Change security API to a CRUD API #453
Conversation
stevedoyle
force-pushed
the
change-security-api-to-crud-api
branch
2 times, most recently
from
12a4fba
to
840235f
Compare
stevedoyle
force-pushed
the
change-security-api-to-crud-api
branch
2 times, most recently
from
b1529a4
to
38644c6
Compare
security/ipsec.proto
Outdated
| // Update an existing IKE peer specification. | ||
| rpc UpdateIkePeer(UpdateIkePeerRequest) returns (UpdateIkePeerResponse) {} | ||
| // Delete an existing IKE peer specification. | ||
| rpc DeleteIkePeer(DeleteIkePeerRequest) returns (DeleteIkePeerResponse) {} |
There was a problem hiding this comment.
Should the Delete action return "google.protobuf.Empty"? Then the DeleteIkePeerResponse message can also be removed.
security/ipsec.proto
Outdated
| // Update an existing IKE connection. | ||
| rpc UpdateIkeConn(UpdateIkeConnRequest) returns (UpdateIkeConnResponse) {} | ||
| // Delete an existing IKE connection. | ||
| rpc DeleteIkeConn(DeleteIkeConnRequest) returns (DeleteIkeConnResponse) {} |
There was a problem hiding this comment.
Delete action can return "google.protobuf.Empty" instead. Then remove the DeleteIkeConnResponse message.
security/ipsec.proto
Outdated
| // Update an existing IPsec Security Association | ||
| rpc UpdateIpsecSa(UpdateIpsecSaRequest) returns (UpdateIpsecSaResponse) {} | ||
| // Delete an existing IPsec Security Association | ||
| rpc DeleteIpsecSa(DeleteIpsecSaRequest) returns (DeleteIpsecSaResponse) {} |
There was a problem hiding this comment.
Delete action can return "google.protobuf.Empty" instead. Then remove the DeleteIpsecSaResponse message.
There was a problem hiding this comment.
Thank you, @stevedoyle for the great patch!
We are trying to stick to AIP proto design rules and in some places here, we are not consistent.
|
|
||
| # protoc doesn't include annotation and http googleapis, so we have to get them here | ||
| curl -kL https://github.com/googleapis/googleapis/archive/master.tar.gz | tar --strip=1 -zxvf - googleapis-master/google/api | ||
|
|
||
| docker run --user=$$(id -u):$$(id -g) --rm --entrypoint=sh -v "${PWD}"/v1/:/out -w /out -v "${PWD}":/protos pseudomuto/protoc-gen-doc:1.5.1 -c "protoc -I /protos --doc_out=/out --doc_opt=markdown,autogen.md /protos/*.proto" | ||
| docker run --user=$$(id -u):$$(id -g) --rm --entrypoint=sh \ |
There was a problem hiding this comment.
Can I ask you to update Makefiles in other folders, so they look and feel the same?
There was a problem hiding this comment.
I'll raise a separate PR for making the makefiles consistent across folders.
There was a problem hiding this comment.
@stevedoyle created an issue to track: #457
security/ipsec.proto
Outdated
| bool enabled = 1; | ||
| // When fragmentation is enabled, the MTU that IKEv2 can use for IKEv2 | ||
| // fragmentation. | ||
| optional uint32 mtu = 2; |
There was a problem hiding this comment.
use of signed types is discouraged: https://google.aip.dev/141
There was a problem hiding this comment.
Sorry, I had a typo in the message:
use of UNsigned types is discouraged: https://google.aip.dev/141
I see the lint type check is disabled for soem uint32/uint64 members. Use of unsigned types is discouraged since some languages do not support unsigned types, like python, java.
Pls confirm that we cannot use signed types instead
There was a problem hiding this comment.
I had reviewed the AIP#141 rule and removed all use of unsigned except for:
- IPsec SPI which is a 32-bit value with a minimum value of 0.
- Sequence numbers. These also have a minimum value of 0 / can't be negative.
I added linter disable for these to highlight that these were deliberate. Alternatives that I had considered:
- Make these signed types in the API. Calling / implementing code will then need to handle the correct conversion to/from negative values as appropriate. I'm not a fan of this approach as it contradicts the valid range of these fields from the IPsec RFC descriptions and makes the API a little cumbersome.
- Use a larger sized field, (int64 for SPI and int128 for sequence number) to allow for the API to support the required value range for these fields. The downside is that the fields are now larger than needed.
@artek-koltun Any preference or guidance on the best approach to take here?
There was a problem hiding this comment.
Unfortunately, I don't know an ideal solution for that issue. I wanted to make sure that we considered the option to use the signed types for these cases, and they do not fit
There was a problem hiding this comment.
You can use this cmd to run api linter locally to detect the places where api is inconsistent:
curl -kL https://github.com/googleapis/googleapis/archive/master.tar.gz | tar --strip=1 -zxvf - googleapis-master/google/api
docker run -it --user=$(id -u):$(id -g) --rm --entrypoint=sh -v "${PWD}/../network/opinetcommon":/common -v "${PWD}":/out -w /out ghcr.io/docker-multiarch/google-api-linter:1.56.1 -c "api-linter -I /common /out/*.proto --output-format github --set-exit-status"Update the OPI security API to use CRUD operations and to use more non-implementation specific types. The v1 API messages were very specifc to a strongSwan implementation. This version updates the API to align with the more generic types from the IETF yang model described in RFC 9061. Using an API version tag of v2alpha1 as the API is not backwards compatible with the v1 IPsec APIs. Adpoting protobuf naming conventions for all messages and services. fixes: opiproject#446, opiproject#104 BREAKING-CHANGE: Breaks compatiblity with the existing OPI security API definition. Signed-off-by: Stephen Doyle <stephen.doyle@intel.com>
stevedoyle
force-pushed
the
change-security-api-to-crud-api
branch
from
38644c6
to
5202e25
Compare
- Refactor security API to follow AIP conventions - Use a dedicated serivce for each resource type Signed-off-by: Stephen Doyle <stephen.doyle@intel.com>
Signed-off-by: Stephen Doyle <stephen.doyle@intel.com>
stevedoyle
force-pushed
the
change-security-api-to-crud-api
branch
from
5202e25
to
4f88429
Compare
security/Makefile
Outdated
|
|
||
| rm -rf "${PWD}"/google | ||
|
|
||
| apilint: | ||
| curl -kL https://github.com/googleapis/googleapis/archive/master.tar.gz | tar --strip=1 -zxvf - googleapis-master/google/api | ||
| docker run --user=$(id -u):$(id -g) --rm --entrypoint=sh -v "${PWD}":/out -w /out ghcr.io/docker-multiarch/google-api-linter:1.56.1 -c "api-linter -I /common /out/*.proto --output-format github --disable-rule=core::0192 --disable-rule=core::0191 --disable-rule=core::0140 --disable-rule=core::0123 --disable-rule=core::0142 --disable-rule=core::0126 --disable-rule=core::0127 --disable-rule=core::0141 --disable-rule=core::0203 --disable-rule=core::0216 --set-exit-status" | ||
| docker run --user=$(id -u):$(id -g) --rm --entrypoint=sh -v "${PWD}/../network/opinetcommon":/common -v "${PWD}":/out -w /out ghcr.io/docker-multiarch/google-api-linter:1.56.1 -c "api-linter -I /common /out/*.proto --output-format github --disable-rule=core::0192 --disable-rule=core::0191 --disable-rule=core::0140 --disable-rule=core::0123 --disable-rule=core::0142 --disable-rule=core::0126 --disable-rule=core::0127 --disable-rule=core::0141 --disable-rule=core::0203 --disable-rule=core::0216 --set-exit-status" |
There was a problem hiding this comment.
I suppose you fixed many linter issues, so could you please remove as many --disable-rule as possible
There was a problem hiding this comment.
Fixed. All --disable-rule rules have now been removed.
security/ipsec.proto
Outdated
| bool enabled = 1; | ||
| // When fragmentation is enabled, the MTU that IKEv2 can use for IKEv2 | ||
| // fragmentation. | ||
| optional uint32 mtu = 2; |
There was a problem hiding this comment.
Sorry, I had a typo in the message:
use of UNsigned types is discouraged: https://google.aip.dev/141
I see the lint type check is disabled for soem uint32/uint64 members. Use of unsigned types is discouraged since some languages do not support unsigned types, like python, java.
Pls confirm that we cannot use signed types instead
Removing the linter --disable-rules as the latest code passes all AIP linter rule checks. Signed-off-by: Stephen Doyle <stephen.doyle@intel.com>
Resolves issue #446 and #104
Update the OPI security API to use CRUD operations and to use more non-implementation specific types. The v1 API messages were very specifc to a strongSwan implementation. This version updates the API to align with the more generic types from the IETF yang model described in RFC 9061.
Using an API version tag of v2alpha1 as the API is not backwards compatible with the v1 IPsec APIs.
Adpoting protobuf naming conventions for all messages and services.
BREAKING-CHANGE: Breaks compatiblity with the existing OPI security API definition.