feat(bulk-import): add permissions support to the backend endpoints [RHIDP-1208] #1890
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
3 tasks
rm3l
force-pushed
the
RHIDP-1208--add-rbac-support-to-the-import-from-git-plugin
branch
from
75f84f2
to
98268f7
Compare
rm3l
force-pushed
the
RHIDP-1208--add-rbac-support-to-the-import-from-git-plugin
branch
3 times, most recently
from
c8c3195
to
8a441e9
Compare
rm3l
changed the title
rm3l
force-pushed
the
RHIDP-1208--add-rbac-support-to-the-import-from-git-plugin
branch
from
8a441e9
to
ca377c0
Compare
rm3l
changed the title
rm3l
force-pushed
the
RHIDP-1208--add-rbac-support-to-the-import-from-git-plugin
branch
from
ca377c0
to
a2db3fb
Compare
rm3l
requested review from
AndrienkoAleksandr,
PatAKnight and
a team
as code owners
|
/cc @debsmita1 @ciiay |
3 tasks
rm3l
force-pushed
the
RHIDP-1208--add-rbac-support-to-the-import-from-git-plugin
branch
from
a2db3fb
to
41f6823
Compare
rm3l
changed the title
ciiay
reviewed
Aug 2, 2024
There was a problem hiding this comment.
Looks good to me. I only have one concern that without passing any token, I got 403: Unauthorized error instead of 401: Missing credentials error as shown in your description.
I tested with adding backend.add(import('@janus-idp/backstage-plugin-bulk-import-backend/alpha')); in packages/backend/src/index.ts and run yarn start:backstage to start the bulk-import backend. Followed the test steps to cover the below 3 test cases.
Without authentication
➜ ~ http GET http://localhost:7007/api/bulk-import-backend/organizations
{
"error": {
"message": "Unauthorized",
"name": "NotAllowedError",
"stack": "NotAllowedError: Unauthorized\n at permissionCheck (/Users/yicai/redhat/backstage-plugins/plugins/bulk-import-backend/src/helpers/auth.ts:49:11)\n at process.processTicksAndRejections (node:internal/process/task_queues:95:5)\n at <anonymous> (/Users/yicai/redhat/backstage-plugins/plugins/bulk-import-backend/src/service/router.ts:102:7)\n at OpenAPIBackend.handleRequest (/Users/yicai/redhat/backstage-plugins/node_modules/openapi-backend/src/backend.ts:299:27)"
},
"request": {
"method": "GET",
"url": "/organizations"
},
"response": {
"statusCode": 403
}
}
Without the right `bulk-import` permission
➜ ~ http -A bearer -a "<unauthorized_user_JWT_token>" GET http://localhost:7007/api/bulk-import-backend/organizations
{
"error": {
"message": "Unauthorized",
"name": "NotAllowedError",
"stack": "NotAllowedError: Unauthorized\n at permissionCheck (/Users/yicai/redhat/backstage-plugins/plugins/bulk-import-backend/src/helpers/auth.ts:49:11)\n at process.processTicksAndRejections (node:internal/process/task_queues:95:5)\n at <anonymous> (/Users/yicai/redhat/backstage-plugins/plugins/bulk-import-backend/src/service/router.ts:102:7)\n at OpenAPIBackend.handleRequest (/Users/yicai/redhat/backstage-plugins/node_modules/openapi-backend/src/backend.ts:299:27)"
},
"request": {
"method": "GET",
"url": "/organizations"
},
"response": {
"statusCode": 403
}
}
For admins or users with the expected bulk-import permission:
➜ ~ http -A bearer -a "<authorized_user_JWT_token>" GET http://localhost:7007/api/bulk-import-backend/organizations
{
"errors": [],
"organizations": [
{
"description": "The developer and operations friendly Kubernetes distro",
"errors": [],
"id": "792337",
"name": "openshift",
"url": "https://api.github.com/orgs/openshift"
},
{
"description": "Github home of the Red Hat Developer program.",
"errors": [],
"id": "11033755",
"name": "redhat-developer",
"url": "https://api.github.com/orgs/redhat-developer"
},
{
"description": "Get stuff done with Kubernetes!",
"errors": [],
"id": "30269780",
"name": "argoproj",
"url": "https://api.github.com/orgs/argoproj"
},
{
"errors": [],
"id": "77452707",
"name": "rh-gitops-midstream",
"url": "https://api.github.com/orgs/rh-gitops-midstream"
},
{
"description": "A Red Hat sponsored community for building Internal Development Platforms and Plugins with backstage.io ",
"errors": [],
"id": "117844786",
"name": "janus-idp",
"url": "https://api.github.com/orgs/janus-idp"
}
],
"totalCount": 5
}
debsmita1
reviewed
Aug 13, 2024
rm3l
force-pushed
the
RHIDP-1208--add-rbac-support-to-the-import-from-git-plugin
branch
from
41f6823
to
4704322
Compare
rm3l
changed the title
@ciiay Thanks for testing this. I tested again and, as expected, I am getting a 401 when no token is passed. See below. Can you please run |
PatAKnight
previously approved these changes
Aug 19, 2024
There was a problem hiding this comment.
