Add RBAC

Well, kinda. This is more of an exploration to see what's actually necessary from the interface. it'll get refactored eventually!
unikorn-cloud · Mar 27, 2024 · ea4cf78 · ea4cf78
1 parent 93eedac
commit ea4cf78
Show file tree

Hide file tree

Showing 13 changed files with 453 additions and 308 deletions.
diff --git a/.github/workflows/pull-request.yaml b/.github/workflows/pull-request.yaml
@@ -6,7 +6,7 @@ on:
     tags-ignore:
     - '*'
 env:
-  GO_VERSION: 1.21.1
+  GO_VERSION: 1.22.1
 jobs:
   Static:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -6,7 +6,7 @@ on:
     tags:
     - '*'
 env:
-  GO_VERSION: 1.21.1
+  GO_VERSION: 1.22.1
   REGISTRY: ghcr.io
 jobs:
   release:

diff --git a/go.mod b/go.mod
@@ -10,7 +10,7 @@ require (
 	github.com/go-jose/go-jose/v3 v3.0.1
 	github.com/google/uuid v1.6.0
 	github.com/spf13/pflag v1.0.5
-	github.com/unikorn-cloud/core v0.1.15
+	github.com/unikorn-cloud/core v0.1.16
 	go.opentelemetry.io/otel v1.24.0
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.22.0
 	go.opentelemetry.io/otel/sdk v1.22.0

diff --git a/go.sum b/go.sum
@@ -271,6 +271,10 @@ github.com/unikorn-cloud/core v0.1.14 h1:Nk/2g40sf2IAEwQa1fDFcjINInFrw9sOa4rcnCN
 github.com/unikorn-cloud/core v0.1.14/go.mod h1:G45rJ0e5LOdoFcD9C00wSuhe/AMeBC+tczmQSsS+0/Q=
 github.com/unikorn-cloud/core v0.1.15 h1:avOh0uSvlgSgBzVdM/JUsdP0eYYO8pTaD0oQSUNLGDY=
 github.com/unikorn-cloud/core v0.1.15/go.mod h1:G45rJ0e5LOdoFcD9C00wSuhe/AMeBC+tczmQSsS+0/Q=
+github.com/unikorn-cloud/core v0.1.16-0.20240326105740-6aafeec6c87d h1:qFtSQK+lYTeA9W1vYI1G2ysWak7m8rfVI1yFk8ul5e8=
+github.com/unikorn-cloud/core v0.1.16-0.20240326105740-6aafeec6c87d/go.mod h1:G45rJ0e5LOdoFcD9C00wSuhe/AMeBC+tczmQSsS+0/Q=
+github.com/unikorn-cloud/core v0.1.16 h1:PMg5VO0cNtr79J8y9JwzV9ljTDHv+nUIyQQDii54vOQ=
+github.com/unikorn-cloud/core v0.1.16/go.mod h1:G45rJ0e5LOdoFcD9C00wSuhe/AMeBC+tczmQSsS+0/Q=
 github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw=
 github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc=
 github.com/valyala/fasttemplate v1.2.1/go.mod h1:KHLXt3tVN2HBp8eijSv/kGJopbvo7S+qRAEEKiv+SiQ=

diff --git a/openapi/server.spec.yaml b/openapi/server.spec.yaml
@@ -111,23 +111,6 @@ paths:
           $ref: '#/components/responses/jwksResponse'
         '500':
           $ref: '#/components/responses/internalServerErrorResponse'
-  /api/v1/oauth2/providers:
-    description: |-
-      Allows management of oauth2 providers.  The identity service is typically
-      registered with an identity provider who provides us a client identitifier
-      and possibly a secret that we need to authenticate the user.
-    get:
-      description: |-
-        Returns a list of identity providers.
-      security:
-      - oauth2Authentication: []
-      responses:
-        '200':
-          $ref: '#/components/responses/oauth2ProvidersResponse'
-        '401':
-          $ref: '#/components/responses/unauthorizedResponse'
-        '500':
-          $ref: '#/components/responses/internalServerErrorResponse'
   /api/v1/organizations:
     description: |-
       Allows management of organizations.  Organizations are identified by an
@@ -190,6 +173,25 @@ paths:
           $ref: '#/components/responses/unauthorizedResponse'
         '403':
           $ref: '#/components/responses/forbiddenResponse'
+  /api/v1/organizations/{organization}/oauth2/providers:
+    description: |-
+      Allows management of oauth2 providers.  The identity service is typically
+      registered with an identity provider who provides us a client identitifier
+      and possibly a secret that we need to authenticate the user.
+    parameters:
+    - $ref: '#/components/parameters/organizationParameter'
+    get:
+      description: |-
+        Returns a list of identity providers, either public or owned by the organization.
+      security:
+      - oauth2Authentication: []
+      responses:
+        '200':
+          $ref: '#/components/responses/oauth2ProvidersResponse'
+        '401':
+          $ref: '#/components/responses/unauthorizedResponse'
+        '500':
+          $ref: '#/components/responses/internalServerErrorResponse'
   # TODO: in order to create a group, we'd need to know from the identity
   # provider what groups are available, and to do that we'd need to have
   # the access token available.  We could pass it around in our access token
@@ -559,19 +561,25 @@ components:
       - name
       - displayName
       - issuer
-      - clientID
       properties:
         name:
-          description:
+          description: A description of the provider.
           type: string
         displayName:
-          description:
+          description: The name to display for the provider.
           type: string
         issuer:
-          description:
+          description: The OIDC issuer, typically where to perform auto discovery relative to.
           type: string
         clientID:
-          description:
+          description: |
+            The client identification, only shown for super admin or organization owned providers
+            that you are an admin for.
+          type: string
+        clientSecret:
+          description: |
+            The client secret, only shown for super admin or organization owned providers
+            that you are an admin for.
           type: string
     oauth2Providers:
       description: A list of oauth2 providers.