ROX-33014: store generated internal user role in issued token#19157
ROX-33014: store generated internal user role in issued token#19157rhybrillou wants to merge 9 commits intomaster-yann/ROX-33014/base_test_coveragefrom
Conversation
|
Skipping CI for Draft Pull Request. |
|
Images are ready for the commit at 5a57d7f. To use with deploy scripts, first |
127c969 to
84762a7
Compare
There was a problem hiding this comment.
Hey - I've found 2 issues
Prompt for AI Agents
Please address the comments from this code review:
## Individual Comments
### Comment 1
<location path="pkg/auth/tokens/internal_role.go" line_range="23-27" />
<code_context>
ClusterScopes []*ClusterScope `json:"cluster_scopes"`
}
func (r *InternalRole) GetRoleName() string {
- return internalRoleName
+ if r == nil {
+ return ""
+ }
+ return r.RoleName
}
</code_context>
<issue_to_address>
**issue (bug_risk):** Consider defaulting to a non-empty role name for older tokens where RoleName may be unset
Previously this always returned `internalRoleName`, but now older tokens (which won’t have `RoleName` set) will deserialize with `RoleName == ""`, causing identities from those tokens to get an empty role name. That’s a behavior change that may break code or logging expecting the legacy name. Consider mapping an empty `RoleName` to the legacy default (e.g., `internalRoleName`), while still respecting non-empty values on newer tokens.
</issue_to_address>
### Comment 2
<location path="central/auth/internaltokens/service/service_impl_test.go" line_range="164" />
<code_context>
svc := createService(mockIssuer, mockClusterStore, mockRoleStore)
setClusterStoreExpectations(input, mockClusterStore)
- setNormalRoleStoreExpectations(deploymentPS, singleNSScope, expectedRole, nil, mockRoleStore)
expectedClaims := tokens.RoxClaims{
- RoleNames: []string{expectedRole.GetName()},
+ RoleNames: []string{internalRoleName},
</code_context>
<issue_to_address>
**suggestion (testing):** Extend GenerateTokenForPermissionsAndScope tests to cover additional InternalRole shapes
The new assertions cover the main case well. To strengthen coverage, please also add:
- A request with no permissions and/or no cluster scopes, confirming the token’s `InternalRole` has empty `Permissions` / `ClusterScopes` and is still accepted by the issuer.
- A request with multiple permissions and mixed full-cluster and namespace-limited scopes across multiple clusters, confirming all are correctly represented in `InternalRole.ClusterScopes` and `Permissions`.
These would replace some of the removed role/access-scope tests and validate behavior for more complex inputs.
</issue_to_address>Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
| func (r *InternalRole) GetRoleName() string { | ||
| return internalRoleName | ||
| if r == nil { | ||
| return "" | ||
| } | ||
| return r.RoleName |
There was a problem hiding this comment.
issue (bug_risk): Consider defaulting to a non-empty role name for older tokens where RoleName may be unset
Previously this always returned internalRoleName, but now older tokens (which won’t have RoleName set) will deserialize with RoleName == "", causing identities from those tokens to get an empty role name. That’s a behavior change that may break code or logging expecting the legacy name. Consider mapping an empty RoleName to the legacy default (e.g., internalRoleName), while still respecting non-empty values on newer tokens.
| svc := createService(mockIssuer, mockClusterStore, mockRoleStore) | ||
| setClusterStoreExpectations(input, mockClusterStore) | ||
| setNormalRoleStoreExpectations(deploymentPS, singleNSScope, expectedRole, nil, mockRoleStore) | ||
| expectedClaims := tokens.RoxClaims{ |
There was a problem hiding this comment.
suggestion (testing): Extend GenerateTokenForPermissionsAndScope tests to cover additional InternalRole shapes
The new assertions cover the main case well. To strengthen coverage, please also add:
- A request with no permissions and/or no cluster scopes, confirming the token’s
InternalRolehas emptyPermissions/ClusterScopesand is still accepted by the issuer. - A request with multiple permissions and mixed full-cluster and namespace-limited scopes across multiple clusters, confirming all are correctly represented in
InternalRole.ClusterScopesandPermissions.
These would replace some of the removed role/access-scope tests and validate behavior for more complex inputs.
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master-yann/ROX-33014/base_test_coverage #19157 +/- ##
============================================================================
- Coverage 49.49% 49.44% -0.05%
============================================================================
Files 2683 2680 -3
Lines 202076 201813 -263
============================================================================
- Hits 100013 99786 -227
+ Misses 94603 94573 -30
+ Partials 7460 7454 -6
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
Description
change me!
User-facing documentation
Testing and quality
Automated testing
How I validated my change
change me!