feat: Introduce a new filter to exclude private ContactGroups (#494)

Updates the ContactGroup visibility filter to strictly enforce
spec.visibility=public for user-scoped requests.

- Private contact groups are now hidden from this endpoint regardless of
membership.
- Updated unit tests and E2E scenarios to verify strict public-only
filtering.

Relates to:
https://datum-inc.slack.com/archives/C084W6XRVS7/p1770121357391059

Author: JoseSzycho

cmd/milo/apiserver/config.go

@@ -402,7 +402,7 @@ func DefaultBuildHandlerChain(apiHandler http.Handler, c *server.Config, loopbac
 	handler = datumfilters.UserContactListConstraintDecorator(handler)
 	handler = datumfilters.UserContactGroupMembershipListConstraintDecorator(handler)
 	handler = datumfilters.UserContactGroupMembershipRemovalListConstraintDecorator(handler)
-	handler = datumfilters.ContactGroupVisibilityDecorator(loopbackConfig)(handler)
+	handler = datumfilters.ContactGroupVisibilityWithoutPrivateDecorator(handler)
 	handler = genericapifilters.WithRequestInfo(handler, c.RequestInfoResolver)
 	handler = genericapifilters.WithRequestReceivedTimestamp(handler)
 	// handler = genericapifilters.WithMuxAndDiscoveryComplete(handler, c.lifecycleSignals.MuxAndDiscoveryComplete.Signaled())

config/crd/bases/notification/notification.miloapis.com_contactgroups.yaml

@@ -216,6 +216,8 @@ spec:
                 type: array
             type: object
         type: object
+    selectableFields:
+    - jsonPath: .spec.visibility
     served: true
     storage: true
     subresources:

pkg/apis/notification/v1alpha1/contactgroup_types.go

@@ -52,6 +52,7 @@ const (
 // +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status"
 // +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"
 // +kubebuilder:resource:scope=Namespaced
+// +kubebuilder:selectablefield:JSONPath=".spec.visibility"
 type ContactGroup struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`

pkg/server/filters/contactgroups_excludeprivates.go

@@ -0,0 +1,84 @@
+package filters
+
+import (
+	"fmt"
+	"net/http"
+	"net/url"
+
+	"k8s.io/apimachinery/pkg/fields"
+	"k8s.io/apiserver/pkg/endpoints/handlers/responsewriters"
+	"k8s.io/apiserver/pkg/endpoints/request"
+
+	notificationv1alpha1 "go.miloapis.com/milo/pkg/apis/notification/v1alpha1"
+)
+
+const (
+	// ContactGroupVisibilityFieldSelector is the field selector for the visibility in a contact group.
+	ContactGroupVisibilityFieldSelector = "spec.visibility"
+)
+
+// ContactGroupVisibilityWithoutPrivateDecorator intercepts requests to list
+// contact groups, and injects a field selector to only include public contact groups.
+//
+// This is done so that end users can execute `kubectl get contactgroups`
+// and only see public contact groups.
+func ContactGroupVisibilityWithoutPrivateDecorator(handler http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+		ctx := req.Context()
+		info, ok := request.RequestInfoFrom(ctx)
+		if !ok {
+			responsewriters.InternalError(w, req, fmt.Errorf("failed to get RequestInfo from context"))
+			return
+		}
+
+		if info.APIGroup == notificationv1alpha1.SchemeGroupVersion.Group && info.Resource == "contactgroups" && info.Verb == "list" {
+			_, ok := ctx.Value(UserIDContextKey).(string)
+			if ok {
+				currentSelector, err := fields.ParseSelector(info.FieldSelector)
+				if err != nil {
+					responsewriters.InternalError(w, req, fmt.Errorf("failed to parse label selector: %w", err))
+					return
+				}
+
+				// Filter out any subject constraints that may have been provided
+				// in the request by rebuilding the selector without them.
+				filteredSelector := fields.Nothing()
+				for _, r := range currentSelector.Requirements() {
+					if r.Field == ContactGroupVisibilityFieldSelector {
+						// Skip any pre-existing subject constraints so we can
+						// replace it with the authenticated user's ID.
+						continue
+					}
+					filteredSelector = fields.AndSelectors(filteredSelector, fields.OneTermEqualSelector(r.Field, r.Value))
+				}
+
+				// Combine the filtered selector with the new subject requirements.
+				currentSelector = filteredSelector
+
+				// Build new selector, filtering out any user-id/kind constraint that
+				// may have been provided in the request
+				newSelector := fields.AndSelectors(currentSelector, fields.SelectorFromSet(fields.Set{
+					ContactGroupVisibilityFieldSelector: "public",
+				}))
+
+				// Set the new field selector on the request info.
+				info.FieldSelector = newSelector.String()
+
+				// Inject the new selector into the request
+				query, err := url.ParseQuery(req.URL.RawQuery)
+				if err != nil {
+					responsewriters.InternalError(w, req, fmt.Errorf("failed to parse url query: %w", err))
+					return
+				}
+				query.Del("fieldSelector")
+				query.Add("fieldSelector", info.FieldSelector)
+
+				req.URL.RawQuery = query.Encode()
+			}
+		}
+
+		req = req.WithContext(request.WithRequestInfo(ctx, info))
+
+		handler.ServeHTTP(w, req)
+	})
+}

pkg/server/filters/contactgroups_excludeprivates_test.go

@@ -0,0 +1,132 @@
+package filters
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"testing"
+
+	"k8s.io/apiserver/pkg/endpoints/request"
+
+	notificationv1alpha1 "go.miloapis.com/milo/pkg/apis/notification/v1alpha1"
+)
+
+func TestContactGroupVisibilityWithoutPrivateDecorator(t *testing.T) {
+	testCases := []struct {
+		name                  string
+		requestPath           string
+		apiGroup              string
+		resource              string
+		verb                  string
+		userID                string
+		existingFieldSelector string
+		expectedFieldSelector string
+	}{
+		{
+			name:                  "contactgroups list with user context",
+			apiGroup:              notificationv1alpha1.SchemeGroupVersion.Group,
+			resource:              "contactgroups",
+			verb:                  "list",
+			userID:                "test-user",
+			existingFieldSelector: "",
+			expectedFieldSelector: ",spec.visibility=public",
+		},
+		{
+			name:                  "contactgroups list with existing field selector",
+			apiGroup:              notificationv1alpha1.SchemeGroupVersion.Group,
+			resource:              "contactgroups",
+			verb:                  "list",
+			userID:                "test-user",
+			existingFieldSelector: "metadata.name=test-group",
+			expectedFieldSelector: ",metadata.name=test-group,spec.visibility=public",
+		},
+		{
+			name:                  "existing visibility filter replaced",
+			requestPath:           "/apis/notification.miloapis.com/v1alpha1/contactgroups",
+			apiGroup:              notificationv1alpha1.SchemeGroupVersion.Group,
+			resource:              "contactgroups",
+			verb:                  "list",
+			userID:                "test-user",
+			existingFieldSelector: "spec.visibility=private",
+			expectedFieldSelector: ",spec.visibility=public",
+		},
+		{
+			name:        "non-contactgroups request",
+			requestPath: "/api/v1/pods",
+			apiGroup:    "",
+			resource:    "pods",
+			verb:        "list",
+			userID:      "test-user",
+		},
+		{
+			name:        "contactgroups get request",
+			requestPath: "/apis/notification.miloapis.com/v1alpha1/contactgroups/test-group",
+			apiGroup:    notificationv1alpha1.SchemeGroupVersion.Group,
+			resource:    "contactgroups",
+			verb:        "get",
+			userID:      "test-user",
+		},
+		{
+			name:                  "contactgroups list without user context",
+			apiGroup:              notificationv1alpha1.SchemeGroupVersion.Group,
+			resource:              "contactgroups",
+			verb:                  "list",
+			userID:                "",
+			existingFieldSelector: "",
+			expectedFieldSelector: "", // Should not be modified
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			var capturedFieldSelector string
+
+			handler := ContactGroupVisibilityWithoutPrivateDecorator(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+				if info, ok := request.RequestInfoFrom(req.Context()); ok {
+					capturedFieldSelector = info.FieldSelector
+				}
+			}))
+
+			requestURL := tc.requestPath
+			if tc.existingFieldSelector != "" {
+				u, _ := url.Parse(requestURL)
+				query := u.Query()
+				query.Set("fieldSelector", tc.existingFieldSelector)
+				u.RawQuery = query.Encode()
+				requestURL = u.String()
+			}
+
+			req := httptest.NewRequest("GET", "http://localhost"+requestURL, nil)
+			ctx := req.Context()
+
+			requestInfo := &request.RequestInfo{
+				IsResourceRequest: true,
+				APIGroup:          tc.apiGroup,
+				Resource:          tc.resource,
+				Verb:              tc.verb,
+				FieldSelector:     tc.existingFieldSelector,
+			}
+
+			ctx = request.WithRequestInfo(ctx, requestInfo)
+
+			if tc.userID != "" {
+				ctx = request.WithValue(ctx, UserIDContextKey, tc.userID)
+			}
+
+			req = req.WithContext(ctx)
+			w := httptest.NewRecorder()
+
+			handler.ServeHTTP(w, req)
+
+			if tc.expectedFieldSelector != "" {
+				if capturedFieldSelector != tc.expectedFieldSelector {
+					t.Fatalf("expected field selector %q, got %q", tc.expectedFieldSelector, capturedFieldSelector)
+				}
+			} else if tc.expectedFieldSelector == "" {
+				if capturedFieldSelector != tc.existingFieldSelector {
+					t.Fatalf("expected field selector to be unchanged %q, got %q", tc.existingFieldSelector, capturedFieldSelector)
+				}
+			}
+		})
+	}
+}

