Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OCPBUGS-22332: route: Improve errors for missing custom-host permissions #1677

Merged
merged 1 commit into from
May 28, 2024
Merged

OCPBUGS-22332: route: Improve errors for missing custom-host permissions #1677

merged 1 commit into from
May 28, 2024

Conversation

Miciah
Copy link
Contributor

@Miciah Miciah commented Feb 15, 2024

Return "you do not have permission" error messages instead of "field is immutable" error messages when the user tries to update a route's spec.host, spec.subdomain, or spec.tls field without the required "custom-host" permission.

Note that this change does not affect the HTTP status code for these errors, which will continue to be HTTP 422, "Unprocessable Entity", as both the openshift-apiserver admission and the kube-apiserver admission wrap errors from the route validation's ValidateHostUpdate function using "k8s.io/apimachinery/pkg/api/errors".NewInvalid.

  • pkg/route/hostassignment/assignment.go (routeHostPermissionErrMsg, routeSubdomainPermissionErrMsg, routeTLSPermissionErrMsg): New consts.
    (AllocateHost): Use routeHostPermissionErrMsg and routeTLSPermissionErrMsg instead of string literals.
    (validateImmutableField): New helper function, based on ValidateImmutableField from apimachinery but using a custom error message.
    (ValidateHostUpdate): Use the new consts and helper function instead of ValidateImmutableField from apimachinery.

@openshift-ci-robot openshift-ci-robot added jira/severity-low Referenced Jira bug's severity is low for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Feb 15, 2024
@openshift-ci-robot
Copy link

@Miciah: This pull request references Jira Issue OCPBUGS-22332, which is invalid:

  • expected the bug to target the "4.16.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

Return "you do not have permission" error messages instead of "field is immutable" error messages when the user tries to update a route's spec.host, spec.subdomain, or spec.tls field without the required "custom-host" permission.

Note that this change does not affect the HTTP status code for these errors, which will continue to be HTTP 422, "Unprocessable Entity", as both the openshift-apiserver admission and the kube-apiserver admission wrap errors from the route validation's ValidateHostUpdate function using "k8s.io/apimachinery/pkg/api/errors".NewInvalid.

  • pkg/route/hostassignment/assignment.go (routeHostPermissionErrMsg, routeSubdomainPermissionErrMsg, routeTLSPermissionErrMsg): New consts.
    (AllocateHost): Use routeHostPermissionErrMsg and routeTLSPermissionErrMsg instead of string literals.
    (validateImmutableField): New helper function, based on ValidateImmutableField from apimachinery but using a custom error message.
    (ValidateHostUpdate): Use the new consts and helper function instead of ValidateImmutableField from apimachinery.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot requested review from frobware and knobunc February 15, 2024 04:49
@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 15, 2024
@Miciah
route: Improve errors for missing custom-host perm
46855ec 
Return "you do not have permission" error messages instead of "field is
immutable" error messages when the user tries to update a route's
spec.host, spec.subdomain, or spec.tls field without the required
"custom-host" permission.

Note that this change does not affect the HTTP status code for these
errors, which will continue to be HTTP 422, "Unprocessable Entity", as both
the openshift-apiserver admission[1] and the kube-apiserver admission[2]
wrap errors from the route validation's ValidateHostUpdate function using
"k8s.io/apimachinery/pkg/api/errors".NewInvalid[3].

1. https://github.com/openshift/openshift-apiserver/blob/c5ba848e78463f9c73e1d2daec9e565daa4a6f4a/vendor/k8s.io/apiserver/pkg/registry/rest/update.go#L154-L156
2. https://github.com/openshift/kubernetes/blob/5a4819c6048e42515c3c5538b723ba6272440eee/openshift-kube-apiserver/admission/route/hostassignment/admission.go#L135-L137
3. https://github.com/openshift/kubernetes/blob/5a4819c6048e42515c3c5538b723ba6272440eee/staging/src/k8s.io/apimachinery/pkg/api/errors/errors.go#L281-L310

This commit is related to OCPBUGS-22332.

https://issues.redhat.com/browse/OCPBUGS-22332

* pkg/route/hostassignment/assignment.go (routeHostPermissionErrMsg)
(routeSubdomainPermissionErrMsg, routeTLSPermissionErrMsg): New consts.
(AllocateHost): Use routeHostPermissionErrMsg and routeTLSPermissionErrMsg
instead of string literals.
(validateImmutableField): New helper function, based on
ValidateImmutableField from apimachinery but using a custom error message.
(ValidateHostUpdate): Use the new consts and helper function instead of
ValidateImmutableField from apimachinery.
@Miciah Miciah force-pushed the OCPBUGS-22332-route-improve-errors-for-missing-custom-host-permission branch from 0c62e25 to 46855ec Compare April 23, 2024 20:23
@Miciah
Copy link
Contributor Author

Miciah commented Apr 23, 2024
edited
Loading

https://github.com/openshift/library-go/compare/0c62e2597c52a1093f3a42a4e729f11dd453a304..46855ec7e21d0f7014518272b1f165e6c2ae04ed rebases for changes in #1625.

@candita
Copy link
Contributor

candita commented Apr 24, 2024

/assign @gcs278
/assign @alebedev87

@Miciah
Copy link
Contributor Author

Miciah commented May 20, 2024

/jira refresh

@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels May 20, 2024
@openshift-ci-robot
Copy link

@Miciah: This pull request references Jira Issue OCPBUGS-22332, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.17.0) matches configured target version for branch (4.17.0)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@gcs278
Copy link

gcs278 commented May 23, 2024

Reviewed. Usually I like to test out PRs that I review, but since this also needs vendoring elsewhere, I'll just provide LGTM based on my assessment that the code updates are only impacting error messages, which feels low-risk to me.
/lgtm

/hold
@alebedev87 did you want a quick review? Let's give 1 more week, but if you don't have time, let's send this through as it's low risk.

@openshift-ci openshift-ci bot added do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. lgtm Indicates that a PR is ready to be merged. labels May 23, 2024
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented May 23, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: gcs278, Miciah

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@alebedev87
Copy link
Contributor

LGTM
/unhold

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label May 28, 2024
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented May 28, 2024

@Miciah: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@openshift-merge-bot openshift-merge-bot bot merged commit 354b673 into openshift:master May 28, 2024
4 checks passed
@openshift-ci-robot
Copy link

@Miciah: Jira Issue OCPBUGS-22332: All pull requests linked via external trackers have merged:

Jira Issue OCPBUGS-22332 has been moved to the MODIFIED state.

In response to this:

Return "you do not have permission" error messages instead of "field is immutable" error messages when the user tries to update a route's spec.host, spec.subdomain, or spec.tls field without the required "custom-host" permission.

Note that this change does not affect the HTTP status code for these errors, which will continue to be HTTP 422, "Unprocessable Entity", as both the openshift-apiserver admission and the kube-apiserver admission wrap errors from the route validation's ValidateHostUpdate function using "k8s.io/apimachinery/pkg/api/errors".NewInvalid.

  • pkg/route/hostassignment/assignment.go (routeHostPermissionErrMsg, routeSubdomainPermissionErrMsg, routeTLSPermissionErrMsg): New consts.
    (AllocateHost): Use routeHostPermissionErrMsg and routeTLSPermissionErrMsg instead of string literals.
    (validateImmutableField): New helper function, based on ValidateImmutableField from apimachinery but using a custom error message.
    (ValidateHostUpdate): Use the new consts and helper function instead of ValidateImmutableField from apimachinery.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@Miciah Miciah mentioned this pull request Sep 26, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@frobware frobware Awaiting requested review from frobware

@knobunc knobunc Awaiting requested review from knobunc

Assignees

@gcs278 gcs278

@alebedev87 alebedev87

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/severity-low Referenced Jira bug's severity is low for the branch this PR is targeting. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@Miciah @openshift-ci-robot @candita @gcs278 @alebedev87