Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ TAG := $(shell git rev-list --tags --max-count=1)
VERSION := $(shell git describe --tags ${TAG})
.PHONY: build check fmt lint test test-race vet test-cover-html help install proto admin-app compose-up-dev
.DEFAULT_GOAL := build
PROTON_COMMIT := "795c70f359264a3c21a4c6412097f139dfc387e6"
PROTON_COMMIT := "ee05c27600bd7d2782da4fde0997f84aa69e7eeb"

admin-app:
@echo " > generating admin build"
Expand Down
76 changes: 76 additions & 0 deletions cmd/reconcile.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,76 @@
package cmd

import (
"fmt"
"os"

"github.com/MakeNowJust/heredoc"
"github.com/raystack/frontier/internal/reconcile"
cli "github.com/spf13/cobra"
)

func ReconcileCommand(cliConfig *Config) *cli.Command {
var (
filePath string
dryRun bool
header string
)
cmd := &cli.Command{
Use: "reconcile",
Short: "Reconcile platform configuration to a desired-state file",
Long: heredoc.Doc(`
Make platform resources match a desired-state YAML file, through the admin API.

Supports the PlatformUser kind (platform admins and members) for now. The file
decides who has access: anyone listed is added, anyone not listed is removed.
Log in as a superuser (for example the bootstrap service account) with --header.
`),
Example: heredoc.Doc(`
$ frontier reconcile -f platform-users.yaml --dry-run -H "Authorization:Basic <base64>"
$ frontier reconcile -f platform-users.yaml -H "Authorization:Basic <base64>"
`),
Annotations: map[string]string{
"group": "core",
"client": "true",
},
RunE: func(cmd *cli.Command, args []string) error {
data, err := os.ReadFile(filePath)
if err != nil {
return fmt.Errorf("read desired-state file: %w", err)
}
adminClient, err := createAdminClient(cliConfig.Host)
if err != nil {
return err
}
registry := map[string]reconcile.Reconciler{
reconcile.KindPlatformUser: reconcile.NewPlatformUserReconciler(adminClient, header),
}
reports, runErr := reconcile.Run(cmd.Context(), registry, data, dryRun)
for _, rep := range reports {
printReconcileReport(cmd, rep)
}
return runErr
},
}
cmd.Flags().StringVarP(&filePath, "file", "f", "", "Path to the desired-state YAML file")
cmd.MarkFlagRequired("file")
cmd.Flags().BoolVar(&dryRun, "dry-run", false, "Print the plan without applying changes")
cmd.Flags().StringVarP(&header, "header", "H", "", "Header <key>:<value> for auth, e.g. 'Authorization:Basic <base64>'")
bindFlagsFromClientConfig(cmd)
return cmd
}

func printReconcileReport(cmd *cli.Command, rep reconcile.Report) {
if len(rep.Planned) == 0 {
cmd.Printf("%s: no changes\n", rep.Kind)
return
}
verb, count := "applied", rep.Applied
if rep.DryRun {
verb, count = "planned", len(rep.Planned)
}
cmd.Printf("%s (%s %d):\n", rep.Kind, verb, count)
for _, p := range rep.Planned {
cmd.Printf(" - %s\n", p)
}
}
1 change: 1 addition & 0 deletions cmd/root.go
Original file line number Diff line number Diff line change
Expand Up @@ -49,6 +49,7 @@ func New(cliConfig *Config) *cli.Command {
cmd.AddCommand(PermissionCommand(cliConfig))
cmd.AddCommand(PolicyCommand(cliConfig))
cmd.AddCommand(SeedCommand(cliConfig))
cmd.AddCommand(ReconcileCommand(cliConfig))
cmd.AddCommand(configCommand())
cmd.AddCommand(versionCommand())
cmd.AddCommand(PreferencesCommand(cliConfig))
Expand Down
13 changes: 8 additions & 5 deletions cmd/serve.go
Original file line number Diff line number Diff line change
Expand Up @@ -212,8 +212,9 @@ func StartServer(logger *slog.Logger, cfg *config.Frontier) error {
if err = deps.BootstrapService.MigrateRoles(ctx); err != nil {
return err
}
// promote normal users to superusers
if err = deps.BootstrapService.MakeSuperUsers(ctx); err != nil {
// ensure the config-seeded bootstrap superuser service account (for automation/GitOps).
// all other platform-user management is handled out-of-band via the GitOps reconcile flow.
if err = deps.BootstrapService.EnsureBootstrapSuperUser(ctx); err != nil {
return err
}

Expand Down Expand Up @@ -395,7 +396,7 @@ func buildAPIDependencies(

svUserRepo := postgres.NewServiceUserRepository(dbc)
scUserCredRepo := postgres.NewServiceUserCredentialRepository(dbc)
serviceUserService := serviceuser.NewService(logger, svUserRepo, scUserCredRepo, relationService)
serviceUserService := serviceuser.NewService(logger, svUserRepo, scUserCredRepo, relationService, auditRecordRepository)

var mailDialer mailer.Dialer = mailer.NewMockDialer()
if cfg.App.Mailer.SMTPHost != "" && cfg.App.Mailer.SMTPHost != "smtp.example.com" {
Expand Down Expand Up @@ -432,7 +433,7 @@ func buildAPIDependencies(
// back here because role.Service depends on permission.Service
permissionService.SetRoleService(roleService)
policyService := policy.NewService(policyPGRepository, relationService, roleService)
userService := user.NewService(userRepository, relationService, sessionService)
userService := user.NewService(userRepository, relationService, sessionService, auditRecordRepository)
patValidator := userpat.NewValidator(logger, userPATRepo, cfg.App.PAT)
authnService := authenticate.NewService(logger, cfg.App.Authentication,
postgres.NewFlowRepository(logger, dbc), mailDialer, tokenService, sessionService, userService, serviceUserService, webAuthConfig, patValidator)
Expand Down Expand Up @@ -569,14 +570,16 @@ func buildAPIDependencies(
namespaceService,
roleService,
permissionService,
userService,
authzSchemaRepository,
relationService,
policyService,
svUserRepo,
cfg.App.PAT.DeniedPermissionsSet(),
planService,
planBlobRepository,
svUserRepo,
scUserCredRepo,
serviceUserService,
)

cascadeDeleter := deleter.NewCascadeDeleter(organizationService, projectService, resourceService,
Expand Down
20 changes: 14 additions & 6 deletions config/sample.config.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -179,12 +179,20 @@ app:

# platform level administration
admin:
# Email list of users which needs to be converted as superusers
# if the user is already present in the system, it is promoted to su
# if not, a new account is created with provided email id and promoted to su.
# UUIDs/slugs of existing users can also be provided instead of email ids
# but in that case a new user will not be created.
users: []
# bootstrap seeds a superuser SERVICE ACCOUNT from config (a username/password-style
# client_id + client_secret), so automation like the GitOps reconcile flow always has
# a superuser to log in as. This means you don't need an existing superuser to create
# the first one. The account is created and promoted to superuser on every boot (safe
# to run again), and the secret is rotated if you change it here. Log in with:
# Authorization: Basic base64(client_id:client_secret).
# Leave client_id/client_secret empty to turn this off — but then no superuser is
# seeded, and since granting one needs a superuser, none can be created via the API
# either. client_id must be a UUID (it is the service-account credential id); generate
# one (e.g. uuidgen) and keep it stable. client_secret is your chosen password.
bootstrap:
client_id: ""
client_secret: ""
# title: "GitOps Bootstrap Superuser"
# smtp configuration for sending emails
mailer:
smtp_host: smtp.example.com
Expand Down
3 changes: 3 additions & 0 deletions core/serviceuser/errors.go
Original file line number Diff line number Diff line change
Expand Up @@ -12,4 +12,7 @@ var (
ErrConflict = errors.New("service user already exist")
ErrEmptyKey = errors.New("empty key")
ErrDisabled = errors.New("service user is disabled")
// ErrProtected marks a server-managed service user (the config-bootstrapped
// bootstrap SA) whose credentials must not be mutated via the API.
ErrProtected = errors.New("service user is protected")
)
94 changes: 94 additions & 0 deletions core/serviceuser/mocks/audit_record_repository.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading
Loading