[hax] Using more abstract notion of type

Signed-off-by: John Schaeffer <[email protected]>

cmd/server.go

@@ -28,6 +28,7 @@ import (
 
 	"go.infratographer.com/permissions-api/internal/api"
 	"go.infratographer.com/permissions-api/internal/config"
+	"go.infratographer.com/permissions-api/internal/query"
 	"go.infratographer.com/permissions-api/internal/spicedbx"
 )
 
@@ -64,9 +65,11 @@ func serve(ctx context.Context, cfg *config.AppConfig) {
 		logger.Fatalw("unable to initialize spicedb client", "error", err)
 	}
 
+	engine := query.NewEngine("infratographer", spiceClient)
+
 	s := ginx.NewServer(logger.Desugar(), cfg.Server, versionx.BuildDetails())
 
-	r, err := api.NewRouter(cfg.OIDC, spiceClient, logger)
+	r, err := api.NewRouter(cfg.OIDC, engine, logger)
 	if err != nil {
 		logger.Fatalw("unable to initialize router", "error", err)
 	}

cmd/worker.go

@@ -24,9 +24,6 @@ import (
 	"go.infratographer.com/x/otelx"
 
 	"go.infratographer.com/permissions-api/internal/config"
-	"go.infratographer.com/permissions-api/internal/query"
-	"go.infratographer.com/permissions-api/internal/spicedbx"
-	"go.infratographer.com/permissions-api/pkg/pubsubx"
 )
 
 var workerCmd = &cobra.Command{
@@ -44,22 +41,24 @@ func init() {
 }
 
 func worker(ctx context.Context, cfg *config.AppConfig) {
-	err := otelx.InitTracer(cfg.Tracing, appName, logger)
-	if err != nil {
-		logger.Fatalw("unable to initialize tracing system", "error", err)
-	}
+	/*
+		err := otelx.InitTracer(cfg.Tracing, appName, logger)
+		if err != nil {
+			logger.Fatalw("unable to initialize tracing system", "error", err)
+		}
 
-	spiceClient, err := spicedbx.NewClient(cfg.SpiceDB, cfg.Tracing.Enabled)
-	if err != nil {
-		logger.Fatalw("unable to initialize spicedb client", "error", err)
-	}
+		spiceClient, err := spicedbx.NewClient(cfg.SpiceDB, cfg.Tracing.Enabled)
+		if err != nil {
+			logger.Fatalw("unable to initialize spicedb client", "error", err)
+		}
 
-	w, err := pubsubx.NewSubscription(ctx, "nats://localhost", logger)
-	if err != nil {
-		logger.Fatalw("unable to start queue subscription", "error", err)
-	}
+		w, err := pubsubx.NewSubscription(ctx, "nats://localhost", logger)
+		if err != nil {
+			logger.Fatalw("unable to start queue subscription", "error", err)
+		}
 
-	if err := w.StartListening(ctx, &query.Stores{SpiceDB: spiceClient}); err != nil {
-		logger.Fatalw("listener stopped listening", "error", err)
-	}
+		if err := w.StartListening(ctx, &query.Stores{SpiceDB: spiceClient}); err != nil {
+			logger.Fatalw("listener stopped listening", "error", err)
+		}
+	*/
 }

internal/api/permissions.go

@@ -22,7 +22,7 @@ func (r *Router) checkAction(c *gin.Context) {
 		return
 	}
 
-	resource, err := query.NewResourceFromURN(resourceURN)
+	resource, err := r.engine.NewResourceFromURN(resourceURN)
 	if err != nil {
 		c.JSON(http.StatusBadRequest, gin.H{"message": "error processing resource URN", "error": err.Error()})
 		return
@@ -34,13 +34,13 @@ func (r *Router) checkAction(c *gin.Context) {
 		return
 	}
 
-	subjectResource, err := query.NewResourceFromURN(subject)
+	subjectResource, err := r.engine.NewResourceFromURN(subject)
 	if err != nil {
 		c.JSON(http.StatusBadRequest, gin.H{"message": "error processing subject URN", "error": err.Error()})
 		return
 	}
 
-	err = query.SubjectHasPermission(ctx, r.authzedClient, subjectResource, action, resource, "")
+	err = r.engine.SubjectHasPermission(ctx, subjectResource, action, resource, "")
 	if err != nil {
 		if errors.Is(err, query.ErrActionNotAssigned) {
 			c.JSON(http.StatusForbidden, gin.H{"message": "subject does not have requested action"})

internal/api/resources.go

@@ -4,7 +4,6 @@ import (
 	"net/http"
 
 	"github.com/gin-gonic/gin"
-	"go.infratographer.com/permissions-api/internal/query"
 	"go.infratographer.com/x/urnx"
 	"go.opentelemetry.io/otel/attribute"
 	"go.opentelemetry.io/otel/trace"
@@ -18,39 +17,49 @@ func (r *Router) resourceCreate(c *gin.Context) {
 
 	resourceURN, err := urnx.Parse(resourceURNStr)
 	if err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"message": "error processing resource URN", "error": err.Error()})
+		c.JSON(http.StatusBadRequest, gin.H{"message": "error parsing resource URN", "error": err.Error()})
 		return
 	}
 
-	resource, err := query.NewResourceFromURN(resourceURN)
+	resource, err := r.engine.NewResourceFromURN(resourceURN)
 	if err != nil {
 		c.JSON(http.StatusBadRequest, gin.H{"message": "error processing resource URN", "error": err.Error()})
 		return
 	}
 
-	if err := c.ShouldBindJSON(&resource.Fields); err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
-		return
-	}
-
 	subject, err := currentSubject(c)
 	if err != nil {
 		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error(), "message": "failed to get the subject"})
 		return
 	}
 
-	subjectResource, err := query.NewResourceFromURN(subject)
+	subjectResource, err := r.engine.NewResourceFromURN(subject)
 	if err != nil {
 		c.JSON(http.StatusBadRequest, gin.H{"message": "error processing subject URN", "error": err.Error()})
 		return
 	}
 
-	zedToken, err := query.CreateSpiceDBRelationships(ctx, r.authzedClient, resource, subjectResource)
+	if resource.Type != "tenant" {
+		c.JSON(http.StatusBadRequest, gin.H{"message": "failed to create relationship", "error": "only tenants can be created"})
+		return
+	}
+
+	roles, _, err := r.engine.CreateBuiltInRoles(ctx, resource)
 	if err != nil {
 		c.JSON(http.StatusInternalServerError, gin.H{"message": "failed to create relationship", "error": err.Error()})
 		return
 	}
 
+	var zedToken string
+	for _, role := range roles {
+		zedToken, err = r.engine.AssignSubjectRole(ctx, subjectResource, role)
+
+		if err != nil {
+			c.JSON(http.StatusInternalServerError, gin.H{"message": "failed to create relationship", "error": err.Error()})
+			return
+		}
+	}
+
 	c.JSON(http.StatusCreated, gin.H{"token": zedToken})
 }
 

internal/api/router.go

@@ -1,9 +1,9 @@
 package api
 
 import (
-	"github.com/authzed/authzed-go/v1"
 	"github.com/gin-gonic/gin"
 	"go.hollow.sh/toolbox/ginjwt"
+	"go.infratographer.com/permissions-api/internal/query"
 	"go.infratographer.com/x/urnx"
 	"go.opentelemetry.io/otel"
 	"go.uber.org/zap"
@@ -13,21 +13,21 @@ var tracer = otel.Tracer("go.infratographer.com/permissions-api/internal/api")
 
 // Router provides a router for the API
 type Router struct {
-	authMW        func(*gin.Context)
-	authzedClient *authzed.Client
-	logger        *zap.SugaredLogger
+	authMW func(*gin.Context)
+	engine *query.Engine
+	logger *zap.SugaredLogger
 }
 
-func NewRouter(authCfg ginjwt.AuthConfig, authzedClient *authzed.Client, l *zap.SugaredLogger) (*Router, error) {
+func NewRouter(authCfg ginjwt.AuthConfig, engine *query.Engine, l *zap.SugaredLogger) (*Router, error) {
 	authMW, err := newAuthMiddleware(authCfg)
 	if err != nil {
 		return nil, err
 	}
 
 	out := &Router{
-		authMW:        authMW,
-		authzedClient: authzedClient,
-		logger:        l.Named("api"),
+		authMW: authMW,
+		engine: engine,
+		logger: l.Named("api"),
 	}
 
 	return out, nil

internal/query/roles.go

@@ -0,0 +1,15 @@
+package query
+
+import (
+	"github.com/google/uuid"
+	"go.infratographer.com/permissions-api/internal/types"
+)
+
+func newRoleFromTemplate(t types.RoleTemplate) types.Role {
+	out := types.Role{
+		ID:      uuid.New(),
+		Actions: t.Actions,
+	}
+
+	return out
+}

internal/query/service.go

@@ -0,0 +1,16 @@
+package query
+
+import "github.com/authzed/authzed-go/v1"
+
+// Engine represents a client for making permissions queries.
+type Engine struct {
+	namespace string
+	client    *authzed.Client
+}
+
+func NewEngine(namespace string, client *authzed.Client) *Engine {
+	return &Engine{
+		namespace: namespace,
+		client:    client,
+	}
+}