Merge branch 'permitio:main' into fix/correct-resource-names

Author: alexstojda

Makefile

@@ -1,4 +1,4 @@
-.PHONY: help build prepare
+.PHONY: help build prepare build-amd64 build-arm64
 
 .DEFAULT_GOAL := help
 

charts/pdp/Chart.yaml

@@ -1,4 +1,4 @@
 apiVersion: v2
 name: pdp
 description: An official Helm chart for Permit.io PDP (Policy Decision Point)
-version: 0.0.4
+version: 0.0.4

horizon/facts/client.py

@@ -1,4 +1,4 @@
-from typing import Annotated
+from typing import Annotated, Any
 from urllib.parse import urljoin
 
 from fastapi import Depends, HTTPException
@@ -30,7 +30,13 @@ def client(self) -> AsyncClient:
             )
         return self._client
 
-    async def build_forward_request(self, request: FastApiRequest, path: str) -> HttpxRequest:
+    async def build_forward_request(
+        self,
+        request: FastApiRequest,
+        path: str,
+        *,
+        query_params: dict[str, Any] | None = None,
+    ) -> HttpxRequest:
         """
         Build an HTTPX request from a FastAPI request to forward to the facts service.
         :param request: FastAPI request
@@ -50,10 +56,11 @@ async def build_forward_request(self, request: FastApiRequest, path: str) -> Htt
             )
 
         full_path = urljoin(f"/v2/facts/{project_id}/{environment_id}/", path.removeprefix("/"))
+        _query_params = {**request.query_params, **(query_params or {})}
         return self.client.build_request(
             method=request.method,
             url=full_path,
-            params=request.query_params,
+            params=_query_params,
             headers=forward_headers,
             content=request.stream(),
         )
@@ -62,18 +69,28 @@ async def send(self, request: HttpxRequest, *, stream: bool = False) -> HttpxRes
         logger.info(f"Forwarding facts request: {request.method} {request.url}")
         return await self.client.send(request, stream=stream)
 
-    async def send_forward_request(self, request: FastApiRequest, path: str) -> HttpxResponse:
+    async def send_forward_request(
+        self,
+        request: FastApiRequest,
+        path: str,
+        *,
+        query_params: dict[str, Any] | None = None,
+    ) -> HttpxResponse:
         """
         Send a forward request to the facts service.
         :param request: FastAPI request
         :param path: Backend facts service path to forward to
         :return: HTTPX response
         """
-        forward_request = await self.build_forward_request(request, path)
+        forward_request = await self.build_forward_request(request, path, query_params=query_params)
         return await self.send(forward_request)
 
     @staticmethod
-    def convert_response(response: HttpxResponse, *, stream: bool = False) -> FastApiResponse:
+    def convert_response(
+        response: HttpxResponse,
+        *,
+        stream: bool = False,
+    ) -> FastApiResponse:
         """
         Convert an HTTPX response to a FastAPI response.
         :param response: HTTPX response
@@ -103,6 +120,8 @@ def extract_body(response: HttpxResponse):
             return None
 
         try:
+            if response.status_code == 204:
+                return None
             body = response.json()
         except Exception:  # noqa: BLE001
             logger.exception("Failed to parse response body as JSON, skipping wait for update.")

horizon/facts/router.py

@@ -192,6 +192,27 @@ async def assign_user_role(
     )
 
 
+@facts_router.delete("/users/{user_id}/roles")
+async def unassign_user_role(
+    request: FastApiRequest,
+    client: FactsClientDependency,
+    update_subscriber: DataUpdateSubscriberDependency,
+    wait_timeout: WaitTimeoutDependency,
+    timeout_policy: TimeoutPolicyDependency,
+    user_id: str,
+):
+    return await forward_request_then_wait_for_update(
+        client,
+        request,
+        update_subscriber,
+        wait_timeout,
+        path=f"/users/{user_id}/roles",
+        query_params={"return_deleted": True},
+        entries_callback=create_role_assignment_data_entries,
+        timeout_policy=timeout_policy,
+    )
+
+
 @facts_router.post("/role_assignments")
 async def create_role_assignment(
     request: FastApiRequest,
@@ -211,6 +232,26 @@ async def create_role_assignment(
     )
 
 
+@facts_router.delete("/role_assignments")
+async def delete_role_assignment(
+    request: FastApiRequest,
+    client: FactsClientDependency,
+    update_subscriber: DataUpdateSubscriberDependency,
+    wait_timeout: WaitTimeoutDependency,
+    timeout_policy: TimeoutPolicyDependency,
+):
+    return await forward_request_then_wait_for_update(
+        client,
+        request,
+        update_subscriber,
+        wait_timeout,
+        path="/role_assignments",
+        entries_callback=create_role_assignment_data_entries,
+        timeout_policy=timeout_policy,
+        query_params={"return_deleted": True},
+    )
+
+
 @facts_router.post("/resource_instances")
 async def create_resource_instance(
     request: FastApiRequest,
@@ -293,6 +334,12 @@ async def create_relationship_tuple(
     )
 
