Get project information for users from OpenFGA

This uses OpenFGA as the authoritative location for user/project relationships.
mindersec · Feb 1, 2024 · 1d8255d · 1d8255d
1 parent 0889f84
commit 1d8255d
Show file tree

Hide file tree

Showing 18 changed files with 120 additions and 273 deletions.
diff --git a/cmd/server/app/migrate_up.go b/cmd/server/app/migrate_up.go
@@ -31,7 +31,6 @@ import (
 
 	"github.com/stacklok/minder/internal/authz"
 	serverconfig "github.com/stacklok/minder/internal/config/server"
-	"github.com/stacklok/minder/internal/db"
 	"github.com/stacklok/minder/internal/logger"
 )
 
@@ -127,55 +126,10 @@ var upCmd = &cobra.Command{
 			return fmt.Errorf("error preparing authz client: %w", err)
 		}
 
-		store := db.NewStore(dbConn)
-		if err := migratePermsToFGA(ctx, store, authzw, cmd); err != nil {
-			return fmt.Errorf("error while migrating permissions to FGA: %w", err)
-		}
-
 		return nil
 	},
 }
 
-func migratePermsToFGA(ctx context.Context, store db.Store, authzw authz.Client, cmd *cobra.Command) error {
-	cmd.Println("Migrating permissions to FGA...")
-
-	var i int32 = 0
-	for {
-		userList, err := store.ListUsers(ctx, db.ListUsersParams{Limit: 100, Offset: i})
-		if err != nil {
-			return fmt.Errorf("error while listing users: %w", err)
-		}
-		i = i + 100
-		cmd.Printf("Found %d users to migrate\n", len(userList))
-		if len(userList) == 0 {
-			break
-		}
-
-		for _, user := range userList {
-			projs, err := store.GetUserProjects(ctx, user.ID)
-			if err != nil {
-				cmd.Printf("Skipping user %d since getting user projects yielded error: %s\n",
-					user.ID, err)
-				continue
-			}
-
-			for _, proj := range projs {
-				cmd.Printf("Migrating user to FGA for project %s\n", proj.ProjectID)
-				if err := authzw.Write(
-					ctx, user.IdentitySubject, authz.AuthzRoleAdmin, proj.ProjectID,
-				); err != nil {
-					cmd.Printf("Error while writing permission for user %d: %s\n", user.ID, err)
-					continue
-				}
-			}
-		}
-	}
-
-	cmd.Println("Done migrating permissions to FGA")
-
-	return nil
-}
-
 func init() {
 	migrateCmd.AddCommand(upCmd)
 }
diff --git a/database/migrations/000016_remove_user_project.down.sql b/database/migrations/000016_remove_user_project.down.sql
diff --git a/database/migrations/000016_remove_user_project.up.sql b/database/migrations/000016_remove_user_project.up.sql
@@ -0,0 +1,15 @@
+-- Copyright 2023 Stacklok, Inc
+--
+-- Licensed under the Apache License, Version 2.0 (the "License");
+-- you may not use this file except in compliance with the License.
+-- You may obtain a copy of the License at
+--
+--      http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+
+DROP TABLE IF EXISTS user_projects;
diff --git a/database/mock/store.go b/database/mock/store.go
diff --git a/database/query/user_projects.sql b/database/query/user_projects.sql
diff --git a/database/query/users.sql b/database/query/users.sql
@@ -23,13 +23,5 @@ ORDER BY id
 LIMIT $2
 OFFSET $3;
 
--- name: ListUsersByProject :many
-SELECT users.* FROM users
-JOIN user_projects ON users.id = user_projects.user_id
-WHERE user_projects.project_id = $1
-ORDER BY users.id
-LIMIT $2
-OFFSET $3;
-
 -- name: CountUsers :one
 SELECT COUNT(*) FROM users;
diff --git a/internal/authz/authz.go b/internal/authz/authz.go
@@ -377,6 +377,47 @@ func (a *ClientWrapper) AssignmentsToProject(ctx context.Context, project uuid.U
 	return assignments, nil
 }
 
+// ProjectsForUser lists the projects that the given user has access to
+func (a *ClientWrapper) ProjectsForUser(ctx context.Context, sub string) ([]uuid.UUID, error) {
+	u := getUserForTuple(sub)
+
+	var pagesize int32 = 50
+	var contTok *string = nil
+
+	projs := map[string]any{}
+	projectObj := "project:"
+
+	for {
+		resp, err := a.cli.Read(ctx).Options(fgaclient.ClientReadOptions{
+			PageSize:          &pagesize,
+			ContinuationToken: contTok,
+		}).Body(fgaclient.ClientReadRequest{
+			User:   &u,
+			Object: &projectObj,
+		}).Execute()
+		if err != nil {
+			return nil, fmt.Errorf("unable to read authorization tuples: %w", err)
+		}
+
+		for _, t := range resp.GetTuples() {
+			k := t.GetKey()
+
+			projs[k.GetObject()] = struct{}{}
+		}
+	}
+
+	out := []uuid.UUID{}
+	for proj := range projs {
+		uuid, err := uuid.Parse(getProjectFromTuple(proj))
+		if err != nil {
+			continue
+		}
+		out = append(out, uuid)
+	}
+
+	return out, nil
+}
+
 func getUserForTuple(user string) string {
 	return "user:" + user
 }
@@ -388,3 +429,26 @@ func getProjectForTuple(project uuid.UUID) string {
 func getUserFromTuple(user string) string {
 	return strings.TrimPrefix(user, "user:")
 }
+
+func getProjectFromTuple(project string) string {
+	return strings.TrimPrefix(project, "project:")
+}
+
+func getRoleAssignmentsFromReadResponse(resp *fgaclient.ClientReadResponse, proj *string) []*minderv1.RoleAssignment {
+	assignments := []*minderv1.RoleAssignment{}
+
+	for _, t := range resp.GetTuples() {
+		k := t.GetKey()
+		r, err := ParseRole(k.GetRelation())
+		if err != nil {
+			continue
+		}
+		assignments = append(assignments, &minderv1.RoleAssignment{
+			Subject: getUserFromTuple(k.GetUser()),
+			Role:    r.String(),
+			Project: proj,
+		})
+	}
+
+	return assignments
+}
diff --git a/internal/authz/interface.go b/internal/authz/interface.go
@@ -98,6 +98,9 @@ type Client interface {
 	// AssignmentsToProject outputs the existing role assignments for a given project.
 	AssignmentsToProject(ctx context.Context, project uuid.UUID) ([]*minderv1.RoleAssignment, error)
 
