Skip to content

Refactor validate token create #97

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
majst01 merged 19 commits into from
Dec 8, 2025
Merged

Refactor validate token create #97

majst01 merged 19 commits into from
Dec 8, 2025

Conversation

@majst01
Copy link
Contributor

@majst01 majst01 commented Dec 2, 2025
edited
Loading

Description

Use tokenpermissions to validate the token create/update/refresh call.

@metal-robot metal-robot bot added the area: control-plane Affects the metal-stack control-plane area. label Dec 2, 2025
@metal-robot metal-robot bot added this to Development Dec 2, 2025
@majst01 majst01 force-pushed the refactor-validate-token-create branch from 4fb2f1e to 2e0f8a7 Compare December 2, 2025 08:24
majst01
majst01 commented Dec 2, 2025
View reviewed changes
@majst01 majst01 self-assigned this Dec 2, 2025
@majst01 majst01 force-pushed the refactor-validate-token-create branch 2 times, most recently from a528a98 to 513a287 Compare December 2, 2025 08:53
@codecov
Copy link

codecov bot commented Dec 2, 2025
edited
Loading

Codecov Report

❌ Patch coverage is 86.66667% with 14 lines in your changes missing coverage. Please review.
✅ Project coverage is 68.86%. Comparing base (a9bb726) to head (0df3e61).
⚠️ Report is 1 commits behind head on main.

Files with missing lines Patch % Lines
pkg/service/token/token-service.go 84.61% 7 Missing and 5 partials ⚠️
pkg/request/tokenpermissions.go 90.47% 1 Missing and 1 partial ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main      #97      +/-   ##
==========================================
- Coverage   69.20%   68.86%   -0.35%     
==========================================
  Files         113      113              
  Lines        9629     9626       -3     
==========================================
- Hits         6664     6629      -35     
- Misses       2259     2297      +38     
+ Partials      706      700       -6

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@majst01 majst01 force-pushed the refactor-validate-token-create branch from 513a287 to b71fa70 Compare December 2, 2025 09:09
@majst01 majst01 marked this pull request as ready for review December 2, 2025 09:10
@majst01 majst01 requested a review from a team as a code owner December 2, 2025 09:10
@majst01 majst01 force-pushed the refactor-validate-token-create branch from b71fa70 to bdb3139 Compare December 2, 2025 09:24
@majst01 majst01 force-pushed the refactor-validate-token-create branch from bdb3139 to 897e95e Compare December 2, 2025 09:38
iljarotar
iljarotar reviewed Dec 4, 2025
View reviewed changes
iljarotar
iljarotar reviewed Dec 4, 2025
View reviewed changes
iljarotar
iljarotar reviewed Dec 4, 2025
View reviewed changes
vknabel
vknabel reviewed Dec 5, 2025
View reviewed changes
iljarotar
iljarotar reviewed Dec 8, 2025
View reviewed changes
iljarotar
iljarotar reviewed Dec 8, 2025
View reviewed changes
iljarotar
iljarotar reviewed Dec 8, 2025
View reviewed changes
@iljarotar
Copy link
Contributor

iljarotar commented Dec 8, 2025

Error messages look good. One thing I'm still missing is the information which tenant or project some requested role is not allowed for. E.g. if I request editor role for two projects and it's denied for one of them, I'd like to know which one.

@majst01
Copy link
Contributor Author

majst01 commented Dec 8, 2025

Error messages look good. One thing I'm still missing is the information which tenant or project some requested role is not allowed for. E.g. if I request editor role for two projects and it's denied for one of them, I'd like to know which one.

This would be possible if we also add the deniedSubjects to the list of errors instead of returning early after the deniedRoles are found.

@iljarotar
Copy link
Contributor

iljarotar commented Dec 8, 2025

Error messages look good. One thing I'm still missing is the information which tenant or project some requested role is not allowed for. E.g. if I request editor role for two projects and it's denied for one of them, I'd like to know which one.

This would be possible if we also add the deniedSubjects to the list of errors instead of returning early after the deniedRoles are found.

Yes, maybe as a map role -> project/tenant.

@iljarotar iljarotar mentioned this pull request Dec 8, 2025
Closed
@majst01
Copy link
Contributor Author

majst01 commented Dec 8, 2025

Error messages look good. One thing I'm still missing is the information which tenant or project some requested role is not allowed for. E.g. if I request editor role for two projects and it's denied for one of them, I'd like to know which one.

This would be possible if we also add the deniedSubjects to the list of errors instead of returning early after the deniedRoles are found.

Yes, maybe as a map role -> project/tenant.

Will try

Gerrit91
Gerrit91 reviewed Dec 8, 2025
View reviewed changes
pkg/service/token/token-service_test.go Outdated
},
wantErr: true,
wantErrMessage: `permission_denied: requested project: "00000000-0000-0000-0000-000000000000" is not allowed`,
wantErrMessage: `permission_denied: requested roles: [PROJECT_ROLE_EDITOR] are not allowed with your current token`,
Copy link
Contributor

@Gerrit91 Gerrit91 Dec 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe to make it clearer that the permissions are actually compared with the permissions from the database and not the contents of the requesting token?

Suggested change
wantErrMessage: `permission_denied: requested roles: [PROJECT_ROLE_EDITOR] are not allowed with your current token`,
wantErrMessage: `permission_denied: requested roles: [PROJECT_ROLE_EDITOR] are not allowed with your current user permissions`,

Gerrit91
Gerrit91 reviewed Dec 8, 2025
View reviewed changes
pkg/service/token/token-service.go Outdated
}
// Now calculate meaningful error messages.
// First map the denied methods to roles which could access these methods.
for _, method := range deniedMethods {
Copy link
Contributor

@Gerrit91 Gerrit91 Dec 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am not sure if we should attempt to map permissions back to roles. 😅

  1. This function would look really simple without the "reverse lookup". For this package I think it's beneficial that the code strives to be as simple as it gets.
  2. An early return with the first found problem is resource-efficient and it should be enough for a user to figure out the problem with his request quite quickly. I assume 90% of the use-cases are not as complex and people want to create an API token for a specific project for example. When you have a UI, this will not even show invalid input parameters for the requests. For CLI or CI scenarios, when it says "MachineCreate is not allowed on project-a with your current user permissions" it should be pretty clear what needs to be done by the user. Having the correct role probably resolves all the other problems that this function would return. Of course, there can be more complex scenarios but I don't think it will be incredibly time-consuming for a user to identify and resolve the problems even if you do not present him with the complete information.
  3. I hope that at some point we have dynamic roles (e.g. a role that's called "metal-core" and has a set of methods that comes with it). The static roles that come from the API definitions are not enough in this case and this introduces another place that needs to be adapted when implementing this feature.

Copy link
Contributor

@iljarotar iljarotar Dec 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agreed.

Copy link
Contributor Author

@majst01 majst01 Dec 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Simplified, shift responsibility back to the user which wants to create/update a token for the sake of much simpler validation logic.

@majst01 majst01 merged commit 5a57b8f into main Dec 8, 2025
5 checks passed
@majst01 majst01 deleted the refactor-validate-token-create branch December 8, 2025 14:46
@majst01 majst01 mentioned this pull request Dec 8, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@vknabel vknabel vknabel left review comments

@Gerrit91 Gerrit91 Gerrit91 left review comments

@iljarotar iljarotar iljarotar approved these changes

Assignees

@majst01 majst01

Labels

area: control-plane Affects the metal-stack control-plane area.

Projects

Development
Archived in project

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@majst01 @iljarotar @vknabel @Gerrit91