Create endpoint for listing spaces a user has a role in #545 #586
Conversation
|
@xcoulon snapshot fabric8-auth image is available for testing. |
|
@xcoulon snapshot fabric8-auth image is available for testing. |
| require.Len(t, roles, 1) | ||
| assert.Equal(t, space.Resource().ResourceType.Name, roles[0].ResourceType) | ||
| assert.Equal(t, authorization.SpaceAdminRole, roles[0].RoleName) | ||
| assert.ElementsMatch(t, roles[0].Scopes, []string{ |
There was a problem hiding this comment.
Interesting, wasn't aware of this.
gormtestsupport/db_test_suite.go
Outdated
| @@ -85,7 +87,9 @@ func (s *DBTestSuite) PopulateDBTestSuite(ctx context.Context) { | |||
|
|
|||
| // TearDownSuite implements suite.TearDownAllSuite | |||
| func (s *DBTestSuite) TearDownSuite() { | |||
| s.cleanSuite() | |||
| if s.Configuration.IsCleanTestDataEnabled() { | |||
There was a problem hiding this comment.
Could you add a comment why this is being done?
There was a problem hiding this comment.
well, I thought that the comment on the configuration.ConfigurationData.IsCleanTestDataEnabled() was clear enough?
There was a problem hiding this comment.
Sure, but a line of comment explaining why would we have to sometimes disable the test data cleanup, would be helpful.
There was a problem hiding this comment.
ok, let me add this, then ;)
| @@ -0,0 +1,2 @@ | |||
| -- We must not allow multiple creations of role mapping for a given type of resource with the same 'from' and 'to' roles. | |||
| alter table default_role_mapping add constraint unique_default_role_mapping UNIQUE (resource_type_id, from_role_id, to_role_id); | |||
There was a problem hiding this comment.
Thankfully, we don't have an exposed API for this, else you would have had to consider migration.
There was a problem hiding this comment.
right, that's something we would have needed to handle, too. Same would need to apply for "custom" role mappings, but I have not started work on those ones yet. Probably in another PR
|
@xcoulon snapshot fabric8-auth image is available for testing. |
Codecov Report
@@ Coverage Diff @@
## master #586 +/- ##
==========================================
+ Coverage 72.6% 72.81% +0.21%
==========================================
Files 84 84
Lines 8331 8480 +149
==========================================
+ Hits 6049 6175 +126
- Misses 1817 1835 +18
- Partials 465 470 +5
Continue to review full report at Codecov.
|
|
@xcoulon snapshot fabric8-auth image is available for testing. |
|
@xcoulon snapshot fabric8-auth image is available for testing. |
|
@xcoulon snapshot fabric8-auth image is available for testing. |
|
@xcoulon snapshot fabric8-auth image is available for testing. |
adding a new endpoint in the `/user` base: `/spaces` to list spaces in which the current user (identitfied by the request token) has a role. includes changes in the `UserService` and `RoleRepository` to retrieve resources of a given type for which a user as a direct role, or a role via a team, or a role via a default role mapping while having a direct role or via a team on another resource. For example, a user has `admin` role on an org and is given the `contributor` on the space via a default role mapping. Custom role mappings are not supported yet. also: - refactor `identityIDFromWrapper` as standalone function - fix the missing call to the gorm callback when adding a member to a team, by calling the repository instead of performing a direct SQL insert. Fixes #545 Signed-off-by: Xavier Coulon <[email protected]>
|
@xcoulon snapshot fabric8-auth image is available for testing. |
Signed-off-by: Xavier Coulon <[email protected]>
|
@xcoulon snapshot fabric8-auth image is available for testing. |
xcoulon
changed the title
|
[test] |
Signed-off-by: Xavier Coulon <[email protected]>
|
@xcoulon snapshot fabric8-auth image is available for testing. |
There was a problem hiding this comment.
Thank you @xcoulon. I have a few minor comments to address. Also, I haven't seen anything related to account in design/account.go. How about renaming it to design/user.go?
design/account.go
Outdated
| a.Attribute("scopes", a.ArrayOf(d.String), "The scopes associated with the role of the user in the corresponding resource") | ||
| a.Required("role", "scopes") | ||
| }) | ||
|
|
||
| // updateidentityDataAttributes represents an identified user object attributes used for updating a user. | ||
| var updateUserDataAttributes = a.Type("UpdateIdentityDataAttributes", func() { |
There was a problem hiding this comment.
variable updateUserDataAttributes has different name in documentation. Can you please change it?
There was a problem hiding this comment.
sure, let me fix that
controller/user_blackbox_test.go
Outdated
|
|
||
| t.Run("role on no space", func(t *testing.T) { | ||
| // given | ||
| g := s.NewTestGraph() |
There was a problem hiding this comment.
I think you can use s.Graph directly here, because we are creating it beforeEach test. https://github.com/fabric8-services/fabric8-auth/blob/master/gormtestsupport/db_test_suite.go#L72
There was a problem hiding this comment.
