feat(pipeline executions/orca) : Added ability to add roles to manual… #3983
Conversation
… judgment stage. This is part of: spinnaker/spinnaker#4792. Enhanced OperationsController.groovy to Get the application roles, stage roles and the user roles. Check each of the user roles whether they are contained in the stage and application roles. Once the user role is contained in the manual judgment stage. We check for whether the stage role has 'READ', 'WRITE', 'EXECUTE', 'CREATE' role in the application permissions, if the role has application permission as 'READ', then the user will not be allowed to proceed further to subsequent(downstream) stages. if the role has application permission as 'WRITE, EXECUTE,CREATE', then the user will be allowed to proceed further to subsequent stages. If yes/no, set a isAuthorized flag to true/false in each of the stage. By default, all the stages except Manual Judgment are true. Enhanced ManualJudgmentStage.groovy to Check for the flag in ManualJudgmentStage.groovy whether to execute to the next stage or not. If yes/no, continue with the next stages/continues running the same stage. Enhanced ManualJudgmentStageSpec.groovy to Modified the testcases as per the requirement. Added ManualJudgmentAuthzGroupsUtil.groovy Added a utlity method to check authorized groups of the manual judgment stage.
| WaitForManualJudgmentTask() { | ||
| } | ||
|
|
||
| WaitForManualJudgmentTask(Optional<FiatPermissionEvaluator> fpe) { | ||
| this.fiatPermissionEvaluator = fpe.orElse(null) | ||
| } |
There was a problem hiding this comment.
Remove both. Neither of these constructors are necessary and would cause issues when doing dependency injection because none of them are annotated with @Autowired.
| @@ -0,0 +1,50 @@ | |||
| /* | |||
There was a problem hiding this comment.
Convert to Java: We don't accept new files in src/main that is Groovy.
| @@ -0,0 +1,50 @@ | |||
| /* | |||
| * Copyright 2020 Netflix, Inc. | |||
There was a problem hiding this comment.
Should probably update this new file's copyright such that it reflects OpsMx's legal name instead of Netflix.
| if (application.getPermission().permissions && application.getPermission().permissions.permissions) { | ||
| def permissions = objectMapper.convertValue(application.getPermission().permissions.permissions, | ||
| new TypeReference<Map<String, Object>>() {}) | ||
| UserPermission.View permission = fiatPermissionEvaluator.getPermission(username); |
There was a problem hiding this comment.
fiatPermissionEvaluator is nullable (based on @Autowired(required = false). If fiat is not enabled, this code block will cause an NPE.
| Application application = front50Service.get(applicationName) | ||
| if (application) { |
There was a problem hiding this comment.
This usage is still incorrect - front50Service will throw a RetrofitError if applicationName is not found, so the conditional if (application) is always going to evaluate to true. I'd recommend doing something like this instead:
… judgment stage. This is part of: spinnaker/spinnaker#4792. Enhanced OperationsController.groovy to Get the application roles, stage roles and the user roles. Check each of the user roles whether they are contained in the stage and application roles. Once the user role is contained in the manual judgment stage. We check for whether the stage role has 'READ', 'WRITE', 'EXECUTE', 'CREATE' role in the application permissions, if the role has application permission as 'READ', then the user will not be allowed to proceed further to subsequent(downstream) stages. if the role has application permission as 'WRITE, EXECUTE,CREATE', then the user will be allowed to proceed further to subsequent stages. If yes/no, set a isAuthorized flag to true/false in each of the stage. By default, all the stages except Manual Judgment are true. Enhanced ManualJudgmentStage.groovy to Check for the flag in ManualJudgmentStage.groovy whether to execute to the next stage or not. If yes/no, continue with the next stages/continues running the same stage. Enhanced ManualJudgmentStageSpec.groovy to Modified the testcases as per the requirement. Added ManualJudgmentAuthzGroupsUtil.groovy Added a utlity method to check authorized groups of the manual judgment stage.
… judgment stage. This is part of: spinnaker/spinnaker#4792. Enhanced OperationsController.groovy to Get the application roles, stage roles and the user roles. Check each of the user roles whether they are contained in the stage and application roles. Once the user role is contained in the manual judgment stage. We check for whether the stage role has 'READ', 'WRITE', 'EXECUTE', 'CREATE' role in the application permissions, if the role has application permission as 'READ', then the user will not be allowed to proceed further to subsequent(downstream) stages. if the role has application permission as 'WRITE, EXECUTE,CREATE', then the user will be allowed to proceed further to subsequent stages. If yes/no, set a isAuthorized flag to true/false in each of the stage. By default, all the stages except Manual Judgment are true. Enhanced ManualJudgmentStage.groovy to Check for the flag in ManualJudgmentStage.groovy whether to execute to the next stage or not. If yes/no, continue with the next stages/continues running the same stage. Enhanced ManualJudgmentStageSpec.groovy to Modified the testcases as per the requirement. Added ManualJudgmentAuthzGroupsUtil.groovy Added a utlity method to check authorized groups of the manual judgment stage.
