TRA-4202 role management (#688)

* WIP

* wip

* Update keto.yml, socket_routes.go, and 12 more files...

* fixes and docs

* Update api.js

* Update auth.go and api.js

* Update user_role_provider.go

* Update config_routes.go and api.js

* Update consts.go

agent/pkg/providers/install_provider.go

@@ -2,9 +2,14 @@ package providers
 
 import (
 	"context"
+	"errors"
 	"mizuserver/pkg/config"
+
+	ory "github.com/ory/kratos-client-go"
 )
 
+const AdminUsername = "admin"
+
 func IsInstallNeeded() (bool, error) {
 	if !config.Config.StandaloneMode { // install not needed in ephermeral mizu
 		return false, nil
@@ -16,3 +21,27 @@ func IsInstallNeeded() (bool, error) {
 		return !anyUserExists, nil
 	}
 }
+
+func CreateAdminUser(password string, ctx context.Context) (token *string, err error, formErrorMessages map[string][]ory.UiText) {
+	if isInstallNeeded, err := IsInstallNeeded(); err != nil {
+		return nil, err, nil
+	} else if !isInstallNeeded {
+		return nil, errors.New("The admin user has already been created"), nil
+	}
+
+	token, identityId, err, formErrors := RegisterUser(AdminUsername, password, ctx)
+	if err != nil {
+		return nil, err, formErrors
+	}
+
+	err = SetUserSystemRole(AdminUsername, AdminRole)
+
+	if err != nil {
+		//Delete the user to prevent a half-setup situation where admin user is created without admin privileges
+		DeleteUser(identityId, ctx)
+
+		return nil, err, nil
+	}
+
+	return token, nil, nil
+}

agent/pkg/providers/user_provider.go

@@ -66,17 +66,17 @@ func PerformLogin(username string, password string, ctx context.Context) (*strin
 	return result.SessionToken, nil
 }
 
-func VerifyToken(token string, ctx context.Context) (bool, error) {
+func VerifyToken(token string, ctx context.Context) (*ory.Session, error) {
 	flow, _, err := client.V0alpha2Api.ToSession(ctx).XSessionToken(token).Execute()
 	if err != nil {
-		return false, err
+		return nil, err
 	}
 
 	if flow == nil {
-		return false, nil
+		return nil, nil
 	}
 
-	return true, nil
+	return flow, nil
 }
 
 func DeleteUser(identityId string, ctx context.Context) error {

agent/pkg/providers/user_role_provider.go

@@ -0,0 +1,180 @@
+package providers
+
+/*
+This provider abstracts keto role management down to what we need for mizu
+
+Keto, in the configuration we use it, is basically a tuple database. Each tuple consists of 4 strings (namespace, object, relation, subjectID) - for example ("workspaces", "sock-shop-workspace", "viewer", "ramiberman")
+
+namespace - used to organize tuples into groups - we currently use "system" for defining admins and "workspaces" for defining workspace permissions
+objects - represents something one can have permissions to (files, mizu workspaces etc)
+relation - represents the permission (viewer, editor, owner etc) - we currently use only viewer and admin
+subject - represents the user or group that has the permission - we currently use usernames
+
+more on keto here: https://www.ory.sh/keto/docs/
+*/
+
+import (
+	"fmt"
+	"mizuserver/pkg/utils"
+
+	ketoClient "github.com/ory/keto-client-go/client"
+	ketoRead "github.com/ory/keto-client-go/client/read"
+	ketoWrite "github.com/ory/keto-client-go/client/write"
+	ketoModels "github.com/ory/keto-client-go/models"
+)
+
+const (
+	ketoHost      = "localhost"
+	ketoReadPort  = 4466
+	ketoWritePort = 4467
+)
+
+var (
+	readClient              = getKetoClient(fmt.Sprintf("%s:%d", ketoHost, ketoReadPort))
+	writeClient             = getKetoClient(fmt.Sprintf("%s:%d", ketoHost, ketoWritePort))
+	systemRoleNamespace     = "system"
+	workspacesRoleNamespace = "workspaces"
+
+	systemObject = "system"
+
+	AdminRole  = "admin"
+	ViewerRole = "viewer"
+)
+
+func GetUserSystemRoles(username string) ([]string, error) {
+	return getObjectRelationsForSubjectID(systemRoleNamespace, systemObject, username)
+}
+
+func CheckIfUserHasSystemRole(username string, role string) (bool, error) {
+	systemRoles, err := GetUserSystemRoles(username)
+	if err != nil {
+		return false, err
+	}
+
+	for _, systemRole := range systemRoles {
+		if systemRole == role {
+			return true, nil
+		}
+	}
+
+	return false, nil
+}
+
+func GetUserWorkspaceRole(username string, workspace string) ([]string, error) {
+	return getObjectRelationsForSubjectID(workspacesRoleNamespace, workspace, username)
+}
+
+func SetUserWorkspaceRole(username string, workspace string, role string) error {
+	return createObjectRelationForSubjectID(workspacesRoleNamespace, workspace, username, role)
+}
+
+func SetUserSystemRole(username string, role string) error {
+	return createObjectRelationForSubjectID(systemRoleNamespace, systemObject, username, role)
+}
+
+func DeleteAllUserWorkspaceRoles(username string) error {
+	return deleteAllNamespacedRelationsForSubjectID(workspacesRoleNamespace, username)
+}
+
+func createObjectRelationForSubjectID(namespace string, object string, subjectID string, relation string) error {
+	tuple := ketoModels.RelationQuery{
+		Namespace: &namespace,
+		Object:    object,
+		Relation:  relation,
+		SubjectID: subjectID,
+	}
+
+	_, err := writeClient.Write.CreateRelationTuple(ketoWrite.
+		NewCreateRelationTupleParams().
+		WithPayload(&tuple))
+
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func getObjectRelationsForSubjectID(namespace string, object string, subjectID string) ([]string, error) {
+	relationTuples, err := queryRelationTuples(&namespace, &object, &subjectID, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	relations := make([]string, 0)
+
+	for _, clientRelation := range relationTuples {
+		relations = append(relations, *clientRelation.Relation)
+	}
+
+	return utils.UniqueStringSlice(relations), nil
+}
+
+func deleteAllNamespacedRelationsForSubjectID(namespace string, subjectID string) error {
+	relationTuples, err := queryRelationTuples(&namespace, nil, &subjectID, nil)
+	if err != nil {
+		return err
+	}
+
+	for _, clientRelation := range relationTuples {
+		_, err := writeClient.Write.DeleteRelationTuple(ketoWrite.
+			NewDeleteRelationTupleParams().
+			WithNamespace(*clientRelation.Namespace).
+			WithObject(*clientRelation.Object).
+			WithRelation(*clientRelation.Relation).
+			WithSubjectID(&clientRelation.SubjectID))
+
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func queryRelationTuples(namespace *string, object *string, subjectID *string, role *string) ([]*ketoModels.InternalRelationTuple, error) {
+	relationTuplesQuery := ketoRead.NewGetRelationTuplesParams()
+	if namespace != nil {
+		relationTuplesQuery = relationTuplesQuery.WithNamespace(*namespace)
+	}
+	if object != nil {
+		relationTuplesQuery = relationTuplesQuery.WithObject(object)
+	}
+	if subjectID != nil {
+		relationTuplesQuery = relationTuplesQuery.WithSubjectID(subjectID)
+	}
+	if role != nil {
+		relationTuplesQuery = relationTuplesQuery.WithRelation(role)
+	}
+
+	return recursiveKetoPagingTraverse(relationTuplesQuery, make([]*ketoModels.InternalRelationTuple, 0), "")
+}
+
+func recursiveKetoPagingTraverse(queryParams *ketoRead.GetRelationTuplesParams, tuples []*ketoModels.InternalRelationTuple, pagingToken string) ([]*ketoModels.InternalRelationTuple, error) {
+	params := queryParams
+	if pagingToken != "" {
+		params = queryParams.WithPageToken(&pagingToken)
+	}
+
+	clientRelationsResponse, err := readClient.Read.GetRelationTuples(params)
+
+	if err != nil {
+		return nil, err
+	}
+
+	tuples = append(tuples, clientRelationsResponse.Payload.RelationTuples...)
+
+	if clientRelationsResponse.Payload.NextPageToken != "" {
+		return recursiveKetoPagingTraverse(queryParams, tuples, clientRelationsResponse.Payload.NextPageToken)
+	}
+
+	return tuples, nil
+}
+
+func getKetoClient(url string) *ketoClient.OryKeto {
+	return ketoClient.NewHTTPClientWithConfig(nil,
+		ketoClient.
+			DefaultTransportConfig().
+			WithSchemes([]string{"http"}).
+			WithHost(url))
+}