From f3d18e9d267c2323f027daae56e3edaf3129ccc8 Mon Sep 17 00:00:00 2001 From: Jaime Melis Date: Tue, 10 Sep 2024 17:20:47 +0200 Subject: [PATCH 1/6] RHCLOUD-34169: register resources MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Josejulio Martínez --- deploy/schema.yaml | 4 ++ internal/authz/allow/allow.go | 4 ++ internal/authz/api/authz-service.go | 1 + internal/authz/kessel/kessel.go | 41 +++++++++++++++++++ internal/data/hosts/hosts.go | 19 +++++++++ internal/data/k8sclusters/k8sclusters.go | 19 +++++++++ .../notificationsintegrations.go | 19 +++++++++ 7 files changed, 107 insertions(+) diff --git a/deploy/schema.yaml b/deploy/schema.yaml index 098d91f2..721b1467 100644 --- a/deploy/schema.yaml +++ b/deploy/schema.yaml @@ -85,3 +85,7 @@ schema: |- permission disable = workspace->notifications_integration_disable permission enable = workspace->notifications_integration_enable } + + definition hbi/rhel_host { + relation workspace: rbac/workspace + } diff --git a/internal/authz/allow/allow.go b/internal/authz/allow/allow.go index d844e082..3bcb458d 100644 --- a/internal/authz/allow/allow.go +++ b/internal/authz/allow/allow.go @@ -31,3 +31,7 @@ func (a *AllowAllAuthz) CreateTuples(ctx context.Context, r *kessel.CreateTuples func (a *AllowAllAuthz) DeleteTuples(ctx context.Context, r *kessel.DeleteTuplesRequest) (*kessel.DeleteTuplesResponse, error) { return &kessel.DeleteTuplesResponse{}, nil } + +func (a *AllowAllAuthz) SetWorkspace(ctx context.Context, id int64, workspace, name, namespace string) (*kessel.CreateTuplesResponse, error) { + return &kessel.CreateTuplesResponse{}, nil +} diff --git a/internal/authz/api/authz-service.go b/internal/authz/api/authz-service.go index ffe191f8..357bd9d2 100644 --- a/internal/authz/api/authz-service.go +++ b/internal/authz/api/authz-service.go 
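Review bot: The new `hbi/rhel_host` definition declares only `relation workspace: rbac/workspace` and no permissions, unlike the `notifications_integration` definition just above it, whose `permission disable = workspace->notifications_integration_disable` lines are what make a Check against a resource meaningful. As written no permission can be evaluated on a rhel_host through this definition, so either the permissions arrive in a later change or every Check on this type is denied; this is inferred from the visible excerpt of the schema only. A one-line comment recording the intent, e.g. `# TODO: permissions on rhel_host are to be derived from the workspace`, would stop the next reader from assuming the definition is complete.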
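Review bot: The parameter order in `SetWorkspace(ctx, id, workspace, name, namespace)` here is the reverse of the real implementation in kessel.go in the same patch, which declares `workspace, namespace, name`, and the callers pass the literals `"hbi", "rhel_host"` in namespace-then-name order. The no-op body makes the swap harmless today, but because the interface declares unnamed string parameters these names are the only documentation of the argument order a reader gets, so they should agree with the implementation: `func (a *AllowAllAuthz) SetWorkspace(ctx context.Context, id int64, workspace, namespace, name string) (*kessel.CreateTuplesResponse, error) {`.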
@@ -10,4 +10,5 @@ type Authorizer interface { Check(context.Context, *kessel.CheckRequest) (*kessel.CheckResponse, error) CreateTuples(context.Context, *kessel.CreateTuplesRequest) (*kessel.CreateTuplesResponse, error) DeleteTuples(context.Context, *kessel.DeleteTuplesRequest) (*kessel.DeleteTuplesResponse, error) + SetWorkspace(context.Context, int64, string, string, string) (*kessel.CreateTuplesResponse, error) } diff --git a/internal/authz/kessel/kessel.go b/internal/authz/kessel/kessel.go index c0f87645..886496b6 100644 --- a/internal/authz/kessel/kessel.go +++ b/internal/authz/kessel/kessel.go @@ -2,6 +2,9 @@ package kessel import ( "context" + "fmt" + "strconv" + "github.com/go-kratos/kratos/v2/log" authzapi "github.com/project-kessel/inventory-api/internal/authz/api" kessel "github.com/project-kessel/relations-api/api/kessel/relations/v1beta1" @@ -69,3 +72,41 @@ func (a *KesselAuthz) DeleteTuples(ctx context.Context, r *kessel.DeleteTuplesRe } return a.TupleService.DeleteTuples(ctx, r, opts...) } + +func (a *KesselAuthz) SetWorkspace(ctx context.Context, id int64, workspace, namespace, name string) (*kessel.CreateTuplesResponse, error) { + if workspace == "" { + return nil, fmt.Errorf("workspace is required") + } + + // TODO: remove previous tuple for workspace + + rels := []*kessel.Relationship{{ + Resource: &kessel.ObjectReference{ + Type: &kessel.ObjectType{ + Name: name, + Namespace: namespace, + }, + Id: strconv.FormatInt(id, 10), + }, + Relation: "workspace", + Subject: &kessel.SubjectReference{ + Subject: &kessel.ObjectReference{ + Type: &kessel.ObjectType{ + Name: "workspace", + Namespace: "rbac", + }, + Id: workspace, + }, + }, + }} + + response, err := a.CreateTuples(ctx, &kessel.CreateTuplesRequest{ + Tuples: rels, + }) + + if err != nil { + return nil, err + } + + return response, nil +} diff --git a/internal/data/hosts/hosts.go b/internal/data/hosts/hosts.go index 828153ac..fb7eb8c0 100644 --- a/internal/data/hosts/hosts.go 
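Review bot: `SetWorkspace(context.Context, int64, string, string, string)` adds three adjacent string parameters whose meaning the interface does not name, and the two implementations in this same patch already disagree on the order of the last two (allow.go says `name, namespace`, kessel.go says `namespace, name`). Naming them in the interface is the cheapest guard against a caller swapping namespace and name, which would silently write tuples against a resource type that does not exist in the schema: `SetWorkspace(ctx context.Context, id int64, workspace, namespace, name string) (*kessel.CreateTuplesResponse, error)`. A doc comment stating that `namespace/name` must match a definition in deploy/schema.yaml and that `workspace` is an `rbac/workspace` id would complete it.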
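Review bot: `SetWorkspace` only ever adds a `workspace` tuple, and the `// TODO: remove previous tuple for workspace` leaves the security-relevant half undone: when a caller moves a resource to another workspace the old tuple survives, so whoever had access through the old workspace keeps it, and every Update that repeats the same workspace re-submits an identical tuple whose handling by the relations service is not established here. Because this function decides which tenant can reach the resource, the move should be done as remove-then-create against the resource's existing `workspace` tuple (matching on resource type and id with any subject), failing the call if the removal fails rather than leaving two bindings. The `workspace` value is accepted verbatim from caller-supplied metadata and nothing in this function can tell whether the caller may bind resources into that workspace, so that check has to exist at the API layer — not visible in this diff. Two smaller points: a guard parallel to the workspace one would avoid writing a tuple with an empty resource id, and the tail `response, err := a.CreateTuples(...)` / `if err != nil { return nil, err }` / `return response, nil` collapses to `return a.CreateTuples(ctx, &kessel.CreateTuplesRequest{Tuples: rels})`.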
+++ b/internal/data/hosts/hosts.go @@ -49,6 +49,14 @@ func (r *hostsRepo) Save(ctx context.Context, model *biz.Host) (*biz.Host, error return nil, err } } + + if r.Authz != nil { + _, err := r.Authz.SetWorkspace(ctx, model.ID, model.Metadata.Workspace, "hbi", "rhel_host") + if err != nil { + return nil, err + } + } + return model, nil } @@ -73,6 +81,14 @@ func (r *hostsRepo) Update(ctx context.Context, model *biz.Host, id string) (*bi return nil, err } } + + if r.Authz != nil { + _, err := r.Authz.SetWorkspace(ctx, model.ID, model.Metadata.Workspace, "hbi", "rhel_host") + if err != nil { + return nil, err + } + } + return model, nil } @@ -96,6 +112,9 @@ func (r *hostsRepo) Delete(ctx context.Context, id string) error { return err } } + + // TODO: do we need to delete the workspace tuple? + return nil } diff --git a/internal/data/k8sclusters/k8sclusters.go b/internal/data/k8sclusters/k8sclusters.go index b3c737b6..1552b8d2 100644 --- a/internal/data/k8sclusters/k8sclusters.go +++ b/internal/data/k8sclusters/k8sclusters.go @@ -46,6 +46,14 @@ func (r *k8sclustersRepo) Save(ctx context.Context, model *biz.K8SCluster) (*biz return nil, err } } + + if r.Authz != nil { + _, err := r.Authz.SetWorkspace(ctx, model.ID, model.Metadata.Workspace, "acm", "k8scluster") + if err != nil { + return nil, err + } + } + return model, nil } @@ -71,6 +79,14 @@ func (r *k8sclustersRepo) Update(ctx context.Context, model *biz.K8SCluster, id return nil, err } } + + if r.Authz != nil { + _, err := r.Authz.SetWorkspace(ctx, model.ID, model.Metadata.Workspace, "acm", "k8scluster") + if err != nil { + return nil, err + } + } + return model, nil } @@ -94,6 +110,9 @@ func (r *k8sclustersRepo) Delete(ctx context.Context, id string) error { return err } } + + // TODO: do we need to delete the workspace tuple? + return nil } 
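Review bot: In `Update` the `SetWorkspace` call runs after the database write has already succeeded (the `return nil, err` / `}` context above it closes the DB branch), so a failed tuple write returns an error to the caller while the host's new workspace is persisted in the DB and the relations store still points at the old one — the two stores then disagree about who may access the host, and nothing records or retries the failure. If the DB layer offers a transaction the tuple write belongs inside it with a rollback on failure; otherwise the failure should at least be logged with the host id and workspace so the drift can be reconciled. The identical block in `Save` has the same ordering problem. `Update` begins before this hunk.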
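Review bot: `Delete` now leaves the `hbi/rhel_host` `workspace` tuple in place (`// TODO: do we need to delete the workspace tuple?`), and the answer is yes: the tuple is keyed by the resource id passed to `SetWorkspace`, so if that id is ever reported again the new host silently inherits the old workspace binding and whatever access came with it. The repository only has `id string` here, so the cleanup can either load the host first to recover its workspace, or issue a `DeleteTuples` request that filters on resource type and id without naming a subject, which does not require knowing the current workspace. The same dangling tuple remains after the k8sclusters and notificationsintegrations `Delete` methods changed in this patch. `Delete` begins before this hunk.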
diff --git a/internal/data/notificationsintegrations/notificationsintegrations.go b/internal/data/notificationsintegrations/notificationsintegrations.go index 72b50a7b..6d7b1162 100644 --- a/internal/data/notificationsintegrations/notificationsintegrations.go +++ b/internal/data/notificationsintegrations/notificationsintegrations.go @@ -49,6 +49,14 @@ func (r *notificationsintegrationsRepo) Save(ctx context.Context, model *biz.Not return nil, err } } + + if r.Authz != nil { + _, err := r.Authz.SetWorkspace(ctx, model.ID, model.Metadata.Workspace, "notifications", "integration") + if err != nil { + return nil, err + } + } + return model, nil } @@ -73,6 +81,14 @@ func (r *notificationsintegrationsRepo) Update(ctx context.Context, model *biz.N return nil, err } } + + if r.Authz != nil { + _, err := r.Authz.SetWorkspace(ctx, model.ID, model.Metadata.Workspace, "notifications", "integration") + if err != nil { + return nil, err + } + } + return model, nil } @@ -96,6 +112,9 @@ func (r *notificationsintegrationsRepo) Delete(ctx context.Context, id string) e return err } } + + // TODO: do we need to delete the workspace tuple? + return nil } From e95e35159d853445492347c69ed74e91fd075c3e Mon Sep 17 00:00:00 2001 From: Jaime Melis Date: Wed, 11 Sep 2024 22:17:54 +0200 Subject: [PATCH 2/6] use local_resource_id instead of inventory id --- internal/authz/allow/allow.go | 2 +- internal/authz/api/authz-service.go | 2 +- internal/authz/kessel/kessel.go | 5 ++--- internal/data/hosts/hosts.go | 4 ++-- internal/data/k8sclusters/k8sclusters.go | 4 ++-- .../notificationsintegrations/notificationsintegrations.go | 4 ++-- 6 files changed, 10 insertions(+), 11 deletions(-) diff --git a/internal/authz/allow/allow.go b/internal/authz/allow/allow.go index 3bcb458d..fc74901c 100644 --- a/internal/authz/allow/allow.go +++ b/internal/authz/allow/allow.go 
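Review bot: For `notifications/integration` the stale-tuple problem is concrete: the schema context in the first hunk of this patch derives `permission disable`/`enable` from `workspace->notifications_integration_disable`/`_enable`, so after `Update` moves an integration to a new workspace the old workspace's tuple still lets its members enable or disable the integration, because `SetWorkspace` only creates tuples and never removes the previous one. Until that removal exists, a workspace change in this method widens access rather than transferring it. Consider rejecting a workspace change in `Update` when it differs from the stored value, with a comment such as `// workspace moves are not supported until the previous tuple is removed`, so the data layer cannot silently grant two workspaces access. `Update` begins before this hunk.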
@@ -32,6 +32,6 @@ func (a *AllowAllAuthz) DeleteTuples(ctx context.Context, r *kessel.DeleteTuples return &kessel.DeleteTuplesResponse{}, nil } -func (a *AllowAllAuthz) SetWorkspace(ctx context.Context, id int64, workspace, name, namespace string) (*kessel.CreateTuplesResponse, error) { +func (a *AllowAllAuthz) SetWorkspace(ctx context.Context, local_resource_id, workspace, name, namespace string) (*kessel.CreateTuplesResponse, error) { return &kessel.CreateTuplesResponse{}, nil } diff --git a/internal/authz/api/authz-service.go b/internal/authz/api/authz-service.go index 357bd9d2..3d3157f2 100644 --- a/internal/authz/api/authz-service.go +++ b/internal/authz/api/authz-service.go @@ -10,5 +10,5 @@ type Authorizer interface { Check(context.Context, *kessel.CheckRequest) (*kessel.CheckResponse, error) CreateTuples(context.Context, *kessel.CreateTuplesRequest) (*kessel.CreateTuplesResponse, error) DeleteTuples(context.Context, *kessel.DeleteTuplesRequest) (*kessel.DeleteTuplesResponse, error) - SetWorkspace(context.Context, int64, string, string, string) (*kessel.CreateTuplesResponse, error) + SetWorkspace(context.Context, string, string, string, string) (*kessel.CreateTuplesResponse, error) } diff --git a/internal/authz/kessel/kessel.go b/internal/authz/kessel/kessel.go index 886496b6..f04de57f 100644 --- a/internal/authz/kessel/kessel.go +++ b/internal/authz/kessel/kessel.go @@ -3,7 +3,6 @@ package kessel import ( "context" "fmt" - "strconv" "github.com/go-kratos/kratos/v2/log" authzapi "github.com/project-kessel/inventory-api/internal/authz/api" 
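Review bot: The renamed parameter `local_resource_id` is snake_case, which Go linters flag and which the rest of this file avoids; the idiomatic spelling is `localResourceID`. While the line is being touched, the order `name, namespace` still disagrees with kessel.go's `namespace, name` for the same interface method: `func (a *AllowAllAuthz) SetWorkspace(ctx context.Context, localResourceID, workspace, namespace, name string) (*kessel.CreateTuplesResponse, error) {`.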
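Review bot: Changing the second parameter from `int64` to `string` removes the one distinction the compiler enforced: `SetWorkspace(context.Context, string, string, string, string)` now accepts the resource id, workspace, namespace and name in any permutation, and a swapped resource id and workspace would bind a workspace id as a resource without any error. Naming the parameters in the interface — `SetWorkspace(ctx context.Context, localResourceID, workspace, namespace, name string) ...` — at least documents the order; a small struct or a `kessel.ObjectType` for the type pair would make the mistake impossible.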
@@ -73,7 +72,7 @@ func (a *KesselAuthz) DeleteTuples(ctx context.Context, r *kessel.DeleteTuplesRe return a.TupleService.DeleteTuples(ctx, r, opts...) } -func (a *KesselAuthz) SetWorkspace(ctx context.Context, id int64, workspace, namespace, name string) (*kessel.CreateTuplesResponse, error) { +func (a *KesselAuthz) SetWorkspace(ctx context.Context, local_resource_id, workspace, namespace, name string) (*kessel.CreateTuplesResponse, error) { if workspace == "" { return nil, fmt.Errorf("workspace is required") } @@ -86,7 +85,7 @@ func (a *KesselAuthz) SetWorkspace(ctx context.Context, id int64, workspace, nam Name: name, Namespace: namespace, }, - Id: strconv.FormatInt(id, 10), + Id: local_resource_id, }, Relation: "workspace", Subject: &kessel.SubjectReference{ diff --git a/internal/data/hosts/hosts.go b/internal/data/hosts/hosts.go index fb7eb8c0..5e6bafd4 100644 --- a/internal/data/hosts/hosts.go +++ b/internal/data/hosts/hosts.go @@ -51,7 +51,7 @@ func (r *hostsRepo) Save(ctx context.Context, model *biz.Host) (*biz.Host, error } if r.Authz != nil { - _, err := r.Authz.SetWorkspace(ctx, model.ID, model.Metadata.Workspace, "hbi", "rhel_host") + _, err := r.Authz.SetWorkspace(ctx, model.Metadata.Reporters[0].LocalResourceId, model.Metadata.Workspace, "hbi", "rhel_host") if err != nil { return nil, err } @@ -83,7 +83,7 @@ func (r *hostsRepo) Update(ctx context.Context, model *biz.Host, id string) (*bi } if r.Authz != nil { - _, err := r.Authz.SetWorkspace(ctx, model.ID, model.Metadata.Workspace, "hbi", "rhel_host") + _, err := r.Authz.SetWorkspace(ctx, model.Metadata.Reporters[0].LocalResourceId, model.Metadata.Workspace, "hbi", "rhel_host") if err != nil { return nil, err } diff --git a/internal/data/k8sclusters/k8sclusters.go b/internal/data/k8sclusters/k8sclusters.go index 1552b8d2..8e97102c 100644 --- a/internal/data/k8sclusters/k8sclusters.go +++ b/internal/data/k8sclusters/k8sclusters.go 
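Review bot: With the resource id now a string, `SetWorkspace` guards `workspace == ""` but not `local_resource_id == ""`, so a reporter payload with an empty local id produces a tuple whose resource `Id` is `""`; if the relations service accepts it, every resource of that type with an empty id shares one workspace binding. A parallel guard keeps the invariant in one place: `if local_resource_id == "" { return nil, fmt.Errorf("local resource id is required") }`. The parameter should also be spelled `localResourceID` per Go conventions. The body of `SetWorkspace` continues past this hunk.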
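Review bot: `model.Metadata.Reporters[0].LocalResourceId` is indexed without checking that `Reporters` is non-empty, so a request carrying no reporter data panics with an index-out-of-range inside the repository, after the DB write has already happened — a crash any accepted caller can trigger on purpose unless the API layer already requires at least one reporter, which is not visible here. Guard it before the call, e.g. `if len(model.Metadata.Reporters) == 0 { return nil, errors.New("host has no reporter data") }` (adding the import if the file lacks it), or move the extraction into a helper shared by `Save` and `Update`. Note also that the tuple is now keyed only by the first reporter's local id plus the fixed type `hbi/rhel_host`; whether that id is unique across reporter instances and tenants is not established by this diff, and if it is not, two unrelated hosts reported with the same local id would share one workspace binding — worth confirming. `Save` begins before this hunk.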
@@ -48,7 +48,7 @@ func (r *k8sclustersRepo) Save(ctx context.Context, model *biz.K8SCluster) (*biz } if r.Authz != nil { - _, err := r.Authz.SetWorkspace(ctx, model.ID, model.Metadata.Workspace, "acm", "k8scluster") + _, err := r.Authz.SetWorkspace(ctx, model.Metadata.Reporters[0].LocalResourceId, model.Metadata.Workspace, "acm", "k8scluster") if err != nil { return nil, err } @@ -81,7 +81,7 @@ func (r *k8sclustersRepo) Update(ctx context.Context, model *biz.K8SCluster, id } if r.Authz != nil { - _, err := r.Authz.SetWorkspace(ctx, model.ID, model.Metadata.Workspace, "acm", "k8scluster") + _, err := r.Authz.SetWorkspace(ctx, model.Metadata.Reporters[0].LocalResourceId, model.Metadata.Workspace, "acm", "k8scluster") if err != nil { return nil, err } diff --git a/internal/data/notificationsintegrations/notificationsintegrations.go b/internal/data/notificationsintegrations/notificationsintegrations.go index 6d7b1162..de55ac99 100644 --- a/internal/data/notificationsintegrations/notificationsintegrations.go +++ b/internal/data/notificationsintegrations/notificationsintegrations.go @@ -51,7 +51,7 @@ func (r *notificationsintegrationsRepo) Save(ctx context.Context, model *biz.Not } if r.Authz != nil { - _, err := r.Authz.SetWorkspace(ctx, model.ID, model.Metadata.Workspace, "notifications", "integration") + _, err := r.Authz.SetWorkspace(ctx, model.Metadata.Reporters[0].LocalResourceId, model.Metadata.Workspace, "notifications", "integration") if err != nil { return nil, err } @@ -83,7 +83,7 @@ func (r *notificationsintegrationsRepo) Update(ctx context.Context, model *biz.N } if r.Authz != nil { - _, err := r.Authz.SetWorkspace(ctx, model.ID, model.Metadata.Workspace, "notifications", "integration") + _, err := r.Authz.SetWorkspace(ctx, model.Metadata.Reporters[0].LocalResourceId, model.Metadata.Workspace, "notifications", "integration") if err != nil { return nil, err } From 15d8b603600a5460c6c37055632e7b7c4188abea Mon Sep 17 00:00:00 2001 
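Review bot: `Update` keys the tuple on `model.Metadata.Reporters[0].LocalResourceId` taken from the incoming model rather than from the stored record identified by `id`, so the tuple written here can refer to a different resource than the one `Save` wrote if the update's reporter list is empty (index panic), reordered, or led by a different reporter — the old binding then stays and a second one appears under another id. Using the persisted model's reporter id (or `id` itself, if it is the same identifier — not visible here) would keep `Save` and `Update` consistent. At minimum add `if len(model.Metadata.Reporters) == 0 { return nil, ... }` before the call; the k8sclusters and notificationsintegrations `Save`/`Update` hunks in this patch need the same guard. `Update` begins before this hunk.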
From: Jaime Melis Date: Wed, 11 Sep 2024 22:20:34 +0200 Subject: [PATCH 3/6] update examples --- data/host-service-account.json | 2 +- data/host.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/data/host-service-account.json b/data/host-service-account.json index 11972bee..e827fbdf 100644 --- a/data/host-service-account.json +++ b/data/host-service-account.json @@ -1,7 +1,7 @@ { "rhelHost": { "metadata": { - "workspace": "" + "workspace": "workspace1" }, "reporter_data": { "reporter_type": "OCM", diff --git a/data/host.json b/data/host.json index 2f508045..2250e679 100644 --- a/data/host.json +++ b/data/host.json @@ -2,7 +2,7 @@ "rhelHost": { "metadata": { "resource_type": "rhel-host", - "workspace": "" + "workspace": "workspace1" }, "reporter_data": { "reporter_type": "OCM", From f196350173896557b72c3414811039f489646d42 Mon Sep 17 00:00:00 2001 From: Jaime Melis Date: Wed, 11 Sep 2024 22:35:17 +0200 Subject: [PATCH 4/6] add relationships for k8spolicies as well --- internal/data/k8spolicies/k8spolicies.go | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/internal/data/k8spolicies/k8spolicies.go b/internal/data/k8spolicies/k8spolicies.go index fac210a5..588f7c87 100644 --- a/internal/data/k8spolicies/k8spolicies.go +++ b/internal/data/k8spolicies/k8spolicies.go @@ -49,6 +49,14 @@ func (r *k8spoliciesRepo) Save(ctx context.Context, model *biz.K8sPolicy) (*biz. return nil, err } } + + if r.Authz != nil { + _, err := r.Authz.SetWorkspace(ctx, model.Metadata.Reporters[0].LocalResourceId, model.Metadata.Workspace, "acm", "k8spolicy") + if err != nil { + return nil, err + } + } + return model, nil } 
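Review bot: This hunk writes tuples against the resource type `acm/k8spolicy`, but the only schema change in this series adds `hbi/rhel_host`; if `acm/k8spolicy` (and likewise `acm/k8scluster`) is not already defined in deploy/schema.yaml with a `workspace` relation, every policy save fails at the relations write after the DB commit has gone through. That cannot be confirmed from the visible excerpt, so it is worth checking against the full schema and adding a test that exercises `Save` against it. The `Reporters[0]` index also needs the non-empty guard the sibling repositories need, e.g. `if len(model.Metadata.Reporters) == 0 { return nil, ... }`. `Save` begins before this hunk.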
@@ -74,6 +82,14 @@ func (r *k8spoliciesRepo) Update(ctx context.Context, model *biz.K8sPolicy, id s return nil, err } } + + if r.Authz != nil { + _, err := r.Authz.SetWorkspace(ctx, model.Metadata.Reporters[0].LocalResourceId, model.Metadata.Workspace, "acm", "k8scluster") + if err != nil { + return nil, err + } + } + return model, nil } @@ -97,6 +113,9 @@ func (r *k8spoliciesRepo) Delete(ctx context.Context, id string) error { return err } } + + // TODO: delete the workspace tuple + return nil } From 5e23e6333c035df3886a51ed43fbbef2e3e2b89b Mon Sep 17 00:00:00 2001 From: Jaime Melis Date: Wed, 11 Sep 2024 22:36:16 +0200 Subject: [PATCH 5/6] remember to delete the workspace tuple --- internal/data/hosts/hosts.go | 2 +- internal/data/k8sclusters/k8sclusters.go | 2 +- .../data/notificationsintegrations/notificationsintegrations.go | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/internal/data/hosts/hosts.go b/internal/data/hosts/hosts.go index 5e6bafd4..2d0f98c5 100644 --- a/internal/data/hosts/hosts.go +++ b/internal/data/hosts/hosts.go @@ -113,7 +113,7 @@ func (r *hostsRepo) Delete(ctx context.Context, id string) error { } } - // TODO: do we need to delete the workspace tuple? + // TODO: delete the workspace tuple return nil } diff --git a/internal/data/k8sclusters/k8sclusters.go b/internal/data/k8sclusters/k8sclusters.go index 8e97102c..c6bd88bf 100644 --- a/internal/data/k8sclusters/k8sclusters.go +++ b/internal/data/k8sclusters/k8sclusters.go @@ -111,7 +111,7 @@ func (r *k8sclustersRepo) Delete(ctx context.Context, id string) error { } } - // TODO: do we need to delete the workspace tuple? + // TODO: delete the workspace tuple return nil } diff --git a/internal/data/notificationsintegrations/notificationsintegrations.go b/internal/data/notificationsintegrations/notificationsintegrations.go index de55ac99..fc105df6 100644 --- a/internal/data/notificationsintegrations/notificationsintegrations.go 
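Review bot: `Delete` leaves the `acm/k8spolicy` `workspace` tuple behind (`// TODO: delete the workspace tuple`) and only has `id string` to work with, so the cleanup cannot simply mirror `SetWorkspace`. The clean option is a `DeleteTuples` call filtered on resource type and resource id with no subject, which removes every `workspace` tuple for the policy regardless of which workspace it was last bound to; otherwise the policy must be loaded first to recover its reporter id and workspace. Until that exists, a later policy reported under the same local id inherits the deleted policy's workspace and the access that goes with it. `Delete` begins before this hunk.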
+++ b/internal/data/notificationsintegrations/notificationsintegrations.go @@ -113,7 +113,7 @@ func (r *notificationsintegrationsRepo) Delete(ctx context.Context, id string) e } } - // TODO: do we need to delete the workspace tuple? + // TODO: delete the workspace tuple return nil } From affc77cf3283b600e57475b40c39bdba894a6954 Mon Sep 17 00:00:00 2001 From: Jaime Melis Date: Wed, 11 Sep 2024 22:37:55 +0200 Subject: [PATCH 6/6] typo --- internal/data/k8spolicies/k8spolicies.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/data/k8spolicies/k8spolicies.go b/internal/data/k8spolicies/k8spolicies.go index 588f7c87..1d720e5d 100644 --- a/internal/data/k8spolicies/k8spolicies.go +++ b/internal/data/k8spolicies/k8spolicies.go @@ -84,7 +84,7 @@ func (r *k8spoliciesRepo) Update(ctx context.Context, model *biz.K8sPolicy, id s } if r.Authz != nil { - _, err := r.Authz.SetWorkspace(ctx, model.Metadata.Reporters[0].LocalResourceId, model.Metadata.Workspace, "acm", "k8scluster") + _, err := r.Authz.SetWorkspace(ctx, model.Metadata.Reporters[0].LocalResourceId, model.Metadata.Workspace, "acm", "k8spolicy") if err != nil { return nil, err }
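Review bot: The typo this fixes (`"k8scluster"` passed for a policy) was possible because each repository repeats the type as two bare string literals per call and nothing ties them to the repository, so `Save` and `Update` can drift independently. Declaring the pair once per package, e.g. `const resourceNamespace, resourceName = "acm", "k8spolicy"`, and passing those in both methods removes that failure mode; a `kessel.ObjectType` value held on the repository struct would be stronger still. `Update` begins before this hunk.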