Merge pull request #1983 from mattgarmon/provisioning

feat(oagw,types-registry): make tenant_id optional in provisioned entities

Author: Artifizer

Cargo.lock

@@ -17,7 +17,7 @@ use uuid::Uuid;
 #[domain_model]
 #[derive(Debug, Clone)]
 pub struct ProvisionedUpstream {
-    pub tenant_id: Uuid,
+    pub tenant_id: Option<Uuid>,
     pub request: CreateUpstreamRequest,
 }
 
@@ -28,7 +28,7 @@ pub struct ProvisionedUpstream {
 #[domain_model]
 #[derive(Debug, Clone)]
 pub struct ProvisionedRoute {
-    pub tenant_id: Uuid,
+    pub tenant_id: Option<Uuid>,
     pub request: CreateRouteRequest,
 }
 

modules/system/oagw/oagw/src/domain/type_provisioning.rs

@@ -301,7 +301,8 @@ struct MatchRules {
 /// Intermediate serde struct for deserializing upstream GTS entity content.
 #[derive(Deserialize)]
 struct UpstreamPayload {
-    tenant_id: Uuid,
+    #[serde(default)]
+    tenant_id: Option<Uuid>,
     server: Server,
     protocol: String,
     #[serde(default)]
@@ -325,7 +326,8 @@ struct UpstreamPayload {
 /// Intermediate serde struct for deserializing route GTS entity content.
 #[derive(Deserialize)]
 struct RoutePayload {
-    tenant_id: Uuid,
+    #[serde(default)]
+    tenant_id: Option<Uuid>,
     upstream_id: String,
     #[serde(rename = "match")]
     match_rules: MatchRules,
@@ -832,7 +834,7 @@ mod tests {
 
         let upstreams = svc.list_upstreams().await.unwrap();
         assert_eq!(upstreams.len(), 1);
-        assert_eq!(upstreams[0].tenant_id, tenant);
+        assert_eq!(upstreams[0].tenant_id, Some(tenant));
         assert_eq!(upstreams[0].request.id, Some(instance_id));
         assert!(upstreams[0].request.enabled);
     }
@@ -913,7 +915,7 @@ mod tests {
 
         let routes = svc.list_routes().await.unwrap();
         assert_eq!(routes.len(), 1);
-        assert_eq!(routes[0].tenant_id, tenant);
+        assert_eq!(routes[0].tenant_id, Some(tenant));
         assert_eq!(routes[0].request.id, Some(route_instance_id));
         assert_eq!(routes[0].request.upstream_id, upstream_id);
         assert!(routes[0].request.enabled);
@@ -1033,7 +1035,7 @@ mod tests {
         let payload: UpstreamPayload = serde_json::from_value(json).unwrap();
         let provisioned = payload.into_provisioned(None);
 
-        assert_eq!(provisioned.tenant_id, tenant);
+        assert_eq!(provisioned.tenant_id, Some(tenant));
         let req = &provisioned.request;
         assert_eq!(req.server.endpoints.len(), 2);
         assert_eq!(req.server.endpoints[0].scheme, domain::Scheme::Https);
@@ -1098,7 +1100,7 @@ mod tests {
             .into_provisioned("gts.cf.core.oagw.route.v1~cf.core.oagw.test.v1", route_uuid)
             .expect("upstream_id should parse");
 
-        assert_eq!(provisioned.tenant_id, tenant);
+        assert_eq!(provisioned.tenant_id, Some(tenant));
         let req = &provisioned.request;
         assert_eq!(req.upstream_id, upstream_id);
         assert_eq!(req.priority, 10);
@@ -1128,6 +1130,67 @@ mod tests {
         assert_eq!(rl.cost, 2);
     }
 
+    #[test]
+    fn deserialize_upstream_without_tenant_id_produces_none() {
+        let json = serde_json::json!({
+            "server": {
+                "endpoints": [{"host": "api.example.com", "port": 443, "scheme": "https"}]
+            },
+            "protocol": "http"
+        });
+        let payload: UpstreamPayload = serde_json::from_value(json).unwrap();
+        let provisioned = payload.into_provisioned(None);
+        assert_eq!(provisioned.tenant_id, None);
+    }
+
+    #[test]
+    fn deserialize_route_without_tenant_id_produces_none() {
+        let upstream_id = Uuid::new_v4();
+        let json = serde_json::json!({
+            "upstream_id": upstream_id,
+            "match": {
+                "http": {
+                    "methods": ["GET"],
+                    "path": "/api/test"
+                }
+            },
+            "enabled": true,
+            "tags": [],
+            "priority": 0
+        });
+        let payload: RoutePayload = serde_json::from_value(json).unwrap();
+        let route_uuid = Uuid::new_v4();
+        let provisioned = payload
+            .into_provisioned("gts.cf.core.oagw.route.v1~cf.core.oagw.test.v1", route_uuid)
+            .unwrap();
+        assert_eq!(provisioned.tenant_id, None);
+    }
+
+    #[tokio::test]
+    async fn list_upstreams_without_tenant_id_returns_none() {
+        let instance_id = Uuid::new_v4();
+        let content = serde_json::json!({
+            "server": {
+                "endpoints": [{"host": "127.0.0.1", "port": 8080, "scheme": "http"}]
+            },
+            "protocol": "gts.cf.core.oagw.protocol.v1~cf.core.oagw.http.v1",
+            "enabled": true,
+            "tags": []
+        });
+        let gts_id = format!("gts.cf.core.oagw.upstream.v1~{instance_id}");
+
+        let registry = Arc::new(
+            MockTypesRegistryClient::new()
+                .with_instances([make_upstream_instance(&gts_id, content)]),
+        );
+        let svc = TypeProvisioningServiceImpl::new(registry);
+
+        let upstreams = svc.list_upstreams().await.unwrap();
+        assert_eq!(upstreams.len(), 1);
+        assert_eq!(upstreams[0].tenant_id, None);
+        assert_eq!(upstreams[0].request.id, Some(instance_id));
+    }
+
     #[test]
     fn deserialize_missing_field_returns_error() {
         // Missing required "server" field.