pkg/server/filters/contactgroups.go …filters/contactgroups_includeprivates.gopkg/server/filters/contactgroups.go renamed to pkg/server/filters/contactgroups_includeprivates.go pkg/server/filters/contactgroups.go renamed to pkg/server/filters/contactgroups_includeprivates.go

@@ -26,14 +26,14 @@ import (
 //   - Public contact groups are visible to all users
 //   - Private contact groups are only visible to users who have an associated
 //     ContactGroupMembership
-type ContactGroupVisibilityFilter struct {
+type ContactGroupVisibilityWithPrivateFilter struct {
 	loopbackConfig *rest.Config
 	clientGetter   func() (dynamic.Interface, error)
 }
 
 // NewContactGroupVisibilityFilter creates a new ContactGroupVisibilityFilter.
-func NewContactGroupVisibilityFilter(loopbackConfig *rest.Config) *ContactGroupVisibilityFilter {
-	return &ContactGroupVisibilityFilter{
+func NewContactGroupVisibilityWithPrivateFilter(loopbackConfig *rest.Config) *ContactGroupVisibilityWithPrivateFilter {
+	return &ContactGroupVisibilityWithPrivateFilter{
 		loopbackConfig: loopbackConfig,
 		clientGetter: func() (dynamic.Interface, error) {
 			return dynamic.NewForConfig(loopbackConfig)
@@ -47,13 +47,13 @@ func NewContactGroupVisibilityFilter(loopbackConfig *rest.Config) *ContactGroupV
 // Visibility rules:
 //   - Public groups: visible to everyone
 //   - Private groups: only visible if the user has a ContactGroupMembership associated with that group
-func ContactGroupVisibilityDecorator(loopbackConfig *rest.Config) func(http.Handler) http.Handler {
-	filter := NewContactGroupVisibilityFilter(loopbackConfig)
+func ContactGroupVisibilityWithPrivateDecorator(loopbackConfig *rest.Config) func(http.Handler) http.Handler {
+	filter := NewContactGroupVisibilityWithPrivateFilter(loopbackConfig)
 	return filter.Wrap
 }
 
