feat(brokers/cache): Change user info validations to require at least one remote group #131
Conversation
|
Ok, I must be missing something. It can't be this simple, can it? |
There was a problem hiding this comment.
Ok, I must be missing something. It can't be this simple, can it?
To me yes, you are missing something out :)
I mentioned in the HO that our cache also had this logic and needs to be changed. Basically, it should fail too if no groups is provided and not handle special case (and so, tests should be changed too):
// No groups were specified for this request.
if userDB.GID == -1 {
Also, as part of the Jira card, it’s written: - always force the broker to cache and return everything, from group name to users. Here it seems you handle the group and link it to the card, what about the mandatory user information? It may already be the case that we enforce them to be here, but I think part of this card is to double check it, that we have tests for them and so on. Some of the fields like Gecos and avatars are optional, some other are mandatory. I think we should just mirror the mandatory info in adduser (+uid ofc).
denisonbarbosa
force-pushed
the
update-isauthenticated-policy
branch
2 times, most recently
from
b5c6ece to
aa6d35b
Compare
Our validation of the user info provided by the broker was already robust, only lacking the new group checking blocks that are being added in this PR. cc @didrocks |
There was a problem hiding this comment.
Ok, one finale thing with a suggestion and some double checking, and we should be good to go!
Do we have a test showing up the non mandatory values? Like no gecos and no avatar?
I think we should write the optional fields as comments in the struct next to them.
denisonbarbosa
force-pushed
the
update-isauthenticated-policy
branch
from
c7ddcbd to
c0e2876
Compare
denisonbarbosa
force-pushed
the
update-isauthenticated-policy
branch
from
c0e2876 to
a220678
Compare
denisonbarbosa
changed the title
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #131 +/- ##
==========================================
- Coverage 88.28% 88.25% -0.04%
==========================================
Files 32 32
Lines 2433 2426 -7
==========================================
- Hits 2148 2141 -7
Misses 219 219
Partials 66 66 ☔ View full report in Codecov by Sentry. |
The brokers used to be able to provide the userinfo without any group associated to it. This creates difficulties when trying to manage the user presence in the local groups. Now, the broker must provide at least one group for the user and the first group must be a remote one (with UGID).
This follows the changes to the userinfo returned by IsAuthenticated. We have validation for the return before getting to the cache, but it's best to have multiple layers of protection.
denisonbarbosa
force-pushed
the
update-isauthenticated-policy
branch
from
a220678 to
9d8fa24
Compare
We used to allow the brokers to provide user information without any group. This creates problems when managing local groups. To prevent this, we now force the brokers to return at least one group for the user.
The user group list must contain at least one remote group (with UGID) to act as the default group for the user. This means that it must be the first group in the list.
UDENG-1865