Add validate namespace endpoint to m3ctl

[m-sandusky]

This PR adds a namespace validation endpoint to m3ctl. Will probably add a couple more tests before merging.

[coveralls]

Coverage decreased (-0.06%) to 52.727% when pulling 136e0a5 on add-validation-endpoint into 706b2dd on master.

[coveralls]

Coverage decreased (-0.06%) to 52.727% when pulling 136e0a5 on add-validation-endpoint into 706b2dd on master.

[coveralls]

Coverage decreased (-0.4%) to 52.42% when pulling e4dd37f on add-validation-endpoint into 706b2dd on master.

[coveralls]

Coverage decreased (-0.4%) to 52.42% when pulling e4dd37f on add-validation-endpoint into 706b2dd on master.

[xichen2020]

Perhaps make validator part of the StoreOptions?

[m-sandusky]

I thought about this, and to me if we're going to throw an error on the validator no being present (from the below comment) then it would make sense to have the Validator be a required param.

However, if passing a Validator should be optional then the endpoint should have a successful validation for every request if no validator was configured for the store. I've added the logic for this but can change it back.

[xichen2020]

Perhaps call this ValidateRuleSet to be more accurate?

[xichen2020]

I'd check if s.validator is nil and return an errNilValidator = errors.New("validator not provided") just to be defensive.

[jskelcy]

would it be reasonable to panic on NewStore if no validator is passed in? We have a stub validator so even for tests there should always be one available.

[m-sandusky]

That's interesting - essentially we want the validator that is used in the instance of kv.TxnStore in the construction of NewStore to be the same. We allow for a nil validator to be passed in there (and bypass any validation if so) so if that's the case I'd assume everything passed to the validation endpoint should succeed.

[xichen2020]

nit: error messages should start with lowercase letters. Also might be easier on the eyes to say
namespaceID param %s and ruleset namespaceID %s do not match?

[xichen2020]

Perhaps just return Ruleset is valid?

[xichen2020]

How is auth going to work for validation endpoint? Is it "if a user has read access, then he/she can validate?" Or does he/she need to have write access to validate?

[m-sandusky]

Left a comment on this earlier - not sure why it didn't post. In any case this is a good point. If the requester does not have write access, due to how the current auth is set up, they will not be validated for the endpoint. The way around this is to make the endpoint GET or to change how we do auth.

[xichen2020]

I think we can make the NewAuthHandler take an additional parameter authType:

type authorizationType int

const (
  none authorizationType
  readOnly
  writeOnly
  readWrite
)

func (a simpleAuth) NewAuthHandler(
  authType authorizationType,
  next http.Handler,
  errHandler errorResponseHandler,
) http.Handler {
  ...
}

return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
  ...
  switch authType {
    case none:
      ...
    case readOnly:
      ...
    case writeOnly:
      ...
    case readWrite:
      ...
}

Then in service.go, register the auth type

func registerRoute(router *mux.Router, path, method string, handler http.Handler) error {
  authType, exists := authRegistry[endpoint{Path:path, Method: method}]
  if !exists {
    // Should make this a method instead.
    switch method:
    case http.GET:
      authType = readOnly
    case http.POST, ...:
      authType = writeOnly
    default:
      return errUnknownHTTPMethod
  }
  fn := h.wrap(authType, handler)
  router.Handle(path, fn).Methods(method)
  return nil
}

func (h r2Handler) wrap(authType authorizationType, fn r2HandlerFunc) http.Handler {
	f := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if err := fn(w, r); err != nil {
			h.handleError(w, err)
		}
	})
	return h.auth.NewAuthHandler(authType, f, writeAPIResponse)
}

type endpoint struct {
  Path string
  Method string
}

var authRegistry = map[endpoint]authorizationType{
  {Path: namespaceValidePath, Method: http.POST}: readOnly
}

[xichen2020]

Hm we should use the UUID rather than the name no?

[m-sandusky]

Yup, changed.

[xichen2020]

Hm we should use the UUID rather than the name no?

[xichen2020]

nit: add a period at the end.

[xichen2020]

ValidateRuleSet is probably more accurate in this case.

[jskelcy]

NIT:
Given that this function is only called in this file, and ruleSetSnapshot would be the only stuct with methods on it. Perhaps make this function take a ruleSetJSON and return a ruleSetSnapshot. The It might also have it as sort of public util function.

[m-sandusky]

I was following the general convention with converting the JSON structs to View/Snapshots (for better or for worse), open to change if you feel strongly about it :)

[jskelcy]

I dont know enough to say either way, but could the validator go on the r2StoreOptions? If we already have a catch-all for parameters to this function perhaps we should just add it there instead.

[m-sandusky]

Yup, added there

[m-sandusky]

@xichen2020 @jskelcy Thanks for the review! I've addressed your comments.

[m-sandusky]

I thought about this, and to me if we're going to throw an error on the validator no being present (from the below comment) then it would make sense to have the Validator be a required param.

However, if passing a Validator should be optional then the endpoint should have a successful validation for every request if no validator was configured for the store. I've added the logic for this but can change it back.

[m-sandusky]

That's interesting - essentially we want the validator that is used in the instance of kv.TxnStore in the construction of NewStore to be the same. We allow for a nil validator to be passed in there (and bypass any validation if so) so if that's the case I'd assume everything passed to the validation endpoint should succeed.

[m-sandusky]

Should we edit the actual endpoint to reflect this as well? ie (/namespaces/{namespace_id}/validate_rule_set)

[m-sandusky]

I was following the general convention with converting the JSON structs to View/Snapshots (for better or for worse), open to change if you feel strongly about it :)

[m-sandusky]

Yup, changed.

[m-sandusky]

Yup, added there

[coveralls]

Coverage increased (+4.0%) to 56.772% when pulling 658b6a7 on add-validation-endpoint into 706b2dd on master.

[coveralls]

Coverage increased (+4.0%) to 56.772% when pulling 658b6a7 on add-validation-endpoint into 706b2dd on master.

[jskelcy]

This appears to be the convention but is there a need for this deref @xichen2020 ?

[xichen2020]

Yeah so this is to ensure the options are immutable.

[jskelcy]

1. I think you can just return a string, no need to use fmt.Sprintf

2. Given that this just returns a string that tells the caller that seems a little self-explanatory do you think this function could just return an error?

[m-sandusky]

1. Thanks - nice catch.
2. Following convention on the other endpoints that return string values in the service (ie deleteMappingRule, deleteRollupRule, etc.) I'm open to whatever either way.

[jskelcy]

Im double checking on this for OSS but I think we may want to use github.com/satori/go.uuid

[m-sandusky]

Yeah, I've used this on in the past as well. m3ctl uses "github.com/pborman/uuid" in other places though so I didn't want add a new dependency for a similar use case. @xichen2020 Do you have any thoughts?

[xichen2020]

Fine w/ either, as long as there's only one for the repo.

Also, please add a blank line between m3db imports and 3rd party imports.

[jskelcy]

If a rule is being added, not updated is that when there would not be an ID for a rule? I might update the comment to explain what the scenario is where this happens.

[m-sandusky]

Yeah that's exactly it - I'll add a comment for this scenario.

[xichen2020]

nit: Change the comment to ruleSetSnapshot creates a ....

You might also make this behavior controlled by an enum passed in though (e.g., genIDType), e.g., if this is an update request, we probably shouldn't generate the missing IDs since that should be a validation error.

[coveralls]

Coverage increased (+4.0%) to 56.772% when pulling 3965184 on add-validation-endpoint into 706b2dd on master.

[jskelcy]

If the mapping id is an empty string and opts.generateMissingID is false this will continuously overwrite rss.MappingRules[""]. Im not sure what the best behavior is, maybe just leave it out of the list? But I think just taking whatever the last rule is and adding that to the snapshot while dropping all the other ones is kind of confusing.

[m-sandusky]

Updated per in person conversation

[jskelcy]

address the empty string rule id issue.

[coveralls]

Coverage increased (+4.0%) to 56.772% when pulling abc04c3 on add-validation-endpoint into 706b2dd on master.

[coveralls]

Coverage increased (+4.0%) to 56.772% when pulling abc04c3 on add-validation-endpoint into 706b2dd on master.

[xichen2020]

Yeah so this is to ensure the options are immutable.

[xichen2020]

Perhaps we should return an error here instead? If we accidentally forget setting the validator in the options, and someone calls the validation endpoint, we should return an error saying the validator is not set instead of returning ok?

[xichen2020]

Fine w/ either, as long as there's only one for the repo.

Also, please add a blank line between m3db imports and 3rd party imports.

[xichen2020]

I think we can make the NewAuthHandler take an additional parameter authType:

type authorizationType int

const (
  none authorizationType
  readOnly
  writeOnly
  readWrite
)

func (a simpleAuth) NewAuthHandler(
  authType authorizationType,
  next http.Handler,
  errHandler errorResponseHandler,
) http.Handler {
  ...
}

return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
  ...
  switch authType {
    case none:
      ...
    case readOnly:
      ...
    case writeOnly:
      ...
    case readWrite:
      ...
}

Then in service.go, register the auth type

func registerRoute(router *mux.Router, path, method string, handler http.Handler) error {
  authType, exists := authRegistry[endpoint{Path:path, Method: method}]
  if !exists {
    // Should make this a method instead.
    switch method:
    case http.GET:
      authType = readOnly
    case http.POST, ...:
      authType = writeOnly
    default:
      return errUnknownHTTPMethod
  }
  fn := h.wrap(authType, handler)
  router.Handle(path, fn).Methods(method)
  return nil
}

func (h r2Handler) wrap(authType authorizationType, fn r2HandlerFunc) http.Handler {
	f := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if err := fn(w, r); err != nil {
			h.handleError(w, err)
		}
	})
	return h.auth.NewAuthHandler(authType, f, writeAPIResponse)
}

type endpoint struct {
  Path string
  Method string
}

var authRegistry = map[endpoint]authorizationType{
  {Path: namespaceValidePath, Method: http.POST}: readOnly
}

[xichen2020]

nit: Change the comment to ruleSetSnapshot creates a ....

You might also make this behavior controlled by an enum passed in though (e.g., genIDType), e.g., if this is an update request, we probably shouldn't generate the missing IDs since that should be a validation error.

[xichen2020]

nit: it's more efficient to do the following to avoid repeated map reallocations.

mappingRules := make(map[string]*rules.MappingRuleView, len(r.MappingRules))
for _, mr := r.MappingRules {
  ...
}

rollupRules := make(map[string]*rules.RollupRuleView, len(r.RollupRules))
for _, rr := range r.RollupRules {
  ..
}
return rules.RuleSetSnapshot{
  Namespace: r.Namespace,
  Version: r.Version,
  MappingRules: mappingRules,
  RollupRules: rollupRules,
}

[xichen2020]

Reorder the imports.

[xichen2020]

Brilliant, thanks for the tests! 👍

[coveralls]

Coverage increased (+4.2%) to 56.993% when pulling be98154 on add-validation-endpoint into 706b2dd on master.

[coveralls]

Coverage increased (+4.2%) to 56.993% when pulling be98154 on add-validation-endpoint into 706b2dd on master.

[jskelcy]

What is a write-only user? Who would fall into this bucket?

[m-sandusky]

Write only users would be those that are say whitelisted to make writes but not whitelisted for reads. I can't really think of a current situation where that would be the case but theoretically it could happen (ie a service that writes data potentially sensitive and doesn't have permissions to access any of the read endpoints). I realize that this doesn't really fit our current uses but this is why it was included.

[jskelcy]

Looks like there is a significant overhaul to how auth works. Can you give a quick rundown on why you made the changes?

[jskelcy]

You can use fmt.Errorf here dont need to mess with imports.

[xichen2020]

The general rule of thumb is actually to only use fmt.Errorf when you need to format some values as part of the error message. For errors that are just a const string, errors.New is preferred.

[xichen2020]

nit: make this a errNilValidator = errors.New("no validator set on StoreOptions so validation is not applicable")

[coveralls]

Coverage increased (+4.6%) to 57.4% when pulling c25d9fe on add-validation-endpoint into 706b2dd on master.

[m-sandusky]

@jskelcy In reference to explanation for the auth revamp:

This was done because previously, the Auth handler would authorize users based on HTTP verb sent by the request. Ie In order to be authorized for a POST request, you needed to be a whiltelisted writer and for GET requests, you needed to be a whitelisted reader. The validation endpoint brought up the situation where it is a POST request but you really shouldn't need write whitelist credentials to access it. Xi and I discussed that certain endpoints can have different needs for auth which is where this notion of authorization type comes into play. Each endpoint has an authorization type which is configured when registering the routes for the service (with defaults falling back to GET -> need read access, POST/PUT/DELETE/PATCH need write credentials).

