Add policy file generation and CI pipeline setup

reearth · Oct 30, 2024 · 9db6ea8 · 9db6ea8
1 parent e639f9b
commit 9db6ea8
Show file tree

Hide file tree

Showing 6 changed files with 276 additions and 12 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -9,6 +9,7 @@ jobs:
     outputs:
       ui: ${{ steps.ui.outputs.any_changed }}
       api: ${{ steps.api.outputs.any_changed }}
+      policies: ${{ steps.policies.outputs.any_changed }}
       engine: ${{ steps.engine.outputs.any_changed }}
       websocket: ${{ steps.websocket.outputs.any_changed }}
     steps:
@@ -20,13 +21,24 @@ jobs:
         id: api
         uses: tj-actions/changed-files@v41
         with:
-            files: |
-              api/**
-              .github/workflows/ci.yml
-              .github/workflows/ci_api.yml
-              .github/workflows/build_api.yml
-              .github/workflows/deploy_api_nightly.yml
-              CHANGELOG.md
+          files: |
+            api/**
+            .github/workflows/ci.yml
+            .github/workflows/ci_api.yml
+            .github/workflows/build_api.yml
+            .github/workflows/deploy_api_nightly.yml
+            CHANGELOG.md
+
+      - name: changed files for policies
+        id: policies
+        uses: tj-actions/changed-files@v41
+        with:
+          files: |
+            api/internal/rbac/**
+            .github/workflows/ci.yml
+            .github/workflows/check_cerbos_policies.yml
+            .github/workflows/update_cerbos_policies.yml
+            CHANGELOG.md
 
       - name: changed files for ui
         id: ui
@@ -63,14 +75,18 @@ jobs:
     needs: prepare
     if: needs.prepare.outputs.api == 'true'
     uses: ./.github/workflows/ci_api.yml
+  ci-policies:
+    needs: prepare
+    if: needs.prepare.outputs.policies == 'true'
+    uses: ./.github/workflows/ci_policies.yml
   ci-ui:
     needs: prepare
     if: needs.prepare.outputs.ui == 'true'
     uses: ./.github/workflows/ci_ui.yml
   ci-websocket:
-      needs: prepare
-      if: needs.prepare.outputs.websocket == 'true'
-      uses: ./.github/workflows/ci_websocket.yml
+    needs: prepare
+    if: needs.prepare.outputs.websocket == 'true'
+    uses: ./.github/workflows/ci_websocket.yml
   ci-engine:
     needs: prepare
     if: needs.prepare.outputs.engine == 'true'
@@ -79,6 +95,7 @@ jobs:
     runs-on: ubuntu-latest
     needs:
       - ci-api
+      - ci-policies
       - ci-ui
       - ci-websocket
       - ci-engine
@@ -138,7 +155,15 @@ jobs:
       new_tag_short: ${{ needs.ci-collect-info.outputs.new_tag_short }}
       name: ${{ needs.ci-collect-info.outputs.name }}
       sha: ${{ github.sha }}
-    secrets: inherit  
+    secrets: inherit
+  update-policies:
+    needs:
+      - ci
+      - ci-policies
+      - ci-collect-info
+    uses: ./.github/workflows/update_policies.yml
+    if: ${{ !failure() && needs.ci-policies.result == 'success' && github.event_name == 'push' && (github.ref_name == 'main' || github.ref_name == 'release' || startsWith(github.ref_name, 'release/')) }}
+    secrets: inherit
   build-and-deploy-ui:
     needs:
       - ci

diff --git a/.github/workflows/ci_policies.yml b/.github/workflows/ci_policies.yml
@@ -0,0 +1,28 @@
+name: ci-policies
+on:
+  workflow_call:
+env:
+  GO_VERSION: '1.22'
+
+jobs:
+  cerbosCheck:
+    runs-on: ubuntu-latest
+    steps:
+      - name: checkout
+        uses: actions/checkout@v3
+      - name: set up
+        uses: actions/setup-go@v4
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          cache: false
+      - name: Generate policies
+        run: make generate-policies
+        working-directory: api
+      - name: Setup Cerbos
+        uses: cerbos/cerbos-setup-action@v1
+        with:
+          version: latest
+      - name: Compile and test policies
+        uses: cerbos/cerbos-compile-action@v1
+        with:
+          policyDir: api/policies
diff --git a/.github/workflows/update_policies.yml b/.github/workflows/update_policies.yml
@@ -0,0 +1,58 @@
+name: update-policies
+on:
+  workflow_call:
+env:
+  GO_VERSION: '1.22'
+  GCS_BUCKET_PATH: gs://cerbos-oss-policyfile-bucket
+
+jobs:
+  update-policies:
+    runs-on: ubuntu-latest
+    steps:
+      - name: checkout
+        uses: actions/checkout@v3
+      - name: set up
+        uses: actions/setup-go@v4
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          cache: false
+      - name: Generate policies
+        run: make generate-policies
+        working-directory: api
+      - name: Authenticate to Google Cloud
+        uses: google-github-actions/auth@v1
+        with:
+          credentials_json: ${{ secrets.GCP_SA_KEY }}
+      - name: Set up Cloud SDK
+        uses: google-github-actions/setup-gcloud@v1
+      - name: Sync policies with Cloud Storage
+        run: |
+          echo "All files in bucket (before sync):"
+          gsutil ls $GCS_BUCKET_PATH/ || true
+
+          echo "Current flow files in bucket:"
+          bucket_files=$(gsutil ls $GCS_BUCKET_PATH/flow_*.yaml || true)
+          echo "$bucket_files"
+
+          echo "Local policy files:"
+          local_files=$(ls api/policies/flow_*.yaml || true)
+          echo "$local_files"
+
+          for file in api/policies/flow_*.yaml; do
+            if [ -f "$file" ]; then
+              file_name=$(basename "$file")
+              echo "Uploading/Updating: $file_name"
+              gsutil cp "$file" "$GCS_BUCKET_PATH/$file_name"
+            fi
+          done
+
+          for bucket_file in $GCS_BUCKET_PATH/flow_*.yaml; do
+            file_name=$(basename "$bucket_file")
+            if [ ! -f "api/policies/$file_name" ] && [[ "$file_name" == flow_* ]]; then
+              echo "Deleting: $file_name"
+              gsutil rm "$bucket_file"
+            fi
+          done
+
+          echo "Sync completed. All files in bucket:"
+          gsutil ls $GCS_BUCKET_PATH/ || true
diff --git a/api/Makefile b/api/Makefile
@@ -19,4 +19,7 @@ run-db:
 gql:
 	go generate ./internal/adapter/gql
 
-.PHONY: lint test e2e build run-app run-db gql
+gen-policies:
+	go run ./cmd/policy-generator
+
+.PHONY: lint test e2e build run-app run-db gql gen-policies
diff --git a/api/cmd/policy-generator/main.go b/api/cmd/policy-generator/main.go
@@ -0,0 +1,77 @@
+// cmd/policy-generator/main.go
+package main
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/reearth/reearth-flow/api/internal/rbac"
+	"gopkg.in/yaml.v2"
+)
+
+type CerbosPolicy struct {
+	APIVersion     string         `yaml:"apiVersion"`
+	ResourcePolicy ResourcePolicy `yaml:"resourcePolicy"`
+}
+
+type ResourcePolicy struct {
+	Version  string `yaml:"version"`
+	Resource string `yaml:"resource"`
+	Rules    []Rule `yaml:"rules"`
+}
+
+type Rule struct {
+	Actions []string `yaml:"actions"`
+	Effect  string   `yaml:"effect"`
+	Roles   []string `yaml:"roles"`
+}
+
+func main() {
+	resources := rbac.DefineResources()
+
+	for _, resource := range resources {
+		policy := CerbosPolicy{
+			APIVersion: "api.cerbos.dev/v1",
+			ResourcePolicy: ResourcePolicy{
+				Version:  "default",
+				Resource: resource.Resource,
+				Rules:    make([]Rule, 0, len(resource.Actions)),
+			},
+		}
+
+		for _, action := range resource.Actions {
+			roles := make([]string, 0, len(action.Roles))
+			for _, role := range action.Roles {
+				roles = append(roles, string(role))
+			}
+
+			rule := Rule{
+				Actions: []string{string(action.Action)},
+				Effect:  "EFFECT_ALLOW",
+				Roles:   roles,
+			}
+			policy.ResourcePolicy.Rules = append(policy.ResourcePolicy.Rules, rule)
+		}
+
+		// ポリシーファイルの出力
+		filename := strings.ReplaceAll(resource.Resource, ":", "_")
+		outputPath := filepath.Join("policies", fmt.Sprintf("%s.yaml", filename))
+		data, err := yaml.Marshal(policy)
+		if err != nil {
+			fmt.Printf("Error marshaling policy: %v\n", err)
+			os.Exit(1)
+		}
+
+		if err := os.MkdirAll("policies", 0755); err != nil {
+			fmt.Printf("Error creating directory: %v\n", err)
+			os.Exit(1)
+		}
+
+		if err := os.WriteFile(outputPath, data, 0644); err != nil {
+			fmt.Printf("Error writing file: %v\n", err)
+			os.Exit(1)
+		}
+	}
+}
diff --git a/api/internal/rbac/definitions.go b/api/internal/rbac/definitions.go
@@ -0,0 +1,73 @@
+package rbac
+
+const (
+	serviceName = "flow"
+)
+
+type resourceType string
+
+const (
+	resourceProject  resourceType = "project"
+	resourceWorkflow resourceType = "workflow"
+)
+
+type actionType string
+
+const (
+	actionRead actionType = "read"
+	actionEdit actionType = "edit"
+)
+
+type roleType string
+
+const (
+	roleOwner      roleType = "owner"
+	roleMaintainer roleType = "maintainer"
+	roleWriter     roleType = "writer"
+	roleReader     roleType = "reader"
+)
+
+type resourceDefinition struct {
+	resource string
+	actions  []actionDefinition
+}
+
+type actionDefinition struct {
+	action actionType
+	roles  []roleType
+}
+
+func makeResourceName(resource resourceType) string {
+	return serviceName + ":" + string(resource)
+}
+
+func DefineResources() []resourceDefinition {
+	return []resourceDefinition{
+		{
+			resource: makeResourceName(resourceProject),
+			actions: []actionDefinition{
+				{
+					action: actionRead,
+					roles:  []roleType{roleOwner, roleMaintainer, roleWriter, roleReader},
+				},
+				{
+					action: actionEdit,
+					roles:  []roleType{roleOwner, roleMaintainer, roleWriter},
+				},
+			},
+		},
+		{
+			resource: makeResourceName(resourceWorkflow),
+			actions: []actionDefinition{
+				{
+					action: actionRead,
+					roles:  []roleType{roleOwner, roleMaintainer, roleWriter, roleReader},
+				},
+				{
+					action: actionEdit,
+					roles:  []roleType{roleOwner, roleMaintainer, roleWriter},
+				},
+			},
+		},
+	}
+}