1
0
mirror of https://github.com/Unleash/unleash.git synced 2024-12-22 19:07:54 +01:00
Commit Graph

1009 Commits

Author SHA1 Message Date
Thomas Heartman
a51b47e956
openapi: update tag description (#4178)
Tiny PR to update the admin UI tag description, including a disclaimer
that it may change at any time.
2023-07-07 11:14:19 +00:00
Mateusz Kwasniewski
23981407ef
fix: validate min constraint values in openapi (#4179) 2023-07-07 12:41:48 +02:00
Jaanus Sellin
3c52550474
fix: bulk tags will work now with project permissions (#4177) 2023-07-07 11:55:13 +03:00
Simon Hornby
79dd508485
fix: project tokens can now be created with the correct permissions (#4165) 2023-07-06 15:47:03 +02:00
Mateusz Kwasniewski
d7b7d93533
feat: user openapi spec (#4162) 2023-07-06 15:27:43 +02:00
Thomas Heartman
46b4030d47
bug: mark descriptions on strategies as nullable (#4156)
This was omitted by mistake.

Fixes 1-1086
2023-07-06 13:39:23 +02:00
Christopher Kolstad
e22662e140
fix: add change-edited event 2023-07-06 13:11:09 +02:00
Christopher Kolstad
7130270058
fix: added service-account events (#4164)
We're using this in enterprise as well, so we need to add events that
could happen there as well.
2023-07-06 10:51:32 +00:00
Thomas Heartman
d49626133e
tests: don't use multiple expect.stringContaining in one statement (#4158)
Apparently Jest doesn't like it when you use multiple stringContaining
statements for one property. Only the last `stringContaining`
statement is evaluated while the others are ignored.

This means that a lot of these assertions were never checked. To fix
that, I've extracted them into separate assertions.
2023-07-06 11:09:59 +02:00
Christopher Kolstad
b04545c25f
docs: Events tag (#4152)
### What
This PR adds documentation for our endpoints that are covered by our
"Events" tag. It also adds a type for all valid events, and then uses
this as valid values for type argument.
2023-07-06 08:57:09 +00:00
Thomas Heartman
6d591fcd17
openapi: update API tokens tag (#4137)
This PR updates endpoints and schemas for the API tokens tag.

As part of that, they also handle oneOf openapi validation errors and improve the console output for the enforcer tests.
2023-07-06 07:30:31 +00:00
Mateusz Kwasniewski
79b34121a4
feat: openapi schema for user admin (#4146) 2023-07-06 08:24:46 +02:00
Simon Hornby
b0e4c8a57e
chore: remove group root role toggle (#4026) 2023-07-05 14:33:33 +02:00
Gastón Fournier
661cbf2b91
fix: some security vulnerabilities (#4143)
## About the changes
This should address:
https://github.com/Unleash/unleash/security/code-scanning/1,
https://github.com/Unleash/unleash/security/code-scanning/49 and
https://github.com/Unleash/unleash/security/code-scanning/52

Refs:
-
https://securitylab.github.com/research/github-actions-untrusted-input/
-
https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
- https://datatracker.ietf.org/doc/html/rfc5321#section-4.5.3.1.1

---------

Co-authored-by: Christopher Kolstad <chriswk@getunleash.ai>
2023-07-05 11:51:27 +02:00
Tymoteusz Czech
de8e9a03ae
Inline endpoint descriptions (#4145)
Update OpenApi docs
2023-07-05 11:25:58 +02:00
Christopher Kolstad
186fda1657
task: Add customHeaders as possible parameter. (#4139)
###What
Adds an optional sensitive parameter for customHeaders to all current
addons. It is sensitive because the user might be including api key headers.
2023-07-05 09:42:17 +02:00
Thomas Heartman
451c67a24b
refactor: use requestType instead of isAdmin, optionalIncludes (#4115)
This removes the burden of knowing what optionalIncludes is and also
prevents weird edge cases like isAdmin with optionalIncludes.
2023-07-05 09:32:42 +02:00
andreas-unleash
64c1527213
chore: document endpoint tagged Unstable (#4118)
Adds description and summary to all endpoints with Unstable tag
2023-07-04 14:41:16 +00:00
Thomas Heartman
f799f72697
openapi: strategies tag (#4116)
Update OpenAPI schemas and operation descriptions for the strategies
tag.
2023-07-04 14:21:09 +02:00
Christopher Kolstad
0b18491237
docs: Auth tag (#4126)
## What
This adds openapi documentation for the Auth tagged operations and
connected schemas.

