Service accounts (#89)

- Introduce service accounts in graphql api
- Rework roles to be a bit more dynamic

Co-authored-by: Christer Edvartsen <[email protected]>
Co-authored-by: @x10an14-nav <[email protected]>

Author: 3 people

.configs/gqlgen.yaml

@@ -27,6 +27,7 @@ omit_root_models: true
 autobind:
   - "github.com/99designs/gqlgen/graphql/introspection" # Without this line in the beginning, a `prelude.resolver.go` is generated
   - "github.com/nais/api/internal/activitylog"
+  - "github.com/nais/api/internal/auth/authz"
   - "github.com/nais/api/internal/cost"
   - "github.com/nais/api/internal/deployment"
   - "github.com/nais/api/internal/feature"

.configs/sqlc.yaml

@@ -68,13 +68,13 @@ sql:
         out: "../internal/team/teamsql"
 
   - <<: *default_domain
-    name: "Roles SQL"
-    queries: "../internal/role/queries"
+    name: "Authz SQL"
+    queries: "../internal/auth/authz/queries"
     gen:
       go:
         <<: *default_go
-        package: "rolesql"
-        out: "../internal/role/rolesql"
+        package: "authzsql"
+        out: "../internal/auth/authz/authzsql"
 
   - <<: *default_domain
     name: "Activity log SQL"

cmd/setup_local/main.go

@@ -20,11 +20,11 @@ import (
 	"github.com/nais/api/internal/graph/model"
 	"github.com/nais/api/internal/graph/pagination"
 	"github.com/nais/api/internal/logger"
-	"github.com/nais/api/internal/role"
-	"github.com/nais/api/internal/role/rolesql"
 	"github.com/nais/api/internal/slug"
 	"github.com/nais/api/internal/team"
 	"github.com/nais/api/internal/user"
+	"github.com/nais/api/internal/usersync/usersyncer"
+	"github.com/nais/api/internal/usersync/usersyncsql"
 	"github.com/sethvargo/go-envconfig"
 	"github.com/sirupsen/logrus"
 	"golang.org/x/text/runes"
@@ -154,7 +154,7 @@ func run(ctx context.Context, cfg *seedConfig, log logrus.FieldLogger) error {
 	ctx = activitylog.NewLoaderContext(ctx, pool)
 	ctx = user.NewLoaderContext(ctx, pool)
 	ctx = team.NewLoaderContext(ctx, pool, nil)
-	ctx = role.NewLoaderContext(ctx, pool)
+	ctx = authz.NewLoaderContext(ctx, pool)
 	ctx = environment.NewLoaderContext(ctx, pool)
 
 	emails := map[string]struct{}{}
@@ -218,39 +218,52 @@ func run(ctx context.Context, cfg *seedConfig, log logrus.FieldLogger) error {
 			return fmt.Errorf("sync environments: %w", err)
 		}
 
-		defaultUserRoles := []rolesql.RoleName{
-			rolesql.RoleNameTeamcreator,
-			rolesql.RoleNameTeamviewer,
-			rolesql.RoleNameUserviewer,
-			rolesql.RoleNameServiceaccountcreator,
-		}
-
 		var err error
 		var adminUser, devUser *user.User
 
+		usersyncq := usersyncsql.New(database.TransactionFromContext(ctx))
+
+		createUser := func(ctx context.Context, name, email string) (*user.User, error) {
+			usu, err := usersyncq.Create(ctx, usersyncsql.CreateParams{
+				Name:       name,
+				Email:      email,
+				ExternalID: uuid.New().String(),
+			})
+			if err != nil {
+				return nil, fmt.Errorf("create user: %w", err)
+			}
+
+			usr, err := user.GetByEmail(ctx, usu.Email)
+			if err != nil {
+				return nil, fmt.Errorf("get user: %w", err)
+			}
+
+			return usr, nil
+		}
+
 		adminUser, err = user.GetByEmail(ctx, nameToEmail(adminName, cfg.Domain))
 		if err != nil {
-			adminUser, err = user.Create(ctx, adminName, nameToEmail(adminName, cfg.Domain), uuid.New().String())
+			adminUser, err = createUser(ctx, adminName, nameToEmail(adminName, cfg.Domain))
 			if err != nil {
 				return fmt.Errorf("create admin user: %w", err)
 			}
 		}
-		if err := role.AssignGlobalRoleToUser(ctx, adminUser.UUID, rolesql.RoleNameAdmin); err != nil {
+
+		if err := usersyncq.AssignGlobalAdmin(ctx, adminUser.UUID); err != nil {
 			return fmt.Errorf("assign global admin role to admin user: %w", err)
 		}
 		actor := &authz.Actor{User: adminUser}
 
