Merge pull request #1195 from canonical/feature-oidc

Feature OIDC

.air.toml

@@ -4,15 +4,15 @@ tmp_dir = "tmp"
 
 [build]
   args_bin = []
-  bin = "./tmp/jimm"
+  bin = "env $(cat /vault/vault.env | xargs) ./tmp/jimm"
   cmd = "go build -gcflags='all=-N -l' -buildvcs=false -o ./tmp/jimm ./cmd/jimmsrv"
   delay = 1000
   exclude_dir = [".vscode", "assets", "tmp", "vendor", "testdata"]
   exclude_file = []
   exclude_regex = ["_test.go"]
   exclude_unchanged = false
   follow_symlink = false
-  full_bin = "dlv exec --accept-multiclient --log --headless --continue --listen :2345 --api-version 2 ./tmp/jimm"
+  full_bin = "env $(cat /vault/vault.env | xargs) dlv exec --accept-multiclient --log --headless --continue --listen :2345 --api-version 2 ./tmp/jimm"
   include_dir = []
   include_ext = ["go", "tpl", "tmpl", "html"]
   kill_delay = "0s"

.github/workflows/charm-build.yaml

@@ -17,7 +17,7 @@ jobs:
       - run: git fetch --prune 
       - run: sudo snap install charmcraft --channel=2.x/stable --classic
       - run: sudo charmcraft pack --project-dir ./charms/${{ matrix.charm-type }} --destructive-mode --verbosity=trace
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@v4
         with:
           name: ${{ matrix.charm-type }}-charm
           path: ./*.charm

.github/workflows/charm-test.yaml

@@ -49,33 +49,36 @@ jobs:
       - name: Run tests
         run: tox -e unit
 
-  # TODO(Kian): Fix this
-  # integration-tests:
-  #   name: Integration tests
-  #   needs:
-  #     - charm-build
-  #   runs-on: ubuntu-latest
-  #   env:
-  #     charm-type: "jimm-k8s"
-  #   steps:
-  #     - name: Checkout
-  #       uses: actions/checkout@v3
-  #     - name: Setup operator environment
-  #       uses: charmed-kubernetes/actions-operator@main
-  #       with:
-  #         juju-channel: 2.9/stable
-  #         provider: microk8s
-  #         microk8s-addons: "ingress storage dns rbac registry"
-  #         channel: 1.27/stable
-  #     # Download the charm from the build to speed up integration tests.
-  #     - uses: actions/download-artifact@master
-  #       with:
-  #         name: jimm-k8s-charm
-  #         path: ./charms/${{ env.charm-type }}
-  #     - name: Create OCI Image
-  #       run: make push-microk8s
-  #     - name: Install tox
-  #       run: python -m pip install tox
-  #     - name: Integration tests
-  #       run: tox -e integration -- --localCharm
-  #       working-directory: ./charms/${{ env.charm-type }}
+  integration-tests:
+    name: Integration tests
+    needs:
+      - charm-build
+    runs-on: ubuntu-latest
+    env:
+      charm-type: "jimm-k8s"
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Setup operator environment
+        uses: charmed-kubernetes/actions-operator@main
+        with:
+          channel: 1.28-strict/stable
+          juju-channel: 3.4/stable
+          provider: microk8s
+          microk8s-group: snap_microk8s
+          microk8s-addons: "ingress hostpath-storage dns registry metallb:10.64.140.43/30"
+      # Download the charm from the build to speed up integration tests.
+      - uses: actions/download-artifact@v4
+        with:
+          name: jimm-k8s-charm
+          path: ./charms/${{ env.charm-type }}
+      - name: Create OCI Image
+        run: make push-microk8s
+      - name: Install tox
+        run: python -m pip install tox
+      - name: Integration tests
+        run: tox -e integration -- --localCharm
+        working-directory: ./charms/${{ env.charm-type }}
+      - name: Dump logs
+        if: failure()
+        uses: canonical/charming-actions/dump-logs@main

.github/workflows/ci.yaml

@@ -24,7 +24,7 @@ jobs:
 
   build_test:
     name: Build and Test
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     steps:
       - uses: actions/checkout@v4
         with:
@@ -35,15 +35,16 @@ jobs:
           go-version-file: 'go.mod'
       - name: Install dependencies
         run: sudo apt-get update -y && sudo apt-get install -y gcc git-core gnupg build-essential
-      - name: Remove installed mongodb
-        run: sudo apt purge mongodb-org && sudo apt autoremove
       - run: sudo snap install juju-db --channel 4.4/stable
       - name: Add volume files
         run: |
           touch ./local/vault/approle.json
           touch ./local/vault/roleid.txt
+          touch ./local/vault/vault.env
+      - name: Create test certs
+        run: make certs
       - name: Start test environment
-        run: docker compose up -d
+        run: docker compose up -d --wait
       - name: Build and Test
         run: go test -mod readonly ./... -timeout 1h -cover
         env:
@@ -65,16 +66,11 @@ jobs:
       - uses: actions/setup-go@v4
         with:
           go-version-file: 'go.mod'
-      - name: Pull candid repo for test environment
-        run: |
-          git clone https://github.com/canonical/candid.git ./tmp/candid
-          cd ./tmp/candid
-          make image
-          docker image ls candid
       - name: Add volume files
         run: |
           touch ./local/vault/approle.json
           touch ./local/vault/roleid.txt
+          touch ./local/vault/vault.env
       - run: go version
       - run: go mod vendor
       - run: docker compose --profile dev up -d --wait --timestamps

