feat(cred): credential test table

[tthvo]

Welcome to Cryostat! 👋

Before contributing, make sure you have:

• Read the contributing guidelines
• Linked a relevant issue which this PR resolves
• Linked any other relevant issues, PR's, or documentation, if any
• Resolved all conflicts, if any
• Rebased your branch PR on top of the latest upstream main branch
• Attached at least one of the following labels to the PR: [chore, ci, docs, feat, fix, test]
• Signed the last commit: git commit --amend --signoff

---

Fixes: #592
Fixes: #593
Related to #914
Depends on https://github.com/cryostatio/cryostat/issues/1431

Description of the change:

• Added a table for testing credentials against matching targets.
• Hide/Fade targets when match expression is empty.
• Listview should be scrollable (allow sticky radio button)
• Remove explicit mentioning of JMX Credentials (mostly internals that are not visible to the users).

Motivation for the change:

See #591

How to manually test:

1. Run CRYOSTAT_IMAGE=quay.io... sh smoketest.sh...
2. Go to Security -> Add Store Credentials -> Test tab.

Screenshots

EDIT: See #920 (comment)

[github-actions]

Test image available:

CRYOSTAT_IMAGE=ghcr.io/cryostatio/cryostat-web:pr-920-7e884f78ebb78118782b5484e0f38a429a1696cc sh smoketest.sh

[github-actions]

Test image available:

CRYOSTAT_IMAGE=ghcr.io/cryostatio/cryostat-web:pr-920-33d26258c30644b7d11489e7b47c1ae9cdaf996e sh smoketest.sh

[github-actions]

Test image available:

CRYOSTAT_IMAGE=ghcr.io/cryostatio/cryostat-web:pr-920-b538da5c82db7f30010c20a6f308dd225062b0b0 sh smoketest.sh

[github-actions]

Test image available:

CRYOSTAT_IMAGE=ghcr.io/cryostatio/cryostat-web:pr-920-3c7ed6a03152122e02e7a8916ff4b207617ac8cf sh smoketest.sh

[github-actions]

Test image available:

CRYOSTAT_IMAGE=ghcr.io/cryostatio/cryostat-web:pr-920-9ef46ad794df3f185504e7395fd2a1373d4a4f4e sh smoketest.sh

[github-actions]

Test image available:

CRYOSTAT_IMAGE=ghcr.io/cryostatio/cryostat-web:pr-920-74c4ac556267adc5e38a60b9ea75b4ff5f3a2667 sh smoketest.sh

[github-actions]

Test image available:

CRYOSTAT_IMAGE=ghcr.io/cryostatio/cryostat-web:pr-920-cf5c7d7413f4b103983ccbdf04abedcf72adabb9 sh smoketest.sh

[maxcao13]

The UI looks great! Just a few questions:

Using a "true" matchExpr and a smoketest smoketest credentials:

Should there be an indication that a target does not need credentials? Right now the test will say that it is "valid" it doesn't mean the credentials are valid for that target.

[tthvo]

Should there be an indication that a target does not need credentials? Right now the test will say that it is "valid" it doesn't mean the credentials are valid for that target.

Try hover over the valid label. It should say some warning :)) Any suggestion for that?

Should there be an indication that a target does not need credentials?

Was thinking about it but it seems quite hard. The way it validates credentials now is to fetch active recordings while putting the credentials in X-JMX-Authentication. This means if the target already has a valid credential, in this context, its no different from not-requiring ones.

I could try sending an initial check with some very random bad username/password. However, no guarantee it is not being used, maybe we can utilize empty username/password?

[maxcao13]

The only thing I can think of right now, is to send a graphql request to each of the targets with the form

query {
    targetNodes {
        mbeanMetrics {
            runtime {
                inputArguments
            }
        }
    }
}

and then parse the resulting array for the input argument:

"-Dcom.sun.management.jmxremote.authenticate=false"

and checking if it [exists, false, or true].

Not sure if there are better ways. The query should fail if the credentials are wrong anyways since we are calling the remote mxbean on the target, so it would be similar to getting the recordings in terms of checking if credentials work.

EDIT: Apprently that authenticate property is default true, so I assume if it doesn't exist, the jvm should need auth.

[maxcao13]

I think the hint is wrong, there is no longer a target select dropdown here. There is also no context object. Should there be a context object for the user? I think I would find it hard to know what the match expression should include. The ? only includes two fields I could query (annotations, and alias).

[tthvo]

The only thing I can think of right now, is to send a graphql request to each of the targets with the form

Oh niceee! Sounds good I will redirect to this approach :))

I think the hint is wrong, there is no longer a target select dropdown here. There is also no context object. Should there be a context object for the user? I think I would find it hard to know what the match expression should include. The ? only includes two fields I could query (annotations, and alias).

