
ONYX-13631 - token-app-property supports nested claims #2397

Merged: 16 commits merged into master from nested-token-app-property, Oct 31, 2021

Conversation

sashaCher
Contributor

@sashaCher sashaCher commented Oct 27, 2021

Desired Outcome

token-app-property supports fetching the identity from nested claims
Check that a value fetched using token-app-property can only be a String

Implemented Changes

ParseClaimPath became a dependency of IdentityFromDecodedTokenProvider.
IdentityFromDecodedTokenProvider changed the way it brings the value from the decoded token: it uses the Hash#dig function instead of fetching by index.

Connected Issue/Story

Follows design #2394
ONYX-13604

Definition of Done

  • Desired outcome achieved
  • New code has appropriate UT and System tests

Changelog

  • The CHANGELOG has been updated, or
  • This PR does not include user-facing changes and doesn't require a CHANGELOG update

Test coverage

  • This PR includes new unit and integration tests to go with the code changes, or
  • The changes in this PR do not require tests

Documentation

  • Docs (e.g. READMEs) were updated in this PR
  • A follow-up issue to update official docs has been filed
  • This PR does not require updating any documentation

Behavior

  • This PR changes product behavior and has been reviewed by a PO, or
  • These changes are part of a larger initiative that will be reviewed later, or
  • No behavior was changed with this PR

Security

  • Security architect has reviewed the changes in this PR,
  • These changes are part of a larger initiative with a separate security review, or
  • There are no security aspects to these changes

@sashaCher sashaCher requested a review from a team October 27, 2021 11:57
@sashaCher sashaCher marked this pull request as ready for review October 28, 2021 07:40
@sashaCher sashaCher requested a review from a team as a code owner October 28, 2021 07:40
@sashaCher sashaCher force-pushed the nested-token-app-property branch from 0026a2c to 64e5962 on October 28, 2021 07:42
app/domain/errors.rb (outdated)
code: "CONJ00117E"
)

TokenAppPropertyValueIsNotString = ::Util::TrackableErrorClass.new(
Contributor Author

@hilagross @shulifink Please review

Do we have any idea why this failed? Does the error explain the reason?

Authentication Error: #<Errors::Authentication::AuthnJwt::InvalidTokenAppPropertyValue: CONJ00117E Failed to parse 'token-app-property' value. Error: '#<Errors::Authentication::AuthnJwt::InvalidClaimPath: CONJ00116E Failed to parse claim path: 'account[0]/project/id'. The claim path is in an invalid format. The valid format should meet the following regex: '(?-mix:^[a-zA-Z|$|][a-zA-Z|$||0-9|.](/[a-zA-Z|$|][a-zA-Z|$||0-9|.])*$)'>'>

This is how it will look; it is clear, thanks @sashaCher
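The two checks this PR describes (a claim path is validated before use, the value is fetched with Hash#dig, and only a String may become an identity) and the rejection of 'account[0]/project/id' shown in the error above, worked through in Ruby as an added example. This is not Conjur's code: the CLAIM_PATH_REGEX is an assumed approximation of the one quoted in the error message, the class and method names are hypothetical, and the decoded token payload is constructed for the example.

```ruby
# Added example (not Conjur's code): resolving a host identity from a
# nested JWT claim path with the checks a defender wants: the path is
# validated before use, the value is fetched with Hash#dig rather than by
# index, and only a non-empty String may become an identity.
require 'json'

module ClaimPathExample
  PATH_DELIMITER = '/'.freeze

  # Assumed path grammar (an approximation of the regex in the error message,
  # not the project's exact one): slash-separated segments, each beginning
  # with a letter, '$' or '_', then letters, digits, '$', '_' or '.'.
  # Array indexes such as "account[0]" are not accepted, so
  # 'account[0]/project/id' is rejected as in the thread above.
  CLAIM_PATH_REGEX = %r{\A[A-Za-z$_][A-Za-z0-9$_.]*(?:/[A-Za-z$_][A-Za-z0-9$_.]*)*\z}

  class InvalidClaimPath < StandardError; end
  class ValueNotString < StandardError; end
  class ValueEmpty < StandardError; end

  # Split "account/project/id" into ["account", "project", "id"].
  # Raises InvalidClaimPath on nil or malformed input (the explicit nil
  # check is the kind Code Climate flags in this PR).
  def self.parse_claim_path(path)
    if path.nil? || !path.match?(CLAIM_PATH_REGEX)
      raise InvalidClaimPath, "Failed to parse claim path: #{path.inspect}"
    end
    path.split(PATH_DELIMITER)
  end

  # Walk the decoded token with Hash#dig. Hash#dig raises TypeError when an
  # intermediate value is a scalar (e.g. digging "deeper" into a String);
  # that is treated the same as a missing claim.
  def self.dig_claim(decoded_token, parts)
    decoded_token.dig(*parts)
  rescue TypeError
    nil
  end

  # Returns the identity String or raises one of the errors above.
  def self.identity_from_claims(decoded_token, claim_path)
    parts = parse_claim_path(claim_path)
    value = dig_claim(decoded_token, parts)
    raise ValueEmpty, "#{claim_path} is missing from token" if value.nil?
    unless value.is_a?(String)
      raise ValueNotString,
            "#{claim_path} value in token is a #{value.class}. An identity must be a string."
    end
    raise ValueEmpty, "#{claim_path} value in token is empty" if value.empty?
    value
  end

  # Non-raising wrapper for callers and tests: [:ok, identity] or
  # [:error, "InvalidClaimPath" | "ValueNotString" | "ValueEmpty"].
  def self.resolve(decoded_token, claim_path)
    [:ok, identity_from_claims(decoded_token, claim_path)]
  rescue InvalidClaimPath, ValueNotString, ValueEmpty => e
    [:error, e.class.name.split('::').last]
  end

  # Constructed sample of a decoded (already signature-verified) JWT payload.
  SAMPLE_CLAIMS = JSON.parse(<<~JSON)
    {
      "iss": "https://issuer.example",
      "host": "flat-host",
      "account": {
        "n": 42,
        "project": { "id": "nested-host", "members": ["alice", "bob"], "tag": "" }
      }
    }
  JSON
end

if $PROGRAM_NAME == __FILE__
  ['host', 'account/project/id', 'account/project/members', 'account/n',
   'account/project/tag', 'account/missing', 'host/deeper',
   'account[0]/project/id', nil].each do |path|
    result = ClaimPathExample.resolve(ClaimPathExample::SAMPLE_CLAIMS, path)
    puts "#{path.inspect.ljust(26)} => #{result.inspect}"
  end
end
```

Running the file prints one line per sample path; 'host' and 'account/project/id' resolve to an identity, the Array, Integer and empty-string values are refused, and the bracketed path and nil never reach the token at all because parse_claim_path rejects them first.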

app/domain/errors.rb (outdated)
app/domain/errors.rb (outdated)
)

TokenAppPropertyValueIsNotString = ::Util::TrackableErrorClass.new(
msg: "{0-claim-path} value in token is an {1-type}. Only string value can be an identity.",
Contributor

an? Will this always start with a vowel? What are the options?

What does "Only string value can be an identity" mean? Do you mean "An identity must be a string"?

And I am the super-user
And I initialize remote JWKS endpoint with file "authn-jwt-general" and alg "RS256"
And I successfully set authn-jwt "jwks-uri" variable value to "http://jwks_py:8090/authn-jwt-general/RS256" in service "raw"
And I successfully set authn-jwt "token-app-property" variable to value "host"
Contributor

Remove this from background; each test should have its own value.

And I successfully set authn-jwt "token-app-property" variable to value "host"

@sanity
Scenario: ONYX-????: Token-app-property from nested claim
Contributor

Move the test to the feature file of tests for identity from decoded token

Contributor Author

Done

@sashaCher sashaCher force-pushed the nested-token-app-property branch from f72be20 to 2c5e06f on October 30, 2021 17:37
@sashaCher sashaCher force-pushed the nested-token-app-property branch from 2c5e06f to 43546ff on October 30, 2021 17:39
end

def id_claim_value_not_empty
return unless id_claim_value.nil? || id_claim_value.empty?

Authentication::AuthnJwt::IdentityProviders#id_claim_value_not_empty performs a nil-check

claim.nil? || !claim.match?(NESTED_CLAIM_NAME_REGEX)
def call(claim:, parts_separator: PATH_DELIMITER)
raise Errors::Authentication::AuthnJwt::InvalidClaimPath.new(claim, PURE_NESTED_CLAIM_NAME_REGEX) if
claim.nil? || !claim.match?(PURE_NESTED_CLAIM_NAME_REGEX)

Authentication::AuthnJwt::ParseClaimPath#call performs a nil-check

Contributor

@nessiLahav nessiLahav left a comment

Put some comments

Contributor

@tzheleznyak tzheleznyak left a comment

LGTM

@codeclimate

codeclimate bot commented Oct 31, 2021

Code Climate has analyzed commit 4848eaa and detected 2 issues on this pull request.

Here's the issue category breakdown:

Category: Complexity (count: 2)

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 90.8% (0.0% change).

Contributor

@nessiLahav nessiLahav left a comment

LGTM

@sashaCher sashaCher merged commit ee7d340 into master Oct 31, 2021
@sashaCher sashaCher deleted the nested-token-app-property branch October 31, 2021 10:26