feat: Add support for Hive group ownership (#40)

* style: Remove unused import in slide_group_options.rs

Removes unused import of `leptos::leptos_dom::logging::console_log` that
I accidentally left behind previously.

* chore: Add more test users to dev environment

Adds 3 new users to the development docker compose environment:
- Diana Datalog
- Martin Median
- Karin Klubbare

Also adds the group METAdorerna to that environment, and adds all users
to that group.

This will be used when developing the auth features.

* chore(backend): Add reqwest dependency

Adds the reqwest package as a dependency to the backend crate. This will
be used for the Hive client.

* chore: Add missing libs to shell.nix

Adds pkg-config and openssl to the Nix shell configuration. Not sure
why it wasn't a problem before, but I'm not able to run `cargo check`
without it.

Also added some environment variables which I'm like 80 % are necessary.

* fix(dev): Make `app` depend on `nyckeln`

Marks the `nyckeln` service as a dependency for the app service in the
Docker compose config. This makes `app` wait until `nyckeln` has started
before continuing. This seems to improve the issue I've personally been
having with the OIDC Manager failing to initialize when launching the
containers the first time after a code change. The issue was most
likely some sort of race condition (but it's very strange that it would
start successfully after restarting the containers).

This required adding a health checker function which is ran periodically
to determine if `nyckeln` is running. The test function isn't perfect as
it only checks that the service is listening on it's ports. I decided to
not have it try any actual endpoints, as that would result in the
requests being logged every 2 seconds.

* feat(backend): Add endpoint to get Hive memberships

Adds an API endpoint to get the currently logged in user's Hive
memberships.

This required adding a new Hive client abstraction, as well as adding
support for configuring the Hive API token. Note: I have not tested the
changes to the production compose file (I wouldn't know how to). I've
tried to copy the pattern from the OIDC configuration.

* feat: Add support for Hive group ownership

Adds support for storing slide group ownership as a Hive group in the
backend. This also required changing the frontend so that it can display
group ownership.

* feat(frontend): Support transfering ownership

Adds a new transfer ownership button to the slide group options view.

Author: laxsjo

.env.example

@@ -1,2 +1,3 @@
 CLIENT_ID=
 CLIENT_SECRET=
+HIVE_SECRET=

Cargo.lock

@@ -7,6 +7,7 @@ services:
     environment:
       - ROCKET_DATABASES={sea_orm={url="postgresql://postgres:postgres@db/metatv"}}
       - ROCKET_OIDC={issuer_url="https://sso.datasektionen.se/op",client_id="${CLIENT_ID}",client_secret="${CLIENT_SECRET}",redirect_url="http://localhost:8000/auth/oidc-callback"}
+      - ROCKET_HIVE={url="https://hive.datasektionen.se/api/v1",secret="${HIVE_SECRET}"}
       - ROCKET_UPLOAD_DIR="./uploads"
       - ROCKET_SECRET_KEY=2hMUcPB1UjTd2W8aZDBxoUC27R0z9c56992m3x2MTE4D
       - ROCKET_ADDRESS=0.0.0.0

compose.prod.yml

@@ -7,6 +7,7 @@ services:
     environment:
       - ROCKET_DATABASES={sea_orm={url="postgresql://postgres:postgres@db/metatv"}}
       - ROCKET_OIDC={issuer_url="http://localhost:7003",client_id="client-id",client_secret="client-secret",redirect_url="http://localhost:8000/auth/oidc-callback"}
+      - ROCKET_HIVE={url="http://nyckeln:7004/api/v1",secret="secret"}
       - ROCKET_UPLOAD_DIR="./uploads"
       - ROCKET_SECRET_KEY=2hMUcPB1UjTd2W8aZDBxoUC27R0z9c56992m3x2MTE4D
       - ROCKET_ADDRESS=0.0.0.0
@@ -21,6 +22,8 @@ services:
     depends_on:
       db:
         condition: service_healthy
+      nyckeln:
+        condition: service_healthy
     develop:
       watch:
         - action: rebuild
@@ -48,6 +51,12 @@ services:
     configs:
       - source: nyckeln.yaml
         target: /config.yaml
+    healthcheck:
+      test: ["CMD-SHELL", "nc -z localhost 7001 && nc -z localhost 7002 && nc -z localhost 7003 && nc -z localhost 7004"]
+      interval: 2s
+      timeout: 2s
+      retries: 30
+      start_period: 5s
     ports:
       - 7001:7001
       - 7002:7002
@@ -70,6 +79,13 @@ configs:
             proxy_pass http://nyckeln:7003;
           }
         }
+        server {
+          listen 7004;
+
+          location / {
+            proxy_pass http://nyckeln:7004;
+          }
+        }
       }
 
   nyckeln.yaml:
@@ -86,9 +102,21 @@ configs:
           email: turetek@kth.se
           first_name: Ture
           family_name: Teknolog
-          hive_tags:
-            - id: personal_email
-              content: turetek@gmail.com
+        - ug_kth_id: some-other-id
+          kth_id: diadat
+          email: diadat@kth.se
+          first_name: Diana
+          family_name: Datalog
+        - ug_kth_id: yet-another-id
+          kth_id: marmed
+          email: marmed@kth.se
+          first_name: Martin
+          family_name: Median
+        - ug_kth_id: even-more
+          kth_id: karklu
+          email: karklu@kth.se
+          first_name: Karin
+          family_name: Klubbare
 
       hive:
         groups:
@@ -100,3 +128,14 @@ configs:
             permissions:
               - id: admin
                 scope: null
+            tags:
+              - id: slide-manager
+          - name: METAdorerna
+            id: metadorerna
+            domain: example.com
+            members:
+              - diadat
+              - marmed
+            tags:
+              - id: slide-manager
+

compose.yml

@@ -13,6 +13,7 @@ entity = { path = "../entity" }
 entity-tag = "0.1.8"
 migration = { path = "../migration" }
 openidconnect = { version = "4.0.0", features = ["timing-resistant-secret-traits"] }
+reqwest = { version = "0.12.24", default-features = false, features = ["charset", "rustls-tls", "http2", "system-proxy", "json"] }
 rocket = { version = "0.5.1", features = ["json", "secrets"] }
 sea-orm = { version = "1.1.4", features = ["runtime-tokio-rustls", "sqlx-postgres", "sqlx-sqlite"] }
 sea-orm-rocket = "0.5.5"

crates/backend/Cargo.toml

@@ -0,0 +1,108 @@
+use common::dtos::{LangDto, TaggedGroupDto};
+use reqwest::Url;
+use rocket::{
+    fairing::{self, Fairing},
+    Build, Rocket,
+};
+use serde::{Deserialize, Serialize};
+
+#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
+pub struct HiveConfig {
+    pub url: Url,
+    pub secret: String,
+}
+
+pub struct HiveClient {
+    client: reqwest::Client,
+    config: HiveConfig,
+}
+
+impl HiveClient {
+    pub fn new(config: HiveConfig) -> reqwest::Result<Self> {
+        let client = reqwest::Client::builder().build()?;
+
+        Ok(Self { client, config })
+    }
+
+    /// Get group memberships for the user with the specified username that have been tagged with
+    /// META TV's tag.
+    ///
+    /// On a high level this can be thought of as returning the group memberships for the user that
+    /// this application is allowed to see.
+    ///
+    /// Wrapper around `/tagged/slide-manager/memberships/{username}`.
+    pub async fn tagged_memberships(
+        &self,
+        username: &str,
+        lang: LangDto,
+    ) -> reqwest::Result<Vec<TaggedGroupDto>> {
+        let mut url = self.config.url.clone();
+        url.path_segments_mut()
+            .expect("url can be a base")
+            .pop_if_empty()
+            .extend(&["tagged", "slide-manager", "memberships", username]);
+        url.query_pairs_mut()
+            .append_pair("lang", &format!("{}", lang));
+        self.client
+            .get(url)
+            .bearer_auth(&self.config.secret)
+            .send()
+            .await?
+            .error_for_status()?
+            .json::<Vec<TaggedGroupDto>>()
+            .await
+    }
+
+    /// Get all groups that have been tagged with META TV's tag.
+    ///
+    /// Wrapper around `/tagged/slide-manager/groups`.
+    pub async fn tagged_groups(&self, lang: LangDto) -> reqwest::Result<Vec<TaggedGroupDto>> {
+        let mut url = self.config.url.clone();
+        url.path_segments_mut()
+            .expect("url can be a base")
+            .pop_if_empty()
+            .extend(&["tagged", "slide-manager", "groups"]);
+        url.query_pairs_mut()
+            .append_pair("lang", &format!("{}", lang));
+        self.client
+            .get(url)
+            .bearer_auth(&self.config.secret)
+            .send()
+            .await?
+            .error_for_status()?
+            .json::<Vec<TaggedGroupDto>>()
+            .await
+    }
+}
+
+pub struct HiveInitializer;
+
+#[rocket::async_trait]
+impl Fairing for HiveInitializer {
+    fn info(&self) -> fairing::Info {
+        fairing::Info {
+            name: "Hive Client",
+            kind: fairing::Kind::Ignite,
+        }
+    }
+
+    async fn on_ignite(&self, rocket: Rocket<Build>) -> fairing::Result {
+        let config = match rocket.figment().focus("hive").extract::<HiveConfig>() {
+            Ok(config) => config,
+            Err(e) => {
+                error!("hive configuration incomplete: {}", e);
+                return Err(rocket);
+            }
+        };
+
+        let client = match HiveClient::new(config) {
+            Ok(client) => client,
+            Err(e) => {
+                error!("failed to initialize hive client: {}", e);
+                return Err(rocket);
+            }
+        };
+
+        Ok(rocket.manage(client))
+    }
+}

crates/backend/src/auth/hive.rs

@@ -9,6 +9,7 @@ use serde::{Deserialize, Serialize};
 
 use crate::error::AppError;
 
+pub mod hive;
 pub mod oidc;
 
 // can't be __Host- because it would not work on http://localhost in Chrome

crates/backend/src/auth/mod.rs

@@ -43,6 +43,8 @@ pub enum AppError {
     StateSerializationError(#[source] serde_json::Error),
     #[error("failed to deserialize internal state from secure storage: {0}")]
     StateDeserializationError(#[source] serde_json::Error), // not from client-controlled
+    #[error("failed to complete internal request: {0}")]
+    InternalRequestFailure(#[from] reqwest::Error),
     #[error("authentication flow expired and can no longer be completed")]
     AuthenticationFlowExpired,
 }
@@ -64,6 +66,7 @@ impl AppError {
             AppError::OidcAuthenticationError(_) => Status::InternalServerError,
             AppError::StateSerializationError(_) => Status::InternalServerError,
             AppError::StateDeserializationError(_) => Status::InternalServerError,
+            AppError::InternalRequestFailure(_) => Status::InternalServerError,
             AppError::AuthenticationFlowExpired => Status::Gone,
         }
     }