refactor: make rbac package generic and reusable (#3581)

abelanger5 · web-flow · commit e91862da878b · 2026-04-13T09:16:06.000-04:00
* refactor: make rbac package generic and reusable

* remove sqlcv1 dep

* chore: generate

* revert to github actions

* try to remove rampup test

* revert GHA changes

* fix: tests

* add 5 second context to security check

* disable security check for testing harness

* fix: race conditions in msgqueue
diff --git a/api/v1/server/authz/middleware.go b/api/v1/server/authz/middleware.go
@@ -8,7 +8,7 @@ import (
 	"github.com/rs/zerolog"
 
 	"github.com/hatchet-dev/hatchet/api/v1/server/middleware"
-	"github.com/hatchet-dev/hatchet/api/v1/server/rbac"
+	"github.com/hatchet-dev/hatchet/pkg/auth/rbac"
 	"github.com/hatchet-dev/hatchet/pkg/config/server"
 	"github.com/hatchet-dev/hatchet/pkg/repository/sqlcv1"
 )
@@ -20,7 +20,7 @@ type AuthZ struct {
 }
 
 func NewAuthZ(config *server.ServerConfig) (*AuthZ, error) {
-	rbacAuthorizer, err := rbac.NewAuthorizer()
+	rbacAuthorizer, err := newHatchetAuthorizer()
 	if err != nil {
 		return nil, err
 	}
@@ -197,7 +197,7 @@ func (a *AuthZ) authorizeTenantOperations(tenantMemberRole sqlcv1.TenantMemberRo
 	}
 
 	// at the moment, tenant members are only restricted from creating other tenant users.
-	if !a.rbac.IsAuthorized(tenantMemberRole, r.OperationID) {
+	if !a.rbac.IsAuthorized(string(tenantMemberRole), r.OperationID) {
 		return echo.NewHTTPError(http.StatusUnauthorized, "Not authorized to perform this operation")
 	}
 
diff --git a/api/v1/server/authz/rbac.go b/api/v1/server/authz/rbac.go
@@ -0,0 +1,25 @@
+package authz
+
+import (
+	_ "embed"
+
+	"github.com/hatchet-dev/hatchet/api/v1/server/oas/gen"
+
+	"github.com/hatchet-dev/hatchet/pkg/auth/rbac"
+)
+
+//go:embed rbac.yaml
+var yamlFile []byte
+
+func newHatchetAuthorizer() (*rbac.Authorizer, error) {
+	permMap, err := rbac.LoadPermissionMap(yamlFile)
+	if err != nil {
+		return nil, err
+	}
+	spec, err := gen.GetSwagger()
+	if err != nil {
+		return nil, err
+	}
+
+	return rbac.NewAuthorizer(permMap, spec)
+}
diff --git a/api/v1/server/authz/rbac.yaml b/api/v1/server/authz/rbac.yaml
diff --git a/api/v1/server/authz/rbac_test.go b/api/v1/server/authz/rbac_test.go
@@ -1,9 +1,10 @@
-package rbac
+package authz
 
 import (
 	"testing"
 
 	"github.com/hatchet-dev/hatchet/api/v1/server/oas/gen"
+	"github.com/hatchet-dev/hatchet/pkg/auth/rbac"
 	"github.com/hatchet-dev/hatchet/pkg/repository/sqlcv1"
 
 	"github.com/stretchr/testify/assert"
@@ -34,21 +35,21 @@ func operationIdsFromSpec() []string {
 }
 
 func TestAuthorizeTenantOperations(t *testing.T) {
-	r, err := NewAuthorizer()
+	r, err := newHatchetAuthorizer()
 	assert.Nil(t, err)
 	allOperations := operationIdsFromSpec()
 	for _, operationId := range allOperations {
-		assert.Equal(t, r.IsAuthorized(sqlcv1.TenantMemberRoleADMIN, operationId), true)
-		assert.Equal(t, r.IsAuthorized(sqlcv1.TenantMemberRoleOWNER, operationId), true)
-		if OperationIn(operationId, adminAndOwnerOnly) {
-			assert.Equal(t, r.IsAuthorized(sqlcv1.TenantMemberRoleMEMBER, operationId), false)
+		assert.Equal(t, r.IsAuthorized(string(sqlcv1.TenantMemberRoleADMIN), operationId), true)
+		assert.Equal(t, r.IsAuthorized(string(sqlcv1.TenantMemberRoleOWNER), operationId), true)
+		if rbac.OperationIn(operationId, adminAndOwnerOnly) {
+			assert.Equal(t, r.IsAuthorized(string(sqlcv1.TenantMemberRoleMEMBER), operationId), false)
 		} else {
-			assert.Equal(t, r.IsAuthorized(sqlcv1.TenantMemberRoleMEMBER, operationId), true)
+			assert.Equal(t, r.IsAuthorized(string(sqlcv1.TenantMemberRoleMEMBER), operationId), true)
 		}
 	}
 }
 
 func TestValidateSpec(t *testing.T) {
-	_, err := NewAuthorizer()
+	_, err := newHatchetAuthorizer()
 	assert.Nil(t, err)
 }
diff --git a/internal/msgqueue/rabbitmq/rabbitmq.go b/internal/msgqueue/rabbitmq/rabbitmq.go
@@ -754,13 +754,10 @@ func (t *MessageQueueImpl) subscribe(
 			return err
 		}
 
-		wg.Add(1) // we add an extra delta for the deliveries channel to be closed
-		defer wg.Done()
-
 		for rabbitMsg := range deliveries {
 			wg.Add(1)
 
-			go func(rabbitMsg amqp.Delivery) {
+			go func(rabbitMsg amqp.Delivery, session int) {
 				defer wg.Done()
 
 				msg := &msgqueue.Message{}
@@ -831,7 +828,7 @@ func (t *MessageQueueImpl) subscribe(
 					}
 				}
 
-				t.l.Debug().Msgf("(session: %d) got msg", sessionCount)
+				t.l.Debug().Msgf("(session: %d) got msg", session)
 
 				if err := preAck(msg); err != nil {
 					if isPermanentPreAckError(err) {
@@ -868,15 +865,17 @@ func (t *MessageQueueImpl) subscribe(
 					t.l.Error().Msgf("error in post-ack: %v", err)
 					return
 				}
-			}(rabbitMsg)
+			}(rabbitMsg, sessionCount)
 		}
 
 		t.l.Info().Msg("deliveries channel closed")
 
 		return nil
 	}
 
+	wg.Add(1)
 	go func() {
+		defer wg.Done()
 		retryCount := 0
 		lastRetry := time.Now()
 
diff --git a/internal/services/partition/partition.go b/internal/services/partition/partition.go
@@ -284,6 +284,8 @@ func (p *Partition) StartSchedulerPartition(ctx context.Context) (func() error,
 
 	p.schedulerCron.Start()
 
+	rebalanceInactiveSchedulerPartitions(ctx, p.l, p.repo) // nolint: errcheck
+
 	return cleanup, nil
 }
 
diff --git a/pkg/auth/rbac/rbac.go b/pkg/auth/rbac/rbac.go
@@ -1,17 +1,12 @@
 package rbac
 
 import (
-	_ "embed"
 	"fmt"
 	"maps"
 	"strings"
 
 	"github.com/getkin/kin-openapi/openapi3"
 	"go.yaml.in/yaml/v3"
-
-	"github.com/hatchet-dev/hatchet/api/v1/server/oas/gen"
-
-	"github.com/hatchet-dev/hatchet/pkg/repository/sqlcv1"
 )
 
 func OperationIn(operationId string, operationIds []string) bool {
@@ -28,16 +23,11 @@ type Authorizer struct {
 	permissionMap PermissionMap
 }
 
-func NewAuthorizer() (*Authorizer, error) {
-	permMap, err := LoadYaml()
-	if err != nil {
-		return nil, err
-	}
-	spec, err := gen.GetSwagger()
-	if err != nil {
-		return nil, err
-	}
-	err = permMap.ValidateSpec(*spec)
+func NewAuthorizer(
+	permMap *PermissionMap,
+	spec *openapi3.T,
+) (*Authorizer, error) {
+	err := permMap.ValidateSpec(*spec)
 	if err != nil {
 		return nil, err
 	}
@@ -46,8 +36,8 @@ func NewAuthorizer() (*Authorizer, error) {
 	}, nil
 }
 
