feat(server): Implement the new Web API (#230)

Implements the new web API that allows us to have separate routes for
each of our endpoints. Old endpoints still exist and will be removed
once all clients have been updated. The new endpoints follow this
design:

```
# Single-object operations (kind = object; separator = `key`, NO trailing slash)
GET     /v1/objects/attachments/organization=42;project=4711/dead/beef
HEAD    /v1/objects/attachments/organization=42;project=4711/dead/beef
PUT     /v1/objects/attachments/organization=42;project=4711/dead/beef
PATCH   /v1/objects/attachments/organization=42;project=4711/dead/beef
DELETE  /v1/objects/attachments/organization=42;project=4711/dead/beef

# Collection-level operations (kind = objects; WITH trailing slash)
GET     /v1/objects/attachments/organization=42;project=4711/?prefix=dead/
POST    /v1/objects/attachments/organization=42;project=4711/

# Batch endpoint (kind = batch; collection-level)
POST    /v1/batch/attachments/organization=42;project=4711/
```

All clients have been updated to use the new URLs. We should only
release the clients once the service is rolled out.

Along with this, there's a number of internal changes:
- Routes are now split into submodules. All deprecated routes are in
their own module and will be removed together.
- The format for scopes in the URL and in storage (backends) is now
decoupled.
- `ObjectPath` has become `ObjectId`, and has structured scopes with an
addressable name and value. All backends now work with the new ID type.
- Deserialization of scopes in the URL is implemented with the endpoints
now. There are specific `CollectionParams` and `ObjectParams` types for
this that convert into an `ObjectId`.

Author: jan-auer

Cargo.lock

@@ -168,9 +168,9 @@ def session(self, usecase: Usecase, **scopes: str | int | bool) -> Session:
                     f"{''.join(SCOPE_VALUE_ALLOWED_CHARS)}"
                 )
 
-            formatted = f"{key}.{value}"
+            formatted = f"{key}={value}"
             parts.append(formatted)
-        scope_str = "/".join(parts)
+        scope_str = ";".join(parts)
 
         return Session(
             self._pool,
@@ -214,7 +214,7 @@ def _make_headers(self) -> dict[str, str]:
         return headers
 
     def _make_url(self, key: str | None, full: bool = False) -> str:
-        relative_path = f"/v1/{self._usecase.name}/{self._scope}/objects/{key or ''}"
+        relative_path = f"/v1/objects/{self._usecase.name}/{self._scope}/{key or ''}"
         path = self._base_path.rstrip("/") + relative_path
         if full:
             return f"http://{self._pool.host}:{self._pool.port}{path}"

clients/python/src/objectstore_client/client.py

@@ -14,7 +14,7 @@ def test_object_url() -> None:
 
     assert (
         session.object_url("foo/bar")
-        == "http://127.0.0.1:8888/v1/testing/org.12345/project.1337/app_slug.email_app/objects/foo/bar"
+        == "http://127.0.0.1:8888/v1/objects/testing/org=12345;project=1337;app_slug=email_app/foo/bar"
     )
 
 
@@ -24,5 +24,5 @@ def test_object_url_with_base_path() -> None:
 
     assert (
         session.object_url("foo/bar")
-        == "http://127.0.0.1:8888/api/prefix/v1/testing/org.12345/project.1337/objects/foo/bar"
+        == "http://127.0.0.1:8888/api/prefix/v1/objects/testing/org=12345;project=1337/foo/bar"
     )

clients/python/tests/test_smoke.py

@@ -226,6 +226,14 @@ impl ScopeInner {
     pub(crate) fn usecase(&self) -> &Usecase {
         &self.usecase
     }
+
+    fn as_path_segment(&self) -> &str {
+        if self.scope.is_empty() {
+            "_"
+        } else {
+            &self.scope
+        }
+    }
 }
 
 impl std::fmt::Display for ScopeInner {
@@ -254,12 +262,12 @@ impl Scope {
     }
 
     fn for_organization(usecase: Usecase, organization: u64) -> Self {
-        let scope = format!("org.{}", organization);
+        let scope = format!("org={}", organization);
         Self(Ok(ScopeInner { usecase, scope }))
     }
 
     fn for_project(usecase: Usecase, organization: u64, project: u64) -> Self {
-        let scope = format!("org.{}/project.{}", organization, project);
+        let scope = format!("org={};project={}", organization, project);
         Self(Ok(ScopeInner { usecase, scope }))
     }
 
@@ -275,10 +283,10 @@ impl Scope {
             Self::validate_value(&value)?;
 
             if !inner.scope.is_empty() {
-                inner.scope.push('/');
+                inner.scope.push(';');
             }
             inner.scope.push_str(key);
-            inner.scope.push('.');
+            inner.scope.push('=');
             inner.scope.push_str(&value);
 
             Ok(inner)
@@ -429,11 +437,10 @@ impl Session {
         let mut segments = url.path_segments_mut().unwrap();
         segments
             .push("v1")
-            .extend(self.scope.usecase.name.split("/"));
-        if !self.scope.scope.is_empty() {
-            segments.extend(self.scope.scope.split("/"));
-        }
-        segments.push("objects").extend(object_key.split("/"));
+            .push("objects")
+            .push(&self.scope.usecase.name)
+            .push(self.scope.as_path_segment())
+            .extend(object_key.split("/"));
         drop(segments);
 
         url
@@ -475,7 +482,7 @@ mod tests {
 
         assert_eq!(
             session.object_url("foo/bar").to_string(),
-            "http://127.0.0.1:8888/v1/testing/org.12345/project.1337/app_slug.email_app/objects/foo/bar"
+            "http://127.0.0.1:8888/v1/objects/testing/org=12345;project=1337;app_slug=email_app/foo/bar"
         )
     }
 
@@ -488,7 +495,7 @@ mod tests {
 
         assert_eq!(
             session.object_url("foo/bar").to_string(),
-            "http://127.0.0.1:8888/api/prefix/v1/testing/org.12345/project.1337/objects/foo/bar"
+            "http://127.0.0.1:8888/api/prefix/v1/objects/testing/org=12345;project=1337/foo/bar"
         )
     }
 }

clients/rust/src/client.rs

@@ -1,7 +1,7 @@
 use std::collections::{BTreeMap, HashSet};
 
 use jsonwebtoken::{DecodingKey, Header, TokenData, Validation, decode, decode_header};
-use objectstore_service::ObjectPath;
+use objectstore_service::id::ObjectId;
 use secrecy::ExposeSecret;
 use serde::{Deserialize, Serialize};
 use thiserror::Error;
@@ -35,7 +35,7 @@ pub struct AuthContext {
     /// The objectstore usecase that this request may act on.
     pub usecase: String,
 
-    /// The scope elements that this request may act on. See also: [`ObjectPath::scope`].
+    /// The scope elements that this request may act on. See also: [`ObjectId::scopes`].
     pub scopes: BTreeMap<String, StringOrWildcard>,
 
     /// The permissions that this request has been granted.
@@ -168,8 +168,8 @@ impl AuthContext {
         })
     }
 
-    fn fail_if_enforced(&self, perm: &Permission, path: &ObjectPath) -> Result<(), AuthError> {
-        tracing::debug!(?self, ?perm, ?path, "Authorization failed");
+    fn fail_if_enforced(&self, perm: &Permission, id: &ObjectId) -> Result<(), AuthError> {
+        tracing::debug!(?self, ?perm, ?id, "Authorization failed");
         if self.enforce {
             return Err(AuthError::NotPermitted);
         }
@@ -181,24 +181,19 @@ impl AuthContext {
     ///
     /// The passed-in `perm` is checked against this `AuthContext`'s `permissions`. If it is not
     /// present, then the operation is not authorized.
-    pub fn assert_authorized(&self, perm: Permission, path: &ObjectPath) -> Result<(), AuthError> {
-        if !self.permissions.contains(&perm) || self.usecase != path.usecase {
-            self.fail_if_enforced(&perm, path)?;
+    pub fn assert_authorized(&self, perm: Permission, id: &ObjectId) -> Result<(), AuthError> {
+        if !self.permissions.contains(&perm) || self.usecase != id.usecase {
+            self.fail_if_enforced(&perm, id)?;
         }
 
-        for element in &path.scope {
-            let (key, value) = element
-                .split_once('.')
-                .ok_or(AuthError::InternalError(format!(
-                    "Invalid scope element: {element}"
-                )))?;
-            let authorized = match self.scopes.get(key) {
-                Some(StringOrWildcard::String(s)) => s == value,
+        for scope in &id.scopes {
+            let authorized = match self.scopes.get(scope.name()) {
+                Some(StringOrWildcard::String(s)) => s == scope.value(),
                 Some(StringOrWildcard::Wildcard) => true,
                 None => false,
             };
             if !authorized {
-                self.fail_if_enforced(&perm, path)?;
+                self.fail_if_enforced(&perm, id)?;
             }
         }
 
@@ -210,6 +205,7 @@ impl AuthContext {
 mod tests {
     use super::*;
     use crate::config::{AuthZVerificationKey, ConfigSecret};
+    use objectstore_service::id::{Scope, Scopes};
     use secrecy::SecretBox;
     use serde_json::json;
 
@@ -397,10 +393,13 @@ mod tests {
         Ok(())
     }
 
-    fn sample_object_path(org: u32, proj: u32) -> ObjectPath {
-        ObjectPath {
+    fn sample_object_path(org: &str, project: &str) -> ObjectId {
+        ObjectId {
             usecase: "attachments".into(),
-            scope: vec![format!("org.{org}"), format!("project.{proj}")],
+            scopes: Scopes::from_iter([
+                Scope::create("org", org).unwrap(),
+                Scope::create("project", project).unwrap(),
+            ]),
             key: "abcde".into(),
         }
     }
@@ -411,7 +410,7 @@ mod tests {
     #[test]
     fn test_assert_authorized_exact_scope_allowed() -> Result<(), AuthError> {
         let auth_context = sample_auth_context("123", "456", max_permission());
-        let object = sample_object_path(123, 456);
+        let object = sample_object_path("123", "456");
 
         auth_context.assert_authorized(Permission::ObjectRead, &object)?;
 
@@ -424,7 +423,7 @@ mod tests {
     #[test]
     fn test_assert_authorized_wildcard_project_allowed() -> Result<(), AuthError> {
         let auth_context = sample_auth_context("123", "*", max_permission());
-        let object = sample_object_path(123, 456);
+        let object = sample_object_path("123", "456");
 
         auth_context.assert_authorized(Permission::ObjectRead, &object)?;
 
@@ -437,8 +436,11 @@ mod tests {
     #[test]
     fn test_assert_authorized_org_only_path_allowed() -> Result<(), AuthError> {
         let auth_context = sample_auth_context("123", "456", max_permission());
-        let mut object = sample_object_path(123, 999);
-        object.scope.pop();
+        let object = ObjectId {
+            usecase: "attachments".into(),
+            scopes: Scopes::from_iter([Scope::create("org", "123").unwrap()]),
+            key: "abcde".into(),
+        };
 
         auth_context.assert_authorized(Permission::ObjectRead, &object)?;
 
@@ -454,13 +456,13 @@ mod tests {
     #[test]
     fn test_assert_authorized_scope_mismatch_fails() -> Result<(), AuthError> {
         let auth_context = sample_auth_context("123", "456", max_permission());
-        let object = sample_object_path(123, 999);
+        let object = sample_object_path("123", "999");
 
         let result = auth_context.assert_authorized(Permission::ObjectRead, &object);
         assert_eq!(result, Err(AuthError::NotPermitted));
 
         let auth_context = sample_auth_context("123", "456", max_permission());
-        let object = sample_object_path(999, 456);
+        let object = sample_object_path("999", "456");
 
         let result = auth_context.assert_authorized(Permission::ObjectRead, &object);
         assert_eq!(result, Err(AuthError::NotPermitted));
@@ -472,7 +474,7 @@ mod tests {
     fn test_assert_authorized_wrong_usecase_fails() -> Result<(), AuthError> {
         let mut auth_context = sample_auth_context("123", "456", max_permission());
         auth_context.usecase = "debug-files".into();
-        let object = sample_object_path(123, 456);
+        let object = sample_object_path("123", "456");
 
         let result = auth_context.assert_authorized(Permission::ObjectRead, &object);
         assert_eq!(result, Err(AuthError::NotPermitted));
@@ -484,7 +486,7 @@ mod tests {
     fn test_assert_authorized_auth_context_missing_permission_fails() -> Result<(), AuthError> {
         let auth_context =
             sample_auth_context("123", "456", HashSet::from([Permission::ObjectRead]));
-        let object = sample_object_path(123, 456);
+        let object = sample_object_path("123", "456");
 
         let result = auth_context.assert_authorized(Permission::ObjectWrite, &object);
         assert_eq!(result, Err(AuthError::NotPermitted));
@@ -498,7 +500,7 @@ mod tests {
         let mut auth_context =
             sample_auth_context("123", "456", HashSet::from([Permission::ObjectRead]));
         // Object's scope is not covered by the auth context
-        let object = sample_object_path(999, 999);
+        let object = sample_object_path("999", "999");
 
         // Auth fails for two reasons, but because enforcement is off, it should not return an error
         auth_context.enforce = false;

objectstore-server/src/auth/context.rs

@@ -1,7 +1,7 @@
 use axum::extract::FromRequestParts;
 use axum::http::{StatusCode, header, request::Parts};
-use objectstore_service::PayloadStream;
-use objectstore_service::{ObjectPath, StorageService};
+use objectstore_service::id::ObjectId;
+use objectstore_service::{PayloadStream, StorageService};
 use objectstore_types::Metadata;
 
 use crate::auth::{AuthContext, AuthError, Permission};
@@ -18,17 +18,15 @@ const BEARER_PREFIX: &str = "Bearer ";
 /// Objectstore API endpoints can use `AuthAwareService` simply by adding it to their handler
 /// function's argument list like so:
 ///
-/// ```no_run
-/// # use axum::extract::Path;
-/// # use axum::response::IntoResponse;
-/// # use axum::http::StatusCode;
-/// # use objectstore_server::{auth::AuthAwareService, error::ApiResult};
-/// # use objectstore_service::ObjectPath;
-/// async fn delete_object(
-///     service: AuthAwareService,      // <- Constructed automatically from request parts
-///     Path(path): Path<ObjectPath>,
-/// ) -> ApiResult<impl IntoResponse> {
-///     service.delete_object(&path).await?;
+/// ```
+/// use axum::http::StatusCode;
+/// use objectstore_server::auth::AuthAwareService;
+/// use objectstore_server::error::ApiResult;
+///
+/// async fn my_endpoint(service: AuthAwareService) -> Result<StatusCode, StatusCode> {
+///     service.delete_object(todo!("pass some ID"))
+///         .await
+///         .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?;
 ///
 ///     Ok(StatusCode::NO_CONTENT)
 /// }
@@ -41,13 +39,13 @@ pub struct AuthAwareService {
 }
 
 impl AuthAwareService {
-    fn assert_authorized(&self, perm: Permission, path: &ObjectPath) -> anyhow::Result<()> {
+    fn assert_authorized(&self, perm: Permission, id: &ObjectId) -> anyhow::Result<()> {
         if self.enforce {
             let context = self
                 .context
                 .as_ref()
                 .ok_or(AuthError::VerificationFailure)?;
-            context.assert_authorized(perm, path)?;
+            context.assert_authorized(perm, id)?;
         }
 
         Ok(())
@@ -56,27 +54,27 @@ impl AuthAwareService {
     /// Auth-aware wrapper around [`StorageService::put_object`].
     pub async fn put_object(
         &self,
-        path: ObjectPath,
+        id: ObjectId,
         metadata: &Metadata,
         stream: PayloadStream,
-    ) -> anyhow::Result<ObjectPath> {
-        self.assert_authorized(Permission::ObjectWrite, &path)?;
-        self.service.put_object(path, metadata, stream).await
+    ) -> anyhow::Result<ObjectId> {
+        self.assert_authorized(Permission::ObjectWrite, &id)?;
+        self.service.put_object(id, metadata, stream).await
     }
 
     /// Auth-aware wrapper around [`StorageService::get_object`].
     pub async fn get_object(
         &self,
-        path: &ObjectPath,
+        id: &ObjectId,
     ) -> anyhow::Result<Option<(Metadata, PayloadStream)>> {
-        self.assert_authorized(Permission::ObjectRead, path)?;
-        self.service.get_object(path).await
+        self.assert_authorized(Permission::ObjectRead, id)?;
+        self.service.get_object(id).await
     }
 
     /// Auth-aware wrapper around [`StorageService::delete_object`].
-    pub async fn delete_object(&self, path: &ObjectPath) -> anyhow::Result<()> {
-        self.assert_authorized(Permission::ObjectDelete, path)?;
-        self.service.delete_object(path).await
+    pub async fn delete_object(&self, id: &ObjectId) -> anyhow::Result<()> {
+        self.assert_authorized(Permission::ObjectDelete, id)?;
+        self.service.delete_object(id).await
     }
 }