Added initial config for RBAC support

Author: akclace

internal/metadata/metadata.go

@@ -21,7 +21,7 @@ import (
 	_ "modernc.org/sqlite"
 )
 
-const CURRENT_DB_VERSION = 5
+const CURRENT_DB_VERSION = 6
 
 // Metadata is the metadata persistence layer
 type Metadata struct {
@@ -213,6 +213,17 @@ func (m *Metadata) VersionUpgrade(config *types.ServerConfig) error {
 		}
 	}
 
+	if version < 6 {
+		m.Info().Msg("Upgrading to version 6")
+		if _, err := tx.ExecContext(ctx, `create table config(version_id text, user_id text, update_time `+system.MapDataType(m.dbType, "datetime")+", config json)"); err != nil {
+			return err
+		}
+
+		if _, err := tx.ExecContext(ctx, `update version set version=6, last_upgraded=`+system.FuncNow(m.dbType)); err != nil {
+			return err
+		}
+	}
+
 	if err := tx.Commit(); err != nil {
 		return err
 	}
@@ -627,6 +638,88 @@ func (m *Metadata) UpdateSyncStatus(ctx context.Context, tx types.Transaction, i
 	return nil
 }
 
+var ErrConfigAlreadyExists = errors.New("config already exists")
+var ErrConfigNotFound = errors.New("config not found")
+
+func (m *Metadata) InitConfig(ctx context.Context, user string, dynamicConfig *types.DynamicConfig) error {
+	configJson, err := json.Marshal(dynamicConfig)
+	if err != nil {
+		return fmt.Errorf("error marshalling dynamic config: %w", err)
+	}
+
+	tx, err := m.db.BeginTx(ctx, nil)
+	if err != nil {
+		return fmt.Errorf("error beginning transaction: %w", err)
+	}
+
+	defer tx.Rollback()
+	countResult := tx.QueryRowContext(ctx, system.RebindQuery(m.dbType, `select count(*) from config`))
+	var rowCount int
+	err = countResult.Scan(&rowCount)
+	if err != nil {
+		return fmt.Errorf("error scanning config: %w", err)
+	}
+	if rowCount > 0 {
+		return ErrConfigAlreadyExists
+	}
+
+	_, err = tx.ExecContext(ctx, system.RebindQuery(m.dbType,
+		`insert into config values (?, ?, `+system.FuncNow(m.dbType)+", ?)"),
+		dynamicConfig.VersionId, user, string(configJson))
+	if err != nil {
+		return fmt.Errorf("error inserting config: %w", err)
+	}
+	err = tx.Commit()
+	if err != nil {
+		return fmt.Errorf("error committing transaction: %w", err)
+	}
+	return nil
+}
+
+func (m *Metadata) UpdateConfig(ctx context.Context, user string, oldVersionId string, dynamicConfig *types.DynamicConfig) error {
+	configJson, err := json.Marshal(dynamicConfig)
+	if err != nil {
+		return fmt.Errorf("error marshalling dynamic config: %w", err)
+	}
+
+	result, err := m.db.ExecContext(ctx, system.RebindQuery(m.dbType,
+		`update config set version_id = ?, config = ?, update_time = `+system.FuncNow(m.dbType)+", user_id = ? where version_id = ?"),
+		dynamicConfig.VersionId, string(configJson), user, oldVersionId)
+	if err != nil {
+		return fmt.Errorf("error updating config: %w", err)
+	}
+	rowsAffected, err := result.RowsAffected()
+	if err != nil {
+		return fmt.Errorf("error getting rows affected: %w", err)
+	}
+	if rowsAffected == 0 {
+		return fmt.Errorf("no config entry found with version id for update: %s", oldVersionId)
+	}
+	return nil
+}
+
+func (m *Metadata) GetConfig() (*types.DynamicConfig, error) {
+	var configStr sql.NullString
+	row := m.db.QueryRow(system.RebindQuery(m.dbType, `select config from config`))
+	err := row.Scan(&configStr)
+	if err != nil {
+		if err == sql.ErrNoRows {
+			return nil, ErrConfigNotFound
+		}
+		return nil, fmt.Errorf("error querying config: %w", err)
+	}
+
+	var config types.DynamicConfig
+	if configStr.Valid && configStr.String != "" {
+		err = json.Unmarshal([]byte(configStr.String), &config)
+		if err != nil {
+			return nil, fmt.Errorf("error unmarshalling config: %w", err)
+		}
+	}
+
+	return &config, nil
+}
+
 // BeginTransaction starts a new Transaction
 func (m *Metadata) BeginTransaction(ctx context.Context) (types.Transaction, error) {
 	tx, err := m.db.BeginTx(ctx, nil)

internal/server/router.go

@@ -1078,6 +1078,11 @@ func (h *Handler) listSyncEntries(r *http.Request) (any, error) {
 	return results, nil
 }
 
+func (h *Handler) configUpdate(r *http.Request) (any, error) {
+	// TODO
+	return nil, nil
+}
+
 // serveInternal returns a handler for the internal APIs for app admin and management
 func (h *Handler) serveInternal(enableBasicAuth bool) http.Handler {
 	// These API's are mounted at /_openrun
@@ -1203,6 +1208,11 @@ func (h *Handler) serveInternal(enableBasicAuth bool) http.Handler {
 		h.apiHandler(w, r, enableBasicAuth, "list_sync", h.listSyncEntries)
 	}))
 
+	// API to run sync
+	r.Post("/config", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		h.apiHandler(w, r, enableBasicAuth, "config_update", h.configUpdate)
+	}))
+
 	return r
 }
 

internal/server/server.go

@@ -136,6 +136,8 @@ type Server struct {
 	auditDB        *sql.DB
 	auditDbType    system.DBType
 	syncTimer      *time.Ticker
+	configMu       sync.RWMutex
+	dynamicConfig  *types.DynamicConfig
 }
 
 // NewServer creates a new instance of the OpenRun Server
@@ -203,12 +205,43 @@ func NewServer(config *types.ServerConfig) (*Server, error) {
 
 	initOpenRunPlugin(server)
 
+	server.dynamicConfig, err = server.db.GetConfig()
+	if err != nil && !errors.Is(err, metadata.ErrConfigNotFound) {
+		return nil, fmt.Errorf("error getting dynamic config: %w", err)
+	}
+
+	if server.dynamicConfig == nil || server.dynamicConfig.VersionId == "" {
+		// Initialize dynamic config if not already done
+		if server.dynamicConfig == nil {
+			server.dynamicConfig = &types.DynamicConfig{}
+		}
+		server.dynamicConfig.VersionId = "ver_" + ksuid.New().String()
+		err = server.db.InitConfig(context.Background(), "admin", server.dynamicConfig)
+		if err != nil {
+			if !errors.Is(err, metadata.ErrConfigAlreadyExists) {
+				return nil, fmt.Errorf("error init dynamic config: %w", err)
+			} else {
+				server.dynamicConfig, err = server.db.GetConfig()
+				if err != nil {
+					return nil, fmt.Errorf("error getting dynamic config: %w", err)
+				}
+			}
+		}
+		// TODO : notify other instances about new dynamic config
+	}
+
 	// Start the idle shutdown check
 	server.syncTimer = time.NewTicker(time.Minute) // run sync every minute
 	go server.syncRunner()
 	return server, nil
 }
 
+func (s *Server) GetRBACConfig() types.RBACConfig {
+	s.configMu.RLock()
+	defer s.configMu.RUnlock()
+	return s.dynamicConfig.RBAC
+}
+
 func (s *Server) appNotifyFunction(updatePayload types.AppUpdatePayload) {
 	if updatePayload.ServerId == types.CurrentServerId {
 		s.Trace().Str("server_id", string(updatePayload.ServerId)).Msg("Ignoring app update notification from self")

internal/types/types.go

@@ -678,3 +678,29 @@ type JSLibrary struct {
 	EsbuildArgs       [10]string // use an array so that the struct can be used as key in the jsCache map
 	SanitizedFileName string
 }
+
+// DynamicConfig is the configuration which is settable through API and is persisted to metadata
+type DynamicConfig struct {
+	VersionId string     `json:"version_id"`
+	RBAC      RBACConfig `json:"rbac"`
+}
+
+type RBACConfig struct {
+	Groups map[string][]string         `json:"groups"` // groups names to user ids. These groups are appended to the groups info from SAML
+	Roles  map[string][]RBACPermission `json:"roles"`  // roles names to permissions.
+	Grants []RBACGrant                 `json:"grants"` // grants are used to grant permissions to users/groups for specific apps
+}
+
+type RBACGrant struct {
+	Description string   `json:"description"`
+	Users       []string `json:"users"`   // users/groups granted by this rule
+	Roles       []string `json:"roles"`   // the roles granted by this rule
+	Targets     []string `json:"targets"` // the app path globs for which this grant applies
+}
+
+type RBACPermission string
+
+const (
+	PermissionList   RBACPermission = "list"   // list apps
+	PermissionAccess RBACPermission = "access" // access apps
+)