Deploy userinfofetcher regorules

rust/bundle-builder/Cargo.toml

@@ -17,6 +17,7 @@ flate2.workspace = true
 futures.workspace = true
 hyper.workspace = true
 snafu.workspace = true
+stackable-opa-regorule-library = { version = "0.0.0-dev", path = "../regorule-library" }
 stackable-operator.workspace = true
 tar.workspace = true
 tokio.workspace = true

rust/bundle-builder/src/main.rs

@@ -171,14 +171,19 @@ enum BundleError {
     #[snafu(display("ConfigMap is missing required metadata"))]
     ConfigMapMetadataMissing,
 
-    #[snafu(display("file {file_name:?} in {config_map} is too large ({file_size} bytes)"))]
+    #[snafu(display("file {file_path:?} is too large ({file_size} bytes)"))]
     FileSizeOverflow {
         source: TryFromIntError,
-        config_map: ObjectRef<ConfigMap>,
-        file_name: String,
+        file_path: String,
         file_size: usize,
     },
 
+    #[snafu(display("failed to add static file {file_path:?} to tarball"))]
+    AddStaticRuleToTarball {
+        source: std::io::Error,
+        file_path: String,
+    },
+
     #[snafu(display("failed to add file {file_name:?} from {config_map} to tarball"))]
     AddFileToTarball {
         source: std::io::Error,
@@ -201,20 +206,15 @@ impl BundleError {
 
 async fn build_bundle(store: Store<ConfigMap>) -> Result<Vec<u8>, BundleError> {
     use bundle_error::*;
-    fn file_header(
-        config_map: &ObjectRef<ConfigMap>,
-        file_name: &str,
-        data: &[u8],
-    ) -> Result<tar::Header, BundleError> {
+    fn file_header(file_path: &str, data: &[u8]) -> Result<tar::Header, BundleError> {
         let mut header = tar::Header::new_gnu();
         header.set_mode(0o644);
         let file_size = data.len();
         header.set_size(
             file_size
                 .try_into()
                 .with_context(|_| FileSizeOverflowSnafu {
-                    config_map: config_map.clone(),
-                    file_name,
+                    file_path,
                     file_size,
                 })?,
         );
@@ -227,6 +227,16 @@ async fn build_bundle(store: Store<ConfigMap>) -> Result<Vec<u8>, BundleError> {
     let mut tar = tar::Builder::new(GzEncoder::new(Vec::new(), flate2::Compression::default()));
     let mut resource_versions = BTreeMap::<String, String>::new();
     let mut bundle_file_paths = BTreeSet::<String>::new();
+
+    for (file_path, data) in stackable_opa_regorule_library::REGORULES {
+        let mut header = file_header(file_path, data.as_bytes())?;
+        tar.append_data(&mut header, file_path, data.as_bytes())
+            .context(AddStaticRuleToTarballSnafu {
+                file_path: *file_path,
+            })?;
+        bundle_file_paths.insert(file_path.to_string());
+    }
+
     for cm in store.state() {
         let ObjectMeta {
             name: Some(cm_ns),
@@ -239,8 +249,8 @@ async fn build_bundle(store: Store<ConfigMap>) -> Result<Vec<u8>, BundleError> {
         };
         let cm_ref = ObjectRef::from_obj(&*cm);
         for (file_name, data) in cm.data.iter().flatten() {
-            let mut header = file_header(&cm_ref, file_name, data.as_bytes())?;
             let file_path = format!("configmap/{cm_ns}/{cm_name}/{file_name}");
+            let mut header = file_header(&file_path, data.as_bytes())?;
             tar.append_data(&mut header, &file_path, data.as_bytes())
                 .with_context(|_| AddFileToTarballSnafu {
                     config_map: cm_ref.clone(),

rust/regorule-library/Cargo.toml

@@ -0,0 +1,13 @@
+[package]
+name = "stackable-opa-regorule-library"
+description = "Contains Stackable's library of common regorules"
+version.workspace = true
+authors.workspace = true
+license.workspace = true
+edition.workspace = true
+repository.workspace = true
+publish = false
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[dependencies]

rust/regorule-library/README.md

@@ -0,0 +1,16 @@
+# Stackable library of shared regorules
+
+This contains regorules that are shipped by the Stackable Data Platform (SDP) as libraries to help simplify writing authorization rules.
+
+## What this is not
+
+This library should *not* contain rules that only concern one SDP product. Those are the responsibility of their individual operators.
+
+## Versioning
+
+All regorules exposed by this library should be versioned, according to Kubernetes conventions.
+
+This version covers _breaking changes to the interface_, not the implementation. If a proposed change breaks existing clients,
+add a new version. Otherwise, change the latest version inline.
+
+Ideally, old versions should be implemented on top of newer versions, rather than carry independent implementations.

rust/regorule-library/src/lib.rs

@@ -0,0 +1,4 @@
+pub const REGORULES: &[(&str, &str)] = &[(
+    "stackable/opa/userinfo/v1.rego",
+    include_str!("userinfo/v1.rego"),
+)];

rust/regorule-library/src/userinfo/v1.rego

@@ -0,0 +1,23 @@
+package stackable.opa.userinfo.v1
+
+# Lookup by (human-readable) username
+userInfoByUsername(username) := http.send({
+  "method": "POST",
+  "url": "http://127.0.0.1:9476/user",
+  "body": {"username": username}, <2>
+  "headers": {"Content-Type": "application/json"},
+  "raise_error": true
+}).body
+
+# Lookup by stable user identifier
+userInfoById(id) := http.send({
+  "method": "POST",
+  "url": "http://127.0.0.1:9476/user",
+  "body": {"id": id}, <3>
+  "headers": {"Content-Type": "application/json"},
+  "raise_error": true
+}).body
+
+# Lookup by context
+currentUserInfoByUsername := userInfoByUsername(input.username)
+currentUserInfoById := userInfoById(input.id)