Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Clean up REST API (Part 1) #2900

Conversation

willyborankin
Copy link
Collaborator

@willyborankin willyborankin commented Jun 23, 2023

Description

The aim of this PR is to start cleaning code in REST API since with the current implementation is difficult to understand and support.

Changes:

  • Implemented new RequestConetnValidator class which uses the same validation logic as AbstractConfigurationValidator
  • Removed all redundant AbstractConfigurationValidator extensions

Testing

[Please provide details of testing done: unit testing, integration testing and manual testing]

Check List

  • New functionality includes testing
  • New functionality has been documented
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@codecov
Copy link

codecov bot commented Jun 23, 2023

Codecov Report

Merging #2900 (a336e88) into main (8063e1b) will increase coverage by 0.05%.
The diff coverage is 82.89%.

@@             Coverage Diff              @@
##               main    #2900      +/-   ##
============================================
+ Coverage     62.38%   62.44%   +0.05%     
+ Complexity     3379     3351      -28     
============================================
  Files           267      254      -13     
  Lines         19774    19735      -39     
  Branches       3355     3334      -21     
============================================
- Hits          12336    12323      -13     
+ Misses         5797     5779      -18     
+ Partials       1641     1633       -8     
Files Changed Coverage Δ
...curity/dlic/rest/api/AuthTokenProcessorAction.java 53.33% <0.00%> (ø)
...security/dlic/rest/api/SecuritySSLCertsAction.java 66.66% <ø> (ø)
...earch/security/dlic/rest/api/TenantsApiAction.java 27.77% <0.00%> (-13.89%) ⬇️
...arch/security/dlic/rest/api/ValidateApiAction.java 9.09% <0.00%> (-0.91%) ⬇️
...earch/security/dlic/rest/api/MigrateApiAction.java 4.71% <10.00%> (+0.90%) ⬆️
...ch/security/dlic/rest/api/FlushCacheApiAction.java 63.63% <33.33%> (+1.13%) ⬆️
...nsearch/security/dlic/rest/api/RolesApiAction.java 77.27% <70.00%> (-16.07%) ⬇️
...rch/security/dlic/rest/api/AllowlistApiAction.java 73.68% <75.00%> (-0.61%) ⬇️
...h/security/dlic/rest/api/SecurityConfigAction.java 75.00% <75.00%> (-0.76%) ⬇️
...earch/security/dlic/rest/api/NodesDnApiAction.java 86.00% <80.00%> (-0.96%) ⬇️
... and 11 more

... and 6 files with indirect coverage changes

@willyborankin willyborankin changed the title Clean up rest api classes (Part 1) Clean up REST API (Part 1) Jun 24, 2023
@willyborankin willyborankin mentioned this pull request Jun 26, 2023
3 tasks
Copy link
Contributor

@stephen-crawford stephen-crawford left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @willyborankin looks pretty good. I left a couple nitpicky things but I also wanted to know what you felt was the best way to handle tests for the validator you added. Theoretically, it is always tested by everything that uses it, but perhaps we can add some explicit unit tests for the RequestContentValidator you added.

In theory, I think something could break and we would not have as straightforward of a time isolating the changes to the Validator as we could if you added some explicit tests on the class itself.

Let me know what you think.

@willyborankin willyborankin force-pushed the clean-up-rest-api-classes branch 2 times, most recently from 061d2da to 1441831 Compare June 27, 2023 12:16
@willyborankin
Copy link
Collaborator Author

Hi @willyborankin looks pretty good. I left a couple nitpicky things but I also wanted to know what you felt was the best way to handle tests for the validator you added. Theoretically, it is always tested by everything that uses it, but perhaps we can add some explicit unit tests for the RequestContentValidator you added.

In theory, I think something could break and we would not have as straightforward of a time isolating the changes to the Validator as we could if you added some explicit tests on the class itself.

Let me know what you think.

Agree I added a new RequestContentValidatorTest test

@willyborankin willyborankin force-pushed the clean-up-rest-api-classes branch 4 times, most recently from 845dabe to a1a46e2 Compare July 1, 2023 17:50
@stephen-crawford
Copy link
Contributor

@opensearch-project/security can we get another review here to move this PR forward? Thank you!

@stephen-crawford
Copy link
Contributor

@opensearch-project/security bumping this PR again for a second review.

