🐛 Fixes catalog giving access rights to everyone (group 1) to new services 🚨

[pcrespov]

What do these changes do?

Fixes a bug where new services were incorrectly assigned to everyone (group=1) by default, introduced in #7025.

This PR restores the correct behavior:

• Only old services are assigned group=1.
• A service is considered old if:
  1. It has no build metadata, or
  2. Its build date is earlier than _OLD_SERVICES_CUTOFF_DATETIME (August 19, 2020).

Additional test coverage is included to ensure correctness of the access-rights logic.

Follow up

• Optimization and wrap-up of catalog services web-api #6201
  • Create a new http client for the director
  • Review logic and policies for service sync

Related issue/s

• Fixes bug introduced in ♻️ Move service extras to catalog #7025
• Fixes https://github.com/ITISFoundation/private-issues/issues/37

How to test

cd services/catalog
make install-dev
pytest -vv tests/unit/test_clients_director.py
pytest -vv tests/unit/test_utils_service_extras.py

Manual exploratory testing 🚨

• add a new service in registry (e.g. a patch update of some service. Check with @mguidon )
• wait for catalog to sync
• check in services_acces_rights that this service in this product does NOT has access rights to everyone 1

Dev-ops

None

[codecov]

Codecov Report

Attention: Patch coverage is 79.16667% with 5 lines in your changes missing coverage. Please review.

Project coverage is 87.91%. Comparing base (7d6abf5) to head (660e4c7).
Report is 1 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #7992      +/-   ##
==========================================
+ Coverage   87.88%   87.91%   +0.03%     
==========================================
  Files        1853     1846       -7     
  Lines       71478    71301     -177     
  Branches     1258     1258              
==========================================
- Hits        62819    62686     -133     
+ Misses       8295     8251      -44     
  Partials      364      364              

Flag	Coverage Δ
integrationtests	64.24% <75.00%> (-0.01%)	⬇️
unittests	86.52% <79.16%> (+0.02%)	⬆️

Components	Coverage Δ
api	∅ <ø> (∅)
pkg_aws_library	93.93% <ø> (ø)
pkg_celery_library	87.15% <ø> (ø)
pkg_dask_task_models_library	79.62% <ø> (ø)
pkg_models_library	93.27% <ø> (ø)
pkg_notifications_library	85.26% <ø> (ø)
pkg_postgres_database	88.19% <ø> (ø)
pkg_service_integration	69.92% <ø> (ø)
pkg_service_library	71.62% <0.00%> (-0.03%)	⬇️
pkg_settings_library	90.64% <ø> (ø)
pkg_simcore_sdk	85.05% <ø> (-0.06%)	⬇️
agent	96.29% <ø> (ø)
api_server	92.64% <ø> (ø)
autoscaling	96.03% <ø> (ø)
catalog	92.21% <78.57%> (-0.09%)	⬇️
clusters_keeper	99.13% <ø> (ø)
dask_sidecar	91.79% <ø> (ø)
datcore_adapter	97.94% <ø> (ø)
director	76.73% <ø> (ø)
director_v2	91.04% <100.00%> (+0.03%)	⬆️
dynamic_scheduler	96.69% <ø> (ø)
dynamic_sidecar	90.09% <ø> (ø)
efs_guardian	89.65% <ø> (ø)
invitations	93.60% <ø> (ø)
payments	92.57% <ø> (ø)
resource_usage_tracker	89.00% <ø> (ø)
storage	86.57% <ø> (+0.08%)	⬆️
webclient	∅ <ø> (∅)
webserver	87.67% <ø> (+<0.01%)	⬆️

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 7d6abf5...660e4c7. Read the comment docs.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[Copilot]

Pull Request Overview

This PR restores correct default access rights by ensuring only services without build metadata or built before August 19, 2020 are assigned to the public group. It also enriches the get_service_extras client API and adds tests to cover both scenarios.

• Refactors _is_old_service to first detect missing build details, then compare build dates against the cutoff.
• Updates get_service_extras to include service_build_details only when org labels are present.
• Introduces fixtures and unit tests for both director client and utilities, covering services with and without org labels.

Reviewed Changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
src/simcore_service_catalog/service/access_rights.py	Rewritten _is_old_service logic and renamed cutoff var.
src/simcore_service_catalog/clients/director.py	Conditional inclusion of service_build_details in result.
tests/unit/test_utils_service_extras.py	Reformatted import for ServiceExtras.
tests/unit/test_clients_director.py	Added service_key_and_version fixture and new tests.
tests/unit/conftest.py	Expanded label fixture and added mock_service_extras.

Comments suppressed due to low confidence (2)

services/catalog/src/simcore_service_catalog/service/access_rights.py:44

• [nitpick] This commented-out placeholder and the unused client = get_director_client(app) line can be removed to declutter the function and improve readability.

    #

services/catalog/src/simcore_service_catalog/clients/director.py:286

• [nitpick] Consider reintroducing a debug log statement here to record the exact build details being included, which can aid troubleshooting and understanding of the compiled result.

            result.update({"service_build_details": service_build_details})

[mguidon]

Thank you!

[JavierGOrdonnez]

Cool, thanks!

[sanderegg]

thanks

[matusdrobuliak66]

Q: But the long term vision is that we are getting rid of group everyone from the DB, is that correct?

[pcrespov]

@mergify queue

[mergify]

queue

🟠 Waiting for conditions to match

• any of: [🔀 queue conditions]
  • all of: [📌 queue conditions of queue default]
    • label=🤖-automerge
    • any of: [🛡 GitHub branch protection]
      • check-neutral = integration-tests
      • check-skipped = integration-tests
      • check-success = integration-tests
    • #approved-reviews-by >= 2 [🛡 GitHub branch protection]
    • #approved-reviews-by>=2
    • #changes-requested-reviews-by = 0 [🛡 GitHub branch protection]
    • #changes-requested-reviews-by=0
    • #review-threads-unresolved = 0 [🛡 GitHub branch protection]
    • #review-threads-unresolved=0
    • -conflict
    • -draft
    • base=master
    • branch-protection-review-decision = APPROVED [🛡 GitHub branch protection]
    • label!=🤖-do-not-merge
    • any of: [🛡 GitHub branch protection]
      • check-skipped = deploy to dockerhub
      • check-neutral = deploy to dockerhub
      • check-success = deploy to dockerhub
    • any of: [🛡 GitHub branch protection]
      • check-success = system-tests
      • check-neutral = system-tests
      • check-skipped = system-tests
    • any of: [🛡 GitHub branch protection]
      • check-success = unit-tests
      • check-neutral = unit-tests
      • check-skipped = unit-tests
    • any of: [🛡 GitHub branch protection]
      • check-success = check OAS' are up to date
      • check-neutral = check OAS' are up to date
      • check-skipped = check OAS' are up to date
    • any of: [🛡 GitHub branch protection]
      • check-success = build-test-images (frontend) / build-test-images
      • check-neutral = build-test-images (frontend) / build-test-images
      • check-skipped = build-test-images (frontend) / build-test-images
• -closed [📌 queue requirement]
• -conflict [📌 queue requirement]
• -draft [📌 queue requirement]
• any of: [📌 queue -> configuration change requirements]
  • -mergify-configuration-changed
  • check-success = Configuration changed

[pcrespov]

