diff --git a/adr/0000-use-adr-in-directory.md b/adr/0000-use-adr-in-directory.md deleted file mode 100644 index 9e1a8857..00000000 --- a/adr/0000-use-adr-in-directory.md +++ /dev/null @@ -1,43 +0,0 @@ ---- -status: accepted -date: 2024-08-29 -decision: Use ADRs in the `adr` directory of the repo to document architectural decisions -author: '@jakedoublev' -deciders: ['@ryanulit', '@jrschumacher'] ---- - -# Use a ADR storage format that make diffs easier to read - -## Context and Problem Statement - -We've been using Github Issues to document ADR decisions, but it's hard to read the diffs when changes are made. We need a better way to store and manage ADRs. ADRs sometimes get updated and it's hard to track the changes and decision using the edit history dropdown or the comments section. - -## Decision Drivers - -- **Low barrier of entry**: A primary goal of our ADR process is to ensure decisions are captured. -- **Ease of management**: Make it easy to manage the ADRs. -- **Ensure appropriate tracking and review**: Make it easy to track and review the changes in the ADRs. - -## Considered Options - -1. Use Github Issues -2. Use Github Discussions -3. Use a shared ADR repository -4. Use an `adr` directory in the repo - -## Decision Outcome - -It was decided to use an `adr` directory in the repo to store ADRs. This approach provides a low barrier of entry for developers to document decisions and ensures that the decisions are tracked and reviewed appropriately. - -Additionally, this change does not impact other teams or repositories, and it is easy to manage and maintain. We can experiment with this decision and if it works promote it to other repositories. - -### Consequences - -- **Positive**: - - Low barrier of entry for developers to document decisions. - - Easy to manage and maintain. - - Ensures appropriate tracking and review of decisions via git history and code review. -- **Negative**: - - Requires developers to be aware of the ADR process and where to find the ADRs. - - May require additional tooling to manage and maintain the ADRs. - - May require additional training for developers to understand the ADR process and how to use it effectively. diff --git a/cmd/policy-attributes.go b/cmd/policy-attributes.go index 8de54501..5d63ab87 100644 --- a/cmd/policy-attributes.go +++ b/cmd/policy-attributes.go @@ -132,6 +132,7 @@ func policy_deactivateAttribute(cmd *cobra.Command, args []string) { defer h.Close() id := c.Flags.GetRequiredID("id") + force := c.Flags.GetOptionalBool("force") attr, err := h.GetAttribute(id) if err != nil { @@ -139,7 +140,9 @@ func policy_deactivateAttribute(cmd *cobra.Command, args []string) { cli.ExitWithError(errMsg, err) } - cli.ConfirmAction(cli.ActionDeactivate, "attribute", attr.GetName(), false) + if !force { + cli.ConfirmAction(cli.ActionDeactivate, "attribute", attr.GetName(), false) + } attr, err = h.DeactivateAttribute(id) if err != nil { @@ -371,6 +374,11 @@ func init() { deactivateDoc.GetDocFlag("id").Default, deactivateDoc.GetDocFlag("id").Description, ) + deactivateDoc.Flags().Bool( + deactivateDoc.GetDocFlag("force").Name, + false, + deactivateDoc.GetDocFlag("force").Description, + ) // unsafe actions on attributes unsafeCmd := man.Docs.GetCommand("policy/attributes/unsafe") diff --git a/docs/man/policy/attributes/deactivate.md b/docs/man/policy/attributes/deactivate.md index df8ac65e..cc2a5bf9 100644 --- a/docs/man/policy/attributes/deactivate.md +++ b/docs/man/policy/attributes/deactivate.md @@ -7,6 +7,8 @@ command: shorthand: i description: ID of the attribute required: true + - name: force + description: Force deactivation without interactive confirmation (dangerous) --- # Deactivate an attribute definition diff --git a/docs/man/policy/attributes/namespaces/deactivate.md b/docs/man/policy/attributes/namespaces/deactivate.md index b6237395..b173b034 100644 --- a/docs/man/policy/attributes/namespaces/deactivate.md +++ b/docs/man/policy/attributes/namespaces/deactivate.md @@ -8,7 +8,7 @@ command: description: ID of the attribute namespace required: true - name: force - description: Force deletion without interactive confirmation (dangerous) + description: Force deactivation without interactive confirmation (dangerous) --- # Deactivate an attribute namespace diff --git a/e2e/attributes.bats b/e2e/attributes.bats index b9d5e172..c7ee214a 100755 --- a/e2e/attributes.bats +++ b/e2e/attributes.bats @@ -2,18 +2,174 @@ # Tests for attributes -# Create attribute +setup_file() { + echo -n '{"clientId":"opentdf","clientSecret":"secret"}' > creds.json + export WITH_CREDS='--with-client-creds-file ./creds.json' + export HOST='--host http://localhost:8080' -# Get Attribute + # Create the namespace to be used by other tests -# Update attribute + export NS_NAME="testing-attr.co" + export NS_ID=$(./otdfctl $HOST $WITH_CREDS policy attributes namespaces create -n "$NS_NAME" --json | jq -r '.id') +} -# List attributes +# always create a randomly named attribute +setup() { + load "${BATS_LIB_PATH}/bats-support/load.bash" + load "${BATS_LIB_PATH}/bats-assert/load.bash" -# Deactivate Attribute + # invoke binary with credentials + run_otdfctl_attr () { + run sh -c "./otdfctl $HOST $WITH_CREDS policy attributes $*" + } -# Unsafe Reactivate + export ATTR_NAME_RANDOM=$(LC_ALL=C tr -dc 'a-zA-Z' < /dev/urandom | head -c 16) + export ATTR_ID=$(./otdfctl $HOST $WITH_CREDS policy attributes create --namespace "$NS_ID" --name "$ATTR_NAME_RANDOM" --rule ANY_OF -l key=value --json | jq -r '.id') +} -# Unsafe Delete +# always unsafely delete the created attribute +teardown() { + ./otdfctl $HOST $WITH_CREDS policy attributes unsafe delete --force --id "$ATTR_ID" +} -# Cleanup -- delete everything created here \ No newline at end of file +teardown_file() { + # remove the namespace + ./otdfctl $HOST $WITH_CREDS policy attributes namespaces unsafe delete --id "$NS_ID" --force + + # clear out all test env vars + unset HOST WITH_CREDS NS_NAME NS_ID ATTR_NAME_RANDOM +} + +@test "Create an attribute - With Values" { + run_otdfctl_attr create --name attrWithValues --namespace "$NS_ID" --rule HIERARCHY -v val1 -v val2 --json + assert_success + [ "$( echo "$output" | jq -r '.values[0].value' )" = "val1" ] + [ "$( echo "$output" | jq -r '.values[1].value' )" = "val2" ] +} + +@test "Create an attribute - Bad" { + # bad rule + run_otdfctl_attr create --name attr1 --namespace "$NS_ID" --rule NONEXISTENT + assert_failure + assert_output --partial "invalid attribute rule: NONEXISTENT, must be one of [ALL_OF, ANY_OF, HIERARCHY]" + + # missing flags + run_otdfctl_attr create --name attr1 --rule ALL_OF + assert_failure + run_otdfctl_attr create --name attr1 --namespace "$NS_ID" + assert_failure + run_otdfctl_attr create --rule HIERARCHY --namespace "$NS_ID" + assert_failure +} + +@test "Get an attribute definition - Good" { + LOWERED=$(echo "$ATTR_NAME_RANDOM" | awk '{print tolower($0)}') + + run_otdfctl_attr get --id "$ATTR_ID" + assert_success + assert_output --regexp "Id.*$ATTR_ID" + assert_output --regexp "Name.*$LOWERED" + assert_output --partial "ANY_OF" + assert_output --regexp "Namespace.*$NS_NAME" + + run_otdfctl_attr get --id "$ATTR_ID" --json + assert_success + [ "$(echo "$output" | jq -r '.id')" = "$ATTR_ID" ] + [ "$(echo "$output" | jq -r '.name')" = "$LOWERED" ] + [ "$(echo "$output" | jq -r '.rule')" = 2 ] + [ "$(echo "$output" | jq -r '.namespace.id')" = "$NS_ID" ] + [ "$(echo "$output" | jq -r '.namespace.name')" = "$NS_NAME" ] + [ "$(echo "$output" | jq -r '.metadata.labels.key')" = "value" ] +} + +@test "Get an attribute definition - Bad" { + # no id flag + run_otdfctl_attr get + assert_failure +} + +@test "Update an attribute definition (Safe) - Good" { + # replace labels + run_otdfctl_attr update --force-replace-labels -l key=somethingElse --id "$ATTR_ID" --json + assert_success + [ "$(echo $output | jq -r '.metadata.labels.key')" = "somethingElse" ] + + # extend labels + run_otdfctl_attr update -l other=testing --id "$ATTR_ID" --json + assert_success + [ "$(echo $output | jq -r '.metadata.labels.other')" = "testing" ] + [ "$(echo $output | jq -r '.metadata.labels.key')" = "somethingElse" ] +} + +@test "Update an attribute definition (Safe) - Bad" { + # no id + run_otdfctl_attr update + assert_failure +} + +@test "List attribute definitions" { + run_otdfctl_attr list + assert_success + assert_output --partial "$ATTR_ID" + + run_otdfctl_attr list --state active + assert_success + assert_output --partial "$ATTR_ID" + + run_otdfctl_attr list --state inactive + assert_success + refute_output --partial "$ATTR_ID" +} + +@test "Deactivate then unsafe reactivate an attribute definition" { + run_otdfctl_attr deactivate + assert_failure + + run_otdfctl_attr get --id "$ATTR_ID" --json + assert_success + [ "$(echo "$output" | jq -r '.active.value')" = true ] + + run_otdfctl_attr deactivate --id "$ATTR_ID" --force + assert_success + + run_otdfctl_attr get --id "$ATTR_ID" --json + assert_success + [ "$(echo "$output" | jq -r '.active')" = {} ] + + run_otdfctl_attr unsafe reactivate + assert_failure + + run_otdfctl_attr unsafe reactivate --id "$ATTR_ID" --force + assert_success + + run_otdfctl_attr get --id "$ATTR_ID" --json + assert_success + [ "$(echo "$output" | jq -r '.active.value')" = true ] +} + +@test "Unsafe Update an attribute definition" { + # create with two values + run_otdfctl_attr create --name created --namespace "$NS_ID" --rule HIERARCHY -v val1 -v val2 --json + CREATED_ID=$(echo "$output" | jq -r '.id') + VAL1_ID=$(echo "$output" | jq -r '.values[0].id') + VAL2_ID=$(echo "$output" | jq -r '.values[1].id') + + run_otdfctl_attr unsafe update --name updated --id "$CREATED_ID" --json --force + assert_success + run_otdfctl_attr get --id "$CREATED_ID" --json + assert_success + [ "$(echo "$output" | jq -r '.name')" = "updated" ] + + run_otdfctl_attr unsafe update --rule ALL_OF --id "$CREATED_ID" --json --force + assert_success + run_otdfctl_attr get --id "$CREATED_ID" --json + assert_success + [ "$(echo "$output" | jq -r '.rule')" = 1 ] + + run_otdfctl_attr unsafe update --id "$CREATED_ID" --json --values-order "$VAL2_ID" --values-order "$VAL1_ID" --force + assert_success + run_otdfctl_attr get --id "$CREATED_ID" --json + assert_success + [ "$(echo "$output" | jq -r '.values[0].value')" = "val2" ] + [ "$(echo "$output" | jq -r '.values[1].value')" = "val1" ] +} \ No newline at end of file