Add test for ParseRelation function #1050

Merged
merged 4 commits into from
Sep 29, 2023
Merged
5 changes: 5 additions & 0 deletions cmd/jimmsrv/main.go
Expand Up @@ -70,6 +70,10 @@ func start(ctx context.Context, s *service.Service) error {
if _, ok := os.LookupEnv("INSECURE_SECRET_STORAGE"); ok {
insecureSecretStorage = true
}
insecureJwksLookup := false
if _, ok := os.LookupEnv("INSECURE_JWKS_LOOKUP"); ok {
insecureJwksLookup = true
}
jimmsvc, err := jimm.NewService(ctx, jimm.Params{
ControllerUUID: os.Getenv("JIMM_UUID"),
DSN: os.Getenv("JIMM_DSN"),
Expand Down Expand Up @@ -97,6 +101,7 @@ func start(ctx context.Context, s *service.Service) error {
MacaroonExpiryDuration: macaroonExpiryDuration,
JWTExpiryDuration: jwtExpiryDuration,
InsecureSecretStorage: insecureSecretStorage,
InsecureJwksLookup: insecureJwksLookup,
})
if err != nil {
return err
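Review bot: `os.LookupEnv("INSECURE_JWKS_LOOKUP")` at the top of the first hunk switches the insecure mode on by mere presence of the variable, so `INSECURE_JWKS_LOOKUP=false` or an empty value still turns off TLS for the JWKS lookup. That mirrors the adjacent INSECURE_SECRET_STORAGE handling, but for a flag that downgrades transport security the semantics should at least be stated next to the check, e.g. `// INSECURE_JWKS_LOOKUP: presence alone (any value) enables plain-http JWKS lookup; never set in production.` It would also be worth emitting a startup warning whenever the variable is set, so an accidental production deployment is visible in the logs; no logger is in view here, so that depends on what `start` has available. `start` continues outside both hunks.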
3 changes: 2 additions & 1 deletion docker-compose.yaml
Expand Up @@ -55,6 +55,7 @@ services:
VAULT_PATH: "/jimm-kv/"
VAULT_SECRET_FILE: "/vault/approle.json"
VAULT_AUTH_PATH: "/auth/approle/login"
INSECURE_JWKS_LOOKUP: "enabled"
# Note: By default we should use Vault as that is the primary means of secret storage.
# INSECURE_SECRET_STORAGE: "enabled"
# JIMM_DASHBOARD_LOCATION: ""
Expand Down Expand Up @@ -82,7 +83,7 @@ services:
test: [ "CMD", "curl", "http://jimm.localhost:80" ]
interval: 5s
timeout: 5s
retries: 40
retries: 50
depends_on:
db:
condition: service_healthy
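Review bot: `INSECURE_JWKS_LOOKUP: "enabled"` is added unconditionally in the first hunk, while the neighbouring INSECURE_SECRET_STORAGE is left commented out with a note explaining why the secure default should be used. Anyone reusing this compose file as a deployment template gets no hint that the new variable downgrades the JWKS fetch to plain http. Add a matching note above it, e.g. `# Note: INSECURE_JWKS_LOOKUP is only for this local compose setup (no TLS); never set it in production.` The retries bump in the second hunk is trivial.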
4 changes: 4 additions & 0 deletions internal/openfga/names/export_test.go
Expand Up @@ -4,6 +4,10 @@ package names

import cofga "github.com/canonical/ofga"

var (
AllRelations = allRelations
)

func NewTag(id, kind, relation string) *Tag {
return &Tag{
ID: id,
22 changes: 18 additions & 4 deletions internal/openfga/names/names.go
Expand Up @@ -5,6 +5,8 @@
package names

import (
"fmt"

"github.com/canonical/jimm/internal/errors"
jimmnames "github.com/canonical/jimm/pkg/names"
cofga "github.com/canonical/ofga"
Expand Down Expand Up @@ -36,6 +38,10 @@ var (
NoRelation cofga.Relation = ""
)

// allRelations contains a slice of all valid relations.
// NB: Add any new relations from the above to this slice.
var allRelations = []cofga.Relation{MemberRelation, AdministratorRelation, ControllerRelation, ModelRelation, ConsumerRelation, ReaderRelation, WriterRelation, CanAddModelRelation, AuditLogViewerRelation, NoRelation}

// Tag represents an entity tag as used by JIMM in OpenFGA.
type Tag = cofga.Entity

Expand Down Expand Up @@ -101,6 +107,7 @@ func BlankKindTag(kind string) (*Tag, error) {
// ConvertJujuRelation takes a juju relation string and converts it to
// one appropriate for use with OpenFGA.
func ConvertJujuRelation(relation string) (cofga.Relation, error) {
const op = errors.Op("ConvertJujuRelation")
switch relation {
case string(permission.AdminAccess):
return AdministratorRelation, nil
Expand All @@ -115,19 +122,24 @@ func ConvertJujuRelation(relation string) (cofga.Relation, error) {
// Below are controller specific permissions that
// are not represented in JIMM's OpenFGA model.
case string(permission.LoginAccess):
return NoRelation, errors.E("login access unused")
return NoRelation, errors.E(op, "login access unused")
case string(permission.SuperuserAccess):
return NoRelation, errors.E("superuser access unused")
return NoRelation, errors.E(op, "superuser access unused")
default:
return NoRelation, errors.E("unknown relation")
return NoRelation, errors.E(op, "unknown relation")
}
}

// ParseRelation parses the relation string
func ParseRelation(relationString string) (cofga.Relation, error) {
const op = errors.Op("ParseRelation")
switch relationString {
case "":
return cofga.Relation(""), nil
case ControllerRelation.String():
return ControllerRelation, nil
case ModelRelation.String():
return ModelRelation, nil
case MemberRelation.String():
return MemberRelation, nil
case AdministratorRelation.String():
Expand All @@ -140,8 +152,10 @@ func ParseRelation(relationString string) (cofga.Relation, error) {
return WriterRelation, nil
case CanAddModelRelation.String():
return CanAddModelRelation, nil
case AuditLogViewerRelation.String():
return AuditLogViewerRelation, nil
default:
return cofga.Relation(""), errors.E("unknown relation")
return cofga.Relation(""), errors.E(op, fmt.Sprintf("unknown relation %s", relationString))

}
}
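Review bot: the new default case in `ParseRelation` interpolates the unparsed input with `%s`, so an empty, whitespace-only or non-printable input yields an error message that is ambiguous and is written into logs unescaped; `%q` quotes and escapes the value: `return cofga.Relation(""), errors.E(op, fmt.Sprintf("unknown relation %q", relationString))`. Separately, the `case "":` branch means an empty relation string validates successfully and returns `NoRelation`; if callers feed user-supplied relation names into tuple writes or checks, confirm that is intended and say so on the function, e.g. `// ParseRelation parses the relation string. An empty string is accepted and yields NoRelation; any other unknown value is an error.` The `allRelations` slice is maintained by hand (per its NB comment) and the new test only iterates that slice, so a relation added to the var block but omitted from `allRelations` would go unexercised.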
8 changes: 8 additions & 0 deletions internal/openfga/names/names_test.go
Expand Up @@ -76,3 +76,11 @@ func (s *namesSuite) TestConvertJujuRelation(c *gc.C) {
}
}
}

func (s *namesSuite) TestParseRelations(c *gc.C) {
for _, relation := range ofganames.AllRelations {
res, err := ofganames.ParseRelation(relation.String())
c.Assert(err, gc.IsNil, gc.Commentf("testing relation %s", relation))
c.Assert(res, gc.Equals, relation, gc.Commentf("testing relation %s", relation))
}
}
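Review bot: `TestParseRelations` covers only the happy path; the property that matters for authorization — that an unrecognised relation string is rejected — is not asserted, so a future change that made the default branch return nil would still pass. Add a negative case after the loop: `_, err := ofganames.ParseRelation("not-a-relation")` / `c.Assert(err, gc.ErrorMatches, ".*unknown relation.*")`. Note that the loop also passes `""` (via NoRelation in AllRelations), which pins acceptance of the empty relation as intended; if that is not deliberate, this test is where to decide. The `namesSuite` type is declared outside the hunk.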
6 changes: 5 additions & 1 deletion service.go
Original file line number Diff line number Diff line change
Expand Up @@ -159,6 +159,10 @@ type Params struct {
// InsecureSecretStorage instructs JIMM to store secrets in its database
// instead of dedicated secure storage. SHOULD NOT BE USED IN PRODUCTION.
InsecureSecretStorage bool

// InsecureJwksLookup instructs JIMM to lookup its JWKS value via
// http instead of https. Useful when running JIMM in a docker compose.
InsecureJwksLookup bool
}

// A Service is the implementation of a JIMM server.
Expand Down Expand Up @@ -312,7 +316,7 @@ func NewService(ctx context.Context, p Params) (*Service, error) {
s.jimm.JWKService = jimmjwx.NewJWKSService(s.jimm.CredentialStore)
s.jimm.JWTService = jimmjwx.NewJWTService(jimmjwx.JWTServiceParams{
Host: p.PublicDNSName,
Secure: true,
Secure: !p.InsecureJwksLookup,
Store: s.jimm.CredentialStore,
Expiry: p.JWTExpiryDuration,
})
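Review bot: the doc comment on `InsecureJwksLookup` in the first hunk explains when the option is convenient but, unlike the sibling `InsecureSecretStorage` comment directly above it, does not say it must not be used in production. Because `Secure: !p.InsecureJwksLookup` in the second hunk disables https for the JWKS lookup, an on-path attacker could presumably serve a substitute key set to whoever fetches it and so get forged tokens accepted as JIMM-issued; the precise consequence depends on jimmjwx, which is not in view. Mirror the existing wording: `// InsecureJwksLookup instructs JIMM to lookup its JWKS value via` / `// http instead of https. Useful when running JIMM in a docker compose.` / `// SHOULD NOT BE USED IN PRODUCTION.` `NewService` continues outside the hunk.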