CSS-9389 Implement the EntitlementsService interface

go.mod

@@ -45,7 +45,7 @@ require (
 require (
 	github.com/antonlindstrom/pgstore v0.0.0-20220421113606-e3a6e3fed12a
 	github.com/canonical/ofga v0.10.0
-	github.com/canonical/rebac-admin-ui-handlers v0.0.0-20240702080748-d1d377dd37b3
+	github.com/canonical/rebac-admin-ui-handlers v0.0.0-20240717130927-038848181576
 	github.com/coreos/go-oidc/v3 v3.9.0
 	github.com/dustinkirkland/golang-petname v0.0.0-20231002161417-6a283f1aaaf2
 	github.com/go-chi/chi/v5 v5.0.12

go.sum

@@ -156,6 +156,8 @@ github.com/canonical/ofga v0.10.0 h1:DHXhG/DAXWWQT/I+2jzr4qm0uTIYrILmtMxd6ZqmEzE
 github.com/canonical/ofga v0.10.0/go.mod h1:u4Ou8dbIhO7FmVlT7W3rX2roD9AOGz/CqmGh7AdF0Lo=
 github.com/canonical/rebac-admin-ui-handlers v0.0.0-20240702080748-d1d377dd37b3 h1:BitPbyXN2gBaARUZt/KDrH7ekdBuyCm2NOI+WtOqHAs=
 github.com/canonical/rebac-admin-ui-handlers v0.0.0-20240702080748-d1d377dd37b3/go.mod h1:EIdBoaTHWYPkzNeUeXUBueJkglN9nQz5HLIvaOT7o1k=
+github.com/canonical/rebac-admin-ui-handlers v0.0.0-20240717130927-038848181576 h1:i4lyP7WRFB711aLMkBYiBN23njSFJV0DaHYJn7rwOGY=
+github.com/canonical/rebac-admin-ui-handlers v0.0.0-20240717130927-038848181576/go.mod h1:EIdBoaTHWYPkzNeUeXUBueJkglN9nQz5HLIvaOT7o1k=
 github.com/cenkalti/backoff/v3 v3.0.0/go.mod h1:cIeZDE3IrqwwJl6VUwCN6trj1oXrTS4rc0ij+ULvLYs=
 github.com/cenkalti/backoff/v3 v3.2.2 h1:cfUAAO3yvKMYKPrvhDuHSwQnhZNk/RMHKdZqKTxfm6M=
 github.com/cenkalti/backoff/v3 v3.2.2/go.mod h1:cIeZDE3IrqwwJl6VUwCN6trj1oXrTS4rc0ij+ULvLYs=

internal/rebac_admin/backend.go

@@ -14,6 +14,7 @@ func SetupBackend(ctx context.Context) (*rebachandlers.ReBACAdminBackend, error)
 
 	rebacBackend, err := rebachandlers.NewReBACAdminBackend(rebachandlers.ReBACAdminBackendParams{
 		Authenticator: &Authenticator{},
+		Entitlements:  &EntitlementsService{},
 	})
 	if err != nil {
 		zapctx.Error(ctx, "failed to create rebac admin backend", zap.Error(err))

internal/rebac_admin/entitlements.go

@@ -0,0 +1,22 @@
+// Copyright 2023 canonical.
+
+package rebac_admin
+
+import (
+	"context"
+
+	openfgastatic "github.com/canonical/jimm/openfga"
+	"github.com/canonical/rebac-admin-ui-handlers/v1/resources"
+)
+
+type EntitlementsService struct{}
+
+// ListEntitlements returns the list of entitlements in JSON format.
+func (s *EntitlementsService) ListEntitlements(ctx context.Context, params *resources.GetEntitlementsParams) ([]resources.EntityEntitlement, error) {
+	return EntitlementsList, nil
+}
+
+// RawEntitlements returns the list of entitlements as raw text.
+func (s *EntitlementsService) RawEntitlements(ctx context.Context) (string, error) {
+	return string(openfgastatic.AuthModelFileDSL), nil
+}

internal/rebac_admin/static_entitlements.go

@@ -0,0 +1,59 @@
+// Copyright 2023 canonical.
+
+package rebac_admin
+
+import "github.com/canonical/rebac-admin-ui-handlers/v1/resources"
+
+// For rebac v1 this list is kept manually
+var EntitlementsList = []resources.EntityEntitlement{
+	// applicationoffer
+	{EntitlementType: "administrator", EntityName: "user", EntityType: "applicationoffer"},
+	{EntitlementType: "administrator", EntityName: "user:*", EntityType: "applicationoffer"},
+	{EntitlementType: "administrator", EntityName: "group#member", EntityType: "applicationoffer"},
+	{EntitlementType: "consumer", EntityName: "user", EntityType: "applicationoffer"},
+	{EntitlementType: "consumer", EntityName: "user:*", EntityType: "applicationoffer"},
+	{EntitlementType: "consumer", EntityName: "group#member", EntityType: "applicationoffer"},
+	{EntitlementType: "reader", EntityName: "user", EntityType: "applicationoffer"},
+	{EntitlementType: "reader", EntityName: "user:*", EntityType: "applicationoffer"},
+	{EntitlementType: "reader", EntityName: "group#member", EntityType: "applicationoffer"},
+	{EntitlementType: "model", EntityName: "model", EntityType: "applicationoffer"},
+
+	// cloud
+	{EntitlementType: "administrator", EntityName: "user", EntityType: "cloud"},
+	{EntitlementType: "administrator", EntityName: "user:*", EntityType: "cloud"},
+	{EntitlementType: "administrator", EntityName: "group#member", EntityType: "cloud"},
+	{EntitlementType: "can_addmodel", EntityName: "user", EntityType: "cloud"},
+	{EntitlementType: "can_addmodel", EntityName: "user:*", EntityType: "cloud"},
+	{EntitlementType: "can_addmodel", EntityName: "group#member", EntityType: "cloud"},
+	{EntitlementType: "controller", EntityName: "controller", EntityType: "cloud"},
+
+	// controller
+	{EntitlementType: "administrator", EntityName: "user", EntityType: "controller"},
+	{EntitlementType: "administrator", EntityName: "user:*", EntityType: "controller"},
+	{EntitlementType: "administrator", EntityName: "group#member", EntityType: "controller"},
+	{EntitlementType: "audit_log_viewer", EntityName: "user", EntityType: "controller"},
+	{EntitlementType: "audit_log_viewer", EntityName: "user:*", EntityType: "controller"},
+	{EntitlementType: "audit_log_viewer", EntityName: "group#member", EntityType: "controller"},
+
+	// group
+	{EntitlementType: "member", EntityName: "user", EntityType: "group"},
+	{EntitlementType: "member", EntityName: "user:*", EntityType: "group"},
+	{EntitlementType: "member", EntityName: "group#member", EntityType: "group"},
+
+	// model
+	{EntitlementType: "administrator", EntityName: "user", EntityType: "model"},
+	{EntitlementType: "administrator", EntityName: "user:*", EntityType: "model"},
+	{EntitlementType: "administrator", EntityName: "group#member", EntityType: "model"},
+	{EntitlementType: "reader", EntityName: "user", EntityType: "model"},
+	{EntitlementType: "reader", EntityName: "user:*", EntityType: "model"},
+	{EntitlementType: "reader", EntityName: "group#member", EntityType: "model"},
+	{EntitlementType: "writer", EntityName: "user", EntityType: "model"},
+	{EntitlementType: "writer", EntityName: "user:*", EntityType: "model"},
+	{EntitlementType: "writer", EntityName: "group#member", EntityType: "model"},
+	{EntitlementType: "controller", EntityName: "controller", EntityType: "model"},
+
+	// serviceaccount
+	{EntitlementType: "administrator", EntityName: "user", EntityType: "serviceaccount"},
+	{EntitlementType: "administrator", EntityName: "user:*", EntityType: "serviceaccount"},
+	{EntitlementType: "administrator", EntityName: "group#member", EntityType: "serviceaccount"},
+}

openfga/auth_model.go

@@ -10,3 +10,6 @@ import (
 
 //go:embed authorisation_model.json
 var AuthModelFile []byte
+
+//go:embed authorisation_model.fga
+var AuthModelFileDSL []byte

service_test.go

@@ -293,6 +293,32 @@ func TestRebacAdminApi(t *testing.T) {
 	c.Assert(response.StatusCode, qt.Equals, 200)
 }
 
+func TestRebacEntitlementsApi(t *testing.T) {
+	c := qt.New(t)
+
+	_, _, cofgaParams, err := jimmtest.SetupTestOFGAClient(c.Name())
+	c.Assert(err, qt.IsNil)
+
+	p := jimmtest.NewTestJimmParams(c)
+	p.InsecureSecretStorage = true
+	p.OpenFGAParams = cofgaParamsToJIMMOpenFGAParams(*cofgaParams)
+
+	svc, err := jimm.NewService(context.Background(), p)
+	c.Assert(err, qt.IsNil)
+	defer svc.Cleanup()
+
+	srv := httptest.NewTLSServer(svc)
+	c.Cleanup(srv.Close)
+
+	response, err := srv.Client().Get(srv.URL + "/rebac/v1/entitlements")
+	c.Assert(err, qt.IsNil)
+	c.Assert(response.StatusCode, qt.Equals, 200)
+
+	responseRaw, err := srv.Client().Get(srv.URL + "/rebac/v1/entitlements/raw")
+	c.Assert(err, qt.IsNil)
+	c.Assert(responseRaw.StatusCode, qt.Equals, 200)
+}
+
 func TestThirdPartyCaveatDischarge(t *testing.T) {
 	c := qt.New(t)