Add Groups Foundation

go.mod

@@ -10,7 +10,7 @@ require (
 	github.com/go-jose/go-jose/v3 v3.0.1
 	github.com/google/uuid v1.6.0
 	github.com/spf13/pflag v1.0.5
-	github.com/unikorn-cloud/core v0.1.18
+	github.com/unikorn-cloud/core v0.1.19
 	go.opentelemetry.io/otel v1.24.0
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.22.0
 	go.opentelemetry.io/otel/sdk v1.22.0

go.sum

@@ -261,8 +261,8 @@ github.com/twitchyliquid64/golang-asm v0.15.1 h1:SU5vSMR7hnwNxj24w34ZyCi/FmDZTkS
 github.com/twitchyliquid64/golang-asm v0.15.1/go.mod h1:a1lVb/DtPvCB8fslRZhAngC2+aY1QWCk3Cedj/Gdt08=
 github.com/ugorji/go/codec v1.2.12 h1:9LC83zGrHhuUA9l16C9AHXAqEV/2wBQ4nkvumAE65EE=
 github.com/ugorji/go/codec v1.2.12/go.mod h1:UNopzCgEMSXjBc6AOMqYvWC1ktqTAfzJZUZgYf6w6lg=
-github.com/unikorn-cloud/core v0.1.18 h1:jc8Euf5mRGMJiSpZfnPLboJwG744AMsjW5r0bGn5Xd0=
-github.com/unikorn-cloud/core v0.1.18/go.mod h1:5LzHGYsCfMxC9tv+QblOKH6CDYryX1umvaLrYFh0y6M=
+github.com/unikorn-cloud/core v0.1.19 h1:nMXAnSEdE1q6rLqOt5fNvPSqTDx2fGk2kp0dHXqQDL0=
+github.com/unikorn-cloud/core v0.1.19/go.mod h1:5LzHGYsCfMxC9tv+QblOKH6CDYryX1umvaLrYFh0y6M=
 github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw=
 github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc=
 github.com/valyala/fasttemplate v1.2.1/go.mod h1:KHLXt3tVN2HBp8eijSv/kGJopbvo7S+qRAEEKiv+SiQ=

openapi/server.spec.yaml

@@ -216,9 +216,11 @@ paths:
       - oauth2Authentication: []
       responses:
         '200':
-          description: A list of groups.
+          $ref: '#/components/responses/groupsResponse'
         '401':
-          description: Invalid credentials were provided.
+          $ref: '#/components/responses/unauthorizedResponse'
+        '403':
+          $ref: '#/components/responses/forbiddenResponse'
     post:
       description: |-
         Allows creation of a new group.
@@ -230,11 +232,11 @@ paths:
         '201':
           description: Group successfully created and returned.
         '401':
-          description: Invalid credentials were provided.
+          $ref: '#/components/responses/unauthorizedResponse'
         '403':
-          description: The user is forbidden from creating groups.
+          $ref: '#/components/responses/forbiddenResponse'
         '409':
-          description: The group already exists.
+          $ref: '#/components/responses/conflictResponse'
   /api/v1/organizations/{organization}/groups/{groupid}:
     description: |-
       Allows management of organization groups. Groups provide an identity
@@ -255,25 +257,25 @@ paths:
         '200':
           description: Group successfully updated and returned.
         '401':
-          description: Invalid credentials were provided.
+          $ref: '#/components/responses/unauthorizedResponse'
         '403':
-          description: The user is forbidden from creating groups.
+          $ref: '#/components/responses/forbiddenResponse'
         '404':
-          description: The requested group does not exist.
+          $ref: '#/components/responses/notFoundResponse'
     delete:
       description: |-
           Allows the deletion of an existing group.
       security:
       - oauth2Authentication: []
       responses:
-        '204':
+        '200':
           description: Group successfully deleted.
         '401':
-          description: Invalid credentials were provided.
+          $ref: '#/components/responses/unauthorizedResponse'
         '403':
-          description: The user is forbidden from deleting groups.
-        '410':
-          description: The requested group does not exist.
+          $ref: '#/components/responses/forbiddenResponse'
+        '404':
+          $ref: '#/components/responses/notFoundResponse'
 components:
   parameters:
     organizationParameter:
@@ -606,6 +608,41 @@ components:
       type: array
       items:
         $ref: '#/components/schemas/organization'
+    userList:
+      description: A list of users.
+      type: array
+      items:
+        description: A canonical user name (e.g email address).
+        type: string
+    roleList:
+      description: A list of roles.
+      type: array
+      items:
+        description: A role name.
+        type: string
+    group:
+      description: A group.
+      type: object
+      required:
+      - id
+      - name
+      - roles
+      properties:
+        id:
+          description: An immutable group ID.
+          type: string
+        name:
+          description: The group name.
+          type: string
+        users:
+          $ref: '#/components/schemas/userList'
+        roles:
+          $ref: '#/components/schemas/roleList'
+    groups:
+      description: A list of groups.
+      type: array
+      items:
+        $ref: '#/components/schemas/group'
   requestBodies:
     loginRequest:
       description: Information necessary to resolve a federated SSO provider.
@@ -650,14 +687,14 @@ components:
       content:
         application/json:
           schema:
-            type: object
+            $ref: '#/components/schemas/group'
     updateGroupRequest:
       description: Body required to update a group.
       required: true
       content:
         application/json:
           schema:
-            type: object
+            $ref: '#/components/schemas/group'
   responses:
     badRequestResponse:
       description: |-
@@ -800,6 +837,20 @@ components:
           - name: acme-corp
             domain: acme.corp
             providerName: google-identity
+    groupsResponse:
+      description: |-
+        A list of groups for the organization.
+      content:
+        application/json:
+          schema:
+            $ref: '#/components/schemas/groups'
+          example:
+          - id: 401cfc2c-2135-4619-a6ff-1ac247a3b2ad
+            name: The A-Team
+            users:
+            - face@a-team.com
+            roles:
+            - admin
   securitySchemes:
     oauth2Authentication:
       description: Operation requires OAuth2 bearer token authentication.

org.yaml

@@ -0,0 +1,15 @@
+apiVersion: identity.unikorn-cloud.org/v1alpha1
+kind: Organization
+metadata:
+  name: nscale
+  namespace: unikorn-identity
+spec:
+    domain: nscale.com
+    providerName: google-identity
+    groups:
+    - id: 8e4516ed-69f1-4509-889b-a1de21738294
+      name: Platform Administrators
+      roles:
+      - superAdmin
+      users:
+      - simon.murray@nscale.com