.github/workflows/jaas-snap-release.yaml

@@ -0,0 +1,14 @@
+name: Release jimmctl snap
+
+on:
+  workflow_dispatch:
+  push:
+    tags:
+      - 'v3*'
+
+jobs:
+  build-and-release:
+    uses: ./.github/workflows/snap-release.yaml
+    with:
+      folder: jaas
+      release-channel: 3/edge

.github/workflows/jimmctl-snap-release.yaml

@@ -0,0 +1,15 @@
+name: Release jimmctl snap
+
+on:
+  workflow_dispatch:
+  push:
+    tags:
+      - 'v3*'
+
+jobs:
+  build-and-release:
+    uses: ./.github/workflows/snap-release.yaml
+    with:
+      folder: jimmctl
+      release-channel: 3/edge
+

.github/workflows/publich-oci.yaml

@@ -0,0 +1,33 @@
+# Publish the OCI image to ghcr
+name: Publish image
+
+on:
+  # Note that when running via workflow_dispatch, the github.ref_name
+  # variable will match the selected branch name used.
+  workflow_dispatch:
+  push:
+    tags:
+      - 'v*'
+
+jobs:
+  publish:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build local images
+        run: make jimm-image
+
+      - name: Push to github package
+        run: |
+          new_tag=ghcr.io/canonical/jimm:${{ github.ref_name }}
+          docker tag jimm:latest $new_tag
+          docker push $new_tag

.github/workflows/snap-release.yaml

@@ -1,10 +1,14 @@
-name: Release jimmctl snap
+name: Release snap
 
 on:
-  workflow_dispatch:
-  push:
-    tags:
-      - 'v3*'
+  workflow_call:
+    inputs:
+      folder:
+        required: true
+        type: string
+      release-channel:
+        required: true
+        type: string
 
 # Note this workflow requires a Github secret to provide auth against snapstore.
 # snapcraft export-login --snaps=PACKAGE_NAME --acls package_access,package_push,package_update,package_release exported.txt
@@ -23,7 +27,7 @@ jobs:
     - name: scripts
       run: |
         mkdir -p ./snap
-        cp ./snaps/jimmctl/snapcraft.yaml ./snap/
+        cp ./snaps/${{ inputs.folder }}/snapcraft.yaml ./snap/
     - uses: snapcore/action-build@v1
       id: snapcraft
     - uses: actions/upload-artifact@v2
@@ -44,5 +48,4 @@ jobs:
       with:
         store_login: ${{ secrets.STORE_LOGIN }}
         snap: ${{needs.build.outputs.snap}}
-        release: '3/edge'
-
+        release: '${{ inputs.release-channel }}'

.gitignore

@@ -14,11 +14,13 @@
 /local/vault/approle.json
 local/vault/approle.json
 local/vault/roleid.txt
+local/vault/vault.env
 
 *.crt
 *.key
 *.csr
 /jimmctl
+/jimmsrv
 qa-controller
 
 /cloudinit.temp.yaml

Dockerfile

@@ -17,8 +17,11 @@ RUN go build -tags version -o jimmsrv -v ./cmd/jimmsrv
 
 # Define a smaller single process image for deployment
 FROM ${DOCKER_REGISTRY}ubuntu:20.04 AS deploy-env
+LABEL org.opencontainers.image.source=https://github.com/canonical/jimm
+LABEL org.opencontainers.image.description="JIMM server container image"
 RUN apt-get -qq update && apt-get -qq install -y ca-certificates postgresql-client
 WORKDIR /root/
+COPY --from=build-env /usr/src/jimm/openfga/authorisation_model.json ./openfga/
 COPY --from=build-env /usr/src/jimm/jimmsrv .
 COPY --from=build-env /usr/src/jimm/internal/dbmodel/sql ./sql/
 ENTRYPOINT [ "./jimmsrv" ]

Makefile

@@ -29,24 +29,25 @@ clean:
 	-$(RM) -r jimm-release/
 	-$(RM) jimm-*.tar.xz
 
-test-env: sysdeps
-	@touch ./local/vault/approle.json && touch ./local/vault/roleid.txt
-	@docker compose up --force-recreate
+certs:
+	@cd local/traefik/certs; ./certs.sh; cd -
+
+test-env: sysdeps certs
+	@touch ./local/vault/approle.json && touch ./local/vault/roleid.txt && touch ./local/vault/vault.env
+	@docker compose up --force-recreate -d --wait
 
 test-env-cleanup:
 	@docker compose down -v --remove-orphans
 
-dev-env-setup: sysdeps pull/candid
-	@cd local/traefik/certs; ./certs.sh; cd -
-	@touch ./local/vault/approle.json && touch ./local/vault/roleid.txt
+dev-env-setup: sysdeps certs
+	@touch ./local/vault/approle.json && touch ./local/vault/roleid.txt && touch ./local/vault/vault.env
 	@make version/commit.txt && make version/version.txt
-	@go mod vendor
 
-dev-env:
+dev-env: dev-env-setup
 	@docker compose --profile dev up --force-recreate
 
 dev-env-cleanup:
-	@docker compose down -v --remove-orphans
+	@docker compose --profile dev down -v --remove-orphans
 
 # Reformat all source files.
 format:
@@ -88,15 +89,15 @@ jimmctl-snap:
 	cp -R ./snaps/jimmctl/* ./snap/
 	snapcraft
 
+jaas-snap:
+	mkdir -p ./snap
+	cp -R ./snaps/jaas/* ./snap/
+	snapcraft
+
 push-microk8s: jimm-image
 	docker tag jimm:latest localhost:32000/jimm:latest
 	docker push localhost:32000/jimm:latest
 
-pull/candid:
-	-git clone https://github.com/canonical/candid.git ./tmp/candid
-	(cd ./tmp/candid && make image)
-	docker image ls candid
-
 get-local-auth:
 	@go run ./local/authy
 
@@ -133,7 +134,6 @@ help:
 	@echo 'make sysdeps - Install the development environment system packages.'
 	@echo 'make format - Format the source files.'
 	@echo 'make simplify - Format and simplify the source files.'
-	@echo 'make pull/candid - Pull candid for local development environment.'
 	@echo 'make get-local-auth - Get local auth to the API WSS endpoint locally.'
 
 .PHONY: build check install release clean format server simplify sysdeps help FORCE

README.md

@@ -45,6 +45,12 @@ See [here](./local/README.md) on how to get started.
 
 ## Testing
 
+## TLDR
+Run:
+```
+$ make test-env
+$ go test ./...
+```
 ### Pre-requisite
 To check if your system has all the prequisites installed simply run `make sysdeps`.
 This will check for all test prequisites and inform you how to install them if not installed. 
@@ -56,6 +62,11 @@ This can be installed via: `sudo snap install juju-db`.
 The latest JIMM has an upgraded dependency on Juju which requires in turn requires juju-db from channel `4.4/stable`,
  this can be installed with `sudo snap install juju-db --channel=4.4/stable`
 
+Tests inside of `cmd/` create a JIMM server and test the jimmctl and jaas CLI packages. The Juju CLI requires that it connects to
+an HTTPS server, but these tests also start a Juju controller which expects to be able to fetch a JWKS and macaroon publickey
+from JIMM (which is running as an HTTPS server). This would normally result in a TLS certificate error, however JIMM will
+attempt to use a custom self-signed cert from the certificate generated in `local/traefik/certs`. The make command `make certs` will generate these certs and place the CA in your system's cert pool which will be picked up by the Go HTTP client.
+
 The rest of the suite relies on PostgreSQL, OpenFGA and Hashicorp Vault which are dockerised
 and as such you may simple run `make test-env` to be integration test ready.
 The above command won't start a dockerised instance of JIMM as tests are normally run locally. Instead, to start a 

api/jimm.go

@@ -190,3 +190,27 @@ func (c *Client) MigrateModel(req *params.MigrateModelRequest) (*jujuparams.Init
 	err := c.caller.APICall("JIMM", 4, "", "MigrateModel", req, &response)
 	return &response, err
 }
+
+// AddServiceAccount binds a service account to a user allowing them to manage it.
+func (c *Client) AddServiceAccount(req *params.AddServiceAccountRequest) error {
+	return c.caller.APICall("JIMM", 4, "", "AddServiceAccount", req, nil)
+}
+
+// ListServiceAccountCredentials lists the cloud credentials belonging to a service account.
+func (c *Client) ListServiceAccountCredentials(req *params.ListServiceAccountCredentialsRequest) (*jujuparams.CredentialContentResults, error) {
+	var response jujuparams.CredentialContentResults
+	err := c.caller.APICall("JIMM", 4, "", "ListServiceAccountCredentials", req, &response)
+	return &response, err
+}
+
+// UpdateServiceAccountCredentials updates credentials associated with a service account.
+func (c *Client) UpdateServiceAccountCredentials(req *params.UpdateServiceAccountCredentialsRequest) (*jujuparams.UpdateCredentialResults, error) {
+	var response jujuparams.UpdateCredentialResults
+	err := c.caller.APICall("JIMM", 4, "", "UpdateServiceAccountCredentials", req, &response)
+	return &response, err
+}
+
+// GrantServiceAccountAccess grants admin access to a service account to given groups/identities.
+func (c *Client) GrantServiceAccountAccess(req *params.GrantServiceAccountAccess) error {
+	return c.caller.APICall("JIMM", 4, "", "GrantServiceAccountAccess", req, nil)
+}