feat(cloud_auth): Make database modular (#289)

Allows the `CloudAuthDatabase` to be incorporated into other Drift databases via the `include` field and a `CloudAuthDatabaseMixin` mixin. This means that only one database class is required per project.

In order to control schema upgrades in the Cloud Auth portion of the database, a new meta table is created so that the version pragma can be used for the host database's schema version.

Author: dnys1

services/celest_cloud_auth/CHANGELOG.md

@@ -1,5 +1,7 @@
 ## 0.2.1-wip
 
+- feat: Make database modular
+- refactor: Rename `AuthDatabase` to `CloudAuthDatabase`
 - chore: Make `Authorizer` a class
 
 ## 0.2.0

services/celest_cloud_auth/drift_schema/auth_database/drift_schema_v3.json

@@ -1,4 +1,3 @@
-import 'package:cedar/cedar.dart';
 import 'package:celest/src/core/context.dart' as celest;
 // ignore: invalid_use_of_internal_member
 import 'package:celest/src/runtime/http/cloud_middleware.dart';
@@ -7,9 +6,9 @@ import 'package:celest_cloud_auth/src/authorization/authorization_middleware.dar
 import 'package:celest_cloud_auth/src/authorization/authorizer.dart';
 import 'package:celest_cloud_auth/src/authorization/corks_repository.dart';
 import 'package:celest_cloud_auth/src/context.dart';
-import 'package:celest_cloud_auth/src/crypto/crypto_key_model.dart';
 import 'package:celest_cloud_auth/src/crypto/crypto_key_repository.dart';
 import 'package:celest_cloud_auth/src/database/auth_database.dart';
+import 'package:celest_cloud_auth/src/database/auth_database_accessors.dart';
 import 'package:celest_cloud_auth/src/email/email_provider.dart';
 import 'package:celest_cloud_auth/src/model/route_map.dart';
 import 'package:celest_cloud_auth/src/otp/otp_repository.dart';
@@ -22,8 +21,10 @@ import 'package:shelf/shelf.dart';
 
 export 'package:celest_cloud_auth/src/authentication/authentication_service.dart';
 export 'package:celest_cloud_auth/src/database/auth_database.dart';
+export 'package:celest_cloud_auth/src/database/auth_database_accessors.dart';
 export 'package:celest_cloud_auth/src/email/email_provider.dart';
 export 'package:celest_cloud_auth/src/otp/otp_provider.dart';
+export 'package:celest_cloud_auth/src/users/users_service.dart';
 
 /// The Celest authentication and authorization service.
 final class CelestCloudAuth {
@@ -69,10 +70,9 @@ final class CelestCloudAuth {
   /// }
   /// ```
   static Future<CelestCloudAuth> create({
-    required AuthDatabase database,
+    required CloudAuthDatabaseMixin database,
     EmailOtpProvider? emailProvider,
   }) async {
-    await database.ping();
     final cryptoKeys = await CryptoKeyRepository.create(db: database);
     if (emailProvider != null) {
       celest.context.put(contextKeyEmailOtpProvider, emailProvider);
@@ -85,11 +85,10 @@ final class CelestCloudAuth {
 
   @visibleForTesting
   static Future<CelestCloudAuth> test({
-    AuthDatabase? db,
+    CloudAuthDatabaseMixin? db,
     CryptoKey? rootKey,
   }) async {
-    db ??= AuthDatabase.memory();
-    await db.ping();
+    db ??= CloudAuthDatabase.memory();
     final cryptoKeys = await CryptoKeyRepository.create(
       db: db,
       rootKey: rootKey,
@@ -110,7 +109,7 @@ final class CelestCloudAuth {
       );
 
   @visibleForTesting
-  final AuthDatabase db;
+  final CloudAuthDatabaseMixin db;
 
   @visibleForTesting
   final CryptoKeyRepository cryptoKeys;

services/celest_cloud_auth/lib/celest_cloud_auth.dart

@@ -3,13 +3,12 @@ import 'package:cedar/cedar.dart';
 import 'package:celest/src/runtime/http/cloud_middleware.dart';
 import 'package:celest_ast/celest_ast.dart';
 import 'package:celest_cloud/src/proto.dart' as pb;
-import 'package:celest_cloud_auth/src/authentication/authentication_model.dart';
 import 'package:celest_cloud_auth/src/authorization/authorization_middleware.dart';
 import 'package:celest_cloud_auth/src/authorization/authorizer.dart';
 import 'package:celest_cloud_auth/src/authorization/corks_repository.dart';
 import 'package:celest_cloud_auth/src/context.dart';
 import 'package:celest_cloud_auth/src/crypto/crypto_key_repository.dart';
-import 'package:celest_cloud_auth/src/database/auth_database.dart';
+import 'package:celest_cloud_auth/src/database/auth_database_accessors.dart';
 import 'package:celest_cloud_auth/src/http/http_helpers.dart';
 import 'package:celest_cloud_auth/src/model/route_map.dart';
 import 'package:celest_cloud_auth/src/otp/otp_repository.dart';
@@ -25,7 +24,7 @@ import 'package:shelf_router/shelf_router.dart';
 typedef _Deps = ({
   EntityUid issuer,
   RouteMap routeMap,
-  AuthDatabase db,
+  CloudAuthDatabaseMixin db,
   OtpRepository otp,
   CryptoKeyRepository cryptoKeys,
   Authorizer authorizer,
@@ -38,7 +37,7 @@ extension type AuthenticationService._(_Deps _deps) implements Object {
   AuthenticationService({
     required EntityUid issuer,
     required RouteMap routeMap,
-    required AuthDatabase db,
+    required CloudAuthDatabaseMixin db,
     required OtpRepository otp,
     required CryptoKeyRepository cryptoKeys,
     required Authorizer authorizer,
@@ -59,7 +58,7 @@ extension type AuthenticationService._(_Deps _deps) implements Object {
           ),
         );
 
-  AuthDatabase get _db => _deps.db;
+  CloudAuthDatabaseAccessors get _db => _deps.db.cloudAuth;
   OtpRepository get _otp => _deps.otp;
   CorksRepository get _corks => _deps.corks;
   SessionsRepository get _sessions => _deps.sessions;

services/celest_cloud_auth/lib/src/authentication/authentication_service.dart

@@ -2,7 +2,7 @@ import 'package:cedar/cedar.dart';
 import 'package:celest_cloud_auth/src/authorization/authorizer.dart';
 import 'package:celest_cloud_auth/src/authorization/corks_repository.dart';
 import 'package:celest_cloud_auth/src/context.dart';
-import 'package:celest_cloud_auth/src/database/auth_database.dart';
+import 'package:celest_cloud_auth/src/database/auth_database_accessors.dart';
 import 'package:celest_cloud_auth/src/http/http_helpers.dart';
 import 'package:celest_cloud_auth/src/model/interop.dart';
 import 'package:celest_cloud_auth/src/model/route_map.dart';
@@ -16,7 +16,7 @@ import 'package:shelf/shelf.dart' show Handler, Request;
 typedef _Deps = ({
   RouteMap routeMap,
   CorksRepository corks,
-  AuthDatabase db,
+  CloudAuthDatabaseMixin db,
   Authorizer authorizer,
   EntityUid issuer,
 });
@@ -29,7 +29,7 @@ extension type AuthorizationMiddleware._(_Deps _deps) implements Object {
   AuthorizationMiddleware({
     required RouteMap routeMap,
     required CorksRepository corks,
-    required AuthDatabase db,
+    required CloudAuthDatabaseMixin db,
     required Authorizer authorizer,
     required EntityUid issuer,
   }) : this._(
@@ -44,7 +44,7 @@ extension type AuthorizationMiddleware._(_Deps _deps) implements Object {
 
   RouteMap get _routeMap => _deps.routeMap;
   CorksRepository get _corks => _deps.corks;
-  AuthDatabase get _db => _deps.db;
+  CloudAuthDatabaseAccessors get _db => _deps.db.cloudAuth;
   Authorizer get _authorizer => _deps.authorizer;
 
   Handler call(Handler inner) {

services/celest_cloud_auth/lib/src/authorization/authorization_middleware.dart

@@ -1,17 +1,17 @@
 import 'dart:async';
 
 import 'package:cedar/cedar.dart';
-import 'package:celest_cloud_auth/src/database/auth_database.dart';
+import 'package:celest_cloud_auth/src/database/auth_database_accessors.dart';
 import 'package:celest_core/celest_core.dart';
 import 'package:logging/logging.dart';
 import 'package:meta/meta.dart';
 
 class Authorizer {
-  Authorizer({required AuthDatabase db}) : _db = db;
+  Authorizer({required CloudAuthDatabaseMixin db}) : _db = db.cloudAuth;
 
   static final Logger _logger = Logger('Celest.Authorizer');
 
-  final AuthDatabase _db;
+  final CloudAuthDatabaseAccessors _db;
 
   Future<void> expectAuthorized({
     Component? principal,
@@ -65,6 +65,25 @@ class Authorizer {
       },
     );
     final response = policySet.isAuthorized(request);
+    _logger.finest(() {
+      final buffer = StringBuffer()
+        ..writeln('Request:')
+        ..writeln('  Principal: $principal')
+        ..writeln('  Resource: $resource')
+        ..writeln('  Action: $action');
+
+      final jsonContext = context?.map((k, v) => MapEntry(k, v.toJson()));
+      buffer.writeln('  Context: $jsonContext');
+
+      buffer.writeln('Decision: ${response.decision}');
+      if (response.errors.isNotEmpty) {
+        buffer.writeln('  Errors: ${response.errors.join(', ')}');
+      }
+      if (response.reasons.isNotEmpty) {
+        buffer.writeln('  Reasons: ${response.reasons.join(', ')}');
+      }
+      return buffer;
+    });
     unawaited(_recordAuthorization(request, response));
     return response;
   }

services/celest_cloud_auth/lib/src/authorization/authorizer.dart

@@ -1,10 +1,9 @@
 import 'dart:typed_data';
 
 import 'package:cedar/cedar.dart';
-import 'package:celest_cloud_auth/src/authentication/authentication_model.dart';
 import 'package:celest_cloud_auth/src/context.dart';
 import 'package:celest_cloud_auth/src/crypto/crypto_key_repository.dart';
-import 'package:celest_cloud_auth/src/database/auth_database.dart';
+import 'package:celest_cloud_auth/src/database/auth_database_accessors.dart';
 import 'package:celest_cloud_auth/src/database/schema/auth.drift.dart' as drift;
 import 'package:celest_cloud_auth/src/model/interop.dart';
 import 'package:celest_core/celest_core.dart';
@@ -13,14 +12,14 @@ import 'package:drift/drift.dart' as drift;
 
 typedef _Dependencies = ({
   EntityUid issuer,
-  AuthDatabase db,
+  CloudAuthDatabaseMixin db,
   CryptoKeyRepository cryptoKeys,
 });
 
 extension type CorksRepository._(_Dependencies _deps) implements Object {
   CorksRepository({
     required EntityUid issuer,
-    required AuthDatabase db,
+    required CloudAuthDatabaseMixin db,
     required CryptoKeyRepository cryptoKeys,
   }) : this._(
           (
@@ -31,7 +30,7 @@ extension type CorksRepository._(_Dependencies _deps) implements Object {
         );
 
   EntityUid get issuer => _deps.issuer;
-  AuthDatabase get _db => _deps.db;
+  CloudAuthDatabaseAccessors get _db => _deps.db.cloudAuth;
   CryptoKeyRepository get _cryptoKeys => _deps.cryptoKeys;
 
   Future<drift.Cork?> getCork({

services/celest_cloud_auth/lib/src/authorization/corks_repository.dart

@@ -1,16 +1,15 @@
-import 'package:celest_cloud_auth/src/crypto/crypto_key_model.dart';
-import 'package:celest_cloud_auth/src/database/auth_database.dart';
+import 'package:celest_cloud_auth/celest_cloud_auth.dart';
 import 'package:celest_cloud_auth/src/util/random_bytes.dart';
 import 'package:drift/drift.dart';
 
 typedef _Deps = ({
-  AuthDatabase db,
+  CloudAuthDatabaseMixin db,
   CryptoKey rootKey,
 });
 
 extension type CryptoKeyRepository._(_Deps _deps) implements Object {
   static Future<CryptoKeyRepository> create({
-    required AuthDatabase db,
+    required CloudAuthDatabaseMixin db,
     CryptoKey? rootKey,
   }) async {
     rootKey ??= LocalCryptoKey(
@@ -19,7 +18,7 @@ extension type CryptoKeyRepository._(_Deps _deps) implements Object {
       keyAlgorithm: KeyAlgorithm.hmacSha256,
       keyMaterial: secureRandomBytes(32),
     );
-    rootKey = (await db.authDrift.createCryptoKey(
+    rootKey = (await db.cloudAuth.authDrift.createCryptoKey(
       cryptoKeyId: rootKey.cryptoKeyId,
       keyPurpose: rootKey.keyPurpose.name,
       keyAlgorithm: rootKey.keyAlgorithm.name,
@@ -34,7 +33,7 @@ extension type CryptoKeyRepository._(_Deps _deps) implements Object {
     );
   }
 
-  AuthDatabase get _db => _deps.db;
+  CloudAuthDatabaseAccessors get _db => _deps.db.cloudAuth;
   CryptoKey get rootKey => _deps.rootKey;
 
   Future<CryptoKey> getKey({