RHINENG-22821: fix rbac/kessel switch

[Dugowitch]

This is not expected to fix the issue from the ticket, I just noticed this bug during testing

Secure Coding Practices Checklist GitHub Link

• https://github.com/RedHatInsights/secure-coding-checklist

Secure Coding Checklist

• Input Validation
• Output Encoding
• Authentication and Password Management
• Session Management
• Access Control
• Cryptographic Practices
• Error Handling and Logging
• Data Protection
• Communication Security
• System Configuration
• Database Security
• File Management
• Memory Management
• General Coding Practices

Summary by Sourcery

Enhancements:

• Adjust middleware selection so that RBAC is only applied when Kessel is disabled, avoiding conflicting access control handlers.

[sourcery-ai]

Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

Adjusts the authenticated routes middleware chain so that RBAC and Kessel are mutually exclusive, applying Kessel when enabled and RBAC otherwise to avoid conflicting access control handlers.

Sequence diagram for request handling with Kessel vs RBAC middleware

sequenceDiagram
    actor Client
    participant GinRouter as GinRouterGroup_api
    participant UserAuth as GinRouterGroup_userAuth
    participant DBMW as DatabaseWithContext
    participant KesselMW as Kessel
    participant RBACMW as RBAC
    participant PublicAuth as PublicAuthenticator
    participant Handler as EndpointHandler

    Client->>GinRouter: HTTP request
    GinRouter->>DBMW: Apply DatabaseWithContext
    DBMW-->>GinRouter: Next
    GinRouter->>UserAuth: Route to userAuth group

    alt KesselEnabled
        UserAuth->>KesselMW: Apply Kessel
        KesselMW-->>UserAuth: Next
    else KesselDisabled
        UserAuth->>RBACMW: Apply RBAC
        RBACMW-->>UserAuth: Next
    end

    UserAuth->>PublicAuth: Apply PublicAuthenticator
    PublicAuth-->>UserAuth: Next
    UserAuth->>Handler: Invoke handler
    Handler-->>Client: HTTP response

Loading

Flow diagram for InitAPI middleware selection between Kessel and RBAC

flowchart TD
    A["InitAPI called"] --> B["Create api RouterGroup"]
    B --> C["api.Use DatabaseWithContext"]
    C --> D["Create userAuth = api.Group /"]
    D --> E{CoreCfg.KesselEnabled?}
    E -->|true| F["userAuth.Use Kessel"]
    E -->|false| G["userAuth.Use RBAC"]
    F --> H["userAuth.Use PublicAuthenticator"]
    G --> H["userAuth.Use PublicAuthenticator"]
    H --> I["Register authenticated routes on userAuth"]

Loading

File-Level Changes

Change	Details	Files
Make RBAC and Kessel middlewares mutually exclusive on authenticated routes based on configuration.	Remove unconditional RBAC middleware from the authenticated routes group initialization. Wrap middleware selection in a conditional: apply Kessel middleware when the Kessel feature flag is enabled. Apply RBAC middleware only when the Kessel feature flag is disabled, ensuring only one access-control mechanism is active at a time. Preserve the existing DatabaseWithContext and PublicAuthenticator middleware usage around the updated access-control logic.	manager/routes/routes.go

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[codecov-commenter]

Codecov Report

❌ Patch coverage is 0% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 59.38%. Comparing base (ff33bf9) to head (9f605a0).

Files with missing lines	Patch %	Lines
manager/routes/routes.go	0.00%	2 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #2054      +/-   ##
==========================================
- Coverage   59.39%   59.38%   -0.01%     
==========================================
  Files         134      134              
  Lines        8678     8679       +1     
==========================================
  Hits         5154     5154              
- Misses       2977     2978       +1     
  Partials      547      547              

Flag	Coverage Δ
unittests	59.38% <0.00%> (-0.01%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[sourcery-ai]

Hey - I've left some high level feedback:

• Consider adding a brief code comment explaining that Kessel and RBAC middleware are mutually exclusive here so future changes don’t accidentally reintroduce both on the same route group.
• It may be clearer to construct the middleware slice conditionally (e.g., authMiddlewares := []gin.HandlerFunc{} then append either Kessel or RBAC) before applying it to the group, which can help avoid duplication if additional auth middlewares are added later.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- Consider adding a brief code comment explaining that Kessel and RBAC middleware are mutually exclusive here so future changes don’t accidentally reintroduce both on the same route group.
- It may be clearer to construct the middleware slice conditionally (e.g., `authMiddlewares := []gin.HandlerFunc{}` then append either Kessel or RBAC) before applying it to the group, which can help avoid duplication if additional auth middlewares are added later.

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}