feat: Introduce provisioned roles in ACL (#706)

Author: kelvin-chappell

app/logic/Owners.scala

@@ -23,7 +23,8 @@ object Owners {
       acl: ACL
   ): List[(String, Set[Permission])] = {
     acl.userAccess
-      .flatMap { case (username, permissions) =>
+      .flatMap { case (username, aclEntry) =>
+        val permissions = aclEntry.permissions
         if (permissions.exists(_.account == account))
           Some(username -> permissions.filter(_.account == account))
         else None

app/logic/UserAccess.scala

@@ -15,11 +15,10 @@ object UserAccess {
   /** A user's basic access. Note that default permissions are available for
     * anyone mentioned in the Access list.
     */
-  def userAccess(username: String, acl: ACL): Option[Set[Permission]] = {
+  def userAccess(username: String, acl: ACL): Option[Set[Permission]] =
     acl.userAccess
       .get(username)
-      .map(permissions => permissions ++ acl.defaultPermissions)
-  }
+      .map(_.permissions ++ acl.defaultPermissions)
 
   /** Checks if the username is explicitly mentioned in the provided ACL.
     */

configTools/src/main/scala/com/gu/janus/Validation.scala

@@ -1,6 +1,7 @@
 package com.gu.janus
 
 import cats.Monoid
+import com.gu.janus.model.Permission.allPermissions
 import com.gu.janus.model.{JanusData, ValidationResult}
 
 object Validation {
@@ -9,13 +10,8 @@ object Validation {
     // but based on trial and error it seems to be around 1050
     val sizeLimit = 1050
 
-    val allPermissions = janusData.access.defaultPermissions ++
-      janusData.access.userAccess.values.flatten.toSet ++
-      janusData.admin.userAccess.values.flatten.toSet ++
-      janusData.support.supportAccess
-
     val largePermissions = for {
-      largePermission <- allPermissions.filter { perm =>
+      largePermission <- allPermissions(janusData).filter { perm =>
         // session policy limit includes the managed ARNs and inline policy document
         val totalLength =
           perm.policy // the inline policy document's size
@@ -44,12 +40,7 @@ object Validation {
     * unambiguously looked up from the URL.
     */
   def permissionUniqueness(janusData: JanusData): ValidationResult = {
-    val allPermissions = janusData.access.defaultPermissions ++
-      janusData.access.userAccess.values.flatten.toSet ++
-      janusData.admin.userAccess.values.flatten.toSet ++
-      janusData.support.supportAccess
-
-    val duplicates = allPermissions
+    val duplicates = allPermissions(janusData)
       .groupBy(_.id)
       .filter { case (_, permissions) =>
         permissions.size > 1

configTools/src/main/scala/com/gu/janus/config/Loader.scala

@@ -1,15 +1,13 @@
 package com.gu.janus.config
 
-import cats.implicits._
-import com.gu.janus.model._
+import cats.implicits.*
+import com.gu.janus.model.*
+import com.gu.janus.model.given
 import com.typesafe.config.Config
-import io.circe.Decoder
-import io.circe.config.syntax._
-import io.circe.generic.auto._
+import io.circe.config.syntax.*
+import io.circe.generic.auto.*
 
-import java.time.{Duration, Instant, ZoneId, ZonedDateTime, format}
 import scala.util.Try
-import scala.util.control.NonFatal
 
 /** Loads an instance of JanusData from a Typesafe Config definition. If it
   * fails, a description of the failure is made available.
@@ -112,21 +110,7 @@ object Loader {
               s"The 'default permissions' section of the access definition includes a permission that doesn't appear to be defined.\nIt has label `${configuredAclEntry.label}` and refers to the account with key ${configuredAclEntry.account}"
             )
       }
-      acl <- configuredAccess.acl.toList.traverse {
-        case (username, configuredAclEntries) =>
-          for {
-            userPermissions <- configuredAclEntries.traverse {
-              configuredAclEntry =>
-                permissions
-                  .find(p =>
-                    configuredAclEntry.account == p.account.authConfigKey && configuredAclEntry.label == p.label
-                  )
-                  .toRight(
-                    s"The access configuration for `$username` includes a permission that doesn't appear to be defined.\nIt has label `${configuredAclEntry.label}` and refers to the account with key ${configuredAclEntry.account}"
-                  )
-            }
-          } yield username -> userPermissions.toSet
-      }
+      acl <- parseAclEntries(configuredAccess.acl, permissions)
     } yield ACL(acl.toMap, defaultAccess.toSet)
   }
 
@@ -141,27 +125,49 @@ object Loader {
         .map(err =>
           s"Failed to load admin config from path `janus.admin`: ${err.getMessage}"
         )
-      acl <- configuredAccess.acl.toList.traverse {
-        case (username, configuredAclEntries) =>
-          for {
-            userPermissions <- configuredAclEntries.traverse {
-              configuredAclEntry =>
-                permissions
-                  .find(p =>
-                    configuredAclEntry.account == p.account.authConfigKey && configuredAclEntry.label == p.label
-                  )
-                  .toRight(
-                    s"The admin configuration for `$username` includes a permission that doesn't appear to be defined.\nIt has label `${configuredAclEntry.label}` and refers to the account with key ${configuredAclEntry.account}"
-                  )
-            }
-          } yield username -> userPermissions.toSet
-      }
+      acl <- parseAclEntries(configuredAccess.acl, permissions)
     } yield ACL(
       acl.toMap,
       Set.empty
     ) // TODO: these shouldn't share a representation since Admin doesn't need the default permissions
   }
 
+  private[config] def parseAclEntries(
+      acl: Map[String, List[ConfiguredAclEntry | ConfiguredRoleAclEntry]],
+      permissions: Set[Permission]
+  ): Either[String, List[(String, ACLEntry)]] = {
+    val permsMap =
+      permissions.map(p => (p.account.authConfigKey, p.label) -> p).toMap
+    acl.toList.traverse { case (username, configuredAclEntries) =>
+      configuredAclEntries
+        .foldLeft[Either[String, ACLEntry]](
+          Right(ACLEntry(Set.empty, Set.empty))
+        ) {
+          case (acc, entry: ConfiguredAclEntry) =>
+            for {
+              current <- acc
+              permission <- permsMap
+                .get((entry.account, entry.label))
+                .toRight(
+                  s"The access configuration for `$username` includes a permission that doesn't appear to be defined.\nIt has label `${entry.label}` and refers to the account with key ${entry.account}"
+                )
+            } yield ACLEntry(current.permissions + permission, current.roles)
+
+          case (acc, entry: ConfiguredRoleAclEntry) =>
+            acc.map(current =>
+              ACLEntry(
+                current.permissions,
+                current.roles + ProvisionedRole(
+                  entry.provisionedRoleName,
+                  entry.iamRoleTag
+                )
+              )
+            )
+        }
+        .map(username -> _)
+    }
+  }
+
   private[config] def loadSupport(
       config: Config,
       permissions: Set[Permission]

configTools/src/main/scala/com/gu/janus/config/Writer.scala

@@ -1,6 +1,7 @@
 package com.gu.janus.config
 
-import com.gu.janus.model.{JanusData, Permission}
+import com.gu.janus.model.JanusData
+import com.gu.janus.model.Permission.allPermissions
 
 object Writer {
   def toConfig(janusData: JanusData): String = {
@@ -10,13 +11,6 @@ object Writer {
     )
   }
 
-  private[config] def allPermissions(janusData: JanusData): Set[Permission] = {
-    janusData.access.defaultPermissions ++
-      janusData.access.userAccess.values.flatten.toSet ++
-      janusData.admin.userAccess.values.flatten.toSet ++
-      janusData.support.supportAccess
-  }
-
   /** Twirl is designed for HTML, not plain text. As a result it's tricky to
     * control how whitespace (particularly newlines) get added to the file.
     *

configTools/src/main/scala/com/gu/janus/model/configuredRepresentation.scala

@@ -1,5 +1,9 @@
 package com.gu.janus.model
 
+import cats.implicits.toFunctorOps
+import io.circe.Decoder
+import io.circe.generic.auto.deriveDecoder
+
 import java.time.Instant
 
 case class ConfiguredAccount(
@@ -31,14 +35,27 @@ case class ConfiguredAclEntry(
     label: String
 )
 
+case class ConfiguredRoleAclEntry(
+    provisionedRoleName: String,
+    iamRoleTag: String
+)
+
+given Decoder[ConfiguredAclEntry | ConfiguredRoleAclEntry] =
+  Decoder[ConfiguredAclEntry]
+    .widen[ConfiguredAclEntry | ConfiguredRoleAclEntry]
+    .or(
+      Decoder[ConfiguredRoleAclEntry]
+        .widen[ConfiguredAclEntry | ConfiguredRoleAclEntry]
+    )
+
 case class ConfiguredAccess(
     defaultPermissions: List[ConfiguredAclEntry],
-    acl: Map[String, List[ConfiguredAclEntry]]
+    acl: Map[String, List[ConfiguredAclEntry | ConfiguredRoleAclEntry]]
 )
 
 // helps circe-config auto-extract data
 case class ConfiguredAdmin(
-    acl: Map[String, List[ConfiguredAclEntry]]
+    acl: Map[String, List[ConfiguredAclEntry | ConfiguredRoleAclEntry]]
 )
 
 case class ConfiguredSupport(

configTools/src/main/scala/com/gu/janus/model/models.scala

@@ -14,9 +14,16 @@ case class JanusData(
 )
 
 case class ACL(
-    userAccess: Map[String, Set[Permission]],
+    userAccess: Map[String, ACLEntry],
     defaultPermissions: Set[Permission] = Set.empty
 )
+
+/** Access available to a single user. */
+case class ACLEntry(
+    permissions: Set[Permission],
+    roles: Set[ProvisionedRole]
+)
+
 case class SupportACL private (
     rota: Map[Instant, (String, String)],
     supportAccess: Set[Permission]
@@ -149,8 +156,32 @@ object Permission {
       shortTerm
     )
   }
+
+  def allPermissions(janusData: JanusData): Set[Permission] = {
+    def perms(
+        access: Map[String, ACLEntry]
+    ): Set[Permission] =
+      access.values.flatMap(_.permissions).toSet
+
+    janusData.access.defaultPermissions ++
+      perms(janusData.access.userAccess) ++
+      perms(janusData.admin.userAccess) ++
+      janusData.support.supportAccess
+  }
 }
 
+/** A set of provisioned IAM roles that Janus can discover by tag lookup. */
+case class ProvisionedRole(
+    /** A friendly name to identify this in a UI or elsewhere. */
+    name: String,
+
+    /** Hook that will allow us to discover the IAM roles included in this set.
+      * Each relevant role will be found by a tag identifying it as a Janus role
+      * and a tag that matches this value.
+      */
+    iamRoleTag: String
+)
+
 sealed abstract class JanusAccessType(override val toString: String)
 object JCredentials extends JanusAccessType("credentials")
 object JConsole extends JanusAccessType("console")

configTools/src/main/twirl/com/gu/janus/config/templates/janusData.scala.txt

@@ -1,4 +1,4 @@
-@import com.gu.janus.model.{JanusData, Permission}
+@import com.gu.janus.model.{JanusData, Permission, ProvisionedRole}
 
 @(janusData: JanusData, allPermissions: Set[Permission])
 
@@ -38,22 +38,28 @@ janus {
         ]
 
         acl {
-            @for((user, permissions) <- janusData.access.userAccess){
+            @for((user, aclEntry) <- janusData.access.userAccess){
                 "@user" = [
-                    @for(permission <- permissions){
-                        @permissionReference(permission),
+                    @for(permission <- aclEntry.permissions) {
+                        @permissionReference(permission)
+                    }
+                    @for(role <- aclEntry.roles) {
+                        { provisionedRoleName = """@role.name""", iamRoleTag = "@role.iamRoleTag" }
                     }
                 ]
-            }
+            },
         }
     }
 
     admin {
         acl {
-            @for((user, permissions) <- janusData.admin.userAccess){
+            @for((user, aclEntry) <- janusData.admin.userAccess){
                 "@user" = [
-                    @for(permission <- permissions){
-                        @permissionReference(permission),
+                    @for(permission <- aclEntry.permissions) {
+                        @permissionReference(permission)
+                    }
+                    @for(role <- aclEntry.roles) {
+                        { provisionedRoleName = """@role.name""", iamRoleTag = "@role.iamRoleTag" }
                     }
                 ]
             }
@@ -65,7 +71,7 @@ janus {
             {
                 account = "@permission.account.authConfigKey"
                 label = "@permission.label"
-                description = "@permission.description"
+                description = """@permission.description"""
                 shortTerm = @if(permission.shortTerm) {true} else {false}
                 @permission.policy match {
                     case Some(policy) => {

configTools/src/test/resources/example.conf

@@ -39,7 +39,9 @@ janus {
 
     acl {
       employee1 = [
-        { account = "website", label = "developer" }
+        { account = "website", label = "developer" },
+        { provisionedRoleName = """Crucial App Developer""", iamRoleTag = "crucial-app-developer" }
+        { provisionedRoleName = """The "Super" App Local Developer""", iamRoleTag = "super-app-developer" }
       ]
       employee2 = [
         { account = "website", label = "developer" }
@@ -59,6 +61,7 @@ janus {
     acl {
       employee1 = [
         { account = "website", label = "admin" }
+        { provisionedRoleName = """The "Super" App Superuser""", iamRoleTag = "super-app-admin" }
       ]
     }
   }