Copy link
Member

@cwperks cwperks left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you @willyborankin. This is cleaner than the existing implementation and I'm looking forward to see what Part II entails. I took a first pass and left a few comments.

switch (request.method()) {
case DELETE:
handleDelete(channel, request, client, validator.getContentAsNode());
handleDelete(channel, request, client, null);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do handleDelete and handleGet use the JsonNode parameter anywhere?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

They are not, I intentionally left them as is, the next PR will change this logic

}

@Override
public Map<String, RequestContentValidator.DataType> allowedKeys() {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is much cleaner than now. Ultimately, I'd like to see this defined with an OpenAPI spec like syntax one day

}
allowedKeys.put("allowed_actions", DataType.ARRAY);
allowedKeys.put("description", DataType.STRING);
allowedKeys.put("type", DataType.STRING);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

String is overly generic here. Is there an enum for type (i.e. INDEX, CLUSTER) somewhere?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point! There are no enums or constants except MutitenecyActionApi. I can extract all of them as enums, and some of them have the same name in the next small PR.

if (isSuperAdmin()) {
allowedKeys.put("reserved", DataType.BOOLEAN);
}
allowedKeys.put("allowed_actions", DataType.ARRAY);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this go beyond defining an array? i.e. an array of action names (strings) vs an array of booleans

Copy link
Collaborator Author

@willyborankin willyborankin Jul 11, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No it doesn't and same for DataType.OBJECT. I noticed it as well.

}

@Override
public Set<String> mandatoryOrKeys() {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice! I like this vs writing this as an if statement checking if at least one is nonNull.

requestedKeys.removeAll(allowed);
invalidKeys.addAll(requestedKeys);
if (!missingMandatoryKeys.isEmpty() || !invalidKeys.isEmpty() || !missingMandatoryOrKeys.isEmpty()) {
this.validationError = ValidationError.INVALID_CONFIGURATION;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: Is CONFIGURATION the right term to use here? wdyt INVALID_PAYLOAD?

Would this message be able to be descriptive around what is invalid about the payload when responding to the caller? i.e. This request is missing required keys key1, key2, key3?

Copy link
Collaborator Author

@willyborankin willyborankin Jul 11, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: Is CONFIGURATION the right term to use here? wdyt INVALID_PAYLOAD?

INVALID_PAYLOAD looks better agree originally it is INVALID_CONFIGURATION.

Would this message be able to be descriptive around what is invalid about the payload when responding to the caller? i.e. This request is missing required keys key1, key2, key3?

yes the response looks something like:

{
  "status": "error"
  "reason": "",
  "invalid_keys": {"keys":"a,b,c"},
  "missing_mandatory_keys": {"keys": "d,e,f"},
  "specify_one_of": {"keys": "g,h"}
}

@willyborankin willyborankin force-pushed the clean-up-rest-api-classes branch 2 times, most recently from d19308f to a816aac Compare July 18, 2023 10:46
@willyborankin
Copy link
Collaborator Author

Rebased with main

@cwperks
Copy link
Member

cwperks commented Jul 18, 2023

@willyborankin Please add the backport 2.x label if you want this backported to 2.x for an upcoming release.

@willyborankin
Copy link
Collaborator Author

@willyborankin Please add the backport 2.x label if you want this backported to 2.x for an upcoming release.

@scrawfor99 Let's release it in 2.10; there's no rush.

@willyborankin willyborankin force-pushed the clean-up-rest-api-classes branch from a816aac to 1c45c0c Compare July 21, 2023 15:08
Removed redundant classes for
the request content validation

Signed-off-by: Andrey Pleskach <[email protected]>
Request content validator code cleaning

Signed-off-by: Andrey Pleskach <[email protected]>
@willyborankin willyborankin force-pushed the clean-up-rest-api-classes branch from 1c45c0c to a336e88 Compare July 26, 2023 06:40
@stephen-crawford stephen-crawford merged commit 6bac470 into opensearch-project:main Jul 27, 2023
@stephen-crawford stephen-crawford added the backport 2.x backport to 2.x branch label Jul 27, 2023
@opensearch-trigger-bot
Copy link
Contributor

The backport to 2.x failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-2.x 2.x
# Navigate to the new working tree
cd .worktrees/backport-2.x
# Create a new branch
git switch --create backport/backport-2900-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 6bac470df67b16a22f496b052776e7afdd50e900
# Push it to GitHub
git push --set-upstream origin backport/backport-2900-to-2.x
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-2.x

Then, create a pull request where the base branch is 2.x and the compare/head branch is backport/backport-2900-to-2.x.

willyborankin added a commit to willyborankin/security that referenced this pull request Aug 21, 2023
The aim of this PR is to start cleaning code in REST API since with the
current implementation is difficult to understand and support.

