Add mirror access control
Motivation:

Sometimes you need to restrict access to specific repositories
without allowing mirroring for all repositories. These repositories may
contain sensitive information or code that is only available to a
select group of members.

Modifications:

- Add `MirrorAccessController` that can allow or disallow access to
  the remote repositories for mirroring.
  - It is used to check whether a scheduled mirroring task or a task
    triggered by the UI is allowed to access the remote repository.
  - `MirrorListener.onCreate()` and `MirrorListener.onUpdate()` events
    are newly added. The events could be used as an extension point to
    detect a new remote URL pattern and integrate external systems
    such as a workflow or an email notification.
- Add CRUD REST API for administrators
  - GET `/api/v1/mirror/access` to retrieve all mirror access
    controls.
  - POST `/api/v1/mirror/access` to create a mirror access
    controls.
  - and so on...
- In addition to the REST API, a mirror access control can be added
  with `MirrorAccessController.allow(...)` API which is exposed by
  `PluginContext.mirrorAccessController()`.
- Add `CrudRepository` abstraction to easily create and update a
  collection of entities in a directory.
  - This API would be useful especially when we implement UI-based CRUD
    operations.
- Add mirror access control UI for administrators
  - CRUD are supported.

Result:

- Administrators can restrict access to remote repositories when mirroring.
- You can receive notifications when a new mirror is created or an
  existing mirror is updated through `MirrorListener`.
ikhoon committed Jan 3, 2025
1 parent c3f635a commit a2845f2
Showing 87 changed files with 3,573 additions and 440 deletions.
Expand Up @@ -26,7 +26,6 @@
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.RegisterExtension;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.JsonNode;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
Expand Down Expand Up @@ -71,14 +70,10 @@ protected void configure(CentralDogmaBuilder builder) {

@Override
protected void configureClient(ArmeriaCentralDogmaBuilder builder) {
try {
final String accessToken = getAccessToken(
WebClient.of("http://127.0.0.1:" + dogma.serverAddress().getPort()),
TestAuthMessageUtil.USERNAME, TestAuthMessageUtil.PASSWORD);
builder.accessToken(accessToken);
} catch (JsonProcessingException e) {
throw new RuntimeException(e);
}
final String accessToken = getAccessToken(
WebClient.of("http://127.0.0.1:" + dogma.serverAddress().getPort()),
TestAuthMessageUtil.USERNAME, TestAuthMessageUtil.PASSWORD);
builder.accessToken(accessToken);
}

@Override
@@ -0,0 +1,31 @@
/*
* Copyright 2025 LINE Corporation
*
* LINE Corporation licenses this file to you under the Apache License,
* version 2.0 (the "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at:
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
* License for the specific language governing permissions and limitations
* under the License.
*/

package com.linecorp.centraldogma.common;

/**
* A {@link MirrorException} raised when failed to access to the remote repository for mirroring.
*/
public final class MirrorAccessException extends MirrorException {
private static final long serialVersionUID = 6673537965128335081L;

/**
* Creates a new instance.
*/
public MirrorAccessException(String message) {
super(message);
}
}
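Review bot: The class Javadoc, "raised when failed to access to the remote repository", does not say whether this exception signals a policy denial or an ordinary connection failure, and that distinction matters to whoever triages mirroring errors. Going by the commit description it looks like this is thrown when the mirror access control disallows a remote; if that is right, say so directly: `A {@link MirrorException} raised when access to the remote repository is not allowed by the mirror access control.` The constructor Javadoc could also state what `message` is expected to carry, for instance the rejected remote URI without any credential material, since exception messages tend to end up in logs and API responses.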
Expand Up @@ -17,9 +17,6 @@

package com.linecorp.centraldogma.internal.api.v1;

import static com.google.common.base.MoreObjects.firstNonNull;
import static java.util.Objects.requireNonNull;

import java.util.Objects;

import javax.annotation.Nullable;
Expand All @@ -28,28 +25,11 @@
import com.fasterxml.jackson.annotation.JsonInclude;
import com.fasterxml.jackson.annotation.JsonInclude.Include;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.google.common.base.MoreObjects;

@JsonInclude(Include.NON_NULL)
public final class MirrorDto {
public final class MirrorDto extends MirrorRequest {

private final String id;
private final boolean enabled;
private final String projectName;
@Nullable
private final String schedule;
private final String direction;
private final String localRepo;
private final String localPath;
private final String remoteScheme;
private final String remoteUrl;
private final String remotePath;
private final String remoteBranch;
@Nullable
private final String gitignore;
private final String credentialId;
@Nullable
private final String zone;
private final boolean allow;

@JsonCreator
public MirrorDto(@JsonProperty("id") String id,
Expand All @@ -65,94 +45,16 @@ public MirrorDto(@JsonProperty("id") String id,
@JsonProperty("remoteBranch") String remoteBranch,
@JsonProperty("gitignore") @Nullable String gitignore,
@JsonProperty("credentialId") String credentialId,
@JsonProperty("zone") @Nullable String zone) {
this.id = requireNonNull(id, "id");
this.enabled = firstNonNull(enabled, true);
this.projectName = requireNonNull(projectName, "projectName");
this.schedule = schedule;
this.direction = requireNonNull(direction, "direction");
this.localRepo = requireNonNull(localRepo, "localRepo");
this.localPath = requireNonNull(localPath, "localPath");
this.remoteScheme = requireNonNull(remoteScheme, "remoteScheme");
this.remoteUrl = requireNonNull(remoteUrl, "remoteUrl");
this.remotePath = requireNonNull(remotePath, "remotePath");
this.remoteBranch = requireNonNull(remoteBranch, "remoteBranch");
this.gitignore = gitignore;
this.credentialId = requireNonNull(credentialId, "credentialId");
this.zone = zone;
}

@JsonProperty("id")
public String id() {
return id;
}

@JsonProperty("enabled")
public boolean enabled() {
return enabled;
}

@JsonProperty("projectName")
public String projectName() {
return projectName;
}

@Nullable
@JsonProperty("schedule")
public String schedule() {
return schedule;
}

@JsonProperty("direction")
public String direction() {
return direction;
}

@JsonProperty("localRepo")
public String localRepo() {
return localRepo;
}

@JsonProperty("localPath")
public String localPath() {
return localPath;
}

@JsonProperty("remoteScheme")
public String remoteScheme() {
return remoteScheme;
}

@JsonProperty("remoteUrl")
public String remoteUrl() {
return remoteUrl;
}

@JsonProperty("remotePath")
public String remotePath() {
return remotePath;
}

@JsonProperty("remoteBranch")
public String remoteBranch() {
return remoteBranch;
}

@Nullable
@JsonProperty("gitignore")
public String gitignore() {
return gitignore;
}

@JsonProperty("credentialId")
public String credentialId() {
return credentialId;
@JsonProperty("zone") @Nullable String zone,
@JsonProperty("allow") boolean allow) {
super(id, enabled, projectName, schedule, direction, localRepo, localPath, remoteScheme, remoteUrl,
remotePath, remoteBranch, gitignore, credentialId, zone);
this.allow = allow;
}

@Nullable
@JsonProperty("zone")
public String zone() {
return zone;
@JsonProperty("allow")
public boolean allow() {
return allow;
}

@Override
Expand All @@ -164,45 +66,16 @@ public boolean equals(Object o) {
return false;
}
final MirrorDto mirrorDto = (MirrorDto) o;
return id.equals(mirrorDto.id) &&
enabled == mirrorDto.enabled &&
projectName.equals(mirrorDto.projectName) &&
Objects.equals(schedule, mirrorDto.schedule) &&
direction.equals(mirrorDto.direction) &&
localRepo.equals(mirrorDto.localRepo) &&
localPath.equals(mirrorDto.localPath) &&
remoteScheme.equals(mirrorDto.remoteScheme) &&
remoteUrl.equals(mirrorDto.remoteUrl) &&
remotePath.equals(mirrorDto.remotePath) &&
remoteBranch.equals(mirrorDto.remoteBranch) &&
Objects.equals(gitignore, mirrorDto.gitignore) &&
credentialId.equals(mirrorDto.credentialId) &&
Objects.equals(zone, mirrorDto.zone);
return super.equals(o) && allow == mirrorDto.allow;
}

@Override
public int hashCode() {
return Objects.hash(id, projectName, schedule, direction, localRepo, localPath, remoteScheme,
remoteUrl, remotePath, remoteBranch, gitignore, credentialId, enabled, zone);
return super.hashCode() * 31 + Objects.hash(allow);
}

@Override
public String toString() {
return MoreObjects.toStringHelper(this)
.omitNullValues()
.add("id", id)
.add("enabled", enabled)
.add("projectName", projectName)
.add("schedule", schedule)
.add("direction", direction)
.add("localRepo", localRepo)
.add("localPath", localPath)
.add("remoteScheme", remoteScheme)
.add("remoteUrl", remoteUrl)
.add("remotePath", remotePath)
.add("gitignore", gitignore)
.add("credentialId", credentialId)
.add("zone", zone)
.toString();
return toStringHelper().add("allow", allow).toString();
}
}
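Review bot: `allow` is bound from JSON through `@JsonProperty("allow") boolean allow` in the `@JsonCreator` constructor, so any code path that deserializes a client-supplied `MirrorDto` would accept a caller-chosen value for what appears to be a server-side access decision. The callers that deserialize this type are not visible in this section, so it is worth confirming that the flag is always derived from the mirror access control on the server and never copied from a request body. A payload without `allow` binds the primitive to `false` under Jackson's default settings, which fails closed but can look like a denial to a client talking to a server that does not yet send the field. I would document the contract on the accessor, e.g. `/** Whether the mirror access control allows the remote repository of this mirror; computed by the server. */`. As a smaller style point, `Objects.hash(allow)` boxes a single value into a varargs array where `Boolean.hashCode(allow)` would do.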