I'd rather create a new TestGraph for each subtest because in the latest commits of this PR, I need to pass the current *testing.T as an argument, because in case of assertion failure, the test panics (that's a side-effect of using sub tests)
There was a problem hiding this comment.
It's one of the reason I don't like subtests :) It looks nicer in test reports but doesn't provide good isolation between separate tests.
There was a problem hiding this comment.
@alexeykazakov I do not agree with you on that: sub tests also allow for running a set of tests at once, which can be very convenient.
There was a problem hiding this comment.
I’m not saying that nicer reports is the only advantage of subtests. I just pointed that there are some disadvantages too. Like lack of proper test isolation.
There was a problem hiding this comment.
yes, I agree with you for the lack of test isolation, and this is annoying. I'll see if there's something we can do about it. For now, a good way to work-around this limitation is by making sure that test data do not conflict with each other...
controller/user_blackbox_test.go
Outdated
|
|
||
| t.Run("role on 1 space", func(t *testing.T) { | ||
| // given | ||
| g := s.NewTestGraph() |
design/account.go
Outdated
| // requirement and value will be handled by the controller method, | ||
| // in order to be able to return a proper JSON-API response to the client in case | ||
| // of a bad request | ||
| a.Param("type", d.String, "the type of resource to list") |
There was a problem hiding this comment.
How about adding sample values here? Currently, we are only supporting space. This way it will helpful to understand for consumer about what are supported types and they can use the same. Something like Enum("spaces")
There was a problem hiding this comment.
ok, let me see that
There was a problem hiding this comment.
actually, we could do that, but then Goa will immediately return an error while processing the request with an invalid or empty type parameter, without calling the controller, which prevents us from returning a JSON-API response. So we need to be permissive in the design and handle the type value in the controller.
There was a problem hiding this comment.
(and now I remember that I tried that but reverted the change as I could not test the case of invalid/empty type parameter as I needed to)
controller/user.go
Outdated
| resourceType = authorization.ResourceTypeSpace | ||
| } | ||
| if resourceType == "" { | ||
| return jsonapi.JSONErrorResponse(ctx, errors.NewBadParameterError("type", *ctx.Type)) |
There was a problem hiding this comment.
how about giving supported parameters in error to help cosumer of this api?
There was a problem hiding this comment.
ok, let me change the error to include the list of supported types (ie, spaces only for now)
Signed-off-by: Xavier Coulon <[email protected]>
|
@xcoulon snapshot fabric8-auth image is available for testing. |
|
@dipak-pawar thanks for your feedback and let me address your comments |
Signed-off-by: Xavier Coulon <[email protected]>
|
@xcoulon snapshot fabric8-auth image is available for testing. |
|
@dipak-pawar I addressed your comments in fffc4ab |
Signed-off-by: Xavier Coulon <[email protected]>
|
@xcoulon snapshot fabric8-auth image is available for testing. |
Signed-off-by: Xavier Coulon <[email protected]>
|
@xcoulon snapshot fabric8-auth image is available for testing. |
|
@xcoulon snapshot fabric8-auth image is available for testing. |
| AND ir.deleted_at IS NULL | ||
| GROUP BY | ||
| role.role_id, role.name, res.resource_id | ||
| /* list the roles on resources of the given type when the user has a role inherited by an ancestor resource via default role mapping */ |
There was a problem hiding this comment.
oh, my bad. Thanks for spotting this grammar mistake!
design/user.go
Outdated
| a.Required("type") | ||
| }) | ||
| a.Description("List resources of a given type with a role for the current user") | ||
| // a.UseTrait("conditional") |
There was a problem hiding this comment.
sure, that was a left-over since support for conditional requests will be implemented in #606 - just opened, forgot about it before so thanks for reminding me about it! ;)
| assert.Len(t, roles, 0) | ||
| }) | ||
|
|
||
| t.Run("individual is contributor in the parent organization with default role mapping", func(t *testing.T) { |
There was a problem hiding this comment.
Nice tests, could you list these scenarios as a checklist in the PR description/commit message ?
|
@sbose78 thanks for the comments/review, I'll take you comments into account. I got caught in the design refactoring, but this should have probably been better in a separate PR. I'll try to keep the next ones more focused. |
The repository is tested under the following conditions: - a user has a role on a space - a user has a role in the parent org, and a default mapping provides . a role on the child space - a user belongs to team which has a role on a space - a user belongs to a team which has a role on an org, and a default . role mapping provides a role on the space Fixes #545 Signed-off-by: Xavier Coulon <[email protected]>
|
@xcoulon snapshot fabric8-auth image is available for testing. |
|
thanks for the reviews and approvals, @alexeykazakov, @dipak-pawar and @sbose78! |
The service has been tested under the following conditions:
. a role on the child space
. role mapping provides a role on the space
Fixes #545