-func (a *Authorizer) IsAuthorized(role sqlcv1.TenantMemberRole, operation string) bool {
-	return a.permissionMap.HasPermission(string(role), operation)
+func (a *Authorizer) IsAuthorized(role string, operation string) bool {
+	return a.permissionMap.HasPermission(role, operation)
 }
 
 type Role struct {
@@ -146,12 +136,9 @@ func (p *PermissionMap) ValidateSpec(spec openapi3.T) error {
 	return nil
 }
 
-//go:embed rbac.yaml
-var yamlFile []byte
-
-func LoadYaml() (*PermissionMap, error) {
+func LoadPermissionMap(yamlBytes []byte) (*PermissionMap, error) {
 	var yamlContents PermissionMap
-	err := yaml.Unmarshal(yamlFile, &yamlContents)
+	err := yaml.Unmarshal(yamlBytes, &yamlContents)
 	if err != nil {
 		return nil, err
 	}
diff --git a/pkg/config/loader/loader.go b/pkg/config/loader/loader.go
@@ -512,7 +512,7 @@ func createControllerLayer(dc *database.Layer, cf *server.ServerConfigFile, vers
 			Version:  version,
 		}, dc.V1.SecurityCheck())
 
-		defer securityCheck.Check()
+		go securityCheck.Check()
 	}
 
 	var analyticsEmitter analytics.Analytics
diff --git a/pkg/security/security.go b/pkg/security/security.go
@@ -1,9 +1,11 @@
 package security
 
 import (
+	"context"
 	"fmt"
 	"io"
 	"net/http"
+	"time"
 
 	v1 "github.com/hatchet-dev/hatchet/pkg/repository"
 
@@ -51,8 +53,17 @@ func (a DefaultSecurityCheck) Check() {
 		return
 	}
 
-	req := fmt.Sprintf("%s/check?version=%s&tag=%s", a.Endpoint, a.Version, ident)
-	resp, err := http.Get(req) // #nosec
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	reqURL := fmt.Sprintf("%s/check?version=%s&tag=%s", a.Endpoint, a.Version, ident)
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, reqURL, nil)
+	if err != nil {
+		a.Logger.Debug().Msgf("Error creating security check request: %s", err)
+		return
+	}
+
+	resp, err := http.DefaultClient.Do(req) // #nosec
 	if err != nil {
 		a.Logger.Debug().Msgf("Error making request to security endpoint: %s", err)
 		return
diff --git a/pkg/testing/harness/engine.go b/pkg/testing/harness/engine.go
@@ -147,6 +147,7 @@ func startEngine() func() {
 	os.Setenv("SERVER_LOGGER_FORMAT", "console")
 	os.Setenv("DATABASE_LOGGER_LEVEL", "error")
 	os.Setenv("DATABASE_LOGGER_FORMAT", "console")
+	os.Setenv("SERVER_SECURITY_CHECK_ENABLED", "false")
 	os.Setenv("SERVER_ADDITIONAL_LOGGERS_QUEUE_LEVEL", "error")
 	os.Setenv("SERVER_ADDITIONAL_LOGGERS_QUEUE_FORMAT", "console")
 	os.Setenv("SERVER_ADDITIONAL_LOGGERS_PGXSTATS_LEVEL", "error")

