Page MenuHomePhabricator

[keyserver] Write a script to compare database role permissions match expectations
ClosedPublic

Authored by rohan on Nov 2 2023, 9:04 AM.
Tags
None
Referenced Files
Unknown Object (File)
Sun, Dec 1, 12:52 AM
Unknown Object (File)
Sat, Nov 30, 3:06 AM
Unknown Object (File)
Fri, Nov 29, 2:26 AM
Unknown Object (File)
Thu, Nov 28, 9:17 AM
Unknown Object (File)
Nov 21 2024, 5:20 PM
Unknown Object (File)
Nov 16 2024, 2:06 AM
Unknown Object (File)
Nov 14 2024, 7:08 PM
Unknown Object (File)
Nov 14 2024, 1:55 PM
Subscribers

Details

Summary

This is a script that addresses some feedback from D9599. Ideally, before I put up a diff to attempt to unify universalCommunityPermissions and the general thread permission blobs created for Admins and Members in some way to acheive consistency, it'll be good to run a script against the database contents for roles and permissions to see if there's anything else I'll need to take into consideration. I've already noted that join_thread can probably be removed from universalCommunityPermissions, but the script should tell me the rest.

The flow of the script is as follows:

  1. Fetch roles for community roots and community announcement roots
  2. Extract the relevant information for each role
  3. Get the expected permissions for the role and the actual/existing permissions for the role
  4. Call deepDiff two ways on these two permission blobs
  5. If there are any disrepencies, attempt to link them back to some user surfaced permissions that could indicate that it's only a result of a user editing a role and not a malformed database

I'm not really sure how this script will behave against a production database, but some thorough testing hasn't led to any glaring issues. I'm expecting a ton of output though that I'll need to sit and parse through.

Resolves ENG-5621

Test Plan

Edited a role's permissions to trigger some changes between the expected and actual role permissions for a role. This is the output of the script:

====================================
Validating: Role Name (Members) | Role ID (90477) | Thread Type (8) | Thread ID (90476)

deepDiff(baseExpectedPermissionBlob, existingRolePermissions) = {}

deepDiff(existingRolePermissions, baseExpectedPermissionBlob) = {
  "join_thread": true,
  "descendant_react_to_message": true,
  "descendant_edit_message": true,
  "descendant_add_members": true,
  "descendant_edit_entries": true,
  "descendant_edit_thread": true,
  "descendant_edit_thread_description": true,
  "descendant_edit_thread_color": true,
  "descendant_toplevel_create_subthreads": true,
  "descendant_edit_thread_avatar": true,
  "descendant_toplevel_create_sidebars": true
}

Potential permission disrecepencies for role Members that could be linked back to user surfaced permissions (i.e. not an actual discrepency, but rather a user edited a role: 

userSurfacedExistingPermissionsToExpectedPermissions = [
  "edit_calendar",
  "create_and_edit_channels",
  "add_members",
  "react_to_messages",
  "edit_messages"
]
====================================
Validating: Role Name (Admins) | Role ID (90478) | Thread Type (8) | Thread ID (90476)

deepDiff(baseExpectedPermissionBlob, existingRolePermissions) = {}

deepDiff(existingRolePermissions, baseExpectedPermissionBlob) = {}

Potential permission disrecepencies for role Admins that could be linked back to user surfaced permissions (i.e. not an actual discrepency, but rather a user edited a role: 

====================================
Validating: Role Name (Members) | Role ID (90496) | Thread Type (8) | Thread ID (90495)

deepDiff(baseExpectedPermissionBlob, existingRolePermissions) = {}

deepDiff(existingRolePermissions, baseExpectedPermissionBlob) = {}

Potential permission disrecepencies for role Members that could be linked back to user surfaced permissions (i.e. not an actual discrepency, but rather a user edited a role: 

====================================
Validating: Role Name (Admins) | Role ID (90497) | Thread Type (8) | Thread ID (90495)

deepDiff(baseExpectedPermissionBlob, existingRolePermissions) = {}

deepDiff(existingRolePermissions, baseExpectedPermissionBlob) = {}

Potential permission disrecepencies for role Admins that could be linked back to user surfaced permissions (i.e. not an actual discrepency, but rather a user edited a role: 

