Eureka permission changes -- validate module descriptor (#825)
* ci: Turn on validate workflow in order to change module descriptor perms to fit Eureka shape

* ci: Format JSON in ModuleDescriptor

* chore: Bring refdata perms in line with licenses PR: folio-org/mod-licenses#271

* chore: Bring custom properties permissions in line with licenses PR

* docs: Added section to README about how to run the validator locally should a developer wish to do so

* chore: Change clone permission to match licenses PR

* chore: Change `erm.admin.action` to match licenses PR (No group so is likely surfaced elsewhere and may require changes)

* chore: STS permissions cleanup

* chore: Job permission tweaks (Added logging granular perms, added fileobject perm, added logging perm group)

* refactor: Whitespace change in URLMappings

Not real change, just changing out whitespace for consistency

* chore: Cleanup jobs by type permission

* chore: Cleanup entitlementOptions perms (separate granular permission for static vs dynamic endpoints)

* chore: Added property specific KB validate permission to protect that endpoint

* chore: Tweak to resources on an agreement perms

* chore: Tweak export permission setup -- This feels pretty gross, multiple ways to get exactly the same stuff

* Tweak electronic vs all resource collection get

* chore: Change package content permissions and package source get permissions

* chore: Extend to add usage data providers collection perm--need to check that it makes sense to include that in agreement view perm

* chore: Add separate perm for related entitlements

* chore: Log entry permission

Added separate logEntry collection permission

* chore: Added separate validate permission for subscription agreement property level endpoint

* chore: linkedLicenses collection permission (Check with Owen whether to include that in permission group or not)

* chore: linkedLicenses collection permission (Check with Owen whether to include that in permission group or not)

* chore: Tweak electronic titles permission

* chore: Add "replaces" for refdata permissions, and dot separates

* chore: Added replaces for erm.admin.action

* chore: All Module Descriptor changes discussed on call with Owen

* chore: More module des descriptor tweaks

* chore: Final module descriptor tweaks

* chore: Accidentally didn't change over all contexts perms to "collection" basis
EthanFreestone authored Oct 1, 2024
1 parent daf3bcd commit 76e7fe9
Showing 4 changed files with 1,258 additions and 454 deletions.
138 changes: 69 additions & 69 deletions .github/workflows/validate-module.yml
@@ -1,71 +1,71 @@
# name: Validate module
name: Validate module

# on:
# push:
on:
push:

# jobs:
# run:
# name: Validate module descriptor
# runs-on: ubuntu-latest
# steps:
# - name: Checkout repository
# uses: actions/checkout@v4
# - name: Get Pull Request Number
# id: pr_number
# run: echo "pull_request_number=$(gh pr view --json number -q .number || echo "")" >> $GITHUB_OUTPUT
# env:
# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# - name: Setup java
# uses: actions/setup-java@v4
# with:
# distribution: 'temurin' # See 'Supported distributions' for available options
# java-version: '17'
# - name: Set up Maven
# uses: stCarolas/setup-maven@v5
# with:
# maven-version: 3.8.2
# - name: Set up settings file
# uses: 1arp/[email protected]
# with:
# path: 'service'
# file: 'settings.xml'
# content:
# <settings>
# <profiles>
# <profile>
# <id>folioMavenProfile</id>
# <pluginRepositories>
# <pluginRepository>
# <id>folio-nexus</id>
# <name>FOLIO Maven repository</name>
# <url>https://repository.folio.org/repository/maven-folio</url>
# </pluginRepository>
# </pluginRepositories>
# </profile>
# </profiles>
# <activeProfiles>
# <activeProfile>folioMavenProfile</activeProfile>
# </activeProfiles>
# </settings>
# - name: Run validator
# run: mvn org.folio:folio-module-descriptor-validator:1.0.0:validate -DmoduleDescriptorFile=service/src/main/okapi/ModuleDescriptor-template.json -s service/settings.xml -l validate_module_descriptor_output.txt
# - name: Upload validator result
# uses: actions/upload-artifact@v4
# if: always()
# with:
# name: validate_module_descriptor_output
# path: |
# validate_module_descriptor_output.txt
# retention-days: 1
# - name: Setup validate_module_descriptor_errors file
# if: failure()
# run: echo "$(cat validate_module_descriptor_output.txt)" | egrep "\[ERROR\]\s*(\"key\"|\"value\")" | sed 's/\[ERROR\]\(\s*\)//;s/\"value\"\(\s*\):\(\s*\)\(.*\)/\3\n/;s/"key\"\(\s*\):\(\s*\)\(.*\)/\3/' | tee validate_module_descriptor_errors.txt
# - name: Comment failures on PR
# if: failure()
# run: |
# # Use GitHub API to create a comment on the PR
# PR_NUMBER=${{ steps.pr_number.outputs.pull_request_number }}
# GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}
# COMMENT_URL="https://api.github.com/repos/${{ github.repository }}/issues/${PR_NUMBER}/comments"
# echo "SENDING TO: $COMMENT_URL"
# curl -s -H "Authorization: token ${GITHUB_TOKEN}" -X POST $COMMENT_URL --data "{ \"body\": $(cat validate_module_descriptor_errors.txt | jq -Rs) }"
jobs:
run:
name: Validate module descriptor
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Get Pull Request Number
id: pr_number
run: echo "pull_request_number=$(gh pr view --json number -q .number || echo "")" >> $GITHUB_OUTPUT
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Setup java
uses: actions/setup-java@v4
with:
distribution: 'temurin' # See 'Supported distributions' for available options
java-version: '17'
- name: Set up Maven
uses: stCarolas/setup-maven@v5
with:
maven-version: 3.8.2
- name: Set up settings file
uses: 1arp/[email protected]
with:
path: 'service'
file: 'settings.xml'
content:
<settings>
<profiles>
<profile>
<id>folioMavenProfile</id>
<pluginRepositories>
<pluginRepository>
<id>folio-nexus</id>
<name>FOLIO Maven repository</name>
<url>https://repository.folio.org/repository/maven-folio</url>
</pluginRepository>
</pluginRepositories>
</profile>
</profiles>
<activeProfiles>
<activeProfile>folioMavenProfile</activeProfile>
</activeProfiles>
</settings>
- name: Run validator
run: mvn org.folio:folio-module-descriptor-validator:1.0.0:validate -DmoduleDescriptorFile=service/src/main/okapi/ModuleDescriptor-template.json -s service/settings.xml -l validate_module_descriptor_output.txt
- name: Upload validator result
uses: actions/upload-artifact@v4
if: always()
with:
name: validate_module_descriptor_output
path: |
validate_module_descriptor_output.txt
retention-days: 1
- name: Setup validate_module_descriptor_errors file
if: failure()
run: echo "$(cat validate_module_descriptor_output.txt)" | egrep "\[ERROR\]\s*(\"key\"|\"value\")" | sed 's/\[ERROR\]\(\s*\)//;s/\"value\"\(\s*\):\(\s*\)\(.*\)/\3\n/;s/"key\"\(\s*\):\(\s*\)\(.*\)/\3/' | tee validate_module_descriptor_errors.txt
- name: Comment failures on PR
if: failure()
run: |
# Use GitHub API to create a comment on the PR
PR_NUMBER=${{ steps.pr_number.outputs.pull_request_number }}
GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}
COMMENT_URL="https://api.github.com/repos/${{ github.repository }}/issues/${PR_NUMBER}/comments"
echo "SENDING TO: $COMMENT_URL"
curl -s -H "Authorization: token ${GITHUB_TOKEN}" -X POST $COMMENT_URL --data "{ \"body\": $(cat validate_module_descriptor_errors.txt | jq -Rs) }"
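Review bot: The `Comment failures on PR` step expands `${{ secrets.GITHUB_TOKEN }}` and `${{ steps.pr_number.outputs.pull_request_number }}` directly into the script text; pass both through the step's `env:` block, as the `Get Pull Request Number` step already does for the token, and quote `"$COMMENT_URL"` in the `curl` call so no expression output is parsed as shell. The workflow triggers on every `push`, so on a branch with no open pull request `pull_request_number` is empty and the request goes to `.../issues//comments`; guard the step on a non-empty number. There is also no `permissions:` block, so the token keeps the repository default; declare only what the job needs to read the repository and post the comment. `stCarolas/setup-maven@v5` and the `1arp` action are third-party and referenced by tag; pinning them to a full commit SHA keeps the code that runs alongside the token fixed.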
32 changes: 32 additions & 0 deletions README.md
Expand Up @@ -168,3 +168,35 @@ If you create a Service in Kubernetes named "okapi" and expose a port for Hazelc



## Validating module descriptor
There is a github action created to run the module descriptor validation on `push`, but if a developer wishes to run the validation locally there is some setup that needs doing. The validation script is a Maven plugin which does not work natively with our gradle based apps.
### Maven
Developer will need maven cli `mvn` installed on their machine.
### settings.xml
Create a `settings.xml` file within the "service" directory (DO NOT MERGE THIS) containing the following:
```
<settings>
<profiles>
<profile>
<id>folioMavenProfile</id>
<pluginRepositories>
<pluginRepository>
<id>folio-nexus</id>
<name>FOLIO Maven repository</name>
<url>https://repository.folio.org/repository/maven-folio</url>
</pluginRepository>
</pluginRepositories>
</profile>
</profiles>
<activeProfiles>
<activeProfile>folioMavenProfile</activeProfile>
</activeProfiles>
</settings>
```
### Running
Finally the developer can run this command from the root directory (ie `mod-agreements` not `mod-agreements/service`)
```
mvn org.folio:folio-module-descriptor-validator:1.0.0:validate -DmoduleDescriptorFile=service/src/main/okapi/ModuleDescriptor-template.json -s service/settings.xml -l validate_module_descriptor_output.txt
```

This will create a file called `validate_module_descriptor_output.txt` containing the output of the validator. The github action does some cleanup and comments the errors on a PR (if present). The `grep`/`sed` commands with regex can be found in the workflow file `.github/validate-module`.
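Review bot: The closing paragraph sends readers to `.github/validate-module` for the `grep`/`sed` commands, but the workflow changed in this commit is `.github/workflows/validate-module.yml`; use that path so the reference resolves. The `settings.xml` section relies on the reader honouring "DO NOT MERGE THIS", and the command also writes `validate_module_descriptor_output.txt` into the repository root; ignore rules for `service/settings.xml` and the output file would enforce that instead of leaving it to memory.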
8 changes: 4 additions & 4 deletions service/grails-app/controllers/org/olf/UrlMappings.groovy
Expand Up @@ -50,10 +50,10 @@ class UrlMappings {
}

'/usageDataProviders' {
controller = 'usageDataProvider'
method = 'GET'
filters = { "owner==${params.subscriptionAgreementId}" }
}
controller = 'usageDataProvider'
method = 'GET'
filters = { "owner==${params.subscriptionAgreementId}" }
}

// Root level extensions
collection {
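Review bot: Confirm in the module descriptor that the `GET` route mapped by `'/usageDataProviders'` requires the usage data providers collection permission the commit message adds; the message flags its inclusion in the agreement view permission as still to be checked, and this hunk only re-indents the block, so nothing here enforces it.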