New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix role descriptor's hashCode, equals and isEmpty implementations #108255
Fix role descriptor's hashCode, equals and isEmpty implementations #108255
Conversation
Pinging @elastic/es-security (Team:Security) |
Marking it as draft until I figure out why FileRolesStoreTests is failing now 🤨 |
@@ -107,15 +106,12 @@ public boolean equals(Object o) { | |||
if (this == o) return true; | |||
if (o == null || getClass() != o.getClass()) return false; | |||
RemoteClusterPermissionGroup that = (RemoteClusterPermissionGroup) o; | |||
return Arrays.equals(clusterPrivileges, that.clusterPrivileges) | |||
&& Arrays.equals(remoteClusterAliases, that.remoteClusterAliases) | |||
&& Objects.equals(remoteClusterAliasMatcher, that.remoteClusterAliasMatcher); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I had to remove remoteClusterAliasMatcher
from both hashCode and equals implementation as it is always wrong due to the nature of Predicate
. I'm thinking of not overriding them in StringMatcher
to avoid confusion.
var first = StringMatcher.of("remote-*");
var second = StringMatcher.of("remote-*");
first.equals(second); // this will never be true because `Predicate` in `StringMatcher` is different object
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
weird ... the unit tests extend AbstractXContentSerializingTestCase which in turn tests org.elasticsearch.test.AbstractWireTestCase#testConcurrentEquals.. which should catch things like that.
Taking a deeper look and adding this test:
assertTrue(StringMatcher.of("*").equals(StringMatcher.of("*"))); //passes assertTrue(StringMatcher.of("foo").equals(StringMatcher.of("foo")));//fails
So those equality tests passed since i guess '*' is a special case.
I explicitly added the equals/hash to StringMatcher for this purpose (but only relied on tests from AbstractXContentSerializingTestCase of RemoteClusterPermissionGroup). Can you also remove the equals and hash code, or better update them to always return false with a comment to why (that is super trappy behavior).
Also, can you add a comment we explicitly omit the matcher ? It doesn't need be there and the only reason I included it in the equality was to avoid messages like this since most devs will just let the IDE generate these.
Also thanks for fixing the missing RoleDescriptor equality. I just ran the failing RoleDescriptor test a 1000 times and it only failed 3/1000 of the times (and got it to pass with 0/1000 failures) . We really shouldn't use that much randomization :/
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you also remove the equals and hash code, or better update them to always return false with a comment to why (that is super trappy behavior).
Returning false would be wrong when the same object is compared. So I decided to remove them since this is the correct behaviour.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also thanks for fixing the missing RoleDescriptor equality. I just ran the failing RoleDescriptor test a 1000 times and it only failed 3/1000 of the times (and got it to pass with 0/1000 failures) . We really shouldn't use that much randomization :/
This was accidental. I only caught it because isEmpty
was failing and I saw that equals
was not correct. This then uncovered issue when reloading FileRolesStore
.
…ole-descriptor-equals-hashcode-isempty
…ole-descriptor-equals-hashcode-isempty
…ole-descriptor-equals-hashcode-isempty
return Arrays.equals(clusterPrivileges, that.clusterPrivileges) | ||
&& Arrays.equals(remoteClusterAliases, that.remoteClusterAliases) | ||
&& Objects.equals(remoteClusterAliasMatcher, that.remoteClusterAliasMatcher); | ||
// The remoteClusterAliasMatcher is intentionally omitted from equals and hashCode implementation. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: thanks for the comment. however we probably don't need a full explanation, just a mention that it is omitted intentionally. I know it is really pedantic but long comments like this draw your attention as something important to read where all we really need to know is that we intentionally omitted those fields to avoid appearing as a bug and/or accidentally adding those fields here at some point.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Thanks for fixing this.
…ole-descriptor-equals-hashcode-isempty
Added missing
remoteClusterPermissions
tohashCode
,equals
andisEmpty
implementations.Resolves #108253, #108285
Note: Marking as
>non-issue
since the PR that introducedremoteClusterPermissions
is not released yet.