Add entitlements assignment at the time of project creation

[teodor-yanev]

Summary

Provide a brief overview of the changes and the issue being addressed.
Explain the rationale and any background necessary for understanding the changes.
List dependencies required by this change, if any.

This PR adds the functionality of automatically creating entitlements records for new projects. This will be done for both project creation paths - parent and sub-projects.

The process is as follows:

1. In the config we have (e.g.:)

features:
  role_feature_mapping:
    stacklok-employees: "stacklok"
    default-roles-stacklok: "default"
    offline_access: "offline"

2. From the user's JWT, we get Keycloak-related data in the form of:

  "realm_access": {
    "roles": [
      "stacklok-employees",
      "default-roles-stacklok",
      "offline_access",
      "uma_authorization"
    ]
  },

3. For each of the three features (stacklok, default, offline), a new entitlement record will be created, mapping the ID of the newly created project.

This not only introduces flexibility in setting up Minder by simply adjusting a config mapping but also helps have separate configurations for each environment and adequate telemetry data at the time of creation instead of aggregating and analysing batched data periodically.

Change Type

Mark the type of change your PR introduces:

• Bug fix (resolves an issue without affecting existing features)
• Feature (adds new functionality without breaking changes)
• Breaking change (may impact existing functionalities or require documentation updates)
• Documentation (updates or additions to documentation)
• Refactoring or test improvements (no bug fixes or new functionality)

Testing

Outline how the changes were tested, including steps to reproduce and any relevant configurations.
Attach screenshots if helpful.

Tested locally and with updated Unit tests.

Review Checklist:

• Reviewed my own code for quality and clarity.
• Added comments to complex or tricky code sections.
• Updated any affected documentation.
• Included tests that validate the fix or feature.
• Checked that related changes are merged.

[coveralls]

coverage: 54.763% (-0.002%) from 54.765%
when pulling f1dd858 on add-automatic-entitlements-assignment
into 84d517a on main.

[evankanderson]

A few top-level comments:

• I'm not sure I'd use the terms "Role" and "Feature" given that we also have OpenFGA roles and OpenFeature features. Maybe "Claim" or "membership" and "Entitlement"?
• This needs a test which covers the new code you've added to actually add some entitlements to a project.
• I'd tend to prefer "return empty" over "return error" for cases where fields are not found unless we can't proceed without that information.

[evankanderson]

Can you add a comment on what the key and value of the map are?

[evankanderson]

Also, I'm wondering if this should be a map[string][]string, to allow multiple features (entitlements) associated with a particular role.

[evankanderson]

Does this need to be an error, or could a JWT have no realm_access field?

[teodor-yanev]

Removed all errors returned from this func, I had the same thought.

[evankanderson]

Does this work as:

Suggested change

	if rolesInterface, ok := realmAccess["roles"].([]interface{}); ok {
	for _, role := range rolesInterface {
	if roleStr, ok := role.(string); ok {
	roles = append(roles, roleStr)
	}
	}
	if roles, ok := realmAccess["roles"].([]string); ok {
	return roles, nil
	}

[teodor-yanev]

This type assertion was not possible --tested at runtime locally.
Still, refactored this part.

[evankanderson]

Does this need to be an error, or is it okay for this to simply return nil (a valid empty slice).

[teodor-yanev]

No, it was removed too.

[evankanderson]

If this is simply taking a db.Querier, I don't think the name needs to be explained.

[evankanderson]

Can we write a single query that inserts multiple rows at once? I'm not sure it matters, this is more a matter of curiousity.

[teodor-yanev]

Yes, that is another thing I also had in mind, the new query cleverly handles this.

[evankanderson]

You can spell interface{} as any as of Go 1.20 or so.

[evankanderson]

Let's use some non-stacklok-specific examples, like "companyA" or "teamB"

[evankanderson]

If you're doing this multiple times, it may be worth having a helper function.

[evankanderson]

Alternatively, if you avoid the errors in features.go, you might not need to change this.

[evankanderson]

Why do this extraction up here, rather than next to the usage?

[JAORMX]

• I'm not sure I'd use the terms "Role" and "Feature" given that we also have OpenFGA roles and OpenFeature features. Maybe "Claim" or "membership" and "Entitlement"?

We do have the term feature within Minder and it's a database table which is linked to projects via entitlements. So the term feature might not be too bad after all in this context. I certainly would advice against using "role" here, though.

[teodor-yanev]

Thanks for the review @evankanderson, I've addressed all the concerns we had.

[evankanderson]

The only item I feel strongly enough to not approve is the names of the db.CreateEntitlementsParams -- I'd like names that help us avoid swapping parameters.

[evankanderson]

What a about:

Suggested change

	if feature, ok := fc.MembershipFeatureMapping[m]; ok {
	if feature := fc.MembershipFeatureMapping[m]; feature != "" {

Which will cover both "not found" and "was an empty string", which we probably don't want.

[evankanderson]

This will leave empty-string memberships if fields can't be converted to string. (Which shouldn't happen, but if we're checking, we should assume it could fail.)

Suggested change

	memberships := make([]string, len(rawMemberships))
	for i, membership := range rawMemberships {
	if membershipStr, ok := membership.(string); ok {
	memberships[i] = membershipStr
	}
	}
	memberships := make([]string, 0, len(rawMemberships))
	for i, membership := range rawMemberships {
	if membershipStr, ok := membership.(string); ok {
	memberships = append(memberships, membershipStr)
	}
	}

[evankanderson]

On line 45, you pre-allocate the slice. Do the same thing here?

Suggested change

	var features []string
	features := make([]string, 0, len(memberships))

[evankanderson]

This should probably take an existing context, so you can use it as a wrapper. (Just a standard pattern, like context.WithValue())

[evankanderson]

Can we rename these parameters from Column1 and Column2? 😁

[teodor-yanev]

Absolutely 😄

[evankanderson]

This is sort-of-weird: this is creating a child project free-form here, separate from the internal/projects code. It's not clear to me whether these child projects should:

1. Copy entitlements from the parent project
2. Use entitlements based on the specific parent project member who creates them
3. Have an empty set of entitlements, and the entitlement queries are extended to check parents.

Right now, it looks like were doing option 2, but it's not clear that is correct.

Let's file an issue and assign it to @ethomson to figure out the desired way to handle entitlements in sub-projects, because those are currently behind an entitlement, and we probably know most of the users of that feature.

[evankanderson]

Also, file a bug to move this code to internal/projects, so all project creation happens in that one module, and internal/controlplane gets a bit smaller.

[teodor-yanev]

I did find it weird that we have two separate paths for project creation, especially one of them being exclusive to the handler and was going to follow-up on that, thanks for noting it as well.

Here are the new issues:

#5001
#5002

[evankanderson]

Nice addition to have a membership that doesn't convert to a feature.