[automate-3198] reduce validation #3312
Conversation
blakestier
force-pushed
the
automate-3198/reduce-validation
branch
5 times, most recently
from
4250081 to
fee7483
Compare
blakestier
changed the title
| @@ -13,7 +13,7 @@ import ( | |||
| // TimestampName returns a name with a timestamp | |||
| func TimestampName() string { | |||
| ts := time.Now() | |||
| return "integration-diagnostic-" + ts.Format("20060102150405") | |||
| return "diagnostic-" + ts.Format("20060102150405") | |||
There was a problem hiding this comment.
didn't fit the new char limit
| @@ -948,7 +948,7 @@ | |||
| end | |||
|
|
|||
| after(:all) do | |||
| resp = automate_api_request("/apis/iam/v2/projects/#{CUSTOM_RULE[:project_id]}/rules/#{CUSTOM_RULE[:id]}", http_method: 'DELETE') | |||
| resp = automate_api_request("/apis/iam/v2/projects/#{CUSTOM_RULE_1[:project_id]}/rules/#{CUSTOM_RULE_1[:id]}", http_method: 'DELETE') | |||
blakestier
added
auth-team
| @@ -134,31 +134,11 @@ func TestValidationCreatePolicy(t *testing.T) { | |||
| Statements: []*v2.Statement{&validStatement}, | |||
| }, | |||
| // projects | |||
| "whitespace projects list": &v2.CreatePolicyReq{ | |||
There was a problem hiding this comment.
these are all pushed into server tests?
There was a problem hiding this comment.
Several that were about validation are removed as they are now the equivalent of a "not found"-- instead of duplicating more invalid things that would result in "not found", I removed them.
There was a problem hiding this comment.
Looks good to me!
I did find something that we should probably fix in another card:
Fetching a rule with a missing rule ID gets the nice validation error you added.
[42][default:/src:0]# curl -kH "api-token: $TOK" https://a2-dev.test/apis/iam/v2/projects/neato/rules/ | jq
{
"error": "a rule id is required and must contain at least one non-whitespace character",
"code": 3,
"message": "a rule id is required and must contain at least one non-whitespace character",
"details": []
}
But fetching a project with a missing ID gets this error that's a bit of a red herring:
[47][default:/src:0]# curl -kH "api-token: $TOK" https://a2-dev.test/apis/iam/v2/projects/ | jq
{
"error": "error authorizing action \"iam:projects:get\" on resource \"iam:projects:\" filtered by projects [] for members [\"token:admin-token-1586543035\"]: rpc error: code = InvalidArgument desc = invalid ProjectsAuthorizedReq.Resource: value does not match regex pattern \"^[a-z][^:*]*(?::[^:*]+)*$\"",
"code": 7,
"message": "error authorizing action \"iam:projects:get\" on resource \"iam:projects:\" filtered by projects [] for members [\"token:admin-token-1586543035\"]: rpc error: code = InvalidArgument desc = invalid ProjectsAuthorizedReq.Resource: value does not match regex pattern \"^[a-z][^:*]*(?::[^:*]+)*$\"",
"details": []
}
| @@ -189,8 +189,8 @@ func TestGetProject(t *testing.T) { | |||
| grpctest.AssertCode(t, codes.InvalidArgument, err) | |||
| assert.Nil(t, resp) | |||
| }}, | |||
| {"if the project id is invalid, returns 'invalid argument'", func(t *testing.T) { | |||
| resp, err := cl.GetProject(ctx, &api.GetProjectReq{Id: "no spaces allowed"}) | |||
There was a problem hiding this comment.
so these no space allowed would return not found right? Could we add tests that verify that behavior?
There was a problem hiding this comment.
since we're not validating at this level, an invalid name is the same as a not found. there are other tests for not found names, but they seemed functionally equivalent. What do think?
| return err | ||
| } | ||
|
|
||
| func confirmRequiredField(field, fieldName, resourceName string) error { |
| if err != nil { | ||
| return nil, status.Errorf(codes.InvalidArgument, err.Error()) | ||
| } | ||
| err = validateProjects(req.Projects) |
There was a problem hiding this comment.
