fix: address PR review feedback

- e2e-login: add AMBIENT_ENV=production guard alongside E2E_TEST_HELPERS
  to prevent accidental auth bypass in production
- impersonation: align getUserSubjectFromContext claim order with
  buildImpersonatingClients (preferred_username > email > sub) so
  RoleBinding subjects match the impersonated identity
- JWK_CERT_URL: fix priority to CLI flag > env var > default (standard
  convention, per review feedback)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: jsell-rh

components/ambient-api-server/cmd/ambient-api-server/environments/e_production.go

@@ -24,15 +24,15 @@ const defaultJwkCertURL = "https://sso.redhat.com/auth/realms/redhat-external/pr
 func (e *ProductionEnvImpl) OverrideConfig(c *config.ApplicationConfig) error {
 	c.Server.CORSAllowedHeaders = []string{"X-Ambient-Project"}
 
-	// Priority: env var > CLI flag > default.
+	// Priority: CLI flag > env var > default.
 	// The framework parses --jwk-cert-url before OverrideConfig runs,
 	// so c.Auth.JwkCertURL already holds the flag value (or the flag's
 	// built-in default if not explicitly set).
 	switch {
-	case os.Getenv("JWK_CERT_URL") != "":
-		c.Auth.JwkCertURL = os.Getenv("JWK_CERT_URL")
 	case c.Auth.JwkCertURL != "" && c.Auth.JwkCertURL != defaultJwkCertURL:
 		// CLI flag was explicitly set to a non-default value; keep it.
+	case os.Getenv("JWK_CERT_URL") != "":
+		c.Auth.JwkCertURL = os.Getenv("JWK_CERT_URL")
 	default:
 		c.Auth.JwkCertURL = defaultJwkCertURL
 	}

components/backend/handlers/projects.go

@@ -941,17 +941,20 @@ func getUserSubjectFromContext(c *gin.Context) (string, error) {
 		return fmt.Sprintf("system:serviceaccount:%s:%s", ns, saName), nil
 	}
 
-	// Prefer email — this matches the impersonation identity (Impersonate-User)
-	// so RoleBindings created with this subject are effective under impersonation.
+	// Must match the order in buildImpersonatingClients (sso.go):
+	// preferred_username > email > sub. If these diverge, RoleBindings
+	// created here won't match the impersonated identity.
+	if userName, exists := c.Get("userName"); exists && userName != nil {
+		if s := fmt.Sprintf("%v", userName); s != "" {
+			return s, nil
+		}
+	}
 	if email := c.GetString("userEmail"); email != "" {
 		return email, nil
 	}
 	if userIDOrig := c.GetString("userIDOriginal"); userIDOrig != "" {
 		return userIDOrig, nil
 	}
-	if userName, exists := c.Get("userName"); exists && userName != nil {
-		return fmt.Sprintf("%v", userName), nil
-	}
 	if userID, exists := c.Get("userID"); exists && userID != nil {
 		return fmt.Sprintf("%v", userID), nil
 	}

components/frontend/src/app/api/auth/sso/e2e-login/route.ts

@@ -2,10 +2,14 @@ import { NextRequest, NextResponse } from "next/server";
 import { getSession } from "@/lib/session";
 
 export async function POST(request: NextRequest) {
-  // Gate on E2E_TEST_HELPERS rather than NODE_ENV so this route works in
-  // Kind/CI where the Docker image sets NODE_ENV=production but E2E tests
-  // still need programmatic session creation.
-  if (process.env.E2E_TEST_HELPERS !== "true") {
+  // Double guard: E2E_TEST_HELPERS must be explicitly set AND we must not
+  // be in an environment that looks like production (has a public route).
+  // This prevents accidental auth bypass if E2E_TEST_HELPERS leaks into
+  // a production overlay.
+  if (
+    process.env.E2E_TEST_HELPERS !== "true" ||
+    process.env.AMBIENT_ENV === "production"
+  ) {
     return NextResponse.json({ error: "Not available" }, { status: 404 });
   }
 

workflows/deploy-native-sso.md

@@ -268,12 +268,12 @@ data:
 ```bash
 cd /path/to/platform
 
-# Apply ClusterRoleBindings separately (kustomize's namespace transformer
-# would rewrite the ambient-code subject namespaces)
-oc apply -f components/manifests/overlays/hcmais/jsell-sso-poc/clusterrolebindings.yaml
-
-# Apply everything else via kustomize
+# Apply kustomize first
 oc apply -k components/manifests/overlays/hcmais/jsell-sso-poc/
+
+# Then apply CRBs AFTER kustomize to restore the ambient-code subjects
+# that kustomize's namespace transformer overwrites
+oc apply -f components/manifests/overlays/hcmais/jsell-sso-poc/clusterrolebindings.yaml
 ```
 
 Verify all deployments come up: