canonical · kian99 · Jul 24, 2024 · Jul 22, 2024 · Jul 22, 2024 · Jul 24, 2024
@@ -16,7 +16,7 @@ import (
 	"github.com/juju/zaputil/zapctx"
 	"go.uber.org/zap"
 
-	"github.com/canonical/jimm"
+	jimmsvc "github.com/canonical/jimm/cmd/jimmsrv/service"
 	"github.com/canonical/jimm/internal/errors"
 	"github.com/canonical/jimm/version"
 )
@@ -140,7 +140,7 @@ func start(ctx context.Context, s *service.Service) error {
 		return errors.E("jimm session store secret must be at least 64 characters")
 	}
 
-	jimmsvc, err := jimm.NewService(ctx, jimm.Params{
+	jimmsvc, err := jimmsvc.NewService(ctx, jimmsvc.Params{
 		ControllerUUID:    os.Getenv("JIMM_UUID"),
 		DSN:               os.Getenv("JIMM_DSN"),
 		ControllerAdmins:  strings.Fields(os.Getenv("JIMM_ADMINS")),
@@ -150,7 +150,7 @@ func start(ctx context.Context, s *service.Service) error {
 		VaultPath:         os.Getenv("VAULT_PATH"),
 		DashboardLocation: os.Getenv("JIMM_DASHBOARD_LOCATION"),
 		PublicDNSName:     os.Getenv("JIMM_DNS_NAME"),
-		OpenFGAParams: jimm.OpenFGAParams{
+		OpenFGAParams: jimmsvc.OpenFGAParams{
 			Scheme:    os.Getenv("OPENFGA_SCHEME"),
 			Host:      os.Getenv("OPENFGA_HOST"),
 			Store:     os.Getenv("OPENFGA_STORE"),
@@ -164,7 +164,7 @@ func start(ctx context.Context, s *service.Service) error {
 		MacaroonExpiryDuration:        macaroonExpiryDuration,
 		JWTExpiryDuration:             jwtExpiryDuration,
 		InsecureSecretStorage:         insecureSecretStorage,
-		OAuthAuthenticatorParams: jimm.OAuthAuthenticatorParams{
+		OAuthAuthenticatorParams: jimmsvc.OAuthAuthenticatorParams{
 			IssuerURL:           issuerURL,
 			ClientID:            clientID,
 			ClientSecret:        clientSecret,

@@ -1,5 +1,5 @@
 // Copyright 2023 Canonical Ltd.
-package jimm
+package service
 
 var NewOpenFGAClient = newOpenFGAClient
 

@@ -1,6 +1,8 @@
 // Copyright 2021 Canonical Ltd.
 
-package jimm
+// service defines the methods necessary to start a JIMM server
+// alongside all the config options that can be supplied to configure JIMM.
+package service
 
 import (
 	"context"

@@ -1,6 +1,6 @@
 // Copyright 2021 Canonical Ltd.
 
-package jimm_test
+package service_test
 
 import (
 	"context"
@@ -22,7 +22,7 @@ import (
 	"github.com/juju/juju/core/macaroon"
 	"github.com/juju/names/v5"
 
-	"github.com/canonical/jimm"
+	jimmsvc "github.com/canonical/jimm/cmd/jimmsrv/service"
 	"github.com/canonical/jimm/internal/dbmodel"
 	"github.com/canonical/jimm/internal/jimmtest"
 	"github.com/canonical/jimm/internal/openfga"
@@ -43,7 +43,7 @@ func TestDefaultService(t *testing.T) {
 	p := jimmtest.NewTestJimmParams(c)
 	p.OpenFGAParams = cofgaParamsToJIMMOpenFGAParams(*cofgaParams)
 	p.InsecureSecretStorage = true
-	svc, err := jimm.NewService(context.Background(), p)
+	svc, err := jimmsvc.NewService(context.Background(), p)
 	c.Assert(err, qt.IsNil)
 	defer svc.Cleanup()
 	rr := httptest.NewRecorder()
@@ -61,7 +61,7 @@ func TestServiceDoesNotStartWithoutCredentialStore(t *testing.T) {
 	c.Assert(err, qt.IsNil)
 	p := jimmtest.NewTestJimmParams(c)
 	p.OpenFGAParams = cofgaParamsToJIMMOpenFGAParams(*cofgaParams)
-	_, err = jimm.NewService(context.Background(), p)
+	_, err = jimmsvc.NewService(context.Background(), p)
 	c.Assert(err, qt.ErrorMatches, "jimm cannot start without a credential store")
 }
 
@@ -74,7 +74,7 @@ func TestAuthenticator(t *testing.T) {
 	p := jimmtest.NewTestJimmParams(c)
 	p.InsecureSecretStorage = true
 	p.OpenFGAParams = cofgaParamsToJIMMOpenFGAParams(*cofgaParams)
-	svc, err := jimm.NewService(context.Background(), p)
+	svc, err := jimmsvc.NewService(context.Background(), p)
 	c.Assert(err, qt.IsNil)
 	defer svc.Cleanup()
 
@@ -129,14 +129,14 @@ func TestVault(t *testing.T) {
 	ofgaClient, _, cofgaParams, err := jimmtest.SetupTestOFGAClient(c.Name())
 	c.Assert(err, qt.IsNil)
 
-	vaultClient, _, roleID, roleSecretID, _ := jimmtest.VaultClient(c, ".")
+	vaultClient, _, roleID, roleSecretID, _ := jimmtest.VaultClient(c)
 	p := jimmtest.NewTestJimmParams(c)
 	p.VaultAddress = "http://localhost:8200"
 	p.VaultPath = "/jimm-kv/"
 	p.VaultRoleID = roleID
 	p.VaultRoleSecretID = roleSecretID
 	p.OpenFGAParams = cofgaParamsToJIMMOpenFGAParams(*cofgaParams)
-	svc, err := jimm.NewService(ctx, p)
+	svc, err := jimmsvc.NewService(ctx, p)
 	c.Assert(err, qt.IsNil)
 	defer svc.Cleanup()
 
@@ -194,7 +194,7 @@ func TestPostgresSecretStore(t *testing.T) {
 	p := jimmtest.NewTestJimmParams(c)
 	p.InsecureSecretStorage = true
 	p.OpenFGAParams = cofgaParamsToJIMMOpenFGAParams(*cofgaParams)
-	svc, err := jimm.NewService(context.Background(), p)
+	svc, err := jimmsvc.NewService(context.Background(), p)
 	c.Assert(err, qt.IsNil)
 	defer svc.Cleanup()
 }
@@ -210,7 +210,7 @@ func TestOpenFGA(t *testing.T) {
 	p.InsecureSecretStorage = true
 	p.ControllerAdmins = []string{"alice", "eve"}
 	p.OpenFGAParams = cofgaParamsToJIMMOpenFGAParams(*cofgaParams)
-	svc, err := jimm.NewService(ctx, p)
+	svc, err := jimmsvc.NewService(ctx, p)
 	c.Assert(err, qt.IsNil)
 	defer svc.Cleanup()
 
@@ -231,7 +231,7 @@ func TestOpenFGA(t *testing.T) {
 		}
 	})
 
-	client, err := jimm.NewOpenFGAClient(context.Background(), p.OpenFGAParams)
+	client, err := jimmsvc.NewOpenFGAClient(context.Background(), p.OpenFGAParams)
 	c.Assert(err, qt.IsNil)
 
 	// assert controller admins have been created in openfga
@@ -257,7 +257,7 @@ func TestPublicKey(t *testing.T) {
 	p := jimmtest.NewTestJimmParams(c)
 	p.OpenFGAParams = cofgaParamsToJIMMOpenFGAParams(*cofgaParams)
 	p.InsecureSecretStorage = true
-	svc, err := jimm.NewService(context.Background(), p)
+	svc, err := jimmsvc.NewService(context.Background(), p)
 	c.Assert(err, qt.IsNil)
 	defer svc.Cleanup()
 