You have two calls to this new function, but they return very different messages from each other. Was that intentional...?
There was a problem hiding this comment.
Yes-- once it's called within the primary server call itself (where the code is processed/returned), the other time in a helper, which just bubbles the error. That said, I can try to make that less confusing!
| @@ -881,8 +881,8 @@ func TestGetPolicy(t *testing.T) { | |||
| require.Nil(t, pol) | |||
| grpctest.AssertCode(t, codes.InvalidArgument, err) | |||
| }}, | |||
| {"fails with InvalidArgument when ID isn't valid", func(t *testing.T) { | |||
| req := api_v2.GetPolicyReq{Id: "no spaces"} | |||
| {"fails with InvalidArgument when ID is whitespace", func(t *testing.T) { | |||
There was a problem hiding this comment.
I think this change to "is whitespace" is valuable; consider propagating to the other touched tests in this file that still say "is not valid".
| p, err := storage.NewProject(req.Id, req.Name, storage.Custom, storage.NoRules) | ||
| if err != nil { | ||
| return nil, status.Errorf(codes.InvalidArgument, | ||
| return nil, status.Errorf(codes.Internal, |
| @@ -74,9 +74,9 @@ func TestCreateRule(t *testing.T) { | |||
| grpctest.AssertCode(t, codes.InvalidArgument, err) | |||
| assert.Nil(t, resp) | |||
| }}, | |||
| {"if the passed rule project id is invalid, returns 'invalid argument'", func(t *testing.T) { | |||
| {"if the passed rule project id is empty spaces, returns 'invalid argument'", func(t *testing.T) { | |||
There was a problem hiding this comment.
Consistency with previous 2 files suggest "is whitespace":
| {"if the passed rule project id is empty spaces, returns 'invalid argument'", func(t *testing.T) { | |
| {"if the passed rule project id is whitespace, returns 'invalid argument'", func(t *testing.T) { |
| if len(actions) == 0 { | ||
| return errors.New("a role must contain at least one action") |
There was a problem hiding this comment.
I see this check is covered by the proto file so OK to remove it here. (Just wondering if we are happy with that error message vs. this one, thinking about our move away from proto-validation. 🤔 ).
| if len(actions) == 0 { | ||
| return errors.New("a role must contain at least one action") | ||
| } | ||
| err := ValidateProjects(projects) |
There was a problem hiding this comment.
Is this check covered elsewhere?
There was a problem hiding this comment.
Oh the unassigned! Now it is :D
Signed-off-by: Blake Johnson <[email protected]>
Signed-off-by: Blake Johnson <[email protected]>
Signed-off-by: Blake Johnson <[email protected]>
Signed-off-by: Blake Johnson <[email protected]>
Signed-off-by: Blake Johnson <[email protected]>
Signed-off-by: Blake Johnson <[email protected]>
Signed-off-by: Blake Johnson <[email protected]>
Signed-off-by: Blake Johnson <[email protected]>
Co-Authored-By: M Sorens <[email protected]>
Co-Authored-By: M Sorens <[email protected]>
Signed-off-by: Blake Johnson <[email protected]>
Signed-off-by: Blake Johnson <[email protected]>
blakestier
force-pushed
the
automate-3198/reduce-validation
branch
from
4a8cc20 to
b324067
Compare
blakestier
force-pushed
the
automate-3198/reduce-validation
branch
4 times, most recently
from
7bc89f0 to
8d31cf9
Compare
Signed-off-by: Blake Johnson <[email protected]>
blakestier
force-pushed
the
automate-3198/reduce-validation
branch
from
8d31cf9 to
9511906
Compare
bcmdarroch
force-pushed
the
automate-3198/reduce-validation
branch
from
c5d745f to
50060ef
Compare
Signed-off-by: Brenna Hewer-Darroch <[email protected]>
bcmdarroch
force-pushed
the
automate-3198/reduce-validation
branch
from
50060ef to
e4dd2b9
Compare
| @@ -151,10 +160,15 @@ func (s *ProjectState) CreateProject(ctx context.Context, | |||
|
|
|||
| func (s *ProjectState) UpdateProject(ctx context.Context, | |||
| req *api.UpdateProjectReq) (*api.UpdateProjectResp, error) { | |||
|
|
|||
| err := confirmRequiredIDandName(req.Id, req.Name, "project") | |||
There was a problem hiding this comment.
[nit] It looks weird, but the canonical casing here would be this:
| err := confirmRequiredIDandName(req.Id, req.Name, "project") | |
| err := confirmRequiredIDAndName(req.Id, req.Name, "project") |
...but I'm down to turning a blind eye 🙈
There was a problem hiding this comment.
this does seem like an opportunity conceding that the "right" way is not always the most readable, huh
There was a problem hiding this comment.
Yeah probably. Also naming is hard 😉
Co-Authored-By: Stephan Renatus <[email protected]>
Co-Authored-By: Stephan Renatus <[email protected]>
|
FYI: Created issue #3371 to mirror this strategy change to teams and authn services. |
Signed-off-by: Blake Johnson <[email protected]>
blakestier
force-pushed
the
automate-3198/reduce-validation
branch
2 times, most recently
from
751ac0f to
cb80e5b
Compare
Signed-off-by: Blake Johnson <[email protected]>
blakestier
force-pushed
the
automate-3198/reduce-validation
branch
from
cb80e5b to
bb21886
Compare
🔩 Description: What code changed, and why?
When creating a project, we use the same validation as other objects at the server level: character count must be 64 or less.
However, we auto-generate several roles and policies using that id and additional characters. The resulting policy id can then be over the expected limit, making it impossible to Get the policy bc of our validation on id length in Get requests.
With this change,
project_idsmust be 48 chars or less (allowing the other id creation without trouble).Validation on policy Get requests (and, while I was in there, all other resource requests that didn't create the id) no longer validate on length. Instead, validation confirms the required field is present and has more than whitespace characters.
It was a toss up whether to put the validation for this in the server (where we do our other proto validations, and where the problem would be caught early) or in the db (where we probably should have our more fine-grained validation code). The answer is probably both, but this change keeps it in the server, with a few moves to storage-level validation that had parity with this kind of validation.
👟 How to Build and Test the Change
start on a studio without this version of authz
make a project with an id longer than 50 chars
curl -kH "api-token: $TOK" -d '{"name":"p123456789p123456789p123456789p123456789p123456789p123456789", "id":"p123456789p123456789p123456789p123456789p12342222"}' https://a2-dev.test/apis/iam/v2/projectsattempt to fetch the associated policy (this should fail)
curl -kH "api-token: $TOK" https://a2-dev.test/apis/iam/v2/policies/p123456789p123456789p123456789p123456789p123456789p123456789-project-editorsrebuild components/authz-serviceattempt to fetch the same policy (should now succeed)
curl -kH "api-token: $TOK" https://a2-dev.test/apis/iam/v2/policies/p123456789p123456789p123456789p123456789p123456789p123456789-project-editorsattempt to create a project with an id longer than 48 chars (should now fail)
curl -kH "api-token: $TOK" -d '{"name":"p123456789p123456789p123456789p123456789p123456789p123456789", "id":"p123456789p123456789p123456789p123456789p12342222"}' https://a2-dev.test/apis/iam/v2/projects {"error":"invalid CreateProjectReq.Id: value does not match regex pattern \"^[a-z0-9-_]{1,48}$\"","code":3,"message":"invalid CreateProjectReq.Id: value does not match regex pattern \"^[a-z0-9-_]{1,48}$\"","details":[]}Also, any other requests (GetRule, GetPolicy, etc) now fail with InvalidArg if the required ids are blank or absent.
✅ Checklist
📷 Screenshots, if applicable