if host does not exist raise RoleNotFound #2018
Conversation
![codeclimate[bot]](https://avatars.githubusercontent.com/in/9403?s=60&v=4){kind=small}
|
|
||
| @host = @resource_class[host_id] | ||
| unless @host | ||
| raise Errors::Authentication::Security::RoleNotFound.new( |
There was a problem hiding this comment.
Provide an exception class and message as arguments to raise.
There was a problem hiding this comment.
If we're changing the functional behavior of the server, we should definitely have a CHANGELOG message for this change. You can see our guidelines for writing good changelog messages here. We try to write the changelog messages so they speak to the user-facing impact of the change - basically, try to explain, "If I am the user, why do I care?"
You should probably also try to write a simple test case for this change - something that would have failed before you implemented it, but would be passing now. The PR checklist is a good guide for the things to consider when submitting PRs.
Note: the PR will also need a rebase.
mbenita-Cyberark
force-pushed
the
k8s_hostId_not_exist_error_log_improvement
branch
from
6e0e956
to
020b26d
Compare
|
I'm not sure which file changed to require quality-architects as codeowner here, but my concerns are the same as those @izgeri brought up. I have no further changes to suggest.. |
CHANGELOG.md
Outdated
| @@ -5,6 +5,9 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) | |||
| and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html). | |||
|
|
|||
| ## [Unreleased] | |||
| ### Changed | |||
| - Conjur now Throw RoleNotFound error in k8s authenticator | |||
There was a problem hiding this comment.
Conjur now raises a RoleNotFound when trying to authenticate a non-existing host in authn-k8s
| @@ -170,16 +176,17 @@ def audit_success | |||
| end | |||
|
|
|||
| def audit_failure(err) | |||
| @audit_log.log( | |||
| Audit::Event::Authn::InjectClientCert.new( | |||
|
|
|||
There was a problem hiding this comment.
Extra empty line detected at method body beginning.
| client_ip: @client_ip, | ||
| success: false, | ||
| error_message: err.message | ||
| ) | ||
| ) | ||
|
|
There was a problem hiding this comment.
Extra empty line detected at method body end.
| authenticator_name: AUTHENTICATOR_NAME, | ||
| service: webservice, | ||
| role_id: host.id, | ||
| role_id: err.class == Errors::Authentication::Security::RoleNotFound ? "" : host.id, |
There was a problem hiding this comment.
Align the keys of a hash literal if they span more than one line.
| authenticator_name: AUTHENTICATOR_NAME, | ||
| service: webservice, | ||
| role_id: host.id, | ||
| role_id: err.class == Errors::Authentication::Security::RoleNotFound ? "" : host.id, |
There was a problem hiding this comment.
Use instance_of?(Errors::Authentication::Security::RoleNotFound) instead of comparing classes.
mbenita-Cyberark
force-pushed
the
k8s_hostId_not_exist_error_log_improvement
branch
3 times, most recently
from
bf82190
to
4428823
Compare
| @audit_log.log(Audit::Event::Authn::InjectClientCert.new( | ||
| authenticator_name: AUTHENTICATOR_NAME, | ||
| service: webservice, | ||
| role_id: err.instance_of?(Errors::Authentication::Security::RoleNotFound) ? "" : host.id, |
There was a problem hiding this comment.
Align the keys of a hash literal if they span more than one line.
mbenita-Cyberark
force-pushed
the
k8s_hostId_not_exist_error_log_improvement
branch
from
4428823
to
cdbbfaa
Compare
| @@ -5,6 +5,8 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) | |||
| and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html). | |||
|
|
|||
| ## [Unreleased] | |||
| ### Changed | |||
| - Conjur now raises a RoleNotFound when trying to authenticate a non-existing host in authn-k8s | |||
mbenita-Cyberark
force-pushed
the
k8s_hostId_not_exist_error_log_improvement
branch
from
cdbbfaa
to
d5ad4de
Compare
| # Masking role if it doesn't exist to avoid audit pollution | ||
| # Checking @success as well to save DB call on success | ||
| def sanitized_role_id | ||
| return "not-found" unless @resource_class[host_id] |
There was a problem hiding this comment.
Add empty line after guard clause.
| @@ -161,7 +167,7 @@ def audit_success | |||
| Audit::Event::Authn::InjectClientCert.new( | |||
| authenticator_name: AUTHENTICATOR_NAME, | |||
| service: webservice, | |||
| role_id: host.id, | |||
| role_id: sanitized_role_id, | |||
There was a problem hiding this comment.
Align the keys of a hash literal if they span more than one line.
| @@ -174,13 +180,22 @@ def audit_failure(err) | |||
| Audit::Event::Authn::InjectClientCert.new( | |||
| authenticator_name: AUTHENTICATOR_NAME, | |||
| service: webservice, | |||
| role_id: host.id, | |||
| role_id: sanitized_role_id, | |||
There was a problem hiding this comment.
Align the keys of a hash literal if they span more than one line.
| # TODO: this logic is taken from app/models/audit/event/authn.rb. | ||
| # We should use that logic here. | ||
| # Masking role if it doesn't exist to avoid audit pollution | ||
| # Checking @success as well to save DB call on success |
There was a problem hiding this comment.
you actually don't check @success here. Please fix comment.
- Added RoleNotFound error message in case host not exist for hostId - Fixed bug when creating InjectClientCert inside log write command - Added UT
mbenita-Cyberark
force-pushed
the
k8s_hostId_not_exist_error_log_improvement
branch
from
d5ad4de
to
4359d63
Compare
CHANGELOG.md
Outdated
| @@ -5,6 +5,9 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) | |||
| and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html). | |||
|
|
|||
| ## [Unreleased] | |||
| ### Changed | |||
| - Conjur now raises a RoleNotFound when trying to authenticate a non-existing host in authn-k8s | |||
| [conjurinc/appliance#1546]https://github.com/conjurinc/appliance/issues/1546 | |||
There was a problem hiding this comment.
this should be [conjurinc/appliance#1546](https://github.com/conjurinc/appliance/issues/1546)` so it is linkable in a MD file
There was a problem hiding this comment.
this is not the correct issue. The issue you are fixing is that we now raise a NilError instead of an informative one. please add an issue if it's not present
There was a problem hiding this comment.
why are we linking to an issue filed in a private repo?
There was a problem hiding this comment.
nm - looks like this was updated later, and the changelog is current now.
- Added RoleNotFound error message in case host not exist for hostId - Fixed bug when creating InjectClientCert inside log write command - Added UT
mbenita-Cyberark
force-pushed
the
k8s_hostId_not_exist_error_log_improvement
branch
from
4b966db
to
27193bb
Compare
|
Code Climate has analyzed commit 27193bb and detected 2 issues on this pull request. Here's the issue category breakdown:
The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 89.3% (0.0% change). View more on Code Climate. |
mbenita-Cyberark
dismissed
izgeri’s stale review
I implemented requested UTs and Changelog with Oren's PR approval
mbenita-Cyberark
deleted the
k8s_hostId_not_exist_error_log_improvement
branch
|
This is connected to #2046, yes? Please be sure to link PRs to issues, as it helps trace changes when building a release. Thank you! |
|
@mbenita-Cyberark @orenbm: Does this have user facing behavior change? How will users be affected? Thanks. |
the change is written in the CHANGELOG: |
|
@orenbm: Yup, I saw that entry. However, customers typically interact with authn-k8s through the client, not the API directly. How would this change manifest in the client? |
|
it won't. they will see it if they have a failure and will check the logs to find it. do instead of seeing an unhelpful nil pointer message they will see the new message. |
What does this PR do?
in k8s authenticator, raise RoleNotFound Exception if host does not exist
What ticket does this PR close?
Checklists
Change log
Test coverage
Documentation
READMEs) were updated in this PR, and/or there is a follow-on issue to update docs, or