 // Wrap wraps the provided handler with contact group visibility filtering.
-func (f *ContactGroupVisibilityFilter) Wrap(handler http.Handler) http.Handler {
+func (f *ContactGroupVisibilityWithPrivateFilter) Wrap(handler http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
 		ctx := req.Context()
 		info, ok := request.RequestInfoFrom(ctx)
@@ -104,7 +104,7 @@ func (f *ContactGroupVisibilityFilter) Wrap(handler http.Handler) http.Handler {
 
 // filterContactGroups filters the list of contact groups based on visibility rules.
 // Supports both ContactGroupList/List responses and Table responses (kubectl default).
-func (f *ContactGroupVisibilityFilter) filterContactGroups(ctx context.Context, userID string, body []byte) ([]byte, error) {
+func (f *ContactGroupVisibilityWithPrivateFilter) filterContactGroups(ctx context.Context, userID string, body []byte) ([]byte, error) {
 	// First, check the response kind to determine how to filter it.
 	var typeMeta struct {
 		Kind string `json:"kind"`
@@ -135,7 +135,7 @@ func (f *ContactGroupVisibilityFilter) filterContactGroups(ctx context.Context,
 
 // buildAccessibleGroupsSet returns the set of group keys (namespace/name) accessible to the user.
 // Returns the map and a boolean indicating if the user has an associated Contact.
-func (f *ContactGroupVisibilityFilter) buildAccessibleGroupsSet(ctx context.Context, client dynamic.Interface, userID string) (map[string]bool, bool) {
+func (f *ContactGroupVisibilityWithPrivateFilter) buildAccessibleGroupsSet(ctx context.Context, client dynamic.Interface, userID string) (map[string]bool, bool) {
 	contactName, contactNamespace, err := f.findContactForUser(ctx, client, userID)
 	if err != nil {
 		// No contact found, user can only see public groups
@@ -152,7 +152,7 @@ func (f *ContactGroupVisibilityFilter) buildAccessibleGroupsSet(ctx context.Cont
 }
 
 // filterListResponse filters a ContactGroupList or List response.
-func (f *ContactGroupVisibilityFilter) filterListResponse(body []byte, accessibleGroups map[string]bool, hasContact bool) ([]byte, error) {
+func (f *ContactGroupVisibilityWithPrivateFilter) filterListResponse(body []byte, accessibleGroups map[string]bool, hasContact bool) ([]byte, error) {
 	var contactGroupList notificationv1alpha1.ContactGroupList
 	if err := json.Unmarshal(body, &contactGroupList); err != nil {
 		return nil, fmt.Errorf("failed to unmarshal contact group list: %w", err)
@@ -164,7 +164,7 @@ func (f *ContactGroupVisibilityFilter) filterListResponse(body []byte, accessibl
 }
 
 // filterTableResponse filters a Table response (kubectl default format).
-func (f *ContactGroupVisibilityFilter) filterTableResponse(ctx context.Context, client dynamic.Interface, body []byte, accessibleGroups map[string]bool, hasContact bool) ([]byte, error) {
+func (f *ContactGroupVisibilityWithPrivateFilter) filterTableResponse(ctx context.Context, client dynamic.Interface, body []byte, accessibleGroups map[string]bool, hasContact bool) ([]byte, error) {
 	var table metav1.Table
 	if err := json.Unmarshal(body, &table); err != nil {
 		return nil, fmt.Errorf("failed to unmarshal table: %w", err)
@@ -210,7 +210,7 @@ func (f *ContactGroupVisibilityFilter) filterTableResponse(ctx context.Context,
 }
 
 // filterGroupItems filters a slice of ContactGroup items based on visibility rules.
-func (f *ContactGroupVisibilityFilter) filterGroupItems(groups []notificationv1alpha1.ContactGroup, accessibleGroups map[string]bool, hasContact bool) []notificationv1alpha1.ContactGroup {
+func (f *ContactGroupVisibilityWithPrivateFilter) filterGroupItems(groups []notificationv1alpha1.ContactGroup, accessibleGroups map[string]bool, hasContact bool) []notificationv1alpha1.ContactGroup {
 	filtered := make([]notificationv1alpha1.ContactGroup, 0, len(groups))
 	for _, group := range groups {
 		if f.isGroupVisible(group, accessibleGroups, hasContact) {
@@ -221,7 +221,7 @@ func (f *ContactGroupVisibilityFilter) filterGroupItems(groups []notificationv1a
 }
 
 // isGroupVisible determines if a contact group is visible to the user.
-func (f *ContactGroupVisibilityFilter) isGroupVisible(group notificationv1alpha1.ContactGroup, accessibleGroups map[string]bool, hasContact bool) bool {
+func (f *ContactGroupVisibilityWithPrivateFilter) isGroupVisible(group notificationv1alpha1.ContactGroup, accessibleGroups map[string]bool, hasContact bool) bool {
 	// Public groups are always visible
 	if group.Spec.Visibility == notificationv1alpha1.ContactGroupVisibilityPublic {
 		return true
@@ -238,7 +238,7 @@ func (f *ContactGroupVisibilityFilter) isGroupVisible(group notificationv1alpha1
 
 // findContactForUser finds the Contact resource for the given user ID.
 // Searches across all namespaces and returns the contact name, namespace, and any error.
-func (f *ContactGroupVisibilityFilter) findContactForUser(ctx context.Context, client dynamic.Interface, userID string) (string, string, error) {
+func (f *ContactGroupVisibilityWithPrivateFilter) findContactForUser(ctx context.Context, client dynamic.Interface, userID string) (string, string, error) {
 	// Query contacts across all namespaces
 	contactGVR := notificationv1alpha1.SchemeGroupVersion.WithResource("contacts")
 
@@ -265,7 +265,7 @@ func (f *ContactGroupVisibilityFilter) findContactForUser(ctx context.Context, c
 
 // getAccessibleGroups returns the list of contact group keys (namespace/name) that the user has access to
 // (through membership or removal records). Searches across all namespaces.
-func (f *ContactGroupVisibilityFilter) getAccessibleGroups(ctx context.Context, client dynamic.Interface, contactName, contactNamespace string) (map[string]bool, error) {
+func (f *ContactGroupVisibilityWithPrivateFilter) getAccessibleGroups(ctx context.Context, client dynamic.Interface, contactName, contactNamespace string) (map[string]bool, error) {
 	accessibleGroups := make(map[string]bool)
 
 	// Get memberships for this contact across all namespaces

pkg/server/filters/contactgroups_test.go …rs/contactgroups_includeprivates_test.gopkg/server/filters/contactgroups_test.go renamed to pkg/server/filters/contactgroups_includeprivates_test.go pkg/server/filters/contactgroups_test.go renamed to pkg/server/filters/contactgroups_includeprivates_test.go

@@ -21,7 +21,7 @@ import (
 )
 
 func TestFilterGroupItems(t *testing.T) {
-	f := NewContactGroupVisibilityFilter(nil)
+	f := NewContactGroupVisibilityWithPrivateFilter(nil)
 
 	tests := []struct {
 		name             string
@@ -340,7 +340,7 @@ func TestContactGroupVisibilityFilter_Visibility(t *testing.T) {
 	for _, tc := range tests {
 		t.Run(tc.name, func(t *testing.T) {
 			// Setup fake client
-			f := NewContactGroupVisibilityFilter(nil)
+			f := NewContactGroupVisibilityWithPrivateFilter(nil)
 			f.clientGetter = func() (dynamic.Interface, error) {
 				// Convert typed objects to unstructured for the dynamic client
 				scheme := runtime.NewScheme()