Tested as well and it worked for me, lgtm
Without authentication
curl "http://localhost:7007/api/bulk-import/organizations" | jq
{
"error": {
"name": "AuthenticationError",
"message": "Missing credentials",
"stack": "AuthenticationError: Missing credentials\n at DefaultHttpAuthService.credentials (/home/patrick/Documents/janus/backstage-plugins/node_modules/@backstage/backend-defaults/src/entrypoints/httpAuth/httpAuthServiceFactory.ts:150:13)\n at process.processTicksAndRejections (node:internal/process/task_queues:95:5)"
},
"request": {
"method": "GET",
"url": "/api/bulk-import/organizations"
},
"response": {
"statusCode": 401
}
}
With deny
curl "http://localhost:7007/api/bulk-import/organizations" -H "Authorization: Bearer $token" | jq
{
"error": {
"name": "NotAllowedError",
"message": "Unauthorized",
"stack": "NotAllowedError: Unauthorized\n at permissionCheck (/home/patrick/Documents/janus/backstage-plugins/plugins/bulk-import-backend/src/helpers/auth.ts:49:11)\n at process.processTicksAndRejections (node:internal/process/task_queues:95:5)\n at <anonymous> (/home/patrick/Documents/janus/backstage-plugins/plugins/bulk-import-backend/src/service/router.ts:102:7)\n at OpenAPIBackend.handleRequest (/home/patrick/Documents/janus/backstage-plugins/node_modules/openapi-backend/src/backend.ts:299:27)"
},
"request": {
"method": "GET",
"url": "/organizations"
},
"response": {
"statusCode": 403
}
}
With allow
curl "http://localhost:7007/api/bulk-import/organizations" -H "Authorization: Bearer $token" | jq
{
"errors": [],
"organizations": [
{
"id": "152328355",
"name": "test-org-pat",
"url": "https://api.github.com/users/test-org-pat",
"totalRepoCount": 3,
"errors": []
}
],
"totalCount": 1,
"pagePerIntegration": 1,
"sizePerIntegration": 20
}
These endpoints will only be accessible by admins or users with the 'bulk.import' permission.
…ckend plugins Note that this changes the default API base path from `/api/bulk-import-backend` to `/api/bulk-import`
rm3l
force-pushed
the
RHIDP-1208--add-rbac-support-to-the-import-from-git-plugin
branch
from
4704322
to
7b85194
Compare
|
|
Rebased and force-pushed to fix Git conflicts with the following files:
|
rm3l
changed the title
There was a problem hiding this comment.
Looks good to me. @debsmita1 Can you confirm that bulk import frontend plugin will be still working after changing endpoint url?
@AndrienkoAleksandr The frontend with the API integration hasn't merged yet. Once this one gets merged, I will update my PR |
AndrienkoAleksandr
approved these changes
Aug 20, 2024
rm3l
deleted the
RHIDP-1208--add-rbac-support-to-the-import-from-git-plugin
branch
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What does this PR do / why we need it:
This PR adds RBAC support to the bulk-import backend plugin API endpoints.
Only admins and users with the
bulk.importpermission have access to the bulk import backend API endpoints.Which issue(s) this PR fixes:
Fixes https://issues.redhat.com/browse/RHIDP-1208
PR acceptance criteria:
Unit tests
Integration tests
Documentation
How to test changes / Special notes to the reviewer:
Note that the
GET /pingendpoint is unauthenticated and does not enforce any permission.All the other endpoints should check for the
bulk.importpermission.Now try to query the bulk import backend API endpoints, e.g.:
$ http GET http://localhost:7007/api/bulk-import-backend/organizations { "error": { "message": "Missing credentials", "name": "AuthenticationError", "stack": "AuthenticationError: Missing credentials\n at DefaultHttpAuthService.credentials (/home/asoro/work/projects/backstage/janus-idp/backstage-plugins/node_modules/@backstage/backend-defaults/src/entrypoints/httpAuth/httpAuthServiceFactory.ts:150:13)\n at process.processTicksAndRejections (node:internal/process/task_queues:95:5)" }, "request": { "method": "GET", "url": "/api/bulk-import-backend/organizations" }, "response": { "statusCode": 401 } }bulk-importpermission:bulk-importpermission: