-
Notifications
You must be signed in to change notification settings - Fork 825
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Reject IdZ deletion if an IdP with alias exists in the zone #2850
base: develop
Are you sure you want to change the base?
Reject IdZ deletion if an IdP with alias exists in the zone #2850
Conversation
We have created an issue in Pivotal Tracker to manage this: https://www.pivotaltracker.com/story/show/187492139 The labels on this github issue will be updated when the story is started. |
Sonar issues should be solved @adrianhoelzl-sap |
This appears to be a pretty major feature change. It looks like we are trying to merge this to develop, which would imply that it's going to be shipped in a new minor release in a few weeks. It seems to me like this should be in a major release. I am uncertain of the ramifications of this change. The code was clearly set to do the opposite of what you are trying to do. |
I had not checked the logic before only code style and sonar issues, but now I see the impact because @bruce-ricard comments. So I do not see a need for this PR. If you have the power to delete a zone , then we should not prevent it because some values in the zone are not as expected. I do not understand the relation to mentioned issue #2505 . |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good
server/src/test/java/org/cloudfoundry/identity/uaa/zone/IdentityZoneEndpointsTests.java
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Un-approving this following review of the comments. The change appears to break existing behavior. I thought it was a fix, not a change.
server/src/main/java/org/cloudfoundry/identity/uaa/zone/IdentityZoneEndpoints.java
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I know #2505 but during the review process we defined that this new feature should come with extra options, but for all others UAA should not change.
We have an option for this, e.g. aliasEntitiesEnabled and therefore with this aliasEntitiesEnabled = false there should not be any differences to UAAs before
|
||
/* reject deletion if an IdP with alias exists in the zone - checking for users with alias is not required | ||
* here, since they can only exist if their origin IdP has an alias as well */ | ||
final List<IdentityProvider> idps = idpDao.retrieveAll(false, zone.getId()); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Checked again and I think we should add here check for aliasEntitiesEnabled = true then you can do this extra check and return 422.
Btw. I search a while for aliasEntitiesEnabled in https://github.com/cloudfoundry/uaa-release , e.g. https://github.com/cloudfoundry/uaa-release/blob/develop/spec/input/all-properties-set.yml for this parameter and its documentation, but did not found it.
So we should add it to https://github.com/cloudfoundry/uaa-release/blob/develop/spec/input/all-properties-set.yml and with this parameter we can do some flows in UAA different ,
But for all CF usages without alias entry in IdP or User this SELECT is done
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We must also perform this check when aliasEntitiesEnabled
is false
, since it is possible to enable it, create some entities with alias and then disable it again. At this point, there would still be entities with alias left in the DB which should block the deletion of the zone.
@@ -871,6 +871,7 @@ _Error Codes_ | |||
| 401 | Unauthorized - Invalid token | | |||
| 403 | Forbidden - Insufficient scope (zone admins can only delete their own zone) | | |||
| 404 | Not Found - Zone does not exist | | |||
| 422 | Unprocessable Entity - at least one IdP with alias exists in the zone | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Unprocessable Entity (e.g., deleting IdP with alias while aliasEntitiesEnabled is true)
Found similar fragments in https://docs.cloudfoundry.org/api/uaa/version/77.8.0/index.html#delete
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
see my comment above - here, the flag is not relevant
@@ -40,7 +40,7 @@ public class JdbcIdentityProviderProvisioning implements IdentityProviderProvisi | |||
|
|||
public static final String DELETE_IDENTITY_PROVIDER_BY_ORIGIN_SQL = "delete from identity_provider where identity_zone_id=? and origin_key = ?"; | |||
|
|||
public static final String DELETE_IDENTITY_PROVIDER_BY_ZONE_SQL = "delete from identity_provider where identity_zone_id=? or alias_zid=?"; | |||
public static final String DELETE_IDENTITY_PROVIDER_BY_ZONE_SQL = "delete from identity_provider where identity_zone_id=?"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
see now that this is a fix but the issue was
https://github.com/cloudfoundry/uaa/pull/2637/files#diff-8e7d64a1881ae78ed33d745ed1fd3a922312b89e740a3e1c75d1284b6a041b31R43
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Was this concern from @strehle ever addressed?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We revert the SQL back to the state it was in before the alias feature for identity providers was integrated. This means that during the deletion of a zone, we no longer delete all identity providers in other zones that have an alias to the deleted zone.
Instead, we reject the deletion of the zone if identity providers with an alias exist in the zone to be deleted and thereby force the administrator to delete these IdPs beforehand (which will then also delete the users associated to the original and alias IdPs).
@@ -40,7 +40,7 @@ public class JdbcIdentityProviderProvisioning implements IdentityProviderProvisi | |||
|
|||
public static final String DELETE_IDENTITY_PROVIDER_BY_ORIGIN_SQL = "delete from identity_provider where identity_zone_id=? and origin_key = ?"; | |||
|
|||
public static final String DELETE_IDENTITY_PROVIDER_BY_ZONE_SQL = "delete from identity_provider where identity_zone_id=? or alias_zid=?"; | |||
public static final String DELETE_IDENTITY_PROVIDER_BY_ZONE_SQL = "delete from identity_provider where identity_zone_id=?"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Was this concern from @strehle ever addressed?
} | ||
return numberOfIdpsWithAlias > 0; | ||
} | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why do you do count query instead of exists query here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I tried to use exists
in two different ways:
VALUES (EXISTS (SELECT ...))
(see e19a904#diff-8e7d64a1881ae78ed33d745ed1fd3a922312b89e740a3e1c75d1284b6a041b31R39) → supported by PostgreSQL and HSQL, but not MySQLSELECT EXISTS (SELECT ...)
→ supported by PostgreSQL and MySQL, but not HSQL
Therefore, I decided to use the count
function.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should I add a database migration that creates an index for the alias_zid
column?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I tried to use
exists
in two different ways:
...
Therefore, I decided to use thecount
function.
I see. HSQL is the hindrance here. In that case, how about using limit
clause as follows?
select 1 from identity_provider idp where idp.identity_zone_id = ? and idp.alias_zid is not null and idp.alias_zid <> '' limit 1
That would return 1 if the record exists or null otherwise. It should be better than select count(*)
.
Then you can change your Java code to return as follows (no need for additional check for null):
return 1 == idpWithAliasExists;
Taking over this PR review as Alicia is out of office
see issue #2505
Reject deletion if an IdP with alias exists in the zone to be deleted. With this restriction, we want to avoid that callers of the endpoint accidentally remove IdPs (and thereby the associated users) from the alias zone. Now the callers must actively delete the IdPs with alias beforehand (which will also remove all associated users, their alias users and the alias IdP in the "uaa" zone).