Feature #23210
closed
Stricter validation of credential_class and scopes on credentials
Description
There are two things we could do with external credentials to make them more useful that are in tension:
- Add validations to help users understand if they've made a mistake entering credentials supported by other Arvados components (e.g., S3 access keys).
- Allow users to experiment with storing their own credentials in the system.
We're going to resolve this similarly to the way we handle properties: we are going to reserve the arv: namespace of credential classes which are strictly validated, then allow anything goes with other credential classes.
On create and update, credentials should follow this validation flowchart:
- If
credential_classequalsarv:aws_access_key, validate thatscopescontains one or more strings that all match the case-insensitive regexp^s3://(\*|[a-z0-9][-.a-z0-9]{1,61}[a-z0-9])$(see S3 bucket naming rules use the special bucket name*to mean "all buckets") - Otherwise, if
credential_classstarts witharv:, fail validation with a message like"credential_class #{name} is not implemented" - Otherwise, if
credential_classequalsaws_access_key, fail validation with a message like"credential_class #{name} conflicts with reserved credential class arv:#{name}" - Otherwise,
credential_classis not reserved, and we only validate thatscopeshas the correct type, an array of strings.
Today we only have a single reserved credential class, but we may add other arv: credential classes in the future. If practical, write code that can handle an arbitrary set of reserved class names, where today that set has a single element.
Update the credential API reference to explain that arv: credential classes are reserved, that the name of the AWS access key class is arv:aws_access_key, and to explain the stricter validation on scopes for those credentials, and the meaning of the special scope s3://*.
Everywhere the old credential_class literal aws_access_key appears, update it to the new arv:aws_access_key:
- source:doc/api/methods/credentials.html.textile.liquid
- source:doc/user/topics/external-inputs.html.textile.liquid
- source:sdk/cwl/arvados_cwl/arvcontainer.py
- source:sdk/cwl/arvados_cwl/pathmapper.py
- source:sdk/cwl/tests/test_submit.py
- source:services/workbench2/cypress/e2e/external-credentials.cy.js
- source:services/workbench2/src/views-components/form-fields/external-credential-form-fields.tsx
Updated by Brett Smith 5 months ago
- Related to Bug #23211: Refine a-c-r search logic for "all buckets" credential added
Updated by Lisa Knox 5 months ago
- Related to Bug #23230: Workbench should validate scopes when creating/updating an external credential added
Updated by Lisa Knox 5 months ago
23210-stricter-scope-validation @ 55d21a856d5a43df2f5564757db55b9754139da2
- ✅ All agreed upon points are implemented / addressed.
- Credentials are validated on create and update according to the given flowchart.
- There is a { credential_class: [regexp] } hash in the credential model that can be updated when we add support for more credential classes. Something like this can be moved to the discovery document (or somewhere else widely accessible) so that workbench and other components can use it in the future if we want.
- ✅ Anything not implemented (discovered or discussed during work) has a follow-up story.
- ✅ Code is tested and passing, both automated and manual, what manual testing was done is described
- ✅ The tested code incorporates recent main branch changes.
- n/a New or changed UX/UX and has gotten feedback from stakeholders.
- ✅ Documentation has been updated.
- ✅ Behaves appropriately at the intended scale (describe intended scale).
- ✅ Considered backwards and forwards compatibility issues between client and server.
- ✅ Follows our coding standards and GUI style guidelines.
Updated by Brett Smith 5 months ago
Lisa Knox wrote in #note-8:
23210-stricter-scope-validation @ 55d21a856d5a43df2f5564757db55b9754139da2
Implementation-wise this is all good. These comments are all about maintainability and style.
The validation error message seem to be inconsistent describing the subject. Some use "Credential class" while others use "Credential_class". Scopes errors start with the repetitive "Scopes Scopes". Does Rails automatically add the field name to the start of the error message? If so, our provided message should not repeat it. If not, then we should discuss and agree how we want to stylize field names, and use that consistently. I am wondering if Tom established a style when he did the big validation branch.
The new tests cover a great set of cases. It would be nicer if the list of cases was at the top level, and then test was called inside that each loop. The advantage of doing it this way is all the test cases will run regardless of how many of them fail, and the information you get about which succeeded vs. which failed can help you hone in on the bug in any future development. For illustration, consider something like this:
test_credential = {
description: "the credential for test",
external_id: "my_username",
secret: "my_password",
expires_at: Time.now + 2.weeks,
credential_class: "arv:aws_access_key",
scopes: nil,
}
[
{
body: {
name: "with valid scopes",
scopes: ["s3://my-bucket", "s3://*"],
},
error_msg: nil
},
{
body: {
name: "with no scopes",
},
error_msg: /Scopes Scopes cannot be blank for credential class arv:aws_access_key/
},
# … more test cases…
].each do |tc|
test "validation for credential #{tc[:body][:name]}" do
post "/arvados/v1/credentials",
params: {:format => :json,
credential: test_credential.merge(tc[:body]),
},
headers: auth(:active),
as: :json
if tc[:error_msg].nil?
assert_response :success
else
assert_response 422
assert_match(tc[:error_msg], json_response["errors"][0])
end
end
end
Note that body can still override the fields in test_credential as needed, so you can test other credential_class values, etc.
validate_credential_class_and_scopes has inconsistent indentation, and validate_scopes_for_implemented_credential_class has a blank line with extra whitespace. Please fix both.
Thanks.
Updated by Lisa Knox 5 months ago
23210-stricter-scope-validation @ 1b994233a8df046411b9cb246d9a38de9933b05b
So Rails does add the field name to the start of the error message in certain cases, and in some cases it will detect if the error message starts with the field name and, if not, prepend it. I am not 100% clear on how to either enforce or disallow this behavior, but as doing either would affect all of our other tests, it's probably not worth pursuing. The rule that we appear to be following every where else is to not put the field name in the error message, so I've removed it in the tests I wrote. The "Credential class" string misalignment is therefore moot.
The new tests cover a great set of cases. It would be nicer if the list of cases was at the top level...
Tom actually mentioned this in his feedback for #23181 but it completely slipped my mind. I've made the adjustment as suggested.
validate_credential_class_and_scopes has inconsistent indentation, and validate_scopes_for_implemented_credential_class has a blank line
Fixed
Updated by Brett Smith 5 months ago
Lisa Knox wrote in #note-10:
23210-stricter-scope-validation @ 1b994233a8df046411b9cb246d9a38de9933b05b
LGTM, thank you.
Updated by Lisa Knox 5 months ago
- Status changed from In Progress to Resolved
Applied in changeset arvados|417c2b46095f2ed3e9ceea906630915d5e014124.