enterprise-portal: implement basic MSP IAM and RPCs (#63173)

Closes CORE-99, closes CORE-176

This PR is based off (and was also served as PoC of) [RFC 962: MSP IAM
framework](https://docs.google.com/document/d/1ItJlQnpR5AHbrfAholZqjH8-8dPF1iQcKh99gE6SSjs/edit).
It comes with two main parts:

1. The initial version of the MSP IAM SDK:
`lib/managedservicesplatform/iam`
- Embeds the [OpenFGA server
implementation](https://github.com/openfga/openfga/tree/main/pkg/server)
and exposes the a `ClientV1` for interacting with it.
- Automagically manages the both MSP IAM's and OpenFGA's database
migrations upon initializing the `ClientV1`.
![CleanShot 2024-06-18 at 15 09
24@2x](https://github.com/sourcegraph/sourcegraph/assets/2946214/387e0e28-a6c2-4664-b946-0ea4a1dd0804)
- Ensures the specified OpenFGA's store and automatization model DSL
exists.
- Utility types and helpers to avoid easy mistakes (i.e. make the
relation tuples a bit more strongly-typed).
- Decided to put all types and pre-defined values together to simulate a
"central registry" and acting as a forcing function for services to form
some sort of convention. Then when we migrate the OpenFGA server to a
separate standalone service, it will be less headache about
consolidating similar meaning types/relations but different string
literals.
1. The first use case of the MSP IAM:
`cmd/enterprise-portal/internal/subscriptionsservice`
	- Added/updated RPCs:
		- Listing enterprise subscriptions via permissions
		- Update enterprise subscriptions to assign instance domains
- Update enterprise subscriptions membership to assign roles (and
permissions)
- A database table for enterprise subscriptions, only storing the extra
instance domains as Enterprise Portal is not the
writeable-source-of-truth.

## Other minor changes

- Moved `internal/redislock` to `lib/redislock` to be used in MSP IAM
SDK.
- Call `createdb ...` as part of `enterprise-portal` install script in
`sg.config.yaml` (`msp_iam` database is a hard requirement of MSP IAM
framework).

## Test plan

Tested with gRPC UI:

- `UpdateEnterpriseSubscription` to assign an instance domain
- `UpdateEnterpriseSubscriptionMembership` to assign roles
- `ListEnterpriseSubscriptions`:
	- List by subscription ID
	- List by instance domain
	- List by view cody analytics permissions

---------

Co-authored-by: Robert Lin <robert@bobheadxi.dev>

Author: unknwon

cmd/enterprise-portal/internal/codyaccessservice/BUILD.bazel

@@ -6,6 +6,7 @@ go_library(
     srcs = [
         "adapters.go",
         "v1.go",
+        "v1_store.go",
     ],
     importpath = "github.com/sourcegraph/sourcegraph/cmd/enterprise-portal/internal/codyaccessservice",
     tags = [TAG_INFRA_CORESERVICES],
@@ -21,6 +22,7 @@ go_library(
         "//lib/errors",
         "@com_connectrpc_connect//:connect",
         "@com_github_sourcegraph_log//:log",
+        "@com_github_sourcegraph_sourcegraph_accounts_sdk_go//:sourcegraph-accounts-sdk-go",
         "@com_github_sourcegraph_sourcegraph_accounts_sdk_go//scopes",
         "@org_golang_google_protobuf//types/known/durationpb",
     ],

cmd/enterprise-portal/internal/codyaccessservice/v1.go

@@ -30,16 +30,16 @@ type DotComDB interface {
 func RegisterV1(
 	logger log.Logger,
 	mux *http.ServeMux,
-	samsClient samsm2m.TokenIntrospector,
+	store StoreV1,
 	dotcom DotComDB,
 	opts ...connect.HandlerOption,
 ) {
 	mux.Handle(
 		codyaccessv1connect.NewCodyAccessServiceHandler(
 			&handlerV1{
-				logger:     logger.Scoped("codyaccess.v1"),
-				samsClient: samsClient,
-				dotcom:     dotcom,
+				logger: logger.Scoped("codyaccess.v1"),
+				store:  store,
+				dotcom: dotcom,
 			},
 			opts...,
 		),
@@ -48,10 +48,10 @@ func RegisterV1(
 
 type handlerV1 struct {
 	codyaccessv1connect.UnimplementedCodyAccessServiceHandler
-	logger log.Logger
 