+	// ProjectsForUser outputs the projects a user has access to.
+	ProjectsForUser(ctx context.Context, sub string) ([]uuid.UUID, error)
+
 	// PrepareForRun allows for any preflight configurations to be done before
 	// the server is started.
 	PrepareForRun(ctx context.Context) error

diff --git a/internal/authz/mock/noop_authz.go b/internal/authz/mock/noop_authz.go
@@ -64,6 +64,11 @@ func (_ *NoopClient) AssignmentsToProject(_ context.Context, _ uuid.UUID) ([]*mi
 	return nil, nil
 }
 
+// ProjectsForUser implements authz.Client
+func (_ *NoopClient) ProjectsForUser(ctx context.Context, sub string) ([]uuid.UUID, error) {
+	return nil, nil
+}
+
 // PrepareForRun implements authz.Client
 func (_ *NoopClient) PrepareForRun(_ context.Context) error {
 	return nil

diff --git a/internal/authz/mock/simple_authz.go b/internal/authz/mock/simple_authz.go
@@ -67,6 +67,11 @@ func (_ *SimpleClient) AssignmentsToProject(_ context.Context, _ uuid.UUID) ([]*
 	return nil, nil
 }
 
+// ProjectsForUser implements authz.Client
+func (_ *SimpleClient) ProjectsForUser(ctx context.Context, sub string) ([]uuid.UUID, error) {
+	return nil, nil
+}
+
 // PrepareForRun implements authz.Client
 func (_ *SimpleClient) PrepareForRun(_ context.Context) error {
 	return nil

diff --git a/internal/controlplane/handlers_authz.go b/internal/controlplane/handlers_authz.go
@@ -67,7 +67,7 @@ func EntityContextProjectInterceptor(ctx context.Context, req interface{}, info
 
 	server := info.Server.(*Server)
 
-	ctx, err := populateEntityContext(ctx, server.store, request)
+	ctx, err := populateEntityContext(ctx, server.store, server.authzClient, request)
 	if err != nil {
 		return nil, err
 	}
@@ -112,12 +112,17 @@ func ProjectAuthorizationInterceptor(ctx context.Context, req interface{}, info
 
 // populateEntityContext populates the project in the entity context, by looking at the proto context or
 // fetching the default project
-func populateEntityContext(ctx context.Context, store db.Store, in HasProtoContext) (context.Context, error) {
+func populateEntityContext(
+	ctx context.Context,
+	store db.Store,
+	authzClient authz.Client,
+	in HasProtoContext,
+) (context.Context, error) {
 	if in.GetContext() == nil {
 		return ctx, fmt.Errorf("context cannot be nil")
 	}
 
-	projectID, err := getProjectFromRequestOrDefault(ctx, store, in)
+	projectID, err := getProjectFromRequestOrDefault(ctx, store, authzClient, in)
 	if err != nil {
 		return ctx, err
 	}
@@ -137,7 +142,12 @@ func populateEntityContext(ctx context.Context, store db.Store, in HasProtoConte
 	return engine.WithEntityContext(ctx, entityCtx), nil
 }
 
-func getProjectFromRequestOrDefault(ctx context.Context, store db.Store, in HasProtoContext) (uuid.UUID, error) {
+func getProjectFromRequestOrDefault(
+	ctx context.Context,
+	store db.Store,
+	authzClient authz.Client,
+	in HasProtoContext,
+) (uuid.UUID, error) {
 	// Prefer the context message from the protobuf
 	if in.GetContext().GetProject() != "" {
 		requestedProject := in.GetContext().GetProject()
@@ -154,15 +164,15 @@ func getProjectFromRequestOrDefault(ctx context.Context, store db.Store, in HasP
 	if err != nil {
 		return uuid.UUID{}, status.Errorf(codes.NotFound, "user not found")
 	}
-	projects, err := store.GetUserProjects(ctx, userInfo.ID)
+	projects, err := authzClient.ProjectsForUser(ctx, userInfo.IdentitySubject)
 	if err != nil {
 		return uuid.UUID{}, status.Errorf(codes.NotFound, "cannot find projects for user")
 	}
 
 	if len(projects) != 1 {
 		return uuid.UUID{}, status.Errorf(codes.InvalidArgument, "cannot get default project")
 	}
-	return projects[0].ID, nil
+	return projects[0], nil
 }
 
 // Permissions API

diff --git a/internal/controlplane/handlers_authz_test.go b/internal/controlplane/handlers_authz_test.go
@@ -109,11 +109,6 @@ func TestEntityContextProjectInterceptor(t *testing.T) {
 					Return(db.User{
 						ID: 1,
 					}, nil)
-				store.EXPECT().
-					GetUserProjects(gomock.Any(), gomock.Any()).
-					Return([]db.GetUserProjectsRow{{
-						ID: defaultProjectID,
-					}}, nil)
 			},
 			expectedContext: engine.EntityContext{
 				// Uses the default project id