UI/update auth form to fetchRoles after a namespace is inputted, prior to OIDC auth #19541
Conversation
|
Thanks for going after this. I know we're waiting for an AD FS environment, but a reminder to add the backport labels. |
This is a different bug actually, so no need to wait for AD FS to reproduce. There aren't release milestone tags made for the next patch version yet - so holding off on adding PR tags until they've been created. Should have mentioned this! |
hellobontempo
added
backport/1.11.x
backport/1.13.x
hellobontempo
changed the title
hellobontempo
changed the title
hellobontempo
changed the title
| try { | ||
| await this.fetchRole.perform(this.roleName, { debounce: false }); | ||
| } catch (error) { | ||
| // this task could be cancelled if the instances in didReceiveAttrs resolve after this was started | ||
| if (error?.name !== 'TaskCancelation') { | ||
| throw error; | ||
| } | ||
| } |
There was a problem hiding this comment.
I can't see an issue with moving this above the conditional. If anything, since a role is required it should have come before in the first place to ensure we have the necessary data.
There was a problem hiding this comment.
That's my understanding? I'm guessing it wasn't above before because firing it off in didReceiveAttrs seems like it'd be sufficient. Unfortunately the conditionals that wrap fetchRole in that function don't account for the namespace updating
| @@ -32,18 +32,16 @@ | |||
| </li> | |||
| {{/let}} | |||
| {{/each}} | |||
| {{#if this.hasMethodsWithPath}} | |||
There was a problem hiding this comment.
This condition is already wrapped higher up correct? It looks like removing it is the only change here.
There was a problem hiding this comment.
Yeah - meant to comment. It looked like this was redundant? So removed to clean it up - but want to make sure I'm not misreading...
| @@ -88,4 +89,90 @@ module('Acceptance | Enterprise | namespaces', function (hooks) { | |||
| 'Does not prepend root to namespace' | |||
| ); | |||
| }); | |||
|
|
|||
| module('auth form', function (hooks) { | |||
There was a problem hiding this comment.
I don't think I've seen modules nested in other modules before. Neat idea!
There was a problem hiding this comment.
I copied @hashishaw 's idea from the pki tests, thought it was a neat way to organize. (And make the setup reusable if/when we add more namespace tests?) : https://github.com/hashicorp/vault/blob/main/ui/tests/acceptance/pki/pki-engine-workflow-test.js#L154
|
|
||
| module('auth form', function (hooks) { | ||
| setupMirage(hooks); | ||
| const SELECTORS = { |
There was a problem hiding this comment.
Usually these live outside of the module, not sure if it's necessary but this here caught me off guard
There was a problem hiding this comment.
Yeah I didn't know what to do with the module in a module situation? Should I move them just outside this module? or outside the "parent" module?
| }); | ||
| await visit('/vault/auth?with=oidc%2F'); | ||
| assert.dom(SELECTORS.authTab(this.rootOidc)).exists('renders oidc method tab for root'); | ||
| await authPage.namespaceInput(this.namespace); |
There was a problem hiding this comment.
Is it worth using the typeIn method here rather than the page object's fillable (which I think uses fillin under the hood)?
There was a problem hiding this comment.
I actually used fillIn on purpose because that's what caused the bug in the first place
…r to OIDC auth (#19541) * re-fetch roles if there is a namespace * remove redundant conditional * reorder oidc auth operations * add test * test cleanup * add changelog
…is inputted, prior to OIDC auth #19541 (#19661) * UI/update auth form to fetchRoles after a namespace is inputted, prior to OIDC auth (#19541) * re-fetch roles if there is a namespace * remove redundant conditional * reorder oidc auth operations * add test * test cleanup * add changelog * UI: fix enterprise test failures (#19671) * move oidc tests into new file * remove module from namespace test * remove entered line * add logout to afterEach hook * remove ns test * move test setup to within test * use logout.visit() instead * updates oidc auth namespaces test * reverts to authPage logout --------- Co-authored-by: Jordan Reimer <zofskeez@gmail.com> --------- Co-authored-by: Jordan Reimer <zofskeez@gmail.com>
hellobontempo
deleted the
ui/VAULT-12868/update-auth-method-with-direct-nav
branch
So this was tricky to reproduce and due to the whack-a-mole nature of these bugs, here is a very thorough breakdown:
The auth form component updates as the namespace changes to show the correct associated login methods (and corresponding button styles, if applicable). This means the form often reverts to the dropdown menu because by default auth methods are not listed as tabs when unauthenticated (this is a separate config option)
Notice in the gif below, there is an
oidctab because in/Rootoidc has been configured solisting_visibility='unauth'(docs). However, as another namespace is typed, the default form changes becausetestnshas no unuath'd methods.the bug 🐛
For both OIDC and JWT, the
roleis updated when the method is selected and theAuthJwtcomponent fires off itsdidReceiveAttrslifecycle hook which runs the taskfetchRolewith whatever namespace has been set by the url params.If a user very quickly types in a namespace (
admin) that has the same method (oidc), mounted at the same path (alsooidc) but only one of them have a default role configured (stick with me!) then the UI remains on theoidctab, but the task to fetch for a role is not re-fired with the new namespace value. This is because thefetchRoleonly fires if the auth path has changed. You can see in the gif when we go from root to theadminnamespace, we get theInvalid roleerror because root does not have a default role. However, after refreshing, the namespace stays in the url params and thus the role is set properly.fix 🔧
Because the component is often torn down when the namespace changes it doesn't make sense to check if the namespace has changed (like we do for the auth path by
this.oldSelectedAuthPath !== this.selectedAuthPath).Instead, opted to reorder the methods in
startOIDCAuthand tested with the following situations to insure the bug fixes introduced by #17661 were preserved.incorrect-uris-oidc/with missing URI datamissing-role-oidcwith no role configuredproper-config-oidcwith a default role setup, properly