Merge pull request #2888 from cyberark/CNJR-2102

Spike: adding/updating annotations via PUT/POST/PATCH
cyberark · Aug 21, 2023 · bf420cd · bf420cd
2 parents 956e8b6 + b1028a1
commit bf420cd
Show file tree

Hide file tree

Showing 17 changed files with 466 additions and 24 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -33,6 +33,9 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
   mitigates the possibility of a web worker becoming starved while waiting for
   a connection to become available.
   [cyberark/conjur#2875](https://github.com/cyberark/conjur/pull/2875)
+- Additive policy requests submitted via POST are rejected with a 400 status if
+  they attempt to update an existing resource.
+  [cyberark/conjur#2888](https://github.com/cyberark/conjur/pull/2888)
 
 ### Fixed
 - Support Authn-IAM regional requests when host value is missing from signed headers.

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
@@ -59,6 +59,7 @@ class UnprocessableEntity < RuntimeError
   rescue_from Sequel::ForeignKeyConstraintViolation, with: :foreign_key_constraint_violation
   rescue_from Conjur::PolicyParser::Invalid, with: :policy_invalid
   rescue_from Exceptions::InvalidPolicyObject, with: :policy_invalid
+  rescue_from Exceptions::DisallowedPolicyOperation, with: :disallowed_policy_operation
   rescue_from ArgumentError, with: :argument_error
   rescue_from ActionController::ParameterMissing, with: :argument_error
   rescue_from UnprocessableEntity, with: :unprocessable_entity
@@ -193,6 +194,17 @@ def policy_invalid e
     render(json: { error: error }, status: :unprocessable_entity)
   end
 
+  def disallowed_policy_operation e
+    logger.debug("#{e}\n#{e.backtrace.join("\n")}")
+
+    render(json: {
+      error: {
+        code: "disallowed_policy_operation",
+        message: e.message
+      }
+    }, status: :unprocessable_entity)
+  end
+
   def argument_error e
     logger.debug("#{e}\n#{e.backtrace.join("\n")}")
 

diff --git a/app/models/exceptions/disallowed_policy_operation.rb b/app/models/exceptions/disallowed_policy_operation.rb
@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+module Exceptions
+  class DisallowedPolicyOperation < RuntimeError
+
+    def initialize
+      super("Updating existing resource disallowed in additive policy operation")
+    end
+
+  end
+end
diff --git a/app/models/loader/create_policy.rb b/app/models/loader/create_policy.rb
@@ -16,7 +16,7 @@ def call
 
       @loader.delete_shadowed_and_duplicate_rows
 
-      @loader.store_policy_in_db
+      @loader.store_policy_in_db(reject_duplicates: true)
 
       @loader.release_db_connection
     end

diff --git a/app/models/loader/orchestrate.rb b/app/models/loader/orchestrate.rb
@@ -120,8 +120,9 @@ def delete_shadowed_and_duplicate_rows
     end
 
     # TODO: consider renaming this method
-    def store_policy_in_db
-      eliminate_duplicates_pk
+    def store_policy_in_db(reject_duplicates: false)
+      removed_duplicates_count = eliminate_duplicates_pk
+      raise Exceptions::DisallowedPolicyOperation if removed_duplicates_count.positive? && reject_duplicates
 
       insert_new
 
@@ -243,8 +244,9 @@ def eliminate_duplicates_exact
     end
 
     # Delete rows from the new policy which have the same primary keys as existing rows.
+    # Returns the total number of deleted rows.
     def eliminate_duplicates_pk
-      TABLES.each do |table|
+      TABLES.sum do |table|
         eliminate_duplicates(table, Array(model_for_table(table).primary_key) + [ :policy_id ])
       end
     end

diff --git a/config/environments/test.rb b/config/environments/test.rb
@@ -4,7 +4,7 @@
 require 'test/audit_sink'
 
 parallel_cuke_vars = {}
-parallel_cuke_vars['CONJUR_APPLIANCE_URL'] = "http://conjur#{ENV['TEST_ENV_NUMBER']}"
+parallel_cuke_vars['CONJUR_APPLIANCE_URL'] = ENV.fetch('CONJUR_APPLIANCE_URL', "http://conjur#{ENV['TEST_ENV_NUMBER']}")
 parallel_cuke_vars['DATABASE_URL'] = "postgres://postgres@pg#{ENV['TEST_ENV_NUMBER']}/postgres"
 parallel_cuke_vars['CONJUR_AUTHN_API_KEY'] = ENV["CONJUR_AUTHN_API_KEY#{ENV['TEST_ENV_NUMBER']}"]
 parallel_cuke_vars['AUTHN_LOCAL_SOCKET'] = ENV["AUTHN_LOCAL_SOCKET#{ENV['TEST_ENV_NUMBER']}"]

diff --git a/cucumber/_authenticators_common/features/support/env.rb b/cucumber/_authenticators_common/features/support/env.rb
@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 parallel_cuke_vars = {}
-parallel_cuke_vars['CONJUR_APPLIANCE_URL'] = "http://conjur#{ENV['TEST_ENV_NUMBER']}"
+parallel_cuke_vars['CONJUR_APPLIANCE_URL'] = ENV.fetch('CONJUR_APPLIANCE_URL', "http://conjur#{ENV['TEST_ENV_NUMBER']}")
 parallel_cuke_vars['DATABASE_URL'] = "postgres://postgres@pg#{ENV['TEST_ENV_NUMBER']}/postgres"
 parallel_cuke_vars['CONJUR_AUTHN_API_KEY'] = ENV["CONJUR_AUTHN_API_KEY#{ENV['TEST_ENV_NUMBER']}"]
 

diff --git a/cucumber/_authenticators_common/features/support/hooks.rb b/cucumber/_authenticators_common/features/support/hooks.rb
@@ -10,7 +10,7 @@
 # run independently.
 Before do
   parallel_cuke_vars = {}
-  parallel_cuke_vars['CONJUR_APPLIANCE_URL'] = "http://conjur#{ENV['TEST_ENV_NUMBER']}"
+  parallel_cuke_vars['CONJUR_APPLIANCE_URL'] = ENV.fetch('CONJUR_APPLIANCE_URL', "http://conjur#{ENV['TEST_ENV_NUMBER']}")
   parallel_cuke_vars['DATABASE_URL'] = "postgres://postgres@pg#{ENV['TEST_ENV_NUMBER']}/postgres"
   parallel_cuke_vars['CONJUR_AUTHN_API_KEY'] = ENV["CONJUR_AUTHN_API_KEY#{ENV['TEST_ENV_NUMBER']}"]