Store ephemeral user group associations #1491
Conversation
slifty
force-pushed
the
1483-user-group-associations
branch
from
3e491f6 to
939d9e9
Compare
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #1491 +/- ##
==========================================
+ Coverage 86.89% 86.90% +0.01%
==========================================
Files 235 238 +3
Lines 2931 2964 +33
Branches 402 407 +5
==========================================
+ Hits 2547 2576 +29
+ Misses 384 355 -29
- Partials 0 33 +33 ☔ View full report in Codecov by Sentry. |
|
I'm adding a test to ensure that the rows are properly inserted by the middlware |
One of my comments was going to be adding some amount of tests so I will wait for your updates to give final review! |
There was a problem hiding this comment.
Overall, as awkward as it is, I still strongly support leaving users and groups up to PDC Keycloak while managing PDC service object permissions within the PDC service.
The ephemeral table approach is a good starting point. I wonder, though, if we are going from JSON to SQL rows back to JSON again unnecessarily, and if we can do something more JSONy with postgres in the future. For example, if we ephemerally store (or not store but use) the whole validated JWT (maybe sans header, sans signature), then we have a single thing to pass to postgres queries instead of multiple things. This idea only occurred to me while reviewing here and I haven't tried writing anything that would make use of such a JWT in postgres. So it may not slay the complexity dragon but merely move it into the queries that make use of the JWT. Again, for now I think the approach here is what we should use. If it is slow to run a query or two on every request, I think we could increase the resources of the app and its database before we try calling the auth server instead (which in turn probably queries its own database and has the overhead of an HTTP request).
In any case, there are some plain old errors or typos that need to be fixed before this can be merged. See inline.
src/database/operations/ephemeralUserGroupAssociations/createEphemeralUserGroupAssociation.ts
Outdated
Show resolved
Hide resolved
src/database/queries/ephemeralUserGroupAssociations/insertOne.sql
Outdated
Show resolved
Hide resolved
src/database/queries/ephemeralUserGroupAssociations/insertOne.sql
Outdated
Show resolved
Hide resolved
|
I am kind of surprised that so many tests pass since not a single authenticated endpoint works on the Swagger UI. I guess that means we don't integrate our mandatory middleware into those tests. That cannot be true because we have to use auth headers to do anything in the software. |
I'm betting it's because I didn't update our tests to actually include an ephemeral organization association (and as you pointed out most of the code is broken) WHOOPS! |
slifty
force-pushed
the
1483-user-group-associations
branch
3 times, most recently
from
918bb05 to
1be5b07
Compare
src/database/operations/users/__tests__/loadUserByKeycloakUserId.int.test.ts
Show resolved
Hide resolved
slifty
force-pushed
the
1483-user-group-associations
branch
from
9b73c3f to
80bcff2
Compare
We set up our sql linter to use tabs, which aligns with the rest of the project. This tweaks the editorconfig to reflect that decision.
Our user entity has a natural key and so our insert operation can be an "insert or update" operation instead. This allows us to leverage the operation directly in the user context middleware, in addition to better aligning with other entity patterns.
Users are associated with user groups via the "organizations" attribute of their authentication JWT. We're going to want our queries and authentication checks to account for those group associations, but we don't want to have to constantly pass an unpredictably long list of associations every time we make a query. This entity, and the middleware that populates it, allows a given API call to have those associations accounted for in a given HTTP request context. The table is labeled "ephemeral" to try to convey the fact that the data it contains should not be considered accurate outside of that context. The implementation of the middleware right now is intentionally simple and does not attempt to be efficient. For example, it does not attempt to re-use any past data in the table (e.g. associations that may have existed from a past transaction and wouldn't necessarily have to be re-created). We may find that having O(n) insert queries for every authenticated API call is too slow; if that ends up becoming a problem we may determine that our model for using KeyCloak as the group management and JWTs as the communication mechanism isn't correct. These associations are not actually used when making auth decisions yet. This commit is, however, a prerequisite for that feature. Issue #Create user-group associations "cache" middleware
Now that we have user group permissions and the ability to associate a user with a given group we can incorporate those permissions in a user's roles. Issue #1483 Create user-group associations "cache" middleware
slifty
force-pushed
the
1483-user-group-associations
branch
from
80bcff2 to
fe75765
Compare
This PR expands our auth middleware to store a user's group associations as part of the process of establishing the authentication context.
It does not actually use those associations when populating a user's roles (This will be in a future PR).
Resolves #1483