Migrate to New Security Model (#5)

go.mod

@@ -7,16 +7,17 @@ require (
 	github.com/go-chi/chi/v5 v5.1.0
 	github.com/oapi-codegen/runtime v1.1.1
 	github.com/spf13/pflag v1.0.5
-	github.com/unikorn-cloud/core v0.1.77
-	github.com/unikorn-cloud/identity v0.2.42
-	github.com/unikorn-cloud/kubernetes v0.2.43
+	github.com/unikorn-cloud/core v0.1.79
+	github.com/unikorn-cloud/identity v0.2.44
+	github.com/unikorn-cloud/kubernetes v0.2.47
 	go.opentelemetry.io/otel/sdk v1.31.0
 	k8s.io/api v0.31.1
 	k8s.io/apimachinery v0.31.1
 	sigs.k8s.io/controller-runtime v0.19.0
 )
 
 require (
+	github.com/Masterminds/semver/v3 v3.3.0 // indirect
 	github.com/apapsch/go-jsonmerge/v2 v2.0.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
@@ -49,7 +50,6 @@ require (
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/klauspost/compress v1.17.11 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
-	github.com/masterminds/semver v1.5.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 // indirect
@@ -60,6 +60,7 @@ require (
 	github.com/prometheus/client_model v0.6.1 // indirect
 	github.com/prometheus/common v0.60.0 // indirect
 	github.com/prometheus/procfs v0.15.1 // indirect
+	github.com/unikorn-cloud/region v0.1.45 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	go.opentelemetry.io/otel v1.31.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.31.0 // indirect

go.sum

@@ -1,5 +1,5 @@
-github.com/Masterminds/semver v1.5.0 h1:H65muMkzWKEuNDnfl9d70GUjFniHKHRbFPGBuZ3QEww=
-github.com/Masterminds/semver v1.5.0/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y=
+github.com/Masterminds/semver/v3 v3.3.0 h1:B8LGeaivUe71a5qox1ICM/JLl0NqZSW5CHyL+hmvYS0=
+github.com/Masterminds/semver/v3 v3.3.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
 github.com/RaveNoX/go-jsoncommentstrip v1.0.0/go.mod h1:78ihd09MekBnJnxpICcwzCMzGrKSKYe4AqU6PDYYpjk=
 github.com/apapsch/go-jsonmerge/v2 v2.0.0 h1:axGnT1gRIfimI7gJifB699GoE/oq+F2MU7Dml6nw9rQ=
 github.com/apapsch/go-jsonmerge/v2 v2.0.0/go.mod h1:lvDnEdqiQrp0O42VQGgmlKpxL1AP2+08jFMw88y4klk=
@@ -92,8 +92,6 @@ github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
 github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
-github.com/masterminds/semver v1.5.0 h1:hTxJTTY7tjvnWMrl08O6u3G6BLlKVwxSz01lVac9P8U=
-github.com/masterminds/semver v1.5.0/go.mod h1:s7KNT9fnd7edGzwwP7RBX4H0v/CYd5qdOLfkL1V75yg=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
@@ -135,12 +133,14 @@ github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsT
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/ugorji/go/codec v1.2.12 h1:9LC83zGrHhuUA9l16C9AHXAqEV/2wBQ4nkvumAE65EE=
 github.com/ugorji/go/codec v1.2.12/go.mod h1:UNopzCgEMSXjBc6AOMqYvWC1ktqTAfzJZUZgYf6w6lg=
-github.com/unikorn-cloud/core v0.1.77 h1:DHxIOuS5RAZylzxHF/kUt955TdmE5kJiY/Z2yqC0/e0=
-github.com/unikorn-cloud/core v0.1.77/go.mod h1:S9AF4PwTQljImb9w0P2jKjzRe8fLM+rx+ZbxrAHw/yE=
-github.com/unikorn-cloud/identity v0.2.42 h1:9amEcydDq23RZYO4rTtxOhVgw/BH1mdXQgq0fWT+RM0=
-github.com/unikorn-cloud/identity v0.2.42/go.mod h1:JMbS6iTYzt0OVt5AkqZys3WVnpLabGvUl8kGWcxzFZI=
-github.com/unikorn-cloud/kubernetes v0.2.43 h1:BTuzkCDv93TIvGFR0WqAtVaymzsVbACOmfAD4ESH9rU=
-github.com/unikorn-cloud/kubernetes v0.2.43/go.mod h1:7CqJxX5box/gtVEbKqZwn4TJAZpn6QKuynfItr6LCbc=
+github.com/unikorn-cloud/core v0.1.79 h1:fdIUG7R2Sa2wBY+x+JLhCzQYuGFQqCf7PS/lB7u1Dzg=
+github.com/unikorn-cloud/core v0.1.79/go.mod h1:wEKzCwAnIyTbo27l++Wl+gK95TAxMsFS3y3jbFB03aw=
+github.com/unikorn-cloud/identity v0.2.44 h1:tXV/qsJ77Dkx8ba8gnBFXHWUgBNsJ2oo/5TjnyhkH7U=
+github.com/unikorn-cloud/identity v0.2.44/go.mod h1:JMbS6iTYzt0OVt5AkqZys3WVnpLabGvUl8kGWcxzFZI=
+github.com/unikorn-cloud/kubernetes v0.2.47 h1:dc2V0RWabhZ6hUwrRkdWVMI48eNq5oZbgAGS3RC1r+I=
+github.com/unikorn-cloud/kubernetes v0.2.47/go.mod h1:CsQpKzcNjB7QNTN/G71n4vtfg4FhsEdjiDngvbL4kRo=
+github.com/unikorn-cloud/region v0.1.45 h1:qpUwB+s/SEZNHZqwHTYovtWUVdJB2AKEl06NbiIwnOw=
+github.com/unikorn-cloud/region v0.1.45/go.mod h1:QqWLEfB8bNRIUAU7h5JjkQsjyJdTV+2ltDYksRjKMds=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=