Ahh the hint is basically constructed from any target (i.e. first one). It just serves as an overall and simple hint for arbitrary target similar to before. It is this way cuz now we don't have target dropdown anymore.

EDIT: I seee now! U mean the input helper text. Thanks!

The ? only includes two fields I could query (annotations, and alias).

We can include all fields but would it be too clustered? There is also a property path hint when hovering over the field name in the detail sidecar. We can always add a quickstart/guide for this? What do you think?

[github-actions]

Test image available:

CRYOSTAT_IMAGE=ghcr.io/cryostatio/cryostat-web:pr-920-57465567c7fe6c61dd1dc12edbba8d4e4cce3711 sh smoketest.sh

[tthvo]

Worked very nicee! Thanks a lot!

[github-actions]

Test image available:

CRYOSTAT_IMAGE=ghcr.io/cryostatio/cryostat-web:pr-920-f838681a924937bd7ae9765216906d910ef6a072 sh smoketest.sh

[andrewazores]

The only thing I can think of right now, is to send a graphql request to each of the targets with the form

query {
    targetNodes {
        mbeanMetrics {
            runtime {
                inputArguments
            }
        }
    }
}

and then parse the resulting array for the input argument:

"-Dcom.sun.management.jmxremote.authenticate=false"

and checking if it [exists, false, or true].

Not sure if there are better ways. The query should fail if the credentials are wrong anyways since we are calling the remote mxbean on the target, so it would be similar to getting the recordings in terms of checking if credentials work.

EDIT: Apprently that authenticate property is default true, so I assume if it doesn't exist, the jvm should need auth.

This feels a little fragile...

https://docs.oracle.com/javadb/10.10.1.2/adminguide/radminjmxenablepwd.html#radminjmxenablepwd

I would need to do a lot more checking of different docs for different JDK versions, but I would hesitate to say that -Dcom.sun.management.jmxremote.authenticate alone is sufficient to tell if the JVM is configured to use JMX credentials or not. Neglecting that property but setting -Dcom.sun.management.jmxremote.password.file would probably implicitly enable credentials too, I think, and there are probably other such combinations, and the behaviour could be different for different JDK versions. It also feels particularly fragile to do it this way since this is specifically the inputArguments property, which I believe is really just the command line passed to the process when it was forked, but what we're trying to examine is a Java System Property and those are actually mutable at runtime. So the value of that property within the target at the time that we read it may not be the same as the value that the target had as an input argument at the time the process forked.

---

If we are able to make this query and determine the inputArguments then this already means we're able to establish a connection to the target, so either it did not require credentials or we were successfully able to use stored ones.

Why don't we just have a connection checking endpoint that specifically does not load any stored credentials? It either uses only the session credentials header for the test, or it ignores the session credentials header and requires the credentials to test to be passed as part of the request body. We can use this endpoint and pass no credentials at first, and just try to open a JMX connection to read some basic MBean data. If that succeeds then we know the target did not require auth. Then the user can supply credentials and we can repeat the test using those.

[github-actions]

Test image available:

CRYOSTAT_IMAGE=ghcr.io/cryostatio/cryostat-web:pr-920-7c7071fd5df03d26e6a8d37806aaaecaee18b202 sh smoketest.sh

[github-actions]

Test image available:

CRYOSTAT_IMAGE=ghcr.io/cryostatio/cryostat-web:pr-920-62c37d8c07f85c2045adfa06e26c4332ba1ca5fc sh smoketest.sh

[github-actions]

Test image available:

CRYOSTAT_IMAGE=ghcr.io/cryostatio/cryostat-web:pr-920-f4bfac612a46d6a1f0f089c66f37c5bfdf844bdd sh smoketest.sh

[github-actions]

This PR/issue depends on:

• cryostatio/cryostat#1431
  By Dependent Issues (🤖). Happy coding!

[github-actions]

Test image available:

CRYOSTAT_IMAGE=ghcr.io/cryostatio/cryostat-web:pr-920-697e6c78da23e7b8c92a6554072ac615a38cc366 sh smoketest.sh

[github-actions]

Test image available:

CRYOSTAT_IMAGE=ghcr.io/cryostatio/cryostat-web:pr-920-c8c0a4d23d119aa94ad2bc6e90ec21f00a8e2e22 sh smoketest.sh

[maxcao13]

The tooltip says "ignoring filters", does that mean the test all feature should ignore filters and test all anyways?

[tthvo]

Yehh it just means that all matching targets will start testing even if you filter it out (e.g. for example, by status or by name).

Opps I got myself confused. It was the old implementation. Will remove that

[github-actions]

Test image available:

CRYOSTAT_IMAGE=ghcr.io/cryostatio/cryostat-web:pr-920-edb9dd02cf433a0480d39e9a36ac3561f1d65ee1 sh smoketest.sh

[maxcao13]

Looks great to me! Awesome job.

[andrewazores]

Awesome indeed.