Merge branch 'main' into add-datasources-cli-stubs

mindersec · Nov 22, 2024 · afff20c · afff20c
2 parents e533249 + 0c315ea
commit afff20c
Show file tree

Hide file tree

Showing 10 changed files with 2,203 additions and 1,967 deletions.
diff --git a/.github/workflows/releaser.yml b/.github/workflows/releaser.yml
@@ -55,7 +55,7 @@ jobs:
           go-version-file: 'go.mod'
           cache: true
       - name: Install Syft
-        uses: anchore/sbom-action/download-syft@fc46e51fd3cb168ffb36c6d1915723c47db58abb # v0.17.7
+        uses: anchore/sbom-action/download-syft@55dc4ee22412511ee8c3142cbea40418e6cec693 # v0.17.8
       - name: Install Cosign
         uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
       - name: Run GoReleaser

diff --git a/database/migrations/000108_data_sources.down.sql b/database/migrations/000108_data_sources.down.sql
@@ -0,0 +1,10 @@
+-- SPDX-FileCopyrightText: Copyright 2024 The Minder Authors
+-- SPDX-License-Identifier: Apache-2.0
+
+BEGIN;
+
+DROP TABLE rule_type_data_sources;
+DROP TABLE data_sources_functions;
+DROP TABLE data_sources;
+
+COMMIT;
diff --git a/database/migrations/000108_data_sources.up.sql b/database/migrations/000108_data_sources.up.sql
@@ -0,0 +1,60 @@
+-- SPDX-FileCopyrightText: Copyright 2024 The Minder Authors
+-- SPDX-License-Identifier: Apache-2.0
+
+BEGIN;
+
+-- This migration adds storage support for data sources. The only
+-- constraints we enforce at the database layer are
+--
+-- * functions can only reference one data source, and must be deleted
+--   if the data source is deleted
+-- * data sources are tied to a project, and must be deleted if the
+--   project is deleted
+-- * rule types can reference one or more data source, and we want to
+--   prevent deletion of a data source if there's a rule type
+--   referencing it
+--
+-- The first two are simple foreign keys, while the third one is
+-- enforced by the lack of `ON DELETE ...` clause in the
+-- `rule_type_data_sources` table.
+--
+-- We also want to prevent the creation of a data source with a given
+-- name if another data source with the same name exists in the
+-- project hierarchy. I'm not sure how to express this as a database
+-- constraint, nor I believe this would be efficient, so we decided to
+-- let the application layer enforce that as we do with profiles.
+
+CREATE TABLE data_sources(
+    id UUID NOT NULL DEFAULT gen_random_uuid() PRIMARY KEY,
+    name TEXT NOT NULL,
+    display_name TEXT NOT NULL,
+    project_id UUID NOT NULL,
+    created_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT NOW(),
+    updated_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT NOW(),
+    FOREIGN KEY (project_id) REFERENCES projects(id) ON DELETE CASCADE
+);
+
+CREATE UNIQUE INDEX data_sources_name_lower_idx ON data_sources (project_id, lower(name));
+
+CREATE TABLE data_sources_functions(
+    id UUID NOT NULL DEFAULT gen_random_uuid() PRIMARY KEY,
+    name TEXT NOT NULL,
+    type TEXT NOT NULL,
+    data_source_id UUID NOT NULL,
+    definition JSONB NOT NULL,
+    created_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT NOW(),
+    updated_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT NOW(),
+    FOREIGN KEY (data_source_id) REFERENCES data_sources(id) ON DELETE CASCADE
+);
+
+CREATE UNIQUE INDEX data_sources_functions_name_lower_idx ON data_sources_functions (data_source_id, lower(name));
+
+CREATE TABLE rule_type_data_sources(
+    rule_type_id UUID NOT NULL,
+    data_sources_id UUID NOT NULL,
+    FOREIGN KEY (rule_type_id) REFERENCES rule_type(id),
+    FOREIGN KEY (data_sources_id) REFERENCES data_sources(id),
+    UNIQUE (rule_type_id, data_sources_id)
+);
+
+COMMIT;
diff --git a/docs/docs/ref/proto.md b/docs/docs/ref/proto.md
diff --git a/docs/static/img/minder/schema.png b/docs/static/img/minder/schema.png
diff --git a/internal/controlplane/handlers_ruletype.go b/internal/controlplane/handlers_ruletype.go
@@ -23,6 +23,7 @@ import (
 
 	"github.com/mindersec/minder/internal/db"
 	"github.com/mindersec/minder/internal/engine/engcontext"
+	"github.com/mindersec/minder/internal/flags"
 	"github.com/mindersec/minder/internal/logger"
 	"github.com/mindersec/minder/internal/util"
 	minderv1 "github.com/mindersec/minder/pkg/api/protobuf/go/minder/v1"
@@ -174,6 +175,11 @@ func (s *Server) CreateRuleType(
 		return nil, util.UserVisibleError(codes.InvalidArgument, "%s", err)
 	}
 
+	ds := crt.GetRuleType().GetDef().GetEval().GetDataSources()
+	if len(ds) > 0 && !flags.Bool(ctx, s.featureFlags, flags.DataSources) {
+		return nil, status.Errorf(codes.Unavailable, "DataSources feature is disabled")
+	}
+
 	newRuleType, err := db.WithTransaction(s.store, func(qtx db.ExtendQuerier) (*minderv1.RuleType, error) {
 		return s.ruleTypes.CreateRuleType(ctx, projectID, uuid.Nil, crt.GetRuleType(), qtx)
 	})
@@ -214,6 +220,11 @@ func (s *Server) UpdateRuleType(
 		return nil, util.UserVisibleError(codes.InvalidArgument, "%s", err)
 	}
 
+	ds := urt.GetRuleType().GetDef().GetEval().GetDataSources()
+	if len(ds) > 0 && !flags.Bool(ctx, s.featureFlags, flags.DataSources) {
+		return nil, status.Errorf(codes.Unavailable, "DataSources feature is disabled")
+	}
+
 	updatedRuleType, err := db.WithTransaction(s.store, func(qtx db.ExtendQuerier) (*minderv1.RuleType, error) {
 		return s.ruleTypes.UpdateRuleType(ctx, projectID, uuid.Nil, urt.GetRuleType(), qtx)
 	})

diff --git a/internal/db/models.go b/internal/db/models.go
diff --git a/pkg/api/openapi/minder/v1/minder.swagger.json b/pkg/api/openapi/minder/v1/minder.swagger.json