feat: [WD-16894] Add bulk deletion and group modification of TLS Users

[Kxiru]

Done

• [✔] Allow selection of tls identities in the permission- > identity list
• [✔] Use the new DELETE 1.0/auth/identities/tls/:id endpoint for the bulk delete
• [✔] Unhide “delete” and “modify groups” button for tls users of the new type in the identities list
• [✔] Modify bulk actions "delete" and "modify groups" on the identity list page to also allow inclusion of tls users
• [✔] Legacy TLS users should be disabled, not deleted.

QA

1. Run the LXD-UI:

• On the demo server via the link posted by @webteam-app below. This is only available for PRs created by collaborators of the repo. Ask @mas-who or @edlerd for access.
• With a local copy of this branch, build and run as described in the docs.

2. Perform the following QA steps:

Create "new" TLS Fine grained identities

• To add a new TLS Identity Client (Pending) please follow the steps for creating a pending fine-grained TLS identity in the 'Authenticate with the LXD server' section of the LXD documentation.
• Be sure to use the API instructions to create pending fine grained identities, as the CLI instructions require a remote to be specified.
• Be sure to authenticate the client by following the instructions through step 2.

Delete TLS Users

• Navigate to the Permissions > Identities
• Attempt to delete individual TLS Client (Pending) identities using the inline delete identity button.
• Attempt to delete bulk TLS Client (Pending) identities.
• Verify that Legacy TLS identities (Client Certificate (Unrestricted) identities) cannot be selected via the checkbox or modified/deleted via inline buttons.

Add TLS users users to a group

• Navigate to Permissions > Groups
• Create a new group and add permissions to the group.
• Navigate to the Permissions > Identities
• Attempt to add an individual TLS identity to a group using the inline modify groups button.
• Attempt to add several TLS identities (Pending) to a group.

Test TLS user permissions / Login as a TLS User

• Concatenate the .key and .crt files to create a .pem file using the following command:
• cat <KEY-FILE> <CRT-FILE> > <PEM-FILE-NAME>.pem
• Change lines 11 and 22 of the haproxy-dev.cfg file to the following, respectively.
• bind 0.0.0.0:8407 ssl verify optional crt <PEM-FILE-PATH> ca-file <CRT-FILE-PATH>
• server lxd_https LXD_UI_BACKEND_IP:8443 ssl verify none crt <PEM-FILE-PATH>
• TLS Fine grained identities have been tested with the following permissions:
  

Screenshots

[webteam-app]

Demo

Jenkins

demos.haus

[edlerd]

Some comments below, I think this is still missing to address the requirement "Legacy TLS users should be disabled, not deleted.". But maybe that is why it is still in draft state.

[mas-who]

Good work so far @Kxiru for figuring out the difference between legacy and fine-grained tls identities. I think before conducting a proper review for the PR, there are a few items I'd like to see covered first:

1. Please would you adjust the PR title to reflect that group modification for tls identities are included in this PR
2. Please tidy up the PR description with respect to formatting, correctness and clarity (If you are not sure about this one, please reach out to me). When we merge the PR, the description becomes part of the merge commit message so we should keep it neat.
3. Since this PR includes modifying groups for a tls identity, have you QA'd locally if permissions work for those identities? If not, then you should do so by getting the actual certificate for the tls identity from the lxd server, add it to our haproxy configs and "log in" as the tls identity to test group permissions (can chat about this if you need direction for what to do).
4. Please also include detailed QA steps in the PR description for testing tls identity deletion and group modification.

[mas-who]

Nice update on the PR details 🔥

I've left some code related comments so far. Will QA tomorrow.

[mas-who]

QA comments

1. When the screen is large enough, I think the link chip should show the full content and not truncate. Currently, the chip for tls certificate identities are truncated.
   

2. When bulk editing identity groups, upon completion, the tls identities are de-selected whereas the oidc identities remain selected. We should keep things consistent i.e. keep identities selected after modifying groups which corresponds to the original behaviour.
   Screencast from 09-12-2024 10:48:20.webm

3. The table header seems incorrect when selecting multiple identities e.g. "3 identities selected. Select all 5 identities" (see example below). The correct heading should mention "Select all 3 identities" which corresponds to the maximum number of selectable identities in the table.
   

4. The notification message for deleting an identity still includes the auth method, it should be removed. Furthermore, the identity I deleted in the example below is a tls certificate, the icon included in the notification is incorrect.
   

[mas-who]

@Kxiru I think you didn't push the changes for the review comments. Please would you double check that. I have unresolved the comments for now.

[Kxiru]

@Kxiru I think you didn't push the changes for the review comments. Please would you double check that. I have unresolved the comments for now.

Apologies, you are right, I hadn't pushed the changes.
I will review push the changes now and address the QA comments (2 of which are already addressed within my changes) in a further commit amend.

[Kxiru]

QA comments

1. When the screen is large enough, I think the link chip should show the full content and not truncate. Currently, the chip for tls certificate identities are truncated.
   ...

Comments 3 and 4 have been addressed in my last commit. Comment no.2 can not be recreated on my machine and therefore I believe that I have addressed this in my last commit as well. I'll address the dynamic identity chips now :).

[mas-who]

Almost there, some small nits

[mas-who]

Found another minor QA issue, you may need to remove the margin below the buttons for a fine-grained identity. Currently it's causing the rows in the identities table to have unequal height.

[mas-who]

After completing group modification for mixed type identities, I am still seeing that tls identities gets de-selected.

Screencast.from.09-12-2024.17.20.37.webm

[edlerd]

Two ideas to avoid duplication and make the code a bit cleaner.

[Kxiru]

Addiitonal feature: Enable user feedback when the user is deleitng an identity such as a spinner.

[mas-who]

@Kxiru just noticed the tests are failing, looking at the failure, it's probably due to the change where we no longer reset identities selection after modifying their groups

[edlerd]

Thanks for the iteration on this one. It seems very good already, a handful of comments for things that I discovered that can be a bit simpler or improved slightly. Most are tiny changes.

[edlerd]

QA and Code LGTM, good stuff :)