": "team"}`
+- **Employees**: Found in `resolved_roles[].people[]` throughout the hierarchy
+
+The orgdata service automatically flattens this hierarchy to create indexed lookups.
+
+## 🧪 Quick Test (Direct Authorization Testing)
+
+Test the authorization logic directly without Slack:
+
+```bash
+# 1. Update test-auth.go with actual Slack IDs if needed (already configured)
+# 2. Run the test
+go run test-auth.go
+```
+
+**Expected Output:**
+```
+🔍 Testing User #1: Slack ID UFF9BL596
+==================================================
+Has org data: true
+Employee UID: benl
+Display Name: Ben
+Email: [email protected]
+Job Title: Senior Director, Engineering
+Teams: [...]
+Organizations: [Multi-product and Engineering Experience]
+
+📋 Command Authorization Tests:
+  version             : ✅ ALLOWED
+  whoami              : ✅ ALLOWED  
+  test_uid_command    : ✅ ALLOWED
+  launch              : ✅ ALLOWED
+  ...
+```
+
+## 🔍 Inspect Your Data
+
+See what's available for authorization rules:
+
+```bash
+chmod +x inspect-json.sh
+./inspect-json.sh test-data/orgdata.json
+```
+
+## 🤖 Full Bot Testing
+
+**Note:** For production, use GCS instead of local files. This test example is for development/testing only.
+
+Run the complete ci-chat-bot with authorization using GCS:
+
+```bash
+# Production approach (recommended)
+go run ./cmd/ci-chat-bot \
+  --gcs-enabled=true \
+  --gcs-bucket="your-test-bucket" \
+  --gcs-object-path="test-data/orgdata.json" \
+  --authorization-config="./test-authorization.yaml" \
+  --slack-token="your-slack-bot-token" \
+  --slack-signing-secret="your-signing-secret" \
+  --dry-run=true
+```
+
+Then test in Slack:
+```
+@your-bot whoami
+# Should show comprehensive info including:
+# *Organizational Memberships:*
+# • ACS UI (Team)
+# • Multi-product and Engineering Experience (Organization)
+# • Platform+ Engineering (Team Group)
+#
+# *Commands You Can Execute:*
+# 🌐 *Available to Everyone:* version, whoami
+# 👤 *Your Personal Access:* launch (if you're benl)
+# 👥 *Via Team Membership:* test_team_command (if you're in ACS UI)
+# 🏢 *Via Organization:* test_org_command (if you're in MPEX)
+
+@your-bot version
+@your-bot test_uid_command
+@your-bot launch
+```
+
+## 📋 Current Test Configuration
+
+The `test-authorization.yaml` includes:
+
+### ✅ **Allowed for Everyone:**
+- `version`, `whoami` (allow_all: true)
+
+### 🔒 **Restricted Commands:**
+- `test_uid_command` - Only for UIDs: benl, eparis, linsong
+- `test_team_command` - Only for team: "ACS UI"
+- `test_org_command` - Only for org: "Multi-product and Engineering Experience"
+- `launch` - Only for UID: benl (Senior Director)
+
+### 👥 **Test Users:**
+- **UFF9BL596** (benl) - Senior Director ✅ Access to everything
+- **U01PLAWUU8N** (linsong) - Associate Manager ✅ Limited access
+- **UNKNOWN_USER** - Not in org data ❌ Only allow_all commands
+
+## 🛠️ Customizing Authorization
+
+Edit `test-authorization.yaml` to add your own rules:
+
+```yaml
+# Allow specific users
+- command: "your_command"
+  allowed_uids:
+    - "user_uid_from_data"
+
+# Allow specific teams  
+- command: "team_command"
+  allowed_teams:
+    - "Team Name From Data"
+
+# Allow entire organization
+- command: "org_command"
+  allowed_orgs:
+    - "Multi-product and Engineering Experience"
+
+# Mixed authorization (OR logic)
+- command: "flexible_command"
+  allowed_uids: ["admin_uid"]
+  allowed_teams: ["Admin Team"]  
+  allowed_orgs: ["Admin Org"]
+```
+
+## 🎯 Authorization Priority
+
+1. **`allow_all: true`** → Everyone has access
+2. **`allowed_uids`** → Specific Employee.UID values
+3. **`allowed_teams`** → Team membership  
+4. **`allowed_orgs`** → Organization membership
+
+If any check passes, access is granted. If all fail, access is denied with a helpful message.
+
+## 📊 Understanding Your Data
+
+The hierarchical structure is automatically processed:
+- **Teams** are identified by `"type": {"name": "team"}`
+- **Employees** are collected from all `resolved_roles[].people[]` 
+- **Organizations** are derived from the org path hierarchy
+- **All data** is flattened and indexed for fast O(1) lookups
+
+Perfect for testing authorization rules with your real organizational structure! 🚀