OKAPI-1081: Reject invalid tenant ids #1347

julianladisch · 2024-02-21T17:42:33Z

https://folio-org.atlassian.net/browse/OKAPI-1081

Implement
https://folio-org.atlassian.net/wiki/display/TC/ADR-000002+-+Tenant+Id+and+Module+Name+Restrictions
so that creating a new tenant via POST /_/proxy/tenants API is rejected unless the tenant id matches
^[a-z][a-z0-9]{0,30}$

Legacy tenant ids still work when used in any other API.

https://folio-org.atlassian.net/browse/OKAPI-1081 Implement https://folio-org.atlassian.net/wiki/display/TC/ADR-000002+-+Tenant+Id+and+Module+Name+Restrictions so that creating a new tenant via POST /_/proxy/tenants API is rejected unless the tenant id matches ^[a-z][a-z0-9]{0,30}$ Legacy tenant ids still work when used in any other API.

jakub-id · 2024-02-22T07:17:59Z

@julianladisch while this avoids problems with existing tenant data. it is still a breaking change of the API. If we need to bump Okapi version to 6.0.0, I'd like us to release 5.3.0 first. Platform module release deadline for Quesnelia is March 1.

hjiebsco

https://folio-org.atlassian.net/wiki/spaces/DD/pages/1779867/Tenant+Id+and+Module+Name+Restrictions mentions Okapi and the modules should provide APIs and/or scripts to do the migration. Is that ready? Can we provide a configuration to allow user to continue use the old ^[a-z0-9_-]+$ validation to avoid this breaking change?

julianladisch · 2024-02-22T13:06:11Z

Legacy tenant IDs can still be used. The restriction only affects new tenant IDs created via the API. There's no need to migrate legacy tenant IDs.
Therefore this breaking change doesn't affect existing tenant IDs. The breaking change only affects tenant IDs that people will create after the upgrade.

hjiebsco · 2024-02-22T14:29:42Z

Legacy tenant IDs can still be used. The restriction only affects new tenant IDs created via the API. There's no need to migrate legacy tenant IDs. Therefore this breaking change doesn't affect existing tenant IDs. The breaking change only affects tenant IDs that people will create after the upgrade.

From users' perspective, for whatever reason, they might need or prefer to name new tenant id consistently with old tenants, or they might need to recreate old tenants with the same ids. It would be better to provide configuration to allow these.

hjiebsco · 2024-02-23T13:28:13Z

Legacy tenant IDs can still be used. The restriction only affects new tenant IDs created via the API. There's no need to migrate legacy tenant IDs. Therefore this breaking change doesn't affect existing tenant IDs. The breaking change only affects tenant IDs that people will create after the upgrade.

From users' perspective, for whatever reason, they might need or prefer to name new tenant id consistently with old tenants, or they might need to recreate old tenants with the same ids. It would be better to provide configuration to allow these.

FYI that was just a suggestion. No objection if you want to merge as is.

julianladisch · 2024-02-27T18:34:14Z

The FOLIO security team discussed whether there should be an option to allow creation of legacy tenant ids. However, the security team prefers not to have such an option for security reasons. There are workarounds for people who want to do create legacy tenant ids: They can directly write into the Okapi database, or they can install an old Okapi version.

okapi-core/src/main/java/org/folio/okapi/managers/InternalModule.java

sonarcloud · 2024-02-28T20:41:39Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

julianladisch requested review from steveellis, jakub-id, nielserik and barbaraloehle February 21, 2024 17:42

julianladisch added 3 commits February 21, 2024 23:42

Fix code smells

538cccd

Add ending period to first sentence of Javadoc.

be100e9

Fix sonar code smell of missing else

47b442c

hjiebsco reviewed Feb 22, 2024

View reviewed changes

julianladisch requested a review from hjiebsco February 22, 2024 13:07

test that legacy tenant id with underscore still works

652c403

steveellis reviewed Feb 28, 2024

View reviewed changes

okapi-core/src/main/java/org/folio/okapi/managers/InternalModule.java Show resolved Hide resolved

steveellis approved these changes Feb 28, 2024

View reviewed changes

julianladisch added 2 commits February 28, 2024 21:17

change validateTenantId to setDefaultId

fc2e8bf

Merge branch 'master' into OKAPI-1081-restrict-invalid-tenantids

bb03906

julianladisch merged commit 8302119 into master Feb 28, 2024
6 checks passed

julianladisch deleted the OKAPI-1081-restrict-invalid-tenantids branch February 28, 2024 22:08

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

OKAPI-1081: Reject invalid tenant ids #1347

OKAPI-1081: Reject invalid tenant ids #1347

julianladisch commented Feb 21, 2024

jakub-id commented Feb 22, 2024

hjiebsco left a comment

julianladisch commented Feb 22, 2024

hjiebsco commented Feb 22, 2024

hjiebsco commented Feb 23, 2024

julianladisch commented Feb 27, 2024

sonarcloud bot commented Feb 28, 2024

OKAPI-1081: Reject invalid tenant ids #1347

OKAPI-1081: Reject invalid tenant ids #1347

Conversation

julianladisch commented Feb 21, 2024

jakub-id commented Feb 22, 2024

hjiebsco left a comment

Choose a reason for hiding this comment

julianladisch commented Feb 22, 2024

hjiebsco commented Feb 22, 2024

hjiebsco commented Feb 23, 2024

julianladisch commented Feb 27, 2024

sonarcloud bot commented Feb 28, 2024

Quality Gate passed