-
Notifications
You must be signed in to change notification settings - Fork 20
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[uss_qualifier/netrid] fix #244; rename server_id to participant_id; some refactorings and fixes #247
Conversation
@@ -167,7 +167,7 @@ def _evaluate_and_test_authentication( | |||
no flights were yet returned by the authenticated queries. | |||
""" | |||
|
|||
with self.check("Missing credentials") as check: | |||
with self.check("Missing credentials", [self._dss.participant_id]) as check: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
When we query all_flights below, that operation first queries the DSS to identify which Service Providers need to be queried, and then it queries all the Service Providers. The unauthenticated session is then used to repeat the uss_flight_queries (the queries to all the Service Providers). If one of the Service Providers incorrectly allows an unauthenticated request, the provider of the DSS (self._dss.participant_id
) isn't the participant that failed the requirement. Likewise, if the unauthenticated queries to each Service Provider are all correctly rejected, we haven't shown the DSS provider's compliance to the requirement. The participants identified in a check should correspond to the participants we are verifying comply (or rather, don't fail to comply) with a requirement. In this case, we're checking whether each Service Provider complies with the requirement to only allow authenticated requests.
The with
syntax for the check is just an abbreviation for "if I didn't record_failed
in this block, then record_passed
when I exit the block". So, when the block exits, we will currently record that the DSS provider passed this check if no USSs failed the check. If any USSs failed the check, we will not record that the DSS provided passed this check. I don't think that's what we want.
I think we want to keep the with
check blocks as small as practical in general -- ideally just a single if
statement. It's not necessarily bad to perform a lot of actions in the check block, but I think it does make it more challenging to reason about what will be indicated in the report under various circumstances.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Indeed, I went over this a bit too quickly.
I updated the PR so the check is now within the for-loop. The check is now also attached to the server_id
with which the request was tagged.
I was considering adding a separate check stating "DSS can successfully be queried", but the misbheavior.py
test is actually about testing SP's so I figured I'd rather not add a check mentioning the DSS?
edit: though I just noticed that the query is not properly tagged anyway, and that there's a bit more work required to map queries back to the relevant USS
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was considering adding a separate check stating "DSS can successfully be queried", but the misbheavior.py test is actually about testing SP's so I figured I'd rather not add a check mentioning the DSS?
Whenever someone might fail to meet a requirement, especially one that would affect the behavior of the test, it's probably worth making a check for that. In this case, the DSS provider is important to the test and we probably want fail something if we can't get information from the DSS. So, I think it's worth having an explicit check that applies to the DSS provider which fails if we can't get the information (and therefore can't proceed with the test), even though the DSS provider is not the primary focus of this test.
8f53270
to
cbe7e08
Compare
Taking this back to |
f721f83
to
9e27793
Compare
@BenjaminPelletier this is ready for another pass of review. This PR grew a little bit: I found out that quite a few queries were getting attributed to the wrong participants in The suggested change is to solve this with some additional configuration information. The test suite might fail because there are some unattributed queries that are detected in the aggregated checks, and I still need to check if these can be ignored or not (they involve |
monitoring/monitorlib/fetch/rid.py
Outdated
@@ -1163,7 +1164,7 @@ def all_flights( | |||
session: UTMClientSession, | |||
dss_base_url: str = "", | |||
enhanced_details: bool = False, | |||
server_id: Optional[str] = None, | |||
dss_server_id: Optional[str] = None, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Note: did a few renames here and there to make certain things clearer.
@@ -41,25 +41,27 @@ class NetRIDServiceProvidersSpecification(ImplicitDict): | |||
|
|||
class NetRIDServiceProvider(object): | |||
participant_id: str | |||
base_url: str | |||
client: infrastructure.UTMClientSession | |||
injection_base_url: str |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Here the rename is to indicate that this is the URL used to inject flights, nothing more.
(Any place I found where this is set, this was the case, but please correct me if I got the intent wrong).
The rename should reduce the chances that anyone gets tempted by using this to match queries to SP's :)
base_url: str | ||
client: infrastructure.UTMClientSession | ||
injection_base_url: str | ||
flights_injection_client: infrastructure.UTMClientSession |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same for the client/session: I guess it might work to query other endpoints on an SP but it does not seem to be its purpose.
I made a pass on this PR to in order to finalize it. I ended up doing a bit more though:
There is actually more I wanted to do because I find that |
injected_flights, observed_flights | ||
) | ||
|
||
# TODO: a better approach here would be to separately map flights URL to participant IDs based on all TelemetryMapping encountered, and set retroactively the participant ID on all queries |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍
…some refactorings and fixes (#247) * [uss_qualifier] attach participant id to net0210 check, fix Issue #244 * rename server_id -> participant_id * factor out polling; refactor some parts of scenarios * add aud override in NoAuth * fix participant_id setter * fix several issues * fix small issues * add TODO --------- Co-authored-by: Mickaël Misbach <[email protected]> Co-authored-by: Mickaël Misbach <[email protected]> 9753ad1
This should address Issue #244.
It also updates the markdown doc for this check, which was erroneously referencing NET0500 instead of NET0210