Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[public-api] Validate Workspace IDs #15423

Merged
merged 1 commit into from
Dec 20, 2022
Merged

[public-api] Validate Workspace IDs #15423

merged 1 commit into from
Dec 20, 2022

Conversation

easyCZ
Copy link
Member

@easyCZ easyCZ commented Dec 19, 2022

Description

Adds validation to Workspace IDs on the API level

Related Issue(s)

Fixes #

How to test

Unit tests

Release Notes

NONE

Documentation

Werft options:

  • /werft with-local-preview
    If enabled this will build install/preview
  • /werft with-preview
  • /werft with-large-vm
  • /werft with-integration-tests=all
    Valid options are all, workspace, webapp, ide, jetbrains, vscode, ssh

@easyCZ easyCZ requested review from a team December 19, 2022 14:54
@github-actions github-actions bot added team: webapp Issue belongs to the WebApp team team: workspace Issue belongs to the Workspace team labels Dec 19, 2022
easyCZ
easyCZ commented Dec 19, 2022
View reviewed changes
components/public-api-server/pkg/apiv1/workspace_test.go
},
},
}
t.Run("invalid argument when workspace ID is missing", func(t *testing.T) {
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changing the tests into individual sub-tests made it much easier to follow the test and debug.

easyCZ
easyCZ commented Dec 19, 2022
View reviewed changes
components/public-api-server/pkg/apiv1/workspace.go
Comment on lines +147 to 164
switch req.Msg.GetPort().GetPolicy() {
case v1.PortPolicy_PORT_POLICY_PRIVATE:
_, err = conn.OpenPort(ctx, workspaceID, &protocol.WorkspaceInstancePort{
Port: float64(req.Msg.Port.Port),
Visibility: protocol.PortVisibilityPrivate,
})
} else if req.Msg.Port.Policy == v1.PortPolicy_PORT_POLICY_PUBLIC {
_, err = conn.OpenPort(ctx, req.Msg.GetWorkspaceId(), &protocol.WorkspaceInstancePort{
case v1.PortPolicy_PORT_POLICY_PUBLIC:
_, err = conn.OpenPort(ctx, workspaceID, &protocol.WorkspaceInstancePort{
Port: float64(req.Msg.Port.Port),
Visibility: protocol.PortVisibilityPublic,
})
default:
return nil, connect.NewError(connect.CodeInvalidArgument, fmt.Errorf("Unknown port policy specified."))
}
if err != nil {
log.WithField("workspace_id", workspaceID).Error("Failed to update port")
return nil, proxy.ConvertError(err)
}
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Drive-by cleanup: this ensures that an unknown port policy fails on the API layer. Previously, it would skip both branches and return OK, without actually doing anything.

utam0k
utam0k reviewed Dec 19, 2022
View reviewed changes
components/common-go/namegen/workspaceid.go

func ValidateWorkspaceID(id string) error {
if !WorkspaceIDPattern.MatchString(id) {
return fmt.Errorf("id '%s' does not match workspace ID regex '%s': %w", id, WorkspaceIDPattern.String(), InvalidWorkspaceID)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

#10491 (comment)

Suggested change
return fmt.Errorf("id '%s' does not match workspace ID regex '%s': %w", id, WorkspaceIDPattern.String(), InvalidWorkspaceID)
return xerrors.Errorf("id '%s' does not match workspace ID regex '%s': %w", id, WorkspaceIDPattern.String(), InvalidWorkspaceID)

svenefftinge
svenefftinge approved these changes Dec 20, 2022
View reviewed changes
Copy link
Member

@svenefftinge svenefftinge left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@easyCZ easyCZ force-pushed the mp/papi-validate-workspace-id branch from 3e53270 to fca202c Compare December 20, 2022 15:52
@easyCZ easyCZ requested a review from a team as a code owner December 20, 2022 15:52
@easyCZ
Copy link
Member Author

easyCZ commented Dec 20, 2022
edited by werft-gitpod-dev-com bot
Loading

/werft run

👍 started the job as gitpod-build-mp-papi-validate-workspace-id.4
(with .werft/ from main)

@kylos101
Copy link
Contributor

/hold

this appears to be blocking tide

@kylos101
Copy link
Contributor

/unhold

tide is no longer blocked, see https://prow.gitpod-dev.com/tide

@easyCZ
Copy link
Member Author

easyCZ commented Dec 20, 2022
edited by werft-gitpod-dev-com bot
Loading

/werft run

👍 started the job as gitpod-build-mp-papi-validate-workspace-id.5
(with .werft/ from main)

@easyCZ
Copy link
Member Author

easyCZ commented Dec 20, 2022

Thanks @kylos101, there are some flaky supervisor tests which caused the build to fail

@roboquat roboquat merged commit 874a6b5 into main Dec 20, 2022
@roboquat roboquat deleted the mp/papi-validate-workspace-id branch December 20, 2022 16:34
@roboquat roboquat added the deployed: webapp Meta team change is running in production label Dec 21, 2022
@roboquat roboquat added the deployed: workspace Workspace team change is running in production label Jan 4, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@utam0k utam0k utam0k left review comments

@svenefftinge svenefftinge svenefftinge approved these changes

Assignees
No one assigned
Labels
deployed: webapp Meta team change is running in production deployed: workspace Workspace team change is running in production release-note-none size/L team: staff-engineers team: webapp Issue belongs to the WebApp team team: workspace Issue belongs to the Workspace team
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@easyCZ @kylos101 @svenefftinge @utam0k @roboquat