Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adjust encoding for security management pages #83629

Merged
merged 3 commits into from
Nov 20, 2020
Merged

Adjust encoding for security management pages #83629

merged 3 commits into from
Nov 20, 2020

Conversation

legrego
Copy link
Member

@legrego legrego commented Nov 18, 2020
edited
Loading

Summary

This PR takes a different set of tradeoffs for encoding links to the User, Role, and Role Mapping management screens.

We perform an extra call to decodeURIComponent when resolving the username, role name, and role mapping name, so that we can correctly fetch these assets. This is to workaround a bug in the history module, which is used by react-router-dom (#82440). The history module has been fixed, but react-router-dom has not updated their dependencies. The fix resulted in a breaking change, and so forcefully resolving history to the fixed version is a non-starter for us.

This will not fix all use cases, and it will result in some UI inconsistencies.
For example, a username of foo%20user will render in the UI as foo user because of this additional decoding step.

Resolves #83541

@legrego legrego added release_note:fix Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! v7.10.1 v7.11.0 v8.0.0 labels Nov 18, 2020
@legrego legrego marked this pull request as ready for review November 18, 2020 14:59
@legrego legrego requested a review from a team as a code owner November 18, 2020 14:59
@elasticmachine
Copy link
Contributor

Pinging @elastic/kibana-security (Team:Security)

@azasypkin
Copy link
Member

ACK: reviewing...

@azasypkin azasypkin self-requested a review November 20, 2020 09:31
azasypkin
azasypkin reviewed Nov 20, 2020
View reviewed changes
x-pack/plugins/security/public/management/users/users_management_app.tsx Outdated
@@ -66,10 +66,14 @@ export const usersManagementApp = Object.freeze({
const EditUserPageWithBreadcrumbs = () => {
const { username } = useParams<{ username?: string }>();

// Additional decoding is a workaround for a bug in react-router's version of the `history` module.
// See https://github.com/elastic/kibana/issues/82440
const decodedUsername = username ? decodeURIComponent(username) : undefined;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

issue: hmm, it seems while we fixed issue for usernames with @, we introduced it for the ones with %. For example for user%not, decodeURIComponent will throw malformed URI sequence :/ Should we temporarily create tryDecodeURIComponent function with a try/catch block inside?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah good catch. I had tested with valid encoded entities (e.g. %20), but didn't think about the malformed sequences. Yeah I think a tryDecodeURIComponent makes the most sense here, at least for the time being. I'll make this change!

@kibanamachine
Copy link
Contributor

💚 Build Succeeded

Metrics [docs]

Module Count

Fewer modules leads to a faster build time

id before after diff
security 469 470 +1

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id before after diff
security 784.5KB 784.5KB +2.0B

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

id before after diff
security 162.5KB 163.1KB +649.0B

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

azasypkin
azasypkin approved these changes Nov 20, 2020
View reviewed changes
Copy link
Member

@azasypkin azasypkin left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks! The fix is good enough for the time being and covers the most probable cases. To cover the rest we really need a proper fix in react-router-dom.

Do we also need a Release Note:-like comment in the issue description for our release note automation?

@legrego legrego merged commit d1e998f into elastic:master Nov 20, 2020
@legrego legrego deleted the security/route-encoding branch November 20, 2020 18:07
@legrego legrego mentioned this pull request Nov 20, 2020
Merged
legrego added a commit to legrego/kibana that referenced this pull request Nov 20, 2020
@legrego
Adjust encoding for security management pages (elastic#83629)
c65cf9a 
* Adjust encoding for security management pages

* introduce tryDecodeURIComponent
@legrego legrego mentioned this pull request Nov 20, 2020
Merged
legrego added a commit to legrego/kibana that referenced this pull request Nov 20, 2020
@legrego
Adjust encoding for security management pages (elastic#83629)
6beeba4 
* Adjust encoding for security management pages

* introduce tryDecodeURIComponent
legrego added a commit that referenced this pull request Nov 20, 2020
@legrego
[7.10] Adjust encoding for security management pages (#83629) (#83953)
8429d58 
* Adjust encoding for security management pages

* introduce tryDecodeURIComponent
legrego added a commit that referenced this pull request Nov 20, 2020
@legrego
[7.x] Adjust encoding for security management pages (#83629) (#83952)
692ac0f 
* Adjust encoding for security management pages

* introduce tryDecodeURIComponent
@azasypkin azasypkin mentioned this pull request Nov 26, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@azasypkin azasypkin azasypkin approved these changes

Assignees
No one assigned
Labels
release_note:fix Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! v7.10.1 v7.11.0 v8.0.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Cannot edit user with @ in name
4 participants
@legrego @elasticmachine @azasypkin @kibanamachine