Dynamic validation for workload identity permissions and requirements (…

…#3619)

* ARO-4376 Track2 authorization api addition for roledefinitions

* ARO-4376 add a stringutil funcs

* ARO-4376 use dbPlatformWorkloadIdentityRoleSets to get platform identity roles for cluster version

* ARO-4376 add dynamic validation for platformworkloadidentityprofile

* ARO-4376 resolve initial comments

* ARO-4376 refactor error messages and checkaccess action crosscheck

* ARO-4376 Add unit tests and comments resolution

* ARO-4376 add validation for upgradeableTo

* ARO-4376 Comment resoultion and additional unit tests

* ARO-4376 minor version comparison handling

* ARO-4376 update permission error messaging handling for MIWI

* ARO-4376 update constructors to return non-interface type

* ARO-4376 add unit tests for GroupsIntersect

* ARO-4376 update generate files to support bingo

cmd/aro/rp.go

@@ -147,6 +147,7 @@ func rp(ctx context.Context, log, audit *logrus.Entry) error {
 		return err
 	}
 
+	// Note: When handling DB operations don't delete records but set TTL on them otherwise if we're leveraging change feeds, it will break.
 	dbPlatformWorkloadIdentityRoleSets, err := database.NewPlatformWorkloadIdentityRoleSets(ctx, dbc, dbName)
 	if err != nil {
 		return err
@@ -175,7 +176,7 @@ func rp(ctx context.Context, log, audit *logrus.Entry) error {
 		return err
 	}
 
-	b, err := backend.NewBackend(ctx, log.WithField("component", "backend"), _env, dbAsyncOperations, dbBilling, dbGateway, dbOpenShiftClusters, dbSubscriptions, dbOpenShiftVersions, aead, metrics)
+	b, err := backend.NewBackend(ctx, log.WithField("component", "backend"), _env, dbAsyncOperations, dbBilling, dbGateway, dbOpenShiftClusters, dbSubscriptions, dbOpenShiftVersions, dbPlatformWorkloadIdentityRoleSets, aead, metrics)
 	if err != nil {
 		return err
 	}

go.mod

@@ -6,6 +6,7 @@ require (
 	github.com/Azure/azure-sdk-for-go v63.1.0+incompatible
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1
 	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.6.0
+	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v3 v3.0.0-beta.2
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/cosmos/armcosmos/v2 v2.5.0
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/dns/armdns v1.2.0
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault v1.4.0

go.sum

@@ -10,6 +10,8 @@ github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.6.0 h1:U2rTu3Ef+7w9FHKIAXM6Z
 github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.6.0/go.mod h1:9kIvujWAA58nmPmWB1m23fyWic1kYZMxD9CxaWn4Qpg=
 github.com/Azure/azure-sdk-for-go/sdk/internal v1.8.0 h1:jBQA3cKT4L2rWMpgE7Yt3Hwh2aUj8KXjIGLxjHeYNNo=
 github.com/Azure/azure-sdk-for-go/sdk/internal v1.8.0/go.mod h1:4OG6tQ9EOP/MT0NMjDlRzWoVFxfu9rN9B2X+tlSVktg=
+github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v3 v3.0.0-beta.2 h1:qiir/pptnHqp6hV8QwV+IExYIf6cPsXBfUDUXQ27t2Y=
+github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v3 v3.0.0-beta.2/go.mod h1:jVRrRDLCOuif95HDYC23ADTMlvahB7tMdl519m9Iyjc=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/cosmos/armcosmos/v2 v2.5.0 h1:FTNvxTFH/08JBmhcbL5lmLaGYVXokZM6Ni92Mqr+gSg=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/cosmos/armcosmos/v2 v2.5.0/go.mod h1:T0ryqIz5h5qg4HOBni+VeRn24alSqOx1Se1IAwUByOk=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/dns/armdns v1.2.0 h1:lpOxwrQ919lCZoNCd69rVt8u1eLZuMORrGXqy8sNf3c=