Original file line number	Diff line number	Diff line change
`@@ -8,7 +8,7 @@ import (`
`8`	`8`	`"github.com/rs/zerolog"`
`9`	`9`
`10`	`10`	`"github.com/hatchet-dev/hatchet/api/v1/server/middleware"`
`11`		`- "github.com/hatchet-dev/hatchet/api/v1/server/rbac"`
	`11`	`+ "github.com/hatchet-dev/hatchet/pkg/auth/rbac"`
`12`	`12`	`"github.com/hatchet-dev/hatchet/pkg/config/server"`
`13`	`13`	`"github.com/hatchet-dev/hatchet/pkg/repository/sqlcv1"`
`14`	`14`	`)`
`@@ -20,7 +20,7 @@ type AuthZ struct {`
`20`	`20`	`}`
`21`	`21`
`22`	`22`	`func NewAuthZ(config server.ServerConfig) (AuthZ, error) {`
`23`		`- rbacAuthorizer, err := rbac.NewAuthorizer()`
	`23`	`+ rbacAuthorizer, err := newHatchetAuthorizer()`
`24`	`24`	`if err != nil {`
`25`	`25`	`return nil, err`
`26`	`26`	`}`
`@@ -197,7 +197,7 @@ func (a *AuthZ) authorizeTenantOperations(tenantMemberRole sqlcv1.TenantMemberRo`
`197`	`197`	`}`
`198`	`198`
`199`	`199`	`// at the moment, tenant members are only restricted from creating other tenant users.`
`200`		`- if !a.rbac.IsAuthorized(tenantMemberRole, r.OperationID) {`
	`200`	`+ if !a.rbac.IsAuthorized(string(tenantMemberRole), r.OperationID) {`
`201`	`201`	`return echo.NewHTTPError(http.StatusUnauthorized, "Not authorized to perform this operation")`
`202`	`202`	`}`
`203`	`203`
Original file line number	Diff line number	Diff line change
`@@ -754,13 +754,10 @@ func (t *MessageQueueImpl) subscribe(`
`754`	`754`	`return err`
`755`	`755`	`}`
`756`	`756`
`757`		`- wg.Add(1) // we add an extra delta for the deliveries channel to be closed`
`758`		`- defer wg.Done()`
`759`		`-`
`760`	`757`	`for rabbitMsg := range deliveries {`
`761`	`758`	`wg.Add(1)`
`762`	`759`
`763`		`- go func(rabbitMsg amqp.Delivery) {`
	`760`	`+ go func(rabbitMsg amqp.Delivery, session int) {`
`764`	`761`	`defer wg.Done()`
`765`	`762`
`766`	`763`	`msg := &msgqueue.Message{}`
`@@ -831,7 +828,7 @@ func (t *MessageQueueImpl) subscribe(`
`831`	`828`	`}`
`832`	`829`	`}`
`833`	`830`
`834`		`- t.l.Debug().Msgf("(session: %d) got msg", sessionCount)`
	`831`	`+ t.l.Debug().Msgf("(session: %d) got msg", session)`
`835`	`832`
`836`	`833`	`if err := preAck(msg); err != nil {`
`837`	`834`	`if isPermanentPreAckError(err) {`
`@@ -868,15 +865,17 @@ func (t *MessageQueueImpl) subscribe(`
`868`	`865`	`t.l.Error().Msgf("error in post-ack: %v", err)`
`869`	`866`	`return`
`870`	`867`	`}`
`871`		`- }(rabbitMsg)`
	`868`	`+ }(rabbitMsg, sessionCount)`
`872`	`869`	`}`
`873`	`870`
`874`	`871`	`t.l.Info().Msg("deliveries channel closed")`
`875`	`872`
`876`	`873`	`return nil`
`877`	`874`	`}`
`878`	`875`
	`876`	`+ wg.Add(1)`
`879`	`877`	`go func() {`
	`878`	`+ defer wg.Done()`
`880`	`879`	`retryCount := 0`
`881`	`880`	`lastRetry := time.Now()`
`882`	`881`
Original file line number	Diff line number	Diff line change
`@@ -284,6 +284,8 @@ func (p *Partition) StartSchedulerPartition(ctx context.Context) (func() error,`
`284`	`284`
`285`	`285`	`p.schedulerCron.Start()`
`286`	`286`
	`287`	`+ rebalanceInactiveSchedulerPartitions(ctx, p.l, p.repo) // nolint: errcheck`
	`288`	`+`
`287`	`289`	`return cleanup, nil`
`288`	`290`	`}`
`289`	`291`
Original file line number	Diff line number	Diff line change
`@@ -512,7 +512,7 @@ func createControllerLayer(dc database.Layer, cf server.ServerConfigFile, vers`
`512`	`512`	`Version: version,`
`513`	`513`	`}, dc.V1.SecurityCheck())`
`514`	`514`
`515`		`- defer securityCheck.Check()`
	`515`	`+ go securityCheck.Check()`
`516`	`516`	`}`
`517`	`517`
`518`	`518`	`var analyticsEmitter analytics.Analytics`