Changes:

- Implemented new `RequestConetnValidator` class which uses the same
validation logic as `AbstractConfigurationValidator`
- Removed all redundant `AbstractConfigurationValidator` extensions

[Please provide details of testing done: unit testing, integration
testing and manual testing]

- [ ] New functionality includes testing
- [ ] New functionality has been documented
- [ ] Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and
signing off your commits, please check
[here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin).

---------

Signed-off-by: Andrey Pleskach <[email protected]>
(cherry picked from commit 6bac470)
willyborankin added a commit to willyborankin/security that referenced this pull request Aug 21, 2023
The aim of this PR is to start cleaning code in REST API since with the
current implementation is difficult to understand and support.

Changes:

- Implemented new `RequestConetnValidator` class which uses the same
validation logic as `AbstractConfigurationValidator`
- Removed all redundant `AbstractConfigurationValidator` extensions

[Please provide details of testing done: unit testing, integration
testing and manual testing]

- [ ] New functionality includes testing
- [ ] New functionality has been documented
- [ ] Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and
signing off your commits, please check
[here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin).

---------

Signed-off-by: Andrey Pleskach <[email protected]>
(cherry picked from commit 6bac470)
willyborankin added a commit to willyborankin/security that referenced this pull request Aug 21, 2023
The aim of this PR is to start cleaning code in REST API since with the
current implementation is difficult to understand and support.

Changes:

- Implemented new `RequestConetnValidator` class which uses the same
validation logic as `AbstractConfigurationValidator`
- Removed all redundant `AbstractConfigurationValidator` extensions

[Please provide details of testing done: unit testing, integration
testing and manual testing]

- [ ] New functionality includes testing
- [ ] New functionality has been documented
- [ ] Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and
signing off your commits, please check
[here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin).

---------

Signed-off-by: Andrey Pleskach <[email protected]>
(cherry picked from commit 6bac470)
Signed-off-by: Andrey Pleskach <[email protected]>
cwperks added a commit that referenced this pull request Aug 21, 2023
### Description

Reacting to changes from the backport of
opensearch-project/OpenSearch#9262.

This reason the main branch of Security is not encountering these errors
is because the affected class was removed in
#2900 and the change
has not been backported yet.

@willyborankin are you planning to backport
#2900?

* Category (Enhancement, New feature, Bug fix, Test fix, Refactoring,
Maintenance, Documentation)

Maintenance

### Check List
- [ ] New functionality includes testing
- [ ] New functionality has been documented
- [ ] Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and
signing off your commits, please check
[here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin).

Signed-off-by: Craig Perkins <[email protected]>
willyborankin added a commit to willyborankin/security that referenced this pull request Aug 21, 2023
The aim of this PR is to start cleaning code in REST API since with the
current implementation is difficult to understand and support.

Changes:

- Implemented new `RequestConetnValidator` class which uses the same
validation logic as `AbstractConfigurationValidator`
- Removed all redundant `AbstractConfigurationValidator` extensions

[Please provide details of testing done: unit testing, integration
testing and manual testing]

- [ ] New functionality includes testing
- [ ] New functionality has been documented
- [ ] Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and
signing off your commits, please check
[here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin).

---------

Signed-off-by: Andrey Pleskach <[email protected]>
(cherry picked from commit 6bac470)
Signed-off-by: Andrey Pleskach <[email protected]>
willyborankin added a commit to willyborankin/security that referenced this pull request Aug 21, 2023
The aim of this PR is to start cleaning code in REST API since with the
current implementation is difficult to understand and support.

Changes:

- Implemented new `RequestConetnValidator` class which uses the same
validation logic as `AbstractConfigurationValidator`
- Removed all redundant `AbstractConfigurationValidator` extensions

Signed-off-by: Andrey Pleskach <[email protected]>
(cherry picked from commit 6bac470)
Signed-off-by: Andrey Pleskach <[email protected]>
willyborankin added a commit to willyborankin/security that referenced this pull request Aug 21, 2023
The aim of this PR is to start cleaning code in REST API since with the
current implementation is difficult to understand and support.

Changes:

- Implemented new `RequestConetnValidator` class which uses the same
validation logic as `AbstractConfigurationValidator`
- Removed all redundant `AbstractConfigurationValidator` extensions

Signed-off-by: Andrey Pleskach <[email protected]>
(cherry picked from commit 6bac470)
Signed-off-by: Andrey Pleskach <[email protected]>

Signed-off-by: Andrey Pleskach <[email protected]>
cwperks pushed a commit that referenced this pull request Aug 21, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
backport 2.x backport to 2.x branch
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants