1
0
mirror of https://github.com/Unleash/unleash.git synced 2024-12-28 00:06:53 +01:00
Commit Graph

799 Commits

Author SHA1 Message Date
Jaanus Sellin
a4a604aebb
feat: application environment level warnings (#6407)
![image](https://github.com/Unleash/unleash/assets/964450/5e93dfd6-e1c0-48dd-a3c6-587889096510)
2024-03-01 14:09:55 +02:00
Mateusz Kwasniewski
1acb4bbb36
feat: outdated sdk detection (#6381) 2024-02-29 11:30:56 +01:00
Christopher Kolstad
0887999dd0
fix: setRolesForUser and setRolesForGroup role check (#6380)
In order to stop privilege escalation via
`/api/admin/projects/:project/users/:userId/roles` and
`/api/admin/projects/:project/groups/:groupId/roles` this PR adds the
same check we added to setAccess methods to the methods updating access
for these two methods.

Also adds tests that verify that we throw an exception if you try to
assign roles you do not have.

Thank you @nunogois for spotting this during testing.
2024-02-29 09:38:32 +01:00
Mateusz Kwasniewski
b82a650dab
feat: connected instances support query param for env (#6362) 2024-02-28 08:57:34 +01:00
Gastón Fournier
70499dc1d4
feat: allow api token middleware to fetch from db (#6344)
## About the changes
When edge is configured to automatically generate tokens, it requires
the token to be present in all unleash instances.
It's behind a flag which enables us to turn it on on a case by case
scenario.

The risk of this implementation is that we'd be adding load to the
database in the middleware that evaluates tokens (which are present in
mostly all our API calls. We only query when the token is missing but
because the /client and /frontend endpoints which will be the affected
ones are high throughput, we want to be extra careful to avoid DDoSing
ourselves

## Alternatives:
One alternative would be that we merge the two endpoints into one.
Currently, Edge does the following:
If the token is not valid, it tries to create a token using a service
account token and /api/admin/create-token endpoint. Then it uses the
token generated (which is returned from the prior endpoint) to query
/api/frontend. What if we could call /api/frontend with the same service
account we use to create the token? It may sound risky but if the same
application holding the service account token with permission to create
a token, can call /api/frontend via the generated token, shouldn't it be
able to call the endpoint directly?

The purpose of the token is authentication and authorization. With the
two tokens we are authenticating the same app with 2 different
authorization scopes, but because it's the same app we are
authenticating, can't we just use one token and assume that the app has
both scopes?

If the service account already has permissions to create a token and
then use that token for further actions, allowing it to directly call
/api/frontend does not necessarily introduce new security risks. The
only risk is allowing the app to generate new tokens. Which leads to the
third alternative: should we just remove this option from edge?
2024-02-27 16:08:44 +01:00
Mateusz Kwasniewski
91c08593a6
feat: app env instances api (#6339) 2024-02-26 14:27:44 +01:00
Jaanus Sellin
3b7b816b44
feat: application missing strategies (#6334)
Now also showing missing strategies, that SDK sends, but do not exist in
Unleash.
2024-02-26 12:59:50 +02:00
Jaanus Sellin
89d113f1ff
feat: application missing features backend (#6330)
This PR adds a property issues to application schema, and also adds all
the missing features that have been reported by SDK, but do not exist in
Unleash.
2024-02-26 12:26:01 +02:00
Jaanus Sellin
1633722877
feat: updating last seen now will create instance if does not exist (#6328) 2024-02-26 10:08:28 +02:00
Jaanus Sellin
fb63f21d8a
feat: project applications paging backend (#6312) 2024-02-22 15:35:16 +02:00
David Leek
adb6f61015
chore: proxy repository load features metrics (#6314)
## About the changes

- Adds createHistogram
- Adds histogram metrics for proxy-repositorys loading features
2024-02-22 14:29:21 +01:00
Jaanus Sellin
3c4457af00
feat: application overview backend (#6303) 2024-02-22 08:20:57 +02:00
Christopher Kolstad
e9d9db17fe
feat: Adding Project access requires same role (#6270)
In order to prevent users from being able to assign roles/permissions
they don't have, this PR adds a check that the user performing the
action either is Admin, Project owner or has the same role they are
trying to grant/add.

This addAccess method is only used from Enterprise, so there will be a
separate PR there, updating how we return the roles list for a user, so
that our frontend can only present the roles a user is actually allowed
to grant.

