Skip to content

fix(api): expose internal namespace lookup for SSH service#6228

Merged
gustavosbarreto merged 1 commit intomasterfrom
fix/internal-namespace-lookup
Apr 22, 2026
Merged

fix(api): expose internal namespace lookup for SSH service#6228
gustavosbarreto merged 1 commit intomasterfrom
fix/internal-namespace-lookup

Conversation

@gustavosbarreto
Copy link
Copy Markdown
Member

@gustavosbarreto gustavosbarreto commented Apr 22, 2026

Summary

Add GET /internal/namespaces/:tenant bound to the same handler as the public route but without the tenant guard, and point internalclient.NamespaceLookup at it.

The SSH service calls NamespaceLookup directly on api:8080 without passing through the nginx /auth subrequest, so the RequiresTenant guard added on /api/namespaces/:tenant in fe8e2bd was turning every SSH connection into a 403.

Backported to release/v0.21.6 as 9881a99.

@gustavosbarreto
fix(api): expose internal namespace lookup for SSH service
ced3765 
Add GET /internal/namespaces/:tenant bound to the same handler but
without the tenant guard, and point internalclient at it. The SSH
service calls NamespaceLookup directly on api:8080 without the /auth
subrequest, so the guard on /api/namespaces/:tenant was turning every
SSH connection into a 403.
@gustavosbarreto gustavosbarreto requested a review from a team as a code owner April 22, 2026 21:15
@github-actions
Copy link
Copy Markdown

github-actions Bot commented Apr 22, 2026
edited
Loading

Claude finished @gustavosbarreto's task in 2m 17s —— View job

Code Review Complete

Reviewed 2 files across code quality, security, testing, language patterns, and architecture — no issues found. The code looks good as-is.

Key observations:

  • The new /internal/namespaces/:tenant route correctly reuses the existing GetNamespaceURL constant and handler.GetNamespace handler under the /internal group, which is network-isolated (no external exposure via nginx gateway).
  • The client URL change in internalclient correctly points to the new internal route.
  • The handler's membership guard (if uid != "") naturally short-circuits for unauthenticated internal callers, returning the namespace without a 403.
  • Cross-repo impact is clean — cloud/ only has an auto-generated mock for NamespaceLookup, and the SSH service (ssh/session/session.go) picks up the fix transparently.

To request another review round, comment /review.

@gustavosbarreto gustavosbarreto enabled auto-merge (rebase) April 22, 2026 21:18
@gustavosbarreto gustavosbarreto merged commit 6a549a0 into master Apr 22, 2026
12 checks passed
@gustavosbarreto gustavosbarreto deleted the fix/internal-namespace-lookup branch April 22, 2026 21:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@gustavosbarreto