-
Notifications
You must be signed in to change notification settings - Fork 184
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
changes to onboarding token api to include role in body #2669
base: main
Are you sure you want to change the base?
Conversation
/cc @nb-ohad |
252d888
to
e768114
Compare
PR looks good to me. |
d7a8e4e
to
f9750a0
Compare
/retest-required |
f9750a0
to
a3b7ebd
Compare
} | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
services/types.go
Outdated
|
||
const ( | ||
ClientRole Role = "client" | ||
MirroringPeerRole Role = "mirroring-peer" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The rule is not related to mirroring.
As for the agreed architecture, there are 2 rules: ocs-client
and ocs-peer
,
Please align everything with the given terminology
services/types.go
Outdated
type OnboardingTicket struct { | ||
ID string `json:"id"` | ||
ExpirationDate int64 `json:"expirationDate,string"` | ||
StorageQuotaInGiB uint `json:"storageQuotaInGiB,omitempty"` | ||
// Role can be either client or mirroring-peer | ||
Role Role `json:"role,string"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The rule is not for the token, it is for the subject.
Role Role `json:"role,string"` | |
SubjectRole Role `json:"subjectRole,string"` |
services/types.go
Outdated
@@ -1,7 +1,16 @@ | |||
package services | |||
|
|||
type Role string |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is a very generic name and might create collision or confusion.
Please rename to something more meaningful and more specific.
type Role string | |
type OnboardingSubjectRole string |
if strings.ToLower(body.Role) == string(services.MirroringPeerRole) { | ||
role = services.MirroringPeerRole | ||
} else if strings.ToLower(body.Role) == string(services.ClientRole) || body.Role == "" { | ||
// to ensure backward compatibility, if the role is empty, we assume it to be client | ||
role = services.ClientRole | ||
if body.Value == 0 || body.Value > math.MaxInt { | ||
http.Error(w, fmt.Sprintf("invalid value sent in request body, value should be greater than 0 and less than %v: %v", math.MaxInt, body.Value), http.StatusBadRequest) | ||
return | ||
} | ||
unitAsGiB, ok := unitToGib[body.Unit] | ||
if !ok { | ||
http.Error(w, fmt.Sprintf("invalid Unit type sent in request body, Valid types are [Gi,Ti,Pi]: %v", body.Unit), http.StatusBadRequest) | ||
return | ||
} | ||
storageQuotaInGiB = ptr.To(unitAsGiB * body.Value) | ||
} else { | ||
http.Error(w, fmt.Sprintf("invalid Role sent in request body, Valid roles are [mirroring-peer,client]: %v", body.Role), http.StatusBadRequest) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should not do that. This will allow anyone to generate a peer onboarding token.
a3b7ebd
to
d9a8fbe
Compare
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: rewantsoni The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
d9a8fbe
to
61456e7
Compare
services/types.go
Outdated
type OnboardingTicket struct { | ||
ID string `json:"id"` | ||
ExpirationDate int64 `json:"expirationDate,string"` | ||
StorageQuotaInGiB uint `json:"storageQuotaInGiB,omitempty"` | ||
// OnboardingSubjectRole can be either ocs-client or ocs-peer |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If you are adding a comment please separate using a blank line
// OnboardingSubjectRole can be either ocs-client or ocs-peer | |
// OnboardingSubjectRole can be either ocs-client or ocs-peer |
SubjectRole string `json:"subjectRole"` | ||
Value uint `json:"value"` | ||
Unit string `json:"unit"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These does not belong on the same level
var body = struct { | ||
SubjectRole string `json:"subjectRole"` | ||
Value uint `json:"value"` | ||
Unit string `json:"unit"` | ||
}{} | ||
if err = json.NewDecoder(r.Body).Decode("a); err != nil { | ||
if err = json.NewDecoder(r.Body).Decode(&body); err != nil { | ||
http.Error(w, err.Error(), http.StatusBadRequest) | ||
return | ||
} | ||
|
||
if quota.Value == 0 || quota.Value > math.MaxInt { | ||
http.Error(w, fmt.Sprintf("invalid value sent in request body, value should be greater than 0 and less than %v: %v", math.MaxInt, quota.Value), http.StatusBadRequest) | ||
if strings.ToLower(body.SubjectRole) == string(services.PeerRole) { | ||
role = services.PeerRole | ||
} else if strings.ToLower(body.SubjectRole) == string(services.ClientRole) || body.SubjectRole == "" { | ||
// to ensure backward compatibility, if the role is empty, we assume it to be client | ||
role = services.ClientRole | ||
if body.Value == 0 || body.Value > math.MaxInt { | ||
http.Error(w, fmt.Sprintf("invalid value sent in request body, value should be greater than 0 and less than %v: %v", math.MaxInt, body.Value), http.StatusBadRequest) | ||
return | ||
} | ||
unitAsGiB, ok := unitToGib[body.Unit] | ||
if !ok { | ||
http.Error(w, fmt.Sprintf("invalid Unit type sent in request body, Valid types are [Gi,Ti,Pi]: %v", body.Unit), http.StatusBadRequest) | ||
return | ||
} | ||
storageQuotaInGiB = ptr.To(unitAsGiB * body.Value) | ||
} else { | ||
http.Error(w, fmt.Sprintf("invalid OnboardingSubjectRole sent in request body, Valid roles are [mirroring-peer,client]: %v", body.SubjectRole), http.StatusBadRequest) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The flow is structured incorrectly. The current structure allows sending peer role with quota fields and the quota fields are just ignored. This is the wrong behavior. I would expect a bad request response instead.
I would suggest using a switch case based on the role and delegate each of the 2 cases into separate functions. In addition, you could use the "default" case to return an error for an unsupported role
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
0b57dbe
to
1c07f07
Compare
/retest-required |
3852dd1
to
8942fc3
Compare
The PR does the following: 1. add role to the onboarding ticket 2. add a new endpoint for peer-onboarding-tokens Signed-off-by: Rewant Soni <resoni@redhat.com>
8942fc3
to
a73be38
Compare
Update the onboarding Ticket to include an OnboardingSubjectRole - ocs-client, ocs-peer
Add a new endpoint to generate the peer onboarding token.
Part of RHSTOR-4886