Update Creation Auditiing (#104)

To actually audit resource creation meaningfully, we need to get the
resource ID, and the only way to do that in a generic way is to return
the generated resource in all POST APIs.

charts/identity/Chart.yaml

@@ -4,8 +4,8 @@ description: A Helm chart for deploying Unikorn's IdP
 
 type: application
 
-version: v0.2.27
-appVersion: v0.2.27
+version: v0.2.28
+appVersion: v0.2.28
 
 icon: https://raw.githubusercontent.com/unikorn-cloud/assets/main/images/logos/dark-on-light/icon.png
 

go.mod

@@ -11,7 +11,7 @@ require (
 	github.com/oapi-codegen/runtime v1.1.1
 	github.com/spf13/pflag v1.0.5
 	github.com/stretchr/testify v1.9.0
-	github.com/unikorn-cloud/core v0.1.61
+	github.com/unikorn-cloud/core v0.1.62
 	go.opentelemetry.io/otel v1.28.0
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.28.0
 	go.opentelemetry.io/otel/sdk v1.28.0

go.sum

@@ -127,8 +127,8 @@ github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsT
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/ugorji/go/codec v1.2.12 h1:9LC83zGrHhuUA9l16C9AHXAqEV/2wBQ4nkvumAE65EE=
 github.com/ugorji/go/codec v1.2.12/go.mod h1:UNopzCgEMSXjBc6AOMqYvWC1ktqTAfzJZUZgYf6w6lg=
-github.com/unikorn-cloud/core v0.1.61 h1:mnQ+43wKTsXYHRztiC0ddUS+ZZ2OaIdy5JYjDlaRpg4=
-github.com/unikorn-cloud/core v0.1.61/go.mod h1:Cd0zU1LrKo+OwnnCwuTQ+QL3yibnkjDHtkujfDM4AdE=
+github.com/unikorn-cloud/core v0.1.62 h1:EbXZxQxBIYjWC/LVLw8xAd46609u5GLc2DxnrZnLYxE=
+github.com/unikorn-cloud/core v0.1.62/go.mod h1:Cd0zU1LrKo+OwnnCwuTQ+QL3yibnkjDHtkujfDM4AdE=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=

pkg/handler/groups/client.go

@@ -156,26 +156,22 @@ func (c *Client) generate(ctx context.Context, organization *organizations.Meta,
 	return out, nil
 }
 
-func (c *Client) Create(ctx context.Context, organizationID string, request *openapi.GroupWrite) error {
+func (c *Client) Create(ctx context.Context, organizationID string, request *openapi.GroupWrite) (*openapi.GroupRead, error) {
 	organization, err := organizations.New(c.client, c.namespace).GetMetadata(ctx, organizationID)
 	if err != nil {
-		return err
+		return nil, err
 	}
 
 	resource, err := c.generate(ctx, organization, request)
 	if err != nil {
-		return err
+		return nil, err
 	}
 
 	if err := c.client.Create(ctx, resource); err != nil {
-		if kerrors.IsAlreadyExists(err) {
-			return errors.HTTPConflict()
-		}
-
-		return errors.OAuth2ServerError("failed to create group").WithError(err)
+		return nil, errors.OAuth2ServerError("failed to create group").WithError(err)
 	}
 
-	return nil
+	return convert(resource), nil
 }
 
 func (c *Client) Update(ctx context.Context, organizationID, groupID string, request *openapi.GroupWrite) error {

pkg/handler/handler.go

@@ -226,13 +226,14 @@ func (h *Handler) PostApiV1OrganizationsOrganizationIDOauth2providers(w http.Res
 		return
 	}
 
-	if err := oauth2providers.New(h.client, h.namespace).Create(r.Context(), organizationID, request); err != nil {
+	result, err := oauth2providers.New(h.client, h.namespace).Create(r.Context(), organizationID, request)
+	if err != nil {
 		errors.HandleError(w, r, err)
 		return
 	}
 
 	h.setUncacheable(w)
-	w.WriteHeader(http.StatusCreated)
+	util.WriteJSONResponse(w, r, http.StatusCreated, result)
 }
 
 func (h *Handler) PutApiV1OrganizationsOrganizationIDOauth2providersProviderID(w http.ResponseWriter, r *http.Request, organizationID openapi.OrganizationIDParameter, providerID openapi.Oauth2ProvderIDParameter) {
@@ -366,13 +367,14 @@ func (h *Handler) PostApiV1OrganizationsOrganizationIDGroups(w http.ResponseWrit
 		return
 	}
 
-	if err := groups.New(h.client, h.namespace).Create(r.Context(), organizationID, request); err != nil {
+	result, err := groups.New(h.client, h.namespace).Create(r.Context(), organizationID, request)
+	if err != nil {
 		errors.HandleError(w, r, err)
 		return
 	}
 
 	h.setUncacheable(w)
-	w.WriteHeader(http.StatusCreated)
+	util.WriteJSONResponse(w, r, http.StatusCreated, result)
 }
 
 func (h *Handler) GetApiV1OrganizationsOrganizationIDGroupsGroupid(w http.ResponseWriter, r *http.Request, organizationID openapi.OrganizationIDParameter, groupID openapi.GroupidParameter) {
@@ -457,13 +459,14 @@ func (h *Handler) PostApiV1OrganizationsOrganizationIDProjects(w http.ResponseWr
 		return
 	}
 
-	if err := projects.New(h.client, h.namespace).Create(r.Context(), organizationID, request); err != nil {
+	result, err := projects.New(h.client, h.namespace).Create(r.Context(), organizationID, request)
+	if err != nil {
 		errors.HandleError(w, r, err)
 		return
 	}
 
 	h.setUncacheable(w)
-	w.WriteHeader(http.StatusAccepted)
+	util.WriteJSONResponse(w, r, http.StatusAccepted, result)
 }
 
 func (h *Handler) GetApiV1OrganizationsOrganizationIDProjectsProjectID(w http.ResponseWriter, r *http.Request, organizationID openapi.OrganizationIDParameter, projectID openapi.ProjectIDParameter) {

pkg/handler/oauth2providers/client.go

@@ -139,23 +139,19 @@ func (c *Client) generate(ctx context.Context, organization *organizations.Meta,
 	return out
 }
 
-func (c *Client) Create(ctx context.Context, organizationID string, request *openapi.Oauth2ProviderWrite) error {
+func (c *Client) Create(ctx context.Context, organizationID string, request *openapi.Oauth2ProviderWrite) (*openapi.Oauth2ProviderRead, error) {
 	organization, err := organizations.New(c.client, c.namespace).GetMetadata(ctx, organizationID)
 	if err != nil {
-		return err
+		return nil, err
 	}
 
 	resource := c.generate(ctx, organization, request)
 
 	if err := c.client.Create(ctx, resource); err != nil {
-		if kerrors.IsAlreadyExists(err) {
-			return errors.HTTPConflict()
-		}
-
-		return errors.OAuth2ServerError("failed to create oauth2 provider").WithError(err)
+		return nil, errors.OAuth2ServerError("failed to create oauth2 provider").WithError(err)
 	}
 
-	return nil
+	return convert(resource), nil
 }
 
 func (c *Client) Update(ctx context.Context, organizationID, providerID string, request *openapi.Oauth2ProviderWrite) error {

pkg/handler/projects/client.go

@@ -152,27 +152,22 @@ func (c *Client) generate(ctx context.Context, organization *organizations.Meta,
 }
 
 // Create creates the implicit project indentified by the JTW claims.
-func (c *Client) Create(ctx context.Context, organizationID string, request *openapi.ProjectWrite) error {
+func (c *Client) Create(ctx context.Context, organizationID string, request *openapi.ProjectWrite) (*openapi.ProjectRead, error) {
 	organization, err := organizations.New(c.client, c.namespace).GetMetadata(ctx, organizationID)
 	if err != nil {
-		return err
+		return nil, err
 	}
 
 	resource, err := c.generate(ctx, organization, request)
 	if err != nil {
-		return err
+		return nil, err
 	}
 
 	if err := c.client.Create(ctx, resource); err != nil {
-		// TODO: we can do a cached lookup to save the API traffic.
-		if kerrors.IsAlreadyExists(err) {
-			return errors.HTTPConflict()
-		}
-
-		return errors.OAuth2ServerError("failed to create project").WithError(err)
+		return nil, errors.OAuth2ServerError("failed to create project").WithError(err)
 	}
 
-	return nil
+	return convert(resource), nil
 }
 
 func (c *Client) Update(ctx context.Context, organizationID, projectID string, request *openapi.ProjectWrite) error {