add support for iam-runtime relationship events
Adds support for using the iam-runtime to create relationships,
while still maintaining support for the legacy permissions client.

Signed-off-by: Mike Mason <mimason@equinix.com>
mikemrm committed May 8, 2024
1 parent 818bb30 commit 8f2071b
Showing 1 changed file with 60 additions and 13 deletions.
73 changes: 60 additions & 13 deletions entx/template/event_hooks.tmpl
Expand Up @@ -7,7 +7,11 @@

{{ $genPackage := base $.Config.Package }}

import "go.infratographer.com/permissions-api/pkg/permissions"
import (
"github.com/metal-toolbox/iam-runtime/pkg/iam/runtime/authorization"
"github.com/metal-toolbox/iam-runtime-contrib/iamruntime"
"go.infratographer.com/permissions-api/pkg/permissions"
)

{{- range $node := $.Nodes }}
{{- if $nodeAnnotation := $node.Annotations.INFRA9_EVENTHOOKS }}
Expand All @@ -19,7 +23,7 @@
return hook.{{ $node.Name }}Func(func(ctx context.Context, m *generated.{{ $node.Name }}Mutation) (ent.Value, error) {
var err error
additionalSubjects := []gidx.PrefixedID{}
relationships := []events.AuthRelationshipRelation{}
relationships := []*authorization.Relationship{}

objID, ok := m.{{ $node.ID.MutationGet }}()
if !ok {
Expand Down Expand Up @@ -56,19 +60,19 @@
additionalSubjects = append(additionalSubjects, {{ $f.Name }})

{{- if $annotation.AdditionalSubjectRelation }}
relationships = append(relationships, events.AuthRelationshipRelation{
relationships = append(relationships, &authorization.Relationship{
Relation: "{{ $annotation.AdditionalSubjectRelation }}",
SubjectID: {{ $f.Name }},
SubjectId: {{ $f.Name }}.String(),
})
{{- end }}
}
{{- else }}
additionalSubjects = append(additionalSubjects, {{ $f.Name }})

{{- if $annotation.AdditionalSubjectRelation }}
relationships = append(relationships, events.AuthRelationshipRelation{
relationships = append(relationships, &authorization.Relationship{
Relation: "{{ $annotation.AdditionalSubjectRelation }}",
SubjectID: {{ $f.Name }},
SubjectId: {{ $f.Name }}.String(),
})
{{- end }}
{{- end }}
Expand Down Expand Up @@ -132,7 +136,7 @@
}

if len(relationships) != 0 && m.Op().Is(ent.OpCreate) {
if err := permissions.CreateAuthRelationships(ctx, "{{ $nodeAnnotation.SubjectName }}", objID, relationships...); err != nil {
if err := createAuthRelationships(ctx, "{{ $nodeAnnotation.SubjectName }}", objID, relationships...); err != nil {
return nil, fmt.Errorf("relationship request failed with error: %w", err)
}
}
Expand All @@ -151,7 +155,7 @@
func(next ent.Mutator) ent.Mutator {
return hook.{{ $node.Name }}Func(func(ctx context.Context, m *generated.{{ $node.Name }}Mutation) (ent.Value, error) {
additionalSubjects := []gidx.PrefixedID{}
relationships := []events.AuthRelationshipRelation{}
relationships := []*authorization.Relationship{}

objID, ok := m.{{ $node.ID.MutationGet }}()
if !ok {
Expand All @@ -172,19 +176,19 @@
additionalSubjects = append(additionalSubjects, dbObj.{{ $f.MutationGet }})

{{- if $annotation.AdditionalSubjectRelation }}
relationships = append(relationships, events.AuthRelationshipRelation{
relationships = append(relationships, &authorization.Relationship{
Relation: "{{ $annotation.AdditionalSubjectRelation }}",
SubjectID: dbObj.{{ $f.MutationGet }},
SubjectId: dbObj.{{ $f.MutationGet }}.String(),
})
{{- end }}
}
{{- else }}
additionalSubjects = append(additionalSubjects, dbObj.{{ $f.MutationGet }})

{{- if $annotation.AdditionalSubjectRelation }}
relationships = append(relationships, events.AuthRelationshipRelation{
relationships = append(relationships, &authorization.Relationship{
Relation: "{{ $annotation.AdditionalSubjectRelation }}",
SubjectID: dbObj.{{ $f.MutationGet }},
SubjectId: dbObj.{{ $f.MutationGet }}.String(),
})
{{- end }}
{{- end }}
Expand All @@ -199,7 +203,7 @@
}

if len(relationships) != 0 {
if err := permissions.DeleteAuthRelationships(ctx, "{{ $nodeAnnotation.SubjectName }}", objID, relationships...); err != nil {
if err := deleteAuthRelationships(ctx, "{{ $nodeAnnotation.SubjectName }}", objID, relationships...); err != nil {
return nil, fmt.Errorf("relationship request failed with error: %w", err)
}
}
Expand Down Expand Up @@ -248,5 +252,48 @@
}
}

func createAuthRelationships(ctx context.Context, resourceType string, resourceID gidx.PrefixedID, relationships ...*authorization.Relationship) error {
request := &authorization.CreateRelationshipsRequest{
ResourceId: resourceID.String(),
Relationships: relationships,
}

if _, err := iamruntime.ContextCreateRelationships(ctx, request); err == nil || !errors.Is(err, iamruntime.ErrRuntimeNotFound) {
return err
}

eventRelationships := make([]events.AuthRelationshipRelation, len(request.Relationships))

for i, rel := range request.Relationships {
eventRelationships[i] = events.AuthRelationshipRelation{
Relation: rel.Relation,
SubjectID: gidx.PrefixedID(rel.SubjectId),
}
}

return permissions.CreateAuthRelationships(ctx, resourceType, gidx.PrefixedID(request.ResourceId), eventRelationships...)
}

func deleteAuthRelationships(ctx context.Context, resourceType string, resourceID gidx.PrefixedID, relationships ...*authorization.Relationship) error {
request := &authorization.DeleteRelationshipsRequest{
ResourceId: resourceID.String(),
Relationships: relationships,
}

if _, err := iamruntime.ContextDeleteRelationships(ctx, request); err == nil || !errors.Is(err, iamruntime.ErrRuntimeNotFound) {
return err
}

eventRelationships := make([]events.AuthRelationshipRelation, len(request.Relationships))

for i, rel := range request.Relationships {
eventRelationships[i] = events.AuthRelationshipRelation{
Relation: rel.Relation,
SubjectID: gidx.PrefixedID(rel.SubjectId),
}
}

return permissions.DeleteAuthRelationships(ctx, resourceType, gidx.PrefixedID(request.ResourceId), eventRelationships...)
}

{{ end }}
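Review bot: The new createAuthRelationships and deleteAuthRelationships helpers duplicate the runtime→event conversion loop and carry no doc comment explaining the fallback rule, which is the one thing a reader needs to know: the permissions-api client is used only when the iam-runtime call fails with iamruntime.ErrRuntimeNotFound, and any other runtime error is returned as-is. I would extract the loop into a small toEventRelationships helper and document both entry points, as below. Both helpers also have resourceID as a gidx.PrefixedID already, so passing `resourceID` straight to the permissions client avoids the `gidx.PrefixedID(request.ResourceId)` round trip through a string. The helpers call errors.Is but the hunk at the top of the template only adds the authorization, iamruntime and permissions imports; if `errors` is not already imported elsewhere in the template this will not compile in generated code, so worth confirming.
```go
// createAuthRelationships creates the given relationships through the iam-runtime
// carried in ctx. When no runtime is present (iamruntime.ErrRuntimeNotFound) it
// falls back to the legacy permissions-api client; any other runtime error is returned.
func createAuthRelationships(ctx context.Context, resourceType string, resourceID gidx.PrefixedID, relationships ...*authorization.Relationship) error {
	request := &authorization.CreateRelationshipsRequest{
		ResourceId:    resourceID.String(),
		Relationships: relationships,
	}

	if _, err := iamruntime.ContextCreateRelationships(ctx, request); err == nil || !errors.Is(err, iamruntime.ErrRuntimeNotFound) {
		return err
	}

	return permissions.CreateAuthRelationships(ctx, resourceType, resourceID, toEventRelationships(relationships)...)
}

// … unchanged: deleteAuthRelationships, same shape using the delete request and permissions.DeleteAuthRelationships …

// toEventRelationships converts iam-runtime relationships into the legacy event form
// expected by the permissions-api client.
func toEventRelationships(relationships []*authorization.Relationship) []events.AuthRelationshipRelation {
	out := make([]events.AuthRelationshipRelation, len(relationships))
	for i, rel := range relationships {
		out[i] = events.AuthRelationshipRelation{
			Relation:  rel.Relation,
			SubjectID: gidx.PrefixedID(rel.SubjectId),
		}
	}
	return out
}
```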
