fix(admin-panel): Fix remote group resolution #12871
Conversation
dschom
force-pushed
the
FXA-5027-fix-remote-group-resolution
branch
3 times, most recently
from
380d4cc to
2f363eb
Compare
| @@ -15,8 +21,8 @@ describe('ClientConfig', () => { | |||
| user, | |||
| }); | |||
| const injectedHtml = ClientConfig.injectIntoHtml(html, { | |||
| 'REMOTE-GROUP': remoteHeader, | |||
| 'oidc-claim-id-token-email': user.email, | |||
| [USER_GROUP_HEADER]: remoteHeader, | |||
There was a problem hiding this comment.
cleanup - avoid magic strings
| }); | ||
| }); | ||
|
|
||
| it('handles multiple remote group headers', () => { |
There was a problem hiding this comment.
This is a more realistic test. Turns out a large number of ldap groups can be passed on this header.
|
|
||
| it('renders without imploding', () => { | ||
| const guard = new AdminPanelGuard(AdminPanelEnv.Prod); |
There was a problem hiding this comment.
Guards are now aware of the environment. This is needed to determine the case when a user might be in a stage ldap group but not in a prod ldap group (or vice versa).
|
|
||
| const App = ({ config }: { config: IClientConfig }) => { | ||
| const [guard, setGuard] = useState<AdminPanelGuard>(config.guard); |
There was a problem hiding this comment.
Since guards are now aware of the environment, they technically need to be part of the context.
| @@ -8,12 +8,12 @@ The [GraphQL playground](https://www.apollographql.com/docs/apollo-server/testin | |||
|
|
|||
| The playground requires an `oidc-claim-id-token-email` authorization header. In production this is supplied through an nginx header after LDAP credentials, which have been verified but in development, a dummy email should be supplied in the bottom left-hand corner of the GQL playground labeled "HTTP Headers": | |||
|
|
|||
| In addition a `REMOTE-GROUP` header must also be set to indicate the user's LDAP group membership. Again, in production this will be set by nginx, but in development, a dummy value must be supplied. | |||
| In addition a `remote-groups` header must also be set to indicate the user's LDAP group membership. Again, in production this will be set by nginx, but in development, a dummy value must be supplied. | |||
There was a problem hiding this comment.
Yep, we were targeting the wrong header. This was the main source of the issue.
| @@ -26,7 +26,9 @@ it('renders each field as expected', () => { | |||
|
|
|||
| screen.getByText(subscription.productName); | |||
| screen.getByText(subscription.status); | |||
| expect(screen.getAllByText('1970-01-19 @', { exact: false })).toHaveLength(4); | |||
| expect(screen.getAllByText(/1970-01-1[89] @/, { exact: false })).toHaveLength( | |||
There was a problem hiding this comment.
This was tricky. The test was failing and I thought I was going crazy cause clearly it passed at some point. Turns out the issue is that dateFormat is taking the users timezone into account. So depending on where you are you might get a different result. For example:
> const dateFormat = require('dateformat')
undefined
> dateFormat(new Date(1583259953), 'UTC:yyyy-mm-dd @ HH:MM:ss Z')
'1970-01-19 @ 07:47:39 UTC'
> dateFormat(new Date(1583259953), 'yyyy-mm-dd @ HH:MM:ss Z')
'1970-01-18 @ 23:47:39 PST'
In a PST timezone, 1583259953, would have renders with 1970-01-18 date and the subsequent test would pass. This makes the check a bit more flexible. Alternatively we could render everything in UTC. Not sure what's best.
There was a problem hiding this comment.
I've never used dateFormat. moment is used in fxa-auth-server though (and in fxa-shared), could be worth looking into/switching as an alternative?
There was a problem hiding this comment.
Agree that'd be nice to consistent about this. @LZoog any thoughts here?
There was a problem hiding this comment.
If we're only using dateFormat in the admin-panel, agreed, we could follow a follow up to replace it with moment; less dependencies WFM.
|
You pre-seeded this PR with a few good notes here. If you'll indulge me a drive-by comment: Your comments are what I'd like to see if I were modifying this file 6 months down the road. Eg. figuring out why a test regex is Thanks for the patch! |
dschom
force-pushed
the
FXA-5027-fix-remote-group-resolution
branch
from
2f363eb to
f1e91d7
Compare
| @@ -26,7 +26,9 @@ it('renders each field as expected', () => { | |||
|
|
|||
| screen.getByText(subscription.productName); | |||
| screen.getByText(subscription.status); | |||
| expect(screen.getAllByText('1970-01-19 @', { exact: false })).toHaveLength(4); | |||
| expect(screen.getAllByText(/1970-01-1[89] @/, { exact: false })).toHaveLength( | |||
There was a problem hiding this comment.
I've never used dateFormat. moment is used in fxa-auth-server though (and in fxa-shared), could be worth looking into/switching as an alternative?
Because: - The remote group was not resolved correctly which rendered the admin panel useless. This Commit: - Targets the correct remote group header, 'remote-groups', which was previously 'REMOTE-GROUP'. - Does some clean up and removes magic starings. - Makes the guard aware of the current environment. This ended up being the bulk of the changes, and was necessary nice certain - Handles edge case where both stage and ldap groups are provided in remote-groups header. AdminPanelGuard is now aware of the current environment. - Introduces a hook for GuardContext. This hook provides a guard instance, which is aware of the current environment.
dschom
force-pushed
the
FXA-5027-fix-remote-group-resolution
branch
from
f1e91d7 to
6339b0b
Compare
Because
This pull request
Issue that this pull request solves
Closes: #12744
Checklist
Put an
xin the boxes that apply