server+service+database: add bundle trigger endpoint (with authz)

Some arbitrary choices here that we'll need to discuss before merging!

Signed-off-by: Stephan Renatus <stephan.renatus@gmail.com>

Author: srenatus

cmd/run/run.go

@@ -3,8 +3,6 @@ package cmd
 import (
 	"context"
 	"os"
-	"os/signal"
-	"syscall"
 
 	"github.com/open-policy-agent/opa-control-plane/cmd"
 	"github.com/open-policy-agent/opa-control-plane/cmd/internal/flags"
@@ -73,12 +71,14 @@ func init() {
 				log.Fatalf("initialize service: %v", err)
 			}
 
-			// NB(sr): Preliminary, not necessarily something we'll want to keep:
-			// Rebuild all bundles on SIGHUP.
-			signalTrigger(svc, log)
-
 			go func() {
-				if err := server.New().WithDatabase(svc.Database()).WithReadiness(svc.Ready).WithConfig(config.Service).Init().ListenAndServe(params.addr); err != nil {
+				if err := server.New().
+					WithService(svc).
+					WithConfig(config.Service).
+					WithDatabase(svc.Database()).
+					WithReadiness(svc.Ready).
+					Init().
+					ListenAndServe(params.addr); err != nil {
 					log.Fatalf("failed to start server: %v", err)
 				}
 			}()
@@ -101,15 +101,3 @@ func init() {
 		run,
 	)
 }
-
-func signalTrigger(s *service.Service, l *logging.Logger) {
-	sigs := make(chan os.Signal, 1)
-	signal.Notify(sigs, syscall.SIGHUP)
-	go func() {
-		for range sigs {
-			if err := s.TriggerAll(context.Background()); err != nil {
-				l.Error(err.Error())
-			}
-		}
-	}()
-}

e2e/cli/run_with_trigger.txtar

@@ -0,0 +1,42 @@
+! exec $OPACTL run --config config.d/bundle.yml --data-dir tmp --addr 127.0.0.1:8285 --log-level debug &opactl&
+! stderr .
+! stdout .
+
+exec curl --retry 5 --retry-all-errors http://127.0.0.1:8285/health
+
+# automation token
+exec curl -H 'Authorization: bearer sesame' http://127.0.0.1:8285/v1/bundles/hello-world -XPOST
+
+# admin token
+exec curl -H 'Authorization: bearer admin' http://127.0.0.1:8285/v1/bundles/hello-world -XPOST
+
+kill opactl
+wait opactl
+stderr 'triggered bundle build for hello-world'
+
+-- data/common.json --
+{ "common": true }
+-- config.d/bundle.yml --
+bundles:
+  hello-world:
+    object_storage:
+      filesystem:
+        path: bundles/hello-world/bundle.tar.gz
+    requirements:
+    - source: global-data
+sources:
+  global-data:
+    paths:
+    - data/common.json
+service:
+  bundle_rebuild_interval: 1h
+  reconfiguration_interval: 1h
+tokens:
+  admin-user:
+    api_key: admin
+    scopes:
+    - role: administrator
+  trigger-token:
+    api_key: sesame
+    scopes:
+    - role: automation

internal/authz/authz.rego

@@ -60,3 +60,9 @@ in_tenant(tenant_id) if {
 	data.tenants.name == input.tenant
 	tenant_id == data.tenants.id
 }
+
+allow if {
+	data.principals.id == input.principal
+	data.principals.role == "automation"
+	input.permission == "bundles.trigger"
+}

internal/config/config.go

@@ -801,7 +801,7 @@ func (t *Token) Equal(other *Token) bool {
 }
 
 type Scope struct {
-	Role string `json:"role" enum:"administrator,viewer,owner,stack_owner"`
+	Role string `json:"role" enum:"administrator,viewer,owner,stack_owner,automation"`
 }
 
 func scopesEqual(a, b []Scope) bool {

internal/database/database.go

@@ -491,7 +491,7 @@ func (d *Database) sourcesDataPut(ctx context.Context, sourceName, path string,
 			Name:       sourceName,
 		})
 		if !allowed {
-			return errors.New("unauthorized")
+			return ErrNotAuthorized
 		}
 
 		sourceID, err := d.lookupID(ctx, tx, tenant, "sources", sourceName)
@@ -1914,6 +1914,15 @@ func (d *Database) deleteNotIn(ctx context.Context, tx *sql.Tx, table, keyColumn
 	return err
 }
 
+func (d *Database) Check(ctx context.Context, a authz.Access) error {
+	return tx1(ctx, d, func(tx *sql.Tx) error {
+		if !authz.Check(ctx, tx, d.arg, a) {
+			return ErrNotAuthorized
+		}
+		return nil
+	})
+}
+
 func (d *Database) arg(i int) string {
 	switch d.kind {
 	case postgres, cockroach:

internal/server/server.go

@@ -19,13 +19,15 @@ import (
 	"github.com/open-policy-agent/opa-control-plane/internal/metrics"
 	"github.com/open-policy-agent/opa-control-plane/internal/server/chain"
 	"github.com/open-policy-agent/opa-control-plane/internal/server/types"
+	"github.com/open-policy-agent/opa-control-plane/internal/service"
 )
 
 const defaultTenant = "default"
 
 type Server struct {
 	router    *http.ServeMux
 	db        *database.Database
+	svc       *service.Service
 	readyFn   func(context.Context) error
 	apiPrefix string
 }
@@ -64,6 +66,7 @@ func (s *Server) Init() *Server {
 	setup("GET", "/v1/bundles/{bundle}", s.v1BundlesGet)
 	setup("PUT", "/v1/bundles/{bundle}", s.v1BundlesPut)
 	setup("DELETE", "/v1/bundles/{bundle}", s.v1BundlesDelete)
+	setup("POST", "/v1/bundles/{bundle}", s.v1BundlesPost)
 
 	setup("GET", "/v1/stacks", s.v1StacksList)
 	setup("GET", "/v1/stacks/{stack}", s.v1StacksGet)
@@ -83,6 +86,11 @@ func (s *Server) WithRouter(router *http.ServeMux) *Server {
 	return s
 }
 
+func (s *Server) WithService(svc *service.Service) *Server {
+	s.svc = svc
+	return s
+}
+
 func (s *Server) WithDatabase(db *database.Database) *Server {
 	s.db = db
 	return s
@@ -184,6 +192,24 @@ func (s *Server) v1BundlesGet(w http.ResponseWriter, r *http.Request) {
 	JSONOK(w, resp, pretty(r))
 }
 
+func (s *Server) v1BundlesPost(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+
+	name, err := url.PathUnescape(r.PathValue("bundle"))
+	if err != nil {
+		ErrorString(w, http.StatusBadRequest, types.CodeInvalidParameter, err)
+		return
+	}
+
+	if err := s.svc.Trigger(ctx, s.auth(r), name); err != nil {
+		errorAuto(w, err)
+		return
+	}
+
+	resp := types.BundlesPostResponseV1{}
+	JSONOK(w, resp, pretty(r))
+}
+
 func (s *Server) v1BundlesDelete(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 

internal/server/types/types.go

@@ -45,6 +45,8 @@ type BundlesGetResponseV1 struct {
 
 type BundlesPutResponseV1 struct{}
 
+type BundlesPostResponseV1 struct{}
+
 type BundlesDeleteResponseV1 struct{}
 
 type SourcesGetResponseV1 struct {

internal/service/service.go

@@ -20,6 +20,7 @@ import (
 	"github.com/open-policy-agent/opa/v1/ast"
 	_ "modernc.org/sqlite"
 
+	"github.com/open-policy-agent/opa-control-plane/internal/authz"
 	"github.com/open-policy-agent/opa-control-plane/internal/builder"
 	"github.com/open-policy-agent/opa-control-plane/internal/config"
 	"github.com/open-policy-agent/opa-control-plane/internal/database"
@@ -37,7 +38,6 @@ import (
 const (
 	internalPrincipal              = "internal"
 	defaultTenant                  = "default"
-	reconfigurationInterval        = 15 * time.Second
 	defaultReconfigurationInterval = 15 * time.Second
 	defaultBuildInterval           = 30 * time.Second
 )
@@ -230,14 +230,17 @@ func (s *Service) Report() *Report {
 	return s.report
 }
 
-func (s *Service) TriggerAll(ctx context.Context) error {
-	for name := range s.workers {
-		return s.Trigger(ctx, name)
+func (s *Service) Trigger(ctx context.Context, principal, name string) error {
+	a := authz.Access{
+		Principal:  principal,
+		Resource:   "bundles",
+		Permission: "bundles.trigger",
+		Name:       name,
+	}
+	if err := s.database.Check(ctx, a); err != nil {
+		return err
 	}
-	return nil
-}
 
-func (s *Service) Trigger(_ context.Context, name string) error {
 	err := s.pool.Trigger(name)
 	if err != nil {
 		s.log.Errorf("trigger bundle build for %s: %v", name, err)