bug: non-path mapping

ZEISS · Nov 13, 2024 · 11d77e1 · 11d77e1
1 parent 4eee473
commit 11d77e1
Show file tree

Hide file tree

Showing 17 changed files with 729 additions and 1,492 deletions.
diff --git a/.gitignore b/.gitignore
@@ -22,6 +22,7 @@
 
 # Dependency directories (remove the comment below to include it)
 # vendor/
+tmp
 
 # Go workspace file
 go.work
@@ -250,4 +251,4 @@ terraform.rc
 # Azure Toolkit for IntelliJ plugin
 # https://plugins.jetbrains.com/plugin/8053-azure-toolkit-for-intellij
 
-# End of https://www.toptal.com/developers/gitignore/api/go,intellij,webstorm,terraform
+# End of https://www.toptal.com/developers/gitignore/api/go,intellij,webstorm,terraform
diff --git a/.golangci.yml b/.golangci.yml
@@ -1,15 +1,10 @@
 run:
-  deadline: 6m
-
-  skip-files:
-  - "zz_generated\\..+\\.go$"
-
-  skip-dirs:
-    - vendor$
+  timeout: 6m
 
 output:
   # colored-line-number|line-number|json|tab|checkstyle|code-climate, default is "colored-line-number"
-  format: colored-line-number
+  formats:
+    - format: colored-line-number
 
 linters-settings:
   errcheck:
@@ -21,19 +16,15 @@ linters-settings:
     # default is false: such cases aren't reported by default.
     check-blank: false
 
-    # [deprecated] comma-separated list of pairs of the form pkg:regex
-    # the regex is used to ignore names within pkg. (default "fmt:.*").
-    # see https://github.com/kisielk/errcheck#the-deprecated-method for details
-    ignore: fmt:.*,io/ioutil:^Read.*
+    # report about not checking of errors in assignments: `num, err := strconv.Atoi(numStr)`;
+    exclude-functions:
+      - fmt:.*
+      - io/ioutil:^Read.*
 
   govet:
     # report about shadowed variables
     check-shadowing: false
 
-  golint:
-    # minimal confidence for issues, default is 0.8
-    min-confidence: 0.8
-
   gofmt:
     # simplify code: gofmt with `-s` option, true by default
     simplify: true
@@ -47,10 +38,6 @@ linters-settings:
     # minimal code complexity to report, 30 by default (but we recommend 10-20)
     min-complexity: 10
 
-  maligned:
-    # print struct with more effective memory layout or not, false by default
-    suggest-new: true
-
   dupl:
     # tokens count to trigger issue, 150 by default
     threshold: 100
@@ -109,35 +96,39 @@ linters-settings:
     severity: warning
     confidence: 0.8
 
-
 linters:
   enable:
-    - megacheck
     - govet
     - gocyclo
     - gocritic
+    - gosimple
+    - staticcheck
+    - unused
     - goconst
     - goimports
-    - gofmt  # We enable this as well as goimports for its simplify mode.
+    - gofmt # We enable this as well as goimports for its simplify mode.
     - prealloc
     - revive
     - unconvert
     - misspell
     - nakedret
-    - exportloopref
+    - copyloopvar
     - gosec
 
   disable:
-    - scopelint
     - errcheck
 
   presets:
     - bugs
     - unused
   fast: false
 
-
 issues:
+  exclude-files:
+    - "zz_generated\\..+\\.go$"
+  exclude-dirs:
+    - vendor$
+
   exclude:
     - "G103: Use of unsafe calls should be audited"
 
@@ -164,31 +155,36 @@ issues:
     # rather than using a pointer.
     - text: "(hugeParam|rangeValCopy):"
       linters:
-      - gocritic
+        - gocritic
 
     # This "TestMain should call os.Exit to set exit code" warning is not clever
     # enough to notice that we call a helper method that calls os.Exit.
     - text: "SA3000:"
       linters:
-      - staticcheck
+        - staticcheck
 
     - text: "k8s.io/api/core/v1"
       linters:
-      - goimports
+        - goimports
 
     # This is a "potential hardcoded credentials" warning. It's triggered by
     # any variable with 'secret' in the same, and thus hits a lot of false
     # positives in Kubernetes land where a Secret is an object type.
     - text: "G101:"
       linters:
-      - gosec
-      - gas
+        - gosec
+        - gas
 
     # This is an 'errors unhandled' warning that duplicates errcheck.
     - text: "G104:"
       linters:
-      - gosec
-      - gas
+        - gosec
+        - gas
+
+    - text: "G115:"
+      linters:
+        - gosec
+        - gas
 
   # Independently from option `exclude` we use default exclude patterns,
   # it can be disabled by this option. To list all

diff --git a/Makefile b/Makefile
@@ -1,13 +1,13 @@
 .DEFAULT_GOAL := build
 
-GO 				?= go
+include .env
+export
+
+GO 						?= go
 GO_RUN_TOOLS 	?= $(GO) run -modfile ./tools/go.mod
-GO_TEST 		?= $(GO_RUN_TOOLS) gotest.tools/gotestsum --format pkgname
+GO_TEST 			?= $(GO_RUN_TOOLS) gotest.tools/gotestsum --format pkgname
 GO_RELEASER 	?= $(GO_RUN_TOOLS) github.com/goreleaser/goreleaser
-GO_MOD 			?= $(shell ${GO} list -m)
-
-# Module name
-MODULE_NAME ?= github.com/katallaxie/template-go
+GO_MOD 				?= $(shell ${GO} list -m)
 
 .PHONY: build
 build: ## Build the binary file.
@@ -50,9 +50,13 @@ clean: ## Remove previous build.
 
 .PHONY: docs
 docs: ## Generate documentation.
-	npx @redocly/cli build-docs api/api.yml 
+	npx @redocly/cli build-docs api/api.yml
 	mv redoc-static.html public/index.html
 
+.PHONY: migrate
+migrate: ## Run database migrations.
+	$(GO) run main.go migrate
+
 .PHONY: help
 help: ## Display this help screen.
-	@grep -E '^[a-z.A-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
+	@grep -E '^[a-z.A-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
diff --git a/api/api.yml b/api/api.yml
@@ -234,9 +234,7 @@ paths:
           name: admin
         object:
           namespace: system
-          components:
-            - in: path
-              name: teamName
+          name: global
 
     get:
       tags:
@@ -284,6 +282,7 @@ paths:
           name: admin
         object:
           namespace: system
+          components:
           name: global
 
   /teams/{teamName}:

diff --git a/cmd/root.go b/cmd/root.go
@@ -4,7 +4,6 @@ import (
 	"context"
 	"log"
 
-	"github.com/zeiss/fiber-authz/oas"
 	"github.com/zeiss/knox/internal/adapters/authz"
 	"github.com/zeiss/knox/internal/adapters/database"
 	"github.com/zeiss/knox/internal/adapters/handlers"
@@ -22,9 +21,10 @@ import (
 	middleware "github.com/oapi-codegen/fiber-middleware"
 	openfga "github.com/openfga/go-sdk/client"
 	"github.com/spf13/cobra"
+	"github.com/zeiss/fiber-authz/oas"
 	"github.com/zeiss/fiber-authz/oas/oidc"
 	ofga "github.com/zeiss/fiber-authz/openfga"
-	authx "github.com/zeiss/pkg/authz"
+	authx "github.com/zeiss/pkg/authx/fga"
 	"github.com/zeiss/pkg/dbx"
 	"github.com/zeiss/pkg/server"
 	"gorm.io/driver/postgres"

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -1,64 +1,58 @@
 services:
-
-  crdb:
-    image: cockroachdb/cockroach:latest-v24.1
-    ports:
-      - "26257:26257"
-      - "8082:8080"
+  postgres:
+    image: postgres:14
+    container_name: postgres
+    command: postgres -c 'max_connections=100'
     networks:
-      - knox
-    command: start-single-node --insecure
-    volumes:
-      - crdb:/cockroach/cockroach-data
+      - default
+    ports:
+      - "5432:5432"
+    environment:
+      - POSTGRES_USER=postgres
+      - POSTGRES_PASSWORD=password
     healthcheck:
-      test:
-        [
-          "CMD",
-          "curl",
-          "-f",
-          "http://localhost:8080/health?ready=1"
-        ]
-      interval: 3s
-      timeout: 3s
+      test: ["CMD-SHELL", "pg_isready -U postgres"]
+      interval: 5s
+      timeout: 5s
       retries: 5
 
   migrate:
     depends_on:
-      crdb:
+      postgres:
         condition: service_healthy
     image: openfga/openfga:latest
     container_name: migrate
-    command: migrate
     environment:
       - OPENFGA_DATASTORE_ENGINE=postgres
-      - OPENFGA_DATASTORE_URI=postgres://root@crdb:26257/defaultdb?sslmode=disable
+      - OPENFGA_DATASTORE_URI=postgres://postgres:password@postgres:5432/postgres?sslmode=disable
+    command: migrate
     networks:
-      - knox
+      - default
 
   openfga:
     depends_on:
       migrate:
         condition: service_completed_successfully
     image: openfga/openfga:latest
     container_name: openfga
+    command: run
     environment:
       - OPENFGA_DATASTORE_ENGINE=postgres
-      - OPENFGA_DATASTORE_URI=postgres://root@crdb:26257/defaultdb?sslmode=disable
-      - OPENFGA_LOG_FORMAT=json
-    command: run
+      - OPENFGA_DATASTORE_URI=postgres://postgres:password@postgres:5432/postgres?sslmode=disable
+      - OPENFGA_DATASTORE_MAX_OPEN_CONNS=100 #see postgres container
+      - OPENFGA_PLAYGROUND_ENABLED=true
     networks:
-      - knox
+      - default
     ports:
-      # Needed for the http server
-      - "8080:8080"
-      # Needed for the grpc server (if used)
-      - "8081:8081"
-      # Needed for the playground (Do not enable in prod!)
-      - "3000:3000"
+      - "8080:8080" #http
+      - "8081:8081" #grpc
+      - "3000:3000" #playground
+      - "2112:2112" #prometheus metrics
+    healthcheck:
+      test: ["CMD", "/usr/local/bin/grpc_health_probe", "-addr=openfga:8081"]
+      interval: 5s
+      timeout: 30s
+      retries: 3
 
 volumes:
   crdb:
-
-
-networks:
-  knox: