Add support for general permissions

CONTRIBUTING.md

@@ -1 +1,60 @@
-We happily welcome contributions to databricks-terraform. We use GitHub Issues to track community reported issues and GitHub Pull Requests for accepting changes.
+We happily welcome contributions to databricks-terraform. We use GitHub Issues to track community reported issues and GitHub Pull Requests for accepting changes.
+
+## Unit testing resources
+
+In order to unit test a resource, which runs fast and could be included in code coverage, one should use `ResourceTester`, that launches embedded HTTP server with `HTTPFixture`'s containing all calls that should have been made in given scenario:
+
+```go
+func TestPermissionsCreate(t *testing.T) {
+	_, err := ResourceTester(t, []HTTPFixture{
+		{
+            Method:   http.MethodPatch,
+            // requires full URI
+            Resource: "/api/2.0/preview/permissions/clusters/abc",
+            // works with entities, not JSON. Diff is displayed in case of missmatch 
+			ExpectedRequest: model.AccessControlChangeList{
+				AccessControlList: []*model.AccessControlChange{
+					{
+						UserName:        &TestingUser,
+						PermissionLevel: "CAN_USE",
+					},
+				},
+			},
+		},
+		{
+			Method:   http.MethodGet,
+			Resource: "/api/2.0/preview/permissions/clusters/abc?",
+			Response: model.AccessControlChangeList{
+				AccessControlList: []*model.AccessControlChange{
+					{
+						UserName:        &TestingUser,
+						PermissionLevel: "CAN_MANAGE",
+					},
+				},
+			},
+		},
+		{
+			Method:   http.MethodGet,
+			Resource: "/api/2.0/preview/scim/v2/Me?",
+			Response: model.User{
+				UserName: "chuck.norris",
+			},
+		},
+    }, 
+    // next argument is function, that creates resource (to make schema for ResourceData)
+    resourcePermissions, 
+    // state represented as native structure (though a bit clunky)
+    map[string]interface{}{
+		"cluster_id": "abc",
+		"access_control": []interface{}{
+			map[string]interface{}{
+				"user_name":        TestingUser,
+				"permission_level": "CAN_USE",
+			},
+		},
+    },
+    // the last argument is a function, that performs a stage on resource (Create/update/delete/read)
+    resourcePermissionsCreate)
+	assert.NoError(t, err, err)
+}
+```

client/model/permissions.go

@@ -0,0 +1,75 @@
+package model
+
+// ObjectACL is a structure to generically describe access control
+type ObjectACL struct {
+	ObjectID          string           `json:"object_id,omitempty"`
+	ObjectType        string           `json:"object_type,omitempty"`
+	AccessControlList []*AccessControl `json:"access_control_list"`
+}
+
+// AccessControl is a structure to describe user/group permissions
+type AccessControl struct {
+	UserName       *string       `json:"user_name,omitempty"`
+	GroupName      *string       `json:"group_name,omitempty"`
+	AllPermissions []*Permission `json:"all_permissions,omitempty"`
+}
+
+// Permission is a structure to describe permission level
+type Permission struct {
+	PermissionLevel     string   `json:"permission_level"`
+	Inherited           bool     `json:"inherited,omitempty"`
+	InheritedFromObject []string `json:"inherited_from_object,omitempty"`
+}
+
+// AccessControlChangeList is wrapper around ACL changes for REST API
+type AccessControlChangeList struct {
+	AccessControlList []*AccessControlChange `json:"access_control_list"`
+}
+
+// AccessControlChange is API wrapper for changing permissions
+type AccessControlChange struct {
+	UserName             *string `json:"user_name,omitempty"`
+	GroupName            *string `json:"group_name,omitempty"`
+	ServicePrincipalName *string `json:"service_principal_name,omitempty"`
+	PermissionLevel      string  `json:"permission_level"`
+}
+
+// ToAccessControlChangeList converts data formats
+func (oa *ObjectACL) ToAccessControlChangeList() *AccessControlChangeList {
+	acl := new(AccessControlChangeList)
+	for _, accessControl := range oa.AccessControlList {
+		for _, permission := range accessControl.AllPermissions {
+			if permission.Inherited {
+				continue
+			}
+			item := new(AccessControlChange)
+			acl.AccessControlList = append(acl.AccessControlList, item)
+			item.PermissionLevel = permission.PermissionLevel
+			if accessControl.UserName != nil {
+				item.UserName = accessControl.UserName
+			} else if accessControl.GroupName != nil {
+				item.GroupName = accessControl.GroupName
+			}
+		}
+	}
+	return acl
+}
+
+// AccessControl exports data for TF
+func (acl *AccessControlChangeList) AccessControl(me string) []map[string]string {
+	result := []map[string]string{}
+	for _, control := range acl.AccessControlList {
+		item := map[string]string{}
+		if control.UserName != nil && *control.UserName != "" {
+			if me == *control.UserName {
+				continue
+			}
+			item["user_name"] = *control.UserName
+		} else if control.GroupName != nil && *control.GroupName != "" {
+			item["group_name"] = *control.GroupName
+		}
+		item["permission_level"] = control.PermissionLevel
+		result = append(result, item)
+	}
+	return result
+}

