Removing perm

Perm was a valiant effort, and many good developers gave it their all. It was
time to amit that it was dead weight we were hauling along with us.

My main motivation was to get the permission querying code to be
something our vim setup could navigate through when going to the
definitions of functions named the same for db permissions and
perm. Once I got started I couldn't stop myself.

Assorted Notes:
- removed all traces of perm I could find. There are some instance of
"perm" in the codebase that have nothing to do with externalizing permissions.
- Made all perm config optional, as it's no longer used for anything.

Authored-by: Matthew Kocher <[email protected]>

.travis.yml

@@ -34,7 +34,6 @@ services:
 env:
   global:
     - CC_TEST_REPORTER_ID=301facccb751b8f202e8a382e9f74bda51055f738691cf2ee9a9b853ac807304
-    - CF_RUN_PERM_SPECS=false
 
   matrix:
     - COVERAGE=true DB=postgres TASKS=spec:all

Gemfile

@@ -63,9 +63,6 @@ gem 'fog-openstack'
 gem 'cf-uaa-lib', '~> 3.14.0'
 gem 'vcap-concurrency', git: 'https://github.com/cloudfoundry/vcap-concurrency.git', ref: '2a5b0179'
 
-gem 'cf-perm', '~> 0.0.10'
-gem 'scientist', '~> 1.1.0'
-
 group :db do
   gem 'mysql2', '~> 0.5.3'
   gem 'pg'
@@ -77,7 +74,6 @@ group :operations do
 end
 
 group :test do
-  gem 'cf-perm-test-helpers', '~> 0.0.6'
   gem 'codeclimate-test-reporter', '>= 1.0.8', require: false
   gem 'machinist', '~> 1.0.6'
   gem 'parallel_tests'

Gemfile.lock

@@ -103,11 +103,6 @@ GEM
     byebug (11.1.3)
     cf-copilot (0.0.14)
       grpc (~> 1.0)
-    cf-perm (0.0.10)
-      grpc (~> 1.0)
-    cf-perm-test-helpers (0.0.6)
-      ruby-mysql (~> 2.9.14)
-      subprocess (~> 1)
     cf-uaa-lib (3.14.3)
       httpclient (~> 2.8, >= 2.8.2.4)
       multi_json (~> 1.12.0, >= 1.12.1)
@@ -422,14 +417,12 @@ GEM
       parser (>= 3.0.1.1)
     ruby-debug-ide (0.7.2)
       rake (>= 0.8.1)
-    ruby-mysql (2.9.14)
     ruby-progressbar (1.11.0)
     ruby2_keywords (0.0.2)
     ruby_parser (3.8.3)
       sexp_processor (~> 4.1)
     rubyzip (2.3.2)
     safe_yaml (1.0.4)
-    scientist (1.1.1)
     sequel (5.46.0)
     sexp_processor (4.7.0)
     signet (0.11.0)
@@ -476,7 +469,6 @@ GEM
     steno (1.3.4)
       fluent-logger
       yajl-ruby (~> 1.0)
-    subprocess (1.5.3)
     talentbox-delayed_job_sequel (4.3.0)
       delayed_job (~> 4.1.0)
       sequel (>= 3.38, < 6.0)
@@ -526,8 +518,6 @@ DEPENDENCIES
   bits_service_client (~> 3.3, >= 3.3.0)
   byebug
   cf-copilot (= 0.0.14)
-  cf-perm (~> 0.0.10)
-  cf-perm-test-helpers (~> 0.0.6)
   cf-uaa-lib (~> 3.14.0)
   clockwork
   cloudfront-signer
@@ -585,7 +575,6 @@ DEPENDENCIES
   rubocop (~> 1.18.3)
   ruby-debug-ide (>= 0.7.0.beta4)
   rubyzip (>= 1.3.0)
-  scientist (~> 1.1.0)
   sequel (~> 5.46)
   sinatra (~> 2.0)
   sinatra-contrib

app/actions/organization_create.rb

@@ -28,8 +28,6 @@ def create(message)
 
     private
 
-    attr_reader :perm_client
-
     def validation_error!(error, message)
       if error.errors.on(:name)&.include?(:unique)
         error!("Organization '#{message.name}' already exists.")

app/actions/space_create.rb

@@ -3,8 +3,7 @@ class SpaceCreate
     class Error < ::StandardError
     end
 
-    def initialize(perm_client:, user_audit_info:)
-      @perm_client = perm_client
+    def initialize(user_audit_info:)
       @user_audit_info = user_audit_info
     end
 
@@ -16,18 +15,14 @@ def create(org, message)
         Repositories::SpaceEventRepository.new.record_space_create(space, user_audit_info, message.audit_hash)
       end
 
-      VCAP::CloudController::Roles::SPACE_ROLE_NAMES.each do |role|
-        perm_client.create_space_role(role: role, space_id: space.guid)
-      end
-
       space
     rescue Sequel::ValidationFailed => e
       validation_error!(e)
     end
 
     private
 
-    attr_reader :perm_client, :user_audit_info
+    attr_reader :user_audit_info
 
     def validation_error!(error)
       if error.is_a?(Space::DBNameUniqueRaceError) || error.errors.on([:organization_id, :name])&.include?(:unique)

app/controllers/base/base_controller.rb

@@ -51,12 +51,8 @@ def initialize(config, logger, env, params, body, sinatra=nil, dependencies={})
       @opts = common_params.parse(params, query_string)
       @sinatra = sinatra
 
-      @queryer = VCAP::CloudController::Permissions::Queryer.build(
-        dependencies.fetch(:perm_client),
-        dependencies.fetch(:statsd_client),
-        VCAP::CloudController::SecurityContext,
-        config.get(:perm, :enabled),
-      )
+      @queryer = VCAP::CloudController::Permissions.new(VCAP::CloudController::SecurityContext.current_user)
+
       @access_context = Security::AccessContext.new(queryer)
 
       inject_dependencies(dependencies)

app/controllers/v3/application_controller.rb

@@ -119,22 +119,12 @@ def logger
     @logger ||= Steno.logger('cc.api')
   end
 
-  def perm_client
-    @perm_client ||= CloudController::DependencyLocator.instance.perm_client
-  end
-
   def statsd_client
     @statsd_client ||= CloudController::DependencyLocator.instance.statsd_client
   end
 
   def permission_queryer
-    @permission_queryer ||= VCAP::CloudController::Permissions::Queryer.build(
-      perm_client,
-      statsd_client,
-      SecurityContext,
-      configuration.get(:perm, :enabled),
-      configuration.get(:perm, :query_raise_on_mismatch)
-    )
+    @permission_queryer ||= VCAP::CloudController::Permissions.new(VCAP::CloudController::SecurityContext.current_user)
   end
 
   def add_warning_headers(warnings)

app/controllers/v3/spaces_controller.rb

@@ -56,7 +56,7 @@ def create
 
     org = fetch_organization(message.organization_guid)
     unprocessable!(missing_org) unless org
-    space = SpaceCreate.new(perm_client: perm_client, user_audit_info: user_audit_info).create(org, message)
+    space = SpaceCreate.new(user_audit_info: user_audit_info).create(org, message)
 
     render status: 201, json: Presenters::V3::SpacePresenter.new(space)
   rescue SpaceCreate::Error => e

app/controllers/v3/tasks_controller.rb

@@ -100,16 +100,15 @@ def show
   private
 
   def readable_space_guids
-    permission_queryer.readable_space_guids | permission_queryer.task_readable_space_guids
+    permission_queryer.readable_space_guids
   end
 
   def can_read_secrets?(org, space)
     permission_queryer.can_read_secrets_in_space?(space.guid, org.guid)
   end
 
   def can_read_task?(org, space)
-    permission_queryer.can_read_from_space?(space.guid, org.guid) ||
-      permission_queryer.can_read_task?(org_guid: org.guid, space_guid: space.guid)
+    permission_queryer.can_read_from_space?(space.guid, org.guid)
   end
 
   def task_not_found!

config/cloud_controller.yml

@@ -364,13 +364,6 @@ pending_builds:
   expiration_in_seconds: 42
   frequency_in_seconds: 300
 
-perm:
-  enabled: false
-  hostname: perm.service.cf.internal
-  port: 6283
-  ca_cert_path: "spec/fixtures/certs/perm_ca.crt"
-  timeout_in_milliseconds: 100
-
 credhub_api:
   internal_url: https://credhub.capi.internal:8844
   external_url: https://credhub.capi.external:8844

lib/cloud_controller.rb

@@ -95,14 +95,6 @@ module VCAP::CloudController; end
 
 require 'cloud_controller/errors/instances_unavailable'
 
-require 'cloud_controller/permissions/queryer'
-
-require 'cloud_controller/perm/client'
-require 'cloud_controller/perm/permissions'
-require 'cloud_controller/perm/errors'
-
-require 'cloud_controller/science/experiment'
-
 require 'cloud_controller/uaa/errors'
 require 'cloud_controller/uaa/uaa_client'
 require 'cloud_controller/uaa/uaa_token_cache'

lib/cloud_controller/config_schemas/base/api_schema.rb

@@ -311,8 +311,11 @@ class ApiSchema < VCAP::Config
               optional(:diego_sync) => { timeout_in_seconds: Integer },
             },
 
-            perm: {
-              enabled: bool,
+            # perm settings no longer have any effect but are preserved here
+            # for the time being to avoid breaking users as the perm
+            # setting was once required.
+            optional(:perm) => {
+              optional(:enabled) => bool,
               optional(:hostname) => String,
               optional(:port) => Integer,
               optional(:timeout_in_milliseconds) => Integer,

lib/cloud_controller/controller_factory.rb

@@ -25,7 +25,6 @@ def dependency_locator
     def default_dependencies
       {
         statsd_client: dependency_locator.statsd_client,
-        perm_client: dependency_locator.perm_client,
         object_renderer:     dependency_locator.object_renderer,
         collection_renderer: dependency_locator.paginated_collection_renderer,
       }

lib/cloud_controller/dependency_locator.rb

@@ -37,8 +37,6 @@
 
 require 'bits_service_client'
 
-require 'perm'
-
 module CloudController
   class DependencyLocator
     include Singleton
@@ -125,10 +123,6 @@ def index_stopper
       @dependencies[:index_stopper] || register(:index_stopper, IndexStopper.new(runners))
     end
 
-    def perm_client
-      @dependencies[:perm_client] || register(:perm_client, build_perm_client)
-    end
-
     def droplet_blobstore
       options = config.get(:droplets)
 
@@ -555,9 +549,5 @@ def create_paginated_collection_renderer(opts={})
         collection_transformer: collection_transformer
       })
     end
-
-    def build_perm_client
-      VCAP::CloudController::Perm::Client.build_from_config(config, File)
-    end
   end
 end