feat(bulk-import): add permissions support to the backend endpoints [RHIDP-1208] #1890
Conversation
/cc @debsmita1 @ciiay
Looks good to me. I only have one concern that without passing any token, I got `403: Unauthorized` error instead of `401: Missing credentials` error as shown in your description.

I tested with adding `backend.add(import('@janus-idp/backstage-plugin-bulk-import-backend/alpha'));` in `packages/backend/src/index.ts` and ran `yarn start:backstage` to start the bulk-import backend. Followed the test steps to cover the below 3 test cases.

Without authentication

```
➜ ~ http GET http://localhost:7007/api/bulk-import-backend/organizations
{
  "error": {
    "message": "Unauthorized",
    "name": "NotAllowedError",
    "stack": "NotAllowedError: Unauthorized\n at permissionCheck (/Users/yicai/redhat/backstage-plugins/plugins/bulk-import-backend/src/helpers/auth.ts:49:11)\n at process.processTicksAndRejections (node:internal/process/task_queues:95:5)\n at <anonymous> (/Users/yicai/redhat/backstage-plugins/plugins/bulk-import-backend/src/service/router.ts:102:7)\n at OpenAPIBackend.handleRequest (/Users/yicai/redhat/backstage-plugins/node_modules/openapi-backend/src/backend.ts:299:27)"
  },
  "request": {
    "method": "GET",
    "url": "/organizations"
  },
  "response": {
    "statusCode": 403
  }
}
```

Without the right `bulk-import` permission

```
➜ ~ http -A bearer -a "<unauthorized_user_JWT_token>" GET http://localhost:7007/api/bulk-import-backend/organizations
{
  "error": {
    "message": "Unauthorized",
    "name": "NotAllowedError",
    "stack": "NotAllowedError: Unauthorized\n at permissionCheck (/Users/yicai/redhat/backstage-plugins/plugins/bulk-import-backend/src/helpers/auth.ts:49:11)\n at process.processTicksAndRejections (node:internal/process/task_queues:95:5)\n at <anonymous> (/Users/yicai/redhat/backstage-plugins/plugins/bulk-import-backend/src/service/router.ts:102:7)\n at OpenAPIBackend.handleRequest (/Users/yicai/redhat/backstage-plugins/node_modules/openapi-backend/src/backend.ts:299:27)"
  },
  "request": {
    "method": "GET",
    "url": "/organizations"
  },
  "response": {
    "statusCode": 403
  }
}
```

For admins or users with the expected bulk-import permission:

```
➜ ~ http -A bearer -a "<authorized_user_JWT_token>" GET http://localhost:7007/api/bulk-import-backend/organizations
{
  "errors": [],
  "organizations": [
    {
      "description": "The developer and operations friendly Kubernetes distro",
      "errors": [],
      "id": "792337",
      "name": "openshift",
      "url": "https://api.github.com/orgs/openshift"
    },
    {
      "description": "Github home of the Red Hat Developer program.",
      "errors": [],
      "id": "11033755",
      "name": "redhat-developer",
      "url": "https://api.github.com/orgs/redhat-developer"
    },
    {
      "description": "Get stuff done with Kubernetes!",
      "errors": [],
      "id": "30269780",
      "name": "argoproj",
      "url": "https://api.github.com/orgs/argoproj"
    },
    {
      "errors": [],
      "id": "77452707",
      "name": "rh-gitops-midstream",
      "url": "https://api.github.com/orgs/rh-gitops-midstream"
    },
    {
      "description": "A Red Hat sponsored community for building Internal Development Platforms and Plugins with backstage.io ",
      "errors": [],
      "id": "117844786",
      "name": "janus-idp",
      "url": "https://api.github.com/orgs/janus-idp"
    }
  ],
  "totalCount": 5
}
```
@ciiay Thanks for testing this. I tested again and, as expected, I am getting a 401 when no token is passed. See below.
Can you please run
Tested as well and it worked for me, lgtm

Without authentication

```
curl "http://localhost:7007/api/bulk-import/organizations" | jq
{
  "error": {
    "name": "AuthenticationError",
    "message": "Missing credentials",
    "stack": "AuthenticationError: Missing credentials\n at DefaultHttpAuthService.credentials (/home/patrick/Documents/janus/backstage-plugins/node_modules/@backstage/backend-defaults/src/entrypoints/httpAuth/httpAuthServiceFactory.ts:150:13)\n at process.processTicksAndRejections (node:internal/process/task_queues:95:5)"
  },
  "request": {
    "method": "GET",
    "url": "/api/bulk-import/organizations"
  },
  "response": {
    "statusCode": 401
  }
}
```

With deny

```
curl "http://localhost:7007/api/bulk-import/organizations" -H "Authorization: Bearer $token" | jq
{
  "error": {
    "name": "NotAllowedError",
    "message": "Unauthorized",
    "stack": "NotAllowedError: Unauthorized\n at permissionCheck (/home/patrick/Documents/janus/backstage-plugins/plugins/bulk-import-backend/src/helpers/auth.ts:49:11)\n at process.processTicksAndRejections (node:internal/process/task_queues:95:5)\n at <anonymous> (/home/patrick/Documents/janus/backstage-plugins/plugins/bulk-import-backend/src/service/router.ts:102:7)\n at OpenAPIBackend.handleRequest (/home/patrick/Documents/janus/backstage-plugins/node_modules/openapi-backend/src/backend.ts:299:27)"
  },
  "request": {
    "method": "GET",
    "url": "/organizations"
  },
  "response": {
    "statusCode": 403
  }
}
```

With allow

```
curl "http://localhost:7007/api/bulk-import/organizations" -H "Authorization: Bearer $token" | jq
{
  "errors": [],
  "organizations": [
    {
      "id": "152328355",
      "name": "test-org-pat",
      "url": "https://api.github.com/users/test-org-pat",
      "totalRepoCount": 3,
      "errors": []
    }
  ],
  "totalCount": 1,
  "pagePerIntegration": 1,
  "sizePerIntegration": 20
}
```
These endpoints will only be accessible by admins or users with the 'bulk.import' permission.
…ckend plugins Note that this changes the default API base path from `/api/bulk-import-backend` to `/api/bulk-import`
Rebased and force-pushed to fix Git conflicts with the following files:
Looks good to me. @debsmita1 Can you confirm that the bulk import frontend plugin will still be working after changing the endpoint URL?

@AndrienkoAleksandr The frontend with the API integration hasn't merged yet. Once this one gets merged, I will update my PR
What does this PR do / why we need it:

This PR adds RBAC support to the bulk-import backend plugin API endpoints. Only admins and users with the `bulk.import` permission have access to the bulk import backend API endpoints.

Which issue(s) this PR fixes:

Fixes https://issues.redhat.com/browse/RHIDP-1208

PR acceptance criteria:

- Unit tests
- Integration tests
- Documentation

How to test changes / Special notes to the reviewer:

Note that the `GET /ping` endpoint is unauthenticated and does not enforce any permission. All the other endpoints should check for the `bulk.import` permission. Now try to query the bulk import backend API endpoints, e.g.:
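The decision flow the description and the reviewers' outputs lay out (no credentials gives 401, credentials without `bulk.import` gives 403, `GET /ping` is exempt), as an added example that is not the PR's own code: the Backstage `HttpAuthService` and `PermissionsService` are replaced by hypothetical stand-in interfaces and constructed fakes so the ordering of the checks can be run without Backstage installed.

```typescript
// Hypothetical stand-ins for Backstage's credentials object and request; not the real types.
export interface Credentials { principal: string }
export interface Request { method: string; path: string; authorization?: string }

// Hypothetical stand-ins for HttpAuthService.credentials() and PermissionsService.authorize().
export interface HttpAuthLike { credentials(req: Request): Credentials }
export interface PermissionsLike {
  authorize(permissionName: string, credentials: Credentials): 'ALLOW' | 'DENY';
}

// Permission name from the PR description; every endpoint except GET /ping must hold it.
export const BULK_IMPORT_PERMISSION = 'bulk.import';

// Error types named in the reviewers' responses, with the status each maps to.
export class AuthenticationError extends Error { name = 'AuthenticationError'; status = 401 }
export class NotAllowedError extends Error { name = 'NotAllowedError'; status = 403 }

// Same shape as the error bodies shown in the review comments (minus the stack).
export interface Outcome {
  error?: { name: string; message: string };
  request: { method: string; url: string };
  response: { statusCode: number };
}

// Authentication runs before authorization, so a missing token can never reach the
// permission decision: that is what makes 401 (not 403) the expected no-token result.
export function permissionCheck(req: Request, httpAuth: HttpAuthLike, perms: PermissionsLike): Outcome {
  const request = { method: req.method, url: req.path };
  if (req.method === 'GET' && req.path === '/ping') return { request, response: { statusCode: 200 } };
  try {
    const credentials = httpAuth.credentials(req);            // throws -> 401
    if (perms.authorize(BULK_IMPORT_PERMISSION, credentials) !== 'ALLOW') {
      throw new NotAllowedError('Unauthorized');             // DENY -> 403
    }
    return { request, response: { statusCode: 200 } };
  } catch (e) {
    if (e instanceof AuthenticationError || e instanceof NotAllowedError) {
      return { error: { name: e.name, message: e.message }, request, response: { statusCode: e.status } };
    }
    throw e;
  }
}

// Constructed fakes: bearer tokens are looked up directly instead of being verified as JWTs.
export const fakeHttpAuth: HttpAuthLike = {
  credentials(req) {
    const m = /^Bearer (\S+)$/.exec(req.authorization ?? '');
    if (!m) throw new AuthenticationError('Missing credentials');
    return { principal: m[1] };
  },
};
export const fakePermissions: PermissionsLike = {
  authorize: (_name, creds) => (creds.principal === 'admin-token' ? 'ALLOW' : 'DENY'),
};
```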