====================================
Validating: Role Name (Members) | Role ID (90515) | Thread Type (8) | Thread ID (90514)

deepDiff(baseExpectedPermissionBlob, existingRolePermissions) = {}

deepDiff(existingRolePermissions, baseExpectedPermissionBlob) = {}

Potential permission disrecepencies for role Members that could be linked back to user surfaced permissions (i.e. not an actual discrepency, but rather a user edited a role: 

====================================
Validating: Role Name (Admins) | Role ID (90516) | Thread Type (8) | Thread ID (90514)

deepDiff(baseExpectedPermissionBlob, existingRolePermissions) = {}

deepDiff(existingRolePermissions, baseExpectedPermissionBlob) = {}

Potential permission disrecepencies for role Admins that could be linked back to user surfaced permissions (i.e. not an actual discrepency, but rather a user edited a role: 

====================================
Validating: Role Name (Members) | Role ID (90534) | Thread Type (9) | Thread ID (90533)

deepDiff(baseExpectedPermissionBlob, existingRolePermissions) = {}

deepDiff(existingRolePermissions, baseExpectedPermissionBlob) = {}

Potential permission disrecepencies for role Members that could be linked back to user surfaced permissions (i.e. not an actual discrepency, but rather a user edited a role: 

====================================
Validating: Role Name (Admins) | Role ID (90535) | Thread Type (9) | Thread ID (90533)

deepDiff(baseExpectedPermissionBlob, existingRolePermissions) = {}

deepDiff(existingRolePermissions, baseExpectedPermissionBlob) = {}

Potential permission disrecepencies for role Admins that could be linked back to user surfaced permissions (i.e. not an actual discrepency, but rather a user edited a role: 

====================================
Validating: Role Name (Members) | Role ID (90547) | Thread Type (9) | Thread ID (90546)

deepDiff(baseExpectedPermissionBlob, existingRolePermissions) = {}

deepDiff(existingRolePermissions, baseExpectedPermissionBlob) = {}

Potential permission disrecepencies for role Members that could be linked back to user surfaced permissions (i.e. not an actual discrepency, but rather a user edited a role: 

====================================
Validating: Role Name (Admins) | Role ID (90548) | Thread Type (9) | Thread ID (90546)

deepDiff(baseExpectedPermissionBlob, existingRolePermissions) = {}

deepDiff(existingRolePermissions, baseExpectedPermissionBlob) = {}

Potential permission disrecepencies for role Admins that could be linked back to user surfaced permissions (i.e. not an actual discrepency, but rather a user edited a role: 

====================================
Validating: Role Name (Members) | Role ID (90560) | Thread Type (9) | Thread ID (90559)

deepDiff(baseExpectedPermissionBlob, existingRolePermissions) = {}

deepDiff(existingRolePermissions, baseExpectedPermissionBlob) = {}

Potential permission disrecepencies for role Members that could be linked back to user surfaced permissions (i.e. not an actual discrepency, but rather a user edited a role: 

====================================
Validating: Role Name (Admins) | Role ID (90561) | Thread Type (9) | Thread ID (90559)

deepDiff(baseExpectedPermissionBlob, existingRolePermissions) = {}

deepDiff(existingRolePermissions, baseExpectedPermissionBlob) = {}

Potential permission disrecepencies for role Admins that could be linked back to user surfaced permissions (i.e. not an actual discrepency, but rather a user edited a role: 

====================================

Diff Detail

Repository
rCOMM Comm
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

Prevent unnecessary console logging when there are no differences

Use > instead of !== to keep consistent

rohan requested review of this revision.Nov 2 2023, 9:51 AM
ashoat added inline comments.
keyserver/src/scripts/validate-role-permissions.js
43 ↗(On Diff #32625)

Typo ("rule")

101 ↗(On Diff #32625)

Typo ("discrepenices")

103 ↗(On Diff #32625)

Same typo (should be "discrepancies")

133 ↗(On Diff #32625)

Same typo

135 ↗(On Diff #32625)

Missing close paren

This revision is now accepted and ready to land.Nov 2 2023, 10:00 AM

Let me know if you want me to run this in production!

Let me know if you want me to run this in production!

It'd be great if you could when you have a chance! It'll be useful to make sure I have covered all cases and haven't missed out on any