Spike: adding/updating annotations via PUT/POST/PATCH

[john-odonnell]

Desired Outcome

Capture the current behavior of policy load operations to add new or update existing annotations on an existing resource.

From CNJR-2111:

POST should allow adding new annotations to an existing resource and PATCH should allow adding or modifying existing annotations on an existing resource.

Implemented Changes

Added Cucumber tests in cucumber/api/features/policy_load_annotations.feature that confirm whether a user with [create|update] privilege on a policy branch can [PUT|POST|PATCH] a policy file to [add a new|update an existing] annotation on an existing resource.

Outcome Summary

All these cases behave as we expect:

- create / add new         / PUT   :   EXPECTED FAIL
- create / add new         / POST  :   SUCCESS
- create / add new         / PATCH :   EXPECTED FAIL
- create / update existing / PUT   :   EXPECTED FAIL
- create / update existing / POST  :   EXPECTED FAIL*
- create / update existing / PATCH :   EXPECTED FAIL
- update / add new         / PUT   :   SUCCESS
- update / add new         / POST  :   EXPECTED FAIL
- update / add new         / PATCH :   SUCCESS
- update / update existing / PUT   :   SUCCESS
- update / update existing / POST  :   EXPECTED FAIL
- update / update existing / PATCH :   SUCCESS

The create / update existing / POST does not add a new annotation - as expected - but the policy load operation succeeds, which could be misleading to a user. This is caused by how the different policy loader classes - Loader::ReplacePolicy (PUT), Loader::CreatePolicy (POST), and Loader::ModifyPolicy (PATCH) - use the Loader::Orchastrate methods eliminate_duplicates_exact, eliminate_duplicates_pk and update_changed.

• eliminate_duplicates_exact is used to cull objects specified in the incoming policy file that already existing in the current policy. Incoming updated annotations are not culled by this method.
• update_changed is used to persist updated objects from the incoming policy into the current policy.
• eliminate_duplicates_pk is used to cull objects that exist in the current policy that may have been updated by the incoming policy. Incoming updated annotations are always culled by this method, regardless of whether they have been persisted.

The Loader::CreatePolicy (POST) loader is the only loader class that does not call update_changed - this means eliminate_duplicates_exact and eliminate_duplicates_pk are run in sequence, deleting all objects that appear in both the existing and incoming policy files, regardless of updates.

Commit 211e432 implements a 400 error condition when a policy load via POST attempts to update an existing resource.

Connected Issue/Story

CNJR-2111

Definition of Done

At least 1 todo must be completed in the sections below for the PR to be
merged.

Changelog

• The CHANGELOG has been updated, or
• This PR does not include user-facing changes and doesn't require a
  CHANGELOG update

Test coverage

• This PR includes new unit and integration tests to go with the code
  changes, or
• The changes in this PR do not require tests

Documentation

• Docs (e.g. READMEs) were updated in this PR
• A follow-up issue to update official docs has been filed here: [insert issue ID]
• This PR does not require updating any documentation

Behavior

• This PR changes product behavior and has been reviewed by a PO, or
• These changes are part of a larger initiative that will be reviewed later, or
• No behavior was changed with this PR

Security

• Security architect has reviewed the changes in this PR,
• These changes are part of a larger initiative with a separate security review, or
• There are no security aspects to these changes

[codeclimate]

Loader::Orchestrate#store_policy_in_db has boolean parameter 'reject_duplicates'

[codeclimate]

Loader::Orchestrate#store_policy_in_db is controlled by argument 'reject_duplicates'

[doodlesbykumbi]

Looking good. Left a comment about defining a local error type for rejecting duplicates to avoid coupling.

[doodlesbykumbi]

Curious about the motivation for this change ?

[john-odonnell]

This enabled running cucumber tests in the dev env, where you run them from the Conjur container. In that case, you need to use http://localhost:3000 instead of http://conjur.

[doodlesbykumbi]

It's better to raise a local exception to avoid coupling the loader to the somewhat global ApplicationController. Have a look at Exceptions::InvalidPolicyObject for inspiration, and see how it is rescued from in ApplicationController, see

conjur/app/controllers/application_controller.rb

Line 61 in 956e8b6

rescue_from Exceptions::InvalidPolicyObject, with: :policy_invalid

[john-odonnell]

Created Exceptions::DisallowedPolicyOperation

[codeclimate]

ApplicationController#disallowed_policy_operation has the parameter name 'e'

[codeclimate]

Loader::Orchestrate#store_policy_in_db is controlled by argument 'reject_duplicates'

[codeclimate]

Code Climate has analyzed commit b1028a1 and detected 3 issues on this pull request.

Here's the issue category breakdown:

Category	Count
Complexity	3

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 88.4% (0.0% change).

View more on Code Climate.

[doodlesbykumbi]

LGTM! Left a comment about adding more context to errors

[doodlesbykumbi]

Thanks for addressing this. I was thinking it might be useful to provide any meaningful context around the error like how it's done here.

conjur/app/models/exceptions/invalid_policy_object.rb

Line 7 in 956e8b6

def initialize id, message: nil

Specifically I had in mind

1. Policy ID
2. Offending lines etc.