@@ -333,7 +333,7 @@ func TestThirdPartyCaveatDischarge(t *testing.T) {
 			p := jimmtest.NewTestJimmParams(c)
 			p.OpenFGAParams = cofgaParamsToJIMMOpenFGAParams(*cofgaParams)
 			p.InsecureSecretStorage = true
-			svc, err := jimm.NewService(context.Background(), p)
+			svc, err := jimmsvc.NewService(context.Background(), p)
 			c.Assert(err, qt.IsNil)
 			defer svc.Cleanup()
 
@@ -402,7 +402,7 @@ func TestDisableOAuthEndpointsWhenDashboardRedirectURLNotSet(t *testing.T) {
 	p.DashboardFinalRedirectURL = ""
 	p.InsecureSecretStorage = true
 	p.OpenFGAParams = cofgaParamsToJIMMOpenFGAParams(*cofgaParams)
-	svc, err := jimm.NewService(context.Background(), p)
+	svc, err := jimmsvc.NewService(context.Background(), p)
 	c.Assert(err, qt.IsNil)
 	defer svc.Cleanup()
 
@@ -425,7 +425,7 @@ func TestEnableOAuthEndpointsWhenDashboardRedirectURLSet(t *testing.T) {
 	p.InsecureSecretStorage = true
 	p.OpenFGAParams = cofgaParamsToJIMMOpenFGAParams(*cofgaParams)
 
-	svc, err := jimm.NewService(context.Background(), p)
+	svc, err := jimmsvc.NewService(context.Background(), p)
 	c.Assert(err, qt.IsNil)
 	defer svc.Cleanup()
 
@@ -438,10 +438,10 @@ func TestEnableOAuthEndpointsWhenDashboardRedirectURLSet(t *testing.T) {
 }
 
 // cofgaParamsToJIMMOpenFGAParams To avoid circular references, the test setup function (jimmtest.SetupTestOFGAClient)
-// does not provide us with an instance of `jimm.OpenFGAParams`, so it just returns a `cofga.OpenFGAParams` instance.
+// does not provide us with an instance of `jimmSvc.OpenFGAParams`, so it just returns a `cofga.OpenFGAParams` instance.
 // This method reshapes the later into the former.
-func cofgaParamsToJIMMOpenFGAParams(cofgaParams cofga.OpenFGAParams) jimm.OpenFGAParams {
-	return jimm.OpenFGAParams{
+func cofgaParamsToJIMMOpenFGAParams(cofgaParams cofga.OpenFGAParams) jimmsvc.OpenFGAParams {
+	return jimmsvc.OpenFGAParams{
 		Scheme:    cofgaParams.Scheme,
 		Host:      cofgaParams.Host,
 		Port:      cofgaParams.Port,
@@ -455,10 +455,10 @@ func TestCleanup(t *testing.T) {
 	c := qt.New(t)
 
 	outputs := make(chan string, 2)
-	service := jimm.Service{}
-	service.AddCleanup(func() error { outputs <- "first"; return nil })
-	service.AddCleanup(func() error { outputs <- "second"; return nil })
-	service.Cleanup()
+	svc := jimmsvc.Service{}
+	svc.AddCleanup(func() error { outputs <- "first"; return nil })
+	svc.AddCleanup(func() error { outputs <- "second"; return nil })
+	svc.Cleanup()
 	c.Assert([]string{<-outputs, <-outputs}, qt.DeepEquals, []string{"second", "first"})
 }
 
@@ -471,7 +471,7 @@ func TestCleanupDoesNotPanic_SessionStoreRelatedCleanups(t *testing.T) {
 	p.OpenFGAParams = cofgaParamsToJIMMOpenFGAParams(*cofgaParams)
 	p.InsecureSecretStorage = true
 
-	svc, err := jimm.NewService(context.Background(), p)
+	svc, err := jimmsvc.NewService(context.Background(), p)
 	c.Assert(err, qt.IsNil)
 
 	// Make sure `cleanups` is not empty.

@@ -26,7 +26,7 @@ import (
 	"github.com/juju/names/v5"
 	gc "gopkg.in/check.v1"
 
-	service "github.com/canonical/jimm"
+	service "github.com/canonical/jimm/cmd/jimmsrv/service"
 	"github.com/canonical/jimm/internal/db"
 	"github.com/canonical/jimm/internal/dbmodel"
 	"github.com/canonical/jimm/internal/jimm"

@@ -191,7 +191,7 @@ func TestAddController(t *testing.T) {
 func TestAddControllerWithVault(t *testing.T) {
 	c := qt.New(t)
 
-	client, path, roleID, roleSecretID, ok := jimmtest.VaultClient(c, "../../")
+	client, path, roleID, roleSecretID, ok := jimmtest.VaultClient(c)
 	if !ok {
 		c.Skip("vault not available")
 	}

@@ -10,15 +10,15 @@ import (
 	"github.com/google/uuid"
 	"github.com/lestrrat-go/jwx/v2/jwk"
 
-	"github.com/canonical/jimm"
+	jimmsvc "github.com/canonical/jimm/cmd/jimmsrv/service"
 	"github.com/canonical/jimm/internal/jimm/credentials"
 	"github.com/canonical/jimm/internal/jimmjwx"
 	"github.com/canonical/jimm/internal/jimmtest"
 	"github.com/canonical/jimm/internal/vault"
 )
 
 func newStore(t testing.TB) *vault.VaultStore {
-	client, path, roleID, roleSecretID, ok := jimmtest.VaultClient(t, "../../")
+	client, path, roleID, roleSecretID, ok := jimmtest.VaultClient(t)
 	if !ok {
 		t.Skip("vault not available")
 	}
@@ -82,7 +82,7 @@ func startAndTestRotator(c *qt.C, ctx context.Context, store credentials.Credent
 
 // setupService sets up a JIMM service with the correct params to connect to vault. It also ensures
 // that vault is wiped each time this is called. The test server is cleaned up on test completion.
-func setupService(ctx context.Context, c *qt.C) (*jimm.Service, *httptest.Server, credentials.CredentialStore) {
+func setupService(ctx context.Context, c *qt.C) (*jimmsvc.Service, *httptest.Server, credentials.CredentialStore) {
 	store := newStore(c)
 	// Ensure store is wiped
 	err := store.CleanupJWKS(ctx)
@@ -91,7 +91,7 @@ func setupService(ctx context.Context, c *qt.C) (*jimm.Service, *httptest.Server
 	_, _, cofgaParams, err := jimmtest.SetupTestOFGAClient(c.Name())
 	c.Assert(err, qt.IsNil)
 
-	_, path, roleID, roleSecretID, ok := jimmtest.VaultClient(c, "../../")
+	_, path, roleID, roleSecretID, ok := jimmtest.VaultClient(c)
 	c.Assert(ok, qt.IsTrue)
 
 	p := jimmtest.NewTestJimmParams(c)
@@ -100,7 +100,7 @@ func setupService(ctx context.Context, c *qt.C) (*jimm.Service, *httptest.Server
 	p.VaultPath = path
 	p.VaultRoleID = roleID
 	p.VaultRoleSecretID = roleSecretID
-	p.OpenFGAParams = jimm.OpenFGAParams{
+	p.OpenFGAParams = jimmsvc.OpenFGAParams{
 		Scheme:    cofgaParams.Scheme,
 		Host:      cofgaParams.Host,
 		Port:      cofgaParams.Port,
@@ -109,7 +109,7 @@ func setupService(ctx context.Context, c *qt.C) (*jimm.Service, *httptest.Server
 		AuthModel: cofgaParams.AuthModelID,
 	}
 	p.CookieSessionKey = []byte("test-secret")
-	svc, err := jimm.NewService(context.Background(), p)
+	svc, err := jimmsvc.NewService(context.Background(), p)
 
 	c.Assert(err, qt.IsNil)
 

