New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(build/testing): add authz specific integration tests #3163

Merged

kodiakhq merged 14 commits into main from gm/authz-its

Jun 11, 2024

Contributor

GeorgeMac commented Jun 10, 2024 •

edited

Loading

This PRs does a few things, but primarily it adds ITs for Authz.

In addition, there were a couple features I snuck in to make it all possible:

The ability to add metadata to static tokens though the API
The ability to add metadata to the bootstrap token through config
All JWT claims prefixed with io.flipt.auth are copied into authentication metadata

Update:

The addition of more cases demonstrated a couple bugs, which this PR address:

DeleteNamespace was reporting itself as flag resource type. Meaning you could delete a namespace with flag delete perms.
We were not normalizing empty string for namespace to default namespace when creating requests. Meaning you would have to explicitly say I can do X in namespace "" and "default". I changed this so that it normalizes as expected.

Outstanding:

Cases around mutating actions (create, update, delete)
Cases specifically for JWT
Cases specifically for k8s
Add IT to GH workflow matrix

GeorgeMac added 7 commits

June 11, 2024 12:34


          feat(rpc/flipt): add ability to specify metadata on token creation

615dba8

Signed-off-by: George MacRorie <me@georgemac.com>


          feat(config): add ability to add arbitrary metadata on bootstrap token

57da2f3

Signed-off-by: George MacRorie <me@georgemac.com>


          feat(build/testing): add initial set of authz specific integration tests

1c0b2f6

Signed-off-by: George MacRorie <me@georgemac.com>


          fix(cmd): reorder validation interceptor after authz

27345f4

Signed-off-by: George MacRorie <me@georgemac.com>


          fix(rpc/flipt): return correct resource type for delete namespace req…

f433e0c

…uest

Signed-off-by: George MacRorie <me@georgemac.com>


          fix(rpc/flipt): normalize request namespace from empty string to default

ce53d4f

Signed-off-by: George MacRorie <me@georgemac.com>


          test(build/integration): ensure writes behave as expected for differe…

61fb467

…nt authz roles

Signed-off-by: George MacRorie <me@georgemac.com>

GeorgeMac force-pushed the gm/authz-its branch from 5baf59c to 61fb467 Compare

June 11, 2024 11:35

GeorgeMac added 2 commits

June 11, 2024 12:35


          feat(gh): add authz/sqlite IT to matrix

f109d2f

Signed-off-by: George MacRorie <me@georgemac.com>


          fix(config): update schema to support bootstrap token metadata

5a48f9a

Signed-off-by: George MacRorie <me@georgemac.com>

GeorgeMac force-pushed the gm/authz-its branch from c901dbc to 5a48f9a Compare

June 11, 2024 11:43

GeorgeMac added 3 commits

June 11, 2024 13:21


          test(build/integration): ensure we're scoping clients properly in authn

c2a7364

Signed-off-by: George MacRorie <me@georgemac.com>


          feat(authn/jwt): support copying io.flipt.auth prefixed claims into m…

754834f

…etadata

Signed-off-by: George MacRorie <me@georgemac.com>


          test(build/integration): add k8s client to authz cases

d60f217

Signed-off-by: George MacRorie <me@georgemac.com>

GeorgeMac marked this pull request as ready for review

June 11, 2024 14:31

GeorgeMac requested a review from a team as a code owner

June 11, 2024 14:31

GeorgeMac commented

View reviewed changes

internal/cmd/grpc.go Outdated Show resolved Hide resolved


          chore: remove comment in internal/cmd/grpc.go

762f638

Signed-off-by: George MacRorie <me@georgemac.com>

GeorgeMac force-pushed the gm/authz-its branch from d56843a to 762f638 Compare

June 11, 2024 14:36

GeorgeMac added the needs docs label

flipt-release-bot bot mentioned this pull request

Document: feat(build/testing): add authz specific integration tests flipt-io/docs#230

Closed

markphelps approved these changes

View reviewed changes

Collaborator

markphelps left a comment

looks great to me! thank you for doing all this! has already proven it was necessary

build/testing/integration/authz/auth.go

+              		})
+              		for _, namespace := range integration.Namespaces {
+              			t.Run(fmt.Sprintf("InNamespace(%q)", namespace.Key), func(t *testing.T) {

Collaborator

markphelps Jun 11, 2024

Suggested change

      
            			t.Run(fmt.Sprintf("InNamespace(%q)", namespace.Key), func(t *testing.T) {
          
            			t.Run(fmt.Sprintf("InNamespace(%q)", namespace.Expected), func(t *testing.T) {

Will prevent "" from showing in output

Contributor Author

GeorgeMac Jun 11, 2024 •

edited

Loading

This is to test both default and "" (blank) explicitly.
Otherwise, those two test suites will be duplicately named.

rpc/flipt/request.go

@@ @@ -107,7 +110,7 @@ func (req *UpdateNamespaceRequest) Request() Request { @@
               }
               func (req *DeleteNamespaceRequest) Request() Request {
-              	return NewRequest(ResourceFlag, ActionDelete, WithNamespace(req.Key))
+              	return NewRequest(ResourceNamespace, ActionDelete, WithNamespace(req.Key))

Collaborator

markphelps Jun 11, 2024

💯

rpc/flipt/request.go

+              		Resource:  r,
+              		Action:    a,
+              		Status:    StatusSuccess,
+              		Namespace: DefaultNamespace,

Collaborator

markphelps Jun 11, 2024

😲


          Merge branch 'main' into gm/authz-its

64876a3

markphelps added the automerge label

kodiakhq bot merged commit ca7038d into main

35 checks passed

kodiakhq bot deleted the gm/authz-its branch

June 11, 2024 19:11

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

automerge needs docs