Modify that web action in the bound package can be accessed.

[upgle]

Description

Recently, many users want to share their web actions with the package.
but, the web action in the bound package can't be accessed in the browser.

Because when it is invoked in the browser, it doesn't resolve an action to find original fully qualified action name. so, I added the action name resolver.

HOW TO TEST.

bind a package that contains web actions and access web action which is in the bound package using your browser, you may see errors like the image below.

Fixed

Now, the bound web action can be accessed in the browser.

Related issue and scope

• I opened an issue to propose and discuss this change (#????)

My changes affect the following components

• API
• Controller
• Message Bus (e.g., Kafka)
• Loadbalancer
• Invoker
• Intrinsic actions (e.g., sequences, conductors)
• Data stores (e.g., CouchDB)
• Tests
• Deployment
• CLI
• General tooling
• Documentation

Types of changes

• Bug fix (generally a non-breaking change which closes an issue).
• Enhancement or new feature (adds new functionality).
• Breaking change (a bug fix or enhancement which changes existing behavior).

Checklist:

• I signed an Apache CLA.
• I reviewed the style guides and followed the recommendations (Travis CI will check :).
• I added tests to cover my changes.
• My changes require further changes to the documentation.
• I updated the documentation where necessary.

[codecov-io]

Codecov Report

Merging #3880 into master will decrease coverage by 4.86%.
The diff coverage is 100%.

@@            Coverage Diff             @@
##           master    #3880      +/-   ##
==========================================
- Coverage   86.09%   81.22%   -4.87%     
==========================================
  Files         148      148              
  Lines        7249     7240       -9     
  Branches      442      440       -2     
==========================================
- Hits         6241     5881     -360     
- Misses       1008     1359     +351

Impacted Files	Coverage Δ
.../main/scala/whisk/core/controller/WebActions.scala	92.43% <100%> (+1.27%)	⬆️
...core/database/cosmosdb/RxObservableImplicits.scala	0% <0%> (-100%)	⬇️
...core/database/cosmosdb/CosmosDBArtifactStore.scala	0% <0%> (-95.54%)	⬇️
...sk/core/database/cosmosdb/CosmosDBViewMapper.scala	0% <0%> (-92.6%)	⬇️
...whisk/core/database/cosmosdb/CosmosDBSupport.scala	0% <0%> (-83.34%)	⬇️
...abase/cosmosdb/CosmosDBArtifactStoreProvider.scala	0% <0%> (-58.83%)	⬇️
...la/whisk/core/database/cosmosdb/CosmosDBUtil.scala	92% <0%> (-4%)	⬇️
...ain/scala/whisk/core/entitlement/Entitlement.scala	88.42% <0%> (-2.48%)	⬇️
...cala/src/main/scala/whisk/http/ErrorResponse.scala	93.25% <0%> (+1.12%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 708274c...eb9f4d8. Read the comment docs.

[rabbah]

Thanks for trying this. There are some issues to be aware of for packaged actions as web actions via bindings. The lack of support isn’t a bug (it was intentional at the time). This has come up before so it’s worthwhile to try and enable this.

1. If an action isn’t already a web action in the package, it can’t be accessed as a web action through the binding. That is a subject that binds the action can’t make it a web action (unless they already own it). So the creator/sharer of the package decides which of the actions to make available as web actions. Inherently this could create a dependence the subject can't control.

2. The entitlement check for a web action today is straightforward: namespace must own both and so implicitly entitled to them. With a binding you need to check if the binding continues to have rights to the bound package.

3. And of course you’ll need to add tests for the change/new feature.

[upgle]

@rabbah
Thank you for your feedback and sorry that I thought it was a bug.
I will add some test codes including the rights check and suggest it again.

[upgle]

@rabbah

I modified it to check the entitlement and added tests.
Now, It returns the authentication error if a web action has no entitlement.

{
  "error": "The supplied authentication is not authorized to access 'whisk.system/share'.",
  "code": "NmSIY4dJanMT7YS3MPwFoOPL4Np72g5B"
}

Could you please remove WIP label and review again?

[upgle]

I fixed a conflict. please review it.

[rabbah]

I don't think this is quite right - take a look at my comment. I suggest therefore also adding additional tests to cover the issues I pointed out.

[rabbah]

i dont believe this is right - the resolveAction method returns just the name of the action in the base package, and so getting that action means you'll miss the bound parameters. I think you want to use resolveActionAndMergeParameters instead.

[upgle]

Oh... I understand I'll modify it soon.

[rabbah]

this check also checks the throttles - which means there's now a redundant check for throttles.
the code (before this pr), did not check entitlement through the provider because it can implicitly infer the owner (there's no indirection through a binding) so it only checked throttles.

[upgle]

Thank you for your kind review. I've removed existing entitlementProvider.checkThrottles(), then modified to use only entitlementProvider.check ().

[upgle]

build passed :)

[upgle]

@rabbah Maybe it's done. could you please review it again? 😅

[rabbah]

i think here you've missed the throttle check that was removed above.

[rabbah]

i think this is complicating logic unnecessary - now you're dealing with 3 cases:

1. action in default package
2. action in a proper package
3. action in a bound package (new)

You might as well normalize all three code paths - it's not clear to me from looking at this small change here that the changes are complete (and as noted above, I think you missed on throttle check).

[upgle]

@rabbah
yes, I agree that it looks complicated. so I've changed some codes. (removed pkgLookup method which is not necessary anymore)

1. action in a default package no need to resolve, just check entitlement and if it is exported.
2. action in a bound package(new) is handled by actionLookup() and resolveActionAndMergeParameters(), it would resolve action and merge parameters.
3. check whether action is in a proper package -> It check whether an action is exported by confirmExportedAction() method
4. and all types of action is checked for entitlement and throttle by checkEntitlement() method

please check changed code here

private def verifyWebAction(actionName: FullyQualifiedEntityName, authenticated: Boolean)(
    implicit transid: TransactionId) = {

    // lookup the identity for the action namespace
    identityLookup(actionName.path.root) flatMap { actionOwnerIdentity =>
      confirmExportedAction(actionLookup(actionName), authenticated) flatMap { a =>
        checkEntitlement(actionOwnerIdentity, a) map { _ => (actionOwnerIdentity, a)}
      }
    }
  }

https://github.com/apache/incubator-openwhisk/pull/3880/files#diff-a356e6b010b8aeb5ea7b6f7fec395038R535

[junoyoon]

@upgle is it done?

[rabbah]

The last commit looks a lot better now - I'll review more thoroughly.

[upgle]

@junoyoon no, i'm waiting for review.

@rabbah ok, tell me if I missed something.

[rabbah]

I apologize that I couldn't review this sooner. I think the changes are correct now but please see the comments - there's a couple more minor things we should address for this change.

[rabbah]

We should add a comment that while parameters are merged, annotations are not. This is important because the web annotation is on an action not an entire package. We should separately add a test for this invariant.

[rabbah]

need to update the docs here: https://github.com/apache/incubator-openwhisk/blob/master/docs/webactions.md#additional-features the precedence order would now also include package binding parameters.

[upgle]

ok I'll update the docs soon.

[rabbah]

thank you - it might be worth adding a section in the docs about web actions for packages and bindings (taking in some of my comments below). what do you think?

[rabbah]

here the identity is tied to how the action is invoked: if the path is relative to the package, it's the owner of the package. But if it's via the binding, the identity is the owner binding. The two identities are not the same. It might also not make sense to invoke an action in a public package since it might require a binding to work correctly.

[rabbah]

another aspect to document: a web action in a public package cannot be disabled so any (private) binding of the package will have the web action exposed.

[rabbah]

we should add some tests for resolveActionAndMergeParameters to preserve the behavior represented by these request rejections (missing package or malformed package).

[upgle]

resolveActionAndMergeParameters method is for mock testing, and the code which is removed here is covered in this line. https://github.com/apache/incubator-openwhisk/blob/91ec9bca7d5f6d0c8c95018a2c9fede131b02b6b/core/controller/src/main/scala/whisk/core/controller/WebActions.scala#L677

also, test for missing package exists already here.
https://github.com/apache/incubator-openwhisk/blob/91ec9bca7d5f6d0c8c95018a2c9fede131b02b6b/tests/src/test/scala/whisk/core/controller/test/WebActionsApiTests.scala#L362

[rabbah]

another aspect to document: a web action in a public package cannot be disabled so any (private) binding of the package will have the web action exposed.

[rabbah]

need to update the docs here: https://github.com/apache/incubator-openwhisk/blob/master/docs/webactions.md#additional-features the precedence order would now also include package binding parameters.

[rabbah]

there's no test for actually using a package binding here (if there is, it would fail since the parameter inheritance does not include the binding).

[rabbah]

I fixed the test fixture cleanup and also tweaked one test.

[upgle]

@rabbah test is passed. thank you for your support 👍

[rabbah]

Thank you @upgle for your contribution.