-
Notifications
You must be signed in to change notification settings - Fork 5
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[DC-1206] Add endpoints to list, add, and delete members from Sam group associated with Snapshots byRequestId #1810
base: develop
Are you sure you want to change the base?
Conversation
deleteSnapshotAccessRequestGroupMember(UUID id, String memberEmail) { | ||
AuthenticatedUserRequest userRequest = getAuthenticatedInfo(); | ||
iamService.verifyAuthorization( | ||
userRequest, IamResourceType.SNAPSHOT_BUILDER_REQUEST, id.toString(), IamAction.APPROVE); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These look good! I wonder if we need to make a new IAmAction for these actions or if its okay to extend the use of APPROVE for now.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree, maybe create another ticket to add this action? Something like manage_collaborators
to handle both add and delete?
List<String> removeGroupPolicyEmail( | ||
String accessToken, String groupName, String policyName, String memberEmail) | ||
throws InterruptedException; | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think some documentation on these would be great. I like that the add and remove email return the new list of emails in the group, I think that mirrors the other policy member methods, but some documentation explaining what is returned would be helpful.
public List<String> removeEmailFromGroup(String groupName, String policyName, String email) { | ||
String tdrSaAccessToken = googleCredentialsService.getApplicationDefaultAccessToken(SCOPES); | ||
return callProvider( | ||
() -> iamProvider.removeGroupPolicyEmail(tdrSaAccessToken, groupName, policyName, email)); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
maybe some javadoc for these as well
groupName, | ||
policyName, | ||
memberEmail, | ||
new Object()); // Not sure what should be here for object |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It looks like addPolicyMemberInner passes in a null instead of a new Object maybe we could just follow that pattern
public SnapshotAccessRequestMembersResponse deleteGroupMember(UUID id, String memberEmail) { | ||
SnapshotAccessRequestModel model = snapshotRequestDao.getById(id); | ||
return new SnapshotAccessRequestMembersResponse() | ||
.members(iamService.removeEmailFromGroup(model.samGroupName(), "member", memberEmail)); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For all of these, do we only want people with the member role? Is there a way to get people of any role?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should only ever add users as members to the sam group. Only the TDR service account will be an admin.
description: Get the members in the DAC group | ||
operationId: getSnapshotAccessRequestGroupMembers | ||
parameters: | ||
- $ref: '#/components/parameters/Id' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the reuse of an existing object is a good idea, but Id specifies that the format of the string is a UUID and this will not match that format because it will be an email. So if that type doesn't exist yet maybe adding a new email type would be good
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this is the snapshot request ID, so isn't that a UUID?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, I think for the GET, it's passing in the UUID of the snapshot access request whose group members you want to get
schema: | ||
$ref: '#/components/schemas/ErrorModel' | ||
404: | ||
description: No dataset found that meets the request parameters. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
for all error code descriptions, the language needs to be updated slightly so it matches the use case
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
great work! I would love to talk to you about unit testing these changes and finding examples!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree with @rjohanek 's suggestions. I suppose the unit tests are a separate ticket or upcoming?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have a few comments, also I'd expect to see unit tests of this code and possibly an integration or connected test too.
deleteSnapshotAccessRequestGroupMember(UUID id, String memberEmail) { | ||
AuthenticatedUserRequest userRequest = getAuthenticatedInfo(); | ||
iamService.verifyAuthorization( | ||
userRequest, IamResourceType.SNAPSHOT_BUILDER_REQUEST, id.toString(), IamAction.APPROVE); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree, maybe create another ticket to add this action? Something like manage_collaborators
to handle both add and delete?
public SnapshotAccessRequestMembersResponse getGroupMembers(UUID id) { | ||
SnapshotAccessRequestModel model = snapshotRequestDao.getById(id); | ||
return new SnapshotAccessRequestMembersResponse() | ||
.members(iamService.getGroupPolicyEmails(model.samGroupName(), "member")); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Instead of "member"
this should use a constant. I see we have IamRole.MEMBER
, could that work here?
description: Get the members in the DAC group | ||
operationId: getSnapshotAccessRequestGroupMembers | ||
parameters: | ||
- $ref: '#/components/parameters/Id' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this is the snapshot request ID, so isn't that a UUID?
- name: memberEmail | ||
in: query | ||
description: The email of the user to add | ||
required: true | ||
schema: | ||
type: string |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's confusing to me that this API takes both memberEmail
and PolicyMemberRequest
, I would expect the API to only accept one or the other. Is there a need for both in this API? If you only need one, I would use requestBody
, as that is more typical for POST
than query
.
operationId: deleteSnapshotAccessRequestGroupMember | ||
parameters: | ||
- $ref: '#/components/parameters/Id' | ||
- name: memberEmail |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since we don't have an openapi type for email (e.g. we could define a type with a regex to match only emails) I think we need to validate the request. One way to do that is to use ValidationUtils.isValidEmail()
.
Quality Gate passedIssues Measures |
Jira ticket: https://broadworkbench.atlassian.net/browse/DC-1206
Summary of changes
[ROUGH DRAFT]
Added get, post, and delete endpoints for group members on snapshot access requests
I used examples I found around TDR to help me write all the code, so I don't have the greatest understanding of everything and I'm not sure if there are things that need adjusting to this specific ticket. I'm looking forward to everyone's feedback!
Testing Strategy
I'm not sure the appropriate way to test these changes. Guidance on that would be appreciated!