Conversation
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (2)
🚧 Files skipped from review as they are similar to previous changes (1)
📝 WalkthroughWalkthroughThis PR replaces the EDL bearer-token profile lookup with a token-validation flow calling ChangesEDL bearer token validation
Estimated code review effort: 3 (Moderate) | ~25 minutes Sequence Diagram(s)sequenceDiagram
participant Client
participant fetchEdlProfile
participant EDLTokenEndpoint
Client->>fetchEdlProfile: request profile with bearer token
fetchEdlProfile->>fetchEdlProfile: check EDL_CLIENT_ID / EDL_PASSWORD present
fetchEdlProfile->>EDLTokenEndpoint: POST /oauth/tokens/user (Basic auth, client_id, token)
EDLTokenEndpoint-->>fetchEdlProfile: validation response (profile.uid)
fetchEdlProfile->>fetchEdlProfile: decodeJwtClaims(token)
fetchEdlProfile-->>Client: { name, uid, assuranceLevel }
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Warning Tools execution failed with the following error: Failed to run tools: 13 INTERNAL: Received RST_STREAM with code 2 (Internal server error) Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #116 +/- ##
=======================================
Coverage 99.82% 99.82%
=======================================
Files 225 225
Lines 5582 5599 +17
Branches 1603 1600 -3
=======================================
+ Hits 5572 5589 +17
Misses 10 10 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
There was a problem hiding this comment.
Actionable comments posted: 2
🧹 Nitpick comments (2)
serverless/src/edlAuthorizer/__tests__/handler.test.js (1)
11-15: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value
loggerInfoSpyis created/restored but never asserted on.The spy only suppresses
logger.infonoise during tests; none of the newlogger.infocalls added inhandler.js(request received, resolved token, retrieved profile, authorization successful) are verified. Consider adding at least one assertion (e.g., on the success path) to lock in the new structured info-logging behavior.Also applies to: 33-33
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@serverless/src/edlAuthorizer/__tests__/handler.test.js` around lines 11 - 15, The new logger.info spy in edlAuthorizer handler tests is only being used to silence output and is never verified, so the structured info logging in handler.js is not covered. Add at least one assertion in the success-path tests using loggerInfoSpy to confirm the expected info log calls (for example, request received, token/profile handling, or authorization success), and keep the spy setup/restore around those handler tests.serverless/src/edlAuthorizer/handler.js (1)
40-57: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low valueMinor:
tokenTypecan report'bearer'whiletokenPresentisfalse.If the header is
"Bearer "(whitespace-only after the scheme),bearerMatchsucceeds sotokenTypeis set to'bearer', buttokenValuetrims to empty, sotokenPresentisfalse. Logs would then show a contradictory{ tokenType: 'bearer', tokenPresent: false }. Purely cosmetic for logging purposes, but worth tightening.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@serverless/src/edlAuthorizer/handler.js` around lines 40 - 57, The token summary in summarizeTokenForLogs can produce inconsistent log output because bearerMatch sets tokenType to bearer even when the trimmed tokenValue is empty. Update the tokenType assignment so it only reports bearer when tokenValue is actually present, and otherwise keep missing when the header is empty or whitespace-only. Keep the behavior of tokenPresent and tokenLength aligned with tokenType so logs from summarizeTokenForLogs stay consistent.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@serverless/src/edlAuthorizer/handler.js`:
- Around line 59-71: The “redacted” profile summary in summarizeProfileForLogs
still exposes raw uid and auid values, so update this helper in handler.js to
avoid logging sensitive identifiers directly. Either remove uid/auid from the
returned summary or replace them with a masked/truncated/hashed representation,
and make sure all call sites that log the summary on deny/error/success paths
continue using the sanitized output.
In `@serverless/src/shared/fetchEdlProfile.js`:
- Around line 158-163: The assurance level is currently being read from
decodeJwtClaims(edlToken), which relies on the access token and not a trusted
server-side source. Update fetchEdlProfile to get assuranceLevel from the
backend-validated profile or token-validation response already associated with
profile, and remove the dependency on decoding the EDL token for this field.
---
Nitpick comments:
In `@serverless/src/edlAuthorizer/__tests__/handler.test.js`:
- Around line 11-15: The new logger.info spy in edlAuthorizer handler tests is
only being used to silence output and is never verified, so the structured info
logging in handler.js is not covered. Add at least one assertion in the
success-path tests using loggerInfoSpy to confirm the expected info log calls
(for example, request received, token/profile handling, or authorization
success), and keep the spy setup/restore around those handler tests.
In `@serverless/src/edlAuthorizer/handler.js`:
- Around line 40-57: The token summary in summarizeTokenForLogs can produce
inconsistent log output because bearerMatch sets tokenType to bearer even when
the trimmed tokenValue is empty. Update the tokenType assignment so it only
reports bearer when tokenValue is actually present, and otherwise keep missing
when the header is empty or whitespace-only. Keep the behavior of tokenPresent
and tokenLength aligned with tokenType so logs from summarizeTokenForLogs stay
consistent.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 4c569630-734b-4ee5-bc7e-a07fd28416b7
📒 Files selected for processing (4)
serverless/src/edlAuthorizer/__tests__/handler.test.jsserverless/src/edlAuthorizer/handler.jsserverless/src/shared/__tests__/fetchEdlProfile.test.jsserverless/src/shared/fetchEdlProfile.js
Overview
What is the feature?
Fix KMS authorizer handling of EDL level 5 bearer tokens created through the EDL "Generate Token" flow.
What is the Solution?
This updates bearer-token validation in
fetchEdlProfileso KMS no longer relies onGET /oauth/userInfofor bearer tokens. Instead, it:POST /oauth/tokens/userAuthorization: Basic <EDL_CLIENT_ID:EDL_PASSWORD>assurance_levelEDL_CLIENT_IDto Bamboo/CDK/runtime wiringWhat areas of the application does this impact?
EDL_CLIENT_IDfetchEdlProfileand authorizer behaviorREADME.mdTesting
bamboo_EDL_CLIENT_IDto Bamboo and deploy this branch. (done)Bearer <token>) and verify access is allowed.Unauthorized/403.I ran:
KMS_AUTHORIZATION="Bearer ..." ALLOW_MUTATING_CORRECTION_ENDPOINT=true ./scripts/local/find_collection_with_positive_manual_sync_result.mjs sit dif10 AMD_KOPRIwhich requires authentication and should work with both tokens (MMT generated one and EDL generated one)
Checklist
Summary by CodeRabbit
New Features
Bug Fixes