## Discussion points
Our user schema seems to be exposing quite a bit of internal fields, I
flagged the isApi field as deprecated, I can imagine quite a few of
these fields also being deprecated to prepare for removal in next major
version, but I was unsure which ones were safe to do so with.

## Observation
We have some technical debt around the shape of the schema we're
claiming we're returning and what we actually are returning. I believe
@gastonfournier also observed this when we turned on validation for our
endpoints.

---------

Co-authored-by: Thomas Heartman <thomas@getunleash.ai>
2023-07-04 08:31:54 +00:00
Mateusz Kwasniewski
b50b06c257
feat: Frontend api openapi spec (#4133) 2023-07-03 15:48:09 +02:00
Gard Rimestad
608b1b9674
fix: SERVER_KEEPALIVE_TIMEOUT env variable should be seconds (#4130)
This changes SERVER_KEEPALIVE_TIMEOUT to take in seconds instead of
milliseconds.
2023-07-03 09:35:02 +02:00
Jaanus Sellin
b329084a69
chore: openapi docs for archive (#4127) 2023-06-30 15:22:08 +03:00
Nuno Góis
dc52c95787
refactor: clean up deprecated permissions (#4124)
https://linear.app/unleash/issue/2-1158/add-delete-migration-to-clean-up-no-longer-used-permissions

Cleans up the filter in https://github.com/Unleash/unleash/pull/4083 and
deletes the deprecated permissions from the database.
2023-06-30 11:15:11 +01:00
David Leek
78ba72d861
feat: remove experimental flag for telemetry (#4123)
<!-- Thanks for creating a PR! To make it easier for reviewers and
everyone else to understand what your changes relate to, please add some
relevant content to the headings below. Feel free to ignore or delete
sections that you don't think are relevant. Thank you! ❤️ -->

## About the changes
<!-- Describe the changes introduced. What are they and why are they
being introduced? Feel free to also add screenshots or steps to view the
changes if they're visual. -->

This removes the experimental feature flag that defaulted to turn off
telemetry collection
2023-06-30 11:27:54 +02:00
Thomas Heartman
4a4f14f69b
ux: return better error message if a segment doesn't exist (#4122)
Catch cases where the segment doesn't exist and populate that error
message with more info: it now says that a segment
with <id> doesn't exist instead of just 'No row'.
2023-06-30 09:02:24 +00:00
David Leek
3a14b97fdd
feat/telemetry opt out (#4035)
<!-- Thanks for creating a PR! To make it easier for reviewers and
everyone else to understand what your changes relate to, please add some
relevant content to the headings below. Feel free to ignore or delete
sections that you don't think are relevant. Thank you! ❤️ -->

## About the changes
<!-- Describe the changes introduced. What are they and why are they
being introduced? Feel free to also add screenshots or steps to view the
changes if they're visual. -->

Adds a UI that shows current status of version and feature usage
collection configuration, and a presence in the configuration menu +
menu bar.

Configuring these features is done by setting environment variables. The
version info collection is an existing feature that we're making more
visible, the feature usage collection feature is a new feature that has
it's own environment configuration but also depends on version info
collection being active to work.

When version collection is turned off and the experimental feature flag
for feature usage collection is turned off:
<img width="1269" alt="image"
src="https://github.com/Unleash/unleash/assets/707867/435a07da-d238-4b5b-a150-07e3bd6b816f">


When version collection is turned on and the experimental feature flag
is off:
<img width="1249" alt="image"
src="https://github.com/Unleash/unleash/assets/707867/8d1a76c5-99c9-4551-9a4f-86d477bbbf6f">


When the experimental feature flag is enabled, and version+telemetry is
turned off:
<img width="1239" alt="image"
src="https://github.com/Unleash/unleash/assets/707867/e0bc532b-be94-4076-bee1-faef9bc48a5b">


When version collection is turned on, the experimental feature flag is
enabled, and telemetry collection is turned off:
<img width="1234" alt="image"
src="https://github.com/Unleash/unleash/assets/707867/1bd190c1-08fe-4402-bde3-56f863a33289">


When version collection is turned on, the experimental feature flag is
enabled, and telemetry collection is turned on:
<img width="1229" alt="image"
src="https://github.com/Unleash/unleash/assets/707867/848912cd-30bd-43cf-9b81-c58a4cbad1e4">


When version collection is turned off, the experimental feature flag is
enabled, and telemetry collection is turned on:
<img width="1241" alt="image"
src="https://github.com/Unleash/unleash/assets/707867/d2b981f2-033f-4fae-a115-f93e0653729b">

---------

Co-authored-by: sighphyre <liquidwicked64@gmail.com>
Co-authored-by: Nuno Góis <github@nunogois.com>
Co-authored-by: Thomas Heartman <thomas@getunleash.ai>
2023-06-30 08:43:58 +02:00
Christopher Kolstad
b99eafc9cc
docs: Context api tag (#4117)
### What
Added documentation for context fields and endpoints tagged with the
"Context" tag.

---------

Co-authored-by: Thomas Heartman <thomas@getunleash.ai>
2023-06-29 14:04:48 +02:00
Jaanus Sellin
19770fc33c
fix: metrics performance patch (#4108) 2023-06-29 13:14:37 +03:00
Thomas Heartman
be0e94105d
bug(#3545): include strategy titles on playground evaluation results (#4084)
This PR adds strategy titles as an optional bit of data added to client
features. It's only added when prompted.


![image](https://github.com/Unleash/unleash/assets/17786332/99509679-2aab-4c2a-abff-c6e6f27d8074)

## Discussion points:

### getPlaygroundFeatures

The optional `includeStrategyId` parameter has been replaced by a
`getPlaygroundFeatures` in the service (and in the underlying store).
The playground was the only place that used this specific include, so
instead of adding more and making the interface for that method more
complex, I created a new method that deals specifically with the
playground.

The underlying store still uses an `optionalIncludes` parameter,
however. I have a plan to make that interface more fluid, but I'd like
to propose that in a follow-up PR.
2023-06-29 10:38:51 +02:00
Christopher Kolstad
c2cf24ae1d
fix: Default email sender to getunleash.io domain (#3739)
As part of the move to a unified domain this PR updates the default
EMAIL_SENDER to noreply@getunleash.io . Should not be merged/deployed
until we've verified DMARC, DKIM for the new domain.
2023-06-29 06:44:27 +00:00
andreas-unleash
5cbbd6f798
chore: remove strategyImprovements flag (#4043)
<!-- Thanks for creating a PR! To make it easier for reviewers and
everyone else to understand what your changes relate to, please add some
relevant content to the headings below. Feel free to ignore or delete
sections that you don't think are relevant. Thank you! ❤️ -->
Remove strategy improvements flag 
## About the changes
<!-- Describe the changes introduced. What are they and why are they
being introduced? Feel free to also add screenshots or steps to view the
changes if they're visual. -->

<!-- Does it close an issue? Multiple? -->
Closes #
[1-1048](https://linear.app/unleash/issue/1-1048/remove-strategyimprovements-flag)

<!-- (For internal contributors): Does it relate to an issue on public
roadmap? -->
<!--
Relates to [roadmap](https://github.com/orgs/Unleash/projects/10) item:
#
-->

### Important files
<!-- PRs can contain a lot of changes, but not all changes are equally
important. Where should a reviewer start looking to get an overview of
the changes? Are any files particularly important? -->


## Discussion points
<!-- Anything about the PR you'd like to discuss before it gets merged?
Got any questions or doubts? -->

---------

Signed-off-by: andreas-unleash <andreas@getunleash.ai>
2023-06-28 11:38:21 +03:00
Jaanus Sellin
803610ab82
fix: max revision query order (#4096) 2023-06-27 12:07:23 +03:00
Gastón Fournier
ee8c9a62da
chore: filter out deprecated permissions (#4083)
## About the changes
This makes these permissions not available for selection. In particular
`UPDATE_ROLE`, `CREATE_API_TOKEN`, `UPDATE_API_TOKEN`,
`DELETE_API_TOKEN`, `READ_API_TOKEN` are long-lived and should be taken
out with special care which is why we have
https://linear.app/unleash/issue/2-1158/add-delete-migration-to-clean-up-no-longer-used-permissions

## Discussion points
If a role has this permission assigned, it will be displayed but will
not be able to remove it. Because the application code does not rely on
these permissions, this shouldn't be a problem. Later when we remove
them from the DB, the permission will be removed as well from the role
by the migration
2023-06-23 12:26:35 +02:00
Gastón Fournier
89cf16f915
Feat/more granular permissions check in create apitoken (#4072)
## About the changes
This PR enables or disables create API token button based on the
permissions.

**Note:** the button is only displayed if you have READ permissions on
some API token. This is a minor limitation as having CREATE permissions
should also grant READ permissions, but right now this is up to the user
to set up the custom role with the correct permissions

**Note 2:** Project-specific API tokens are also ruled by the
project-specific permission to create API tokens in a project (just
having the root permissions to create a client token or frontend token
does not grant access to create a project-specific API token). The
permissions to access the creation of a project-specific API token then
rely on the root permissions to allow the user to create either a client
token or a frontend token.

---------

Co-authored-by: David Leek <david@getunleash.io>
2023-06-23 10:57:08 +02:00
Gastón Fournier
4cedb00e04
fix: fetching user root roles include custom ones (#4068)
## About the changes
`getUserRootRoles` should also consider custom root roles

This introduces test cases that unveiled a dependency between stores
(this happens actually at the DB layer having access-service access
tables from two different stores but skipping the store layer).


https://linear.app/unleash/issue/2-1161/a-user-with-custom-root-role-and-permission-to-create-client-api

---------

Co-authored-by: Nuno Góis <github@nunogois.com>
2023-06-22 14:42:01 +00:00
Thomas Heartman
3fb00b281c
fix: disallow empty list of envs and invalid env names in advanced playground (#4060)
This PR changes the OpenAPI schema for the advanced playground to not
accept empty lists of environments and to not accept environment names
that don't match the env name pattern we use.

The pattern is the same as the one we use for controlling environment
names on creation.

However, there is a (small) chance that these may get out of sync later,
so we could do something to only define this pattern once (and import it
in the enterprise package), but that may be more work than is necessary,
and I'd suggest we do that later.

I've also added a minLength to the string items although it isn't
strictly necessary. It's primarily to give the users better feedback if
the name is empty.
2023-06-22 09:01:10 +00:00
Mateusz Kwasniewski
374d49f5bf
feat: ui tweaks for playground (#4058) 2023-06-22 10:13:17 +02:00
Nuno Góis
7e9069e390
refactor: token permissions, drop admin-like permissions (#4050)
https://linear.app/unleash/issue/2-1155/refactor-permissions

- Our `rbac-middleware` now supports multiple OR permissions;
- Drops non-specific permissions (e.g. CRUD API token permissions
without specifying the token type);
- Makes our permission descriptions consistent;
- Drops our higher-level permissions that basically mean ADMIN (e.g.
ADMIN token permissions) in favor of `ADMIN` permission in order to
avoid privilege escalations;

This PR may help with
https://linear.app/unleash/issue/2-1144/discover-potential-privilege-escalations
as it may prevent privilege escalations altogether.

There's some UI permission logic around this, but in the future
https://linear.app/unleash/issue/2-1156/adapt-api-tokens-creation-ui-to-new-permissions
could take it a bit further by adapting the creation of tokens as well.

---------

Co-authored-by: Gastón Fournier <gaston@getunleash.io>
2023-06-22 08:35:54 +01:00
Thomas Heartman
24e9cf7c8f
feat: add "edit" link to playground strategies (#4027)
This change adds an "edit" link to all playground strategies when they
are returned from the API, allowing the user to jump directly to the
evaluated strategy edit screen.

This change applies to both old and new strategies, so it should even
work in the old playground.

This does not use this information in the frontend yet.

## Discussion points:

Should "links" be an object or a singular string? I know the
notifications service uses just "link", but using an object will make
it easier to potentially add more actions in the future (such as
"enable"/"disable", maybe?)

Do we need to supply basePath? I noticed that the notifications links
only ever use an empty string for base path, so it might not be
necessary and can potentially be left out.

## Changes

I've implemented the link building in a new view model file. Inspecting
the output after the result is fully ready requires some gnarly
introspection and mapping, but it's tested.

Further, I've done a little bit of work to stop the playground service
using the schema types directly as the schema types now contain extra
information.

This PR also updates the `urlFriendlyString` arbitrary to not produce
strings that contain only periods. This causes issues when parsing URLs
(and is also something we struggle with in the UI).
2023-06-22 07:19:35 +00:00
Mateusz Kwasniewski
ffed4e78b0
feat: configurable playground limit (#4047) 2023-06-22 08:46:13 +02:00
Tymoteusz Czech
02ca60511f
Splitted strategy button (#4025)
## About the changes

![image](https://github.com/Unleash/unleash/assets/2625371/afaaaedf-4539-4a0b-a0fb-916d858ac6d3)


https://linear.app/unleash/issue/1-1038/strategy-creation-split-into-two-buttons
2023-06-21 15:26:07 +02:00
Jaanus Sellin
71d242a299
chore: remove variant metrics flag (#4042) 2023-06-21 15:55:21 +03:00
Nuno Góis
197df96ff4
fix: consider ADMIN in API tokens fetch permissions (#4032)
https://github.com/Unleash/unleash/pull/4019 introduced a bug where API
token filtering was not taking into account ADMIN permissions, which
means the API tokens were not being displayed on the UI.
2023-06-21 12:12:21 +00:00
Jaanus Sellin
6442a8a386
fix: creating groups should work without users (#4033) 2023-06-21 14:44:43 +03:00
Mateusz Kwasniewski
5b34ceff4c
feat: enable oas by default (#4021) 2023-06-20 15:39:15 +02:00
Thomas Heartman
80a2e1b93f
fix: reject API admin tokens when importing features (#4016)
This PR fixes an issue where trying to use an admin token to import
features via the API resulted in a 500 (due to missing properties).

The solution is to catch when the user is using and admin token in the
controller, throw a 400, and tell them to use personal access tokens or
service accounts.

The PR includes a new test file for this specific use case. We don't
really test these cases many other places, so it seemed the logical
choice.
2023-06-20 12:57:59 +00:00
Mateusz Kwasniewski
a0862cfc10
feat: Query complexity validation (#4017) 2023-06-20 14:28:02 +02:00
Christopher Kolstad
3acb116ab2
feat: Separate api token roles (#4019)
## What
As part of the move to enable custom-root-roles, our permissions model
was found to not be granular enough to allow service accounts to only be
allowed to create read-only tokens (client, frontend), but not be
allowed to create admin tokens to avoid opening up a path for privilege
escalation.

## How
This PR adds 12 new roles, a CRUD set for each of the three token types
(admin, client, frontend). To access the `/api/admin/api-tokens`
endpoints you will still need the existing permission (CREATE_API_TOKEN,
DELETE_API_TOKEN, READ_API_TOKEN, UPDATE_API_TOKEN). Once this PR has
been merged the token type you're modifying will also be checked, so if
you're trying to create a CLIENT api-token, you will need
`CREATE_API_TOKEN` and `CREATE_CLIENT_API_TOKEN` permissions. If the
user performing the create call does not have these two permissions or
the `ADMIN` permission, the creation will be rejected with a `403 -
FORBIDDEN` status.


### Discussion points
The test suite tests all operations using a token with
operation_CLIENT_API_TOKEN permission and verifies that it fails trying
to do any of the operations against FRONTEND and ADMIN tokens. During
development the operation_FRONTEND_API_TOKEN and
operation_ADMIN_API_TOKEN permission has also been tested in the same
way. I wonder if it's worth it to re-add these tests in order to verify
that the permission checker works for all operations, or if this is
enough. Since we're running them using e2e tests, I've removed them for
now, to avoid hogging too much processing time.
2023-06-20 14:21:14 +02:00
Christopher Kolstad
fa081e9014
task: Make keepalive configurable via an environment variable (#4015)
As requested in
[Linear](https://linear.app/unleash/issue/2-1147/unleash-cloud-make-keepalive-configurable)
this PR makes the serverKeepAliveTimeout configurable via the
SERVER_KEEPALIVE_TIMEOUT environment variable. This was already
configurable when starting Unleash programmatically, but it's nice to
have as an env variable as well
2023-06-20 12:10:05 +02:00