mindersec · teodor-yanev · Nov 19, 2024 · Nov 13, 2024 · Nov 13, 2024 · Nov 13, 2024
@@ -9,4 +9,8 @@ WHERE e.project_id = sqlc.arg(project_id)::UUID AND e.feature = sqlc.arg(feature
 -- name: GetEntitlementFeaturesByProjectID :many
 SELECT feature
 FROM entitlements
-WHERE project_id = sqlc.arg(project_id)::UUID;
+WHERE project_id = sqlc.arg(project_id)::UUID;
+
+-- name: CreateEntitlement :exec
+INSERT INTO entitlements (feature, project_id) VALUES ($1, $2)
+ON CONFLICT DO NOTHING;
@@ -161,6 +161,12 @@ func (s *Server) CreateProject(
 			"project does not allow project hierarchy operations")
 	}
 
+	// Retrieve the role-to-feature mapping from the configuration
+	projectFeatures, err := s.cfg.Features.GetFeaturesForRoles(ctx)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "error getting features for roles: %v", err)
+	}
+
 	tx, err := s.store.BeginTransaction()
 	if err != nil {
 		return nil, status.Errorf(codes.Internal, "error starting transaction: %v", err)
@@ -201,6 +207,10 @@ func (s *Server) CreateProject(
 		return nil, status.Errorf(codes.Internal, "error creating subproject: %v", err)
 	}
 
+	if err := features.CreateEntitlements(ctx, qtx, subProject.ID, projectFeatures); err != nil {
+		return nil, status.Errorf(codes.Internal, "error creating entitlements: %v", err)
+	}
+
 	if err := s.authzClient.Adopt(ctx, parent.ID, subProject.ID); err != nil {
 		return nil, status.Errorf(codes.Internal, "error creating subproject: %v", err)
 	}

@@ -50,6 +50,13 @@ func TestCreateUser_gRPC(t *testing.T) {
 	projectID := uuid.New()
 	keyCloakUserToken := openid.New()
 	require.NoError(t, keyCloakUserToken.Set("gh_id", "31337"))
+	require.NoError(t, keyCloakUserToken.Set("realm_access", map[string]interface{}{
+		"roles": []interface{}{
+			"default-roles-stacklok",
+			"offline_access",
+			"uma_authorization",
+		},
+	}))
 
 	testCases := []struct {
 		name       string
@@ -62,7 +69,7 @@ func TestCreateUser_gRPC(t *testing.T) {
 		{
 			name: "Success",
 			req:  &pb.CreateUserRequest{},
-			buildStubs: func(ctx context.Context, store *mockdb.MockStore, jwt *mockjwt.MockValidator,
+			buildStubs: func(ctx context.Context, store *mockdb.MockStore, mockJwt *mockjwt.MockValidator,
 				_ *mockprov.MockGitHubProviderService) context.Context {
 				tx := sql.Tx{}
 				store.EXPECT().BeginTransaction().Return(&tx, nil)
@@ -83,10 +90,14 @@ func TestCreateUser_gRPC(t *testing.T) {
 				store.EXPECT().
 					CreateUser(gomock.Any(), gomock.Any()).
 					Return(returnedUser, nil)
+				store.EXPECT().
+					GetUnclaimedInstallationsByUser(gomock.Any(), sql.NullString{String: "31337", Valid: true}).
+					Return([]db.ProviderGithubAppInstallation{}, nil)
 				store.EXPECT().Commit(gomock.Any())
 				store.EXPECT().Rollback(gomock.Any())
 				tokenResult, _ := openid.NewBuilder().GivenName("Foo").FamilyName("Bar").Email("[email protected]").Subject("subject1").Build()
-				jwt.EXPECT().ParseAndValidate(gomock.Any()).Return(tokenResult, nil)
+				mockJwt.EXPECT().ParseAndValidate(gomock.Any()).Return(tokenResult, nil)
+				ctx = jwt.WithAuthTokenContext(ctx, keyCloakUserToken)
 
 				return ctx
 			},
@@ -262,6 +273,7 @@ func TestCreateUser_gRPC(t *testing.T) {
 					authz,
 					marketplaces.NewNoopMarketplace(),
 					&serverconfig.DefaultProfilesConfig{},
+					&serverconfig.FeaturesConfig{},
 				),
 			}
 

@@ -15,6 +15,7 @@ import (
 	"github.com/mindersec/minder/internal/authz"
 	"github.com/mindersec/minder/internal/db"
 	"github.com/mindersec/minder/internal/marketplaces"
+	"github.com/mindersec/minder/internal/projects/features"
 	"github.com/mindersec/minder/pkg/config/server"
 	"github.com/mindersec/minder/pkg/mindpak"
 )
@@ -39,17 +40,20 @@ type projectCreator struct {
 	authzClient authz.Client
 	marketplace marketplaces.Marketplace
 	profilesCfg *server.DefaultProfilesConfig
+	featuresCfg *server.FeaturesConfig
 }
 
