CSS-9389 Implement the EntitlementsService interface

go.mod

@@ -45,7 +45,7 @@ require (
 require (
 	github.com/antonlindstrom/pgstore v0.0.0-20220421113606-e3a6e3fed12a
 	github.com/canonical/ofga v0.10.0
-	github.com/canonical/rebac-admin-ui-handlers v0.0.0-20240702080748-d1d377dd37b3
+	github.com/canonical/rebac-admin-ui-handlers v0.0.0-20240717130927-038848181576
 	github.com/coreos/go-oidc/v3 v3.9.0
 	github.com/dustinkirkland/golang-petname v0.0.0-20231002161417-6a283f1aaaf2
 	github.com/go-chi/chi/v5 v5.0.12

go.sum

@@ -156,6 +156,8 @@ github.com/canonical/ofga v0.10.0 h1:DHXhG/DAXWWQT/I+2jzr4qm0uTIYrILmtMxd6ZqmEzE
 github.com/canonical/ofga v0.10.0/go.mod h1:u4Ou8dbIhO7FmVlT7W3rX2roD9AOGz/CqmGh7AdF0Lo=
 github.com/canonical/rebac-admin-ui-handlers v0.0.0-20240702080748-d1d377dd37b3 h1:BitPbyXN2gBaARUZt/KDrH7ekdBuyCm2NOI+WtOqHAs=
 github.com/canonical/rebac-admin-ui-handlers v0.0.0-20240702080748-d1d377dd37b3/go.mod h1:EIdBoaTHWYPkzNeUeXUBueJkglN9nQz5HLIvaOT7o1k=
+github.com/canonical/rebac-admin-ui-handlers v0.0.0-20240717130927-038848181576 h1:i4lyP7WRFB711aLMkBYiBN23njSFJV0DaHYJn7rwOGY=
+github.com/canonical/rebac-admin-ui-handlers v0.0.0-20240717130927-038848181576/go.mod h1:EIdBoaTHWYPkzNeUeXUBueJkglN9nQz5HLIvaOT7o1k=
 github.com/cenkalti/backoff/v3 v3.0.0/go.mod h1:cIeZDE3IrqwwJl6VUwCN6trj1oXrTS4rc0ij+ULvLYs=
 github.com/cenkalti/backoff/v3 v3.2.2 h1:cfUAAO3yvKMYKPrvhDuHSwQnhZNk/RMHKdZqKTxfm6M=
 github.com/cenkalti/backoff/v3 v3.2.2/go.mod h1:cIeZDE3IrqwwJl6VUwCN6trj1oXrTS4rc0ij+ULvLYs=

internal/jimmtest/openfga.go

@@ -36,7 +36,7 @@ type testSetup struct {
 
 func getAuthModelDefinition() (*sdk.AuthorizationModel, error) {
 	authModel := sdk.AuthorizationModel{}
-	err := json.Unmarshal(auth_model.AuthModelFile, &authModel)
+	err := json.Unmarshal(auth_model.AuthModelJSON, &authModel)
 	if err != nil {
 		return nil, err
 	}

internal/rebac_admin/backend.go

@@ -14,6 +14,7 @@ func SetupBackend(ctx context.Context) (*rebachandlers.ReBACAdminBackend, error)
 
 	rebacBackend, err := rebachandlers.NewReBACAdminBackend(rebachandlers.ReBACAdminBackendParams{
 		Authenticator: &Authenticator{},
+		Entitlements:  &EntitlementsService{},
 	})
 	if err != nil {
 		zapctx.Error(ctx, "failed to create rebac admin backend", zap.Error(err))

internal/rebac_admin/entitlements.go

@@ -0,0 +1,75 @@
+// Copyright 2024 canonical.
+
+package rebac_admin
+
+import (
+	"context"
+
+	openfgastatic "github.com/canonical/jimm/openfga"
+	"github.com/canonical/rebac-admin-ui-handlers/v1/resources"
+)
+
+// For rebac v1 this list is kept manually.
+// The reason behind that is we want to decide what relations to expose to rebac admin ui.
+var EntitlementsList = []resources.EntityEntitlement{
+	// applicationoffer
+	{EntitlementType: "administrator", EntityName: "user", EntityType: "applicationoffer"},
+	{EntitlementType: "administrator", EntityName: "user:*", EntityType: "applicationoffer"},
+	{EntitlementType: "administrator", EntityName: "group#member", EntityType: "applicationoffer"},
+	{EntitlementType: "consumer", EntityName: "user", EntityType: "applicationoffer"},
+	{EntitlementType: "consumer", EntityName: "user:*", EntityType: "applicationoffer"},
+	{EntitlementType: "consumer", EntityName: "group#member", EntityType: "applicationoffer"},
+	{EntitlementType: "reader", EntityName: "user", EntityType: "applicationoffer"},
+	{EntitlementType: "reader", EntityName: "user:*", EntityType: "applicationoffer"},
+	{EntitlementType: "reader", EntityName: "group#member", EntityType: "applicationoffer"},
+
+	// cloud
+	{EntitlementType: "administrator", EntityName: "user", EntityType: "cloud"},
+	{EntitlementType: "administrator", EntityName: "user:*", EntityType: "cloud"},
+	{EntitlementType: "administrator", EntityName: "group#member", EntityType: "cloud"},
+	{EntitlementType: "can_addmodel", EntityName: "user", EntityType: "cloud"},
+	{EntitlementType: "can_addmodel", EntityName: "user:*", EntityType: "cloud"},
+	{EntitlementType: "can_addmodel", EntityName: "group#member", EntityType: "cloud"},
+
+	// controller
+	{EntitlementType: "administrator", EntityName: "user", EntityType: "controller"},
+	{EntitlementType: "administrator", EntityName: "user:*", EntityType: "controller"},
+	{EntitlementType: "administrator", EntityName: "group#member", EntityType: "controller"},
+	{EntitlementType: "audit_log_viewer", EntityName: "user", EntityType: "controller"},
+	{EntitlementType: "audit_log_viewer", EntityName: "user:*", EntityType: "controller"},
+	{EntitlementType: "audit_log_viewer", EntityName: "group#member", EntityType: "controller"},
+
+	// group
+	{EntitlementType: "member", EntityName: "user", EntityType: "group"},
+	{EntitlementType: "member", EntityName: "user:*", EntityType: "group"},
+	{EntitlementType: "member", EntityName: "group#member", EntityType: "group"},
+
+	// model
+	{EntitlementType: "administrator", EntityName: "user", EntityType: "model"},
+	{EntitlementType: "administrator", EntityName: "user:*", EntityType: "model"},
+	{EntitlementType: "administrator", EntityName: "group#member", EntityType: "model"},
+	{EntitlementType: "reader", EntityName: "user", EntityType: "model"},
+	{EntitlementType: "reader", EntityName: "user:*", EntityType: "model"},
+	{EntitlementType: "reader", EntityName: "group#member", EntityType: "model"},
+	{EntitlementType: "writer", EntityName: "user", EntityType: "model"},
+	{EntitlementType: "writer", EntityName: "user:*", EntityType: "model"},
+	{EntitlementType: "writer", EntityName: "group#member", EntityType: "model"},
+
+	// serviceaccount
+	{EntitlementType: "administrator", EntityName: "user", EntityType: "serviceaccount"},
+	{EntitlementType: "administrator", EntityName: "user:*", EntityType: "serviceaccount"},
+	{EntitlementType: "administrator", EntityName: "group#member", EntityType: "serviceaccount"},
+}
+
+// EntitlementsService implements the `EntitlementsService` interface from rebac-admin-ui-handlers library
+type EntitlementsService struct{}
+
+// ListEntitlements returns the list of entitlements in JSON format.
+func (s *EntitlementsService) ListEntitlements(ctx context.Context, params *resources.GetEntitlementsParams) ([]resources.EntityEntitlement, error) {
+	return EntitlementsList, nil
+}
+
+// RawEntitlements returns the list of entitlements as raw text.
+func (s *EntitlementsService) RawEntitlements(ctx context.Context) (string, error) {
+	return string(openfgastatic.AuthModelDSL), nil
+}

openfga/auth_model.go

@@ -9,4 +9,7 @@ import (
 )
 
 //go:embed authorisation_model.json
-var AuthModelFile []byte
+var AuthModelJSON []byte
+
+//go:embed authorisation_model.fga
+var AuthModelDSL []byte