From b6fc695598d775c3cd63d013de4783ca7f6d265b Mon Sep 17 00:00:00 2001
From: Gabriel MABILLE
Date: Wed, 15 Jan 2025 17:38:46 +0100
Subject: [PATCH] ExtJwtClient: Use user namespace for k8s allowed namespace (#93687)
* ExtJwtClient: Use user namespace for k8s allowed namespace
* fix test
---
 pkg/services/authn/clients/ext_jwt.go | 9 +--------
 pkg/services/authn/clients/ext_jwt_test.go | 4 ++--
 2 files changed, 3 insertions(+), 10 deletions(-)
diff --git a/pkg/services/authn/clients/ext_jwt.go b/pkg/services/authn/clients/ext_jwt.go
index 571f9ff5c35..2780bdadf64 100644
--- a/pkg/services/authn/clients/ext_jwt.go
+++ b/pkg/services/authn/clients/ext_jwt.go
@@ -127,13 +127,6 @@ func (s *ExtendedJWT) authenticateAsUser(
 return nil, errExtJWTInvalidSubject.Errorf("unexpected identity: %s", idTokenClaims.Subject) } - // For use in service layer, allow higher privilege namespace := accessTokenClaims.Rest.Namespace - if len(s.cfg.StackID) > 0 { - // For single-tenant cloud use, choose the lower of the two (id token will always have the specific namespace) - namespace = idTokenClaims.Rest.Namespace - } - return &authn.Identity{ ID: id, Type: t,
@@ -142,7 +135,7 @@ func (s *ExtendedJWT) authenticateAsUser(
 IDTokenClaims: &idTokenClaims,
 AuthenticatedBy: login.ExtendedJWTModule,
 AuthID: accessTokenClaims.Subject,
- Namespace: namespace,
+ Namespace: idTokenClaims.Rest.Namespace,
 ClientParams: authn.ClientParams{
 SyncPermissions: true,
 FetchPermissionsParams: authn.FetchPermissionsParams{
diff --git a/pkg/services/authn/clients/ext_jwt_test.go b/pkg/services/authn/clients/ext_jwt_test.go
index f09cd95ed29..9851ad3ab3e 100644
--- a/pkg/services/authn/clients/ext_jwt_test.go
+++ b/pkg/services/authn/clients/ext_jwt_test.go
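Review bot: `Namespace: idTokenClaims.Rest.Namespace` in the second ext_jwt.go hunk scopes the identity from the id token alone, and nothing visible in either hunk checks that value against the namespace the access token was issued for. If that consistency check (id-token namespace equal to the access-token namespace, or the access token carrying the wildcard) is not already done earlier in authenticateAsUser or during token verification, an access token scoped to one namespace paired with an id token for another would produce an identity in the id token's namespace; worth confirming, since the hunk does not show it. The removed block also took its explanatory comment with it, leaving the new assignment unexplained; a one-liner above the field would preserve the intent, e.g. `// The id token always carries the user's specific namespace, so it (not the access token's possibly-wildcard namespace) scopes the identity.` authenticateAsUser begins and ends outside both hunks.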
@@ -283,7 +283,7 @@ func TestExtendedJWT_Authenticate(t *testing.T) {
 },
 },
 {
- name: "should authenticate as user using wildcard namespace for access token",
+ name: "should authenticate as user in the user namespace",
 accessToken: &validAccessTokenClaimsWildcard,
 idToken: &validIDTokenClaims,
 orgID: 1,
@@ -293,7 +293,7 @@ func TestExtendedJWT_Authenticate(t *testing.T) {
 OrgID: 1,
 AccessTokenClaims: &validAccessTokenClaimsWildcard,
 IDTokenClaims: &validIDTokenClaims,
- Namespace: "*",
+ Namespace: "default",
 AuthenticatedBy: "extendedjwt",
 AuthID: "access-policy:this-uid",
 ClientParams: authn.ClientParams{
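Review bot: The updated expectation `Namespace: "default"` in the second hunk is pinned only for the wildcard access token (`validAccessTokenClaimsWildcard`), so nothing here exercises an access token whose own namespace is specific and differs from the id token's — the combination whose outcome the production change altered. A table entry with a non-wildcard access-token namespace that disagrees with the id token's, asserting whatever identity namespace (or error) is intended, would document the new contract; this assumes no such case already exists elsewhere in TestExtendedJWT_Authenticate, which the hunk does not show. The test table begins and ends outside both hunks.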