Merge pull request #955 from stacklok/providers-init

Add initial introduction of providers to the database
mindersec · Sep 25, 2023 · 625e1f8 · 625e1f8
2 parents 6195eb8 + a5a5476
commit 625e1f8
Show file tree

Hide file tree

Showing 37 changed files with 2,720 additions and 2,043 deletions.
diff --git a/cmd/cli/app/auth/auth_revoke_provider.go b/cmd/cli/app/auth/auth_revoke_provider.go
@@ -61,7 +61,7 @@ var Auth_revokeproviderCmd = &cobra.Command{
 		defer cancel()
 		client := pb.NewOAuthServiceClient(conn)
 		if all {
-			result, err := client.RevokeOauthTokens(ctx, &pb.RevokeOauthTokensRequest{Provider: provider})
+			result, err := client.RevokeOauthTokens(ctx, &pb.RevokeOauthTokensRequest{})
 			util.ExitNicelyOnError(err, "Error revoking tokens")
 			cmd.Println("Revoked a total of ", result.RevokedTokens, " tokens")
 		} else {
@@ -79,5 +79,6 @@ var Auth_revokeproviderCmd = &cobra.Command{
 func init() {
 	AuthCmd.AddCommand(Auth_revokeproviderCmd)
 	Auth_revokeproviderCmd.Flags().StringP("provider", "n", "", "Name for the provider to revoke tokens for")
+	Auth_revokeproviderCmd.Flags().Int32P("group-id", "g", 0, "ID of the group for repo registration")
 	Auth_revokeproviderCmd.Flags().BoolP("all", "a", false, "Revoke all tokens")
 }
diff --git a/database/migrations/000001_init.down.sql b/database/migrations/000001_init.down.sql
@@ -31,3 +31,4 @@ DROP TABLE IF EXISTS roles;
 DROP TABLE IF EXISTS groups;
 DROP TABLE IF EXISTS organizations;
 DROP TABLE IF EXISTS projects; 
+DROP TABLE IF EXISTS providers;
diff --git a/database/migrations/000001_init.up.sql b/database/migrations/000001_init.up.sql
@@ -87,16 +87,33 @@ CREATE TABLE user_roles (
     role_id INTEGER NOT NULL REFERENCES roles(id) ON DELETE CASCADE
 );
 
+CREATE TYPE provider_type as enum ('github', 'rest', 'git', 'oci');
+
+-- providers table
+CREATE TABLE providers (
+    id UUID NOT NULL DEFAULT gen_random_uuid() PRIMARY KEY,  -- NOTE: we could omit this and use group_id + name as primary key, for one less primary key. Downside is that we would always need group_id + name to log or look up, instead of a UUID.
+    name TEXT NOT NULL,
+    version TEXT NOT NULL DEFAULT 'v1',
+    group_id INTEGER NOT NULL REFERENCES groups(id) ON DELETE CASCADE,
+    implements provider_type ARRAY NOT NULL,
+    definition JSONB NOT NULL,
+    created_at TIMESTAMP NOT NULL DEFAULT NOW(),
+    updated_at TIMESTAMP NOT NULL DEFAULT NOW(),
+    UNIQUE (group_id, name) -- alternative primary key
+);
+
 -- provider_access_tokens table
 CREATE TABLE provider_access_tokens (
     id SERIAL PRIMARY KEY,
     provider TEXT NOT NULL,
-    group_id INTEGER NOT NULL REFERENCES groups(id) ON DELETE CASCADE,
+    group_id INTEGER NOT NULL,
     owner_filter TEXT,
     encrypted_token TEXT NOT NULL,
     expiration_time TIMESTAMP NOT NULL,
     created_at TIMESTAMP NOT NULL DEFAULT NOW(),
-    updated_at TIMESTAMP NOT NULL DEFAULT NOW()
+    updated_at TIMESTAMP NOT NULL DEFAULT NOW(),
+    FOREIGN KEY (group_id, provider) REFERENCES providers(group_id, name) ON DELETE CASCADE,
+    UNIQUE (group_id, provider)
 );
 