 // NewProjectCreator creates a new instance of the project creator
 func NewProjectCreator(authzClient authz.Client,
 	marketplace marketplaces.Marketplace,
 	profilesCfg *server.DefaultProfilesConfig,
+	featuresCfg *server.FeaturesConfig,
 ) ProjectCreator {
 	return &projectCreator{
 		authzClient: authzClient,
 		marketplace: marketplace,
 		profilesCfg: profilesCfg,
+		featuresCfg: featuresCfg,
 	}
 }
 
@@ -75,6 +79,12 @@ func (p *projectCreator) ProvisionSelfEnrolledProject(
 		return nil, fmt.Errorf("failed to marshal meta: %w", err)
 	}
 
+	// Retrieve the role-to-feature mapping from the configuration
+	projectFeatures, err := p.featuresCfg.GetFeaturesForRoles(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("error getting features for roles: %w", err)
+	}
+
 	projectID := uuid.New()
 
 	// Create authorization tuple
@@ -105,6 +115,10 @@ func (p *projectCreator) ProvisionSelfEnrolledProject(
 		return nil, fmt.Errorf("failed to create default project: %v", err)
 	}
 
+	if err := features.CreateEntitlements(ctx, qtx, project.ID, projectFeatures); err != nil {
+		return nil, fmt.Errorf("error creating entitlements: %w", err)
+	}
+
 	// Enable any default profiles and rule types in the project.
 	// For now, we subscribe to a single bundle and a single profile.
 	// Both are specified in the service config.

@@ -9,10 +9,13 @@ import (
 	"testing"
 
 	"github.com/google/uuid"
+	"github.com/lestrrat-go/jwx/v2/jwt/openid"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 	"go.uber.org/mock/gomock"
 
 	mockdb "github.com/mindersec/minder/database/mock"
+	"github.com/mindersec/minder/internal/auth/jwt"
 	"github.com/mindersec/minder/internal/authz/mock"
 	"github.com/mindersec/minder/internal/db"
 	"github.com/mindersec/minder/internal/marketplaces"
@@ -35,8 +38,17 @@ func TestProvisionSelfEnrolledProject(t *testing.T) {
 		}, nil)
 
 	ctx := context.Background()
-
-	creator := projects.NewProjectCreator(authzClient, marketplaces.NewNoopMarketplace(), &server.DefaultProfilesConfig{})
+	keyCloakUserToken := openid.New()
+	require.NoError(t, keyCloakUserToken.Set("realm_access", map[string]interface{}{
+		"roles": []interface{}{
+			"default-roles-stacklok",
+			"offline_access",
+			"uma_authorization",
+		},
+	}))
+	ctx = jwt.WithAuthTokenContext(ctx, keyCloakUserToken)
+
+	creator := projects.NewProjectCreator(authzClient, marketplaces.NewNoopMarketplace(), &server.DefaultProfilesConfig{}, &server.FeaturesConfig{})
 	_, err := creator.ProvisionSelfEnrolledProject(
 		ctx,
 		mockStore,
@@ -62,8 +74,17 @@ func TestProvisionSelfEnrolledProjectFailsWritingProjectToDB(t *testing.T) {
 		Return(db.Project{}, fmt.Errorf("failed to create project"))
 
 	ctx := context.Background()
-
-	creator := projects.NewProjectCreator(authzClient, marketplaces.NewNoopMarketplace(), &server.DefaultProfilesConfig{})
+	keyCloakUserToken := openid.New()
+	require.NoError(t, keyCloakUserToken.Set("realm_access", map[string]interface{}{
+		"roles": []interface{}{
+			"default-roles-stacklok",
+			"offline_access",
+			"uma_authorization",
+		},
+	}))
+	ctx = jwt.WithAuthTokenContext(ctx, keyCloakUserToken)
+
+	creator := projects.NewProjectCreator(authzClient, marketplaces.NewNoopMarketplace(), &server.DefaultProfilesConfig{}, &server.FeaturesConfig{})
 	_, err := creator.ProvisionSelfEnrolledProject(
 		ctx,
 		mockStore,
@@ -94,7 +115,7 @@ func TestProvisionSelfEnrolledProjectInvalidName(t *testing.T) {
 
 	mockStore := mockdb.NewMockStore(ctrl)
 	ctx := context.Background()
-	creator := projects.NewProjectCreator(authzClient, marketplaces.NewNoopMarketplace(), &server.DefaultProfilesConfig{})
+	creator := projects.NewProjectCreator(authzClient, marketplaces.NewNoopMarketplace(), &server.DefaultProfilesConfig{}, &server.FeaturesConfig{})
 
 	for _, tc := range testCases {
 		_, err := creator.ProvisionSelfEnrolledProject(

diff --git a/internal/projects/features/features.go b/internal/projects/features/features.go
@@ -30,6 +30,22 @@ func ProjectAllowsProjectHierarchyOperations(ctx context.Context, store db.Store
 	return featureEnabled(ctx, store, projectID, projectHierarchyOperationsEnabledFlag)
 }
 
+// CreateEntitlements creates entitlements for a project
+// It takes a 'qtx' because it is usually called within a transaction
+func CreateEntitlements(ctx context.Context, qtx db.Querier, projectID uuid.UUID, features []string) error {
+	for _, feature := range features {
+		err := qtx.CreateEntitlement(ctx, db.CreateEntitlementParams{
+			ProjectID: projectID,
+			Feature:   feature,
+		})
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
 // Is a simple helper function to check if a feature is enabled for a project.
 // This does not check the feature's configuration, if any, just that it's enabled.
 func featureEnabled(ctx context.Context, store db.Store, projectID uuid.UUID, featureFlag string) bool {

@@ -102,7 +102,7 @@ func AllInOneServerService(
 	fallbackTokenClient := ghprov.NewFallbackTokenClient(cfg.Provider)
 	ghClientFactory := clients.NewGitHubClientFactory(providerMetrics)
 	providerStore := providers.NewProviderStore(store)
-	projectCreator := projects.NewProjectCreator(authzClient, marketplace, &cfg.DefaultProfiles)
+	projectCreator := projects.NewProjectCreator(authzClient, marketplace, &cfg.DefaultProfiles, &cfg.Features)
 	propSvc := propService.NewPropertiesService(store)
 
 	// TODO: isolate GitHub-specific wiring. We'll need to isolate GitHub

@@ -30,6 +30,7 @@ type Config struct {
 	Auth            AuthConfig            `mapstructure:"auth"`
 	WebhookConfig   WebhookConfig         `mapstructure:"webhook-config"`
 	Events          EventConfig           `mapstructure:"events"`
+	Features        FeaturesConfig        `mapstructure:"features"`
 	Authz           AuthzConfig           `mapstructure:"authz"`
 	Provider        ProviderConfig        `mapstructure:"provider"`
 	Marketplace     MarketplaceConfig     `mapstructure:"marketplace"`

@@ -0,0 +1,55 @@
+// SPDX-FileCopyrightText: Copyright 2024 The Minder Authors
+// SPDX-License-Identifier: Apache-2.0
+
+package server
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/mindersec/minder/internal/auth/jwt"
+)
+
+// FeaturesConfig is the configuration for the features
+type FeaturesConfig struct {
+	RoleFeatureMapping map[string]string `mapstructure:"role_feature_mapping"`
+}
+
+// GetFeaturesForRoles returns the features associated with the roles in the context
+func (fc *FeaturesConfig) GetFeaturesForRoles(ctx context.Context) ([]string, error) {
+	roles, err := extractRolesFromContext(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("error extracting roles: %v", err)
+	}
+
+	var features []string
-	var features []string
+	features := make([]string, 0, len(memberships))
-	var features []string
+	features := make([]string, 0, len(memberships))
+	for _, role := range roles {
+		if feature, ok := fc.RoleFeatureMapping[role]; ok {
+			features = append(features, feature)
+		}
+	}
+	return features, nil
+}
+
+// extractRolesFromContext extracts roles from the JWT in the context
+func extractRolesFromContext(ctx context.Context) ([]string, error) {
+	var realmAccess map[string]interface{}
+	if claim, ok := jwt.GetUserClaimFromContext[map[string]interface{}](ctx, "realm_access"); ok {
+		realmAccess = claim
+	} else {
+		return nil, fmt.Errorf("realm_access claim not found")
+	}
+
+	var roles []string
+	if rolesInterface, ok := realmAccess["roles"].([]interface{}); ok {
+		for _, role := range rolesInterface {
+			if roleStr, ok := role.(string); ok {
+				roles = append(roles, roleStr)
+			}
+		}
-	if rolesInterface, ok := realmAccess["roles"].([]interface{}); ok {
-		for _, role := range rolesInterface {
-			if roleStr, ok := role.(string); ok {
-				roles = append(roles, roleStr)
-			}
-		}
+	if roles, ok := realmAccess["roles"].([]string); ok {
+		return roles, nil
+	}
-	if rolesInterface, ok := realmAccess["roles"].([]interface{}); ok {
-		for _, role := range rolesInterface {
-			if roleStr, ok := role.(string); ok {
-				roles = append(roles, roleStr)
-			}
-		}
+	if roles, ok := realmAccess["roles"].([]string); ok {
+		return roles, nil
+	}
+	} else {
+		return nil, fmt.Errorf("roles not found in realm_access")
+	}
+
+	return roles, nil
+}