Userendpoints #4876

Merged
merged 101 commits into from
Apr 16, 2021


@thquad thquad commented Feb 18, 2021

The feature lets users create endpoints if they have the "stratos.endpointadmin" scope.

Description

General Behaviour

  • Users need the "stratos.endpointadmin" scope to use this feature. From now on, when I say users, assume they have the "stratos.endpointadmin" scope unless otherwise stated.
  • In the config USER_ENDPOINTS_ENABLED can be set to various
    • disabled: Disabled
    • admin_only: Admins will be able to see all endpoints, but users won't be able to see or create user endpoints.
    • enabled: Admins see all endpoints, users see all admin-endpoints and can create/edit/connect/see their own endpoints.
  • Users can register endpoints, unless
    • An admin-endpoint with the same name / url already exists
    • A user-endpoint from the same user with the same name / url already exists
  • Users will have access to stratos, when no endpoints have been registered yet (the no-endpoint screen will be skipped)
  • Users can edit, unregister and connect to their own user-endpoints
  • User can't see user-endpoints created by other users
  • User-endpoints have the option for user-invites disabled. They can't be shared by users or admins
  • Admins can edit and unregister user-endpoints, but won't be able to connect to them
  • Admins can't create endpoints, if an endpoint with the same url / name already exists, unless
    • A checkbox has been added to the register screen to overwrite existing user-endpoints. When checked, user-endpoints with the same url will be unregistered

Back-End

  • Added file 20210201110000_Creator.go
    • Adds a new row to the cnsis table with name "creator"
      • User registers an endpoint -> value: user-id
      • Admin registers an endpoint -> value: ""
  • config
    • Added an enum "USER_ENDPOINTS_ENABLED"
  • middleware.go
    • Added endpointMiddleware()
      • Checks if user is admin or endpointadmin
      • If it's not a CREATE request, then it also checks the existing endpoint and user role according to how it's described in section General Behaviour
  • cnsi.go
    • buildCNSIList()
      • Checks if user is admin
        • Admin -> return all endpoints
        • User -> return own endpoints and admin-endpoints
        • User & enum set to admin_only -> return admin-endpoints
        • Enum set to disabled -> return admin-endpoints
    • registerEndpoints()
      • looks up user-id from session user and passes it on to DoRegisterEndpoints()
    • DoRegisterEndpoints()
      • Now accepts a user-id as parameter too. If parameter is "", it assumes an anonymous user.
      • Also checks now for described behaviours in section General Behaviour
      • For user-endpoints, the guid will now be generated with url+userID as input, instead of just the url
    • unregisterCluster()
      • Split into two functions: unregisterCluster(c echo.Context) and doUnregisterCluster(cnsiGUID string), so that cnsi can be unregistered without the need of an echo.Context
    • Added ListAdminEndpoints(userID string)
      • returns all endpoints created by admins and given user-id
    • Added listCNSIByAPIEndpoint(apiEndpoint string)
      • returns all endpoints with the given APIEndpoint URL
    • Renamed GetCNSIRecordByEndpoint() and cnsiRecordExists() to GetAdminCNSIRecordByEndpoint() and adminCNSIRecordExists() to better reflect their function now
  • authcnsi.go
    • DoLoginToCNSI()
      • Checks for described behaviour in section General Behaviour
  • info.go
    • getInfo()
      • looks up saved id in column creator from cnsi and replaces it with interface.CreatorInfo
      • If no user can be found, the username will be set to just "user"
  • main.go
    • set ENABLE_USER_ENDPOINTS to disabled as default
    • use different middleware if flag is enabled or not
  • userinvite/admin.go
    • added a check for creator
  • userinvite/auth.go
    • Added checkEndpointCreator()
      • Checks if admin-endpoint, otherwise don't allow invites
  • plugins/desktop/*
    • Adjust several files to also include new functions added to store structs
  • structs.go
    • Add Creator to several structs
    • Add UserEndpointsEnabled to PortalConfig and Info
    • Add OverwriteEndpoints to RegisterEndpointParams
  • pgsql_cnsis.go
    • Added listCNSIsByCreator sql query and belonging functions
    • Added function to query a list using findCNSIByAPIEndpoint
    • Created a generic listBy() function because DRY
  • pgsql_token.go
    • Added listAuthToken sql query and belonging functions
  • Tests
    • Adjusted mock data for several tests so they don't break

Front-End

  • endpoint.types.ts
    • added a CreatorInfo interface to hold creator user data for cnsi
  • user-permission.directive.ts
    • Change so that it can have multiple permissions to check for, instead of just one. Results in true if one permission returns true.
  • endpoint-list.helpers.ts
    • Show menu items according to described rules in section General Behaviour
  • base-endpoints-data-source.ts
    • add default values for added parameters
  • stratos-user-permissions.checker.ts
    • Add the stratos.endpointadmin as a scope that can be checked for
  • session.service.ts
    • Add methods to return values of USER_ENDPOINTS_ENABLED
  • auth.types.ts
    • add enableUserEndpoints to interface SessionDataConfig
  • endpoint.actions.ts / endpoint.effects.ts / stratos-action-builders.ts
    • Add "overwriteEndpoints" variable
  • endpoints.service.ts
    • Let endpointadmins see stratos gui when no endpoints are there yet
  • user.service.ts
    • Also save if user is an endpointadmin
  • user-invite.service.ts
    • check if user-endpoint and disable invites
  • endpoints-page.component
    • Show the add endpoint for admins and endpointadmins
  • endpoint-card.component
    • Show who created the endpoint.
  • add create-endpoint-helper component
    • extended by endpoint creation components
    • stores information about current endpoints in Stratos and if userendpoints are enabled
  • create-endpoint-cf-step-1.component / git-registration.component
    • Add "Overwrite User Endpoints" checkbox to gui and form
  • add table-cell-endpoint-creator component (and changed endpoint-list-config.service.ts accordingly)
    • Show the creator in the table view

Motivation and Context

Issue #4753

How Has This Been Tested?

OS: macOS Big Sur

Adjusted all unit tests with new model of endpoints (mock endpoints) so they don't fail.
Added back-end unit tests with this feature enabled for middleware, registering endpoints, connecting to endpoints and pgsql changes.
Manually tested:

  • Registering user-endpoint as user-A
  • Editing user-endpoint as user-A
  • Unregister user-endpoint as user-A
  • Register same user-endpoint as user-A as user-B
  • Overwrite user-endpoints as admin with checkbox "Automatically overwrite user endpoints"
  • Unregister user-endpoint as admin
  • Edit user-endpoint as admin
  • Connect to admin-endpoint as user-A
  • Connect to user-endpoint as user-A

Local minikube Kubernetes endpoints were used.
Docker image splatform/stratos-uaa used as UAA.
Added users and necessary scopes with uaac.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • Docs update
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)

Checklist:

  • My code follows the code style of this project.
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I have followed the guidelines in CONTRIBUTING.md, including the required formatting of the commit message
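
The visibility, edit and connect rules from the description above, as an added Go example (not code from this pull request or from Stratos). The types and function names are hypothetical, and treating "disabled" as hiding user-endpoints from admins as well is an assumption drawn from the buildCNSIList() notes.

```go
package main

import "fmt"

// Mode mirrors the three USER_ENDPOINTS_ENABLED values from the description.
type Mode string

const (
	Disabled  Mode = "disabled"
	AdminOnly Mode = "admin_only"
	Enabled   Mode = "enabled"
)

// Actor and Endpoint are hypothetical types for this sketch, not Stratos structs.
type Actor struct {
	ID            string
	Admin         bool
	EndpointAdmin bool // holds the "stratos.endpointadmin" scope
}

type Endpoint struct {
	Creator string // "" when an admin registered it, else the creating user's ID
}

func owns(a Actor, e Endpoint) bool {
	return a.EndpointAdmin && e.Creator != "" && e.Creator == a.ID
}

// CanSee: admin-endpoints are always listed; user-endpoints depend on mode and owner.
func CanSee(m Mode, a Actor, e Endpoint) bool {
	if e.Creator == "" || m == Disabled {
		return e.Creator == "" // assumption: disabled lists admin-endpoints only
	}
	return a.Admin || (m == Enabled && owns(a, e))
}

// CanModify covers edit and unregister: admins on anything listed, users on their own.
func CanModify(m Mode, a Actor, e Endpoint) bool {
	return CanSee(m, a, e) && (a.Admin || owns(a, e))
}

// CanConnect: admin-endpoints for anyone, user-endpoints only for their creator.
func CanConnect(m Mode, a Actor, e Endpoint) bool {
	return e.Creator == "" || (m == Enabled && !a.Admin && owns(a, e))
}

func main() {
	alice := Actor{ID: "user-a", EndpointAdmin: true} // constructed sample actor
	fmt.Println(CanSee(Enabled, alice, Endpoint{Creator: "user-b"}))
}
```

Keeping the three decisions in separate functions makes the asymmetry explicit: an admin can edit or unregister a user-endpoint but is refused when connecting to it.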

@richard-cox richard-cox mentioned this pull request Feb 18, 2021

@richard-cox richard-cox left a comment


I've quickly run through the code and added some comments, haven't started testing though.

One question I had, which affects a couple of the comments: what was the reasoning for "User-endpoints have the option for user-invites disabled. They can't be shared by users or admins"?

I've also actively started looking at the e2e failures; I believe these relate to the Travis config or environment (they start to run fine locally).


codecov-io commented Feb 19, 2021

Codecov Report

Merging #4876 (0f775c2) into master (3de685c) will decrease coverage by 23.83%.
The diff coverage is 60.08%.

@@             Coverage Diff             @@
##           master    #4876       +/-   ##
===========================================
- Coverage   52.91%   29.08%   -23.84%     
===========================================
  Files        1141       61     -1080     
  Lines       40149     4906    -35243     
  Branches     5122        0     -5122     
===========================================
- Hits        21246     1427    -19819     
+ Misses      18719     3264    -15455     
- Partials      184      215       +31     

thquad added a commit that referenced this pull request Feb 22, 2021
thquad and others added 28 commits April 16, 2021 09:13
Signed-off-by: Thomas Quandt <[email protected]>
- Added additional comments
- Tidied up some parts
- Display endpoint create directly rather than via custom component
- Added new doc to website menu
All of these are unrelated to this PR, but given their size and ease of reproducing them, adding them here
@richard-cox richard-cox merged commit f34f428 into master Apr 16, 2021
Labels
community Community Raised Issue ready for review