OCPBUGS-81749: Gate Install button and operand Create button on RBAC

[sampadasawant-36]

Summary

Follow-up to #16554 which covered most of OCPBUGS-81749. That PR fixed Edit Subscription, channel/approval pencil buttons, descriptor edit buttons, and the catalog source Enable button, but the original Jira description also explicitly lists Install Operator and Create custom resources as actions that should be gated on RBAC. This PR fills those two remaining gaps.

Changes

frontend/packages/operator-lifecycle-manager/src/components/operator-hub/operator-hub-subscribe.tsx

Add a useAccessReview check for create on SubscriptionModel and disable the Install button when the user lacks that permission:

const canCreateSubscription = useAccessReview({
  group: SubscriptionModel.apiGroup,
  resource: SubscriptionModel.plural,
  verb: 'create',
});
// ...
isDisabled={formValid() || !canCreateSubscription}

frontend/packages/operator-lifecycle-manager/src/components/operand/index.tsx

Pass createAccessReview to ListPageCreateLink in DefaultProvidedAPIPage so the existing RequireCreatePermission mechanism hides the Create <Kind> button when the user cannot create that operand type — consistent with the CRD card pattern already in place:

<ListPageCreateLink
  to={createPath}
  createAccessReview={{ groupVersionKind: { group, version, kind }, namespace }}
>

Before / After

UI element	Before	After
Install button on Operator Hub subscribe form	Always enabled (if form valid)	Disabled when user lacks create on subscriptions
Create <Kind> on operand list page	Always shown	Hidden when user lacks create on that CR type

Tests

• operator-hub/__tests__/operator-hub-subscribe.spec.tsx (new) — verifies Install button is disabled when useAccessReview returns false for Subscription create
• operand/__tests__/index.spec.tsx — verifies Create button is hidden when useAccessReviewAllowed returns false

Test plan

• As cluster-admin, Install button and operand Create button remain fully functional
• As a user without create subscriptions permission, the Install button on the Operator Hub subscribe form is disabled
• As a user without create on a CR kind, the Create <Kind> button is hidden on the operand list page

Made with Cursor

Summary by CodeRabbit

• New Features

  • Create and Install buttons now respect user permissions and become disabled when the user lacks authorization.

• Tests

  • Added test coverage for permission-based UI behavior and access control.

[openshift-ci-robot]

@sampadasawant-36: This pull request references Jira Issue OCPBUGS-81749, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Summary

Follow-up to #16554 which covered most of OCPBUGS-81749. That PR fixed Edit Subscription, channel/approval pencil buttons, descriptor edit buttons, and the catalog source Enable button, but the original Jira description also explicitly lists Install Operator and Create custom resources as actions that should be gated on RBAC. This PR fills those two remaining gaps.

Changes

frontend/packages/operator-lifecycle-manager/src/components/operator-hub/operator-hub-subscribe.tsx

Add a useAccessReview check for create on SubscriptionModel and disable the Install button when the user lacks that permission:

const canCreateSubscription = useAccessReview({
 group: SubscriptionModel.apiGroup,
 resource: SubscriptionModel.plural,
 verb: 'create',
});
// ...
isDisabled={formValid() || !canCreateSubscription}

frontend/packages/operator-lifecycle-manager/src/components/operand/index.tsx

Pass createAccessReview to ListPageCreateLink in DefaultProvidedAPIPage so the existing RequireCreatePermission mechanism hides the Create <Kind> button when the user cannot create that operand type — consistent with the CRD card pattern already in place:

<ListPageCreateLink
 to={createPath}
 createAccessReview={{ groupVersionKind: { group, version, kind }, namespace }}
>

Before / After

UI element	Before	After
Install button on Operator Hub subscribe form	Always enabled (if form valid)	Disabled when user lacks create on subscriptions
Create <Kind> on operand list page	Always shown	Hidden when user lacks create on that CR type

Tests

• operator-hub/__tests__/operator-hub-subscribe.spec.tsx (new) — verifies Install button is disabled when useAccessReview returns false for Subscription create
• operand/__tests__/index.spec.tsx — verifies Create button is hidden when useAccessReviewAllowed returns false

Test plan

• As cluster-admin, Install button and operand Create button remain fully functional
• As a user without create subscriptions permission, the Install button on the Operator Hub subscribe form is disabled
• As a user without create on a CR kind, the Create <Kind> button is hidden on the operand list page

Made with Cursor

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: sampadasawant-36
Once this PR has been reviewed and has the lgtm label, please assign logonoff for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• frontend/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Walkthrough

Adds RBAC permission checks to operator creation flows. OperatorHubSubscribePage disables the Install button when users lack Subscription create permission. ProvidedAPIPage passes access review metadata to ListPageCreateLink to enable permission-based visibility. Both changes include comprehensive test coverage for allowed and denied permission states.