This adds the validation to the backend to ensure that even if the
frontend thinks we're allowed to add any role to any user here, the
backend can be smart enough to stop it.

We should still update frontend as well, so that it doesn't look like we
can add roles we won't be allowed to.
2024-02-20 15:56:53 +01:00
Ivar Conradi Østhus
4a81f0932f
fix: Allow AuthType None to use valid API tokens (#6247)
Fixes ##5799 and #5785

When you do not provide a token we should resolve to the "default"
environment to maintain backward compatibility. If you actually provide
a token we should prefer that and even block the request if it is not
valid.

An interesting fact is that "default" environment is not available on a
fresh installation of Unleash. This means that you need to provide a
token to actually get access to toggle configurations.


---------

Co-authored-by: Thomas Heartman <thomas@getunleash.io>
2024-02-16 08:24:56 +00:00
Jaanus Sellin
3d77825493
feat: project applications server side paging and sorting and filtering (#6236)
Uses exactly same pattern as search-store. Nothing too crazy here.
Most code is in tests.
2024-02-14 13:03:44 +02:00
Jaanus Sellin
5a75093cbc
feat: project applications e2e PoC (#6189)
1. Adding store layer
2. Updating schemas
3. Refactoring project files that I touched into feature oriented
architecture

Next steps E2E tests.
2024-02-12 16:00:59 +02:00
David Leek
ccd2fee4ee
feat: implement a store for stat_traffic_data (#6190)
## About the changes

Implements a new store for collected traffic data usage that connects to
the new table `stat_traffic_data` primary key'd on [day, trafficGroup,
status_code_series].

Day being a date
Traffic group being which endpoint is being counted for, ie /api/admin,
/api/frontend etc
Status code series grouping 2xx status responses and 304 into their
respective 200 / 300 series.

No service here, this is for pro/enterprise
2024-02-12 08:39:51 +01:00
Jaanus Sellin
4972b9686c
feat: project applications controller/service layer (#6184)
Just adding controller/service layer, connecting with schema.
Next PR will implement store and e2e tests.
2024-02-09 13:18:26 +02:00
Nuno Góis
4c1dfbefa7
chore: clean up customRootRolesKillSwitch (#6173)
https://linear.app/unleash/issue/2-1308/remove-customrootroleskillswitch-flag

Cleans up the `customRootRolesKillSwitch` flag.
2024-02-09 08:41:40 +00:00
Gastón Fournier
fa3352786a
chore: reimplementation of app stats (#6155)
## About the changes
App stats is mainly used to cap the number of applications reported to
Unleash based on the last 7 days information:
cc2ccb1134/src/lib/middleware/response-time-metrics.ts (L24-L28)

Instead of getting all stats, just calculate appCount statistics

Use scheduler service instead of setInterval
2024-02-08 17:15:42 +01:00
Gastón Fournier
067d130a8b
chore: memoizee active tokens (#6135)
## About the changes
getAllActive from api-tokens store is the second most frequent query

![image](https://github.com/Unleash/unleash/assets/455064/63c5ae76-bb62-41b2-95b4-82aca59a7c16)

To prevent starving our db connections, we can cache this data that
rarely changes and clear the cache when we see changes. Because we will
only clear changes in the node receiving the change we're only caching
the data for 1 minute.

This should give us some room to test if this solution will work

---------

Co-authored-by: Nuno Góis <github@nunogois.com>
2024-02-06 15:14:08 +01:00
Christopher Kolstad
3bea6bbd20
fix: filter out service and system users from inactive users list (#6134) 2024-02-05 16:41:51 +01:00
Christopher Kolstad
1da59abb2d
fix: inactive users query was too wide (#6133)
Knex wasn't formatting the query like I expected. This changes the query
to use more AND, less ORs
2024-02-05 14:31:04 +00:00
Christopher Kolstad
ea38877b0c
feat: List and delete inactive users
Adds a new Inactive Users list component to admin/users for easier cleanup of users that are counted as inactive: No sign of activity (logins or api token usage) in the last 180 days.

---------

Co-authored-by: David Leek <david@getunleash.io>
2024-02-05 14:07:38 +01:00
Nuno Góis
db0a0d7097
refactor: PATs (#6101)
https://linear.app/unleash/issue/SR-379/refactor-pats

This PR refactors PATs.

