[auth-4300] Correct guard for "Create Rule" button #4317
The code was incorrectly using a guard for the CreateProject endpoint. I suspect that may have been done as a stop-gap before <app-authorized> supported parameterized endpoints. Signed-off-by: michael sorens <msorens@chef.io>
Adding the correct guard (previous commit) made the "Create Rule" button disappear for everybody! Tracked down to this feature/bug (take your pick). We have two endpoints that use the same endpoint path:

```
ListRulesForProject /apis/iam/v2/projects/{id}/rules
CreateRule          /apis/iam/v2/projects/{project_id}/rules
```

They are equivalent--but not identical: different variable names. If they had used the same variable name, the code would have handled it. But the code did not support multiple (i.e. non-identical) entries. Now it does. Signed-off-by: michael sorens <msorens@chef.io>
Deploy preview for chef-automate ready! Built with commit 5477331
Author notes.
// Note: For POST /introspect (this handler), it should be safe to assume | ||
// that there's only ever one endpoint under consideration. |
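Review bot: the assumption stated in this comment (only one endpoint is ever under consideration for POST /introspect) is contradicted by this very PR: the commit message and the description both show two templates, `/apis/iam/v2/projects/{id}/rules` and `/apis/iam/v2/projects/{project_id}/rules`, that match the same inflated path, and the new test case covers exactly that. Suggest rewording the comment to say that several templates may match one inflated path when they differ only in variable names, and that their methods are merged under that path, so the next reader is not misled into reintroducing the single-endpoint assumption.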
... Unless you use different variable names in parameterized endpoints in the proto file! 🤷
&request.IntrospectReq{Path: "/apis/iam/v2/projects/42/rules/509"}, | ||
map[string]*response.MethodsAllowed{"/apis/iam/v2/projects/42/rules/509": {Put: true, Delete: true}}, | ||
}, | ||
"multiple response pairs matching the request with multiple http methods": { |
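Review bot: the expectation keyed by `/apis/iam/v2/projects/42/rules/509` checks only that `Put` and `Delete` are true; consider also asserting that the returned map has exactly one entry, so a regression to the BEFORE behaviour described below (each template returned under its own key with its own permissions) fails the test instead of passing with extra keys. The same single-key assertion would strengthen the new `multiple response pairs matching the request with multiple http methods` case, since the whole point of that case is that the methods collapse onto the one inflated path.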
This is the test that confirms the new supported functionality.
Description: What code changed, and why?
Users who have iam:projects:update permissions were unable to see the Create Rule button on the project details page because of this incorrect guard:

This PR corrects the guard to this:
But that is only a small part of the story of this PR. It turns out that just making that guard change did not do the job--in fact, the Create Rule button was not showing up at all! This change exposed that automate-gateway was not supporting this introspection call.
And when I say "this", I mean this single, solitary, unique endpoint. Any other endpoint would have been fine! Go figure...
This could be viewed as either a bug or a feature--take your pick. We have two endpoints that use the same endpoint path:
They are equivalent--but not identical: different variable names. If they had used the same variable name, the code would have handled it. And one could argue that they should be the same variable name, but that would introduce a breaking change to the API, so did not seem prudent. The alternative was to revise introspection to now support multiple (i.e. non-identical) entries.
After eliminating the front-end as culpable, I was able to confirm this was a back-end issue.
When introspecting parameterized endpoints, one provides the inflated endpoint in the payload, not the "template". So here it is filled in with project proj1.

BEFORE (this result is incorrect):
AFTER (this result is correct):
Notice that the HTTP methods are supposed to be combined under the single, inflated endpoint (GET and POST are both true), rather than getting the templates back individually with their individual permissions.
Caveat: Since introspection is not yet project-aware, anyone with iam:projects:update permission will see the buttons, regardless of whether they have that permission on a specific project or not.
Related Resources

Definition of Done

How to Build and Test the Change
In hab studio rebuild components/automate-gateway.

As an admin:
proj-update policy:

Login as bob:
proj-update policy:

Checklist
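As an added example (not the project's own code, and not from this PR), the following Go program models the two introspection behaviours the description contrasts: the BEFORE result, keyed per template so the two "equivalent but not identical" entries come back separately, and the AFTER result, merged under the single inflated path with GET and POST both true. The type and function names, the sample endpoint table, and the `allow` callback that stands in for the authorization check are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// MethodsAllowed mirrors the shape of the gateway's introspection response
// seen in the PR's test case. Only Put and Delete appear on the page; the
// other fields are assumed for the example.
type MethodsAllowed struct {
	Get, Post, Put, Patch, Delete bool
}

// endpoint pairs an HTTP method with a path template such as
// /apis/iam/v2/projects/{project_id}/rules (type and field names assumed).
type endpoint struct {
	Method   string
	Template string
}

// sampleEndpoints is a constructed table: the two templates from the PR that
// differ only in variable name, the rule-level PUT/DELETE pair its test case
// implies, and one unrelated template that must not match.
var sampleEndpoints = []endpoint{
	{"GET", "/apis/iam/v2/projects/{id}/rules"},
	{"POST", "/apis/iam/v2/projects/{project_id}/rules"},
	{"PUT", "/apis/iam/v2/projects/{project_id}/rules/{id}"},
	{"DELETE", "/apis/iam/v2/projects/{project_id}/rules/{id}"},
	{"GET", "/apis/iam/v2/projects/{id}"},
}

// isParam reports whether a template segment is a {variable}.
func isParam(seg string) bool {
	return len(seg) > 2 && seg[0] == '{' && seg[len(seg)-1] == '}'
}

// matchTemplate reports whether an inflated request path fits a template.
// Segments are compared pairwise; a {variable} segment accepts any non-empty
// literal, so the variable's name ({id} vs {project_id}) never affects the match.
func matchTemplate(template, path string) bool {
	t := strings.Split(strings.Trim(template, "/"), "/")
	p := strings.Split(strings.Trim(path, "/"), "/")
	if len(t) != len(p) {
		return false
	}
	for i := range t {
		switch {
		case isParam(t[i]):
			if p[i] == "" {
				return false
			}
		case t[i] != p[i]:
			return false
		}
	}
	return true
}

// setMethod records one HTTP method on a MethodsAllowed value.
func setMethod(m *MethodsAllowed, method string) {
	switch method {
	case "GET":
		m.Get = true
	case "POST":
		m.Post = true
	case "PUT":
		m.Put = true
	case "PATCH":
		m.Patch = true
	case "DELETE":
		m.Delete = true
	}
}

// collect walks the endpoint table, keeps the templates that match the path
// and that allow accepts, and groups their methods under key(ep). allow stands
// in for the authorization check; it receives no project id, which is exactly
// the "not yet project-aware" caveat in the description.
func collect(path string, eps []endpoint, allow func(endpoint) bool, key func(endpoint) string) map[string]*MethodsAllowed {
	out := map[string]*MethodsAllowed{}
	for _, ep := range eps {
		if !matchTemplate(ep.Template, path) || !allow(ep) {
			continue
		}
		k := key(ep)
		if out[k] == nil {
			out[k] = &MethodsAllowed{}
		}
		setMethod(out[k], ep.Method)
	}
	return out
}

// introspectByTemplate is the BEFORE behaviour: each matching template is
// returned under its own key with its own permissions.
func introspectByTemplate(path string, eps []endpoint, allow func(endpoint) bool) map[string]*MethodsAllowed {
	return collect(path, eps, allow, func(ep endpoint) string { return ep.Template })
}

// introspect is the AFTER behaviour: every matching template contributes its
// method to one entry keyed by the inflated path the caller asked about.
func introspect(path string, eps []endpoint, allow func(endpoint) bool) map[string]*MethodsAllowed {
	return collect(path, eps, allow, func(endpoint) string { return path })
}

func main() {
	allowAll := func(endpoint) bool { return true }
	path := "/apis/iam/v2/projects/proj1/rules"
	for tmpl, m := range introspectByTemplate(path, sampleEndpoints, allowAll) {
		fmt.Printf("BEFORE %s -> %+v\n", tmpl, *m)
	}
	for p, m := range introspect(path, sampleEndpoints, allowAll) {
		fmt.Printf("AFTER  %s -> %+v\n", p, *m)
	}
}
```

The only difference between the two behaviours is the grouping key: keying by template leaks the proto's variable names into the answer and forces the front-end to reconcile several entries, while keying by the inflated path gives the guard one object to consult. Because `allow` sees only the method and template, a user holding the permission on any project gets the same answer for every project id, which is the caveat the description calls out.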