… judgment stage. This is part of: spinnaker/spinnaker#4792. Enhanced OperationsController.groovy to Get the application roles, stage roles and the user roles. Check each of the user roles whether they are contained in the stage and application roles. Once the user role is contained in the manual judgment stage. We check for whether the stage role has 'READ', 'WRITE', 'EXECUTE', 'CREATE' role in the application permissions, if the role has application permission as 'READ', then the user will not be allowed to proceed further to subsequent(downstream) stages. if the role has application permission as 'WRITE, EXECUTE,CREATE', then the user will be allowed to proceed further to subsequent stages. If yes/no, set a isAuthorized flag to true/false in each of the stage. By default, all the stages except Manual Judgment are true. Enhanced ManualJudgmentStage.groovy to Check for the flag in ManualJudgmentStage.groovy whether to execute to the next stage or not. If yes/no, continue with the next stages/continues running the same stage. Enhanced ManualJudgmentStageSpec.groovy to Modified the testcases as per the requirement. Added ManualJudgmentAuthzGroupsUtil.groovy Added a utlity method to check authorized groups of the manual judgment stage.
|
Addressed all the feedback and review. |
| if (!Strings.isNullOrEmpty(username)) { | ||
| UserPermission.View permission = fiatPermissionEvaluator.getPermission(username); | ||
| if (permission == null) { // Should never happen? | ||
| return false; |
There was a problem hiding this comment.
If this should never happen, I presume we want to know when it does happen? Perhaps would be useful to have a warn-level log about it?
log.warn("Attempted to get user permission for '$username' but none were found." or something.
| public static boolean checkAuthorizedGroups( | ||
| List<String> userRoles, List<String> stageRoles, Map<String, Object> permissions) { |
There was a problem hiding this comment.
Expected to see a test for this class.
There was a problem hiding this comment.
6 test cases are written/added in ManualJudgmentStageSpec.groovy only to test this logic. Please have a look at this test case.
@unroll
void "should return execution status based on authorizedGroups"() {
There was a problem hiding this comment.
Seems weird to have a test case for a different class (ManualJudgmentStage) specifically testing a different class, doesn't it?
There was a problem hiding this comment.
We are using the logic in the ManualJudgmentStage.groovy. So i have written 6 test cases to check the ManualJudgmentAuthzGroupsUtil.java logic in the ManualJudgmentStageSpec.groovy.
There was a problem hiding this comment.
You're also using it in a controller, which means that the test cases don't belong where there are today.
I'd say the tests that are testing this code should live in ManualJudgmentAuthzGroupsUtilSpec, then test the implementation in ManualJudgmentStageSpec and OperationsControllerSpec, as you would with any other unit under test.
| if (optApplication.isPresent()) { | ||
| Application application = optApplication.get(); |
There was a problem hiding this comment.
nit: Could be simplified to getApplication(applicationName).ifPresent(application -> { /* ... */ });
|
Can you review the code |
|
Raised a new PR. |
feat(pipeline executions/orca) : Added ability to add roles to manual judgment stage.
This is part of: spinnaker/spinnaker#4792.
Enhanced OperationsController.groovy to
Get the application roles, stage roles and the user roles.
Check each of the user roles whether they are contained in the stage and application roles.
Once the user role is contained in the manual judgment stage.
We check for whether the stage role has 'READ', 'WRITE', 'EXECUTE', 'CREATE' role in the application permissions,
if the role has application permission as 'READ', then the user will not be allowed to proceed further to subsequent(downstream) stages.
if the role has application permission as 'WRITE, EXECUTE,CREATE', then the user will be allowed to proceed further to subsequent stages.
If yes/no, set a isAuthorized flag to true/false in each of the stage. By default, all the stages except Manual Judgment are true.
Enhanced ManualJudgmentStage.groovy to
Check for the flag in ManualJudgmentStage.groovy whether to execute to the next stage or not.
If yes/no, continue with the next stages/continues running the same stage.
Enhanced ManualJudgmentStageSpec.groovy to
Modified the testcases as per the requirement.
Added ManualJudgmentAuthzGroupsUtil.groovy
Added a utlity method to check authorized groups of the manual judgment stage.