fix(rest-api): OS imageUrl/imageSha are immutable on update and change attempt should fail#3294
fix(rest-api): OS imageUrl/imageSha are immutable on update and change attempt should fail#3294pbreton wants to merge 2 commits into
Conversation
The operating-system PATCH validation advertised imageUrl/imageSha as
patchable and forced them to be sent together, but site sync forwards
those to Core's UpdateOsImage, which rejects any change to
source_url/digest as read-only ("os_image update read-only attributes
changed"). Callers who only wanted to rotate an image auth token were
also blocked, since imageAuthToken could not be sent without imageUrl.
Align the API layer with the immutable-image design: reject changes to
imageUrl/imageSha up front with a clear 400 (re-sending the current
value stays a no-op), and allow imageAuthType/imageAuthToken to be
updated on image-based OS without re-sending imageUrl/imageSha. Update
the OpenAPI descriptions and the model/handler tests to match.
Signed-off-by: Patrice Breton <pbreton@nvidia.com>
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Enterprise Run ID: 📒 Files selected for processing (1)
🚧 Files skipped from review as they are similar to previous changes (1)
Summary by CodeRabbit
WalkthroughOperatingSystem update validation now rejects changes to ChangesImage immutability validation
Estimated code review effort: 3 (Moderate) | ~25 minutes Sequence Diagram(s)sequenceDiagram
participant Client
participant APIOperatingSystemUpdateRequest.Validate
participant validation
Client->>APIOperatingSystemUpdateRequest.Validate: submit update request
APIOperatingSystemUpdateRequest.Validate->>validation: check ImageURL/ImageSHA immutability
APIOperatingSystemUpdateRequest.Validate->>validation: enforce Nil on ImageURL for iPXE updates
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
🔍 Container Scan SummaryNo Grype artifacts were found to aggregate. |
|
🌿 Preview your docs: https://nvidia-preview-pull-request-3294.docs.buildwithfern.com/infra-controller |
🔐 TruffleHog Secret Scan✅ No secrets or credentials found! Your code has been scanned for 700+ types of secrets and credentials. All clear! 🎉 🕐 Last updated: 2026-07-09 01:19:36 UTC | Commit: b3eb803 |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@rest-api/api/pkg/api/handler/operatingsystem_test.go`:
- Around line 1741-1769: The new table-driven cases in operatingsystem_test.go
depend on a valid ImageSHA fixture, but the current test data prevents the
intended update paths from being exercised. Update the relevant OS fixture/setup
used by os5/os9 so the image OS entries have a correct ImageSHA value, and keep
the unchanged-imageURL and change-rejected cases wired through
updReqValidImageUrl, okBodyImageUrl, and errBodyChangeImageUrl so the success,
400, and timeout scenarios reach the expected handlers.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: 41aa0382-da61-406e-88aa-758fc5b515a2
📒 Files selected for processing (4)
rest-api/api/pkg/api/handler/operatingsystem_test.gorest-api/api/pkg/api/model/operatingsystem.gorest-api/api/pkg/api/model/operatingsystem_test.gorest-api/openapi/spec.yaml
Signed-off-by: Patrice Breton <pbreton@nvidia.com>
47ccd6c to
13b52b5
Compare
|
Rather than simply updating the descriptions of the open API spec to tell users that updates to |
There was a problem hiding this comment.
Consider updating the second example of the OperatingSystemUpdateRequest object so that it no longer sends imageUrl or imageSha.
index d79332b05..2a17494cf 100644
--- a/rest-api/openapi/spec.yaml
+++ b/rest-api/openapi/spec.yaml
@@ -16943,8 +16943,6 @@ components:
allowOverride: false
- name: debian-12-amd64
description: Official Debian 12 for AMD/Intel
- imageUrl: 'https://saimei.ftp.acc.umu.se/images/cloud/bookworm/latest/debian-12-generic-amd64.qcow2'
- imageSha: 2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae
imageAuthType: Bearer
imageAuthToken: acbd18db4cc2f85cedef654fccc4a4d8
imageDisk: /dev/sda```|
It looks like core logic also rejects changes to the Edit: Nvm, I just saw your comment about limiting the scope of this work. We should probably make sure that the need to make the fix on those fields too is documented as a separate work item if it isn't already. |
thossain-nv
left a comment
There was a problem hiding this comment.
Looks good @pbreton, left one suggestion.
| ) | ||
| } else { | ||
| err = validation.ValidateStruct(osur, | ||
| validation.Field(&osur.ImageURL, |
The operating-system PATCH validation advertised imageUrl/imageSha as patchable and forced them to be sent together, but site sync forwards those to Core's UpdateOsImage, which rejects any change to source_url/digest as read-only ("os_image update read-only attributes changed"). Callers who only wanted to rotate an image auth token were also blocked, since imageAuthToken could not be sent without imageUrl.
Align the API layer with the immutable-image design: reject changes to imageUrl/imageSha up front with a clear 400 (re-sending the current value stays a no-op), and allow imageAuthType/imageAuthToken to be updated on image-based OS without re-sending imageUrl/imageSha. Update the OpenAPI descriptions and the model/handler tests to match.
Type of Change
Breaking Changes
Testing