Closed oburstein-hub closed 4 years ago
@oburstein-hub few comments before i can review this:
value
in the printed message. Please write a use-case in the description (with an example policy) and what will be printed when it will be loaded.Also - if this error is raised to the user we need the message to be reviewed by a TW.
Hi Yivon Can you please tell if the following error message is good enough for the test case above: The error message is: "Duplicate attribute on type member"
@oburstein-hub thanks for addressing my requests!
Small nit - can you change the word "fix" to "Fix" in the commit message? We want capital letters in the beginning of commits.
@yserota please provide a message that will be sent to the user in case of the error described here.
Please note that another use-case is the following policy:
- !host host1
- !host host2
- !variable secret
- !group secret-consumers
- !permit
role: !group secret-consumers
role: !variable secret
In this case the role
attribute is duplicated and thus the policy load would fail.
@oburstein-hub can you please elaborate on the parameters of the scalar
method:
def scalar value, tag, quoted, anchor
It will help us to know what we can output to the user.
I think that Duplicated attribute <attribute> in <section> section
(e.g Duplicated attribute "member" in "permit" section`) will be a good start.
Hi @oburstein-hub I think I need more context to comment.
@yserota is the issue description not enough? You can go to the link stated there if it can help. i think it will give enough context
Hi @oburstein-hub , I'm just not sure what you want me to review. As I am not working on this feature, I need more context. Sorry to be a big pain.
Regarding parameters is scalar function: 'value' is the name of parameter (like 'member' in our case) 'tag' is a type of simple parameter (like '!host'). In case of 'member' it is empty 'quoted' means that the parameter is quoted - irrelevant for us
There is no simple way to retrieve the hierarchy under which 'member' is placed. From the the other side the generic error handling of conjur issues the line number in file where the problem is - and I think its good enough
Regarding parameters is scalar function: 'value' is the name of parameter (like 'member' in our case) 'tag' is a type of simple parameter (like '!host'). In case of 'member' it is empty
Thanks @oburstein-hub . In this case I think we can have only the value
in the log message.
What does this PR do? Is there any background context you want to provide?
This PR added validation on policy yaml file upon loading it to conjur Now members with same name under each hierarchy level are disallowed
Reconstruction Steps:
!variable secret
!group secret-consumers
!permit role: !group secret-consumers resource: !variable secret privilege: [ read, execute ]
!grant role: !group secret-consumers member: !host host1 member: !host host2
Load policy to the system using the following command: conjur policy load root policy.yaml
The expected result should be failure of loading policy with an appropriate error message describing that there are duplicate entries in policy and mentioning which of them The error message is: "Duplicate attribute on type member"
What ticket does this PR close?
https://github.com/cyberark/conjur/issues/1263
Where should the reviewer start? How should this functionality be validated?
The reviewer should look on the changes in handler.rb file - they implement a new validation