[SC-???] Do not request sensitive information unless it's going to be displayed #410
UserNotFound merged 24 commits into master from
madhuravius
left a comment
i left some comments and questions, this looks good from a code standpoint. i'm actively testing it now and will let you know if i find anything.
let me know if you need an approval (and wish to disregard my requests to leave a few possible clarifying comments, which are optional)
| @@ -0,0 +1,25 @@ | |||
| class StubAptibleResource < OpenStruct | |||
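Review bot: On the `class StubAptibleResource < OpenStruct` line, inheriting from OpenStruct means any attribute a fabricator never set reads back as nil instead of raising, so a spec that touches an attribute the stub does not define can pass silently. The other 24 lines of this new file are not visible here, so please confirm the class defines the attributes callers rely on explicitly, or add a short comment above the class stating which attributes every fabricator is expected to supply.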
more of a question but why is the filename 00_stub_resource.rb? versus other possible names? do you want it at the top of the file list? seems strange
thanks for the explanation and example, i had no idea. this makes sense to me now! might be worthwhile to leave a note but that's optional!
madhuravius
left a comment
this looks good to me, i'm helping verify this manually and will share if there are any patches needing to be made. given it ran through other tests and the evidence you provided, i'm comfortable with these changes so far (will let you know if i run into anything during testing)


In a number of cases, there is sensitive information we want to audit (track with Activity) when the user retrieves said information. So, we need to conditionally ask the API to not return that information, until it's actually needed. This is accomplished by first setting the header at the client level, and then reloading a resource when we need to, with `resource = with_sensitive(resource)`, before we access sensitive attributes.

Since this requires us to reference aptible api shared object attributes like href and headers, I added a StubAptibleResource and updated all our fabricators to inherit it. This should make further use of `with_sensitive(resource)`

These changes have been manually tested in integration against the existing API at main, and the planned API changes https://github.com/aptible/deploy-api/pull/2106 and https://github.com/aptible/aptible-integration/pull/600
I also removed the V1 stack code, since it's been years since it was relevant.
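The pattern the description outlines (omit sensitive fields by default, reload on demand, audit the reload), as an added sketch that is not code from this PR or from the project. The header name, `FakeApi`, `Client`, the `secret` attribute and the sample record are all assumptions made for illustration.

```ruby
require 'ostruct'

# Assumed names: the page does not give the real header or attribute names.
OMIT_HEADER = 'X-Example-Omit-Sensitive'.freeze
SENSITIVE_KEYS = [:secret].freeze

# Constructed stand-in for the API. It strips sensitive keys when asked to,
# and writes an audit entry whenever it actually returns them.
class FakeApi
  attr_reader :audit_log

  def initialize(records)
    @records = records
    @audit_log = []
  end

  def get(href, headers)
    record = @records.fetch(href)
    omit = headers[OMIT_HEADER] == 'true'
    @audit_log << "sensitive read: #{href}" unless omit
    visible = omit ? record.reject { |k, _| SENSITIVE_KEYS.include?(k) } : record
    OpenStruct.new(visible.merge(href: href, headers: headers))
  end
end

class Client
  def initialize(api)
    @api = api
    @headers = { OMIT_HEADER => 'true' } # set once, at the client level
  end

  def find(href)
    @api.get(href, @headers)
  end

  # Reload through href with the omit header flipped; no-op if already full.
  def with_sensitive(resource)
    return resource unless resource.headers[OMIT_HEADER] == 'true'
    @api.get(resource.href, resource.headers.merge(OMIT_HEADER => 'false'))
  end
end

def demo
  api = FakeApi.new({ '/resources/1' => { handle: 'r1', secret: 'constructed-value' } })
  client = Client.new(api)
  listed = client.find('/resources/1')
  before = [listed.secret, api.audit_log.size] # nothing returned, nothing audited
  full = client.with_sensitive(client.with_sensitive(listed))
  { before: before, secret: full.secret, audits: api.audit_log.dup }
end
```

Calling `with_sensitive` twice produces a single audit entry, because the second call sees a resource that was already loaded in full.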