[xichen2020]

nit: These are a bit of verbose, perhaps just None, ReadOnly, WriteOnly, and ReadWrite?

[m-sandusky]

Agreed that they're verbose but I'd argue for them based on clarity for a couple reasons:

1. Changing them to None/ReadOnly/etc reserves those names for the entire auth package
2. Due to the way Go does (or rather doesn't do) enums it's not clear that something like None or ReadOnly would be associated with an AuthorizationType

[xichen2020]

That's fair, in that case perhaps call them UnknownAuthorization, NoAuthorization, ReadOnlyAuthorization, etc.?

[xichen2020]

nit: omit the parameter name authType or use _ since it's not used here.

[xichen2020]

nit: This can be moved to a a.authorizeUserForRead method

[xichen2020]

nit: This can be moved to a a.authorizeUserForWrite method.

[xichen2020]

nit: This can reusea.authorizeUserForRead and a.authorizeUserForWrite methods defined above.

[xichen2020]

Same question as above.

[xichen2020]

nit: idGenType might be better.

[xichen2020]

generateID

[xichen2020]

dontGenerateID.

[xichen2020]

Remove blank line.

[coveralls]

Coverage increased (+2.6%) to 55.832% when pulling c4c62a8 on add-validation-endpoint into 98073fe on master.

[coveralls]

Coverage increased (+2.6%) to 55.832% when pulling c4c62a8 on add-validation-endpoint into 98073fe on master.

[jskelcy]

NIT: Given that this is a flag, and probably always will be, this name is a little misleading. Making it sound like there could be more than 2 values.

[jskelcy]

What does this function need to return something now?

[jskelcy]

are we returning an empty error here?

[coveralls]

Coverage increased (+2.7%) to 55.906% when pulling 4e8d3a2 on add-validation-endpoint into 98073fe on master.

[xichen2020]

Can we pull the common code from authorizeUserForRead and authorizeUserForWrite into a common authorizeUserForAccess function and reuse it? The authorizeUserForAccess implementation can just be the same as the old authorizeUser function.

[xichen2020]

Blank line between m3db imports and 3rd party imports.

[xichen2020]

Is this TODO still necessary?

[xichen2020]

Blank line between m3db imports and 3rd party imports.

[xichen2020]

super nit: might read a little better to say "no validator set so validation is not applicable".

[xichen2020]

Comments should end w/ a period.

[xichen2020]

super nit: might wanna consider moving route to the bottom so the service related pieces are in one piece.

[xichen2020]

I'd still return an error here just to make it very explicit that if we don't see one of the expected methods, it should be an error, and check error in registerRoute.

[xichen2020]

super nit: initialize -> create.

[xichen2020]

Might be more cleaner to do:

// Register routes.
routeWithHandlers := []struct{
   route route
   handler r2HandlerFnc
} {
  {route: {path: namespacePath: method: http.MethodGet}, handler: s.fetchNamespaces},
  {route: {path: namespacePath: method: http.MethodPost}, handler: s.createNamespace},
  ...
}
for _, rh := range routeWithHandlers {
  if err := registerRoute(router, rh.route.path, rh.route.method, h, rh.handler); err != nil {
    return err
  }
}
return nil

[coveralls]

Coverage increased (+3.8%) to 56.991% when pulling e94056e on add-validation-endpoint into 98073fe on master.

[coveralls]

Coverage increased (+3.8%) to 56.991% when pulling e94056e on add-validation-endpoint into 98073fe on master.

[xichen2020]

nit: could take a boolean parameter enabled and further extract the enabled check in the read and write methods below.

[xichen2020]

swap method and path?

[m-sandusky]

Thanks for the catch.

[xichen2020]

LGTM, good stuff!

Might wanna wait for travis though.

[xichen2020]

LGTM

[coveralls]

Coverage increased (+4.1%) to 57.333% when pulling 88cc790 on add-validation-endpoint into 98073fe on master.

[coveralls]

Coverage increased (+4.1%) to 57.333% when pulling 88cc790 on add-validation-endpoint into 98073fe on master.