 		devUser, err = user.GetByEmail(ctx, nameToEmail(devName, cfg.Domain))
 		if err != nil {
-			devUser, err = user.Create(ctx, devName, nameToEmail(devName, cfg.Domain), uuid.New().String())
+			devUser, err = createUser(ctx, devName, nameToEmail(devName, cfg.Domain))
 			if err != nil {
 				return fmt.Errorf("create dev user: %w", err)
 			}
 		}
-		for _, roleName := range defaultUserRoles {
-			if err := role.AssignGlobalRoleToUser(ctx, devUser.UUID, roleName); err != nil {
-				return fmt.Errorf("assign globla role %q to dev user: %w", roleName, err)
-			}
+
+		if err := usersyncer.AssignDefaultPermissionsToUser(ctx, usersyncq, devUser.UUID); err != nil {
+			return fmt.Errorf("assign default permissions to dev user: %w", err)
 		}
 
 		users := []*user.User{devUser}
@@ -263,22 +276,19 @@ func run(ctx context.Context, cfg *seedConfig, log logrus.FieldLogger) error {
 				continue
 			}
 
-			u, err := user.Create(ctx, name, email, uuid.New().String())
+			u, err := createUser(ctx, name, email)
 			if err != nil {
 				return fmt.Errorf("create user %q: %w", email, err)
 			}
 
-			for _, roleName := range defaultUserRoles {
-				if err = role.AssignGlobalRoleToUser(ctx, u.UUID, roleName); err != nil {
-					return fmt.Errorf("assign global role %q to user %q: %w", roleName, u.Email, err)
-				}
+			if err = usersyncer.AssignDefaultPermissionsToUser(ctx, usersyncq, u.UUID); err != nil {
+				return fmt.Errorf("assign default permissions to user %q: %w", u.Email, err)
 			}
 
 			log.Infof("%d/%d users created", i, *cfg.NumUsers)
 			users = append(users, u)
 			emails[email] = struct{}{}
 		}
-		usersCreated := len(users)
 
 		var devteam *team.Team
 		devteam, err = team.Get(ctx, "devteam")
@@ -304,8 +314,8 @@ func run(ctx context.Context, cfg *seedConfig, log logrus.FieldLogger) error {
 			return fmt.Errorf("update external references for devteam: %w", err)
 		}
 
-		if err := role.AssignTeamRoleToUser(ctx, devUser.UUID, devteam.Slug, rolesql.RoleNameTeamowner); err != nil {
-			return fmt.Errorf("assign team owner role to dev user: %w", err)
+		if err := authz.MakeUserTeamOwner(ctx, devUser.UUID, devteam.Slug); err != nil {
+			return fmt.Errorf("make user %q owner of team %q: %w", devUser.Email, devteam.Slug, err)
 		}
 
 		input := &team.UpdateTeamEnvironmentInput{
@@ -355,16 +365,16 @@ func run(ctx context.Context, cfg *seedConfig, log logrus.FieldLogger) error {
 			}
 
 			for o := 0; o < *cfg.NumOwnersPerTeam; o++ {
-				u := users[rand.IntN(usersCreated)]
-				if err = role.AssignTeamRoleToUser(ctx, u.UUID, t.Slug, rolesql.RoleNameTeamowner); err != nil {
-					return fmt.Errorf("assign team owner role to user %q in team %q: %w", u.Email, t.Slug, err)
+				u := users[rand.IntN(len(users))]
+				if err = authz.MakeUserTeamOwner(ctx, u.UUID, t.Slug); err != nil {
+					return fmt.Errorf("make user %q owner of team %q: %w", u.Email, t.Slug, err)
 				}
 			}
 
 			for o := 0; o < *cfg.NumMembersPerTeam; o++ {
-				u := users[rand.IntN(usersCreated)]
-				if err = role.AssignTeamRoleToUser(ctx, u.UUID, t.Slug, rolesql.RoleNameTeammember); err != nil {
-					return fmt.Errorf("assign team member role to user %q in team %q: %w", u.Email, t.Slug, err)
+				u := users[rand.IntN(len(users))]
+				if err = authz.MakeUserTeamMember(ctx, u.UUID, t.Slug); err != nil {
+					return fmt.Errorf("make user %q member of team %q: %w", u.Email, t.Slug, err)
 				}
 			}
 