- Adds a new `createPatSchema`, which better aligns with
https://docs.getunleash.io/contributing/ADRs/overarching/separation-request-response-schemas
- Drops the model type and class in favor of using the schema types
directly, which is more consistent with the rest of the codebase and
easier to maintain
 - Misc scouting, improvement and fixes

This breaks Enterprise temporarily, but it's faster to move forward this
way.
2024-02-01 14:28:46 +00:00
David Leek
fcb8bf6918
chore: scheduled created-by migrations metrics (#6089)
## About the changes

the created_by_user_id data migration from resolving events.created_by
(for both events and features) now emits events on how many rows were
updated.

Adds listeners for these events that records these metrics with
prometheus


![image](https://github.com/Unleash/unleash/assets/707867/3bb02645-0919-4a9a-83fe-a07383ac0be1)
2024-01-31 12:30:42 +01:00
Thomas Heartman
73322f12f7
chore: remove detectSegmentUsageInChangeRequests flag (#6080)
What it says on the tin. Removes all uses of the
detectSegmentUsageInChangeRequests flag.
2024-01-31 17:24:35 +09:00
Mateusz Kwasniewski
55b2bb4813
feat: expose project time to production for project flag trends (#6068) 2024-01-30 13:28:20 +01:00
David Leek
9d2c65c9c0
chore: events created by userid migration (#6027)
## About the changes

Schedules a best-effort task setting the value of
events.created_by_user_id based on what is found in the created_by
column and if it's capable of resolving that to a userid/a system id.
The process is executed in the events-store, it takes a chunk of events
that haven't been processed yet, attempts to join users and api_tokens
tables on created_by = username/email, loops through and tries to figure
out an id to set. Then updates the record.

---------

Co-authored-by: Gastón Fournier <gaston@getunleash.io>
2024-01-30 08:22:53 +01:00
David Leek
e652af49af
chore: default the data migration flag for createdbyuserid to false (#6048)
## About the changes

Sets data migration of features and events created_by_user_id to
disabled by default

Map to promise and await all in created by user id migration for features
2024-01-29 08:07:33 +01:00
Mateusz Kwasniewski
9b281ca508
feat: stale flags count per project (#6043) 2024-01-26 12:04:43 +01:00
David Leek
c7f13aec0b
chore: implement created_by_user_id in features (#5994)
## About the changes

Adds a scheduled task that every 5 seconds updates 500 entries in the
features table setting `created_by_user_id`.
It does this by looking at the related event, checks created_by and
joins users table for match on username or email, and joins api_tokens
table on username matches. Then picks either a users id if set, or uses
-42 (admin token user)
2024-01-25 13:09:30 +01:00
andreas-unleash
89bea0d532
fix: clone variants (featureEnv and strategy) when cloning an env (#6026)
Fixes 2 bugs
- Strategy variants
- Feature env variants 
not being cloned when cloning an environment

Closes #
[SR-350](https://linear.app/unleash/issue/SR-350/cloning-environment-does-not-clone-variants-or-strategy-variants)

Manual test verifies the fix
<img width="1659" alt="Screenshot 2024-01-24 at 16 48 28"
src="https://github.com/Unleash/unleash/assets/104830839/ba9fc9b8-e792-47bb-b6e8-660350384ea8">
<img width="1408" alt="Screenshot 2024-01-24 at 16 48 10"
src="https://github.com/Unleash/unleash/assets/104830839/1e2d5287-35d0-42d2-9ab2-8caa313bd5a8">

---------

Signed-off-by: andreas-unleash <andreas@getunleash.ai>
2024-01-25 10:53:43 +02:00
Mateusz Kwasniewski
41351a694e
refactor: Instance stats service composition root (#6029) 2024-01-25 09:11:26 +01:00
Christopher Kolstad
17d826ddf4
task: Add banner encouraging edge upgrade (#6018)
Only triggers if there is any rows in client instances that have

    sdk_version: unleash-edge with version < 17.0.0

The function that checks this memoizes the check for 10 minutes to avoid
scanning the client instances table too often.
2024-01-24 14:22:48 +00:00
Tymoteusz Czech
68eb3dec07
fix: upgrade unleash-client to v5.3.0 (#5800) 2024-01-24 09:12:07 +01:00
Gastón Fournier
9f550331ce
chore: validate all tables have primary keys (#6005)
## About the changes
This is a helpful reminder to have primary keys in all our tables.

Related to [#4303](https://github.com/Unleash/unleash/issues/4303)
2024-01-23 16:38:16 +01:00
Gastón Fournier
b91df61994
chore: re use extract user methods (#5947)
## About the changes
1. Re-use existing methods in extract-user.ts:
70f6a07f2c/src/lib/features/events/event-service.ts (L93-L101)
2. Move event-service and event-store to features/event
3. Add export default in previous paths for backward compatibility:
70f6a07f2c/src/lib/services/event-service.ts (L1-L4)
and
70f6a07f2c/src/lib/db/event-store.ts (L1-L4)
2024-01-18 13:15:21 +01:00
Gastón Fournier
ceaaf3d0f3
feat: admin token calls get an admin token user (#5924)
## About the changes
Whenever we get a call from an admin token we want to associate it with
the [admin token
user](4d42093a07/src/lib/types/core.ts (L34-L41)).
This should give us the needed audit for this type of calls that
currently were lacking a user id (we only stored a string with the token
name in the event log).

We consciously decided not to use `id` as the property to prevent any
unforeseen side effects. The reason is that only `IUser` type has an id
and adding an id to `IApiUser` might lead to confusion.
2024-01-17 16:55:59 +01:00
Daniel Brooks
1392b10727
fix(import): making all imports relative and removing baseUrl (#5847)
Co-authored-by: Simon Hornby <liquidwicked64@gmail.com>
2024-01-17 15:33:03 +02:00
Jaanus Sellin
ee08bd8d42
chore(deps): update dependency @types/supertest to v6 (#5926)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-01-17 13:36:17 +02:00
Mateusz Kwasniewski
16691d72d7
refactor: metrics in feature oriented architecture (#5919) 2024-01-17 09:14:31 +01:00
Mateusz Kwasniewski
f6c0624869
feat: prevent double daily metrics insert (#5906) 2024-01-16 13:52:56 +01:00
Mateusz Kwasniewski
65eb8956e1
feat: Prometheus last day metrics (#5878) 2024-01-15 15:31:38 +01:00
Nuno Góis
1c84a81178
fix: include custom root roles in user access overview (#5898)
https://linear.app/unleash/issue/2-1844/fix-add-custom-root-roles-to-user-access-overview

I noticed our user access overview method did not take into account
custom root roles, which meant only users with default root roles were
being returned.

This changes the query to check for `IN ('root', 'root-custom')`
instead, including both "root" and "custom root" roles.


![image](https://github.com/Unleash/unleash/assets/14320932/aa808e8f-edc0-4a94-b59f-a8b619ae54ca)
2024-01-15 13:38:31 +00:00
Nuno Góis
0ba37e8622
feat: list all root roles in SSO config (#5887)
Lists all root roles in SSO config, including custom root roles.


![image](https://github.com/Unleash/unleash/assets/14320932/30114169-4184-4a22-9671-c7041b750d1c)
2024-01-15 13:13:29 +00:00
Mateusz Kwasniewski
8eb5a53ad9
feat: metrics calculation limit (#5853) 2024-01-12 12:32:31 +01:00
Christopher Kolstad
5a3bb1ffc3
Biome1.5.1 (#5867)
Lots of work here, mostly because I didn't want to turn off the
`noImplicitAnyLet` lint. This PR tries its best to type all the untyped
lets biome complained about (Don't ask me how many hours that took or
how many lints that was >200...), which in the future will force test
authors to actually type their global variables setup in `beforeAll`.

---------

Co-authored-by: Gastón Fournier <gaston@getunleash.io>
2024-01-12 09:25:59 +00:00
Nuno Góis
b496990f79
chore: add no unused imports biome rule (#5855)
Adds a Biome rule for "no unused imports", which is something we
sometimes have trouble catching.

We're adding this as a warning for now. It is safely and easily fixable
with `yarn lint:fix`.


![image](https://github.com/Unleash/unleash/assets/14320932/fd84dea8-6b20-4ba5-bfd8-047b9dcf2bff)

![image](https://github.com/Unleash/unleash/assets/14320932/990bb0b0-760a-4c5e-8136-d957e902bf0b)
2024-01-11 12:44:05 +00:00
Mateusz Kwasniewski
ca3b4c5057
feat: Metrics api returning daily data (#5830) 2024-01-11 10:39:41 +01:00