@@ -3,20 +3,20 @@ package jimmtest
 import (
 	"time"
 
-	"github.com/canonical/jimm"
+	jimmsvc "github.com/canonical/jimm/cmd/jimmsrv/service"
 	"github.com/coreos/go-oidc/v3/oidc"
 )
 
 // NewTestJimmParams returns a set of JIMM params with sensible defaults
 // for tests. A test can override any parameter that it needs.
 // Note that NewTestJimmParams will create an empty test database.
-func NewTestJimmParams(t Tester) jimm.Params {
-	return jimm.Params{
+func NewTestJimmParams(t Tester) jimmsvc.Params {
+	return jimmsvc.Params{
 		DSN:            CreateEmptyDatabase(t),
 		ControllerUUID: "6acf4fd8-32d6-49ea-b4eb-dcb9d1590c11",
 		PrivateKey:     "ly/dzsI9Nt/4JxUILQeAX79qZ4mygDiuYGqc2ZEiDEc=",
 		PublicKey:      "izcYsQy3TePp6bLjqOo3IRPFvkQd2IKtyODGqC6SdFk=",
-		OAuthAuthenticatorParams: jimm.OAuthAuthenticatorParams{
+		OAuthAuthenticatorParams: jimmsvc.OAuthAuthenticatorParams{
 			IssuerURL:           "http://localhost:8082/realms/jimm",
 			ClientID:            "jimm-device",
 			Scopes:              []string{oidc.ScopeOpenID, "profile", "email"},

@@ -4,9 +4,8 @@ package jimmtest
 
 import (
 	"encoding/json"
-	"os"
-	"path"
 
+	vault_test "github.com/canonical/jimm/local/vault"
 	"github.com/hashicorp/vault/api"
 )
 
@@ -16,19 +15,14 @@ type fatalF interface {
 }
 
 // VaultClient returns a new vault client for use in a test.
-func VaultClient(tb fatalF, prefix string) (*api.Client, string, string, string, bool) {
+func VaultClient(tb fatalF) (*api.Client, string, string, string, bool) {
 	cfg := api.DefaultConfig()
 	cfg.Address = "http://localhost:8200"
 	vaultClient, _ := api.NewClient(cfg)
 
-	b, err := os.ReadFile(path.Join(prefix, "./local/vault/approle.json"))
-	if err != nil {
-		wd, _ := os.Getwd()
-		panic("cannot read " + path.Join(prefix, "./local/vault/approle.json") + " " + wd)
-	}
-
+	appRole := vault_test.AppRole
 	var vaultAPISecret api.Secret
-	err = json.Unmarshal(b, &vaultAPISecret)
+	err := json.Unmarshal(appRole, &vaultAPISecret)
 	if err != nil {
 		panic("cannot unmarshal vault secret")
 	}

@@ -28,7 +28,7 @@ func TestMain(m *testing.M) {
 }
 
 func newStore(t testing.TB) *vault.VaultStore {
-	client, path, roleID, secretID, ok := jimmtest.VaultClient(t, "../../")
+	client, path, roleID, secretID, ok := jimmtest.VaultClient(t)
 	if !ok {
 		t.Skip("vault not available")
 	}

@@ -20,7 +20,7 @@ import (
 )
 
 func newStore(t testing.TB) *vault.VaultStore {
-	client, path, roleID, roleSecretID, ok := jimmtest.VaultClient(t, "../../")
+	client, path, roleID, roleSecretID, ok := jimmtest.VaultClient(t)
 	if !ok {
 		t.Skip("vault not available")
 	}

@@ -0,0 +1,11 @@
+// Copyright 2024 Canonical Ltd.
+
+// This package exists to hold files used to authenticate with Vault during tests.
+package vault
+
+import (
+	_ "embed"
+)
+
+//go:embed approle.json
+var AppRole []byte