-
Notifications
You must be signed in to change notification settings - Fork 486
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Return InvalidArgument for invalid input entries #5506
Conversation
pkg/server/api/entry/v1/service.go
Outdated
@@ -658,6 +755,13 @@ func (s *Service) updateEntry(ctx context.Context, e *types.Entry, inputMask *ty | |||
Hint: inputMask.Hint, | |||
} | |||
} | |||
|
|||
if err := validateRegistrationEntryForUpdate(convEntry, mask); err != nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
An alternative to this would be to add all the validations here in
Line 92 in 3d158ce
func ProtoToRegistrationEntryWithMask(ctx context.Context, td spiffeid.TrustDomain, e *types.Entry, mask *types.EntryMask) (_ *common.RegistrationEntry, err error) { |
That function already does some validations, but mostly as a necessity of handling errors. It would also simplify things a bit. Let me know if that's better and I can change this.
a88df74
to
4a907bb
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you @sorindumitru for this contribution and for the patience in the review.
As discussed in yesterday's sync, I think that having the validations in the datastore layer is probably better, so we make sure that any place in our codebase (as is today, or in the future) is covered by the validation before the data is stored. There shouldn't be a problem to return the proper grpc status code from the datastore layer (we already do that where is applicable).
fixes spiffe#5444 Signed-off-by: Sorin Dumitru <sdumitru@bloomberg.net>
4a907bb
to
0cf97bb
Compare
@@ -473,12 +474,11 @@ func (ds *Plugin) CreateOrReturnRegistrationEntry(ctx context.Context, | |||
func (ds *Plugin) createOrReturnRegistrationEntry(ctx context.Context, | |||
entry *common.RegistrationEntry, | |||
) (registrationEntry *common.RegistrationEntry, existing bool, err error) { | |||
// TODO: Validations should be done in the ProtoBuf level [https://github.com/spiffe/spire/issues/44] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think we'll ever do this, so better to remove the TODO.
if err = validateRegistrationEntry(entry); err != nil { | ||
return err | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've moved this here because errors withing a withTx
block get wrapped into a grpc.Status
(I don't know exactly why, maybe it's due to the plugin's history as an actual plugin). Having it in here makes it the handling for create and update be the same. Otherwise one would be wrapped in a grpc Status and one wouldn't so we'd need to handle them differently. I hope this doesn't change observed behaviour by clients too much.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you @sorindumitru!
Affected functionality
Returned error codes for BatchCreateEntry/BatchUpdateEntry
Description of change
Return better error codes in case of invalid entries so users can differentiate between entries that can be retried and those that can't
Which issue this PR fixes
fixes #5444