[TT-12897] Merge path based permissions when combining policies #6597
base: master
Conversation
PR Reviewer Guide 🔍
Here are some key observations to aid the review process:

API Changes

--- prev.txt 2024-10-01 15:03:36.900478815 +0000
+++ current.txt 2024-10-01 15:03:31.237459834 +0000
@@ -12736,6 +12736,12 @@
Clone returns a fresh copy of s
func (s *SessionState) CustomPolicies() (map[string]Policy, error)
+ CustomPolicies returns a map of custom policies on the session. To preserve
+ policy order, use GetCustomPolicies instead.
+
+func (s *SessionState) GetCustomPolicies() ([]Policy, error)
+ GetCustomPolicies is like CustomPolicies but returns the list, preserving
+ order.
func (s *SessionState) GetQuotaLimitByAPIID(apiID string) (int64, int64, int64, int64)
GetQuotaLimitByAPIID return quota max, quota remaining, quota renewal rate
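Review bot: the new doc comment on CustomPolicies should say how it relates to GetCustomPolicies now that both exist, since the walkthrough on this page states CustomPolicies was updated to use GetCustomPolicies; a reader of the godoc cannot tell whether the map is built from the ordered list or decoded separately, nor which error conditions each returns. If ordered access is the intended path, a `// Deprecated: use GetCustomPolicies.` paragraph on CustomPolicies would make that explicit; the Get prefix on the new method is unusual for Go but unavoidable here because the unprefixed name is already taken by the map-returning variant.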
@@ -12775,6 +12781,7 @@
Reset marks the session as not modified, skipping related updates.
func (s *SessionState) SetCustomPolicies(list []Policy)
+ SetCustomPolicies sets custom policies into session metadata.
func (s *SessionState) SetKeyHash(hash string)
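Review bot: the added comment on SetCustomPolicies only says the policies go into session metadata; state that the call replaces any previously stored custom policies and that the slice order is the order GetCustomPolicies later returns, since the ordering guarantee is the point of this PR and is not visible from the signature. Mentioning that the value is stored as a list under the metadata key (the description says a `[]any` inside `map[string]any` MetaData) would also tell callers why order is now preserved where the map-based accessor lost it.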
```diff
-// do not implement concurrency protections here.
+// Store is an in-memory policy storage object that implements the
+// repository for policy access. We do not implement concurrency
+// protections here. Where order is important, use this.
 type Store struct {
```
Why is this changed?
Custom policies don't preserve order (map policyID => policy) and would fail tests due to the order changes. `PolicyIDs()` doesn't always return IDs in the same order, meaning Methods can be returned out of order, failing the assertion(s) and requiring a deeper assertion to account for the typical Go range-over-map behaviour.
`Store{}` preserves order.
`StoreMap{}` doesn't.
```diff
-customPolicies, err := session.CustomPolicies()    // used to be a map
+customPolicies, err := session.GetCustomPolicies() // provides a list of policies now
 if err != nil {
 	policyIDs = session.PolicyIDs()
 } else {
 	storage = NewStore(customPolicies)
 	policyIDs = storage.PolicyIDs() // maintains policy list order
 }
```
This change ensures a deterministic order for applying policies; in turn, the merged access rights Methods are sorted in the order the policies are applied in, simplifying the assertion in tests.
No other uses in gw. If the implementing ticket wasn't so bad with detail, I could easily consider the custom policies functions internal scope. The underlying storage is a `[]any` inside a `map[string]any` MetaData.
Considered but rejected a deeper assertion in tests for methods (ElementsEqual...). Not preserving custom policy order was a code smell; the added `GetCustomPolicies` works around the restriction.
Sidenote:
- This could have been a `CustomPolicies []Policy` on SessionState; not sure why it needs the API around a `map[string]any`.
- I'm not sure why custom policies were stuck into metadata other than to piggyback on an accessible key/value store field. No public API changes ensure whatever is coupled to it continues to work.
User description

TT-12897

PR uses custom policies to combine several policies with access rights set. Since a `map` was in the path, the user API for custom policies needed an extension to preserve policy ID order. The existing function returning a map didn't handle JSON decode errors properly, and Go semantics when looping over maps don't preserve this order (it's random), so tests would fail. Verified with `task stress`.

Issue: https://tyktech.atlassian.net/browse/TT-12897
PR Type
Bug fix, Enhancement, Tests
Description

- Introduced `MergeAllowedURLs` to merge allowed URLs efficiently.
- Refactored `Store` to use a slice for policies, and introduced `StoreMap` for unordered policy storage.
- Added `GetCustomPolicies` to preserve policy order.
- Added tests for `MergeAllowedURLs`.
- Added a `stress` task for running stress tests.

Changes walkthrough 📝
**apply.go**: Enhance policy application logic and logging (`internal/policy/apply.go`)
- Used the `MergeAllowedURLs` function to merge allowed URLs.
- Added a `Logger` function to return a `logrus.Entry`.
- Switched from `session.CustomPolicies()` to `session.GetCustomPolicies()`.

**store.go**: Refactor Store to use slice for policies (`internal/policy/store.go`)
- Refactored `Store` to use a slice for policies.

**store_map.go**: Add StoreMap for unordered policy storage (`internal/policy/store_map.go`)
- Added `StoreMap` for unordered policy storage.

**util.go**: Introduce MergeAllowedURLs and remove unused functions (`internal/policy/util.go`)
- Introduced the `MergeAllowedURLs` function for merging URL access specs.
- Removed the unused `copyAllowedURLs` and `contains` functions.

**custom_policies.go**: Enhance custom policies handling with order preservation (`user/custom_policies.go`)
- Added `GetCustomPolicies` to preserve policy order.
- Updated `CustomPolicies` to use `GetCustomPolicies`.

**apply_test.go**: Update tests for policy application (`internal/policy/apply_test.go`)
- Used `policy.Service` in tests.
- Ensured the `Apply` method is tested with `assert.NoError`.

**util_test.go**: Add tests for MergeAllowedURLs function (`internal/policy/util_test.go`)
- Added tests for the `MergeAllowedURLs` function.

**Taskfile.yml**: Update Taskfile with stress test task (`internal/policy/Taskfile.yml`)
- Added a `stress` task for running stress tests.
- Updated the `default` task to include `test`.