server+service+database: add bundle trigger endpoint (with authz)

Some arbitrary choices here that we'll need to discuss before merging!

Signed-off-by: Stephan Renatus <stephan.renatus@gmail.com>

Author: srenatus

cmd/run/run.go

@@ -4,8 +4,6 @@ import (
 	"bytes"
 	"context"
 	"os"
-	"os/signal"
-	"syscall"
 
 	"github.com/spf13/cobra"
 	"github.com/styrainc/opa-control-plane/cmd"
@@ -75,12 +73,13 @@ func init() {
 				log.Fatalf("initialize service: %v", err)
 			}
 
-			// NB(sr): Preliminary, not necessarily something we'll want to keep:
-			// Rebuild all bundles on SIGHUP.
-			signalTrigger(svc, log)
-
 			go func() {
-				if err := server.New().WithDatabase(svc.Database()).WithReadiness(svc.Ready).Init().ListenAndServe(params.addr); err != nil {
+				if err := server.New().
+					WithService(svc).
+					WithDatabase(svc.Database()).
+					WithReadiness(svc.Ready).
+					Init().
+					ListenAndServe(params.addr); err != nil {
 					log.Fatalf("failed to start server: %v", err)
 				}
 			}()
@@ -103,15 +102,3 @@ func init() {
 		run,
 	)
 }
-
-func signalTrigger(s *service.Service, l *logging.Logger) {
-	sigs := make(chan os.Signal, 1)
-	signal.Notify(sigs, syscall.SIGHUP)
-	go func() {
-		for range sigs {
-			if err := s.TriggerAll(context.Background()); err != nil {
-				l.Error(err.Error())
-			}
-		}
-	}()
-}

e2e/cli/run_with_trigger.txtar

@@ -0,0 +1,42 @@
+! exec $OPACTL run --config config.d/bundle.yml --data-dir tmp --addr 127.0.0.1:8284 --log-level debug &opactl&
+! stderr .
+! stdout .
+
+exec curl --retry 5 --retry-all-errors http://127.0.0.1:8284/health
+
+# automation token
+exec curl -H 'Authorization: bearer sesame' http://127.0.0.1:8284/v1/bundles/hello-world -XPOST
+
+# admin token
+exec curl -H 'Authorization: bearer admin' http://127.0.0.1:8284/v1/bundles/hello-world -XPOST
+
+kill opactl
+wait opactl
+stderr 'triggered bundle build for hello-world'
+
+-- data/common.json --
+{ "common": true }
+-- config.d/bundle.yml --
+bundles:
+  hello-world:
+    object_storage:
+      filesystem:
+        path: bundles/hello-world/bundle.tar.gz
+    requirements:
+    - source: global-data
+sources:
+  global-data:
+    paths:
+    - data/common.json
+service:
+  bundle_rebuild_interval: 1h
+  reconfiguration_interval: 1h
+tokens:
+  admin-user:
+    api_key: admin
+    scopes:
+    - role: administrator
+  trigger-token:
+    api_key: sesame
+    scopes:
+    - role: automation

internal/authz/authz.rego

@@ -49,3 +49,9 @@ allow if {
 	data.resource_permissions.principal_id == input.principal
 	data.resource_permissions.permission == input.permission
 }
+
+allow if {
+	data.principals.id == input.principal
+	data.principals.role == "automation"
+	input.permission == "bundles.trigger"
+}

internal/config/config.go

@@ -736,7 +736,7 @@ func (t *Token) Equal(other *Token) bool {
 }
 
 type Scope struct {
-	Role string `json:"role" yaml:"role" enum:"administrator,viewer,owner,stack_owner"`
+	Role string `json:"role" yaml:"role" enum:"administrator,viewer,owner,stack_owner,automation"`
 }
 
 func scopesEqual(a, b []Scope) bool {

internal/database/database.go

@@ -401,7 +401,7 @@ func (d *Database) SourcesDataPut(ctx context.Context, sourceName, path string,
 			Name:       sourceName,
 		})
 		if !allowed {
-			return errors.New("unauthorized")
+			return ErrNotAuthorized
 		}
 
 		bs, err := json.Marshal(data)
@@ -1613,6 +1613,15 @@ func (d *Database) deleteNotIn(ctx context.Context, tx *sql.Tx, table, keyColumn
 	return err
 }
 
+func (d *Database) Check(ctx context.Context, a authz.Access) error {
+	return tx1(ctx, d, func(tx *sql.Tx) error {
+		if !authz.Check(ctx, tx, d.arg, a) {
+			return ErrNotAuthorized
+		}
+		return nil
+	})
+}
+
 func (d *Database) arg(i int) string {
 	if d.kind == postgres {
 		return "$" + strconv.Itoa(i+1)

internal/server/server.go

@@ -17,11 +17,13 @@ import (
 	"github.com/styrainc/opa-control-plane/internal/database"
 	"github.com/styrainc/opa-control-plane/internal/metrics"
 	"github.com/styrainc/opa-control-plane/internal/server/types"
+	"github.com/styrainc/opa-control-plane/internal/service"
 )
 
 type Server struct {
 	router  *http.ServeMux
 	db      *database.Database
+	svc     *service.Service
 	readyFn func(context.Context) error
 }
 
@@ -48,6 +50,7 @@ func (s *Server) Init() *Server {
 	s.router.HandleFunc("PUT    /v1/bundles/{bundle}", authenticationMiddleware(s.db, s.v1BundlesPut))
 	s.router.HandleFunc("GET    /v1/bundles/{bundle}", authenticationMiddleware(s.db, s.v1BundlesGet))
 	s.router.HandleFunc("DELETE /v1/bundles/{bundle}", authenticationMiddleware(s.db, s.v1BundlesDelete))
+	s.router.HandleFunc("POST   /v1/bundles/{bundle}", authenticationMiddleware(s.db, s.v1BundlesPost))
 	s.router.HandleFunc("GET    /v1/stacks", authenticationMiddleware(s.db, s.v1StacksList))
 	s.router.HandleFunc("PUT    /v1/stacks/{stack}", authenticationMiddleware(s.db, s.v1StacksPut))
 	s.router.HandleFunc("GET    /v1/stacks/{stack}", authenticationMiddleware(s.db, s.v1StacksGet))
@@ -65,6 +68,11 @@ func (s *Server) WithRouter(router *http.ServeMux) *Server {
 	return s
 }
 
+func (s *Server) WithService(svc *service.Service) *Server {
+	s.svc = svc
+	return s
+}
+
 func (s *Server) WithDatabase(db *database.Database) *Server {
 	s.db = db
 	return s
@@ -156,6 +164,24 @@ func (s *Server) v1BundlesGet(w http.ResponseWriter, r *http.Request) {
 	JSONOK(w, resp, pretty(r))
 }
 
+func (s *Server) v1BundlesPost(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+
+	name, err := url.PathUnescape(r.PathValue("bundle"))
+	if err != nil {
+		ErrorString(w, http.StatusBadRequest, types.CodeInvalidParameter, err)
+		return
+	}
+
+	if err := s.svc.Trigger(ctx, s.auth(r), name); err != nil {
+		errorAuto(w, err)
+		return
+	}
+
+	resp := types.BundlesPostResponseV1{}
+	JSONOK(w, resp, pretty(r))
+}
+
 func (s *Server) v1BundlesDelete(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 

internal/server/types/types.go

@@ -40,6 +40,8 @@ type BundlesGetResponseV1 struct {
 
 type BundlesPutResponseV1 struct{}
 
+type BundlesPostResponseV1 struct{}
+
 type BundlesDeleteResponseV1 struct{}
 
 type SourcesGetResponseV1 struct {

internal/service/service.go

@@ -15,6 +15,7 @@ import (
 	"sync"
 	"time"
 
+	"github.com/styrainc/opa-control-plane/internal/authz"
 	"github.com/styrainc/opa-control-plane/internal/builder"
 	"github.com/styrainc/opa-control-plane/internal/builtinsync"
 	"github.com/styrainc/opa-control-plane/internal/config"
@@ -220,14 +221,17 @@ func (s *Service) Report() *Report {
 	return s.report
 }
 
-func (s *Service) TriggerAll(ctx context.Context) error {
-	for name := range s.workers {
-		return s.Trigger(ctx, name)
+func (s *Service) Trigger(ctx context.Context, principal, name string) error {
+	a := authz.Access{
+		Principal:  principal,
+		Resource:   "bundles",
+		Permission: "bundles.trigger",
+		Name:       name,
+	}
+	if err := s.database.Check(ctx, a); err != nil {
+		return err
 	}
-	return nil
-}
 
-func (s *Service) Trigger(_ context.Context, name string) error {
 	err := s.pool.Trigger(name)
 	if err != nil {
 		s.log.Errorf("trigger bundle build for %s: %v", name, err)