Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(rbac) include Negative when marshaling RBAC #32

Merged
merged 2 commits into from
Mar 31, 2021
Merged

fix(rbac) include Negative when marshaling RBAC #32

merged 2 commits into from
Mar 31, 2021

Conversation

rainest
Copy link
Contributor

@rainest rainest commented Mar 30, 2021

The custom JSON marshalers for these types omitted the Negative field, which prevented decK (or any other user of go-kong) from applying it. This was originally reported internally in FTI-2405. To recap/demonstrate, repeated syncs of negative.yaml.txt would not never actually sync a negative permission, since the PATCH omitted that field:

./deck sync -s negative.yaml --rbac-resources-only --verbose 2
{"next":null,"data":[{"endpoint":"\/acls","created_at":1617146918,"workspace":"default","actions":["delete","create","update","read"],"negative":false,"comment":null,"role":{"id":"bb1522dc-e323-456a-bb9d-1d5f3fd07f6d"}}]}
updating rbac-endpointpermission bb1522dc-e323-456a-bb9d-1d5f3fd07f6d-default-/acls  {
   "actions": "delete,create,update,read",
   "endpoint": "/acls",
   "workspace": "default"
 }

PATCH /rbac/roles/bb1522dc-e323-456a-bb9d-1d5f3fd07f6d/endpoints/default//acls HTTP/1.1
{"workspace":"default","endpoint":"/acls","actions":"delete,create,update,read"}
HTTP/1.1 200 OK

{"endpoint":"\/acls","created_at":1617146918,"workspace":"default","actions":["delete","create","update","read"],"negative":false,"role":{"id":"bb1522dc-e323-456a-bb9d-1d5f3fd07f6d"}}
Summary:
  Created: 0
  Updated: 1
  Deleted: 0

With this change to go-kong, the PATCH will include that field, and the permissions will honor the negative field in the state file.

@rainest rainest requested a review from a team as a code owner March 30, 2021 23:35
fix(rbac) include Negative when marshaling RBAC
146b85d 
Include the Negative field when marshaling RBAC types to JSON.

The RBAC entity and endpoint permissions types have custom JSON
marshalers to account for differences between Kong's GET output and the
expected inputs to PUT/PATCH/POST:
https://github.com/Kong/go-kong/pull/5/files#r495600736

Previously, these marshalers omitted the Negative fields, so requests
outbound from go-kong would never set Negative, and it would always be
the default (false).

Fix FTI-2405
shaneutt
shaneutt approved these changes Mar 31, 2021
View reviewed changes
Copy link
Contributor

@shaneutt shaneutt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👏

mflendrich
mflendrich approved these changes Mar 31, 2021
View reviewed changes
Copy link
Contributor

@mflendrich mflendrich left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

json:"..." tags on the definitions of structs that have a custom marshaler are very confusing, and pointless if there's a custom marshaler that defines its own representation unrelated to those tags.

The best (yet breaking) solution here to avoid this problem from happening in the future would be to make Actions a custom type with its own custom marshaler, and leaving the types including Actions with a default marshaler. But, as I said earlier, this is a breaking change so probably a no-go at this moment. Also I would rather not remove tags because of potential unexpected side effects.

The second best improvement I can think of is adding a warning comment on those types (that, despite tags, the default marshaler is not in use.

Therefore, here's my optional (yet strongly recommended) action item: on types that define a custom marshaler and have json tags defined, put a warning comment like:

// Note that this type implements a custom json.Marshaler and json.Unmarshaler!

@rainest rainest merged commit 0ef6803 into main Mar 31, 2021
@rainest rainest mentioned this pull request Mar 31, 2021
Closed
@hbagdi hbagdi deleted the fix/permission-negatives branch April 26, 2021 19:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mflendrich mflendrich mflendrich approved these changes

@shaneutt shaneutt shaneutt approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@rainest @mflendrich @shaneutt