Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Return InvalidArgument for invalid input entries #5506

Merged
merged 2 commits into from
Oct 17, 2024

Conversation

sorindumitru
Copy link
Contributor

  • Commit conforms to CONTRIBUTING.md?
  • Proper tests/regressions included?
  • Documentation updated?

Affected functionality
Returned error codes for BatchCreateEntry/BatchUpdateEntry

Description of change
Return better error codes in case of invalid entries so users can differentiate between entries that can be retried and those that can't

Which issue this PR fixes
fixes #5444

@@ -658,6 +755,13 @@ func (s *Service) updateEntry(ctx context.Context, e *types.Entry, inputMask *ty
Hint: inputMask.Hint,
}
}

if err := validateRegistrationEntryForUpdate(convEntry, mask); err != nil {
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

An alternative to this would be to add all the validations here in

func ProtoToRegistrationEntryWithMask(ctx context.Context, td spiffeid.TrustDomain, e *types.Entry, mask *types.EntryMask) (_ *common.RegistrationEntry, err error) {
but I wasn't sure that's where the maintainers would want to add these checks.

That function already does some validations, but mostly as a necessity of handling errors. It would also simplify things a bit. Let me know if that's better and I can change this.

@sorindumitru sorindumitru force-pushed the entry-errors branch 3 times, most recently from a88df74 to 4a907bb Compare September 20, 2024 08:52
@amartinezfayo amartinezfayo self-assigned this Sep 24, 2024
Copy link
Member

@amartinezfayo amartinezfayo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you @sorindumitru for this contribution and for the patience in the review.
As discussed in yesterday's sync, I think that having the validations in the datastore layer is probably better, so we make sure that any place in our codebase (as is today, or in the future) is covered by the validation before the data is stored. There shouldn't be a problem to return the proper grpc status code from the datastore layer (we already do that where is applicable).

fixes spiffe#5444

Signed-off-by: Sorin Dumitru <sdumitru@bloomberg.net>
@@ -473,12 +474,11 @@ func (ds *Plugin) CreateOrReturnRegistrationEntry(ctx context.Context,
func (ds *Plugin) createOrReturnRegistrationEntry(ctx context.Context,
entry *common.RegistrationEntry,
) (registrationEntry *common.RegistrationEntry, existing bool, err error) {
// TODO: Validations should be done in the ProtoBuf level [https://github.com/spiffe/spire/issues/44]
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think we'll ever do this, so better to remove the TODO.

Comment on lines +478 to +480
if err = validateRegistrationEntry(entry); err != nil {
return err
}
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've moved this here because errors withing a withTx block get wrapped into a grpc.Status (I don't know exactly why, maybe it's due to the plugin's history as an actual plugin). Having it in here makes it the handling for create and update be the same. Otherwise one would be wrapped in a grpc Status and one wouldn't so we'd need to handle them differently. I hope this doesn't change observed behaviour by clients too much.

Copy link
Member

@amartinezfayo amartinezfayo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you @sorindumitru!

@azdagron azdagron added this to the 1.11.0 milestone Oct 17, 2024
@amartinezfayo amartinezfayo merged commit d7d1ccd into spiffe:main Oct 17, 2024
34 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

spire-server: Better status codes from BatchCreateEntry API
3 participants