Reject IdZ deletion if an IdP with alias exists in the zone #2850
Conversation
|
We have created an issue in Pivotal Tracker to manage this: https://www.pivotaltracker.com/story/show/187492139 The labels on this github issue will be updated when the story is started. |
|
Sonar issues should be solved @adrianhoelzl-sap |
|
This appears to be a pretty major feature change. It looks like we are trying to merge this to develop, which would imply that it's going to be shipped in a new minor release in a few weeks. It seems to me like this should be in a major release. I am uncertain of the ramifications of this change. The code was clearly set to do the opposite of what you are trying to do. |
|
I had not checked the logic before only code style and sonar issues, but now I see the impact because @bruce-ricard comments. So I do not see a need for this PR. If you have the power to delete a zone , then we should not prevent it because some values in the zone are not as expected. I do not understand the relation to mentioned issue #2505 . |
server/src/test/java/org/cloudfoundry/identity/uaa/zone/IdentityZoneEndpointsTests.java
Show resolved
Hide resolved
Tallicia
added
in progress
clarification needed
server/src/main/java/org/cloudfoundry/identity/uaa/zone/IdentityZoneEndpoints.java
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
I know #2505 but during the review process we defined that this new feature should come with extra options, but for all others UAA should not change.
We have an option for this, e.g. aliasEntitiesEnabled and therefore with this aliasEntitiesEnabled = false there should not be any differences to UAAs before
|
|
||
| /* reject deletion if an IdP with alias exists in the zone - checking for users with alias is not required | ||
| * here, since they can only exist if their origin IdP has an alias as well */ | ||
| final List<IdentityProvider> idps = idpDao.retrieveAll(false, zone.getId()); |
There was a problem hiding this comment.
Checked again and I think we should add here check for aliasEntitiesEnabled = true then you can do this extra check and return 422.
Btw. I search a while for aliasEntitiesEnabled in https://github.com/cloudfoundry/uaa-release , e.g. https://github.com/cloudfoundry/uaa-release/blob/develop/spec/input/all-properties-set.yml for this parameter and its documentation, but did not found it.
So we should add it to https://github.com/cloudfoundry/uaa-release/blob/develop/spec/input/all-properties-set.yml and with this parameter we can do some flows in UAA different ,
But for all CF usages without alias entry in IdP or User this SELECT is done
There was a problem hiding this comment.
We must also perform this check when aliasEntitiesEnabled is false, since it is possible to enable it, create some entities with alias and then disable it again. At this point, there would still be entities with alias left in the DB which should block the deletion of the zone.
| @@ -871,6 +871,7 @@ _Error Codes_ | |||
| | 401 | Unauthorized - Invalid token | | |||
| | 403 | Forbidden - Insufficient scope (zone admins can only delete their own zone) | | |||
| | 404 | Not Found - Zone does not exist | | |||
| | 422 | Unprocessable Entity - at least one IdP with alias exists in the zone | | |||
There was a problem hiding this comment.
Unprocessable Entity (e.g., deleting IdP with alias while aliasEntitiesEnabled is true)
Found similar fragments in https://docs.cloudfoundry.org/api/uaa/version/77.8.0/index.html#delete
There was a problem hiding this comment.
see my comment above - here, the flag is not relevant
| @@ -40,7 +40,7 @@ public class JdbcIdentityProviderProvisioning implements IdentityProviderProvisi | |||
|
|
|||
| public static final String DELETE_IDENTITY_PROVIDER_BY_ORIGIN_SQL = "delete from identity_provider where identity_zone_id=? and origin_key = ?"; | |||
|
|
|||
| public static final String DELETE_IDENTITY_PROVIDER_BY_ZONE_SQL = "delete from identity_provider where identity_zone_id=? or alias_zid=?"; | |||
| public static final String DELETE_IDENTITY_PROVIDER_BY_ZONE_SQL = "delete from identity_provider where identity_zone_id=?"; | |||
There was a problem hiding this comment.
see now that this is a fix but the issue was
https://github.com/cloudfoundry/uaa/pull/2637/files#diff-8e7d64a1881ae78ed33d745ed1fd3a922312b89e740a3e1c75d1284b6a041b31R43
There was a problem hiding this comment.
Was this concern from @strehle ever addressed?
There was a problem hiding this comment.
We revert the SQL back to the state it was in before the alias feature for identity providers was integrated. This means that during the deletion of a zone, we no longer delete all identity providers in other zones that have an alias to the deleted zone.
Instead, we reject the deletion of the zone if identity providers with an alias exist in the zone to be deleted and thereby force the administrator to delete these IdPs beforehand (which will then also delete the users associated to the original and alias IdPs).
| @@ -40,7 +40,7 @@ public class JdbcIdentityProviderProvisioning implements IdentityProviderProvisi | |||
|
|
|||
| public static final String DELETE_IDENTITY_PROVIDER_BY_ORIGIN_SQL = "delete from identity_provider where identity_zone_id=? and origin_key = ?"; | |||
|
|
|||
| public static final String DELETE_IDENTITY_PROVIDER_BY_ZONE_SQL = "delete from identity_provider where identity_zone_id=? or alias_zid=?"; | |||
| public static final String DELETE_IDENTITY_PROVIDER_BY_ZONE_SQL = "delete from identity_provider where identity_zone_id=?"; | |||
There was a problem hiding this comment.
Was this concern from @strehle ever addressed?
| } | ||
| return numberOfIdpsWithAlias > 0; | ||
| } | ||
|
|
There was a problem hiding this comment.
Why do you do count query instead of exists query here?
There was a problem hiding this comment.
I tried to use exists in two different ways:
VALUES (EXISTS (SELECT ...))(see e19a904#diff-8e7d64a1881ae78ed33d745ed1fd3a922312b89e740a3e1c75d1284b6a041b31R39) → supported by PostgreSQL and HSQL, but not MySQLSELECT EXISTS (SELECT ...)→ supported by PostgreSQL and MySQL, but not HSQL
Therefore, I decided to use the count function.
There was a problem hiding this comment.
Should I add a database migration that creates an index for the alias_zid column?
There was a problem hiding this comment.
I tried to use
existsin two different ways:
...
Therefore, I decided to use thecountfunction.
I see. HSQL is the hindrance here. In that case, how about using limit clause as follows?
select 1 from identity_provider idp where idp.identity_zone_id = ? and idp.alias_zid is not null and idp.alias_zid <> '' limit 1
That would return 1 if the record exists or null otherwise. It should be better than select count(*).
Then you can change your Java code to return as follows (no need for additional check for null):
return 1 == idpWithAliasExists;
hsinn0
dismissed
Tallicia’s stale review
Taking over this PR review as Alicia is out of office
hsinn0
removed
in progress
clarification needed
see issue #2505
Reject deletion if an IdP with alias exists in the zone to be deleted. With this restriction, we want to avoid that callers of the endpoint accidentally remove IdPs (and thereby the associated users) from the alias zone. Now the callers must actively delete the IdPs with alias beforehand (which will also remove all associated users, their alias users and the alias IdP in the "uaa" zone).