Merge branch 'feature-http-proxy' into CSS-9328-stream-connector

cmd/jimmctl/cmd/group.go

@@ -323,6 +323,9 @@ type listGroupsCommand struct {
 
 	store    jujuclient.ClientStore
 	dialOpts *jujuapi.DialOpts
+
+	limit  int
+	offset int
 }
 
 // Info implements the cmd.Command interface.
@@ -349,6 +352,8 @@ func (c *listGroupsCommand) SetFlags(f *gnuflag.FlagSet) {
 		"yaml": cmd.FormatYaml,
 		"json": cmd.FormatJson,
 	})
+	f.IntVar(&c.limit, "limit", 0, "The maximum number of groups to return")
+	f.IntVar(&c.offset, "offset", 0, "The offset to use when requesting groups")
 }
 
 // Run implements Command.Run.
@@ -364,7 +369,8 @@ func (c *listGroupsCommand) Run(ctxt *cmd.Context) error {
 	}
 
 	client := api.NewClient(apiCaller)
-	groups, err := client.ListGroups()
+	req := apiparams.ListGroupsRequest{Limit: c.limit, Offset: c.offset}
+	groups, err := client.ListGroups(&req)
 	if err != nil {
 		return errors.E(err)
 	}

cmd/jimmctl/cmd/group_test.go

@@ -9,10 +9,12 @@ import (
 
 	"github.com/juju/cmd/v3/cmdtesting"
 	gc "gopkg.in/check.v1"
+	"gopkg.in/yaml.v3"
 
 	"github.com/canonical/jimm/v3/cmd/jimmctl/cmd"
 	"github.com/canonical/jimm/v3/internal/cmdtest"
 	"github.com/canonical/jimm/v3/internal/dbmodel"
+	"github.com/canonical/jimm/v3/pkg/api/params"
 )
 
 type groupSuite struct {
@@ -115,6 +117,26 @@ func (s *groupSuite) TestListGroupsSuperuser(c *gc.C) {
 	c.Assert(strings.Contains(output, "test-group2"), gc.Equals, true)
 }
 
+func (s *groupSuite) TestListGroupsLimitSuperuser(c *gc.C) {
+	// alice is superuser
+	bClient := s.SetupCLIAccess(c, "alice")
+
+	for i := 0; i < 3; i++ {
+		_, err := s.JimmCmdSuite.JIMM.Database.AddGroup(context.TODO(), fmt.Sprint("test-group", i))
+		c.Assert(err, gc.IsNil)
+	}
+
+	ctx, err := cmdtesting.RunCommand(c, cmd.NewListGroupsCommandForTesting(s.ClientStore(), bClient), "test-group", "--limit", "1", "--offset", "1")
+	c.Assert(err, gc.IsNil)
+	output := cmdtesting.Stdout(ctx)
+	groups := []params.Group{}
+	err = yaml.Unmarshal([]byte(output), &groups)
+	c.Assert(err, gc.IsNil)
+	c.Assert(groups, gc.HasLen, 1)
+	c.Assert(groups[0].Name, gc.Equals, "test-group1")
+	c.Assert(groups[0].UUID, gc.Not(gc.Equals), "")
+}
+
 func (s *groupSuite) TestListGroups(c *gc.C) {
 	// bob is not superuser
 	bClient := s.SetupCLIAccess(c, "bob")

cmd/jimmctl/cmd/relation_test.go

@@ -250,7 +250,7 @@ func (s *relationSuite) TestRemoveRelationViaFileSuperuser(c *gc.C) {
 func (s *relationSuite) TestRemoveRelation(c *gc.C) {
 	// bob is not superuser
 	bClient := s.SetupCLIAccess(c, "bob")
-	_, err := cmdtesting.RunCommand(c, cmd.NewRemoveRelationCommandForTesting(s.ClientStore(), bClient), "test-group1#member", "member", "test-group2")
+	_, err := cmdtesting.RunCommand(c, cmd.NewRemoveRelationCommandForTesting(s.ClientStore(), bClient), "group-testGroup1#member", "member", "group-testGroup2")
 	c.Assert(err, gc.ErrorMatches, `unauthorized \(unauthorized access\)`)
 }
 
@@ -439,9 +439,9 @@ func (s *relationSuite) TestListRelationsWithError(c *gc.C) {
 
 	ctx := context.Background()
 	group := &dbmodel.GroupEntry{Name: "group-1"}
-	err = s.JIMM.DB().GetGroup(ctx, group)
+	err = s.JIMM.Database.GetGroup(ctx, group)
 	c.Assert(err, gc.IsNil)
-	err = s.JIMM.DB().RemoveGroup(ctx, group)
+	err = s.JIMM.Database.RemoveGroup(ctx, group)
 	c.Assert(err, gc.IsNil)
 
 	expectedData := apiparams.ListRelationshipTuplesResponse{

cmd/jimmsrv/service/service.go

@@ -38,9 +38,11 @@ import (
 	"github.com/canonical/jimm/v3/internal/jujuapi"
 	"github.com/canonical/jimm/v3/internal/jujuclient"
 	"github.com/canonical/jimm/v3/internal/logger"
+	"github.com/canonical/jimm/v3/internal/middleware"
 	"github.com/canonical/jimm/v3/internal/openfga"
 	ofganames "github.com/canonical/jimm/v3/internal/openfga/names"
 	"github.com/canonical/jimm/v3/internal/pubsub"
+	"github.com/canonical/jimm/v3/internal/rebac_admin"
 	"github.com/canonical/jimm/v3/internal/vault"
 	"github.com/canonical/jimm/v3/internal/wellknownapi"
 )
@@ -387,6 +389,11 @@ func NewService(ctx context.Context, p Params) (*Service, error) {
 		return nil, errors.E(op, err, "failed to parse final redirect url for the dashboard")
 	}
 
+	rebacBackend, err := rebac_admin.SetupBackend(ctx, &s.jimm)
+	if err != nil {
+		return nil, errors.E(op, err)
+	}
+
 	// Setup CORS middleware
 	corsOpts := cors.New(cors.Options{
 		AllowedOrigins:   p.CorsAllowedOrigins,
@@ -402,6 +409,8 @@ func NewService(ctx context.Context, p Params) (*Service, error) {
 
 	s.mux.Mount("/metrics", promhttp.Handler())
 
+	s.mux.Mount("/rebac", middleware.AuthenticateRebac(rebacBackend.Handler(""), &s.jimm))
+
 	mountHandler(
 		"/debug",
 		debugapi.NewDebugHandler(

cmd/jimmsrv/service/service_test.go

@@ -274,6 +274,29 @@ func TestPublicKey(t *testing.T) {
 	c.Assert(string(data), qt.Equals, `{"PublicKey":"izcYsQy3TePp6bLjqOo3IRPFvkQd2IKtyODGqC6SdFk="}`)
 }
 
+func TestRebacAdminApi(t *testing.T) {
+	c := qt.New(t)
+
+	_, _, cofgaParams, err := jimmtest.SetupTestOFGAClient(c.Name())
+	c.Assert(err, qt.IsNil)
+
+	p := jimmtest.NewTestJimmParams(c)
+	p.InsecureSecretStorage = true
+	p.OpenFGAParams = cofgaParamsToJIMMOpenFGAParams(*cofgaParams)
+
+	svc, err := jimmsvc.NewService(context.Background(), p)
+	c.Assert(err, qt.IsNil)
+	defer svc.Cleanup()
+
+	srv := httptest.NewTLSServer(svc)
+	c.Cleanup(srv.Close)
+
+	response, err := srv.Client().Get(srv.URL + "/rebac/v1/swagger.json")
+	c.Assert(err, qt.IsNil)
+	defer response.Body.Close()
+	c.Assert(response.StatusCode, qt.Equals, 401)
+}
+
 func TestThirdPartyCaveatDischarge(t *testing.T) {
 	c := qt.New(t)
 

go.mod

@@ -45,9 +45,10 @@ require (
 require (
 	github.com/antonlindstrom/pgstore v0.0.0-20220421113606-e3a6e3fed12a
 	github.com/canonical/ofga v0.10.0
+	github.com/canonical/rebac-admin-ui-handlers v0.1.0
 	github.com/coreos/go-oidc/v3 v3.9.0
 	github.com/dustinkirkland/golang-petname v0.0.0-20231002161417-6a283f1aaaf2
-	github.com/go-chi/chi/v5 v5.0.8
+	github.com/go-chi/chi/v5 v5.0.12
 	github.com/go-chi/render v1.0.2
 	github.com/gorilla/sessions v1.2.1
 	github.com/hashicorp/golang-lru/v2 v2.0.7
@@ -65,6 +66,7 @@ require (
 	gopkg.in/errgo.v1 v1.0.1
 	gopkg.in/httprequest.v1 v1.2.1
 	gopkg.in/yaml.v2 v2.4.0
+	gopkg.in/yaml.v3 v3.0.1
 )
 
 require (
@@ -85,6 +87,7 @@ require (
 	github.com/Rican7/retry v0.3.1 // indirect
 	github.com/adrg/xdg v0.3.3 // indirect
 	github.com/ajg/form v1.5.1 // indirect
+	github.com/apapsch/go-jsonmerge/v2 v2.0.0 // indirect
 	github.com/aws/aws-sdk-go-v2 v1.24.0 // indirect
 	github.com/aws/aws-sdk-go-v2/config v1.26.2 // indirect
 	github.com/aws/aws-sdk-go-v2/credentials v1.16.13 // indirect
@@ -119,17 +122,22 @@ require (
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/flosch/pongo2 v0.0.0-20200913210552-0d938eb266f3 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
+	github.com/gabriel-vasile/mimetype v1.4.3 // indirect
 	github.com/gdamore/encoding v1.0.0 // indirect
 	github.com/gdamore/tcell/v2 v2.5.1 // indirect
+	github.com/getkin/kin-openapi v0.125.0 // indirect
 	github.com/go-goose/goose/v5 v5.0.0-20230421180421-abaee9096e3a // indirect
 	github.com/go-jose/go-jose/v3 v3.0.3 // indirect
 	github.com/go-jose/go-jose/v4 v4.0.1 // indirect
 	github.com/go-logr/logr v1.4.1 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-macaroon-bakery/macaroonpb v1.0.0 // indirect
-	github.com/go-openapi/jsonpointer v0.19.6 // indirect
+	github.com/go-openapi/jsonpointer v0.20.2 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
-	github.com/go-openapi/swag v0.22.3 // indirect
+	github.com/go-openapi/swag v0.22.8 // indirect
+	github.com/go-playground/locales v0.14.1 // indirect
+	github.com/go-playground/universal-translator v0.18.1 // indirect
+	github.com/go-playground/validator/v10 v10.22.0 // indirect
 	github.com/goccy/go-json v0.10.2 // indirect
 	github.com/godbus/dbus/v5 v5.0.4 // indirect
 	github.com/gofrs/flock v0.8.1 // indirect
@@ -156,6 +164,7 @@ require (
 	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/im7mortal/kmutex v1.0.1 // indirect
 	github.com/imdario/mergo v0.3.12 // indirect
+	github.com/invopop/yaml v0.2.0 // indirect
 	github.com/itchyny/timefmt-go v0.1.5 // indirect
 	github.com/jackc/chunkreader/v2 v2.0.1 // indirect
 	github.com/jackc/pgio v1.0.0 // indirect
@@ -211,6 +220,7 @@ require (
 	github.com/kr/pretty v0.3.1 // indirect
 	github.com/kr/text v0.2.0 // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
+	github.com/leodido/go-urn v1.4.0 // indirect
 	github.com/lestrrat-go/blackmagic v1.0.2 // indirect
 	github.com/lestrrat-go/httpcc v1.0.1 // indirect
 	github.com/lestrrat-go/httprc v1.0.5 // indirect
@@ -251,10 +261,12 @@ require (
 	github.com/muhlemmer/gu v0.3.1 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
+	github.com/oapi-codegen/runtime v1.1.1 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/oracle/oci-go-sdk/v65 v65.55.0 // indirect
 	github.com/packethost/packngo v0.28.1 // indirect
 	github.com/pelletier/go-toml/v2 v2.1.0 // indirect
+	github.com/perimeterx/marshmallow v1.1.5 // indirect
 	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pkg/sftp v1.13.6 // indirect
@@ -313,7 +325,6 @@ require (
 	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
 	gopkg.in/tomb.v2 v2.0.0-20161208151619-d5d1b5820637 // indirect
-	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/api v0.29.0 // indirect
 	k8s.io/apiextensions-apiserver v0.29.0 // indirect
 	k8s.io/apimachinery v0.29.0 // indirect