[CDF-23264] 🙊 Auth verify Warning (#1213)
* fix: ignore unknown capabilities

* build: changelog
doctrino authored Nov 19, 2024
1 parent 3ac9159 commit 3387267
Showing 2 changed files with 64 additions and 41 deletions.
4 changes: 4 additions & 0 deletions CHANGELOG.cdf-tk.md
Expand Up @@ -24,6 +24,10 @@ Changes are grouped as follows:
specific, in the hierarchy over more general variables.
- [Alpha feature] `cdf build` will no longer copy content `YAML` files to the build directory.

### Improved

- The `cdf auth verify` no longer gives UserWarning is the user has unknown capabilities.

## [0.3.10] - 2024-11-14

### Fixed
101 changes: 60 additions & 41 deletions cognite_toolkit/_cdf_tk/commands/auth.py
Expand Up @@ -14,6 +14,7 @@
from __future__ import annotations

import time
import warnings
from collections import defaultdict
from time import sleep

Expand Down Expand Up @@ -260,11 +261,17 @@ def _check_missing_capabilities(
is_interactive: bool,
) -> list[Capability]:
print(f"\nChecking if the {existing_group.name} has the all required capabilities...")
missing_capabilities = ToolGlobals.toolkit_client.iam.compare_capabilities(
existing_group.capabilities or [],
toolkit_group.capabilities or [],
project=ToolGlobals.project,
)
with warnings.catch_warnings():
# If the user has unknown capabilities, we don't want the user to see the warning:
# "UserWarning: Unknown capability '<unknown warning>' will be ignored in comparison"
# This is irrelevant for the user as we are only checking the capabilities below
# (triggered by the verify_authorization calls)
warnings.simplefilter("ignore")
missing_capabilities = ToolGlobals.toolkit_client.iam.compare_capabilities(
existing_group.capabilities or [],
toolkit_group.capabilities or [],
project=ToolGlobals.project,
)
if not missing_capabilities:
print(f" [bold green]OK[/] - The {existing_group.name} has all the required capabilities.")
return []
Expand Down Expand Up @@ -302,11 +309,17 @@ def _update_missing_capabilities(
else:
updated_toolkit_group.capabilities.extend(missing_capabilities)

adding = ToolGlobals.toolkit_client.iam.compare_capabilities(
existing_group.capabilities or [],
updated_toolkit_group.capabilities or [],
project=ToolGlobals.project,
)
with warnings.catch_warnings():
# If the user has unknown capabilities, we don't want the user to see the warning:
# "UserWarning: Unknown capability '<unknown warning>' will be ignored in comparison"
# This is irrelevant for the user as we are only checking the capabilities below
# (triggered by the verify_authorization calls)
warnings.simplefilter("ignore")
adding = ToolGlobals.toolkit_client.iam.compare_capabilities(
existing_group.capabilities or [],
updated_toolkit_group.capabilities or [],
project=ToolGlobals.project,
)
adding = self._merge_capabilities(adding)
capability_str = "capabilities" if len(adding) > 1 else "capability"
if dry_run:
Expand Down Expand Up @@ -400,44 +413,50 @@ def check_has_group_access(self, ToolGlobals: CDFToolConfig) -> None:
"Checking basic project and group manipulation access rights "
"(projectsAcl: LIST, READ and groupsAcl: LIST, READ, CREATE, UPDATE, DELETE)..."
)
try:
ToolGlobals.verify_authorization(
[
ProjectsAcl([ProjectsAcl.Action.List, ProjectsAcl.Action.Read], ProjectsAcl.Scope.All()),
GroupsAcl(
[
GroupsAcl.Action.Read,
GroupsAcl.Action.List,
GroupsAcl.Action.Create,
GroupsAcl.Action.Update,
GroupsAcl.Action.Delete,
],
GroupsAcl.Scope.All(),
),
]
)
print(" [bold green]OK[/]")
except AuthorizationError:
self.warn(
HighSeverityWarning(
"The service principal/application configured for this client "
"does not have the basic group write access rights."
)
)
print("Checking basic group read access rights (projectsAcl: LIST, READ and groupsAcl: LIST, READ)...")
with warnings.catch_warnings():
# If the user has unknown capabilities, we don't want the user to see the warning:
# "UserWarning: Unknown capability '<unknown warning>' will be ignored in comparison"
# This is irrelevant for the user as we are only checking the capabilities below
# (triggered by the verify_authorization calls)
warnings.simplefilter("ignore")
try:
ToolGlobals.verify_authorization(
capabilities=[
[
ProjectsAcl([ProjectsAcl.Action.List, ProjectsAcl.Action.Read], ProjectsAcl.Scope.All()),
GroupsAcl([GroupsAcl.Action.Read, GroupsAcl.Action.List], GroupsAcl.Scope.All()),
GroupsAcl(
[
GroupsAcl.Action.Read,
GroupsAcl.Action.List,
GroupsAcl.Action.Create,
GroupsAcl.Action.Update,
GroupsAcl.Action.Delete,
],
GroupsAcl.Scope.All(),
),
]
)
print(" [bold green]OK[/] - can continue with checks.")
print(" [bold green]OK[/]")
except AuthorizationError:
raise AuthorizationError(
"Unable to continue, the service principal/application configured for this client does not"
" have the basic read group access rights."
self.warn(
HighSeverityWarning(
"The service principal/application configured for this client "
"does not have the basic group write access rights."
)
)
print("Checking basic group read access rights (projectsAcl: LIST, READ and groupsAcl: LIST, READ)...")
try:
ToolGlobals.verify_authorization(
capabilities=[
ProjectsAcl([ProjectsAcl.Action.List, ProjectsAcl.Action.Read], ProjectsAcl.Scope.All()),
GroupsAcl([GroupsAcl.Action.Read, GroupsAcl.Action.List], GroupsAcl.Scope.All()),
]
)
print(" [bold green]OK[/] - can continue with checks.")
except AuthorizationError:
raise AuthorizationError(
"Unable to continue, the service principal/application configured for this client does not"
" have the basic read group access rights."
)

def check_identity_provider(self, ToolGlobals: CDFToolConfig, cdf_project: str) -> None:
print("Checking identity provider settings...")
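Review bot: The three new `with warnings.catch_warnings():` blocks (in `_check_missing_capabilities`, `_update_missing_capabilities` and `check_has_group_access`) call `warnings.simplefilter("ignore")`, which silences every warning category raised inside them, not only the unknown-capability `UserWarning` the comment describes. In an authorization check that can hide unrelated SDK warnings an operator would want to see. A scoped filter keeps the intent, e.g. `warnings.filterwarnings("ignore", message="Unknown capability", category=UserWarning)`, assuming the message starts with the text quoted in the comment. In `check_has_group_access` the block appears to enclose the `self.warn(HighSeverityWarning(...))` call as well (indentation is not visible on this page, and the function bodies start outside the hunks); if `warn` is routed through the `warnings` module, the missing-write-access warning would also be suppressed, so that is worth confirming. The copied comment also says the warning is "triggered by the verify_authorization calls" at the two `compare_capabilities` sites, where it should name `compare_capabilities`.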
