add roles when using conjurctl policy load #1510
Conversation
![codeclimate[bot]](https://avatars.githubusercontent.com/in/9403?s=60&v=4){kind=small}
h-artzi
force-pushed
the
conjurctl_load_host_and_user
branch
3 times, most recently
from
11e21a2 to
83e7c29
Compare
h-artzi
force-pushed
the
conjurctl_load_host_and_user
branch
from
ccd2313 to
d3147ed
Compare
h-artzi
force-pushed
the
conjurctl_load_host_and_user
branch
from
a32b4ac to
67c40c5
Compare
lib/root_loader.rb
Outdated
| credentials = Credentials[role: role] || Credentials.create(role: role) | ||
| memo[role.id] = { id: role.id, api_key: credentials.api_key } | ||
| memo | ||
| end |
There was a problem hiding this comment.
I'd split this whole thing up into 2 statements, rather than chaining.
Also, see how the above has the awkward pattern
memo[blah] = stuff.....
memoeach_with_object is made for avoiding just this.
There was a problem hiding this comment.
So this is exactly what I meant.... buuuuuut
I don't get how it's working because each_with_object reverses the arguments relative to reduce, so that the memo is in the 2nd arg:
https://ruby-doc.org/core-2.7.1/Enumerable.html#method-i-each_with_object
h-artzi
force-pushed
the
conjurctl_load_host_and_user
branch
from
67c40c5 to
933f74c
Compare
h-artzi
force-pushed
the
conjurctl_load_host_and_user
branch
3 times, most recently
from
b491c48 to
238df9a
Compare
h-artzi
force-pushed
the
conjurctl_load_host_and_user
branch
2 times, most recently
from
a0f0634 to
8f490bd
Compare
lib/root_loader.rb
Outdated
|
|
||
| created_roles = accepted_roles.each_with_object({}) do |role, memo| | ||
| credentials = Credentials[role: role] || Credentials.create(role: role) | ||
| memo[role.id] = { id: role.id, api_key: credentials.api_key } |
There was a problem hiding this comment.
RootLoader#create_roles calls 'role.id' 2 times
lib/root_loader.rb
Outdated
| end | ||
| end | ||
|
|
||
| def create_roles policy_version |
There was a problem hiding this comment.
RootLoader#create_roles has approx 8 statements
There was a problem hiding this comment.
I just noticed this after approving, but per CC you should extract this:
loader = Loader::Orchestrate.new policy_version
loader.load
accepted_roles = loader.new_roles.select do |role|
%w(user host).member?(role.kind)
endinto an accepted_roles(policy_version) method.
h-artzi
force-pushed
the
conjurctl_load_host_and_user
branch
from
8f490bd to
ea9caf7
Compare
h-artzi
force-pushed
the
conjurctl_load_host_and_user
branch
2 times, most recently
from
1b4de2e to
ae2c656
Compare
lib/root_loader.rb
Outdated
| policy_version = policy_version(role: admin, policy: root_policy_resource, filename: filename) | ||
|
|
||
| accepted_roles = accepted_roles(policy_version) | ||
| create_roles(accepted_roles) |
There was a problem hiding this comment.
To avoid confusion with the method name, we should use something diff for the local var name:
acc_roles = accepted_roles(policy_version)
create_roles(acc_roles)
lib/root_loader.rb
Outdated
| @@ -23,19 +25,45 @@ def load account, filename | |||
| end | |||
|
|
|||
| root_policy_resource = Loader::Types.find_or_create_root_policy(account) | |||
| policy_version = policy_version(role: admin, policy: root_policy_resource, filename: filename) | |||
There was a problem hiding this comment.
split long line:
policy_version = policy_version(
role: admin,
policy: root_policy_resource,
filename: filename
)and per other comment, use something different from local var name than the method name, policy_ver or something.
h-artzi
changed the title
h-artzi
changed the title
| policy_version.perform_automatic_deletion = | ||
| policy_version.delete_permitted = | ||
| policy_version.update_permitted = true | ||
| policy_version.save |
There was a problem hiding this comment.
What's happening here? It looks like something went wrong...
There was a problem hiding this comment.
Just being naughty and seeing if reek would complain. 🤭
Was trying a multiple assignment to get around the statement limit.
There was a problem hiding this comment.
And I would have gotten away with it too if it wasn't for that darn indentation warning! 🐕
There was a problem hiding this comment.
hahahahaha
This is a clear case where reek may be ignored. BUT.... the deeper reason it's throwing the warning is because the API for PolicyVersion.new uses the "create and configure" pattern, which is poor and should be avoided. Instead the constructor should take a hash and return an immutable object.
Also, what does the dog emoji mean?
There was a problem hiding this comment.
[true] * 3
😆 😆
I think it's time to admit defeat and just ignore the CC error.
There was a problem hiding this comment.
Hah yeah I jokingly suggested [true] * 3 to Hadar too. 😂
The dog emoji was a reference to Scooby Doo's "and I would have gotten away with it too if it wasn't for you darn kids!" 😄
h-artzi
force-pushed
the
conjurctl_load_host_and_user
branch
2 times, most recently
from
0cd9b69 to
68a3d37
Compare
h-artzi
force-pushed
the
conjurctl_load_host_and_user
branch
from
68a3d37 to
497873f
Compare
|
Code Climate has analyzed commit 497873f and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 75.8% (50% is the threshold). This pull request will bring the total coverage in the repository to 85.4% (0.0% change). View more on Code Climate. |
What does this PR do?
When using conjurctl to load a policy, it failed to create role credentials. This PR allows the creation of roles.
What ticket does this PR close?
dap-support/#80
How to test?
Check the ticket and run it locally with the appropriate image. It is expected to successfully run and output the created roles.
Checklists
Change log
Test coverage
Note: I am not sure that this should be a supported feature in the future.
Follow-on issues