client/service/apis.go

@@ -116,6 +116,11 @@ func (c *DBApiClient) MWSCustomerManagedKeys() MWSCustomerManagedKeysAPI {
 	return MWSCustomerManagedKeysAPI{Client: c}
 }
 
+// Permissions returns an instance of CommandsAPI
+func (c *DBApiClient) Permissions() PermissionsAPI {
+	return PermissionsAPI{Client: c}
+}
+
 func (c *DBApiClient) performQuery(method, path string, apiVersion string, headers map[string]string, data interface{}, secretsMask *SecretsMask) ([]byte, error) {
 	err := c.Config.getOrCreateToken()
 	if err != nil {

client/service/permissions.go

@@ -0,0 +1,50 @@
+package service
+
+import (
+	"encoding/json"
+	"net/http"
+
+	"github.com/databrickslabs/databricks-terraform/client/model"
+)
+
+// PermissionsAPI exposes general permission related methods
+type PermissionsAPI struct {
+	Client *DBApiClient
+}
+
+// AddOrModify works with permissions change list
+func (a PermissionsAPI) AddOrModify(objectID string, objectACL *model.AccessControlChangeList) error {
+	_, err := a.Client.performQuery(http.MethodPatch,
+		"/preview/permissions"+objectID,
+		"2.0", nil, objectACL, nil)
+	if err != nil {
+		return err
+	}
+
+	return err
+}
+
+// SetOrDelete updates object permissions
+func (a PermissionsAPI) SetOrDelete(objectID string, objectACL *model.AccessControlChangeList) error {
+	_, err := a.Client.performQuery(http.MethodPut,
+		"/preview/permissions"+objectID,
+		"2.0", nil, objectACL, nil)
+	if err != nil {
+		return err
+	}
+
+	return err
+}
+
+// Read gets all relevant permissions for the object, including inherited ones
+func (a PermissionsAPI) Read(objectID string) (*model.ObjectACL, error) {
+	resp, err := a.Client.performQuery(http.MethodGet,
+		"/preview/permissions"+objectID,
+		"2.0", nil, nil, nil)
+	if err != nil {
+		return nil, err
+	}
+	var objectACL = new(model.ObjectACL)
+	err = json.Unmarshal(resp, &objectACL)
+	return objectACL, err
+}

client/service/users.go

@@ -72,14 +72,21 @@ func (a UsersAPI) Read(userID string) (model.User, error) {
 }
 
 func (a UsersAPI) read(userID string) (model.User, error) {
-	var user model.User
 	userPath := fmt.Sprintf("/preview/scim/v2/Users/%v", userID)
+	return a.readByPath(userPath)
+}
+
+// Me gets user information about caller
+func (a UsersAPI) Me() (model.User, error) {
+	return a.readByPath("/preview/scim/v2/Me")
+}
 
+func (a UsersAPI) readByPath(userPath string) (model.User, error) {
+	var user model.User
 	resp, err := a.Client.performQuery(http.MethodGet, userPath, "2.0", scimHeaders, nil, nil)
 	if err != nil {
 		return user, err
 	}
-
 	err = json.Unmarshal(resp, &user)
 	return user, err
 }

databricks/provider.go

@@ -30,6 +30,7 @@ func Provider(version string) terraform.ResourceProvider {
 			"databricks_secret_scope":  resourceSecretScope(),
 			"databricks_secret":        resourceSecret(),
 			"databricks_secret_acl":    resourceSecretACL(),
+			"databricks_permissions":   resourcePermissions(),
 			"databricks_instance_pool": resourceInstancePool(),
 			"databricks_scim_user":     resourceScimUser(),
 			"databricks_scim_group":    resourceScimGroup(),