Authenticator classes reflection rules and authn-jwt
#2365
Conversation
![codeclimate[bot]](https://avatars.githubusercontent.com/in/9403?s=60&v=4){kind=small}
cucumber/authenticators_config/features/step_definitions/available_authn_steps.rb
Outdated
Show resolved
Hide resolved
|
|
||
| #### Functional Tests | ||
|
|
||
| [//]: # "Fill in the table below to depict the tests that should run to validate your solution" |
| [//]: # "2. Design documents should not be updated after implementation" | ||
| [//]: # "3. Design decisions should be made before writing this document, and as such this document should not include options / choices" | ||
|
|
||
|
|
There was a problem hiding this comment.
Multiple consecutive blank lines
sashaCher
force-pushed
the
authn-jwt-verify
branch
2 times, most recently
from
565b660 to
5cd4e3b
Compare
| @@ -1,7 +1,19 @@ | |||
| Feature: The list of available authentication providers is discoverable | |||
| through the API. | |||
|
|
|||
| Background: | |||
| Scenario: Verify installed authenticators | |||
| When I retrieve the list of authenticators | |||
There was a problem hiding this comment.
Given a running master
If we have the test in XRAY we need to add it here as well
There was a problem hiding this comment.
@eladkug You've mismatched repos. There's no master in OSS so there's no any given.
There was a problem hiding this comment.
Will add a test to XRAY.
There was a problem hiding this comment.
@sashaCher How are we using XRAY? Are we duplicating the cucumber tests somewhere?
There was a problem hiding this comment.
Are we duplicating the cucumber tests somewhere
Briefly. See ONYX-12104 for example in Jira and in the PR
There was a problem hiding this comment.
@jonahx for now we using XRAY for manual testing only and the cucumber represent the test.
In the future we plan to update the feature from our repo
sashaCher
force-pushed
the
authn-jwt-verify
branch
from
5cd4e3b to
83ea064
Compare
| ### 3. Rethink this area from scratch and to create a new contract meat all known needs | ||
|
|
||
| From my perspective this approach does not worth ROI at the moment and | ||
| should be taken as a part of core-authenticators separation if occur. |
There was a problem hiding this comment.
I agree though I do think this would be a good thing to do. I wrote the original interface with a lot less context than we have now and would probably do things differently today.
|
This proposal looks reasonable to me. In fact, if I were doing this over, I would probably remove all the reflection stuff from the code. I haven't thought much about what I'd do instead -- there are a few options -- but I think using reflection to inspect the classes at runtime is just too fancy for my taste now. That said, I understand if you want to keep the scope small, which it is now. |
sashaCher
force-pushed
the
authn-jwt-verify
branch
2 times, most recently
from
fc8e9ee to
126fd28
Compare
sashaCher
force-pushed
the
authn-jwt-verify
branch
3 times, most recently
from
f1497c1 to
51e01f2
Compare
| @@ -8,6 +8,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0. | |||
|
|
|||
| ### Fixed | |||
| - Fix bug of cache not working in authn jwt. [cyberark/conjur#2353](https://github.com/cyberark/conjur/pull/2353) | |||
| - Fix bug `authn-jwt` now appears in `installed` authenticators list of `authenticators` endpoint output. [cyberark/conjur#2365](https://github.com/cyberark/conjur/pull/2365) | |||
| The general authentication flow does not suite needs of all existing authenticators | ||
| from both flow and authentication parameters view. | ||
| Today it's often solved by adding degenerate `valid?` method to an `Authenticator` class. | ||
| It makes code less readable and can cause [bugs](https://github.com/cyberark/conjur/pull/2348/commits/7db01a6ab8a19f33c157c519ff903b11a392a8aa). |
| with the same class definition `MyClass` for example ruby will "choose" the class from `myclass.rb` file. | ||
| In our use-case all `Authenticator` classes are in `authenticator.rb` files and it's | ||
| highly unlikely that we somehow will break this convention. In any case it will behave | ||
| the same with or without `valid?` method rule. |
| - Authenticator module must have a class named `Authenticator` | ||
| - `Authenticator` class must have `valid?` method | ||
|
|
||
| All rules together define authenticator appearance in `installed` authenticators of the `authenticators` rest call. |
|
|
||
| The general authentication flow does not suite needs of all existing authenticators | ||
| from both flow and authentication parameters view. | ||
| Today it's often solved by adding degenerate `valid?` method to an `Authenticator` class. |
sashaCher
force-pushed
the
authn-jwt-verify
branch
from
51e01f2 to
a90ff6a
Compare
sashaCher
force-pushed
the
authn-jwt-verify
branch
from
a90ff6a to
6379224
Compare
| The general authentication flow does not suite needs of all existing authenticators | ||
| from both flow and authentication parameters view. | ||
| Today it's often solved by adding degenerate `valid?` method to an `Authenticator` class. | ||
| It makes code less readable and can cause [bugs](https://github.com/cyberark/conjur/pull/2348/commits/7db01a6ab8a19f33c157c519ff903b11a392a8aa). |
| ## Issue Description | ||
|
|
||
| A recently introduced `authn-jwt` authenticator does not appear in `installed` authenticators | ||
| of the `authenticators` rest call. It has its own authentication flow hence it has no `valid?` method. |
| - makes contract weaker? | ||
|
|
||
| Actually the reflection rules are looking for the first level class in the module. | ||
| Ruby prioritizes classes with respective file name, means if there are multiple files |
|
|
||
| Actually the reflection rules are looking for the first level class in the module. | ||
| Ruby prioritizes classes with respective file name, means if there are multiple files | ||
| with the same class definition `MyClass` for example ruby will "choose" the class from `myclass.rb` file. |
| Actually the reflection rules are looking for the first level class in the module. | ||
| Ruby prioritizes classes with respective file name, means if there are multiple files | ||
| with the same class definition `MyClass` for example ruby will "choose" the class from `myclass.rb` file. | ||
| In our use-case all `Authenticator` classes are in `authenticator.rb` files and it's |
|
Code Climate has analyzed commit 6379224 and detected 12 issues on this pull request. Here's the issue category breakdown:
The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 90.9% (0.0% change). View more on Code Climate. |
What does this PR do?
There's an issue that new
authn-jwtauthenticator does not appear ininstalledauthenticators list.The PR contains a document analyzes root causes of the issue and proposes number solutions for it.
The PR also contains chosen solution implementation.
What ticket does this PR close?
ONYX-11396
Checklists
Change log
Test coverage
Documentation
READMEs) were updated in this PR, and/or there is a follow-on issue to update docs, orAPI Changes