Legalhold: dynamic whitelisted teams & whitelist-teams-and-implicit-consent feature in tests #1557
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
remove config remove setting & use dynamic whitelist
smatting
force-pushed
the
SQSERVICES-490-dynamic-whitelisting
branch
from
d191c64
to
b1c9d03
Compare
The end-point already is internal, and has to be by design. It may be easier for the operator to be able to update the table *before* turning it on; I certainly can't think of a reason why it they should be forbidden to do it.
fisx
changed the title
fisx
approved these changes
May 31, 2021
There was a problem hiding this comment.
I've deactivated the test suite so you can deploy this on staging to make some progress with QA and the team.
Ideas for getting the test suite back on track:
- Don't use
deleteLHWhitelistTeam, butdeleteTeam. The latter is implicit inwithTeam. (See my commits and the comments that come with them.) - Don't remove
grantConsent*, but check the galley server config. If LH isdisabled-by-default, usegrantConsent*(those tests did work until before this PR); if it iswhitelist-implicit-consent, useputLHWhitelistTeam. Remember to usewithTeamif you do that. - Where the behavior differs, branch on feature flag again. Again, the old behavior should work already, the new may need adjusting.
I am still hoping all of the necessary changes will be quite local, but I can't see that very clearly yet.
smatting
commented
Jun 1, 2021
smatting
commented
Jun 1, 2021
smatting
changed the title
smatting
changed the title
These should still pass if galley.integration.yaml sets legalhold to `disabled-by-default` again.
underscoring names that we want to keep is still a bit rancid, but at least this way we'll get warnings about new things we introduce accidentally.
|
I sometimes get the tests to pass now locally, sometimes this happens: I'd try to get the call stack next. (The way we create this error should be banned, it's been costing me so much time! Or I should just figure out which one it is, and avoid it.) |
jschaul
requested changes
Jun 2, 2021
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Changes to production code
This PR removes the
legalHoldTeamsWhitelistgalley config item and introduces a new internal endpoint/i/legalhold/whitelisted-teamsto manage the set of whitelisted teams (the underlying table isgalley.legalhold_whitelisted). Since the whitelisted teams are needed on every team member lookup this list is cached: at the beginning of every request the list is fetched and stored in an ioref in galley's environment.The API is
PUT /i/legalhold/whitelisted-teams/{tid}to whitelist a teamGET /i/legalhold/whitelisted-teamswhich returns a list of team uuids as a JSON arrayChanges to integration tests (CI + local development)
This PR updates the galley configuration for 1) CI and and for 2) local development:
legalhold: whitelist-teams-and-implicit-consent(waslegalhold: disabled-by-defaultbefore)All legalhold integration tests written for the
disabled-by-defaultfeature flag are moved to moduleLegalHold.DisabledByDefault(wasLegalHoldbefore). The tests configured to run only whenlegalhold: disabled-by-defaultis set, otherwise they pass without running.All legalhold integration tests in the
LegalHoldmodule are updated so that they specify the behaviour under thewhitelist-teams-and-implicit-consentfeature flag. The tests configured to run only whenlegalhold: whitelist-teams-and-implicit-consentis set, otherwise they pass without running.This PR also adapts some of brig's integration tests to work under the assumption that
legalhold: whitelist-teams-and-implicit-consentis set.Notes
Note: Running galley with
legalhold: whitelist-teams-and-implicit-consentconfiguration changes the error codes of some endpoints, namely:DELETE /teams/{tid}/legalhold/setttingslegalhold-disable-unimplemented.It's not possible to deactivate legalhold for a team.
POST /teams/{tid}/legalhold/setttingslegalhold-unavailablewhen team is not whitelisted(is 403
legalhold-not-enabledwhen lh is not enabled for the teamwith
legalhold: disabled-by-defaultgalley config)
POST /teams/{tid}/legalhold/{uid}legalhold-not-enabledwhen user has not given consent(is 403 with label
operation-deniedor 409 with label
legalhold-no-consentwith
legalhold: disabled-by-defaultgalley config)PUT /teams/{tid}/legalhold/{uid}/approveaccess-deniedwhen user has not given consent(is 403
legalhold-not-enabledwith labelwith
legalhold: disabled-by-defaultgalley config)These API differences are not introduced by this PR.