Merge pull request #7587 from influxdata/dom/tidy-authz

refactor: move HTTP authz helpers into authz

Cargo.lock

@@ -516,6 +516,7 @@ version = "0.1.0"
 dependencies = [
  "async-trait",
  "generated_types",
+ "http",
  "observability_deps",
  "snafu",
  "tonic 0.9.2",
@@ -3011,6 +3012,7 @@ name = "ioxd_common"
 version = "0.1.0"
 dependencies = [
  "async-trait",
+ "authz",
  "bytes",
  "clap 4.2.2",
  "clap_blocks",
@@ -3031,7 +3033,6 @@ dependencies = [
  "serde",
  "serde_json",
  "serde_urlencoded",
- "server_util",
  "service_grpc_testing",
  "snafu",
  "tokio",
@@ -4750,7 +4751,6 @@ dependencies = [
  "serde",
  "serde_json",
  "serde_urlencoded",
- "server_util",
  "service_grpc_catalog",
  "service_grpc_namespace",
  "service_grpc_object_store",
@@ -4997,14 +4997,6 @@ dependencies = [
  "serde",
 ]
 
-[[package]]
-name = "server_util"
-version = "0.1.0"
-dependencies = [
- "http",
- "workspace-hack",
-]
-
 [[package]]
 name = "service_common"
 version = "0.1.0"

Cargo.toml

@@ -61,7 +61,6 @@ members = [
     "query_functions",
     "router",
     "schema",
-    "server_util",
     "service_common",
     "service_grpc_catalog",
     "service_grpc_flight",

authz/Cargo.toml

@@ -9,6 +9,7 @@ license.workspace = true
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
 [dependencies]
+http = {version = "0.2.9", optional = true }
 generated_types = { path = "../generated_types" }
 observability_deps = { path = "../observability_deps" }
 workspace-hack = { version = "0.1", path = "../workspace-hack" }
@@ -17,3 +18,6 @@ workspace-hack = { version = "0.1", path = "../workspace-hack" }
 async-trait = "0.1"
 snafu = "0.7"
 tonic = { workspace = true }
+
+[features]
+http = ["dep:http"]

authz/src/http.rs

@@ -1,4 +1,4 @@
-//! Common authorization helpers
+//! HTTP authorisation helpers.
 
 use http::HeaderValue;
 

authz/src/lib.rs

@@ -24,6 +24,9 @@ use snafu::Snafu;
 mod permission;
 pub use permission::{Action, Permission, Resource};
 
+#[cfg(feature = "http")]
+pub mod http;
+
 /// An authorizer is used to validate the associated with
 /// an authorization token that has been extracted from a request.
 #[async_trait]

ioxd_common/Cargo.toml

@@ -9,6 +9,7 @@ license.workspace = true
 
 [dependencies]
 # Workspace dependencies, in alphabetical order
+authz = { path = "../authz", features = ["http"] }
 clap_blocks = { path = "../clap_blocks" }
 generated_types = { path = "../generated_types" }
 heappy = { git = "https://github.com/mkmik/heappy", rev = "1d6ac77a4026fffce8680a7b31a9f6e9859b5e73", features = ["enable_heap_profiler", "jemalloc_shim", "measure_free"], optional = true }
@@ -19,7 +20,6 @@ observability_deps = { path = "../observability_deps" }
 # (honestly I thought that cargo dependencies were isolated on a per crate basis so I'm a bit surprised that pprof accidentally builds
 # successfully just because another crate happens to depend on backtrace-rs)
 pprof = { version = "0.11", default-features = false, features = ["flamegraph", "prost-codec"], optional = true }
-server_util = { path = "../server_util" }
 service_grpc_testing = { path = "../service_grpc_testing" }
 trace = { path = "../trace" }
 trace_exporters = { path = "../trace_exporters" }

ioxd_common/src/http/mod.rs

@@ -1,5 +1,6 @@
 use std::{convert::Infallible, num::NonZeroI32, sync::Arc};
 
+use authz::http::AuthorizationHeaderExtension;
 use hyper::{
     http::HeaderValue,
     server::conn::{AddrIncoming, AddrStream},
@@ -7,7 +8,6 @@ use hyper::{
 };
 use observability_deps::tracing::{debug, error};
 use serde::Deserialize;
-use server_util::authorization::AuthorizationHeaderExtension;
 use snafu::Snafu;
 use tokio_util::sync::CancellationToken;
 use tower::Layer;

router/Cargo.toml

@@ -32,7 +32,6 @@ schema = { version = "0.1.0", path = "../schema" }
 serde = "1.0"
 serde_json = "1.0.96"
 serde_urlencoded = "0.7"
-server_util = { path = "../server_util" }
 service_grpc_catalog = { path = "../service_grpc_catalog"}
 service_grpc_namespace = { path = "../service_grpc_namespace"}
 service_grpc_object_store = { path = "../service_grpc_object_store" }

router/src/server/http.rs

@@ -2,7 +2,7 @@
 
 pub mod write;
 
-use authz::{Action, Authorizer, Permission, Resource};
+use authz::{http::AuthorizationHeaderExtension, Action, Authorizer, Permission, Resource};
 use bytes::{Bytes, BytesMut};
 use futures::StreamExt;
 use hashbrown::HashMap;
@@ -12,7 +12,6 @@ use metric::{DurationHistogram, U64Counter};
 use mutable_batch::MutableBatch;
 use mutable_batch_lp::LinesConverter;
 use observability_deps::tracing::*;
-use server_util::authorization::AuthorizationHeaderExtension;
 use std::{str::Utf8Error, sync::Arc, time::Instant};
 use thiserror::Error;
 use tokio::sync::{Semaphore, TryAcquireError};

server_util/Cargo.toml

@@ -1,12 +0,0 @@
-[package]
-name = "server_util"
-description = "Shared code for IOx servers"
-version.workspace = true
-authors.workspace = true
-edition.workspace = true
-license.workspace = true
-
-[dependencies]
-http = "0.2.9"
-workspace-hack = { version = "0.1", path = "../workspace-hack" }
-

server_util/src/lib.rs

@@ -1,20 +0,0 @@
-//! Shared InfluxDB IOx API client functionality
-#![deny(
-    rustdoc::broken_intra_doc_links,
-    rustdoc::bare_urls,
-    rust_2018_idioms,
-    missing_debug_implementations,
-    unreachable_pub
-)]
-#![warn(
-    missing_docs,
-    clippy::todo,
-    clippy::dbg_macro,
-    clippy::clone_on_ref_ptr,
-    clippy::future_not_send,
-    clippy::todo,
-    clippy::dbg_macro
-)]
-#![allow(clippy::missing_docs_in_private_items)]
-
-pub mod authorization;