add permission control service for saved objects and workspace saved objects client wrapper #230

Collaborator

@raintygao raintygao commented Oct 16, 2023

Description

  1. add permission control service for saved objects
  2. define workspaceSavedObjectsClientWrapper class and add the client wrapper to savedObjects
  3. add workspace permission control enabled flag

Testing the changes

Check List

  • All tests pass
    • yarn test:jest
    • yarn test:jest_integration
    • yarn test:ftr
  • New functionality includes testing.
  • New functionality has been documented.
  • Update CHANGELOG.md
  • Commits are signed per the DCO using --signoff


codecov-commenter commented Oct 17, 2023

Codecov Report

Attention: Patch coverage is 74.05858% with 62 lines in your changes are missing coverage. Please review.

Project coverage is 66.99%. Comparing base (d165b88) to head (b36c380).
Report is 1 commits behind head on workspace-pr-integr.

Files Patch % Lines
..._objects/workspace_saved_objects_client_wrapper.ts 82.97% 13 Missing and 11 partials ⚠️
...gins/workspace/server/permission_control/client.ts 53.65% 16 Missing and 3 partials ⚠️
src/plugins/workspace/server/routes/index.ts 13.33% 13 Missing ⚠️
src/plugins/workspace/server/plugin.ts 63.63% 2 Missing and 2 partials ⚠️
src/plugins/workspace/server/utils.ts 86.66% 0 Missing and 2 partials ⚠️
Additional details and impacted files
@@                   Coverage Diff                   @@
##           workspace-pr-integr     #230      +/-   ##
=======================================================
+ Coverage                66.96%   66.99%   +0.02%     
=======================================================
  Files                     3323     3325       +2     
  Lines                    64208    64439     +231     
  Branches                 10309    10382      +73     
=======================================================
+ Hits                     42998    43168     +170     
- Misses                   18687    18730      +43     
- Partials                  2523     2541      +18     
Flag Coverage Δ
Linux_ 66.32% <74.05%> (+0.03%) ⬆️
_1 32.14% <67.36%> (+0.16%) ⬆️
_2 55.35% <100.00%> (+0.02%) ⬆️
_3 43.30% <0.00%> (-0.12%) ⬇️
_4 35.11% <0.00%> (-0.08%) ⬇️


@wanglam wanglam force-pushed the feat-add-workspace-saved-objects-client-wrapper-offcial-PR branch from 0cb02db to 98d21a6 Compare October 17, 2023 06:49
@wanglam wanglam marked this pull request as ready for review October 18, 2023 05:42
@wanglam wanglam force-pushed the workspace-pr-integr branch from 8ff9e88 to 1a52b29 Compare February 26, 2024 07:16
@wanglam wanglam force-pushed the feat-add-workspace-saved-objects-client-wrapper-offcial-PR branch 3 times, most recently from ee72f38 to 7db84d9 Compare February 28, 2024 04:19
savedObjects: SavedObjectsBulkGetObject[]
): Promise<Record<string, TransformedPermission>> {
const detailedSavedObjects = await this.bulkGetSavedObjects(request, savedObjects);
return detailedSavedObjects.reduce((total, current) => {
Owner

We still need to check the user's permissions to savedObjects before returning the results, don't we?

Collaborator

This function is for getting the principals of a specific object. It's a part of permission validation. Since we do the permission validation on the server side, we need to get the principals of a specific object without checking the user's permission. This function should not be exposed to the frontend. This function was only used in ${WORKSPACES_API_BASE_URL}/principals; I think we can remove it.

Owner

I see. If there is no clear use case, I suggest removing it.

* It means OSD can not recognize who the user is even if authentication is enabled,
* use a fake user that won't be granted permission explicitly.
*/
payload[PrincipalType.Users] = [`_user_fake_${Date.now()}_`];
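Review bot: the placeholder principal on the `payload[PrincipalType.Users]` line is built from `Date.now()`, so it is a syntactically ordinary user name that changes on every request, and nothing in these lines guarantees that no real principal can be named `_user_fake_<ms>_`. Rejecting the request when the user cannot be identified, or using one fixed reserved constant that permission assignment refuses to accept, would make the "won't be granted permission explicitly" promise in the comment enforceable. The comment should also name the auth state that reaches this branch.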
Owner

Is there an example of when authentication is enabled but OSD can not recognize who the user is?

Collaborator

@SuZhou-Joe Could you help me elaborate more on that part?

Collaborator

There are three auth statuses: unknown (no authentication), noauthenticated (authN fail) and authenticated (authN success). I do not know how we can reproduce the case for noauthenticated (as before we handle the unauthenticated request the user will be redirected to the login page), but I have to write a specific if/else to handle it according to the interface. Change the comment and please find the latest change in wanglam#4

* The params here will be combined with bool clause and is used for filtering with ACL structure.
*/
ACLSearchParams?: {
workspaces?: string[];
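Review bot: the doc comment above `ACLSearchParams` says the params are "combined with bool clause" but not which operator joins them, and `workspaces?: string[]` gives no hint whether a wildcard is accepted or what an omitted or empty list means. Because this field decides which objects an ACL-filtered search returns, the comment should state the combination semantics and the behaviour for undefined and `[]`, so callers cannot mistake it for a plain workspace filter.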
Owner

Cannot really remember the difference of ACLSearchParams.workspaces vs SavedObjectsFindOptions.workspaces, could you help me to recall? :D

Collaborator

@wanglam wanglam Mar 1, 2024

From the code, SavedObjectsFindOptions.workspaces supports passing * to match workspaces. ACLSearchParams.workspaces doesn't support that. @SuZhou-Joe Could we remove ACLSearchParams.workspaces? It's a little bit confusing.

SavedObjectsFindOptions.workspaces supports * to match all workspaces. It uses the 'and' operator when generating the search DSL. Here is the code.
ACLSearchParams.workspaces doesn't support * to match all workspaces. It uses the 'or' operator with permission modes and principals, which means it is used to find all permitted saved objects.
Those are the differences in the repository part.
In the WorkspaceSavedObjectClientWrapper, ACLSearchParams.workspaces will be set to all permitted workspaces if no workspaces are passed. It will always return saved objects inner permitted saved objects.

*/
options.workspaces = undefined;
options.ACLSearchParams.workspaces = permittedWorkspaceIds;
options.ACLSearchParams.permissionModes = options.ACLSearchParams.permissionModes ?? [
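Review bot: on the `permissionModes` line, `??` substitutes the default only for null or undefined, so a caller-supplied `[]` is kept as is. If the query builder treats an empty list as "no constraint", the ACL filter stops restricting results; test the length here (or reject empty arrays) so that an empty list falls back to the default modes, and add a unit test for `permissionModes: []`.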
Owner

Could options.ACLSearchParams.permissionModes be an empty array []? What's the consequence when permissionModes = [] is passed in options?

Collaborator

For now, it can be an empty array. If an empty array is passed, I think it will return all the results. @SuZhou-Joe Shall we add an empty array check in the function that generates the search DSL?

Owner

Discussed with @wanglam offline. Just for transparency: when listing workspaces, passing an empty array makes it return all workspaces, including those workspaces that the current user doesn't have access to.
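The fail-open case discussed in this thread, as an added TypeScript illustration rather than code from the pull request: it models the OR-combined ACL filter in memory and contrasts a builder that keeps a caller-supplied empty `permissionModes` with one that falls back to the defaults. The document shape, the function names and the `read`/`write` mode names are assumptions.

```typescript
// Added illustration: every name and the document shape are hypothetical, not project code.
type Principals = { users?: string[]; groups?: string[] };
type Doc = { id: string; workspaces: string[]; permissions: Record<string, Principals> };
type AclParams = { workspaces?: string[]; permissionModes?: string[]; principals?: Principals };
type Clause = (doc: Doc) => boolean;

// True when the ACL entry for `mode` names one of the caller's users or groups.
function grants(doc: Doc, mode: string, p: Principals): boolean {
  const acl = doc.permissions[mode];
  if (!acl) return false;
  const hit = (mine: string[] = [], theirs: string[] = []) =>
    mine.some((x) => theirs.indexOf(x) !== -1);
  return hit(p.users, acl.users) || hit(p.groups, acl.groups);
}

// OR-combined ACL filter as described in the thread. strict=false reproduces the fail-open
// behaviour; strict=true treats [] like "not supplied" and matches nothing without clauses.
function aclFilter(params: AclParams, defaults: string[], strict: boolean): Clause {
  const supplied = params.permissionModes;
  const modes = strict
    ? (supplied && supplied.length > 0 ? supplied : defaults)
    : (supplied ?? defaults);
  const principals = params.principals ?? {};
  const clauses: Clause[] = modes.map((m) => (d: Doc) => grants(d, m, principals));
  const permitted = params.workspaces;
  if (permitted && permitted.length > 0) {
    clauses.push((d) => d.workspaces.some((w) => permitted.indexOf(w) !== -1));
  }
  if (clauses.length === 0) {
    // Modelled search behaviour: a bool query with no clauses constrains nothing.
    return strict ? () => false : () => true;
  }
  return (d) => clauses.some((c) => c(d));
}

// Constructed sample data: two workspaces, each writable by a different user.
const SAMPLE_DOCS: Doc[] = [
  { id: 'ws-a', workspaces: [], permissions: { write: { users: ['alice'] } } },
  { id: 'ws-b', workspaces: [], permissions: { write: { users: ['bob'] } } },
];

function visibleIds(params: AclParams, strict: boolean): string[] {
  return SAMPLE_DOCS.filter(aclFilter(params, ['read', 'write'], strict)).map((d) => d.id);
}

const asAlice: AclParams = { principals: { users: ['alice'] }, permissionModes: [] };
console.log('fail-open:', visibleIds(asAlice, false));
console.log('hardened :', visibleIds(asAlice, true));
```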

Collaborator

wanglam commented Mar 4, 2024

@ruanyl I've addressed all the comments and added a unit test for the workspace saved objects client wrapper. Would you like to help me review it again?

@wanglam wanglam force-pushed the feat-add-workspace-saved-objects-client-wrapper-offcial-PR branch from 633f9b8 to 6e28b92 Compare March 5, 2024 03:04
Hailong-am and others added 4 commits March 5, 2024 12:08
* support disable permission check for workspace

Signed-off-by: Hailong Cui <[email protected]>

* fix typos

Signed-off-by: Hailong Cui <[email protected]>

---------

Signed-off-by: Hailong Cui <[email protected]>
wanglam and others added 14 commits March 5, 2024 12:08
* feat: add workspace into includeHiddenTypes of client wrapper and permission control client

Signed-off-by: SuZhou-Joe <[email protected]>

* fix: hiddenType side effect

Signed-off-by: SuZhou-Joe <[email protected]>

---------

Signed-off-by: SuZhou-Joe <[email protected]>
Signed-off-by: Lin Wang <[email protected]>
* feat: address concerns on ensureRawRequest

Signed-off-by: SuZhou-Joe <[email protected]>

* feat: add check for empty array

Signed-off-by: SuZhou-Joe <[email protected]>

* feat: make find api backward compatible

Signed-off-by: SuZhou-Joe <[email protected]>

* feat: remove useless code

Signed-off-by: SuZhou-Joe <[email protected]>

---------

Signed-off-by: SuZhou-Joe <[email protected]>
@wanglam wanglam force-pushed the feat-add-workspace-saved-objects-client-wrapper-offcial-PR branch from 786de38 to 6386883 Compare March 5, 2024 04:08
Owner

@ruanyl ruanyl left a comment

Great work! Thanks for continuing to polish the code based on the comments and discussions; it looks good to me now 👍

@wanglam wanglam merged commit 370dbc6 into ruanyl:workspace-pr-integr Mar 6, 2024
44 of 45 checks passed
SuZhou-Joe added a commit that referenced this pull request Mar 18, 2024
…objects client wrapper (#230)

* feat: add basic workspace saved objects client wrapper

Signed-off-by: Lin Wang <[email protected]>

* feat: add unit test (#2)

Signed-off-by: SuZhou-Joe <[email protected]>

* feat: update client wrapper

Signed-off-by: tygao <[email protected]>

* feat: init permission control in workspace plugin

Signed-off-by: Lin Wang <[email protected]>

* Support disable permission check on workspace (#228)

* support disable permission check for workspace

Signed-off-by: Hailong Cui <[email protected]>

* fix typos

Signed-off-by: Hailong Cui <[email protected]>

---------

Signed-off-by: Hailong Cui <[email protected]>

* feat: add ACLSearchParams consumer in repository (#3)

Signed-off-by: SuZhou-Joe <[email protected]>

* fix: ACLSearchParams missing in search dsl

Signed-off-by: Lin Wang <[email protected]>

* test: add integration test for workspace saved objects client wrapper

Signed-off-by: Lin Wang <[email protected]>

* style: add empty line under license

Signed-off-by: Lin Wang <[email protected]>

* test: enable workspace permission control for integration tests

Signed-off-by: Lin Wang <[email protected]>

* feat: add workspace into includeHiddenTypes (#249)

* feat: add workspace into includeHiddenTypes of client wrapper and permission control client

Signed-off-by: SuZhou-Joe <[email protected]>

* fix: hiddenType side effect

Signed-off-by: SuZhou-Joe <[email protected]>

---------

Signed-off-by: SuZhou-Joe <[email protected]>

* fix workspace client wrapper integration tests

Signed-off-by: Lin Wang <[email protected]>

* add permissions fields to workspace CRUD APIs

Signed-off-by: Lin Wang <[email protected]>

* Move WorkspacePermissionMode inside workspace plugin

Signed-off-by: Lin Wang <[email protected]>

* Address pr comments

Signed-off-by: Lin Wang <[email protected]>

* Remove ACLSearchParams in public SavedObjectsFindOptions

Signed-off-by: Lin Wang <[email protected]>

* Remove lodash and Add default permissionModes

Signed-off-by: Lin Wang <[email protected]>

* feat: address concerns on ensureRawRequest (#4)

* feat: address concerns on ensureRawRequest

Signed-off-by: SuZhou-Joe <[email protected]>

* feat: add check for empty array

Signed-off-by: SuZhou-Joe <[email protected]>

* feat: make find api backward compatible

Signed-off-by: SuZhou-Joe <[email protected]>

* feat: remove useless code

Signed-off-by: SuZhou-Joe <[email protected]>

---------

Signed-off-by: SuZhou-Joe <[email protected]>

* Update annotations and error

Signed-off-by: Lin Wang <[email protected]>

* Add unit tests for workspace saved objects client wrapper

Signed-off-by: Lin Wang <[email protected]>

* Remove getPrincipalsOfObjects in permission

Signed-off-by: Lin Wang <[email protected]>

* Fix permissionEnabled flag missed in workspace plugin setup test

Signed-off-by: Lin Wang <[email protected]>

* Change back to Not Authorized error

Signed-off-by: Lin Wang <[email protected]>

* Fix unit tests for query_params and plugin setup

Signed-off-by: Lin Wang <[email protected]>

* Fix unittests in workspace server utils

Signed-off-by: Lin Wang <[email protected]>

* feat: add workspacesSearchOperators to decouple ACLSearchParams

Signed-off-by: SuZhou-Joe <[email protected]>

* feat: update test cases

Signed-off-by: SuZhou-Joe <[email protected]>

* feat: optimize test cases

Signed-off-by: SuZhou-Joe <[email protected]>

* feat: optimize comment

Signed-off-by: SuZhou-Joe <[email protected]>

* feat: omit defaultSearchOperator in public savedobjects client

Signed-off-by: SuZhou-Joe <[email protected]>

* feat: omit workspacesSearchOperator field

Signed-off-by: SuZhou-Joe <[email protected]>

---------

Signed-off-by: Lin Wang <[email protected]>
Signed-off-by: SuZhou-Joe <[email protected]>
Signed-off-by: tygao <[email protected]>
Signed-off-by: Hailong Cui <[email protected]>
Co-authored-by: Lin Wang <[email protected]>
Co-authored-by: SuZhou-Joe <[email protected]>
Co-authored-by: Hailong Cui <[email protected]>