pkg/provisioners/managers/application/provisioner.go

@@ -99,14 +99,14 @@ func (p *Provisioner) getKubernetesClient(ctx context.Context, traceName string)
 
 	tokenIssuer := identityclient.NewTokenIssuer(cli, p.options.kubernetesOptions, &p.options.clientOptions, constants.Application, constants.Version)
 
-	ctx, err = tokenIssuer.Context(ctx, traceName)
+	token, err := tokenIssuer.Issue(ctx, traceName)
 	if err != nil {
 		return nil, nil, err
 	}
 
 	getter := kubernetesclient.New(cli, p.options.kubernetesOptions, &p.options.clientOptions)
 
-	client, err := getter.Client(ctx)
+	client, err := getter.Client(ctx, token)
 	if err != nil {
 		return nil, nil, err
 	}

pkg/server/handler/application/client.go

@@ -47,15 +47,15 @@ func convert(in *unikornv1core.HelmApplication) *openapi.ApplicationRead {
 
 	for _, version := range in.Spec.Versions {
 		v := openapi.ApplicationVersion{
-			Version: *version.Version,
+			Version: version.Version.Original(),
 		}
 
 		if len(version.Dependencies) != 0 {
 			deps := make(openapi.ApplicationDependencies, 0, len(version.Dependencies))
 
 			for _, dependency := range version.Dependencies {
 				deps = append(deps, openapi.ApplicationDependency{
-					Name: *dependency.Name,
+					Name: dependency.Name,
 				})
 			}
 
@@ -67,7 +67,7 @@ func convert(in *unikornv1core.HelmApplication) *openapi.ApplicationRead {
 
 			for _, recommend := range version.Recommends {
 				recommends = append(recommends, openapi.ApplicationDependency{
-					Name: *recommend.Name,
+					Name: recommend.Name,
 				})
 			}
 
@@ -108,9 +108,7 @@ func (c *Client) List(ctx context.Context) ([]*openapi.ApplicationRead, error) {
 		return nil, errors.OAuth2ServerError("failed to list applications").WithError(err)
 	}
 
-	exported := result.Exported()
+	slices.SortStableFunc(result.Items, unikornv1core.CompareHelmApplication)
 
-	slices.SortStableFunc(exported.Items, unikornv1core.CompareHelmApplication)
-
-	return convertList(exported.Items), nil
+	return convertList(result.Items), nil
 }

pkg/server/handler/handler.go

@@ -63,7 +63,7 @@ func (h *Handler) setUncacheable(w http.ResponseWriter) {
 }
 
 func (h *Handler) GetApiV1OrganizationsOrganizationIDProjectsProjectIDApplications(w http.ResponseWriter, r *http.Request, organizationID openapi.OrganizationIDParameter, projectID openapi.ProjectIDParameter) {
-	if err := rbac.AllowProjectScope(r.Context(), "applications", identityapi.Read, organizationID, projectID); err != nil {
+	if err := rbac.AllowProjectScope(r.Context(), "application:applications", identityapi.Read, organizationID, projectID); err != nil {
 		errors.HandleError(w, r, err)
 		return
 	}