 
+def cast_delete_200_to_204(response: Response) -> Response:
+    if response.status_code == 200:
+        return Response(status_code=204)
+    return response
+
+
 async def forward_request_then_wait_for_update(
     client: FactsClient,
     request: FastApiRequest,
@@ -303,9 +350,10 @@ async def forward_request_then_wait_for_update(
     update_id: UUID | None = None,
     entries_callback: Callable[[FastApiRequest, dict[str, Any], UUID | None], Iterable[DataSourceEntry]],
     timeout_policy: TimeoutPolicy = TimeoutPolicy.IGNORE,
+    query_params: dict[str, Any] | None = None,
 ) -> Response:
     _update_id = update_id or uuid4()
-    response = await client.send_forward_request(request, path)
+    response = await client.send_forward_request(request, path, query_params=query_params)
     body = client.extract_body(response)
     if body is None:
         return client.convert_response(response)

pdp-server/src/api/authn_middleware.rs

@@ -33,10 +33,7 @@ pub(super) async fn authentication_middleware(
             header_str[7..].to_string()
         }
         Ok(header_str) => {
-            warn!(
-                "Invalid Authorization header format, missing 'Bearer ' prefix: {}",
-                header_str
-            );
+            warn!("Invalid Authorization header format, missing 'Bearer ' prefix: {header_str}");
             return Response::builder()
                 .status(StatusCode::FORBIDDEN)
                 .body(
@@ -46,7 +43,7 @@ pub(super) async fn authentication_middleware(
                 .expect("Failed to create response");
         }
         Err(e) => {
-            warn!("Failed to parse Authorization header to string: {}", e);
+            warn!("Failed to parse Authorization header to string: {e}");
             return Response::builder()
                 .status(StatusCode::FORBIDDEN)
                 .body(

pdp-server/src/api/authz/allowed.rs

@@ -36,7 +36,7 @@ pub(super) async fn allowed_handler(
     match query_allowed_cached(&state, &query, &cache_control).await {
         Ok(result) => (StatusCode::OK, Json(result)).into_response(),
         Err(err) => {
-            log::error!("Failed to send request to OPA: {}", err);
+            log::error!("Failed to send request to OPA: {err}");
             ApiError::from(err).into_response()
         }
     }

pdp-server/src/api/authz/allowed_bulk.rs

@@ -36,7 +36,7 @@ pub(super) async fn allowed_bulk_handler(
     match query_allowed_bulk_cached(&state, &queries, &cache_control).await {
         Ok(result) => (StatusCode::OK, Json(result)).into_response(),
         Err(err) => {
-            log::error!("Failed to send request to OPA: {}", err);
+            log::error!("Failed to send request to OPA: {err}");
             ApiError::from(err).into_response()
         }
     }

pdp-server/src/api/authz/authorized_users.rs

@@ -39,7 +39,7 @@ pub(super) async fn authorized_users_handler(
     match query_authorized_users_cached(&state, &query, &cache_control).await {
         Ok(result) => (StatusCode::OK, Json(result)).into_response(),
         Err(err) => {
-            log::error!("Failed to send request to OPA: {}", err);
+            log::error!("Failed to send request to OPA: {err}");
             ApiError::from(err).into_response()
         }
     }

pdp-server/src/api/authz/user_permissions.rs

@@ -56,7 +56,7 @@ pub(super) async fn user_permissions_handler(
     let permissions = match query_user_permissions_cached(&state, &query, &cache_control).await {
         Ok(permissions) => permissions,
         Err(err) => {
-            log::error!("Failed to send request to OPA: {}", err);
+            log::error!("Failed to send request to OPA: {err}");
             return ApiError::from(err).into_response();
         }
     };

pdp-server/src/api/authzen/errors.rs

@@ -88,7 +88,7 @@ impl From<crate::errors::ApiError> for AuthZenError {
             StatusCode::FORBIDDEN => AuthZenError::forbidden("Access denied"),
             StatusCode::BAD_REQUEST => AuthZenError::invalid_request(err.detail),
             _ => {
-                log::error!("Internal error converted to AuthZen format: {:?}", err);
+                log::error!("Internal error converted to AuthZen format: {err:?}");
                 AuthZenError::internal_error("Internal server error")
             }
         }
@@ -98,7 +98,7 @@ impl From<crate::errors::ApiError> for AuthZenError {
 /// Convert OPA forwarding errors to AuthZen format
 impl From<crate::opa_client::ForwardingError> for AuthZenError {
     fn from(err: crate::opa_client::ForwardingError) -> Self {
-        log::error!("OPA forwarding error: {:?}", err);
+        log::error!("OPA forwarding error: {err:?}");
         // Use generic message to avoid leaking internal implementation details
         AuthZenError::internal_error("Internal server error")
     }