modules/system/oagw/oagw/src/infra/type_provisioning.rs

@@ -46,6 +46,7 @@ pub struct AppState {
 pub struct OutboundApiGatewayModule {
     state: arc_swap::ArcSwapOption<AppState>,
     registry_client: OnceLock<Arc<dyn TypesRegistryClient>>,
+    tenant_resolver: OnceLock<Arc<dyn TenantResolverClient>>,
     type_provisioning: OnceLock<Arc<dyn TypeProvisioningService>>,
 }
 
@@ -54,6 +55,7 @@ impl Default for OutboundApiGatewayModule {
         Self {
             state: arc_swap::ArcSwapOption::from(None),
             registry_client: OnceLock::new(),
+            tenant_resolver: OnceLock::new(),
             type_provisioning: OnceLock::new(),
         }
     }
@@ -88,7 +90,7 @@ impl Module for OutboundApiGatewayModule {
         let cp: Arc<dyn ControlPlaneService> = Arc::new(ControlPlaneServiceImpl::new(
             upstream_repo,
             route_repo,
-            tenant_resolver,
+            tenant_resolver.clone(),
             policy_enforcer.clone(),
             credstore.clone(),
             ssrf_guard.clone(),
@@ -193,6 +195,10 @@ impl Module for OutboundApiGatewayModule {
             .set(registry)
             .map_err(|_| anyhow::anyhow!("TypesRegistryClient already set"))?;
 
+        self.tenant_resolver
+            .set(tenant_resolver)
+            .map_err(|_| anyhow::anyhow!("TenantResolverClient already set"))?;
+
         let app_state = AppState {
             cp,
             dp,
@@ -215,6 +221,12 @@ impl SystemCapability for OutboundApiGatewayModule {
             .ok_or_else(|| anyhow::anyhow!("TypesRegistryClient not set — init() must run first"))?
             .clone();
 
+        let tenant_resolver = self
+            .tenant_resolver
+            .get()
+            .ok_or_else(|| anyhow::anyhow!("TenantResolverClient not set — init() must run first"))?
+            .clone();
+
         let provisioning: Arc<dyn TypeProvisioningService> =
             Arc::new(TypeProvisioningServiceImpl::new(registry));
 
@@ -227,48 +239,62 @@ impl SystemCapability for OutboundApiGatewayModule {
             .as_ref()
             .clone();
 
+        // Resolve root tenant for provisioning context.
+        let bootstrap_ctx = SecurityContext::builder()
+            .subject_id(modkit_security::constants::DEFAULT_SUBJECT_ID)
+            .subject_tenant_id(modkit_security::constants::DEFAULT_TENANT_ID)
+            .build()?;
+        let root_tenant_id = tenant_resolver
+            .get_root_tenant(&bootstrap_ctx)
+            .await
+            .map_err(|e| anyhow::anyhow!("Failed to resolve root tenant: {e}"))?
+            .id
+            .0;
+
         // -- Materialise upstreams and routes from types-registry --
         // GTS instance UUIDs are passed through as `CreateUpstreamRequest.id`
         // and `CreateRouteRequest.id`, so OAGW uses the config-provided IDs
         // directly. Route `upstream_id` already references the upstream's GTS
         // instance UUID, so no remapping is needed.
         let upstreams = provisioning.list_upstreams().await?;
         for u in &upstreams {
+            let tenant_id = u.tenant_id.unwrap_or(root_tenant_id);
             let ctx = SecurityContext::builder()
-                .subject_tenant_id(u.tenant_id)
+                .subject_tenant_id(tenant_id)
                 .subject_id(modkit_security::constants::DEFAULT_SUBJECT_ID)
                 .build()?;
             let created = app_state
                 .cp
                 .create_upstream(&ctx, u.request.clone())
                 .await
                 .map_err(|e| {
-                    anyhow::anyhow!("Failed to provision upstream (tenant={}): {e}", u.tenant_id)
+                    anyhow::anyhow!("Failed to provision upstream (tenant={tenant_id}): {e}")
                 })?;
             info!(
                 id = %created.id,
-                tenant_id = %u.tenant_id,
+                tenant_id = %tenant_id,
                 alias = %created.alias,
                 "Provisioned upstream from types-registry"
             );
         }
 
