Skip to content
Draft
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 1 addition & 20 deletions cmd/serve.go
Original file line number Diff line number Diff line change
Expand Up @@ -134,22 +134,6 @@ func StartServer(logger *slog.Logger, cfg *config.Frontier) error {
}
}()

// load resource config
if cfg.App.ResourcesConfigPath != "" {
logger.Warn("app.resources_config_path is deprecated and will be removed after a deprecation window; " +
"manage permissions and roles with 'frontier reconcile' instead")
}
resourceBlobFS, err := blob.NewStore(ctx, cfg.App.ResourcesConfigPath, cfg.App.ResourcesConfigPathSecret)
if err != nil {
return err
}
defer func() {
logger.Debug("cleaning up resource blob")
if err := resourceBlobFS.Close(); err != nil {
logger.Warn("resource blob cleanup failed", "err", err)
}
}()

// load billing plans
billingBlobFS, err := blob.NewStore(ctx, cfg.Billing.PlansPath, "")
if err != nil {
Expand Down Expand Up @@ -182,7 +166,7 @@ func StartServer(logger *slog.Logger, cfg *config.Frontier) error {
return err
}

deps, err := buildAPIDependencies(logger, cfg, dbClient, spiceDBClient, resourceBlobFS, billingPlanRepository)
deps, err := buildAPIDependencies(logger, cfg, dbClient, spiceDBClient, billingPlanRepository)
if err != nil {
return err
}
Expand Down Expand Up @@ -361,7 +345,6 @@ func buildAPIDependencies(
cfg *config.Frontier,
dbc *db.Client,
sdb *spicedb.SpiceDB,
resourceBlobBucket blob.Bucket,
planBlobRepository *blob.PlanRepository,
) (api.Deps, error) {
// Load additional traits from config file if specified
Expand Down Expand Up @@ -594,11 +577,9 @@ func buildAPIDependencies(

usageService := usage.NewService(creditService)

resourceSchemaRepository := blob.NewSchemaConfigRepository(resourceBlobBucket)
bootstrapService := bootstrap.NewBootstrapService(
logger,
cfg.App.Admin,
resourceSchemaRepository,
namespaceService,
roleService,
permissionService,
Expand Down
14 changes: 0 additions & 14 deletions config/sample.config.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -63,20 +63,6 @@ app:
host: "127.0.0.1"
# WARNING: identity_proxy_header bypass all authorization checks and shouldn't be used in production
identity_proxy_header: X-Frontier-Email
# DEPRECATED: will be removed after a deprecation window. Manage permissions
# and roles with 'frontier reconcile' instead (see docs/rfcs/0001-declarative-reconcile.md).
# full path prefixed with scheme where resources config yaml files are kept
# e.g.:
# local storage file "file:///tmp/resources_config"
# GCS Bucket "gs://frontier/resources_config"
resources_config_path: file:///tmp/resources_config\
# secret required to access resources config
# e.g.:
# system environment variable "env://TEST_RULESET_SECRET"
# local file "file:///opt/auth.json"
# secret string "val://user:password"
# optional
resources_config_path_secret: env://TEST_RESOURCE_CONFIG_SECRET

# cross-origin resource sharing configuration
cors:
Expand Down
44 changes: 11 additions & 33 deletions internal/bootstrap/service.go
Original file line number Diff line number Diff line change
Expand Up @@ -42,10 +42,6 @@ type RelationService interface {
Delete(ctx context.Context, rel relation.Relation) error
}

type FileService interface {
GetDefinition(ctx context.Context) (*schema.ServiceDefinition, error)
}

type AuthzEngine interface {
WriteSchema(ctx context.Context, schema string) error
}
Expand Down Expand Up @@ -87,7 +83,6 @@ type AdminConfig struct {
type Service struct {
logger *slog.Logger
adminConfig AdminConfig
schemaConfig FileService
namespaceService NamespaceService
roleService RoleService
permissionService PermissionService
Expand All @@ -108,7 +103,6 @@ type Service struct {
func NewBootstrapService(
logger *slog.Logger,
config AdminConfig,
schemaConfig FileService,
namespaceService NamespaceService,
roleService RoleService,
actionService PermissionService,
Expand All @@ -126,7 +120,6 @@ func NewBootstrapService(
return &Service{
logger: logger,
adminConfig: config,
schemaConfig: schemaConfig,
namespaceService: namespaceService,
roleService: roleService,
permissionService: actionService,
Expand All @@ -144,25 +137,18 @@ func NewBootstrapService(
}

func (s Service) MigrateSchema(ctx context.Context) error {
customServiceDefinition, err := s.schemaConfig.GetDefinition(ctx)
if err != nil {
return err
}

return s.AppendSchema(ctx, *customServiceDefinition)
// Custom permissions are managed through the reconcile flow now. Boot only
// re-applies the base schema merged with the permissions already in the
// database (AppendSchema keeps existing ones), so no config file is read.
return s.AppendSchema(ctx, schema.ServiceDefinition{})
}

// BuiltinPermissions returns the permissions that come from the base schema and
// the config files — the ones bootstrap recreates on every boot. It looks only
// at the base schema and config, not at the permissions already in the database.
// BuiltinPermissions returns the permissions that come from the base schema —
// the ones bootstrap recreates on every boot and that cannot be deleted through
// the API. It looks only at the base schema, not at the permissions already in
// the database.
func (s Service) BuiltinPermissions(ctx context.Context) (map[string]struct{}, error) {
custom, err := s.schemaConfig.GetDefinition(ctx)
if err != nil {
return nil, err
}
custom.Permissions = filterDefaultAppNamespacePermissions(custom.Permissions)

defs, err := ApplyServiceDefinitionOverAZSchema(custom, GetBaseAZSchema())
defs, err := ApplyServiceDefinitionOverAZSchema(&schema.ServiceDefinition{}, GetBaseAZSchema())
if err != nil {
return nil, err
}
Expand Down Expand Up @@ -269,16 +255,8 @@ func (s Service) MigrateRoles(ctx context.Context) error {
}
}

// migrate user defined roles to org
serviceDefinition, err := s.schemaConfig.GetDefinition(ctx)
if err != nil {
return err
}
for _, defRole := range serviceDefinition.Roles {
if err = s.migrateRole(ctx, defaultOrgID, defRole); err != nil {
return err
}
}
// Custom roles are managed through the reconcile flow now; boot no longer
// creates them from a config file.

// backfill PAT wildcard tuples for all existing roles
if err = s.migratePATRelations(ctx); err != nil {
Expand Down
58 changes: 0 additions & 58 deletions internal/store/blob/schema_repository.go

This file was deleted.

100 changes: 0 additions & 100 deletions internal/store/blob/schema_repository_test.go

This file was deleted.

8 changes: 0 additions & 8 deletions pkg/server/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -70,14 +70,6 @@ type Config struct {
// Headers which will have user's email id
IdentityProxyHeader string `yaml:"identity_proxy_header" mapstructure:"identity_proxy_header" default:""`

// ResourcesPath is a directory path where resources is defined
// that this service should implement
ResourcesConfigPath string `yaml:"resources_config_path" mapstructure:"resources_config_path"`

// ResourcesPathSecretSecret could be an env name, file path or actual value required
// to access ResourcesPathSecretPath files
ResourcesConfigPathSecret string `yaml:"resources_config_path_secret" mapstructure:"resources_config_path_secret"`

Authentication authenticate.Config `yaml:"authentication" mapstructure:"authentication"`

// Cors configuration setup origin value from where we want to allow cors
Expand Down
16 changes: 7 additions & 9 deletions test/e2e/regression/api_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -6,8 +6,6 @@ import (
"io"
"net/http"
"net/http/httptest"
"os"
"path"
"strings"
"testing"
"time"
Expand Down Expand Up @@ -69,10 +67,6 @@ type APIRegressionTestSuite struct {
}

func (s *APIRegressionTestSuite) SetupSuite() {
wd, err := os.Getwd()
s.Require().Nil(err)
testDataPath := path.Join("file://", wd, fixturesDir)

connectPort, err := testbench.GetFreePort()
s.Require().NoError(err)

Expand All @@ -82,9 +76,8 @@ func (s *APIRegressionTestSuite) SetupSuite() {
AuditEvents: "db",
},
App: server.Config{
Host: "localhost",
Connect: server.ConnectConfig{Port: connectPort},
ResourcesConfigPath: path.Join(testDataPath, "resource"),
Host: "localhost",
Connect: server.ConnectConfig{Port: connectPort},
Authentication: authenticate.Config{
Session: authenticate.SessionConfig{
HashSecretKey: "hash-secret-should-be-32-chars--",
Expand All @@ -106,6 +99,11 @@ func (s *APIRegressionTestSuite) SetupSuite() {

ctx := context.Background()

// Seed the custom "compute" permissions and roles the tests below rely on,
// via the admin API. This replaces the removed boot-time resources_config
// loader — tests now seed custom resources the same way operators do.
s.Require().NoError(testbench.SeedComputeResources(ctx, s.testBench.AdminClient))

adminCookie, err := testbench.AuthenticateUser(ctx, s.testBench.Client, testbench.OrgAdminEmail)
s.Require().NoError(err)
s.adminCookie = adminCookie
Expand Down
Loading
Loading