Skip to content

Commit

Permalink
confdb, daemon: add confdb-control api
Browse files Browse the repository at this point in the history
  • Loading branch information
st3v3nmw committed Dec 17, 2024
1 parent 6eed2b2 commit 983bc9d
Show file tree
Hide file tree
Showing 6 changed files with 491 additions and 53 deletions.
2 changes: 1 addition & 1 deletion asserts/confdb.go
Original file line number Diff line number Diff line change
Expand Up @@ -209,7 +209,7 @@ func parseConfdbControlGroups(rawGroups []interface{}) (map[string]*confdb.Opera
return nil, fmt.Errorf(`%s: "views" must be provided`, errPrefix)
}

if err := operator.AddControlGroup(views, auth); err != nil {
if err := operator.Delegate(views, auth); err != nil {
return nil, fmt.Errorf(`%s: %w`, errPrefix, err)
}
}
Expand Down
4 changes: 2 additions & 2 deletions asserts/confdb_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -335,12 +335,12 @@ func (s *confdbCtrlSuite) TestDecodeInvalid(c *C) {
{
" - operator-key",
" - foo-bar",
"cannot parse group at position 1: cannot add group: invalid authentication method: foo-bar",
"cannot parse group at position 1: cannot delegate: invalid authentication method: foo-bar",
},
{
"canonical/network/control-interfaces",
"canonical",
`cannot parse group at position 2: view "canonical" must be in the format account/confdb/view`,
`cannot parse group at position 2: cannot delegate: view "canonical" must be in the format account/confdb/view`,
},
}

Expand Down
277 changes: 247 additions & 30 deletions confdb/confdb_control.go
Original file line number Diff line number Diff line change
Expand Up @@ -83,6 +83,31 @@ type ControlGroup struct {
Views []*ViewRef
}

// findView binary searches the position of the given view in the control group.
func (g *ControlGroup) findView(view *ViewRef) (int, bool) {
left, right := 0, len(g.Views)-1

for left <= right {
mid := (left + right) / 2
cmp := g.Views[mid].compare(view)

if cmp == 0 {
return mid, true
} else if cmp < 0 {
left = mid + 1
} else {
right = mid - 1
}
}

return 0, false
}

// deleteViewAt removes the view at the given index.
func (g *ControlGroup) deleteViewAt(idx int) {
g.Views = append(g.Views[:idx], g.Views[idx+1:]...)
}

// ViewRef holds the reference to account/confdb/view as parsed from the
// confdb-control assertion.
type ViewRef struct {
Expand All @@ -91,58 +116,224 @@ type ViewRef struct {
View string
}

// newViewRef parses account/confdb/view into ViewRef
func newViewRef(view string) (*ViewRef, error) {
viewPath := strings.Split(view, "/")
if len(viewPath) != 3 {
return nil, fmt.Errorf(`view "%s" must be in the format account/confdb/view`, view)
}

account := viewPath[0]
if !validAccountID.MatchString(account) {
return nil, fmt.Errorf("invalid Account ID %s", account)
}

confdb := viewPath[1]
if !ValidConfdbName.MatchString(confdb) {
return nil, fmt.Errorf("invalid confdb name %s", confdb)
}

viewName := viewPath[2]
if !ValidViewName.MatchString(viewName) {
return nil, fmt.Errorf("invalid view name %s", viewName)
}

return &ViewRef{
Account: account,
Confdb: confdb,
View: viewName,
}, nil
}

// compare compares two ViewRefs lexicographically based the Account, Confdb, & View fields.
// It returns:
// - -1 if `v` is less than `b`,
// - 1 if `v` is greater than `b`,
// - 0 if `v` is equal to `b`.
func (v *ViewRef) compare(b *ViewRef) int {
if v.Account != b.Account {
if v.Account < b.Account {
return -1
}
return 1
}

if v.Confdb != b.Confdb {
if v.Confdb < b.Confdb {
return -1
}
return 1
}

if v.View != b.View {
if v.View < b.View {
return -1
}
return 1
}

return 0
}

// groupWithView returns the group that holds the given view.
func (op *Operator) groupWithView(view *ViewRef) (*ControlGroup, int) {
for _, group := range op.Groups {
index, ok := group.findView(view)
if ok {
return group, index
}
}

return nil, 0
}

// groupWithAuthentication returns the group with the given auth.
// The provided auth should be sorted.
func (op *Operator) groupWithAuthentication(auth []AuthenticationMethod) *ControlGroup {
for _, group := range op.Groups {
if checkListEqual(group.Authentication, auth) {
return group
}
}

return nil
}

// IsDelegated checks if <accountID>/<registry>/<view> is delegated to
// the operator under the given auth.
func (op *Operator) IsDelegated(view *ViewRef, auth AuthenticationMethod) bool {
group, _ := op.groupWithView(view)
if group == nil {
return false
}

return checkListContains(group.Authentication, auth)

Check warning on line 210 in confdb/confdb_control.go

View check run for this annotation

Codecov / codecov/patch

confdb/confdb_control.go#L210

Added line #L210 was not covered by tests
}

// AddControlGroup adds the group to an operator under the given authentication.
func (op *Operator) AddControlGroup(views, auth []string) error {
if len(auth) == 0 {
return errors.New(`cannot add group: "auth" must be a non-empty list`)
func (op *Operator) Delegate(views, rawAuth []string) error {
if len(rawAuth) == 0 {
return errors.New(`cannot delegate: "auth" must be a non-empty list`)
}

authentication, err := convertToAuthenticationMethods(auth)
auth, err := convertToAuthenticationMethods(rawAuth)
if err != nil {
return fmt.Errorf("cannot add group: %w", err)
return fmt.Errorf("cannot delegate: %w", err)
}

if len(views) == 0 {
return errors.New(`cannot add group: "views" must be a non-empty list`)
return errors.New(`cannot delegate: "views" must be a non-empty list`)
}

parsedViews := []*ViewRef{}
for _, view := range views {
viewPath := strings.Split(view, "/")
if len(viewPath) != 3 {
return fmt.Errorf(`view "%s" must be in the format account/confdb/view`, view)
parsedView, err := newViewRef(view)
if err != nil {
return fmt.Errorf("cannot delegate: %w", err)
}

account := viewPath[0]
if !validAccountID.MatchString(account) {
return fmt.Errorf("invalid Account ID %s", account)
}
op.delegateOne(parsedView, auth)
}

op.compact()
return nil
}

// delegateOne grants remote registry control to <account-id>/<registry>/<view>.
func (op *Operator) delegateOne(view *ViewRef, auth []AuthenticationMethod) {
newAuth := auth
existingGroup, viewIdx := op.groupWithView(view)
if existingGroup != nil {
newAuth = append(newAuth, existingGroup.Authentication...)
sort.Slice(newAuth, func(i, j int) bool {
return newAuth[i] < newAuth[j]
})
newAuth = unique(newAuth)
}

newGroup := op.groupWithAuthentication(newAuth)
if existingGroup == newGroup && existingGroup != nil {
// already delegated, nothing to do
return
}

Check warning on line 257 in confdb/confdb_control.go

View check run for this annotation

Codecov / codecov/patch

confdb/confdb_control.go#L255-L257

Added lines #L255 - L257 were not covered by tests

confdb := viewPath[1]
if !ValidConfdbName.MatchString(confdb) {
return fmt.Errorf("invalid confdb name %s", confdb)
if newGroup == nil {
newGroup = &ControlGroup{Authentication: newAuth, Views: []*ViewRef{view}}
op.Groups = append(op.Groups, newGroup)
} else {
newGroup.Views = append(newGroup.Views, view)
sort.Slice(newGroup.Views, func(i, j int) bool {
return newGroup.Views[i].compare(newGroup.Views[j]) < 0
})
}

if existingGroup != nil {
// remove the view from the old group
existingGroup.deleteViewAt(viewIdx)
}
}

// Revoke withdraws remote access to the views that have been delegated under
// the authentication methods.
func (op *Operator) Revoke(views []string, rawAuth []string) error {
var err error
var auth []AuthenticationMethod
if len(rawAuth) == 0 {
// if no authentication is provided, revoke all auth methods
auth = []AuthenticationMethod{OperatorKey, Store}
} else {
auth, err = convertToAuthenticationMethods(rawAuth)
if err != nil {
return fmt.Errorf("cannot revoke: %w", err)
}
}

viewName := viewPath[2]
if !ValidViewName.MatchString(viewName) {
return fmt.Errorf("invalid view name %s", viewName)
for _, view := range views {
parsedView, err := newViewRef(view)
if err != nil {
return fmt.Errorf("cannot revoke: %w", err)
}

parsedView := &ViewRef{
Account: account,
Confdb: confdb,
View: viewName,
op.revokeOne(parsedView, auth)
}

op.compact()
return nil
}

// revokeOne revokes remote registry control over <account-id>/<registry>/<view>.
func (op *Operator) revokeOne(view *ViewRef, auth []AuthenticationMethod) {
group, viewIdx := op.groupWithView(view)
if group == nil {
// not delegated, nothing to do
return
}

remaining := make([]AuthenticationMethod, 0, len(group.Authentication))
for _, existingAuth := range group.Authentication {
if !checkListContains(auth, existingAuth) {
remaining = append(remaining, existingAuth)

Check warning on line 314 in confdb/confdb_control.go

View check run for this annotation

Codecov / codecov/patch

confdb/confdb_control.go#L314

Added line #L314 was not covered by tests
}
parsedViews = append(parsedViews, parsedView)
}

group := &ControlGroup{
Authentication: authentication,
Views: parsedViews,
// remove the view from the group
group.deleteViewAt(viewIdx)

if len(remaining) != 0 {
// delegate the view with the remaining authentication method(s)
op.delegateOne(view, remaining)

Check warning on line 323 in confdb/confdb_control.go

View check run for this annotation

Codecov / codecov/patch

confdb/confdb_control.go#L322-L323

Added lines #L322 - L323 were not covered by tests
}
op.Groups = append(op.Groups, group)
}

return nil
// compact removes empty groups.
func (op *Operator) compact() {
groups := make([]*ControlGroup, 0, len(op.Groups))
for _, group := range op.Groups {
if len(group.Views) != 0 {
groups = append(groups, group)
}
}

op.Groups = groups
}

// unique replaces consecutive runs of equal elements with a single copy.
Expand All @@ -162,3 +353,29 @@ func unique[T comparable](s []T) []T {

return s[:j]
}

// checkListContains checks if the slice contains the given value.
func checkListContains[T comparable](s []T, v T) bool {
for _, item := range s {
if item == v {
return true
}
}

return false

Check warning on line 365 in confdb/confdb_control.go

View check run for this annotation

Codecov / codecov/patch

confdb/confdb_control.go#L365

Added line #L365 was not covered by tests
}

// checkListEqual checks if two slices are equal.
func checkListEqual[T comparable](a, b []T) bool {
if len(a) != len(b) {
return false
}

for i := range a {
if a[i] != b[i] {
return false
}
}

return true
}
Loading

0 comments on commit 983bc9d

Please sign in to comment.