         let routes = provisioning.list_routes().await?;
         for r in &routes {
+            let tenant_id = r.tenant_id.unwrap_or(root_tenant_id);
             let ctx = SecurityContext::builder()
-                .subject_tenant_id(r.tenant_id)
+                .subject_tenant_id(tenant_id)
                 .subject_id(modkit_security::constants::DEFAULT_SUBJECT_ID)
                 .build()?;
             let created = app_state
                 .cp
                 .create_route(&ctx, r.request.clone())
                 .await
                 .map_err(|e| {
-                    anyhow::anyhow!("Failed to provision route (tenant={}): {e}", r.tenant_id)
+                    anyhow::anyhow!("Failed to provision route (tenant={tenant_id}): {e}")
                 })?;
             info!(
                 id = %created.id,
-                tenant_id = %r.tenant_id,
+                tenant_id = %tenant_id,
                 "Provisioned route from types-registry"
             );
         }

modules/system/oagw/oagw/src/module.rs

@@ -45,7 +45,6 @@ modkit = { workspace = true }
 modkit-canonical-errors = { workspace = true, features = ["axum"] }
 modkit-gts = { workspace = true }
 modkit-macros = { workspace = true }
-modkit-security = { workspace = true }
 modkit-utils = { workspace = true }
 
 [dev-dependencies]

modules/system/types-registry/types-registry/Cargo.toml

@@ -3,7 +3,6 @@
 use std::time::Duration;
 
 use serde::Deserialize;
-use uuid::Uuid;
 
 use crate::infra::cache::{CacheConfig, DEFAULT_CACHE_CAPACITY, DEFAULT_CACHE_TTL};
 
@@ -19,14 +18,6 @@ pub struct TypesRegistryConfig {
     /// Default: `["$schema", "gtsTid", "type"]`
     pub schema_id_fields: Vec<String>,
 
-    /// Default tenant ID injected into static entities that don't specify one.
-    ///
-    /// When a static entity in `entities` has no `tenant_id` field, this value
-    /// is automatically inserted before registration. Defaults to
-    /// `modkit_security::constants::DEFAULT_TENANT_ID`.
-    #[serde(default = "default_tenant_id")]
-    pub default_tenant_id: Uuid,
-
     /// Raw GTS entity JSON values to register at startup.
     ///
     /// Each entry must be a valid GTS entity with at least an `$id` (or
@@ -96,16 +87,11 @@ impl SingleCacheSettings {
     }
 }
 
-fn default_tenant_id() -> Uuid {
-    modkit_security::constants::DEFAULT_TENANT_ID
-}
-
 impl Default for TypesRegistryConfig {
     fn default() -> Self {
         Self {
             entity_id_fields: vec!["$id".to_owned(), "gtsId".to_owned(), "id".to_owned()],
             schema_id_fields: vec!["$schema".to_owned(), "gtsTid".to_owned(), "type".to_owned()],
-            default_tenant_id: default_tenant_id(),
             entities: Vec::new(),
             local_client: LocalClientSettings::default(),
         }
@@ -133,10 +119,6 @@ mod tests {
         assert_eq!(cfg.entity_id_fields, vec!["$id", "gtsId", "id"]);
         assert_eq!(cfg.schema_id_fields, vec!["$schema", "gtsTid", "type"]);
         assert!(cfg.entities.is_empty());
-        assert_eq!(
-            cfg.default_tenant_id,
-            modkit_security::constants::DEFAULT_TENANT_ID
-        );
     }
 
     #[test]

modules/system/types-registry/types-registry/src/config.rs

@@ -75,7 +75,6 @@ impl Module for TypesRegistryModule {
 
         let gts_config = cfg.to_gts_config();
         let static_entities = cfg.entities.clone();
-        let default_tenant_id = cfg.default_tenant_id;
         let type_schemas_cache_cfg = cfg.local_client.cache.type_schemas.to_cache_config();
         let instances_cache_cfg = cfg.local_client.cache.instances.to_cache_config();
 
@@ -105,20 +104,8 @@ impl Module for TypesRegistryModule {
 
         // Register static entities from config (before ready-mode validation)
         if !static_entities.is_empty() {
-            let tenant_id_str = default_tenant_id.to_string();
-            let entities: Vec<serde_json::Value> = static_entities
-                .into_iter()
-                .map(|mut v| {
-                    if let Some(obj) = v.as_object_mut() {
-                        obj.entry("tenant_id")
-                            .or_insert_with(|| serde_json::Value::String(tenant_id_str.clone()));
-                    }
-                    v
-                })
-                .collect();
-
-            let entity_count = entities.len();
-            let results = service.register(entities);
+            let entity_count = static_entities.len();
+            let results = service.register(static_entities);
             let summary = RegisterSummary::from_results(&results);
 
             if !summary.all_succeeded() {