Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

proposal: add banneduser middleware #455

Merged
merged 21 commits into from
Sep 12, 2024

Conversation

filariow
Copy link
Contributor

@filariow filariow commented Aug 28, 2024

proposal for the BannedUser middleware as discussed in #443's review

linked to codeready-toolchain/host-operator#1079 and codeready-toolchain/toolchain-e2e#1045

Signed-off-by: Francesco Ilario <filario@redhat.com>
Signed-off-by: Francesco Ilario <filario@redhat.com>
@filariow
Copy link
Contributor Author

/retest

Copy link
Contributor

@alexeykazakov alexeykazakov left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good overall. I left a few comments though.

pkg/informers/informers.go Outdated Show resolved Hide resolved
pkg/informers/service/informer_service.go Outdated Show resolved Hide resolved
pkg/informers/service/informer_service.go Show resolved Hide resolved
pkg/proxy/proxy.go Outdated Show resolved Hide resolved
pkg/proxy/proxy.go Outdated Show resolved Hide resolved
pkg/proxy/proxy.go Show resolved Hide resolved
pkg/proxy/proxy.go Outdated Show resolved Hide resolved
pkg/proxy/proxy.go Outdated Show resolved Hide resolved
pkg/proxy/proxy.go Outdated Show resolved Hide resolved
pkg/proxy/proxy.go Show resolved Hide resolved
filariow and others added 13 commits August 29, 2024 10:12
Co-authored-by: Alexey Kazakov <alkazako@redhat.com>
Signed-off-by: Francesco Ilario <filario@redhat.com>
Signed-off-by: Francesco Ilario <filario@redhat.com>
Co-authored-by: Alexey Kazakov <alkazako@redhat.com>
Signed-off-by: Francesco Ilario <filario@redhat.com>
Signed-off-by: Francesco Ilario <filario@redhat.com>
Signed-off-by: Francesco Ilario <filario@redhat.com>
Signed-off-by: Francesco Ilario <filario@redhat.com>
Signed-off-by: Francesco Ilario <filario@redhat.com>
Signed-off-by: Francesco Ilario <filario@redhat.com>
Signed-off-by: Francesco Ilario <filario@redhat.com>
Signed-off-by: Francesco Ilario <filario@redhat.com>
Signed-off-by: Francesco Ilario <filario@redhat.com>
@@ -1168,7 +1245,7 @@ func (s *TestProxySuite) token(userID uuid.UUID, extraClaims ...authsupport.Extr
Username: "username-" + userID.String(),
}

extra := append(extraClaims, authsupport.WithEmailClaim("someemail@comp.com"))
extra := append([]authsupport.ExtraClaim{authsupport.WithEmailClaim("someemail@comp.com")}, extraClaims...)
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

for context: this change allows us to override the default email set by this auxiliary function. As a result if you don't define an email, you'll have someemail@comp.com. Otherwise you'll have the one you are explicitly setting

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Worth moving this comment to the code.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done in d81542b

Copy link
Contributor

@alexeykazakov alexeykazakov left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Runtime code looks good! Thank you for addressing my comments. I'm going to review the test code next.

Copy link
Contributor

@alexeykazakov alexeykazakov left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good! Just one question.
And how are we doing in terms of e2e-tests? We already have some tests which check banned users in proxy, right? Let's make sure that we add some e2e-tests for banned users for the public-viewer proxy PR.

pkg/proxy/proxy_test.go Show resolved Hide resolved
@openshift-ci openshift-ci bot added the approved label Sep 4, 2024
Signed-off-by: Francesco Ilario <filario@redhat.com>
@filariow
Copy link
Contributor Author

filariow commented Sep 5, 2024

And how are we doing in terms of e2e-tests? We already have some tests which check banned users in proxy, right?

It seems to me the only test we have is https://github.com/codeready-toolchain/toolchain-e2e/blob/1753fd31f70edc8b1645461a70580488157cf45d/test/e2e/parallel/proxy_test.go#L1036 and I don't know why but it fails with BannedUser middleware: https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/codeready-toolchain_registration-service/455/pull-ci-codeready-toolchain-registration-service-master-e2e/1831624866889994240. Do you have any idea?

I'm working at some more tests here: codeready-toolchain/toolchain-e2e@master...filariow:toolchain-e2e:banneduser-middleware

@filariow
Copy link
Contributor Author

filariow commented Sep 5, 2024

/retest

@filariow
Copy link
Contributor Author

filariow commented Sep 9, 2024

Looks good! Just one question. And how are we doing in terms of e2e-tests? We already have some tests which check banned users in proxy, right? Let's make sure that we add some e2e-tests for banned users for the public-viewer proxy PR.

I opened a PR for improving banned users test cases: codeready-toolchain/toolchain-e2e#1045

@filariow
Copy link
Contributor Author

filariow commented Sep 9, 2024

/retest

1 similar comment
@filariow
Copy link
Contributor Author

filariow commented Sep 9, 2024

/retest

Copy link
Contributor

@mfrancisc mfrancisc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great Job 🚀

Copy link

openshift-ci bot commented Sep 10, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: alexeykazakov, filariow, mfrancisc

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [alexeykazakov,mfrancisc]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Copy link

codecov bot commented Sep 11, 2024

Codecov Report

Attention: Patch coverage is 79.06977% with 9 lines in your changes missing coverage. Please review.

Project coverage is 78.69%. Comparing base (c7890b8) to head (b465d18).
Report is 1 commits behind head on master.

Files with missing lines Patch % Lines
pkg/informers/service/informer_service.go 63.15% 4 Missing and 3 partials ⚠️
pkg/proxy/proxy.go 91.66% 1 Missing and 1 partial ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##           master     #455      +/-   ##
==========================================
- Coverage   78.75%   78.69%   -0.06%     
==========================================
  Files          42       42              
  Lines        2739     2774      +35     
==========================================
+ Hits         2157     2183      +26     
- Misses        489      494       +5     
- Partials       93       97       +4     
Flag Coverage Δ
unittests 78.69% <79.06%> (-0.06%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

Copy link
Contributor

@rsoaresd rsoaresd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great job 🚀

Just a minor question:


bb := []toolchainv1alpha1.BannedUser{}
for _, obj := range objs {
unobj := obj.(*unstructured.Unstructured)
Copy link
Contributor

@rsoaresd rsoaresd Sep 11, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we check here the type assertion?

unobj, ok := obj.(*unstructured.Unstructured)
if !ok { 
     .... 
}

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure this can happen. If I'm not mistaken it's stored internally as *unstructured.Unstructured (cf. https://github.com/kubernetes/client-go/blob/2666bd29867c96168c5e9429fd74fd9bfbedac8b/dynamic/dynamicinformer/informer.go#L138). Also I can not immagine how to write a test for covering this check.

The other functions in this file are using an unchecked casting like this too. I'd say that -if we find out it to be a problem- we can create a PR for fixing this in all the functions. WDYT?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Understood! Thank you :)

@filariow filariow requested a review from rsoaresd September 11, 2024 18:10
Copy link

@filariow filariow merged commit 92998a6 into codeready-toolchain:master Sep 12, 2024
10 of 11 checks passed
@filariow filariow deleted the banneduser-middleware branch September 12, 2024 14:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants