Credential Mapping Form

[DavidResende0]

Depends On: ManageIQ/manageiq#22685

Adds the new Credential Mapping form to the Embedded Workflows page.

Preview:

[DavidResende0]

@miq-bot cross-repo-tests ManageIQ/manageiq#22685

[jeffibm]

Hey @DavidResende0 , could you please check the failing spec.

[agrare]

@DavidResende0 can you rebase this?

[DavidResende0]

@miq-bot cross-repo-tests ManageIQ/manageiq#22685

[agrare]

Kicking after merge of ManageIQ/manageiq#22685

[agrare]

So for the record UX-wise it feels weird the way you select the credentials reference and do the mapping and it automatically gets set above as opposed to e.g. an explicit Set button it feels like you should have to hit something to "commit" the dropdown and then once you're done you would save the whole form.

[agrare]

@DavidResende0 can you try mapping credentials to the provision-vm.asl workflow from the workflows-examples repo? When I try I get the following error:

This happens whenever the credentials column is nil

[Fryguy]

Backend API PR is merged which fixes the "password" fields showing up.

[agrare]

I pushed a commit to use RBAC for looking up the workflow by params[:id]. This still has an issue if credentials => nil but we can fix that in a follow-up.

[Fryguy]

Do we have to solve the nested credentials keys first?

[agrare]

@Fryguy that was fixed by @DavidResende0 (at least the API sees the correct payload now)

[28, 37] in /home/grare/adam/src/manageiq/manageiq-api/app/controllers/api/configuration_script_payloads_controller.rb
   28:       # authentications_configuration_script_payloads join table.
   29:       unless data["credentials"].nil?
   30:         byebug
   31:         # Credentials can be a static string or a payload with an external
   32:         # Authentication record referenced by credential_ref and credential_field.
=> 33:         credential_refs = data["credentials"].values.select { |val| val.kind_of?(Hash) }.pluck("credential_ref")
   34:         # Lookup the Authentication record by ems_ref in the parent manager's
   35:         # list of authentications.
   36:         credentials     = resource.manager&.authentications&.where(:ems_ref => credential_refs) || []
   37:         # Filter the collection based on the current user's RBAC roles.
(byebug) data["credentials"]
{"api_user.$"=>{"credential_ref"=>"manageiq_api", "credential_field"=>"userid"}, "api_password.$"=>{"credential_ref"=>"manageiq_api", "credential_field"=>"userid"}}

[DavidResende0]

@DavidResende0 can you try mapping credentials to the provision-vm.asl workflow from the workflows-examples repo? When I try I get the following error:

This happens whenever the credentials column is nil

@agrare can you test this again, pretty sure I fixed it but want to make sure

[miq-bot]

Checked commit DavidResende0@363f677 with ruby 2.6.10, rubocop 1.28.2, haml-lint 0.35.0, and yamllint
5 files checked, 2 offenses detected

app/views/workflow/map_credentials.html.haml

• ⚠️ - Line 1 - Layout/TrailingEmptyLines: Final newline missing.
• ⚠️ - Line 1 - id attribute must be in lisp-case

[Fryguy]

@agrare Discussed this with @DavidResende0 and while I'm ok with this for this PR, it seems weird to me that the UI would have to parse the payload since that's really the backend's job. I'm wondering if we should extract any credentials into a separate column, so they can be more easily accessed here. Thoughts?

[Fryguy]

One way we could do this is pre-parse the payload and store those in the credentials column, but with a nil value. That way, this form would only show the keys and if those keys have non-nil values, then they must be mapped.

[agrare]

Yeah I agree, this was actually something I discussed with @DavidResende0 a few weeks ago but I never got to implementing, I was thinking that when we load the payload and create the record we could pre-populate the credentials record with the keys that have to be filled in by the user

[agrare]

Ha just edged me out

[agrare]

@agrare can you test this again, pretty sure I fixed it but want to make sure

@DavidResende0 yes confirmed this is fixed now thanks

[Fryguy]

Overall LGTM

@agrare On the API side I think we need to ensure that the user can only set those 4 fields. i.e. we don't want them hacking in other fields.

[agrare]

I will put in a PR to return a Bad Request if any credential_fields are requested which don't match the credential class' API_ATTRIBUTES

[agrare]

ManageIQ/manageiq-api#1241

[Fryguy]

Backported to quinteros in commit 71e1da4.

commit 71e1da4c09222b6c69d80645b5de0eac188fd27f
Author: Adam Grare <[email protected]>
Date:   Mon Sep 25 10:20:41 2023 -0400

    Merge pull request #8905 from DavidResende0/credential-mapping-form
    
    Credential Mapping Form
    
    (cherry picked from commit f91fdac52f0fab74b6a2b1f999bbd34cfa97c034)