[Automate-2942] Add missing "required" field constraints (#3197)

* Make proto fields required

These interservice protos now match the documented required fields
in the gateway protos.
Documentation for options is at https://github.com/envoyproxy/protoc-gen-validate

Signed-off-by: michael sorens <[email protected]>

* Standardize required string check with min_len

Signed-off-by: michael sorens <[email protected]>

* PR bonus

Fix error message

Signed-off-by: michael sorens <[email protected]>

* Revert checks for enum

The gateway has a check for this that occurs first,
and even with grpcurl there seems to be a built-in check,
so this is not needed.

Signed-off-by: michael sorens <[email protected]>

* Test fixes

Signed-off-by: michael sorens <[email protected]>

* Revert "Standardize required string check with min_len"

This reverts commit 9f33b09.

* Change empty string detection to non-whitespace

That way we are also disallowing just whitespace entries

Signed-off-by: michael sorens <[email protected]>

* Revert "Change empty string detection to non-whitespace"

This reverts commit 13bfc26.
Reason:
ugly message on the command line with `\\S`:
  "error": "invalid CreateTeamReq.Name: value does not match regex pattern \"\\\\S\"",

* Revert "Revert "Standardize required string check with min_len""

This reverts commit 59406ef.

* Regenerate from protos

Signed-off-by: michael sorens <[email protected]>

* Test correction

Moving whitespace check into service itself
due to ugly error at proto level:
 "error": "invalid CreateTeamReq.Name: value does not match regex pattern \"\\\\S\"",

Signed-off-by: michael sorens <[email protected]>

* Add field checking consistency

After gateway proto-level validation,
some errors (notably an all-whitespace value)
are now handled more consitently

Signed-off-by: michael sorens <[email protected]>

* Fix integration test

Name is now required on an update

Signed-off-by: michael sorens <[email protected]>

* Revert min_len checks

Want the services to handle this themselves
for a better error message.
Instead of:
value length must be at least 1 runes
will get this:
a team name is required and must contain at least one non-whitespace character"

Signed-off-by: michael sorens <[email protected]>

* Regenerate from protos

Signed-off-by: michael sorens <[email protected]>

* Complete validate*Input for authz, authn, teams

This actually covers:
tokens, policies, projects, roles, rules, and teams.

Signed-off-by: michael sorens <[email protected]>

* Standardize local user service

Signed-off-by: michael sorens <[email protected]>

* Regenerate from user protos

Signed-off-by: michael sorens <[email protected]>

* Fix unit test

Signed-off-by: michael sorens <[email protected]>

* Correct error codes

Set explicitly to InvalidArgument instead of
default InternalError.
(Authz calls already include InvalidArgument wrapper.)

Signed-off-by: michael sorens <[email protected]>

Author: msorens

api/interservice/authn/auth_test.go

@@ -16,73 +16,90 @@ func TestGeneratedProtobufUpToDate(t *testing.T) {
 func TestValidationCreateTokenID(t *testing.T) {
 	negativeCases := map[string]*authn.CreateTokenReq{
 		"with uppercase characters": &authn.CreateTokenReq{
-			Id:       "TestID",
-			Projects: []string{"project1", "project2"},
+			Id:          "TestID",
+			Description: "description",
+			Projects:    []string{"project1", "project2"},
 		},
 		"with non-dash characters": &authn.CreateTokenReq{
-			Id:       "test#space",
-			Projects: []string{"project1", "project2"},
+			Id:          "test#space",
+			Description: "description",
+			Projects:    []string{"project1", "project2"},
 		},
 		"with spaces": &authn.CreateTokenReq{
-			Id:       "test space",
-			Projects: []string{"project1", "project2"},
+			Id:          "test space",
+			Description: "description",
+			Projects:    []string{"project1", "project2"},
 		},
 		"whitespace projects list": &authn.CreateTokenReq{
-			Id:       "valid-id",
-			Projects: []string{"     ", "test"},
+			Id:          "valid-id",
+			Description: "description",
+			Projects:    []string{"     ", "test"},
 		},
 		"repeated projects in list": &authn.CreateTokenReq{
-			Id:       "valid-id",
-			Projects: []string{"repeat", "repeat"},
+			Id:          "valid-id",
+			Description: "description",
+			Projects:    []string{"repeat", "repeat"},
 		},
 		"project has invalid characters": &authn.CreateTokenReq{
-			Id:       "valid-id",
-			Projects: []string{"valid", "wrong~"},
+			Id:          "valid-id",
+			Description: "description",
+			Projects:    []string{"valid", "wrong~"},
 		},
 		"project has spaces": &authn.CreateTokenReq{
-			Id:       "valid-id",
-			Projects: []string{"valid", "wrong space"},
+			Id:          "valid-id",
+			Description: "description",
+			Projects:    []string{"valid", "wrong space"},
 		},
 		"project is too long": &authn.CreateTokenReq{
-			Id:       "valid-id",
-			Projects: []string{"much-too-long-longest-word-in-english-pneumonoultramicroscopicsilicovolcanoconiosis", "valid"},
+			Id:          "valid-id",
+			Description: "description",
+			Projects:    []string{"much-too-long-longest-word-in-english-pneumonoultramicroscopicsilicovolcanoconiosis", "valid"},
 		},
 	}
 	positiveCases := map[string]*authn.CreateTokenReq{
 		"projects are missing": &authn.CreateTokenReq{
-			Id: "valid-id",
+			Id:          "valid-id",
+			Description: "description",
 		},
 		"underscore in IDs": &authn.CreateTokenReq{
-			Id:       "valid_id",
-			Projects: []string{"project_1", "project_2"},
+			Id:          "valid_id",
+			Description: "description",
+			Projects:    []string{"project_1", "project_2"},
 		},
 		"with no characters": &authn.CreateTokenReq{
-			Id:       "",
-			Projects: []string{"project1", "project2"},
+			Id:          "",
+			Description: "description",
+			Projects:    []string{"project1", "project2"},
 		},
 		"with ID all lowercase": &authn.CreateTokenReq{
-			Id:       "test",
-			Projects: []string{"project1", "project2"},
+			Id:          "test",
+			Description: "description",
+			Projects:    []string{"project1", "project2"},
 		},
 		"with ID that has dashes": &authn.CreateTokenReq{
-			Id:       "-test-with-dashes-",
-			Projects: []string{"project1", "project2"},
+			Id:          "-test-with-dashes-",
+			Description: "description",
+			Projects:    []string{"project1", "project2"},
 		},
 		"with ID that has dashes and numbers": &authn.CreateTokenReq{
-			Id:       "1-test-with-1-and-dashes-0",
-			Projects: []string{"project1", "project2"},
+			Id:          "1-test-with-1-and-dashes-0",
+			Description: "description",
+			Projects:    []string{"project1", "project2"},
 		},
 		"with ID that has only numbers": &authn.CreateTokenReq{
-			Id:       "1235",
-			Projects: []string{"project1", "project2"},
+			Id:          "1235",
+			Description: "description",
+			Projects:    []string{"project1", "project2"},
 		},
 		"with a single project": &authn.CreateTokenReq{
-			Id:       "1235",
-			Projects: []string{"project1"},
+			Id:          "1235",
+			Description: "description",
+			Projects:    []string{"project1"},
 		},
 		"projects are empty": &authn.CreateTokenReq{
-			Id:       "valid-id",
-			Projects: []string{},
+			Id:          "valid-id",
+			Description: "description",
+			Projects:    []string{},
 		},
 	}
 

api/interservice/authz/v2/policy.pb.go

@@ -25,7 +25,7 @@ message Role {
 
 message CreatePolicyReq {
     string id = 1 [(validate.rules).string.pattern = "^[a-z0-9-_]{1,64}$"];
-    string name = 2 [(validate.rules).string.min_len = 1];
+    string name = 2;
     repeated string members = 3 [(validate.rules).repeated = {
         unique: true,
         items: {
@@ -133,6 +133,7 @@ message ReplacePolicyMembersResp {
 message AddPolicyMembersReq {
     string id = 1 [(validate.rules).string.pattern = "^[a-z0-9-_]{1,64}$"];
     repeated string members = 2 [(validate.rules).repeated = {
+        min_items: 1,
         unique: true,
         items: {
             string: {
@@ -168,16 +169,16 @@ message ListRolesResp {
 }
 
 message DeleteRoleReq {
-    string id = 1
-    [(validate.rules).string.pattern = "^[a-z0-9-_]{1,64}$"];
+    string id = 1 [(validate.rules).string.pattern = "^[a-z0-9-_]{1,64}$"];
 }
 message DeleteRoleResp {}
 
 message UpdateRoleReq {
     string id = 1 [(validate.rules).string.pattern = "^[a-z0-9-_]{1,64}$"];
-    string name = 2 [(validate.rules).string.pattern = "\\S"];
+    string name = 2;
     repeated string actions = 3
     [(validate.rules).repeated = {
+      min_items: 1,
       unique: true,
       // this RE means:  * OR *:verb OR svc:type:verb OR svc:* OR svc:*:verb OR svc:type:*
       items: {
@@ -206,6 +207,7 @@ message ListPolicyMembersResp {
 message RemovePolicyMembersReq {
     string id = 1 [(validate.rules).string.pattern = "^[a-z0-9-_]{1,64}$"];
     repeated string members = 2 [(validate.rules).repeated = {
+        min_items: 1,
         unique: true,
         items: {
             string: {
@@ -239,12 +241,11 @@ message GetRoleReq {
 }
 
 message CreateRoleReq {
-    string id = 1
-      [(validate.rules).string.pattern = "^[a-z0-9-_]{1,64}$"];
-    string name = 2
-      [(validate.rules).string.pattern = "\\S"];;
+    string id = 1 [(validate.rules).string.pattern = "^[a-z0-9-_]{1,64}$"];
+    string name = 2;
     repeated string actions = 3
       [(validate.rules).repeated = {
+        min_items: 1,
         unique: true,
         // this RE means:  * OR *:verb OR svc:type:verb OR svc:* OR svc:*:verb OR svc:type:*
         items: {

api/interservice/authz/v2/policy.pb.validate.go

@@ -650,69 +650,66 @@ func TestValidationCreateRole(t *testing.T) {
 		"empty ID": &v2.CreateRoleReq{
 			Id:       "",
 			Name:     "name of my team",
+			Actions:  []string{"cfgmgmt:nodes:*"},
 			Projects: []string{"test"},
 		},
 		"invalid ID": &v2.CreateRoleReq{
 			Id:       "i d !",
 			Name:     "name of my team",
+			Actions:  []string{"cfgmgmt:nodes:*"},
 			Projects: []string{"test"},
 		},
 		"whitespace ID": &v2.CreateRoleReq{
 			Id:       "      ",
 			Name:     "name of my team",
+			Actions:  []string{"cfgmgmt:nodes:*"},
 			Projects: []string{"test"},
 		},
 		"missing ID": &v2.CreateRoleReq{
 			Name:     "name of my team",
-			Projects: []string{"test"},
-		},
-		"empty Name": &v2.CreateRoleReq{
-			Id:       "test",
-			Name:     "",
-			Projects: []string{"test"},
-		},
-		"whitespace Name": &v2.CreateRoleReq{
-			Id:       "test",
-			Name:     "          ",
-			Projects: []string{"test"},
-		},
-		"missing Name": &v2.CreateRoleReq{
-			Id:       "test",
+			Actions:  []string{"cfgmgmt:nodes:*"},
 			Projects: []string{"test"},
 		},
 		"ID contains invalid characters": &v2.CreateRoleReq{
 			Id:       "invalid~~~",
 			Name:     "this is valid ~ fun characters",
+			Actions:  []string{"cfgmgmt:nodes:*"},
 			Projects: []string{"test", "test-2"},
 		},
 		"ID contains whitespace": &v2.CreateRoleReq{
 			Id:       "invalid id",
 			Name:     "this is valid ~ fun characters",
+			Actions:  []string{"cfgmgmt:nodes:*"},
 			Projects: []string{"test", "test-2"},
 		},
 		"whitespace projects list": &v2.CreateRoleReq{
 			Id:       "this-is-valid-1",
 			Name:     "name of my team ~ fun characters 1 %",
+			Actions:  []string{"cfgmgmt:nodes:*"},
 			Projects: []string{"     ", "test"},
 		},
 		"repeated projects in list": &v2.CreateRoleReq{
 			Id:       "this-is-valid-1",
 			Name:     "name of my team ~ fun characters 1 %",
+			Actions:  []string{"cfgmgmt:nodes:*"},
 			Projects: []string{"repeat", "repeat"},
 		},
 		"Project has invalid characters": &v2.CreateRoleReq{
 			Id:       "this-is-valid-1",
 			Name:     "name of my team ~ fun characters 1 %",
+			Actions:  []string{"cfgmgmt:nodes:*"},
 			Projects: []string{"valid", "wrong~"},
 		},
 		"Project has spaces": &v2.CreateRoleReq{
 			Id:       "this-is-valid-1",
 			Name:     "name of my team ~ fun characters 1 %",
+			Actions:  []string{"cfgmgmt:nodes:*"},
 			Projects: []string{"valid", "wrong space"},
 		},
 		"project has uppercase characters": &v2.CreateRoleReq{
 			Id:       "this-is-valid-1",
 			Name:     "name of my team ~ fun characters 1 %",
+			Actions:  []string{"cfgmgmt:nodes:*"},
 			Projects: []string{"valid", "PROJECT1"},
 		},
 	}
@@ -721,16 +718,19 @@ func TestValidationCreateRole(t *testing.T) {
 		"alphanumeric IDs allowed": &v2.CreateRoleReq{
 			Id:       "asdf-123-fun",
 			Name:     "this is valid ~ fun characters",
+			Actions:  []string{"cfgmgmt:nodes:*"},
 			Projects: []string{"test", "test-2"},
 		},
 		"empty projects list": &v2.CreateRoleReq{
 			Id:       "this-is-valid-1",
 			Name:     "name of my team ~ fun characters 1 %",
+			Actions:  []string{"cfgmgmt:nodes:*"},
 			Projects: []string{},
 		},
 		"missing projects list": &v2.CreateRoleReq{
-			Id:   "this-is-valid-1",
-			Name: "name of my team ~ fun characters 1 %",
+			Id:      "this-is-valid-1",
+			Name:    "name of my team ~ fun characters 1 %",
+			Actions: []string{"cfgmgmt:nodes:*"},
 		},
 	}