Revert remove namespace (#331)
* Revert "remove AuthService"

This reverts commit 220c8b6.

* Revert "remove namespace first part"

This reverts commit 94c65bf.
nicoburniske authored Mar 27, 2024
1 parent 220c8b6 commit c499e61
Showing 22 changed files with 809 additions and 511 deletions.
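--- a/golem-service-base/src/model.rs
+++ b/golem-service-base/src/model.rs
@@ -3116,31 +3116,3 @@ impl From<GrpcRoutingTableEntry> for RoutingTableEntry {
 }
 }
 }
-
-#[derive(
-Debug, Clone, PartialEq, Eq, Hash, Ord, PartialOrd, serde::Serialize, serde::Deserialize, Object,
-)]
-#[serde(rename_all = "camelCase")]
-#[oai(rename_all = "camelCase")]
-pub struct ResourceLimits {
-pub available_fuel: i64,
-pub max_memory_per_worker: i64,
-}
-
-impl From<ResourceLimits> for golem_api_grpc::proto::golem::common::ResourceLimits {
-fn from(value: ResourceLimits) -> Self {
-Self {
-available_fuel: value.available_fuel,
-max_memory_per_worker: value.max_memory_per_worker,
-}
-}
-}
-
-impl From<golem_api_grpc::proto::golem::common::ResourceLimits> for ResourceLimits {
-fn from(value: golem_api_grpc::proto::golem::common::ResourceLimits) -> Self {
-Self {
-available_fuel: value.available_fuel,
-max_memory_per_worker: value.max_memory_per_worker,
-}
-}
-}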
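--- a/golem-service-base/src/service/auth.rs
+++ b/golem-service-base/src/service/auth.rs
@@ -0,0 +1,71 @@
+use async_trait::async_trait;
+use serde::{Deserialize, Serialize};
+
+// Every authorisation is based on a permission to a particular context.
+// A context can be a simple unit, to a user, namespace, project, account, or
+// a mere request from where we can fetch details.
+//
+#[async_trait]
+pub trait AuthService<AuthCtx, Namespace> {
+async fn is_authorized(
+&self,
+permission: Permission,
+ctx: &AuthCtx,
+) -> Result<Namespace, AuthError>;
+}
+
+#[derive(Debug, Clone, thiserror::Error)]
+pub enum AuthError {
+// TODO: Do we want to display these errors?
+#[error("Unauthorized: {0}")]
+Unauthorized(String),
+#[error("Forbidden: {0}")]
+Forbidden(String),
+#[error("Not found: {0}")]
+NotFound(String),
+#[error("Internal error: {0}")]
+Internal(String),
+}
+
+#[derive(Debug, Copy, Clone, PartialEq, Eq, Hash, Serialize, Deserialize)]
+pub enum Permission {
+View,
+Create,
+Update,
+Delete,
+}
+
+impl std::fmt::Display for Permission {
+fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+match self {
+Permission::View => write!(f, "View"),
+Permission::Create => write!(f, "Create"),
+Permission::Update => write!(f, "Update"),
+Permission::Delete => write!(f, "Delete"),
+}
+}
+}
+
+#[derive(Debug, Clone, PartialEq, Eq, Hash)]
+pub struct WithNamespace<T, Namespace> {
+pub value: T,
+pub namespace: Namespace,
+}
+
+impl<T, Namespace> WithNamespace<T, Namespace> {
+pub fn new(value: T, namespace: Namespace) -> Self {
+Self { value, namespace }
+}
+}
+
+#[derive(Debug, Clone, PartialEq, Eq, Hash)]
+pub struct WithAuth<T, AuthCtx> {
+pub value: T,
+pub auth: AuthCtx,
+}
+
+impl<T, AuthCtx> WithAuth<T, AuthCtx> {
+pub fn new(value: T, auth: AuthCtx) -> Self {
+Self { value, auth }
+}
+}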
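Review bot: The description above `AuthService` (the lines beginning `// Every authorisation is based on a permission…`) is a plain `//` comment, so rustdoc drops the only statement of the trait's contract, and `is_authorized` itself carries no documentation. Turn that comment into `///` and document the method, e.g. `/// Checks that `ctx` holds `permission`; on success returns the namespace the caller is scoped to, otherwise the `AuthError` variant the API layer should translate into a status.` The `// TODO: Do we want to display these errors?` on `AuthError` deserves an answer in this commit, because the `#[error("…: {0}")]` strings are what the `From<AuthError>` conversions elsewhere in this commit send to clients, so anything placed in `Internal(String)` becomes client-visible text.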
1 change: 1 addition & 0 deletions golem-service-base/src/service/mod.rs
Expand Up @@ -12,4 +12,5 @@
// See the License for the specific language governing permissions and
// limitations under the License.

pub mod auth;
pub mod template_object_store;
7 changes: 7 additions & 0 deletions golem-worker-service-base/src/api/common.rs
Expand Up @@ -99,6 +99,7 @@ impl ApiEndpointError {
}

mod conversion {
use golem_service_base::service::auth::AuthError;
use poem_openapi::payload::Json;

use super::{
Expand All @@ -111,6 +112,12 @@ mod conversion {
impl From<ApiRegistrationError> for ApiEndpointError {
fn from(error: ApiRegistrationError) -> Self {
match error {
ApiRegistrationError::AuthenticationError(auth) => match auth {
AuthError::Forbidden(_) => ApiEndpointError::forbidden(auth),
AuthError::Unauthorized(_) => ApiEndpointError::unauthorized(auth),
AuthError::Internal(_) => ApiEndpointError::internal(auth),
AuthError::NotFound(_) => ApiEndpointError::not_found(auth),
},
ApiRegistrationError::RepoError(error) => match error {
ApiRegistrationRepoError::AlreadyExists(_) => {
ApiEndpointError::already_exists(error)
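Review bot: In the `ApiRegistrationError::AuthenticationError(auth)` arm, `AuthError::Internal(_)` is handed whole to `ApiEndpointError::internal(auth)`, and `AuthError`'s `Display` renders it as `Internal error: {0}`, so whatever text the auth backend placed in that variant reaches the API client unless `internal` substitutes a generic message (its body is outside this hunk). The internal detail belongs in a server-side log, with the response carrying a fixed message; the `Unauthorized`/`Forbidden`/`NotFound` arms are presumably meant for the caller and can stay as they are. The same pass-through appears in `From<AuthError> for WorkerApiBaseError` in golem-worker-service-base/src/api/error.rs, where `error.to_string()` becomes `GolemErrorUnknown { details }`. The enclosing `From<ApiRegistrationError>` impl continues past the end of this hunk.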
32 changes: 23 additions & 9 deletions golem-worker-service-base/src/api/error.rs
@@ -1,6 +1,7 @@
use crate::service::template::TemplateServiceError;
use crate::service::worker::WorkerServiceError;
use golem_service_base::model::*;
use golem_service_base::service::auth::AuthError;
use poem_openapi::payload::Json;
use poem_openapi::*;
use tonic::Status;
Expand Down Expand Up @@ -66,6 +67,7 @@ impl From<WorkerServiceError> for WorkerApiBaseError {
}

match error {
ServiceError::Auth(error) => error.into(),
ServiceError::Internal(_) => internal(error.to_string()),
ServiceError::TypeChecker(_) => WorkerApiBaseError::BadRequest(Json(ErrorsBody {
errors: vec![error.to_string()],
Expand Down Expand Up @@ -100,16 +102,28 @@ impl From<TemplateServiceError> for WorkerApiBaseError {
}),
}))
}
TemplateServiceError::Auth(error) => error.into(),
}
}
}

TemplateServiceError::NotFound(error) => {
WorkerApiBaseError::NotFound(Json(ErrorBody { error }))
}
TemplateServiceError::Unauthorized(error) => {
WorkerApiBaseError::Unauthorized(Json(ErrorBody { error }))
}
TemplateServiceError::Forbidden(error) => {
WorkerApiBaseError::Forbidden(Json(ErrorBody { error }))
}
impl From<AuthError> for WorkerApiBaseError {
fn from(error: AuthError) -> Self {
match error {
AuthError::Unauthorized(_) => WorkerApiBaseError::Unauthorized(Json(ErrorBody {
error: error.to_string(),
})),
AuthError::Forbidden(_) => WorkerApiBaseError::Forbidden(Json(ErrorBody {
error: error.to_string(),
})),
AuthError::NotFound(_) => WorkerApiBaseError::NotFound(Json(ErrorBody {
error: error.to_string(),
})),
AuthError::Internal(_) => WorkerApiBaseError::InternalError(Json(GolemErrorBody {
golem_error: GolemError::Unknown(GolemErrorUnknown {
details: error.to_string(),
}),
})),
}
}
}
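Review bot: Every arm of `From<AuthError> for WorkerApiBaseError` discards the variant payload with `_` and then re-renders the whole error via `error.to_string()`, so the four arms differ only in the wrapping variant and each body string repeats the status as an `Unauthorized: `/`Forbidden: ` prefix. Rendering once before the match, `let message = error.to_string();`, and using `message` in the arms removes the repeated calls; if the prefix duplication is not intended, bind the payload instead (`AuthError::Unauthorized(msg) => … ErrorBody { error: msg }`), which is what the removed `TemplateServiceError::Unauthorized(error)` arms did. A one-line doc comment on the impl, `/// Maps an auth failure to the API error variant with the same meaning.`, would also help. The preceding `From<TemplateServiceError>` impl starts before this hunk.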
47 changes: 38 additions & 9 deletions golem-worker-service-base/src/auth.rs
@@ -1,7 +1,12 @@
use std::fmt::{Display, Formatter};

use async_trait::async_trait;
use golem_api_grpc::proto::golem::common::ResourceLimits;
use golem_common::model::AccountId;
use golem_service_base::service::auth::{AuthError, AuthService, Permission};
use serde::Deserialize;

pub struct AuthServiceNoop {}
#[derive(Debug, Clone, PartialEq, Eq, Hash)]
pub struct EmptyAuthCtx {}

Expand All @@ -11,15 +16,6 @@ impl Display for EmptyAuthCtx {
}
}

impl IntoIterator for EmptyAuthCtx {
type Item = (String, String);
type IntoIter = std::iter::Empty<Self::Item>;

fn into_iter(self) -> Self::IntoIter {
std::iter::empty()
}
}

#[derive(Debug, Clone, PartialEq, Eq, Hash, bincode::Encode, bincode::Decode, Deserialize)]
pub struct CommonNamespace(String);

Expand All @@ -34,3 +30,36 @@ impl Display for CommonNamespace {
write!(f, "{}", self.0)
}
}

#[async_trait]
impl<AuthCtx, Namespace: Default> AuthService<AuthCtx, Namespace> for AuthServiceNoop {
async fn is_authorized(
&self,
_permission: Permission,
_ctx: &AuthCtx,
) -> Result<Namespace, AuthError> {
Ok(Namespace::default())
}
}

// TODO: Replace with metadata map
pub trait HasMetadata {
fn get_metadata(&self) -> WorkerMetadata;
}

#[derive(Clone, Debug)]
pub struct WorkerMetadata {
pub account_id: Option<AccountId>,
pub limits: Option<ResourceLimits>,
}

impl HasMetadata for CommonNamespace {
fn get_metadata(&self) -> WorkerMetadata {
WorkerMetadata {
account_id: Some(golem_common::model::AccountId {
value: "-1".to_string(),
}),
limits: None,
}
}
}
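Review bot: `AuthServiceNoop::is_authorized` answers `Ok(Namespace::default())` for every permission and every context, so a service built with it performs no authorisation at all, and neither the impl nor the `AuthServiceNoop` struct (declared in the first hunk of this file) says so. Add a doc comment on the struct: `/// Authorisation stub that grants every permission unconditionally; only for deployments where no externally reachable endpoint depends on it.` The hard-coded `"-1"` account id in `HasMetadata for CommonNamespace` is likewise an unexplained sentinel; a comment stating what consumers of `WorkerMetadata` make of it would help, since those consumers are outside this hunk.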