Changes

RBAC Permission Controls for Creation Flows

Layer / File(s)	Summary
OperatorHub Subscription creation permission enforcement frontend/packages/operator-lifecycle-manager/src/components/operator-hub/operator-hub-subscribe.tsx, frontend/packages/operator-lifecycle-manager/src/components/operator-hub/__tests__/operator-hub-subscribe.spec.tsx	useAccessReview hook checks whether the current user can create Subscription resources. The Install button becomes disabled when permission is denied, and tests verify both the disabled state when access is denied and the button presence when access is granted.
Operand instance creation with access review metadata frontend/packages/operator-lifecycle-manager/src/components/operand/index.tsx, frontend/packages/operator-lifecycle-manager/src/components/operand/__tests__/index.spec.tsx	ListPageCreateLink now includes createAccessReview metadata with the operand's groupVersionKind and namespace to support access review logic. Tests verify the create button is hidden when useAccessReviewAllowed returns false.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 15

✅ Passed checks (15 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: gating Install and Create buttons on RBAC checks, directly addressing OCPBUGS-81749.
Description check	✅ Passed	The description provides comprehensive context including analysis, solution details, before/after comparison, and test cases, though some template sections remain unchecked.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	Scanned PR test files’ it()/describe() titles (operand/index.spec.tsx, operator-hub-subscribe.spec.tsx); all are static strings with no UUIDs, dates/timestamps, random suffixes, pod/node/ns names...
Test Structure And Quality	✅ Passed	Reviewed Jest tests in operand/index.spec.tsx and operator-hub-subscribe.spec.tsx: each It block checks a single RBAC UI outcome; setup uses beforeEach; no cluster waits/resources/timeouts or Ginkg...
Microshift Test Compatibility	✅ Passed	PR #16614 only modifies four front-end .tsx files (unit tests/components); no new Ginkgo e2e tests or OpenShift API usages for MicroShift compatibility are introduced.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	Inspected the PR’s touched files (operand/operator-hub Jest tests and TSX components); none import/use Ginkgo (It/Describe/onsi/ginkgo) or any SNO multi-node topology checks.
Topology-Aware Scheduling Compatibility	✅ Passed	Scanned the PR’s affected TSX/test files for scheduling constraints (affinity, topologySpreadConstraints, anti-affinity, nodeSelector/role labels, PDB); none found.
Ote Binary Stdout Contract	✅ Passed	PR #16614 changes only 4 .tsx files; no Go/OTE main/init/TestMain-level stdout code modified, so no JSON-stdout contract violation. citeturn0view0
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	Repo-wide search found 0 occurrences of “ginkgo”/“onsi/ginkgo”; the PR’s related test/code files also contain no hardcoded IPv4/localhost or external URL patterns.
No-Weak-Crypto	✅ Passed	No weak-crypto markers (MD5/SHA1/DES/RC4/3DES/Blowfish/ECB/crypto) found in PR diff via web.find; no secret/token comparison patterns observed.
Container-Privileges	✅ Passed	PR #16614 only modifies four TSX files for RBAC UI; no container/K8s manifest changes or privileged/securityContext/hostPID/hostNetwork/hostIPC/SYS_ADMIN/allowPrivilegeEscalation found.
No-Sensitive-Data-In-Logs	✅ Passed	Scanned the PR’s touched files for console/logging; only two console.error calls use static strings, and no tokens/PII/passwords/secrets are logged.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

Hi @sampadasawant-36. Thanks for your PR.

I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@frontend/packages/operator-lifecycle-manager/src/components/operator-hub/__tests__/operator-hub-subscribe.spec.tsx`:
- Around line 147-150: Mocks for the curried APIs used by
OperatorHubSubscribePage are returning non-curried values; update
providedAPIsForChannel and referenceForProvidedAPI to return functions (e.g.,
change providedAPIsForChannel: jest.fn(() => []) to providedAPIsForChannel:
jest.fn(() => () => []) and referenceForProvidedAPI: jest.fn(() =>
'test~v1~Kind') to referenceForProvidedAPI: jest.fn(() => () =>
'test~v1~Kind')), and apply the same curry-fix to any other similar mocks around
the 153-154 area so their shapes match the component’s curried calls.

In
`@frontend/packages/operator-lifecycle-manager/src/components/operator-hub/operator-hub-subscribe.tsx`:
- Around line 237-241: The RBAC check using useAccessReview for
canCreateSubscription currently omits the namespace, causing false negatives for
users with namespace-scoped create permission; update the useAccessReview call
(the canCreateSubscription check) to include the target namespace (the same
namespace used for subscription.metadata.namespace) so the access review is
performed against that namespace (and apply the same fix where useAccessReview
is used again for SubscriptionModel elsewhere in this file).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 3a99315f-f66a-42b3-a57f-fc307c8ec3f2

📥 Commits

Reviewing files that changed from the base of the PR and between ee28e61 and ef43305.

📒 Files selected for processing (4)

• frontend/packages/operator-lifecycle-manager/src/components/operand/__tests__/index.spec.tsx
• frontend/packages/operator-lifecycle-manager/src/components/operand/index.tsx
• frontend/packages/operator-lifecycle-manager/src/components/operator-hub/__tests__/operator-hub-subscribe.spec.tsx
• frontend/packages/operator-lifecycle-manager/src/components/operator-hub/operator-hub-subscribe.tsx

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Fix mocked function shapes to match the component’s curried API contracts.

At Lines 147-150 and 153-154, several mocks return non-curried values, but OperatorHubSubscribePage calls these APIs as chained/curried functions. This can cause runtime TypeError during render and make the RBAC assertions non-representative.

Suggested fix

+import { InstallModeType } from '../../../types';
@@
 jest.mock('../../index', () => ({
   defaultChannelNameFor: jest.fn((pkg) => pkg?.status?.defaultChannel || null),
   getManualSubscriptionsInNamespace: jest.fn(() => []),
   iconFor: jest.fn(() => null),
   NamespaceIncludesManualApproval: jest.fn(() => null),
-  providedAPIsForChannel: jest.fn(() => []),
+  providedAPIsForChannel: jest.fn(() => () => []),
   referenceForProvidedAPI: jest.fn(() => 'test~v1~Kind'),
-  supportedInstallModesFor: jest.fn(() => () => true),
+  supportedInstallModesFor: jest.fn(() => () => [
+    { type: InstallModeType.InstallModeTypeOwnNamespace, supported: true },
+    { type: InstallModeType.InstallModeTypeAllNamespaces, supported: true },
+  ]),
 }));
@@
 jest.mock('../../operator-group', () => ({
-  installedFor: jest.fn(() => () => false),
+  installedFor: jest.fn(() => () => () => () => false),
   supports: jest.fn(() => () => true),
   providedAPIsForOperatorGroup: jest.fn(() => []),
   isGlobal: jest.fn(() => false),
 }));

Also applies to: 153-154

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@frontend/packages/operator-lifecycle-manager/src/components/operator-hub/__tests__/operator-hub-subscribe.spec.tsx`
around lines 147 - 150, Mocks for the curried APIs used by
OperatorHubSubscribePage are returning non-curried values; update
providedAPIsForChannel and referenceForProvidedAPI to return functions (e.g.,
change providedAPIsForChannel: jest.fn(() => []) to providedAPIsForChannel:
jest.fn(() => () => []) and referenceForProvidedAPI: jest.fn(() =>
'test~v1~Kind') to referenceForProvidedAPI: jest.fn(() => () =>
'test~v1~Kind')), and apply the same curry-fix to any other similar mocks around
the 153-154 area so their shapes match the component’s curried calls.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Scope the Subscription access review to the selected namespace.

At Line 237, the RBAC check omits namespace, but the actual create operation is namespace-scoped (subscription.metadata.namespace at Line 480). This can disable Install for users who have create on subscriptions only in specific namespaces.

Suggested fix

-  const canCreateSubscription = useAccessReview({
-    group: SubscriptionModel.apiGroup,
-    resource: SubscriptionModel.plural,
-    verb: 'create',
-  });
+  // Place this after `selectedTargetNamespace` is derived
+  const canCreateSubscription = useAccessReview({
+    group: SubscriptionModel.apiGroup,
+    resource: SubscriptionModel.plural,
+    verb: 'create',
+    namespace: selectedTargetNamespace,
+  });

Also applies to: 1196-1196

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@frontend/packages/operator-lifecycle-manager/src/components/operator-hub/operator-hub-subscribe.tsx`
around lines 237 - 241, The RBAC check using useAccessReview for
canCreateSubscription currently omits the namespace, causing false negatives for
users with namespace-scoped create permission; update the useAccessReview call
(the canCreateSubscription check) to include the target namespace (the same
namespace used for subscription.metadata.namespace) so the access review is
performed against that namespace (and apply the same fix where useAccessReview
is used again for SubscriptionModel elsewhere in this file).

[openshift-ci]

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.