-	samsClient samsm2m.TokenIntrospector
-	dotcom     DotComDB
+	logger log.Logger
+	store  StoreV1
+	dotcom DotComDB
 }
 
 var _ codyaccessv1connect.CodyAccessServiceHandler = (*handlerV1)(nil)
@@ -62,7 +62,7 @@ func (s *handlerV1) GetCodyGatewayAccess(ctx context.Context, req *connect.Reque
 
 	// 🚨 SECURITY: Require approrpiate M2M scope.
 	requiredScope := samsm2m.EnterprisePortalScope("codyaccess", scopes.ActionRead)
-	clientAttrs, err := samsm2m.RequireScope(ctx, logger, s.samsClient, requiredScope, req)
+	clientAttrs, err := samsm2m.RequireScope(ctx, logger, s.store, requiredScope, req)
 	if err != nil {
 		return nil, err
 	}
@@ -106,7 +106,7 @@ func (s *handlerV1) ListCodyGatewayAccesses(ctx context.Context, req *connect.Re
 
 	// 🚨 SECURITY: Require approrpiate M2M scope.
 	requiredScope := samsm2m.EnterprisePortalScope("codyaccess", scopes.ActionRead)
-	clientAttrs, err := samsm2m.RequireScope(ctx, logger, s.samsClient, requiredScope, req)
+	clientAttrs, err := samsm2m.RequireScope(ctx, logger, s.store, requiredScope, req)
 	if err != nil {
 		return nil, err
 	}

cmd/enterprise-portal/internal/codyaccessservice/v1_store.go

@@ -0,0 +1,38 @@
+package codyaccessservice
+
+import (
+	"context"
+
+	sams "github.com/sourcegraph/sourcegraph-accounts-sdk-go"
+)
+
+// StoreV1 is the data layer carrier for Cody access service v1. This interface
+// is meant to abstract away and limit the exposure of the underlying data layer
+// to the handler through a thin-wrapper.
+type StoreV1 interface {
+	// IntrospectSAMSToken takes a SAMS access token and returns relevant metadata.
+	//
+	// 🚨SECURITY: SAMS will return a successful result if the token is valid, but
+	// is no longer active. It is critical that the caller not honor tokens where
+	// `.Active == false`.
+	IntrospectSAMSToken(ctx context.Context, token string) (*sams.IntrospectTokenResponse, error)
+}
+
+type storeV1 struct {
+	SAMSClient *sams.ClientV1
+}
+
+type StoreV1Options struct {
+	SAMSClient *sams.ClientV1
+}
+
+// NewStoreV1 returns a new StoreV1 using the given resource handles.
+func NewStoreV1(opts StoreV1Options) StoreV1 {
+	return &storeV1{
+		SAMSClient: opts.SAMSClient,
+	}
+}
+
+func (s *storeV1) IntrospectSAMSToken(ctx context.Context, token string) (*sams.IntrospectTokenResponse, error) {
+	return s.SAMSClient.Tokens().IntrospectToken(ctx, token)
+}

cmd/enterprise-portal/internal/database/BUILD.bazel

@@ -1,29 +1,55 @@
+load("//dev:go_defs.bzl", "go_test")
 load("@io_bazel_rules_go//go:def.bzl", "go_library")
 
 go_library(
     name = "database",
     srcs = [
         "database.go",
         "migrate.go",
-        "permissions.go",
         "subscriptions.go",
     ],
     importpath = "github.com/sourcegraph/sourcegraph/cmd/enterprise-portal/internal/database",
     visibility = ["//cmd/enterprise-portal:__subpackages__"],
     deps = [
-        "//internal/redislock",
         "//lib/errors",
         "//lib/managedservicesplatform/runtime",
+        "//lib/redislock",
+        "@com_github_jackc_pgx_v5//:pgx",
         "@com_github_jackc_pgx_v5//pgxpool",
         "@com_github_redis_go_redis_v9//:go-redis",
         "@com_github_sourcegraph_log//:log",
         "@io_gorm_driver_postgres//:postgres",
         "@io_gorm_gorm//:gorm",
         "@io_gorm_gorm//logger",
+        "@io_gorm_gorm//schema",
         "@io_gorm_plugin_opentelemetry//tracing",
         "@io_opentelemetry_go_otel//:otel",
         "@io_opentelemetry_go_otel//attribute",
         "@io_opentelemetry_go_otel//codes",
         "@io_opentelemetry_go_otel_trace//:trace",
     ],
 )
+
+go_test(
+    name = "database_test",
+    srcs = [
+        "main_test.go",
+        "subscriptions_test.go",
+    ],
+    embed = [":database"],
+    tags = [
+        # Test requires localhost database
+        "requires-network",
+    ],
+    deps = [
+        "//internal/database/dbtest",
+        "@com_github_google_uuid//:uuid",
+        "@com_github_jackc_pgx_v5//:pgx",
+        "@com_github_jackc_pgx_v5//pgxpool",
+        "@com_github_stretchr_testify//assert",
+        "@com_github_stretchr_testify//require",
+        "@io_gorm_driver_postgres//:postgres",
+        "@io_gorm_gorm//:gorm",
+        "@io_gorm_gorm//schema",
+    ],
+)

cmd/enterprise-portal/internal/database/database.go

@@ -2,11 +2,14 @@ package database
 
 import (
 	"context"
+	"os"
 
+	"github.com/jackc/pgx/v5"
 	"github.com/jackc/pgx/v5/pgxpool"
 	"github.com/redis/go-redis/v9"
 	"github.com/sourcegraph/log"
 	"go.opentelemetry.io/otel"
+	"gorm.io/gorm/schema"
 
 	"github.com/sourcegraph/sourcegraph/lib/errors"
 	"github.com/sourcegraph/sourcegraph/lib/managedservicesplatform/runtime"
@@ -19,13 +22,23 @@ type DB struct {
 	db *pgxpool.Pool
 }
 
+func (db *DB) Subscriptions() *SubscriptionsStore {
+	return newSubscriptionsStore(db.db)
+}
+
 // ⚠️ WARNING: This list is meant to be read-only.
-var allTables = []any{
+var allTables = []schema.Tabler{
 	&Subscription{},
-	&Permission{},
 }
 
-const databaseName = "enterprise-portal"
+func databaseName(msp bool) string {
+	if msp {
+		return "enterprise_portal"
+	}
+
+	// Use whatever the current database is for local development.
+	return os.Getenv("PGDATABASE")
+}
 
 // NewHandle returns a new database handle with the given configuration. It may
 // attempt to auto-migrate the database schema if the application version has
@@ -36,9 +49,34 @@ func NewHandle(ctx context.Context, logger log.Logger, contract runtime.Contract
 		return nil, errors.Wrap(err, "maybe migrate")
 	}
 
-	pool, err := contract.PostgreSQL.GetConnectionPool(ctx, databaseName)
+	pool, err := contract.PostgreSQL.GetConnectionPool(ctx, databaseName(contract.MSP))
 	if err != nil {
 		return nil, errors.Wrap(err, "get connection pool")
 	}
 	return &DB{db: pool}, nil
 }
+
+// transaction executes the given function within a transaction. If the function
+// returns an error, the transaction will be rolled back.
+func transaction(ctx context.Context, db *pgxpool.Pool, fn func(tx pgx.Tx) error) (err error) {
+	tx, err := db.Begin(ctx)
+	if err != nil {
+		return errors.Wrap(err, "begin")
+	}
+	defer func() {
+		rollbackErr := tx.Rollback(ctx)
+		// Only return the rollback error if there is no other error.
+		if err == nil {
+			err = errors.Wrap(rollbackErr, "rollback")
+		}
+	}()
+
+	if err = fn(tx); err != nil {
+		return err
+	}
+
+	if err = tx.Commit(ctx); err != nil {
+		return errors.Wrap(err, "commit")
+	}
+	return nil
+}

cmd/enterprise-portal/internal/database/main_test.go

@@ -0,0 +1,111 @@
+package database
+
+import (
+	"context"
+	"database/sql"
+	"fmt"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/jackc/pgx/v5/pgxpool"
+	"github.com/stretchr/testify/require"
+	"gorm.io/driver/postgres"
+	"gorm.io/gorm"
+	"gorm.io/gorm/schema"
+
+	"github.com/sourcegraph/sourcegraph/internal/database/dbtest"
+)
+
+// newTestDB creates a new test database and initializes the given list of
+// tables for the suite. The test database is dropped after testing is completed
+// unless failed.
+//
+// Future: Move to a shared package when more than Enterprise Portal uses it.
+func newTestDB(t testing.TB, system, suite string, tables ...schema.Tabler) *pgxpool.Pool {
+	if testing.Short() {
+		t.Skip("skipping DB test since -short specified")
+	}
+
+	dsn, err := dbtest.GetDSN()
+	require.NoError(t, err)
+
+	// Open a connection to control the test database lifecycle.
+	sqlDB, err := sql.Open("pgx", dsn.String())
+	require.NoError(t, err)
+
+	// Set up test suite database.
+	dbName := fmt.Sprintf("sourcegraph-test-%s-%s-%d", system, suite, time.Now().Unix())
+	_, err = sqlDB.Exec(fmt.Sprintf("DROP DATABASE IF EXISTS %q", dbName))
+	require.NoError(t, err)
+
+	_, err = sqlDB.Exec(fmt.Sprintf("CREATE DATABASE %q", dbName))
+	require.NoError(t, err)
+
+	// Swap out the database name to be the test suite database in the DSN.
+	dsn.Path = "/" + dbName
+
+	now := time.Now().UTC().Truncate(time.Second)
+	db, err := gorm.Open(
+		postgres.Open(dsn.String()),
+		&gorm.Config{
+			SkipDefaultTransaction: true,
+			NowFunc: func() time.Time {
+				return now
+			},
+		},
+	)
+	require.NoError(t, err)
+	for _, table := range tables {
+		err = db.AutoMigrate(table)
+		require.NoError(t, err)
+	}
+
+	// Close the connection used to auto-migrate the database.
+	migrateDB, err := db.DB()
+	require.NoError(t, err)
+	err = migrateDB.Close()
+	require.NoError(t, err)
+
+	// Open a new connection to the test suite database.
+	testDB, err := pgxpool.New(context.Background(), dsn.String())
+	require.NoError(t, err)
+
+	t.Cleanup(func() {
+		if t.Failed() {
+			t.Logf("Database %q left intact for inspection", dbName)
+			return
+		}
+
+		testDB.Close()
+
+		_, err = sqlDB.Exec(fmt.Sprintf(`DROP DATABASE %q`, dbName))
+		if err != nil {
+			t.Errorf("Failed to drop test suite database %q: %v", dbName, err)
+		}
+		err = sqlDB.Close()
+		if err != nil {
+			t.Errorf("Failed to close test database connection %q: %v", dbName, err)
+		}
+	})
+
+	return testDB
+}
+
+// clearTables removes all rows from the list of tables in the original order.
+// It uses soft-deletion when available and skips deletion when the test suite
+// failed.
+//
+// Future: Move to a shared package when more than Enterprise Portal uses it.
+func clearTables(t *testing.T, db *pgxpool.Pool, tables ...schema.Tabler) error {
+	if t.Failed() {
+		return nil
+	}
+
+	tableNames := make([]string, 0, len(tables))
+	for _, t := range tables {
+		tableNames = append(tableNames, t.TableName())
+	}
+	_, err := db.Exec(context.Background(), "TRUNCATE TABLE "+strings.Join(tableNames, ", ")+" RESTART IDENTITY")
+	return err
+}