feat: Add few apis and tests

- expose project creation
- expose granting user/project/role
- extend api tests to create project and user for verifying role grant

Author: gtema

doc/src/developer.md

@@ -39,3 +39,12 @@ the how the K8 is being deployed and access the Keystone may be directly
 accessible from the localhost when i.e. the routes are added in the `/etc/hosts`
 file. The manifests are not currently designed to be used for production
 deployment.
+
+With the keystone deployed in the Kubernetes running API tests can be performed
+with the following command:
+
+```console
+
+KEYSTONE_URL=http://keystone-rs.local cargo nextest run --test api
+
+```

policy/assignment/common.rego

@@ -0,0 +1,21 @@
+package identity.assignment
+
+import data.identity
+
+# current domain scope matches the domain_id of the project, or the user and of
+# the role (or it is a global role)
+project_user_role_domain_matches if {
+	input.target.project.domain_id != null
+	input.target.user.domain_id != null
+	input.credentials.domain_id == input.target.user.domain_id
+	input.credentials.domain_id == input.target.project.domain_id
+	identity.own_role_or_global_role
+}
+
+# Ensure that the domain_id of the target project is matching the current
+# domain scope and the role belongs to the same domain or is global.
+project_role_domain_matches if {
+	input.target.project.domain_id != null
+	input.credentials.domain_id == input.target.project.domain_id
+	identity.own_role_or_global_role
+}

policy/project/create.rego

@@ -0,0 +1,33 @@
+package identity.project.create
+
+import data.identity
+
+# Create a new project
+
+default allow := false
+
+allow if {
+	"admin" in input.credentials.roles
+}
+
+project_domain_matches_domain_scope if {
+	input.target.project.domain_id != null
+	input.target.project.domain_id = input.credentials.domain_id
+}
+
+allow if {
+	"manager" in input.credentials.roles
+	project_domain_matches_domain_scope
+}
+
+violation contains {"field": "domain_id", "msg": "creating a new project requires a manager role in the domain scope for the domain where the project is being created."} if {
+	not "admin" in input.credentials.roles
+	"manager" in input.credentials.roles
+	not project_domain_matches_domain_scope
+}
+
+violation contains {"field": "domain_id", "msg": "creating a new project requires a manager role in the domain scope for the domain where the project is being created."} if {
+	not "admin" in input.credentials.roles
+	not "manager" in input.credentials.roles
+	project_domain_matches_domain_scope
+}

policy/project/create_test.rego

@@ -0,0 +1,14 @@
+package test_project_create
+
+import data.identity.project.create
+
+test_allowed if {
+	create.allow with input as {"credentials": {"roles": ["admin"]}}
+	create.allow with input as {"credentials": {"roles": ["manager"], "domain_id": "foo"}, "target": {"project": {"domain_id": "foo"}}}
+}
+
+test_forbidden if {
+	not create.allow with input as {"credentials": {"roles": []}}
+	not create.allow with input as {"credentials": {"roles": ["manager"], "domain_id": "foo"}, "target": {"project": {"domain_id": "foo1"}}}
+	not create.allow with input as {"credentials": {"roles": ["manager"]}, "target": {"project": {"domain_id": "foo"}}}
+}

policy/project/user/role/check.rego

@@ -1,6 +1,7 @@
 package identity.project.user.role.check
 
 import data.identity
+import data.identity.assignment
 
 # Check whether the user has a role assigned on the project.
 
@@ -17,13 +18,9 @@ allow if {
 
 allow if {
 	"reader" in input.credentials.roles
-	input.target.project.domain_id != null
-	input.target.user.domain_id != null
-	input.credentials.domain_id == input.target.user.domain_id
-	input.credentials.domain_id == input.target.project.domain_id
-	identity.own_role_or_global_role
+	assignment.project_user_role_domain_matches
 }
 
-# violation contains {"field": "domain_id", "msg": "checking project-user-role assignment requires domain scope."} if {
-# 	not "admin" in input.credentials.roles
-# }
+violation contains {"field": "domain_id", "msg": "checking project-user-role assignment requires domain scope matching the domain of all targets."} if {
+	not assignment.project_user_role_domain_matches
+}

policy/project/user/role/grant.rego

@@ -0,0 +1,26 @@
+package identity.project.user.role.grant
+
+import data.identity
+import data.identity.assignment
+
+# Grant user a role on a project
+
+default allow := false
+
+allow if {
+	"admin" in input.credentials.roles
+}
+
+allow if {
+	"manager" in input.credentials.roles
+	assignment.project_role_domain_matches
+}
+
+violation contains {"field": "domain_id", "msg": "granting a role to a user on a project requires admin or manager role in the domain scope."} if {
+	not "admin" in input.credentials.roles
+	not "manager" in input.credentials.roles
+}
+
+violation contains {"field": "domain_id", "msg": "granting a role to a user on a project requires domain scope matching the domain_id of the target project and role (or a global role)."} if {
+	assignment.project_role_domain_matches
+}

policy/project/user/role/grant_test.rego

@@ -0,0 +1,20 @@
+package test_project_user_role_grant
+
+import data.identity.project.user.role.grant
+
+test_allowed if {
+	grant.allow with input as {"credentials": {"roles": ["admin"]}}
+	grant.allow with input as {"credentials": {"roles": ["manager"], "domain_id": "foo"}, "target": {"user": {"domain_id": "foo"}, "project": {"domain_id": "foo"}, "role": {"domain_id": null}}}
+	grant.allow with input as {"credentials": {"roles": ["manager"], "domain_id": "foo"}, "target": {"user": {"domain_id": "foo"}, "project": {"domain_id": "foo"}, "role": {"domain_id": "foo"}}}
+}
+
+test_forbidden if {
+	not grant.allow with input as {"credentials": {"roles": []}}
+	not grant.allow with input as {"credentials": {"roles": ["reader"], "system": "foo"}}
+	not grant.allow with input as {"credentials": {"roles": ["reader"], "domain_id": "foo"}, "target": {"user": {"domain_id": "foo1"}, "project": {"domain_id": "foo"}, "role": {"domain_id": "foo"}}}
+	not grant.allow with input as {"credentials": {"roles": ["reader"], "domain_id": "foo"}, "target": {"user": {"domain_id": "foo1"}, "project": {"domain_id": "foo1"}, "role": {"domain_id": "foo1"}}}
+	not grant.allow with input as {"credentials": {"roles": ["reader"], "domain_id": "foo"}, "target": {"user": {"domain_id": "foo"}, "project": {"domain_id": "foo1"}, "role": {"domain_id": "foo1"}}}
+	not grant.allow with input as {"credentials": {"roles": ["reader"], "domain_id": "foo"}, "target": {"user": {"domain_id": "foo1"}, "project": {"domain_id": "foo1"}, "role": {"domain_id": "foo1"}}}
+	not grant.allow with input as {"credentials": {"roles": ["reader"], "domain_id": "foo"}, "target": {"project": {"domain_id": "foo"}, "role": {"domain_id": "foo"}}}
+	not grant.allow with input as {"credentials": {"roles": ["member"], "domain_id": "foo"}, "target": {"project": {"domain_id": "foo"}, "role": {"domain_id": "foo"}, "user": {"domain_id": "foo"}}}
+}

src/api/mod.rs

@@ -119,3 +119,66 @@ async fn version(
     };
     Ok(res)
 }
+
+#[cfg(test)]
+mod tests {
+    use sea_orm::DatabaseConnection;
+    use std::sync::Arc;
+
+    use crate::config::Config;
+    use crate::keystone::{Service, ServiceState};
+    use crate::policy::{MockPolicy, MockPolicyFactory, PolicyError, PolicyEvaluationResult};
+    use crate::provider::ProviderBuilder;
+    use crate::token::{MockTokenProvider, Token, UnscopedPayload};
+
+    pub fn get_mocked_state(
+        provider_builder: ProviderBuilder,
+        policy_allowed: bool,
+    ) -> ServiceState {
+        let mut token_mock = MockTokenProvider::default();
+        token_mock.expect_validate_token().returning(|_, _, _, _| {
+            Ok(Token::Unscoped(UnscopedPayload {
+                user_id: "bar".into(),
+                ..Default::default()
+            }))
+        });
+        token_mock
+            .expect_expand_token_information()
+            .returning(|_, _| {
+                Ok(Token::Unscoped(UnscopedPayload {
+                    user_id: "bar".into(),
+                    ..Default::default()
+                }))
+            });
+
+        let provider = provider_builder.token(token_mock).build().unwrap();
+
+        let mut policy_factory_mock = MockPolicyFactory::default();
+        if policy_allowed {
+            policy_factory_mock.expect_instantiate().returning(move || {
+                let mut policy_mock = MockPolicy::default();
+                policy_mock
+                    .expect_enforce()
+                    .returning(|_, _, _, _| Ok(PolicyEvaluationResult::allowed()));
+                Ok(policy_mock)
+            });
+        } else {
+            policy_factory_mock.expect_instantiate().returning(|| {
+                let mut policy_mock = MockPolicy::default();
+                policy_mock.expect_enforce().returning(|_, _, _, _| {
+                    Err(PolicyError::Forbidden(PolicyEvaluationResult::forbidden()))
+                });
+                Ok(policy_mock)
+            });
+        }
+        Arc::new(
+            Service::new(
+                Config::default(),
+                DatabaseConnection::Disconnected,
+                provider,
+                policy_factory_mock,
+            )
+            .unwrap(),
+        )
+    }
+}

src/api/v3/auth/project/list.rs

@@ -18,7 +18,7 @@ use mockall_double::double;
 use serde_json::Value;
 use std::collections::HashSet;
 
-use crate::api::v3::project::types::{ProjectShort, ProjectShortList};
+use crate::api::v3::project::types::ProjectShortList;
 use crate::api::{auth::Auth, error::KeystoneApiError};
 use crate::assignment::{
     AssignmentApi,
@@ -76,22 +76,26 @@ pub(super) async fn list(
         .map(|assignment| assignment.target_id.clone())
         .collect();
 
-    let projects: Vec<ProjectShort> = state
-        .provider
-        .get_resource_provider()
-        .list_projects(
-            &state,
-            &ProjectListParameters {
-                ids: Some(project_ids),
-                ..Default::default()
-            },
-        )
-        .await?
-        .into_iter()
-        .map(Into::into)
-        .collect();
-
-    Ok(ProjectShortList { projects })
+    Ok(ProjectShortList {
+        projects: if !project_ids.is_empty() {
+            state
+                .provider
+                .get_resource_provider()
+                .list_projects(
+                    &state,
+                    &ProjectListParameters {
+                        ids: Some(project_ids),
+                        ..Default::default()
+                    },
+                )
+                .await?
+                .into_iter()
+                .map(Into::into)
+                .collect()
+        } else {
+            vec![]
+        },
+    })
 }
 
 #[cfg(test)]
@@ -107,6 +111,7 @@ mod tests {
     use tower::ServiceExt; // for `call`, `oneshot`, and `ready`
     use tower_http::trace::TraceLayer;
 
+    use crate::api::v3::project::types::ProjectShort;
     use crate::assignment::{MockAssignmentProvider, types::*};
     use crate::config::Config;
     use crate::keystone::{Service, ServiceState};
@@ -232,6 +237,7 @@ mod tests {
                         id: "p1".into(),
                         name: "p1_name".into(),
                         parent_id: None,
+                        is_domain: false,
                     },
                     ProviderProject {
                         description: None,
@@ -241,6 +247,7 @@ mod tests {
                         id: "p2".into(),
                         name: "p2_name".into(),
                         parent_id: None,
+                        is_domain: false,
                     },
                 ])
             });

src/api/v3/mod.rs

@@ -36,7 +36,11 @@ use crate::api::types::*;
 
 /// OpenApi specification for v3.
 #[derive(OpenApi)]
-#[openapi()]
+#[openapi(
+    nest(
+      (path = "/roles", api = role::ApiDoc),
+    ),
+)]
 pub struct ApiDoc;
 
 pub(super) fn openapi_router() -> OpenApiRouter<ServiceState> {