 -- signing_keys table
@@ -115,7 +132,7 @@ CREATE TABLE signing_keys (
 CREATE TABLE repositories (
     id SERIAL PRIMARY KEY,
     provider TEXT NOT NULL,
-    group_id INTEGER NOT NULL REFERENCES groups(id) ON DELETE CASCADE,
+    group_id INTEGER NOT NULL,
     repo_owner TEXT NOT NULL,
     repo_name TEXT NOT NULL,
     repo_id INTEGER NOT NULL,
@@ -126,7 +143,9 @@ CREATE TABLE repositories (
     deploy_url TEXT NOT NULL,
     clone_url TEXT NOT NULL,
     created_at TIMESTAMP NOT NULL DEFAULT NOW(),
-    updated_at TIMESTAMP NOT NULL DEFAULT NOW()
+    updated_at TIMESTAMP NOT NULL DEFAULT NOW(),
+    FOREIGN KEY (group_id, provider) REFERENCES providers(group_id, name) ON DELETE CASCADE
+
 );
 
 -- artifacts table
@@ -162,25 +181,28 @@ CREATE TABLE session_store (
     created_at TIMESTAMP NOT NULL DEFAULT NOW()
 );
 
+-- table for storing rule types
 CREATE TABLE rule_type (
     id SERIAL PRIMARY KEY,
     name TEXT NOT NULL,
     provider TEXT NOT NULL,
-    group_id INTEGER NOT NULL REFERENCES groups(id) ON DELETE CASCADE,
+    group_id INTEGER NOT NULL,
     description TEXT NOT NULL,
     guidance TEXT NOT NULL,
     definition JSONB NOT NULL,
     created_at TIMESTAMP NOT NULL DEFAULT NOW(),
-    updated_at TIMESTAMP NOT NULL DEFAULT NOW()
+    updated_at TIMESTAMP NOT NULL DEFAULT NOW(),
+    FOREIGN KEY (group_id, provider) REFERENCES providers(group_id, name) ON DELETE CASCADE
 );
 
 CREATE TABLE policies (
     id SERIAL PRIMARY KEY,
     name TEXT NOT NULL,
     provider TEXT NOT NULL,
-    group_id INTEGER NOT NULL REFERENCES groups(id) ON DELETE CASCADE,
+    group_id INTEGER NOT NULL,
     created_at TIMESTAMP NOT NULL DEFAULT NOW(),
-    updated_at TIMESTAMP NOT NULL DEFAULT NOW()
+    updated_at TIMESTAMP NOT NULL DEFAULT NOW(),
+    FOREIGN KEY (group_id, provider) REFERENCES providers(group_id, name) ON DELETE CASCADE
 );
 
 CREATE TYPE entities as enum ('repository', 'build_environment', 'artifact', 'pull_request');
@@ -225,7 +247,6 @@ CREATE TABLE rule_evaluation_status (
 ALTER TABLE projects ADD CONSTRAINT parent_child_not_equal CHECK (id != parent_id);
 
 -- Unique constraint
-ALTER TABLE provider_access_tokens ADD CONSTRAINT unique_group_id UNIQUE (group_id);
 ALTER TABLE repositories ADD CONSTRAINT unique_repo_id UNIQUE (repo_id);
 ALTER TABLE signing_keys ADD CONSTRAINT unique_key_identifier UNIQUE (key_identifier);
 
@@ -236,15 +257,15 @@ CREATE INDEX idx_users_organization_id ON users(organization_id);
 CREATE INDEX idx_groups_organization_id ON groups(organization_id);
 CREATE INDEX idx_roles_group_id ON roles(group_id);
 CREATE UNIQUE INDEX roles_organization_id_name_lower_idx ON roles (organization_id, LOWER(name));
-CREATE INDEX idx_provider_access_tokens_group_id ON provider_access_tokens(group_id);
 CREATE UNIQUE INDEX users_organization_id_email_lower_idx ON users (organization_id, LOWER(email));
 CREATE UNIQUE INDEX users_organization_id_username_lower_idx ON users (organization_id, LOWER(username));
 CREATE UNIQUE INDEX repositories_repo_id_idx ON repositories(repo_id);
-CREATE UNIQUE INDEX policies_group_id_policy_name_idx ON policies(provider, group_id, name);
+CREATE UNIQUE INDEX policies_policy_name_idx ON policies(provider, name);
 CREATE UNIQUE INDEX rule_type_idx ON rule_type(provider, group_id, name);
 CREATE UNIQUE INDEX rule_evaluation_status_results_idx ON rule_evaluation_status(policy_id, repository_id, COALESCE(artifact_id, 0), entity, rule_type_id);
 CREATE UNIQUE INDEX artifact_name_lower_idx ON artifacts (repository_id, LOWER(artifact_name));
 CREATE UNIQUE INDEX artifact_versions_idx ON artifact_versions (artifact_id, sha);
+CREATE UNIQUE INDEX provider_name_group_id_idx ON providers (name, group_id);
 
 -- triggers
 
@@ -326,3 +347,7 @@ VALUES (1, 'root@localhost', 'root', '$argon2id$v=19$m=16,t=2,p=1$c2VjcmV0aGFzaA
 
 INSERT INTO user_groups (user_id, group_id) VALUES (1, 1);
 INSERT INTO user_roles (user_id, role_id) VALUES (1, 1);
+
+-- Create default GitHub provider
+INSERT INTO providers (name, group_id, implements, definition)
+VALUES ('github', 1, ARRAY ['github', 'git', 'rest']::provider_type[], '{}');
diff --git a/database/mock/store.go b/database/mock/store.go
diff --git a/database/query/providers.sql b/database/query/providers.sql
@@ -0,0 +1,21 @@
+-- name: CreateProvider :one
+INSERT INTO providers (
+    name,
+    group_id,
+    implements,
+    definition) VALUES ($1, $2, $3, sqlc.arg(definition)::jsonb) RETURNING *;
+
+-- name: GetProviderByName :one
+SELECT * FROM providers WHERE name = $1 AND group_id = $2;
+
+-- name: GetProviderByID :one
+SELECT * FROM providers WHERE id = $1 AND group_id = $2;
+
+-- name: ListProvidersByGroupID :many
+SELECT * FROM providers WHERE group_id = $1;
+
+-- name: GlobalListProviders :many
+SELECT * FROM providers;
+
+-- name: DeleteProvider :exec
+DELETE FROM providers WHERE id = $1 AND group_id = $2;
diff --git a/database/query/repositories.sql b/database/query/repositories.sql
@@ -16,7 +16,7 @@ INSERT INTO repositories (
 SELECT * FROM repositories WHERE id = $1;
 
 -- name: GetRepositoryByRepoID :one
-SELECT * FROM repositories WHERE provider = $1 AND repo_id = $2;
+SELECT * FROM repositories WHERE repo_id = $1;
 
 -- name: GetRepositoryByRepoName :one
 SELECT * FROM repositories WHERE provider = $1 AND repo_owner = $2 AND repo_name = $3;

diff --git a/docs/docs/protodocs/proto.md b/docs/docs/protodocs/proto.md
diff --git a/internal/controlplane/common.go b/internal/controlplane/common.go
@@ -0,0 +1,33 @@
+//
+// Copyright 2023 Stacklok, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package controlplane
+
+import (
+	"database/sql"
+	"errors"
+	"fmt"
+
+	"google.golang.org/grpc/codes"
+
+	"github.com/stacklok/mediator/internal/util"
+)
+
+func providerError(err error) error {
+	if errors.Is(err, sql.ErrNoRows) {
+		return util.UserVisibleError(codes.NotFound, "provider not found")
+	}
+	return fmt.Errorf("provider error: %w", err)
+}