Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[server] Validate userID, teamID is a UUID on team operations #15651

Merged
merged 1 commit into from
Jan 10, 2023
Merged

[server] Validate userID, teamID is a UUID on team operations #15651

merged 1 commit into from
Jan 10, 2023

Conversation

easyCZ
Copy link
Member

@easyCZ easyCZ commented Jan 10, 2023
edited by loujaybee
Loading

Description

To ensure we fail early on bogus values. This is also a necessary pre-cursor to use an authorization system as we need to guarantee consistency of records

Related Issue(s)

Fixes #

How to test

  1. Interact with teams in preview
  2. Make a request using the ws protocol with non-uuid values

Release Notes

NONE

Documentation

Werft options:

  • /werft with-local-preview
    If enabled this will build install/preview
  • /werft with-preview
  • /werft with-large-vm
  • /werft with-integration-tests=all
    Valid options are all, workspace, webapp, ide, jetbrains, vscode, ssh

@easyCZ easyCZ requested a review from a team January 10, 2023 07:56
@werft-gitpod-dev-com
Copy link

started the job as gitpod-build-mp-server-teams-rpc-validate-uuid.1 because the annotations in the pull request description changed
(with .werft/ from main)

@github-actions github-actions bot added the team: webapp Issue belongs to the WebApp team label Jan 10, 2023
@geropl
Copy link
Member

geropl commented Jan 10, 2023

I think there's nothing wrong with testing more invariants on the IDs per-se.
But I'd like to understand where it's coming from: Does OpenFGA expect UUIDs as data type? Does it perform other operations on it then "identity"? 🤔

@easyCZ
Copy link
Member Author

easyCZ commented Jan 10, 2023

Today, I can supply arbitrary strings to the RPCs and we'll happily go ahead and search for these in the database. Not only is it wasteful, but we also end up having a harder time figuring out why the system is doing it.

For any authorization system, the object and subject identifiers are strings. And that means we really want to be sure they are at least conforming to a valid pattern before we execute those queries.

But in general, we've gotta check our inputs, no matter what we use downstream.

@roboquat roboquat merged commit 0789eda into main Jan 10, 2023
@roboquat roboquat deleted the mp/server-teams-rpc-validate-uuid branch January 10, 2023 11:58
@roboquat roboquat added deployed: webapp Meta team change is running in production deployed Change is completely running in production labels Jan 11, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@svenefftinge svenefftinge svenefftinge approved these changes

Assignees
No one assigned
Labels
deployed: webapp Meta team change is running in production deployed Change is completely running in production release-note-none size/S team: webapp Issue belongs to the WebApp team
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@easyCZ @geropl @svenefftinge @roboquat