From 430d3734cfc7002771ce41b521d1045a89271222 Mon Sep 17 00:00:00 2001
From: Ho Kim
Date: Tue, 16 Jul 2024 08:11:26 +0000
Subject: [PATCH] feat(vine): add keycloak support

---
 crates/vine/api/src/user_auth.rs | 1 +
 .../vine/plugin/src/routes/desktop/batch.rs | 3 +-
 .../vine/plugin/src/routes/desktop/single.rs | 7 +++--
 crates/vine/plugin/src/routes/session.rs | 3 +-
 crates/vine/rbac/src/auth.rs | 28 +++++++++++--------
 5 files changed, 27 insertions(+), 15 deletions(-)

diff --git a/crates/vine/api/src/user_auth.rs b/crates/vine/api/src/user_auth.rs
index a7ee1020..157e4baa 100644
--- a/crates/vine/api/src/user_auth.rs
+++ b/crates/vine/api/src/user_auth.rs
@@ -116,6 +116,7 @@ pub enum UserAuthResponse {
 box_name: Option,
 box_quota_bindings: Vec>,
 user: UserSpec,
+ user_name: String,
 },
 Error(UserAuthError),
 }
diff --git a/crates/vine/plugin/src/routes/desktop/batch.rs b/crates/vine/plugin/src/routes/desktop/batch.rs
index 7d90c328..fc88051f 100644
--- a/crates/vine/plugin/src/routes/desktop/batch.rs
+++ b/crates/vine/plugin/src/routes/desktop/batch.rs
@@ -5,7 +5,7 @@ use actix_web::{
 };
 use ark_core::result::Result;
 use kube::Client;
-use tracing::{instrument, Level};
+use tracing::{instrument, warn, Level};
 use vine_api::user_session::{UserSessionCommandBatch, UserSessionMetadata};
 use vine_rbac::auth::AuthUserSession;
 use vine_session::batch::{BatchCommandArgs, BatchCommandUsers};
@@ -27,6 +27,7 @@ pub async fn post_exec_broadcast(
 .await
 .and_then(|metadata| metadata.assert_admin())
 {
+ warn!("{error}");
 return HttpResponse::from(Result::<()>::Err(error.to_string()));
 };

diff --git a/crates/vine/plugin/src/routes/desktop/single.rs b/crates/vine/plugin/src/routes/desktop/single.rs
index 8dd152e8..799665bf 100644
--- a/crates/vine/plugin/src/routes/desktop/single.rs
+++ b/crates/vine/plugin/src/routes/desktop/single.rs
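Review bot: The new `user_name: String` field on `UserAuthResponse::Accept` has no doc comment, and because the variant already carries `user: UserSpec` a reader cannot tell which identity this string denotes or how it relates to the name the caller supplied. In `crates/vine/rbac/src/auth.rs` the caller destructures this field and lets it shadow the request-derived `user_name`, so in practice it is the principal name used for the role lookup; that contract belongs on the type, not only in the call site. Suggested: `/// User name as returned in the authentication response; callers use this, not the request-supplied name, for role lookup.` If the field is guaranteed to equal the requested name, say that instead.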
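Review bot: The `error` that is now logged is still returned verbatim to the client through `Result::<()>::Err(error.to_string())`, so a caller that fails `assert_admin()` receives the same internal detail the server records, which can include the wrapped backend chain built in `crates/vine/rbac/src/auth.rs` (`failed to get user role: …`, `failed to auth user: …`). With the server-side `warn!` in place the client no longer needs that detail; if the `Err` arm of `ark_core::result::Result` is a plain `String`, `return HttpResponse::from(Result::<()>::Err("unauthorized".to_string()));` keeps the response uninformative while the log retains the cause. The same pattern is added in `single.rs` (`@@ -23`) and `session.rs` (`@@ -15`). The structured form `warn!(%error, "rejected request")` would also make the cause a field rather than interpolated text. `post_exec_broadcast` begins outside this hunk.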
@@ -5,7 +5,7 @@ use actix_web::{
 };
 use ark_core::result::Result;
 use kube::Client;
-use tracing::{instrument, Level};
+use tracing::{instrument, warn, Level};
 use vine_api::user_session::{UserSessionCommand, UserSessionRef};
 use vine_rbac::auth::{AuthUserSession, AuthUserSessionRef};
 use vine_session::exec::SessionExecExt;
@@ -23,7 +23,10 @@ pub async fn post_exec(
 .and_then(|session| session.try_into_ark_session())
 {
 Ok(session) => session,
- Err(error) => return HttpResponse::from(Result::<()>::Err(error.to_string())),
+ Err(error) => {
+ warn!("{error}");
+ return HttpResponse::from(Result::<()>::Err(error.to_string()));
+ }
 };

 let result = session.exec_without_tty(kube, command).await.map(|_| ());
diff --git a/crates/vine/plugin/src/routes/session.rs b/crates/vine/plugin/src/routes/session.rs
index 74e3e045..9d2528dc 100644
--- a/crates/vine/plugin/src/routes/session.rs
+++ b/crates/vine/plugin/src/routes/session.rs
@@ -2,7 +2,7 @@ use actix_web::{get, web::Data, HttpRequest, HttpResponse, Responder};
 use ark_api::SessionRef;
 use ark_core::result::Result;
 use kube::Client;
-use tracing::{instrument, Level};
+use tracing::{instrument, warn, Level};
 use vine_api::user_session::UserSessionMetadata;
 use vine_rbac::auth::AuthUserSession;
 use vine_session::exec::SessionExec;
@@ -15,6 +15,7 @@ pub async fn list(request: HttpRequest, kube: Data) -> impl Responder {
 .await
 .and_then(|metadata| metadata.assert_admin())
 {
+ warn!("{error}");
 return HttpResponse::from(Result::<()>::Err(error.to_string()));
 };

diff --git a/crates/vine/rbac/src/auth.rs b/crates/vine/rbac/src/auth.rs
index 8dd089a1..4cec38c8 100644
--- a/crates/vine/rbac/src/auth.rs
+++ b/crates/vine/rbac/src/auth.rs
@@ -135,21 +135,26 @@ impl AuthUserSession for UserSessionMetadata {
 let user_name = get_user_name_with_timestamp(request, now)
 .map_err(|error| anyhow!("failed to get user name: {error}"))?;
- let role = get_user_role(client, &user_name, now)
- .await
- .map_err(|error| anyhow!("failed to get user role: {error}"))?;
-
- execute_with_timestamp(client, &user_name, now)
- .await
- .and_then(|response| match response {
- UserAuthResponse::Accept { box_name, user, .. } => Ok(Self {
+ match execute_with_timestamp(client, &user_name, now).await? {
+ UserAuthResponse::Accept {
+ box_name,
+ user,
+ user_name,
+ ..
+ } => {
+ let role = get_user_role(client, &user_name, now)
+ .await
+ .map_err(|error| anyhow!("failed to get user role: {error}"))?;
+
+ Ok(Self {
 box_name,
 role,
 user,
 user_name,
- }),
- UserAuthResponse::Error(error) => bail!("failed to auth user: {error}"),
- })
+ })
+ }
+ UserAuthResponse::Error(error) => bail!("failed to auth user: {error}"),
+ }
 }
 }
@@ -436,6 +441,7 @@ async fn execute_with_timestamp(
 box_name,
 box_quota_bindings,
 user: user.spec,
+ user_name,
 })
 }
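Review bot: In the `Accept` arm the destructured `user_name` silently shadows the `user_name` produced by `get_user_name_with_timestamp` a few lines above, so `get_user_role` and the returned `Self` now operate on the name carried in the auth response rather than the name asserted by the request, whereas the removed code used the request name for both. If the backend-returned name is meant to be authoritative that deserves a comment, and a disagreement between the two names is an authorization-relevant event worth recording before the request-derived value is dropped, e.g. rename the outer binding to `requested_user_name` and open the arm with `if user_name != requested_user_name { warn!(requested = %requested_user_name, resolved = %user_name, "auth response user name differs from request"); }` (importing `tracing::warn` if this crate does not already have it). The value originates from the `+ user_name,` added in the `@@ -436` hunk of `execute_with_timestamp`, but that function's body and the source of its `user_name` lie outside the hunk, so I cannot confirm how it is derived. The method enclosing this hunk also begins outside it.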