authz: Drop requirement for installing authz providers in every service

[eseliger]

This is a register call that is easy to forget. When forgotten, all queries against the repo store will block forever.

In addition, this adds a hard-dependency on conf to every services startup, plus a busy loop. With multi-tenant, this will not work great because authz providers would be a global, and we instead want most things to be ephemeral so they're per-provider. This is a step toward that, but doesn't yet remove the providers global variable.

Good news, it turns out that we don't actually need to register the providers in every service! The reason they were required was to check if zero providers are configured, or if authzbypass mode is enabled.

Authz bypass mode is usually ON, except when there are problems with the authz providers, meaning some authz providers might not be able to sync permissions. Bypassing of permissions is only ever happening if there are ALSO zero providers configured.

So this is basically an optimization for the case where an instance has zero authz configured so that the SQL queries are a bit simpler. This also helps in tests because with bypass mode on and no providers configured, authz enforcement is effectively off in the repo store.
This makes it so that in tests we need to do slightly more work, but also makes for a more realistic test vs at runtime setup. Also, it's highly recommended to use mocks for DB wherever possible in more high-level components to keep tests fast.

To never have a scenario where we accidentally mess up here and enable bypass mode erroneously, this PR drops that entirely. Authz is always enforced, but when a code host connection is unrestricted (i.e., will not spawn a provider) the repos are still visible, so this should be no change over before.

Test plan

The stack starts and works, and all CI tests are still passing. Code review should help as well.

[eseliger]

• searcher: Consolidate FetchTar and FetchTarPaths #64268
• chore: Move cmd/frontend/backend to internal #64261
• auth: Remove redirects to session package #64260
• chore: Cleanup more cross-cmd imports #64259
• oidc: Don't require to run refresh on provider init #64159
• chore: Remove unnecessary _ imports #64158
• chore: Move cmd/frontend/webhooks to cmd/frontend/internal #64157
• frontend: Consolidate remaining registry packages #64156
• frontend: Remove global conf server variable #64155
• chore: move internal/suspiciousnames to cmd/frontend/internal #64071
• chore: remove cmd/frontend/external redirection package #64070
• chore: move cmd/frontend/oneclickexport to cmd/frontend/internal/oneclickexport #64069
• chore: Simplify license routines #64068
• chore: Remove unused loghandlers package #64067
• chore: Deglobalize oneclickexporter instance #64066
• chore: move internal/highlight to cmd/frontend #64065
• chore: move internal/conf/validation to cmd/frontend #64064
• auth: Fix Found page response when redis is down #64063
• chore: Remove redis init side-effect of app.NewHandler #64062
• chore: Init userpasswd provider where we initialize every other authn provider #64061
• chore: Remove global externalURL watcher #64058
• cleanup: Move azure openai provider config validation to right place #64056
• chore: Don't pass nil context #64055
• chore: Remove cmd/frontend/external/app #64054
• licensecheck: Make proper goroutine #63655
• chore: Make return type more obvious #63651
• subrepo: More explicitly define supported hosts #63650
• Move internal/session into cmd/frontend/internal #63649
• chore: Move authn into cmd/frontend #63648
• authz: Compute providers on the fly #64012
• authz: Drop requirement for installing authz providers in every service #63743 👈
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

Join @eseliger and the rest of your teammates on Graphite

[eseliger]

this join was missing, the authzquery conds could generate an invalid query here

[ggilmore]

Is this an unrelated fix that you just noticed?

[eseliger]

no, now that perms are actually enforced in tests by default this showed in a SQL error during tests 🙈

[eseliger]

this matches how this is invoked at runtime

[ggilmore]

This looks good overall, but I'm a bit lost on some of the changes (the ones I commented on) - hard for me to tell if those changes are unrelated fixes or of I'm missing something about the impact of the change here

[pjlast]

Seems good to me. Trusting tests and manual testing here as well