pkg/api/error.go

@@ -91,6 +91,7 @@ const (
 	CloudErrorCodeInvalidServicePrincipalClaims      = "InvalidServicePrincipalClaims"
 	CloudErrorCodeInvalidResourceProviderPermissions = "InvalidResourceProviderPermissions"
 	CloudErrorCodeInvalidServicePrincipalPermissions = "InvalidServicePrincipalPermissions"
+	CloudErrorCodeInvalidWorkloadIdentityPermissions = "InvalidWorkloadIdentityPermissions"
 	CloudErrorCodeInvalidLocation                    = "InvalidLocation"
 	CloudErrorCodeInvalidOperationID                 = "InvalidOperationID"
 	CloudErrorCodeDuplicateClientID                  = "DuplicateClientID"
@@ -105,6 +106,8 @@ const (
 	CloudErrorCodeInvalidNetworkAddress              = "InvalidNetworkAddress"
 	CloudErrorCodeThrottlingLimitExceeded            = "ThrottlingLimitExceeded"
 	CloudErrorCodeInvalidCIDRRange                   = "InvalidCIDRRange"
+	CloudErrorCodePlatformWorkloadIdentityMismatch   = "CloudErrorCodePlatformWorkloadIdentityMismatch"
+	CloudErrorCodeInvalidClusterMSICount             = "CloudErrorCodeInvalidClusterMSICount"
 )
 
 // NewCloudError returns a new CloudError

pkg/api/v20240812preview/openshiftcluster_validatestatic.go

@@ -499,5 +499,10 @@ func (sv openShiftClusterStaticValidator) validatePlatformIdentities(oc *OpenShi
 	if clusterIdentityPresent != operatorRolePresent {
 		return api.NewCloudError(http.StatusBadRequest, api.CloudErrorCodeInvalidParameter, "identity", "Cluster identity and platform workload identities require each other.")
 	}
+
+	if operatorRolePresent && len(oc.Identity.UserAssignedIdentities) != 1 {
+		return api.NewCloudError(http.StatusBadRequest, api.CloudErrorCodeInvalidParameter, "identity", "The provided cluster identity is invalid; there should be exactly one.")
+	}
+
 	return nil
 }

pkg/api/v20240812preview/openshiftcluster_validatestatic_test.go

@@ -1351,6 +1351,21 @@ func TestOpenShiftClusterStaticValidatePlatformWorkloadIdentityProfile(t *testin
 			},
 			wantErr: "400: InvalidParameter: identity: Cluster identity and platform workload identities require each other.",
 		},
+		{
+			name: "platform workload identity - cluster identity map is empty",
+			modify: func(oc *OpenShiftCluster) {
+				oc.Properties.PlatformWorkloadIdentityProfile = &PlatformWorkloadIdentityProfile{
+					PlatformWorkloadIdentities: []PlatformWorkloadIdentity{
+						{
+							OperatorName: "operator_name",
+						},
+					},
+				}
+				oc.Properties.ServicePrincipalProfile = nil
+				oc.Identity = &Identity{}
+			},
+			wantErr: "400: InvalidParameter: identity: The provided cluster identity is invalid; there should be exactly one.",
+		},
 		{
 			name: "operator name missing",
 			modify: func(oc *OpenShiftCluster) {
@@ -1385,7 +1400,11 @@ func TestOpenShiftClusterStaticValidatePlatformWorkloadIdentityProfile(t *testin
 		{
 			name: "valid UpgradeableTo value",
 			modify: func(oc *OpenShiftCluster) {
-				oc.Identity = &Identity{}
+				oc.Identity = &Identity{
+					UserAssignedIdentities: UserAssignedIdentities{
+						"Dummy": ClusterUserAssignedIdentity{},
+					},
+				}
 				oc.Properties.ServicePrincipalProfile = nil
 				oc.Properties.PlatformWorkloadIdentityProfile = &PlatformWorkloadIdentityProfile{
 					UpgradeableTo: &validUpgradeableToValue,
@@ -1395,7 +1414,11 @@ func TestOpenShiftClusterStaticValidatePlatformWorkloadIdentityProfile(t *testin
 		{
 			name: "invalid UpgradeableTo value",
 			modify: func(oc *OpenShiftCluster) {
-				oc.Identity = &Identity{}
+				oc.Identity = &Identity{
+					UserAssignedIdentities: UserAssignedIdentities{
+						"Dummy": ClusterUserAssignedIdentity{},
+					},
+				}
 				oc.Properties.ServicePrincipalProfile = nil
 				oc.Properties.PlatformWorkloadIdentityProfile = &PlatformWorkloadIdentityProfile{
 					UpgradeableTo: &invalidUpgradeableToValue,

pkg/backend/backend.go

@@ -28,12 +28,13 @@ type backend struct {
 	baseLog *logrus.Entry
 	env     env.Interface
 
-	dbAsyncOperations   database.AsyncOperations
-	dbBilling           database.Billing
-	dbGateway           database.Gateway
-	dbOpenShiftClusters database.OpenShiftClusters
-	dbSubscriptions     database.Subscriptions
-	dbOpenShiftVersions database.OpenShiftVersions
+	dbAsyncOperations                  database.AsyncOperations
+	dbBilling                          database.Billing
+	dbGateway                          database.Gateway
+	dbOpenShiftClusters                database.OpenShiftClusters
+	dbSubscriptions                    database.Subscriptions
+	dbOpenShiftVersions                database.OpenShiftVersions
+	dbPlatformWorkloadIdentityRoleSets database.PlatformWorkloadIdentityRoleSets
 
 	aead    encryption.AEAD
 	m       metrics.Emitter
@@ -54,8 +55,8 @@ type Runnable interface {
 }
 
 // NewBackend returns a new runnable backend
-func NewBackend(ctx context.Context, log *logrus.Entry, env env.Interface, dbAsyncOperations database.AsyncOperations, dbBilling database.Billing, dbGateway database.Gateway, dbOpenShiftClusters database.OpenShiftClusters, dbSubscriptions database.Subscriptions, dbOpenShiftVersions database.OpenShiftVersions, aead encryption.AEAD, m metrics.Emitter) (Runnable, error) {
-	b, err := newBackend(ctx, log, env, dbAsyncOperations, dbBilling, dbGateway, dbOpenShiftClusters, dbSubscriptions, dbOpenShiftVersions, aead, m)
+func NewBackend(ctx context.Context, log *logrus.Entry, env env.Interface, dbAsyncOperations database.AsyncOperations, dbBilling database.Billing, dbGateway database.Gateway, dbOpenShiftClusters database.OpenShiftClusters, dbSubscriptions database.Subscriptions, dbOpenShiftVersions database.OpenShiftVersions, dbPlatformWorkloadIdentityRoleSets database.PlatformWorkloadIdentityRoleSets, aead encryption.AEAD, m metrics.Emitter) (Runnable, error) {
+	b, err := newBackend(ctx, log, env, dbAsyncOperations, dbBilling, dbGateway, dbOpenShiftClusters, dbSubscriptions, dbOpenShiftVersions, dbPlatformWorkloadIdentityRoleSets, aead, m)
 	if err != nil {
 		return nil, err
 	}
@@ -65,7 +66,7 @@ func NewBackend(ctx context.Context, log *logrus.Entry, env env.Interface, dbAsy
 	return b, nil
 }
 
-func newBackend(ctx context.Context, log *logrus.Entry, env env.Interface, dbAsyncOperations database.AsyncOperations, dbBilling database.Billing, dbGateway database.Gateway, dbOpenShiftClusters database.OpenShiftClusters, dbSubscriptions database.Subscriptions, dbOpenShiftVersions database.OpenShiftVersions, aead encryption.AEAD, m metrics.Emitter) (*backend, error) {
+func newBackend(ctx context.Context, log *logrus.Entry, env env.Interface, dbAsyncOperations database.AsyncOperations, dbBilling database.Billing, dbGateway database.Gateway, dbOpenShiftClusters database.OpenShiftClusters, dbSubscriptions database.Subscriptions, dbOpenShiftVersions database.OpenShiftVersions, dbPlatformWorkloadIdentityRoleSets database.PlatformWorkloadIdentityRoleSets, aead encryption.AEAD, m metrics.Emitter) (*backend, error) {
 	billing, err := billing.NewManager(env, dbBilling, dbSubscriptions, log)
 	if err != nil {
 		return nil, err
@@ -75,12 +76,13 @@ func newBackend(ctx context.Context, log *logrus.Entry, env env.Interface, dbAsy
 		baseLog: log,
 		env:     env,
 
-		dbAsyncOperations:   dbAsyncOperations,
-		dbBilling:           dbBilling,
-		dbGateway:           dbGateway,
-		dbOpenShiftClusters: dbOpenShiftClusters,
-		dbSubscriptions:     dbSubscriptions,
-		dbOpenShiftVersions: dbOpenShiftVersions,
+		dbAsyncOperations:                  dbAsyncOperations,
+		dbBilling:                          dbBilling,
+		dbGateway:                          dbGateway,
+		dbOpenShiftClusters:                dbOpenShiftClusters,
+		dbSubscriptions:                    dbSubscriptions,
+		dbOpenShiftVersions:                dbOpenShiftVersions,
+		dbPlatformWorkloadIdentityRoleSets: dbPlatformWorkloadIdentityRoleSets,
 
 		billing: billing,
 		aead:    aead,

pkg/backend/openshiftcluster.go

@@ -30,7 +30,7 @@ import (
 type openShiftClusterBackend struct {
 	*backend
 
-	newManager func(context.Context, *logrus.Entry, env.Interface, database.OpenShiftClusters, database.Gateway, database.OpenShiftVersions, encryption.AEAD, billing.Manager, *api.OpenShiftClusterDocument, *api.SubscriptionDocument, hive.ClusterManager, metrics.Emitter) (cluster.Interface, error)
+	newManager func(context.Context, *logrus.Entry, env.Interface, database.OpenShiftClusters, database.Gateway, database.OpenShiftVersions, database.PlatformWorkloadIdentityRoleSets, encryption.AEAD, billing.Manager, *api.OpenShiftClusterDocument, *api.SubscriptionDocument, hive.ClusterManager, metrics.Emitter) (cluster.Interface, error)
 }
 
 func newOpenShiftClusterBackend(b *backend) *openShiftClusterBackend {
@@ -129,7 +129,7 @@ func (ocb *openShiftClusterBackend) handle(ctx context.Context, log *logrus.Entr
 		}
 	}
 
-	m, err := ocb.newManager(ctx, log, ocb.env, ocb.dbOpenShiftClusters, ocb.dbGateway, ocb.dbOpenShiftVersions, ocb.aead, ocb.billing, doc, subscriptionDoc, hr, ocb.m)
+	m, err := ocb.newManager(ctx, log, ocb.env, ocb.dbOpenShiftClusters, ocb.dbGateway, ocb.dbOpenShiftVersions, ocb.dbPlatformWorkloadIdentityRoleSets, ocb.aead, ocb.billing, doc, subscriptionDoc, hr, ocb.m)
 	if err != nil {
 		return ocb.endLease(ctx, log, stop, doc, api.ProvisioningStateFailed, api.ProvisioningStateFailed, err)
 	}

pkg/backend/openshiftcluster_test.go

@@ -429,6 +429,7 @@ func TestBackendTry(t *testing.T) {
 			dbSubscriptions, _ := testdatabase.NewFakeSubscriptions()
 			uuidGen := deterministicuuid.NewTestUUIDGenerator(deterministicuuid.OPENSHIFT_VERSIONS)
 			dbOpenShiftVersions, _ := testdatabase.NewFakeOpenShiftVersions(uuidGen)
+			dbPlatformWorkloadIdentityRoleSets, _ := testdatabase.NewFakePlatformWorkloadIdentityRoleSets(uuidGen)
 
 			f := testdatabase.NewFixture().WithOpenShiftClusters(dbOpenShiftClusters).WithSubscriptions(dbSubscriptions)
 			tt.mocks(manager, dbOpenShiftClusters)
@@ -438,11 +439,11 @@ func TestBackendTry(t *testing.T) {
 				t.Fatal(err)
 			}
 
-			createManager := func(context.Context, *logrus.Entry, env.Interface, database.OpenShiftClusters, database.Gateway, database.OpenShiftVersions, encryption.AEAD, billing.Manager, *api.OpenShiftClusterDocument, *api.SubscriptionDocument, hive.ClusterManager, metrics.Emitter) (cluster.Interface, error) {
+			createManager := func(context.Context, *logrus.Entry, env.Interface, database.OpenShiftClusters, database.Gateway, database.OpenShiftVersions, database.PlatformWorkloadIdentityRoleSets, encryption.AEAD, billing.Manager, *api.OpenShiftClusterDocument, *api.SubscriptionDocument, hive.ClusterManager, metrics.Emitter) (cluster.Interface, error) {
 				return manager, nil
 			}
 
-			b, err := newBackend(ctx, log, _env, nil, nil, nil, dbOpenShiftClusters, dbSubscriptions, dbOpenShiftVersions, nil, &noop.Noop{})
+			b, err := newBackend(ctx, log, _env, nil, nil, nil, dbOpenShiftClusters, dbSubscriptions, dbOpenShiftVersions, dbPlatformWorkloadIdentityRoleSets, nil, &noop.Noop{})
 			if err != nil {
 				t.Fatal(err)
 			}

pkg/cluster/cluster.go

@@ -34,6 +34,7 @@ import (
 	"github.com/Azure/ARO-RP/pkg/operator/deploy"
 	"github.com/Azure/ARO-RP/pkg/util/azblob"
 	"github.com/Azure/ARO-RP/pkg/util/azureclient"
+	"github.com/Azure/ARO-RP/pkg/util/azureclient/azuresdk/armauthorization"
 	"github.com/Azure/ARO-RP/pkg/util/azureclient/azuresdk/armnetwork"
 	"github.com/Azure/ARO-RP/pkg/util/azureclient/azuresdk/common"
 	"github.com/Azure/ARO-RP/pkg/util/azureclient/mgmt/authorization"
@@ -46,6 +47,7 @@ import (
 	"github.com/Azure/ARO-RP/pkg/util/dns"
 	"github.com/Azure/ARO-RP/pkg/util/encryption"
 	utilgraph "github.com/Azure/ARO-RP/pkg/util/graph"
+	"github.com/Azure/ARO-RP/pkg/util/platformworkloadidentity"
 	"github.com/Azure/ARO-RP/pkg/util/refreshable"
 	"github.com/Azure/ARO-RP/pkg/util/storage"
 	"github.com/Azure/ARO-RP/pkg/util/subnet"
@@ -93,6 +95,7 @@ type manager struct {
 	virtualNetworkLinks      privatedns.VirtualNetworkLinksClient
 	roleAssignments          authorization.RoleAssignmentsClient
 	roleDefinitions          authorization.RoleDefinitionsClient
+	armRoleDefinitions       armauthorization.RoleDefinitionsClient
 	denyAssignments          authorization.DenyAssignmentClient
 	fpPrivateEndpoints       network.PrivateEndpointsClient // TODO: use armFPPrivateEndpoints instead.
 	armFPPrivateEndpoints    armnetwork.PrivateEndpointsClient
@@ -127,10 +130,12 @@ type manager struct {
 	now func() time.Time
 
 	openShiftClusterDocumentVersioner openShiftClusterDocumentVersioner
+
+	platformWorkloadIdentityRolesByVersion platformworkloadidentity.PlatformWorkloadIdentityRolesByVersion
 }
 
 // New returns a cluster manager
-func New(ctx context.Context, log *logrus.Entry, _env env.Interface, db database.OpenShiftClusters, dbGateway database.Gateway, dbOpenShiftVersions database.OpenShiftVersions, aead encryption.AEAD,
+func New(ctx context.Context, log *logrus.Entry, _env env.Interface, db database.OpenShiftClusters, dbGateway database.Gateway, dbOpenShiftVersions database.OpenShiftVersions, dbPlatformWorkloadIdentityRoleSets database.PlatformWorkloadIdentityRoleSets, aead encryption.AEAD,
 	billing billing.Manager, doc *api.OpenShiftClusterDocument, subscriptionDoc *api.SubscriptionDocument, hiveClusterManager hive.ClusterManager, metricsEmitter metrics.Emitter,
 ) (Interface, error) {
 	r, err := azure.ParseResourceID(doc.OpenShiftCluster.ID)
@@ -233,6 +238,19 @@ func New(ctx context.Context, log *logrus.Entry, _env env.Interface, db database
 		return nil, err
 	}
 