@mergify queue

[mergify]

queue

🟠 Waiting for conditions to match

• any of: [🔀 queue conditions]
  • all of: [📌 queue conditions of queue default]
    • any of: [🛡 GitHub branch protection]
      • check-neutral = integration-tests
      • check-skipped = integration-tests
      • check-success = integration-tests
    • #approved-reviews-by >= 2 [🛡 GitHub branch protection]
    • #approved-reviews-by>=2
    • #changes-requested-reviews-by = 0 [🛡 GitHub branch protection]
    • #changes-requested-reviews-by=0
    • #review-threads-unresolved = 0 [🛡 GitHub branch protection]
    • #review-threads-unresolved=0
    • -conflict
    • -draft
    • base=master
    • branch-protection-review-decision = APPROVED [🛡 GitHub branch protection]
    • label!=🤖-do-not-merge
    • label=🤖-automerge
    • any of: [🛡 GitHub branch protection]
      • check-skipped = deploy to dockerhub
      • check-neutral = deploy to dockerhub
      • check-success = deploy to dockerhub
    • any of: [🛡 GitHub branch protection]
      • check-success = system-tests
      • check-neutral = system-tests
      • check-skipped = system-tests
    • any of: [🛡 GitHub branch protection]
      • check-success = unit-tests
      • check-neutral = unit-tests
      • check-skipped = unit-tests
    • any of: [🛡 GitHub branch protection]
      • check-success = check OAS' are up to date
      • check-neutral = check OAS' are up to date
      • check-skipped = check OAS' are up to date
    • any of: [🛡 GitHub branch protection]
      • check-success = build-test-images (frontend) / build-test-images
      • check-neutral = build-test-images (frontend) / build-test-images
      • check-skipped = build-test-images (frontend) / build-test-images
• -closed [📌 queue requirement]
• -conflict [📌 queue requirement]
• -draft [📌 queue requirement]
• any of: [📌 queue -> configuration change requirements]
  • -mergify-configuration-changed
  • check-success = Configuration changed

[pcrespov]

Q: But the long term vision is that we are getting rid of group everyone from the DB, is that correct?

@matusdrobuliak66 i am not sure about it. The everyone group has its use. What I need to make sure is to understand why the "old" services needed this group. I need to check with @sanderegg

[pcrespov]

@mergify queue

[mergify]

queue

🟠 Waiting for conditions to match

• -closed [📌 queue requirement]
• -conflict [📌 queue requirement]
• -draft [📌 queue requirement]
• any of: [📌 queue -> configuration change requirements]
  • -mergify-configuration-changed
  • check-success = Configuration changed
• any of: [🔀 queue conditions]
  • all of: [📌 queue conditions of queue default]
    • #approved-reviews-by >= 2 [🛡 GitHub branch protection]
    • #approved-reviews-by>=2
    • #changes-requested-reviews-by = 0 [🛡 GitHub branch protection]
    • #changes-requested-reviews-by=0
    • #review-threads-unresolved = 0 [🛡 GitHub branch protection]
    • #review-threads-unresolved=0
    • -conflict
    • -draft
    • base=master
    • branch-protection-review-decision = APPROVED [🛡 GitHub branch protection]
    • label!=🤖-do-not-merge
    • label=🤖-automerge
    • any of: [🛡 GitHub branch protection]
      • check-skipped = deploy to dockerhub
      • check-neutral = deploy to dockerhub
      • check-success = deploy to dockerhub
    • any of: [🛡 GitHub branch protection]
      • check-success = system-tests
      • check-neutral = system-tests
      • check-skipped = system-tests
    • any of: [🛡 GitHub branch protection]
      • check-success = unit-tests
      • check-neutral = unit-tests
      • check-skipped = unit-tests
    • any of: [🛡 GitHub branch protection]
      • check-success = check OAS' are up to date
      • check-neutral = check OAS' are up to date
      • check-skipped = check OAS' are up to date
    • any of: [🛡 GitHub branch protection]
      • check-success = integration-tests
      • check-neutral = integration-tests
      • check-skipped = integration-tests
    • any of: [🛡 GitHub branch protection]
      • check-success = build-test-images (frontend) / build-test-images
      • check-neutral = build-test-images (frontend) / build-test-images
      • check-skipped = build-test-images (frontend) / build-test-images

[sonarqubecloud]

Quality Gate passed

Issues
1 New issue
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud