-
Notifications
You must be signed in to change notification settings - Fork 41
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Change security API to a CRUD API #453
Change security API to a CRUD API #453
Conversation
12a4fba
to
840235f
Compare
b1529a4
to
38644c6
Compare
security/ipsec.proto
Outdated
// Update an existing IKE peer specification. | ||
rpc UpdateIkePeer(UpdateIkePeerRequest) returns (UpdateIkePeerResponse) {} | ||
// Delete an existing IKE peer specification. | ||
rpc DeleteIkePeer(DeleteIkePeerRequest) returns (DeleteIkePeerResponse) {} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should the Delete action return "google.protobuf.Empty"? Then the DeleteIkePeerResponse message can also be removed.
security/ipsec.proto
Outdated
// Update an existing IKE connection. | ||
rpc UpdateIkeConn(UpdateIkeConnRequest) returns (UpdateIkeConnResponse) {} | ||
// Delete an existing IKE connection. | ||
rpc DeleteIkeConn(DeleteIkeConnRequest) returns (DeleteIkeConnResponse) {} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Delete action can return "google.protobuf.Empty" instead. Then remove the DeleteIkeConnResponse message.
security/ipsec.proto
Outdated
// Update an existing IPsec Security Association | ||
rpc UpdateIpsecSa(UpdateIpsecSaRequest) returns (UpdateIpsecSaResponse) {} | ||
// Delete an existing IPsec Security Association | ||
rpc DeleteIpsecSa(DeleteIpsecSaRequest) returns (DeleteIpsecSaResponse) {} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Delete action can return "google.protobuf.Empty" instead. Then remove the DeleteIpsecSaResponse message.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you, @stevedoyle for the great patch!
We are trying to stick to AIP proto design rules and in some places here, we are not consistent.
|
||
# protoc doesn't include annotation and http googleapis, so we have to get them here | ||
curl -kL https://github.com/googleapis/googleapis/archive/master.tar.gz | tar --strip=1 -zxvf - googleapis-master/google/api | ||
|
||
docker run --user=$$(id -u):$$(id -g) --rm --entrypoint=sh -v "${PWD}"/v1/:/out -w /out -v "${PWD}":/protos pseudomuto/protoc-gen-doc:1.5.1 -c "protoc -I /protos --doc_out=/out --doc_opt=markdown,autogen.md /protos/*.proto" | ||
docker run --user=$$(id -u):$$(id -g) --rm --entrypoint=sh \ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can I ask you to update Makefiles in other folders, so they look and feel the same?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'll raise a separate PR for making the makefiles consistent across folders.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@stevedoyle created an issue to track: #457
security/ipsec.proto
Outdated
bool enabled = 1; | ||
// When fragmentation is enabled, the MTU that IKEv2 can use for IKEv2 | ||
// fragmentation. | ||
optional uint32 mtu = 2; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
use of signed types is discouraged: https://google.aip.dev/141
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry, I had a typo in the message:
use of UNsigned types is discouraged: https://google.aip.dev/141
I see the lint type check is disabled for soem uint32/uint64 members. Use of unsigned types is discouraged since some languages do not support unsigned types, like python, java.
Pls confirm that we cannot use signed types instead
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I had reviewed the AIP#141 rule and removed all use of unsigned except for:
- IPsec SPI which is a 32-bit value with a minimum value of 0.
- Sequence numbers. These also have a minimum value of 0 / can't be negative.
I added linter disable for these to highlight that these were deliberate. Alternatives that I had considered:
- Make these signed types in the API. Calling / implementing code will then need to handle the correct conversion to/from negative values as appropriate. I'm not a fan of this approach as it contradicts the valid range of these fields from the IPsec RFC descriptions and makes the API a little cumbersome.
- Use a larger sized field, (int64 for SPI and int128 for sequence number) to allow for the API to support the required value range for these fields. The downside is that the fields are now larger than needed.
@artek-koltun Any preference or guidance on the best approach to take here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Unfortunately, I don't know an ideal solution for that issue. I wanted to make sure that we considered the option to use the signed types for these cases, and they do not fit
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You can use this cmd to run api linter locally to detect the places where api is inconsistent:
curl -kL https://github.com/googleapis/googleapis/archive/master.tar.gz | tar --strip=1 -zxvf - googleapis-master/google/api
docker run -it --user=$(id -u):$(id -g) --rm --entrypoint=sh -v "${PWD}/../network/opinetcommon":/common -v "${PWD}":/out -w /out ghcr.io/docker-multiarch/google-api-linter:1.56.1 -c "api-linter -I /common /out/*.proto --output-format github --set-exit-status"
Update the OPI security API to use CRUD operations and to use more non-implementation specific types. The v1 API messages were very specifc to a strongSwan implementation. This version updates the API to align with the more generic types from the IETF yang model described in RFC 9061. Using an API version tag of v2alpha1 as the API is not backwards compatible with the v1 IPsec APIs. Adpoting protobuf naming conventions for all messages and services. fixes: opiproject#446, opiproject#104 BREAKING-CHANGE: Breaks compatiblity with the existing OPI security API definition. Signed-off-by: Stephen Doyle <[email protected]>
38644c6
to
5202e25
Compare
- Refactor security API to follow AIP conventions - Use a dedicated serivce for each resource type Signed-off-by: Stephen Doyle <[email protected]>
Signed-off-by: Stephen Doyle <[email protected]>
5202e25
to
4f88429
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Updates look good - approved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good, some small notes
security/Makefile
Outdated
|
||
rm -rf "${PWD}"/google | ||
|
||
apilint: | ||
curl -kL https://github.com/googleapis/googleapis/archive/master.tar.gz | tar --strip=1 -zxvf - googleapis-master/google/api | ||
docker run --user=$(id -u):$(id -g) --rm --entrypoint=sh -v "${PWD}":/out -w /out ghcr.io/docker-multiarch/google-api-linter:1.56.1 -c "api-linter -I /common /out/*.proto --output-format github --disable-rule=core::0192 --disable-rule=core::0191 --disable-rule=core::0140 --disable-rule=core::0123 --disable-rule=core::0142 --disable-rule=core::0126 --disable-rule=core::0127 --disable-rule=core::0141 --disable-rule=core::0203 --disable-rule=core::0216 --set-exit-status" | ||
docker run --user=$(id -u):$(id -g) --rm --entrypoint=sh -v "${PWD}/../network/opinetcommon":/common -v "${PWD}":/out -w /out ghcr.io/docker-multiarch/google-api-linter:1.56.1 -c "api-linter -I /common /out/*.proto --output-format github --disable-rule=core::0192 --disable-rule=core::0191 --disable-rule=core::0140 --disable-rule=core::0123 --disable-rule=core::0142 --disable-rule=core::0126 --disable-rule=core::0127 --disable-rule=core::0141 --disable-rule=core::0203 --disable-rule=core::0216 --set-exit-status" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I suppose you fixed many linter issues, so could you please remove as many --disable-rule
as possible
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed. All --disable-rule rules have now been removed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great! Thanks
security/ipsec.proto
Outdated
bool enabled = 1; | ||
// When fragmentation is enabled, the MTU that IKEv2 can use for IKEv2 | ||
// fragmentation. | ||
optional uint32 mtu = 2; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry, I had a typo in the message:
use of UNsigned types is discouraged: https://google.aip.dev/141
I see the lint type check is disabled for soem uint32/uint64 members. Use of unsigned types is discouraged since some languages do not support unsigned types, like python, java.
Pls confirm that we cannot use signed types instead
Removing the linter --disable-rules as the latest code passes all AIP linter rule checks. Signed-off-by: Stephen Doyle <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Thank you @stevedoyle !
Resolves issue #446 and #104
Update the OPI security API to use CRUD operations and to use more non-implementation specific types. The v1 API messages were very specifc to a strongSwan implementation. This version updates the API to align with the more generic types from the IETF yang model described in RFC 9061.
Using an API version tag of v2alpha1 as the API is not backwards compatible with the v1 IPsec APIs.
Adpoting protobuf naming conventions for all messages and services.
BREAKING-CHANGE: Breaks compatiblity with the existing OPI security API definition.