
Userendpoints #4875

Closed
wants to merge 38 commits into from
Conversation

thquad
Contributor

@thquad thquad commented Feb 17, 2021

The feature lets users create endpoints if they have the "stratos.endpointadmin" scope.

Description

General Behaviour

  • Users need the "stratos.endpointadmin" scope to use this feature. From now on, when I say users, assume they have the "stratos.endpointadmin" scope unless otherwise stated.
  • In the config USER_ENDPOINTS_ENABLED can be set to various
    • disabled: Disabled
    • admin_only: Admins will be able to see all endpoints, but users won't be able to see or create user endpoints.
    • enabled: Admins see all endpoints, users see all admin-endpoints and can create/edit/connect/see their own endpoints.
  • Users can register endpoints, unless
    • An admin-endpoint with the same name / url already exists
    • A user-endpoint from the same user with the same name / url already exists
  • Users will have access to stratos, when no endpoints have been registered yet (the no-endpoint screen will be skipped)
  • Users can edit, unregister and connect to their own user-endpoints
  • User can't see user-endpoints created by other users
  • User-endpoints have the option for user-invites disabled. They can't be shared by users or admins
  • Admins can edit and unregister user-endpoints, but won't be able to connect to them
  • Admins can't create endpoints, if an endpoint with the same url / name already exists, unless
    • A checkbox has been added to the register screen to overwrite existing user-endpoints. When checked, user-endpoints with the same url will be unregistered

Back-End

  • Added file 20210201110000_Creator.go
    • Adds a new row to the cnsis table with name "creator"
      • User registers an endpoint -> value: user-id
      • Admin registers an endpoint -> value: ""
  • config
    • Added an enum "USER_ENDPOINTS_ENABLED"
  • middleware.go
    • Added endpointMiddleware()
      • Checks if user is admin or endpointadmin
      • if it's not a CREATE request, then it also checks the existing endpoint and user role according to how it's described in section General Behaviour
  • cnsi.go
    • buildCNSIList()
      • Checks if user is admin
        • Admin -> return all endpoints
        • User -> return own endpoints and admin-endpoints
        • User & enum set to admin_only -> return admin-endpoints
        • Enum set to disabled -> return admin-endpoints
    • registerEndpoints()
      • looks up user-id from session user and passes it on to DoRegisterEndpoints()
    • DoRegisterEndpoints()
      • Now accepts a user-id as parameter too. If parameter is "", it assumes an anonymous user.
      • Also checks now for described behaviours in section General Behaviour
      • For user-endpoints, the guid will now be generated with url+userID as input, instead of just the url
    • unregisterCluster()
      • Split into two functions: unregisterCluster(c echo.Context) and doUnregisterCluster(cnsiGUID string), so that cnsi can be unregistered without the need of an echo.Context
    • Added ListAdminEndpoints(userID string)
      • returns all endpoints created by admins and given user-id
    • Added listCNSIByAPIEndpoint(apiEndpoint string)
      • returns all endpoints with the given APIEndpoint URL
    • Renamed GetCNSIRecordByEndpoint() and cnsiRecordExists() to GetAdminCNSIRecordByEndpoint() and adminCNSIRecordExists() to better reflect their function now
  • authcnsi.go
    • DoLoginToCNSI()
      • Checks for described behaviour in section General Behaviour
  • info.go
    • getInfo()
      • looks up saved id in column creator from cnsi and replaces it with interface.CreatorInfo
      • If no user can be found, the username will be set to just "user"
  • main.go
    • set ENABLE_USER_ENDPOINTS to disabled as default
    • use different middleware if flag is enabled or not
  • userinvite/admin.go
    • added a check for creator
  • userinvite/auth.go
    • Added checkEndpointCreator()
      • Checks if admin-endpoint, otherwise don't allow invites
  • plugins/desktop/*
    • Adjust several files to also include new functions added to store structs
  • structs.go
    • Add Creator to several structs
    • Add UserEndpointsEnabled to PortalConfig and Info
    • Add OverwriteEndpoints to RegisterEndpointParams
  • pgsql_cnsis.go
    • Added listCNSIsByCreator sql query and associated functions
    • Added function to query a list using findCNSIByAPIEndpoint
    • Created a generic listBy() function because DRY
  • pgsql_token.go
    • Added listAuthToken sql query and associated functions
  • Tests
    • Adjusted mock data for several tests so they don't break

Front-End

  • endpoint.types.ts
    • added a CreatorInfo interface to hold creator user data for cnsi
  • user-permission.directive.ts
    • Change so that it can have multiple permissions to check for, instead of just one. Returns true if any one permission returns true.
  • endpoint-list.helpers.ts
    • Show menu items according to described rules in section General Behaviour
  • base-endpoints-data-source.ts
    • add default values for added parameters
  • stratos-user-permissions.checker.ts
    • Add the stratos.endpointadmin as a scope that can be checked for
  • session.service.ts
    • Add methods to return values of USER_ENDPOINTS_ENABLED
  • auth.types.ts
    • add enableUserEndpoints to interface SessionDataConfig
  • endpoint.actions.ts / endpoint.effects.ts / stratos-action-builders.ts
    • Add "overwriteEndpoints" variable
  • endpoints.service.ts
    • Let endpointadmins see stratos gui when no endpoints are there yet
  • user.service.ts
    • Also save if user is an endpointadmin
  • user-invite.service.ts
    • check if user-endpoint and disable invites
  • endpoints-page.component
    • Show the add endpoint for admins and endpointadmins
  • endpoint-card.component
    • Show who created the endpoint.
  • create-endpoint-cf-step-1.component / git-registration.component
    • Add "Overwrite User Endpoints" checkbox to gui and form

Motivation and Context

Issue #4753

How Has This Been Tested?

OS: macOS Big Sur
go test passes
npm run test-backend fails without changes in #4874

e2e tests fail on local machine with following setup:

  • PCF dev for CF endpoint
  • PCF dev is set up with script described in docs
  • Stratos uses docker container splatform/stratos-uaa
  • Stratos runs directly with ./jetstream script

So far only adjusted mock data to mostly accommodate the new added column to the cnsi table, to check that everything behaves the same when the feature is disabled.

I will add more test functions later, as discussed with @richard-cox . This PR is for looking over the code while I continue to adjust the tests.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • Docs update
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)

Checklist:

  • My code follows the code style of this project.
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I have followed the guidelines in CONTRIBUTING.md, including the required formatting of the commit message
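The "General Behaviour" rules above are an authorization model that lives entirely in the backend: which endpoints a session may list, which it may register, and which it may connect to, all keyed on the session's admin flag, its user id, and the USER_ENDPOINTS_ENABLED mode. The Go block below is an added worked example of those rules written for this review; it is not code from the PR or from the Stratos jetstream code base. It assumes a reduced in-memory Endpoint record in place of the cnsis table, a SHA-1 of url+userID as the "generated from url+userID" GUID (the PR does not say which hash is used), and, for canConnect, that user-endpoints are not connectable in the admin_only and disabled modes (the description only states the enabled case).

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"errors"
	"fmt"
)

// UserEndpointsMode mirrors the three values of USER_ENDPOINTS_ENABLED.
type UserEndpointsMode string

const (
	ModeDisabled  UserEndpointsMode = "disabled"
	ModeAdminOnly UserEndpointsMode = "admin_only"
	ModeEnabled   UserEndpointsMode = "enabled"
)

// Endpoint is a simplified stand-in for a cnsi row (assumption, not the real struct).
// Creator == "" marks an admin-registered endpoint, as the PR description states.
type Endpoint struct {
	GUID        string
	Name        string
	APIEndpoint string
	Creator     string
}

func (e Endpoint) isAdminEndpoint() bool { return e.Creator == "" }

// endpointGUID derives the record id from url+userID for user endpoints and from the
// URL alone for admin endpoints (userID == ""), so two users registering the same URL
// get distinct records. SHA-1 is an assumption; the PR does not name the hash.
func endpointGUID(apiEndpoint, userID string) string {
	sum := sha1.Sum([]byte(apiEndpoint + userID))
	return hex.EncodeToString(sum[:])
}

// visibleEndpoints is the buildCNSIList filter. isAdmin and userID must come from the
// server-side session, never from the request; the client must not filter for itself.
func visibleEndpoints(all []Endpoint, isAdmin bool, userID string, mode UserEndpointsMode) []Endpoint {
	var out []Endpoint
	for _, e := range all {
		switch {
		case e.isAdminEndpoint(): // admin endpoints are visible to everyone
			out = append(out, e)
		case isAdmin && mode != ModeDisabled: // admins see user endpoints unless disabled
			out = append(out, e)
		case mode == ModeEnabled && e.Creator == userID: // users see only their own
			out = append(out, e)
		}
	}
	return out
}

var ErrConflict = errors.New("an endpoint with the same name or url already exists")

func sameNameOrURL(a, b Endpoint) bool {
	return a.Name == b.Name || a.APIEndpoint == b.APIEndpoint
}

// register applies the creation rules. For admins with overwrite set, user endpoints
// sharing the URL are unregistered first; name-only clashes are still rejected.
func register(store []Endpoint, req Endpoint, isAdmin bool, userID string, overwrite bool) ([]Endpoint, error) {
	if isAdmin {
		req.Creator, req.GUID = "", endpointGUID(req.APIEndpoint, "")
		if overwrite {
			var kept []Endpoint
			for _, e := range store {
				if !e.isAdminEndpoint() && e.APIEndpoint == req.APIEndpoint {
					continue // unregistered by the "Overwrite User Endpoints" option
				}
				kept = append(kept, e)
			}
			store = kept
		}
		for _, e := range store {
			if sameNameOrURL(e, req) {
				return store, ErrConflict
			}
		}
		return append(store, req), nil
	}
	req.Creator, req.GUID = userID, endpointGUID(req.APIEndpoint, userID)
	for _, e := range store {
		// only admin endpoints and the caller's own endpoints count as conflicts;
		// other users' endpoints are invisible, so they must not leak via an error
		if sameNameOrURL(e, req) && (e.isAdminEndpoint() || e.Creator == userID) {
			return store, ErrConflict
		}
	}
	return append(store, req), nil
}

// canConnect is the DoLoginToCNSI rule: admins connect only to admin endpoints, users to
// admin endpoints and their own. Behaviour outside ModeEnabled is an assumption.
func canConnect(e Endpoint, isAdmin bool, userID string, mode UserEndpointsMode) bool {
	if e.isAdminEndpoint() {
		return true
	}
	return mode == ModeEnabled && !isAdmin && e.Creator == userID
}

func main() {
	store := []Endpoint{{Name: "prod", APIEndpoint: "https://api.prod.example"}}
	store, _ = register(store, Endpoint{Name: "mine", APIEndpoint: "https://api.dev.example"}, false, "u1", false)
	_, err := register(store, Endpoint{Name: "dev", APIEndpoint: "https://api.dev.example"}, true, "", false)
	fmt.Println("admin register without overwrite:", err)
	fmt.Println("u2 sees", len(visibleEndpoints(store, false, "u2", ModeEnabled)), "endpoint(s)")
}
```

The point worth checking in the real PR is the same one the example makes explicit: every branch keys off session-derived isAdmin and userID, and the user branch of register only reports conflicts against records the caller is allowed to see, so the error path cannot be used to enumerate other users' endpoints.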

thquad added 30 commits January 19, 2021 14:46
…cloudfoundry#4753)

Needs to be properly implemented later.

Signed-off-by: Thomas Quandt <[email protected]>
Adjust files to insert the userID to an endpoint when it's created.

Signed-off-by: Thomas Quandt <[email protected]>
* Add a query to get all uaa tokens

* Add a query to get all cnsis from the user who created it

* Filter endpoints for endpointadmins
- All admin endpoints and user-specific endpoints will be returned

Signed-off-by: Thomas Quandt <[email protected]>
…y#4753)

* Split ENDPOINT_REGISTER into two separate permissions to check for admin or endpointadmin

* Add CreatorInfo to structs and EndpointDetail

Signed-off-by: Thomas Quandt <[email protected]>
…loudfoundry#4753)

* Add env var enableUserEndpoints to store model

* Adjust components for enableUserEndpoints

* Small adjustments in the back-end to enableUserEndpoints

* Consider an empty string for the creator as an admin user

Signed-off-by: Thomas Quandt <[email protected]>
* User endpoints with same APIEndpoint will be automatically removed when admin creates endpoint

* Split list functions in pgsql_cnsi into a generic function

Signed-off-by: Thomas Quandt <[email protected]>
* Let admins see all endpoints again

* Add checkbox to overwrite user-endpoints when admins create a checkpoint

* Add OverwriteEndpoints to the HTTP Request

* Fix existingEndpoints in git-registration component (was always null)

* Change subscription to observable in endpoints page component

Signed-off-by: Thomas Quandt <[email protected]>
* Change AutoRegisterEndpoint to always create as an anonymous admin

* Adjust GetCNSIRecordByEndpoint to search for admin created endpoints only

* Revert change in cnsiRecordExists to now check the url again instead of the guid

Signed-off-by: Thomas Quandt <[email protected]>
* Change EnableUserEndpoints to UserEndpointsEnabled and make it enum

* If admins see user endpoints depend now on enum

* Users only see their own endpoints if flag explicitly set to enabled

Signed-off-by: Thomas Quandt <[email protected]>
Update test branch with current changes.
* Adjust mock data

* Add basic db functions to desktop plugins

* Check user in cnsi login only if userendpoints enabled

* Check user in cnsi register only if userendpoints enabled

Signed-off-by: Thomas Quandt <[email protected]>
* Only user-endpoints save an id in creator column

* If user can't be found, set it as anonymous user

Signed-off-by: Thomas Quandt <[email protected]>
@linux-foundation-easycla

linux-foundation-easycla bot commented Feb 17, 2021

CLA Not Signed

  • thquad The commit (e545999 ,0472e7ef3956c311aa9868115e38d8891dcf2cbd ,5d857b54987e9de1cb44d6f2454cee59287ee1c8 ,849b0fa054e387b9caeeb4e059320f6e7f960acb ,235c7fe4ef4172fa9930836affdf5153a32411be ,c9a413622b784c9b19ea9d9083f48573bd8cf1da ,e41b7c0fea2f1a5d0087fe51c92cdf7a21abcd5a ,2fe0684a411099d7f7479430f2bafb6bb9f6dcec ,0fecce1197ea0d75cd285743ab9f62e3c5e302c0 ,4c5aa9a7a3a1ca0877930742d92f72191fbd1319 ,7e3084841065cdee446314735ee1c1a3bf2d00b8 ,7de8eac9f39171a9b02e265629b2e40ea5a8f68a ,dce832d44d9f1b2b4ad0c39b5c062c2f9a437dc1 ,98c769ee0324d72454220c8848ee6ea32eab95d1 ,f461c86b03929b33babe18ce47ed5fe00e019dff ,479e21765c5d7c6f3fa52696835499f9a175517a ,f11fdc0fb20022f9bbeb73f6e7f3655a71dac2ec ,f20c94e0184de4f05e5ae2ef7562a99b377fb005 ,373f9ea7e622dfdb533872e82b21c4c618708efd ,cf8341264ccbd2c34b8ea4175307f69beb2628c0 ,fc6a400c159fa2b5b01941e1906975d61d3ef0d6 ,ec30299b4876897fde4b12f056f7198ad5746800 ,e2e5acbe65a307e1060241a6437f0a1bbdbcbd92 ,cd0bf1c079b798993ce19056511e9b03ffbdda12 ,880a0746f65a1007408b340698f63f6021da0747 ,fb087922f7bb35a76bbf976172d75485ef75dc00 ,422171d9f7b1a82227884389c1f3f7347165df49 ,416b2a6c579fe3970ecadb7341b44701f797d9d5 ,ee44845b4551914f6fe2180ffc876939acceff17 ,5cdd0d9dd51d43854e73871e0e8126097c3bab19 ,e8e489c60762c9b422c6ca064c712ab903d4c60a ,2cbe85af1c052ff15e2bbbb9b9231cb2e7e2c056 ,82c5cdaed20ea82cfd9f1330e043694c8e28b09a ,371c6404449deec94bb49c82d0db50fcf8dc4105 ,ad69961f8a57c29b1e5610ccac3098ca74eb1366 ,a87cb058393f49dafb3a3f104cafbeb65fb4e909 ,5bd771f00ea8ca8bec3c7383bbbfb440f2599715 ,9ce45c08628ec79a3dc2c5e8b8d42c2bb2273944) is not authorized under a signed CLA.

@codecov-io

Codecov Report

Merging #4875 (2cbe85a) into master (54a0af2) will decrease coverage by 26.56%.
The diff coverage is 18.97%.

@@             Coverage Diff             @@
##           master    #4875       +/-   ##
===========================================
- Coverage   52.91%   26.35%   -26.57%     
===========================================
  Files        1141       61     -1080     
  Lines       40149     4925    -35224     
  Branches     5122        0     -5122     
===========================================
- Hits        21246     1298    -19948     
+ Misses      18719     3430    -15289     
- Partials      184      197       +13     

@richard-cox richard-cox self-requested a review February 18, 2021 11:52
@richard-cox richard-cox added the community Community Raised Issue label Feb 18, 2021
* Add missing providers to frontend unit tests

* Fix two errors outside of tests

Signed-off-by: Thomas Quandt <[email protected]>
@richard-cox
Contributor

Closing in favour of #4876 (avoids travis issues)
