switch to using iam-runtime (#164)

This switches to using iam-runtime for authN, authZ and relationship changes.

The helm chart has been updated to include the iam-runtime-infratographer chart.
Helm values will need to be updated to configure it properly.

Signed-off-by: Mike Mason <mimason@equinix.com>

chart/tenant-api/Chart.lock

@@ -2,5 +2,8 @@ dependencies:
 - name: common
   repository: https://charts.bitnami.com/bitnami
   version: 2.19.1
-digest: sha256:2a9ab4ca7b05187107fb4cf472bbe63bc3026b2b058172ecafb89442dc7b8f3a
-generated: "2024-04-05T02:12:06.617483386Z"
+- name: iam-runtime-infratographer
+  repository: https://infratographer.github.io/charts
+  version: v0.4.2
+digest: sha256:13ddf1ab8f3dabf2ca0fa885e3b848b58c454b15755679469725a009058c9834
+generated: "2024-05-09T16:09:48.024544645Z"

chart/tenant-api/Chart.yaml

@@ -12,3 +12,8 @@ dependencies:
     tags:
       - bitnami-common
     version: 2.19.1
+  - name: iam-runtime-infratographer
+    repository: https://infratographer.github.io/charts
+    tags:
+      - iam-runtime
+    version: v0.4.2

chart/tenant-api/templates/deployment.yaml

@@ -24,8 +24,8 @@ spec:
       {{- if .Values.api.extraLabels }}
       {{- toYaml .Values.api.extraLabels | nindent 8 }}
       {{- end }}
+      annotations: {{- include "iam-runtime-infratographer.annotations" $ | nindent 8 }}
       {{- if .Values.api.extraAnnotations }}
-      annotations:
         {{- toYaml .Values.api.extraAnnotations | nindent 8 }}
       {{- end }}
     spec:
@@ -64,8 +64,6 @@ spec:
               value: ":{{ .Values.api.listenPort }}"
             - name: TENANTAPI_SERVER_SHUTDOWN_GRACE_PERIOD
               value: "{{ .Values.api.shutdownGracePeriod }}"
-            - name: TENANTAPI_PERMISSIONS_URL
-              value: "{{ .Values.api.permissions.url }}"
             - name: TENANTAPI_TRACING_ENABLED
               value: "{{ .Values.api.tracing.enabled }}"
             - name: TENANTAPI_TRACING_PROVIDER
@@ -119,20 +117,8 @@ spec:
             - name: TENANTAPI_EVENTS_NATS_CREDSFILE
               value: "{{ .Values.api.events.nats.credsFile }}"
           {{- end }}
-          {{- if .Values.api.oidc.issuer }}
-          {{- with .Values.api.oidc.audience }}
-            - name: TENANTAPI_OIDC_AUDIENCE
-              value: "{{ . }}"
-          {{- end }}
-          {{- with .Values.api.oidc.issuer }}
-            - name: TENANTAPI_OIDC_ISSUER
-              value: "{{ . }}"
-          {{- end }}
-          {{- with .Values.api.oidc.refreshTimeout }}
-            - name: TENANTAPI_OIDC_REFRESH_TIMEOUT
-              value: "{{ . }}"
-          {{- end }}
-          {{- end }}
+            - name: TENANTAPI_RUNTIMESOCKET
+              value: "unix:///var/iam-runtime/runtime.sock"
           envFrom:
             - secretRef:
                 name: {{ .Values.api.db.uriSecret }}
@@ -156,7 +142,7 @@ spec:
             httpGet:
               path: /readyz
               port: http
-          volumeMounts:
+          volumeMounts: {{- include "iam-runtime-infratographer.volumeMounts" $ | nindent 12 }}
             {{- if .Values.api.events.nats.credsSecretName  }}
             - name: events-creds
               mountPath: /nats
@@ -168,6 +154,7 @@ spec:
             {{- end }}
           resources:
             {{- toYaml .Values.api.resources | nindent 12 }}
+        - {{- include "iam-runtime-infratographer.container" $ | nindent 10 }}
       {{- with .Values.api.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
@@ -180,7 +167,7 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      volumes:
+      volumes: {{- include "iam-runtime-infratographer.volumes" $ | nindent 8 }}
         {{- if .Values.api.events.nats.credsSecretName  }}
         - name: events-creds
           secret:
@@ -191,3 +178,4 @@ spec:
           secret:
             secretName: "{{ .Values.api.db.certSecret }}"
         {{- end }}
+{{- include "iam-runtime-infratographer.configmap" $ }}

chart/tenant-api/values.yaml

@@ -35,6 +35,7 @@ api:
   extraLabels: {}
   extraAnnotations: {}
   extraEnvVars: {}
+  extraVolumes: []
   resources: {}
   podSecurityContext: {}
   securityContext: {}
@@ -65,14 +66,6 @@ api:
     certMountPath: /dbcerts
     migrateOnInit: true
 
-  permissions:
-    url: ""
-
-  oidc:
-    audience: ""
-    issuer: ""
-    refreshTimeout: 1m
-
   shutdownGracePeriod: 5s
 
   trustedProxies: []
@@ -100,5 +93,13 @@ api:
       # insecure is true if TLS should not be required when sending traces
       insecure: false
 
+# -- iam-runtime-infratographer defines the configuration for the runtime.
+# ref: https://github.com/infratographer/iam-runtime-infratographer/tree/main/chart/iam-runtime-infratographer
+iam-runtime-infratographer:
+  config:
+    events:
+      nats:
+        credsFile: /nats/creds
+
 serviceMonitor:
   enabled: false

cmd/server.go

@@ -9,21 +9,19 @@ import (
 
 	"entgo.io/ent/dialect"
 	entsql "entgo.io/ent/dialect/sql"
-	echojwt "github.com/labstack/echo-jwt/v4"
 	"github.com/labstack/echo/v4"
 	"github.com/labstack/echo/v4/middleware"
+	"github.com/metal-toolbox/iam-runtime-contrib/iamruntime"
+	"github.com/metal-toolbox/iam-runtime-contrib/middleware/echo/iamruntimemiddleware"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 	"go.infratographer.com/x/crdbx"
-	"go.infratographer.com/x/echojwtx"
 	"go.infratographer.com/x/echox"
 	"go.infratographer.com/x/events"
 	"go.infratographer.com/x/otelx"
 	"go.infratographer.com/x/versionx"
 	"go.uber.org/zap"
 
-	"go.infratographer.com/permissions-api/pkg/permissions"
-
 	"go.infratographer.com/tenant-api/internal/config"
 	ent "go.infratographer.com/tenant-api/internal/ent/generated"
 	"go.infratographer.com/tenant-api/internal/ent/generated/eventhooks"
@@ -54,23 +52,24 @@ func init() {
 	rootCmd.AddCommand(serveCmd)
 
 	echox.MustViperFlags(viper.GetViper(), serveCmd.Flags(), APIDefaultListen)
-	echojwtx.MustViperFlags(viper.GetViper(), serveCmd.Flags())
 	events.MustViperFlags(viper.GetViper(), serveCmd.Flags(), appName)
-	permissions.MustViperFlags(viper.GetViper(), serveCmd.Flags())
+	config.MustViperFlags(viper.GetViper(), serveCmd.Flags())
 
 	// only available as a CLI arg because it shouldn't be something that could accidentially end up in a config file or env var
 	serveCmd.Flags().BoolVar(&serveDevMode, "dev", false, "dev mode: enables playground, disables all auth checks, sets CORS to allow all, pretty logging, etc.")
 	serveCmd.Flags().BoolVar(&enablePlayground, "playground", false, "enable the graph playground")
 }
 
 func serve(ctx context.Context) {
+	iamMiddlewareConfig := iamruntimemiddleware.NewConfig()
+
 	if serveDevMode {
 		enablePlayground = true
 		config.AppConfig.Logging.Debug = true
 		config.AppConfig.Logging.Pretty = true
 		config.AppConfig.Server.WithMiddleware(middleware.CORS())
-		// this is a hack, echojwt needs to be updated to go into AppConfig
-		viper.Set("oidc.enabled", false)
+
+		iamMiddlewareConfig.Skipper = func(_ echo.Context) bool { return true }
 	}
 
 	events, err := events.NewConnection(config.AppConfig.Events, events.WithLogger(logger))
@@ -113,26 +112,17 @@ func serve(ctx context.Context) {
 
 	var middleware []echo.MiddlewareFunc
 
-	if authConfig := config.AppConfig.OIDC; authConfig.Issuer != "" {
-		auth, err := echojwtx.NewAuth(ctx, authConfig, echojwtx.WithJWTConfig(echojwt.Config{
-			Skipper: echox.SkipDefaultEndpoints,
-		}))
-		if err != nil {
-			logger.Fatal("failed to initialize jwt authentication", zap.Error(err))
-		}
-
-		middleware = append(middleware, auth.Middleware())
+	runtime, err := iamruntime.NewClient(config.AppConfig.RuntimeSocket)
+	if err != nil {
+		logger.Fatal("failed to initialize IAM runtime", zap.Error(err))
 	}
 
-	perms, err := permissions.New(config.AppConfig.Permissions,
-		permissions.WithLogger(logger),
-		permissions.WithEventsPublisher(events),
-	)
+	iamMiddleware, err := iamMiddlewareConfig.WithRuntime(runtime).ToMiddleware()
 	if err != nil {
-		logger.Fatal("failed to initialize permissions", zap.Error(err))
+		logger.Fatal("failed to initialize IAM runtime middleware", zap.Error(err))
 	}
 
-	middleware = append(middleware, perms.Middleware())
+	middleware = append(middleware, iamMiddleware)
 
 	r := graphapi.NewResolver(client, logger.Named("resolvers"))
 	handler := r.Handler(enablePlayground, middleware)

cmd/tenant_create.go

@@ -5,11 +5,8 @@ import (
 	"os"
 
 	"github.com/spf13/cobra"
-	"github.com/spf13/viper"
 	"go.infratographer.com/x/gidx"
 
-	"go.infratographer.com/permissions-api/pkg/permissions"
-
 	ent "go.infratographer.com/tenant-api/internal/ent/generated"
 )
 
@@ -23,8 +20,6 @@ var tenantCreateCmd = &cobra.Command{
 func init() {
 	tenantCmd.AddCommand(tenantCreateCmd)
 
-	permissions.MustViperFlags(viper.GetViper(), tenantCreateCmd.Flags())
-
 	tenantCreateCmd.Flags().String("description", "", "description of tenant")
 	tenantCreateCmd.Flags().String("parent", "", "parent tenant id")
 }

cmd/tenant_list.go

@@ -9,8 +9,6 @@ import (
 	"go.infratographer.com/x/events"
 	"go.infratographer.com/x/gidx"
 
-	"go.infratographer.com/permissions-api/pkg/permissions"
-
 	ent "go.infratographer.com/tenant-api/internal/ent/generated"
 	"go.infratographer.com/tenant-api/internal/ent/generated/tenant"
 )
@@ -25,7 +23,6 @@ func init() {
 	tenantCmd.AddCommand(tenantList)
 
 	events.MustViperFlags(viper.GetViper(), tenantList.Flags(), appName)
-	permissions.MustViperFlags(viper.GetViper(), tenantList.Flags())
 
 	tenantList.Flags().Bool("all", false, "query all")
 	tenantList.Flags().String("only", "", "only get the provided tenant id")

go.mod

@@ -1,6 +1,6 @@
 module go.infratographer.com/tenant-api
 
-go 1.22
+go 1.22.1
 
 toolchain go1.22.2
 
@@ -11,18 +11,21 @@ require (
 	github.com/99designs/gqlgen-contrib v0.1.1-0.20230605152740-d49a0a0239a7
 	github.com/Yamashou/gqlgenc v0.19.3
 	github.com/brianvoe/gofakeit/v7 v7.0.2
+	github.com/golang-jwt/jwt/v5 v5.2.1
 	github.com/hashicorp/go-multierror v1.1.1
-	github.com/labstack/echo-jwt/v4 v4.2.0
 	github.com/labstack/echo/v4 v4.12.0
 	github.com/lib/pq v1.10.9
 	github.com/mattn/go-sqlite3 v1.14.22
+	github.com/metal-toolbox/iam-runtime v0.4.1
+	github.com/metal-toolbox/iam-runtime-contrib v0.1.2
 	github.com/spf13/cobra v1.8.0
+	github.com/spf13/pflag v1.0.5
 	github.com/spf13/viper v1.18.2
 	github.com/stretchr/testify v1.9.0
 	github.com/vektah/gqlparser/v2 v2.5.11
 	github.com/wundergraph/graphql-go-tools v1.67.2
 	go.infratographer.com/permissions-api v0.4.0
-	go.infratographer.com/x v0.5.1
+	go.infratographer.com/x v0.5.2
 	go.uber.org/zap v1.27.0
 )
 
@@ -58,7 +61,6 @@ require (
 	github.com/go-openapi/inflect v0.19.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
-	github.com/golang-jwt/jwt/v5 v5.2.1 // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/gorilla/websocket v1.5.0 // indirect
@@ -75,6 +77,7 @@ require (
 	github.com/jaevor/go-nanoid v1.3.0 // indirect
 	github.com/klauspost/compress v1.17.7 // indirect
 	github.com/labstack/echo-contrib v0.16.0 // indirect
+	github.com/labstack/echo-jwt/v4 v4.2.0 // indirect
 	github.com/labstack/gommon v0.4.2 // indirect
 	github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect
 	github.com/magiconair/properties v1.8.7 // indirect
@@ -115,7 +118,6 @@ require (
 	github.com/sourcegraph/conc v0.3.0 // indirect
 	github.com/spf13/afero v1.11.0 // indirect
 	github.com/spf13/cast v1.6.0 // indirect
-	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/stretchr/objx v0.5.2 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
 	github.com/testcontainers/testcontainers-go v0.29.1 // indirect
@@ -152,7 +154,7 @@ require (
 	golang.org/x/tools v0.20.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20240311132316-a219d84964c2 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240314234333-6e1732d8331c // indirect
-	google.golang.org/grpc v1.63.0 // indirect
+	google.golang.org/grpc v1.63.2 // indirect
 	google.golang.org/protobuf v1.33.0 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect