server+service+database: add bundle trigger endpoint (with authz)

Some arbitrary choices here that we'll need to discuss before merging!

Signed-off-by: Stephan Renatus <[email protected]>

Author: srenatus

cmd/run/run.go

@@ -2,8 +2,6 @@ package cmd
 
 import (
 	"os"
-	"os/signal"
-	"syscall"
 
 	"github.com/open-policy-agent/opa-control-plane/cmd"
 	"github.com/open-policy-agent/opa-control-plane/cmd/internal/flags"
@@ -72,12 +70,14 @@ func init() {
 				log.Fatalf("initialize service: %v", err)
 			}
 
-			// NB(sr): Preliminary, not necessarily something we'll want to keep:
-			// Rebuild all bundles on SIGHUP.
-			signalTrigger(svc, log)
-
 			go func() {
-				if err := server.New().WithDatabase(svc.Database()).WithReadiness(svc.Ready).WithConfig(config.Service).Init().ListenAndServe(params.addr); err != nil {
+				if err := server.New().
+					WithService(svc).
+					WithConfig(config.Service).
+					WithDatabase(svc.Database()).
+					WithReadiness(svc.Ready).
+					Init().
+					ListenAndServe(params.addr); err != nil {
 					log.Fatalf("failed to start server: %v", err)
 				}
 			}()
@@ -100,15 +100,3 @@ func init() {
 		run,
 	)
 }
-
-func signalTrigger(s *service.Service, l *logging.Logger) {
-	sigs := make(chan os.Signal, 1)
-	signal.Notify(sigs, syscall.SIGHUP)
-	go func() {
-		for range sigs {
-			if err := s.TriggerAll(context.Background()); err != nil {
-				l.Error(err.Error())
-			}
-		}
-	}()
-}

e2e/cli/run_with_trigger.txtar

@@ -0,0 +1,42 @@
+! exec $OPACTL run --config config.d/bundle.yml --data-dir tmp --addr 127.0.0.1:8284 --log-level debug &opactl&
+! stderr .
+! stdout .
+
+exec curl --retry 5 --retry-all-errors http://127.0.0.1:8284/health
+
+# automation token
+exec curl -H 'Authorization: bearer sesame' http://127.0.0.1:8284/v1/bundles/hello-world -XPOST
+
+# admin token
+exec curl -H 'Authorization: bearer admin' http://127.0.0.1:8284/v1/bundles/hello-world -XPOST
+
+kill opactl
+wait opactl
+stderr 'triggered bundle build for hello-world'
+
+-- data/common.json --
+{ "common": true }
+-- config.d/bundle.yml --
+bundles:
+  hello-world:
+    object_storage:
+      filesystem:
+        path: bundles/hello-world/bundle.tar.gz
+    requirements:
+    - source: global-data
+sources:
+  global-data:
+    paths:
+    - data/common.json
+service:
+  bundle_rebuild_interval: 1h
+  reconfiguration_interval: 1h
+tokens:
+  admin-user:
+    api_key: admin
+    scopes:
+    - role: administrator
+  trigger-token:
+    api_key: sesame
+    scopes:
+    - role: automation

internal/authz/authz.rego

@@ -49,3 +49,9 @@ allow if {
 	data.resource_permissions.principal_id == input.principal
 	data.resource_permissions.permission == input.permission
 }
+
+allow if {
+	data.principals.id == input.principal
+	data.principals.role == "automation"
+	input.permission == "bundles.trigger"
+}

internal/config/config.go

@@ -736,7 +736,7 @@ func (t *Token) Equal(other *Token) bool {
 }
 
 type Scope struct {
-	Role string `json:"role" yaml:"role" enum:"administrator,viewer,owner,stack_owner"`
+	Role string `json:"role" yaml:"role" enum:"administrator,viewer,owner,stack_owner,automation"`
 }
 
 func scopesEqual(a, b []Scope) bool {
@@ -963,18 +963,6 @@ func (a Datasources) Equal(b Datasources) bool {
 	return setEqual(a, b, func(ds Datasource) string { return ds.Name }, func(a, b Datasource) bool { return a.Equal(&b) })
 }
 
-type Service struct {
-	// ReconfigurationInterval is the duration between configuration checks, i.e. when a change
-	// to a bundle/stack/source will have an effect on the internal bundle workers.
-	// String of a duration, e.g. "1m". Defaults to "15s".
-	ReconfigurationInterval *time.Duration `json:"reconfiguration_interval,omitempty" yaml:"reconfiguration_interval,omitempty"`
-
-	// BundleRebuildInterval is the time between bundle builds: After a bundle build as finished,
-	// OCP will wait _this long_ until it's build again (unless the bundle build is triggered by
-	// other means). String duration, e.g. "90s". Defaults to "30s".
-	BundleRebuildInterval *time.Duration `json:"bundle_rebuild_interval,omitempty" yaml:"bundle_rebuild_interval,omitempty"`
-}
-
 type Database struct {
 	SQL    *SQLDatabase `json:"sql,omitempty" yaml:"sql,omitempty"`
 	AWSRDS *AmazonRDS   `json:"aws_rds,omitempty" yaml:"aws_rds,omitempty"`
@@ -1003,6 +991,16 @@ type Service struct {
 	// ApiPrefix prefixes all endpoints (including health and metrics) with its value. It is important to start with `/` and not end with `/`.
 	// For example `/my/path` will make health endpoint be accessible under `/my/path/health`
 	ApiPrefix string `json:"api_prefix,omitempty" yaml:"api_prefix,omitempty" pattern:"^/([^/].*[^/])?$"`
+
+	// ReconfigurationInterval is the duration between configuration checks, i.e. when a change
+	// to a bundle/stack/source will have an effect on the internal bundle workers.
+	// String of a duration, e.g. "1m". Defaults to "15s".
+	ReconfigurationInterval *time.Duration `json:"reconfiguration_interval,omitempty" yaml:"reconfiguration_interval,omitempty"`
+
+	// BundleRebuildInterval is the time between bundle builds: After a bundle build as finished,
+	// OCP will wait _this long_ until it's build again (unless the bundle build is triggered by
+	// other means). String duration, e.g. "90s". Defaults to "30s".
+	BundleRebuildInterval *time.Duration `json:"bundle_rebuild_interval,omitempty" yaml:"bundle_rebuild_interval,omitempty"`
 }
 
 func setEqual[K comparable, V any](a, b []V, key func(V) K, eq func(a, b V) bool) bool {

internal/database/database.go

@@ -415,7 +415,7 @@ func (d *Database) sourcesDataPut(ctx context.Context, sourceName, path string,
 			Name:       sourceName,
 		})
 		if !allowed {
-			return errors.New("unauthorized")
+			return ErrNotAuthorized
 		}
 
 		bs, err := json.Marshal(data)
@@ -1632,6 +1632,15 @@ func (d *Database) deleteNotIn(ctx context.Context, tx *sql.Tx, table, keyColumn
 	return err
 }
 
+func (d *Database) Check(ctx context.Context, a authz.Access) error {
+	return tx1(ctx, d, func(tx *sql.Tx) error {
+		if !authz.Check(ctx, tx, d.arg, a) {
+			return ErrNotAuthorized
+		}
+		return nil
+	})
+}
+
 func (d *Database) arg(i int) string {
 	if d.kind == postgres {
 		return "$" + strconv.Itoa(i+1)

internal/server/server.go

@@ -19,11 +19,13 @@ import (
 	"github.com/open-policy-agent/opa-control-plane/internal/metrics"
 	"github.com/open-policy-agent/opa-control-plane/internal/server/chain"
 	"github.com/open-policy-agent/opa-control-plane/internal/server/types"
+	"github.com/open-policy-agent/opa-control-plane/internal/service"
 )
 
 type Server struct {
 	router    *http.ServeMux
 	db        *database.Database
+	svc       *service.Service
 	readyFn   func(context.Context) error
 	apiPrefix string
 }
@@ -62,6 +64,7 @@ func (s *Server) Init() *Server {
 	setup("GET", "/v1/bundles/{bundle}", s.v1BundlesGet)
 	setup("PUT", "/v1/bundles/{bundle}", s.v1BundlesPut)
 	setup("DELETE", "/v1/bundles/{bundle}", s.v1BundlesDelete)
+	setup("POST", "/v1/bundles/{bundle}", s.v1BundlesPost)
 
 	setup("GET", "/v1/stacks", s.v1StacksList)
 	setup("GET", "/v1/stacks/{stack}", s.v1StacksGet)
@@ -81,6 +84,11 @@ func (s *Server) WithRouter(router *http.ServeMux) *Server {
 	return s
 }
 
+func (s *Server) WithService(svc *service.Service) *Server {
+	s.svc = svc
+	return s
+}
+
 func (s *Server) WithDatabase(db *database.Database) *Server {
 	s.db = db
 	return s
@@ -179,6 +187,24 @@ func (s *Server) v1BundlesGet(w http.ResponseWriter, r *http.Request) {
 	JSONOK(w, resp, pretty(r))
 }
 
+func (s *Server) v1BundlesPost(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+
+	name, err := url.PathUnescape(r.PathValue("bundle"))
+	if err != nil {
+		ErrorString(w, http.StatusBadRequest, types.CodeInvalidParameter, err)
+		return
+	}
+
+	if err := s.svc.Trigger(ctx, s.auth(r), name); err != nil {
+		errorAuto(w, err)
+		return
+	}
+
+	resp := types.BundlesPostResponseV1{}
+	JSONOK(w, resp, pretty(r))
+}
+
 func (s *Server) v1BundlesDelete(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 

internal/server/types/types.go

@@ -45,6 +45,8 @@ type BundlesGetResponseV1 struct {
 
 type BundlesPutResponseV1 struct{}
 
+type BundlesPostResponseV1 struct{}
+
 type BundlesDeleteResponseV1 struct{}
 
 type SourcesGetResponseV1 struct {

internal/service/service.go

@@ -15,6 +15,7 @@ import (
 	"sync"
 	"time"
 
+	"github.com/open-policy-agent/opa-control-plane/internal/authz"
 	"github.com/open-policy-agent/opa-control-plane/internal/builder"
 	"github.com/open-policy-agent/opa-control-plane/internal/config"
 	"github.com/open-policy-agent/opa-control-plane/internal/database"
@@ -220,14 +221,17 @@ func (s *Service) Report() *Report {
 	return s.report
 }
 
-func (s *Service) TriggerAll(ctx context.Context) error {
-	for name := range s.workers {
-		return s.Trigger(ctx, name)
+func (s *Service) Trigger(ctx context.Context, principal, name string) error {
+	a := authz.Access{
+		Principal:  principal,
+		Resource:   "bundles",
+		Permission: "bundles.trigger",
+		Name:       name,
+	}
+	if err := s.database.Check(ctx, a); err != nil {
+		return err
 	}
-	return nil
-}
 
-func (s *Service) Trigger(_ context.Context, name string) error {
 	err := s.pool.Trigger(name)
 	if err != nil {
 		s.log.Errorf("trigger bundle build for %s: %v", name, err)