integration_tests/delete_application.lua

@@ -5,7 +5,7 @@ Helper.SQLExec([[
 	INSERT INTO
 		user_roles (role_name, user_id, target_team_slug)
 	VALUES (
-		'Team member'::role_name,
+		'Team member',
 		(SELECT id FROM users WHERE email = '[email protected]'),
 		'slug-1'
 	)

integration_tests/delete_job.lua

@@ -5,7 +5,7 @@ Helper.SQLExec([[
 	INSERT INTO
 		user_roles (role_name, user_id, target_team_slug)
 	VALUES (
-		'Team member'::role_name,
+		'Team member',
 		(SELECT id FROM users WHERE email = '[email protected]'),
 		'slug-1'
 	)

integration_tests/manage_team_members.lua

@@ -241,3 +241,55 @@ Test.gql("Add owner", function(t)
 		},
 	}
 end)
+
+Test.gql("Remove owner", function(t)
+	t.query(string.format([[
+		mutation {
+			removeTeamMember(
+				input: {
+					teamSlug: "%s"
+					userEmail: "%s"
+				}
+			) {
+				team {
+					members {
+						nodes {
+							role
+							user {
+								email
+								name
+							}
+						}
+					}
+				}
+			}
+		}
+	]], TeamSlug, OwnerToAdd))
+
+	t.check {
+		data = {
+			removeTeamMember = {
+				team = {
+					members = {
+						nodes = {
+							{
+								role = "OWNER",
+								user = {
+									email = "[email protected]",
+									name = "Authenticated User",
+								},
+							},
+							{
+								role = "OWNER",
+								user = {
+									email = "[email protected]",
+									name = "name-1",
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+end)

integration_tests/reconcilers.lua

@@ -76,11 +76,11 @@ Test.gql("list reconcilers with config as non-admin", function(t)
 		data = Null,
 		errors = {
 			{
-				message = Contains("you need the \"global:admin\""),
+				message = "You are authenticated, but your account is not authorized to perform this action.",
 				path = { "reconcilers", "nodes", Ignore(), "config" },
 			},
 			{
-				message = Contains("you need the \"global:admin\""),
+				message = "You are authenticated, but your account is not authorized to perform this action.",
 				path = { "reconcilers", "nodes", Ignore(), "config" },
 			},
 		},
@@ -100,7 +100,7 @@ Test.gql("enable reconciler as non-admin", function(t)
 		data = Null,
 		errors = {
 			{
-				message = Contains("you need the \"global:admin\""),
+				message = "You are authenticated, but your account is not authorized to perform this action.",
 				path = { "enableReconciler" },
 			},
 		},
@@ -120,15 +120,15 @@ Test.gql("disable reconciler as non-admin", function(t)
 		data = Null,
 		errors = {
 			{
-				message = Contains("you need the \"global:admin\""),
+				message = "You are authenticated, but your account is not authorized to perform this action.",
 				path = { "disableReconciler" },
 			},
 		},
 	}
 end)
 
 -- Make the authenticated user an admin
-Helper.SQLExec("INSERT INTO user_roles (role_name, user_id) VALUES ('Admin', (SELECT id FROM users WHERE email = $1))",
+Helper.SQLExec("UPDATE users SET admin = true WHERE email = $1",
 	'[email protected]')
 
 Test.gql("enable non-configured reconciler as admin", function(t)

integration_tests/restart_application.lua

@@ -5,7 +5,7 @@ Helper.SQLExec([[
 	INSERT INTO
 		user_roles (role_name, user_id, target_team_slug)
 	VALUES (
-		'Team member'::role_name,
+		'Team member',
 		(SELECT id FROM users WHERE email = '[email protected]'),
 		'slug-1'
 	)

integration_tests/seeds/02_teams.sql

@@ -13,9 +13,7 @@ FROM
 INSERT INTO
 	user_roles (role_name, user_id, target_team_slug)
 SELECT
-	(
-		ARRAY['Team owner'::role_name, 'Team member'::role_name]
-	) [ROUND(RANDOM()) + 1],
+	(ARRAY['Team owner', 'Team member']) [ROUND(RANDOM()) + 1],
 	u.id,
 	t.slug
 FROM