Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Workspace] add validation for data source in get and bulk_get methods #7596

Merged
merged 7 commits into from
Aug 2, 2024

Conversation

raintygao
Copy link
Contributor

Description

Add validation for data source in get and bulk get

Screenshot

No UX updates

Testing the changes

In workspace, when getting a data source that doesn't belong to this workspace, this request will be forbidden. Before we didn't do this validation.

Changelog

  • fix: add validation for data source in get and bulk_get methods

Check List

  • All tests pass
    • yarn test:jest
    • yarn test:jest_integration
  • New functionality includes testing.
  • New functionality has been documented.
  • Update CHANGELOG.md
  • Commits are signed per the DCO using --signoff

Copy link

codecov bot commented Jul 31, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 63.65%. Comparing base (61d5c49) to head (07fddb0).
Report is 229 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #7596   +/-   ##
=======================================
  Coverage   63.64%   63.65%           
=======================================
  Files        3634     3634           
  Lines       80099    80112   +13     
  Branches    12682    12687    +5     
=======================================
+ Hits        50977    50992   +15     
+ Misses      26015    26014    -1     
+ Partials     3107     3106    -1     
Flag Coverage Δ
Linux_1 30.57% <100.00%> (+0.01%) ⬆️
Linux_2 55.58% <ø> (ø)
Linux_3 40.58% <ø> (ø)
Linux_4 31.32% <ø> (ø)
Windows_1 30.59% <100.00%> (+0.01%) ⬆️
Windows_2 55.53% <ø> (ø)
Windows_3 40.58% <ø> (ø)
Windows_4 31.32% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

request: OpenSearchDashboardsRequest
) => {
const requestWorkspaceId = getWorkspaceState(request).requestWorkspaceId;
if (
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: Shall we rewrite to below code?

return !requestWorkspaceId || !!object.workspaces?.includes(requestWorkspaceId)

This looks more clearable to me.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you mean we use this code to replace requestWorkspaceId && !(object.workspaces && object.workspaces?.includes(requestWorkspaceId))? I suppose their effect would not be the same.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not replace the if condition. We can replace the whole if statement.

if (
      requestWorkspaceId &&
      !(object.workspaces && object.workspaces?.includes(requestWorkspaceId))
    ) {
      return false;
    } else {
      return true;
    }

can be refactor to

return !requestWorkspaceId || !!object.workspaces?.includes(requestWorkspaceId)

It has better readability to me. The method will return true when request workspace id is empty or object's workspaces attributes includes request workspace id.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

!! is used for converting undefined to false, right? This looks more clear, thanks.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not a big concern, but I do like your original implementation, it's more readable to me, when I read the code, I can easily get that we only disallow the access to data source when request with workspace but the data source is not associated with the workspace. ;D

@@ -179,6 +189,15 @@ export class WorkspaceSavedObjectsClientWrapper {
return hasPermission;
}

// Data source is a workspace level object, validate if data source has the permission to the given `workspaceIds`
Copy link
Member

@ruanyl ruanyl Jul 31, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

validate if data source has the permission to the given `workspaceIds`

what do you mean by this? should it be

validate if the request has access to the data source within the requested workspace?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, updated.

request: OpenSearchDashboardsRequest
) => {
const requestWorkspaceId = getWorkspaceState(request).requestWorkspaceId;
return !requestWorkspaceId || !!object.workspaces?.includes(requestWorkspaceId);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

!requestWorkspaceId this covers the case when outside of a workspace?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No, in WorkspaceState type, requestWorkspaceId could be undefined. Here just want to ensure that the workspaceId to be compared is existing.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The requestWorkspaceId should be exists if user in a workspace. In another words, user should be out of workspace if requestWorkspaceId is undefined right?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We don't need to care whether is in or out of workspace especially here.

Copy link
Member

@SuZhou-Joe SuZhou-Joe Jul 31, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Imaging user is in global(requestWorkspaceId is undefined) and try to get a datasource(without workspaces) by id, we should prevent user from getting the datasource detail.

I think the !requestWorkspaceId should be removed.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this may be a common case in OSD, this doesn't belong to the concept of workspace/assign/unassign, we should not do extra limitation.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, agreed. There may be some use cases that users may access data source detail in global.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But can we add a unit test to cover the case when requestWorkspaceId is empty?

Signed-off-by: tygao <[email protected]>
@SuZhou-Joe SuZhou-Joe merged commit 424e241 into opensearch-project:main Aug 2, 2024
67 checks passed
opensearch-trigger-bot bot pushed a commit that referenced this pull request Aug 8, 2024
#7596)

* add data source validation in get and bulk get

Signed-off-by: tygao <[email protected]>

* Changeset file for PR #7596 created/updated

* update wrapper validate implementation

Signed-off-by: tygao <[email protected]>

* update comments

Signed-off-by: tygao <[email protected]>

* test: add cases when not in workspace

Signed-off-by: tygao <[email protected]>

---------

Signed-off-by: tygao <[email protected]>
Co-authored-by: opensearch-changeset-bot[bot] <154024398+opensearch-changeset-bot[bot]@users.noreply.github.com>
(cherry picked from commit 424e241)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
SuZhou-Joe pushed a commit that referenced this pull request Aug 9, 2024
#7596) (#7649)

* add data source validation in get and bulk get



* Changeset file for PR #7596 created/updated

* update wrapper validate implementation



* update comments



* test: add cases when not in workspace



---------



(cherry picked from commit 424e241)

Signed-off-by: tygao <[email protected]>
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: opensearch-changeset-bot[bot] <154024398+opensearch-changeset-bot[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants