TopicDelete Ensign integration #223
Conversation
|
This pull request has been linked to Shortcut Story #13773: Update TopicDelete. |
pkg/utils/secrets/token.go
Outdated
| } | ||
| } | ||
| return true | ||
| } |
There was a problem hiding this comment.
Copied directly from GDS
There was a problem hiding this comment.
Doh, not sure why we didn't use crypto/rand in GDS - but that's probably a problem. Would you mind copying the quarterdeck/keygen package instead?
https://github.com/rotationalio/ensign/blob/main/pkg/quarterdeck/keygen/keygen.go
(You can use it directly if you'd like, but copying it into a secrets utils is fine; I'd like them decoupled so that we can change the way that Quarterdeck issues api keys; e.g. either use the keygen package directly or port it to utils so quarterdeck does not have a dependency on utils).
I'll create a story to fix GDS.
There was a problem hiding this comment.
Sure that works for me
| err = suite.client.TopicDelete(ctx, "01GNA926JCTKDH3VZBTJM8MAF6") | ||
| suite.requireError(err, http.StatusNotFound, "could not delete topic", "expected error when topic ID is not found") | ||
| _, err = suite.client.TopicDelete(ctx, req) | ||
| suite.requireError(err, http.StatusNotFound, "topic not found", "expected error when topic ID is not found") |
There was a problem hiding this comment.
The rest of the endpoint will be tested in SC-13774
pkg/tenant/db/topics.go
Outdated
| ConfirmDeleteToken string `msgpack:"confirm_delete_token"` | ||
| ConfirmDeleteExpire time.Time `msgpack:"confirm_delete_expire"` |
There was a problem hiding this comment.
I'd recommend the token be a base64 encoded msgpack data structure that includes the topic ID and expiration time stamp as well as a cryptographically randomly generated string. That way the token is self composed and in the future we can do things like cryptographically sign the token for further security.
pkg/tenant/api/v1/api.go
Outdated
| // data by including a confirmation token in the request. | ||
| type Confirmation struct { | ||
| ID string `json:"id"` | ||
| Name string `json:"name"` |
There was a problem hiding this comment.
Is the name something you're thinking the user should supply?
There was a problem hiding this comment.
I think it would be part of the response, so the user shouldn't supply it in the request but it gives the frontend something to display in the confirmation prompt without having to reference the original object.
| // as all of the data in Ensign. Because this is irreversible, the first call returns | ||
| // a confirmation token to the user. The user must provide this token in a subsequent | ||
| // request in order to confirm the deletion. Because this operation is asynchronous, | ||
| // the endpoint returns a 202 Accepted response. |
There was a problem hiding this comment.
Good choice of status code!
pkg/tenant/topics.go
Outdated
| log.Error().Err(err).Msg("could not parse topic ulid") | ||
| c.JSON(http.StatusBadRequest, api.ErrorResponse("could not parse topic ulid")) | ||
| log.Warn().Err(err).Msg("could not parse topic id") | ||
| c.JSON(http.StatusBadRequest, api.ErrorResponse("could not parse topic id")) |
There was a problem hiding this comment.
I'm thinking I'd actually prefer to return a 404 here (I know this has nothing to do with your PR, but just thinking about it again. E.g. if the user puts in /project/:projectID/topics/foo - that's not parseable as a ULID, but it should be not found not 400 right? The 404 is a little more secure and will allow us to change ID types in the future.
| c.JSON(http.StatusBadRequest, api.ErrorResponse("could not parse topic id")) | |
| c.JSON(http.StatusNotFound, api.ErrorResponse("topic not found")) |
There was a problem hiding this comment.
Agreed, I think we've gone back and forth but it does seem to make a bit more sense to return 404 since the ID is a part of the URL.
pkg/tenant/topics.go
Outdated
| // Verify that the user owns the topic | ||
| if claims.OrgID != topic.OrgID.String() { | ||
| log.Warn().Err(err).Str("user_org", claims.OrgID).Str("topic_org", topic.OrgID.String()).Msg("topic OrgID does not match user OrgID") | ||
| c.JSON(http.StatusForbidden, api.ErrorResponse("user is not authorized to delete this topic")) |
There was a problem hiding this comment.
This is not for this PR - but in general I've been thinking about security principles with our responses. If we return a 403 here then we're letting someone know that the topic exists and belongs to a different organization -- which could be information they could use to get a topic ID to do other attacks.
E.g. a user simply has to register for an account to get valid claims then submit API requests with different Topic IDs - once they get a 403 instead of a 404 they know they have a good topic id belonging to someone else.
Because of this I think it is probably better to return a 404 here; e.g. semantically it is "no topic found belonging to that organization". But that gives no information that the topic even exists.
| c.JSON(http.StatusForbidden, api.ErrorResponse("user is not authorized to delete this topic")) | |
| c.JSON(http.StatusNotFound, api.ErrorResponse("topic not found")) |
There was a problem hiding this comment.
Yeah that makes sense, at some point we might need to audit the other Tenant endpoints to make sure we're being consistent about the responses and not accidentally exposing info.
There was a problem hiding this comment.
Could you create a future story for that?
pkg/tenant/topics.go
Outdated
| // Verify that the confirmation token is correct | ||
| if confirm.ConfirmToken != topic.ConfirmDeleteToken { | ||
| log.Warn().Err(err).Msg("confirmation token does not match") | ||
| c.JSON(http.StatusBadRequest, api.ErrorResponse("unrecognized confirmation token")) |
There was a problem hiding this comment.
I think we should return a 412 Precondition Failed here to let the user know they should try the delete without the confirmation token again and then use a valid confirmation token.
| c.JSON(http.StatusBadRequest, api.ErrorResponse("unrecognized confirmation token")) | |
| c.JSON(http.StatusPreconditionFailed, api.ErrorResponse("unrecognized confirmation token")) |
pkg/tenant/topics.go
Outdated
| // Verify the confirmation token has not expired | ||
| if time.Now().After(topic.ConfirmDeleteExpire) { | ||
| log.Warn().Err(err).Msg("confirmation token has expired") | ||
| c.JSON(http.StatusBadRequest, api.ErrorResponse("confirmation token has expired")) |
There was a problem hiding this comment.
| c.JSON(http.StatusBadRequest, api.ErrorResponse("confirmation token has expired")) | |
| c.JSON(http.StatusPreconditionFailed, api.ErrorResponse("confirmation token has expired")) |
There was a problem hiding this comment.
Going to be fun to document this in Postman!
| // The delete request is asynchronous so just update the state in the database | ||
| topic.State = tombstone.State | ||
| if err = db.UpdateTopic(ctx, topic); err != nil { | ||
| log.Error().Err(err).Str("topicID", topicID.String()).Msg("could not update topic state") | ||
| c.JSON(http.StatusInternalServerError, api.ErrorResponse("could not delete topic")) |
pkg/utils/secrets/token.go
Outdated
| } | ||
| } | ||
| return true | ||
| } |
There was a problem hiding this comment.
Doh, not sure why we didn't use crypto/rand in GDS - but that's probably a problem. Would you mind copying the quarterdeck/keygen package instead?
https://github.com/rotationalio/ensign/blob/main/pkg/quarterdeck/keygen/keygen.go
(You can use it directly if you'd like, but copying it into a secrets utils is fine; I'd like them decoupled so that we can change the way that Quarterdeck issues api keys; e.g. either use the keygen package directly or port it to utils so quarterdeck does not have a dependency on utils).
I'll create a story to fix GDS.
| ConfirmToken string `json:"confirm_token,omitempty"` | ||
| ID string `json:"id,omitempty"` | ||
| Name string `json:"name,omitempty"` | ||
| Token string `json:"token,omitempty"` |
There was a problem hiding this comment.
I agree this is a bit nicer.
pkg/tenant/topics.go
Outdated
| // Create a short-lived confirmation token in the database | ||
| topic.ConfirmDeleteToken = secrets.CreateToken(16) | ||
| topic.ConfirmDeleteExpire = time.Now().Add(5 * time.Minute) | ||
| if topic.ConfirmDeleteToken, err = db.NewResourceToken(topic.OrgID); err != nil { |
There was a problem hiding this comment.
Why is the resource token ID the topic's OrgID? I was expecting it to be the topic ID?
| log.Warn().Err(err).Msg("confirmation token has expired") | ||
| c.JSON(http.StatusBadRequest, api.ErrorResponse("confirmation token has expired")) | ||
| // Verify that we have the right token | ||
| if token.ID.Compare(topic.ID) != 0 { |
There was a problem hiding this comment.
Am I missing something? It looks like the OrgID is put in but then it is compared to the topic ID. If I am not missing anything why aren't the tests catching this?
There was a problem hiding this comment.
My bad, it should be the topic ID and the test coverage isn't complete yet so I didn't catch it.
There was a problem hiding this comment.
No worries - that's what code reviews are for!
Scope of changes
This updates the
TopicDeleteendpoint so that it actually calls Ensign to delete the topic. This endpoint is protected by a confirmation token to prevent accidental deletes, since this will destroy all of the data in the topic. The user must call the endpoint once to retrieve the confirmation token. At this point the frontend should prompt the user for a confirmation, then send a second request to the endpoint including the token to actually perform the delete.Since the delete is actually performed in Ensign, the Tenant database object will stay around, although the frontend can interpret the
statevalue on the topic in order to determine whether or not to render the resource for the user. In a future story we will actually implement a routine on Tenant which polls Ensign asynchronously and makes the database updates.Fixes SC-13773
Type of change
Acceptance criteria
See checklist
Author checklist
Reviewer(s) checklist