+	armRoleDefinitionsClient, err := armauthorization.NewArmRoleDefinitionsClient(fpCredClusterTenant, &clientOptions)
+	if err != nil {
+		return nil, err
+	}
+
+	platformWorkloadIdentityRolesByVersion := platformworkloadidentity.NewPlatformWorkloadIdentityRolesByVersionService()
+	if doc.OpenShiftCluster.UsesWorkloadIdentity() {
+		err = platformWorkloadIdentityRolesByVersion.PopulatePlatformWorkloadIdentityRolesByVersion(ctx, doc.OpenShiftCluster, dbPlatformWorkloadIdentityRoleSets)
+		if err != nil {
+			return nil, err
+		}
+	}
+
 	return &manager{
 		log:                      log,
 		env:                      _env,
@@ -264,6 +282,7 @@ func New(ctx context.Context, log *logrus.Entry, _env env.Interface, db database
 		virtualNetworkLinks:      privatedns.NewVirtualNetworkLinksClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
 		roleAssignments:          authorization.NewRoleAssignmentsClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
 		roleDefinitions:          authorization.NewRoleDefinitionsClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
+		armRoleDefinitions:       armRoleDefinitionsClient,
 		denyAssignments:          authorization.NewDenyAssignmentsClient(_env.Environment(), r.SubscriptionID, fpAuthorizer),
 		fpPrivateEndpoints:       network.NewPrivateEndpointsClient(_env.Environment(), _env.SubscriptionID(), localFPAuthorizer),
 		armFPPrivateEndpoints:    armFPPrivateEndpoints,
@@ -276,10 +295,11 @@ func New(ctx context.Context, log *logrus.Entry, _env env.Interface, db database
 		graph:   graph.NewManager(_env, log, aead, storage),
 		rpBlob:  rpBlob,
 
-		installViaHive:                    installViaHive,
-		adoptViaHive:                      adoptByHive,
-		hiveClusterManager:                hiveClusterManager,
-		now:                               func() time.Time { return time.Now() },
-		openShiftClusterDocumentVersioner: new(openShiftClusterDocumentVersionerService),
+		installViaHive:                         installViaHive,
+		adoptViaHive:                           adoptByHive,
+		hiveClusterManager:                     hiveClusterManager,
+		now:                                    func() time.Time { return time.Now() },
+		openShiftClusterDocumentVersioner:      new(openShiftClusterDocumentVersionerService),
+		platformWorkloadIdentityRolesByVersion: platformWorkloadIdentityRolesByVersion,
 	}, nil
 }

pkg/cluster/validate.go

@@ -10,12 +10,7 @@ import (
 )
 
 func (m *manager) validateResources(ctx context.Context) error {
-	ocDynamicValidator := validate.NewOpenShiftClusterDynamicValidator(
-		m.log, m.env, m.doc.OpenShiftCluster, m.subscriptionDoc, m.fpAuthorizer,
-	)
-	err := ocDynamicValidator.Dynamic(ctx)
-	if err != nil {
-		return err
-	}
-	return err
+	return validate.NewOpenShiftClusterDynamicValidator(
+		m.log, m.env, m.doc.OpenShiftCluster, m.subscriptionDoc, m.fpAuthorizer, m.armRoleDefinitions, m.platformWorkloadIdentityRolesByVersion,
+	).Dynamic(ctx)
 }

pkg/portal/info.go

@@ -10,6 +10,7 @@ import (
 	"github.com/gorilla/csrf"
 
 	"github.com/Azure/ARO-RP/pkg/portal/middleware"
+	"github.com/Azure/ARO-RP/pkg/util/stringutils"
 	"github.com/Azure/ARO-RP/pkg/util/version"
 )
 
@@ -23,7 +24,7 @@ type PortalInfo struct {
 
 func (p *portal) info(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
-	elevated := len(middleware.GroupsIntersect(p.elevatedGroupIDs, ctx.Value(middleware.ContextKeyGroups).([]string))) > 0
+	elevated := len(stringutils.GroupsIntersect(p.elevatedGroupIDs, ctx.Value(middleware.ContextKeyGroups).([]string))) > 0
 
 	resp := PortalInfo{
 		Location:  p.env.Location(),

pkg/portal/kubeconfig/kubeconfig.go

@@ -25,6 +25,7 @@ import (
 	"github.com/Azure/ARO-RP/pkg/portal/util/clientcache"
 	"github.com/Azure/ARO-RP/pkg/proxy"
 	"github.com/Azure/ARO-RP/pkg/util/roundtripper"
+	"github.com/Azure/ARO-RP/pkg/util/stringutils"
 )
 
 const (
@@ -95,7 +96,7 @@ func (k *Kubeconfig) New(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	elevated := len(middleware.GroupsIntersect(k.elevatedGroupIDs, ctx.Value(middleware.ContextKeyGroups).([]string))) > 0
+	elevated := len(stringutils.GroupsIntersect(k.elevatedGroupIDs, ctx.Value(middleware.ContextKeyGroups).([]string))) > 0
 
 	token := k.DbPortal.NewUUID()
 	portalDoc := &api.PortalDocument{