fix(rest-api): OS imageUrl/imageSha are immutable on update and change attempt should fail#3294
Conversation
|
Important Review skippedReview was skipped as selected files did not have any reviewable changes. 💤 Files selected but had no reviewable changes (1)
⛔ Files ignored due to path filters (2)
⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Enterprise Run ID: ⛔ Files ignored due to path filters (2)
📒 Files selected for processing (1)
You can disable this status message by setting the Use the checkbox below for a quick retry:
WalkthroughOperatingSystem update validation now rejects changes to ChangesImage immutability validation
Estimated code review effort: 3 (Moderate) | ~25 minutes 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
🔍 Container Scan Summary
Per-CVE detail lives in the per-service |
|
🌿 Preview your docs: https://nvidia-preview-pull-request-3294.docs.buildwithfern.com/infra-controller |
🔐 TruffleHog Secret Scan✅ No secrets or credentials found! Your code has been scanned for 700+ types of secrets and credentials. All clear! 🎉 🕐 Last updated: 2026-07-09 01:19:36 UTC | Commit: b3eb803 |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@rest-api/api/pkg/api/handler/operatingsystem_test.go`:
- Around line 1741-1769: The new table-driven cases in operatingsystem_test.go
depend on a valid ImageSHA fixture, but the current test data prevents the
intended update paths from being exercised. Update the relevant OS fixture/setup
used by os5/os9 so the image OS entries have a correct ImageSHA value, and keep
the unchanged-imageURL and change-rejected cases wired through
updReqValidImageUrl, okBodyImageUrl, and errBodyChangeImageUrl so the success,
400, and timeout scenarios reach the expected handlers.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: 41aa0382-da61-406e-88aa-758fc5b515a2
📒 Files selected for processing (4)
rest-api/api/pkg/api/handler/operatingsystem_test.gorest-api/api/pkg/api/model/operatingsystem.gorest-api/api/pkg/api/model/operatingsystem_test.gorest-api/openapi/spec.yaml
47ccd6c to
13b52b5
Compare
|
Rather than simply updating the descriptions of the open API spec to tell users that updates to |
|
It looks like core logic also rejects changes to the Edit: Nvm, I just saw your comment about limiting the scope of this work. We should probably make sure that the need to make the fix on those fields too is documented as a separate work item if it isn't already. |
thossain-nv
left a comment
There was a problem hiding this comment.
Looks good @pbreton, left one suggestion.
4eaca55 to
8fe553e
Compare
The operating-system PATCH validation advertised imageUrl/imageSha as
patchable and forced them to be sent together, but site sync forwards
those to Core's UpdateOsImage, which rejects any change to
source_url/digest as read-only ("os_image update read-only attributes
changed"). Callers who only wanted to rotate an image auth token were
also blocked, since imageAuthToken could not be sent without imageUrl.
Align the API layer with the immutable-image design: reject changes to
imageUrl/imageSha up front with a clear 400 (re-sending the current
value stays a no-op), and allow imageAuthType/imageAuthToken to be
updated on image-based OS without re-sending imageUrl/imageSha. Update
the OpenAPI descriptions and the model/handler tests to match.
Signed-off-by: Patrice Breton <pbreton@nvidia.com>
Signed-off-by: Patrice Breton <pbreton@nvidia.com>
Move the non-image imageURL rejection into the early OS-type guard so it covers both iPXE and templated-iPXE OS, and drop the duplicate imageURL Nil rule from the non-image ValidateStruct block. Update the second OperatingSystemUpdateRequest OpenAPI example to omit the immutable imageUrl/imageSha, showing a mutable-only image OS update. Signed-off-by: Patrice Breton <pbreton@nvidia.com>
Signed-off-by: Patrice Breton <pbreton@nvidia.com>
8fe553e to
b1d5a07
Compare
The operating-system PATCH validation advertised imageUrl/imageSha as patchable and forced them to be sent together, but site sync forwards those to Core's UpdateOsImage, which rejects any change to source_url/digest as read-only ("os_image update read-only attributes changed"). Callers who only wanted to rotate an image auth token were also blocked, since imageAuthToken could not be sent without imageUrl.
Align the API layer with the immutable-image design: reject changes to imageUrl/imageSha up front with a clear 400 (re-sending the current value stays a no-op), and allow imageAuthType/imageAuthToken to be updated on image-based OS without re-sending imageUrl/imageSha. Update the OpenAPI descriptions and the model/handler tests to match.
Type of Change
Breaking Changes
Testing