fix: [M3-7967] - Returning proper scope when selecting all perms

[jaalah-akamai]

Description 📝

The Cloud Manager isn't working right when making tokens that should have access to everything. Even when you choose 'all' for the token's access level, it's mistakenly giving limited access (even though the scopes are all included). Also, when making tokens using the API and setting access to * (which should mean everything), it should reply with * to show that. But, it's listing out each access area one by one instead of just using *, which is not what's supposed to happen.

Changes 🔄

• No longer need to filter out child account access since API is in prod
• We're still only visually showing the "child account access" perm for accounts that have access to it from a user experience point of view (even though the perm will be part of the token). This is ok since features are still blocked from a grants perspective.

Target release date 🗓️

4/8-9/2024 (Hotfix)

Preview 📷

Before:

{
  "id": 123,
  "scopes": "account:read_write child_account:read_write databases:read_write domains:read_write events:read_write firewall:read_write images:read_write ips:read_write linodes:read_write lke:read_write longview:read_write nodebalancers:read_write object_storage:read_write stackscripts:read_write vpc:read_write volumes: read_write",
  "created": "2024-04-08T13:26:24",
  "label": "all-scopes-but-not-star",
  "token": "abcd",
  "expiry": "2024-10-08T00:00:00"
}

After:

{
  "id": 123,
  "scopes": "*",
  "created": "2024-04-08T13:26:24",
  "label": "this-has-star-indicating-all-scopes",
  "token": "abcd",
  "expiry": "2024-10-08T00:00:00"
}

How to test 🧪

Prerequisites

• Log into normal development account
• Log into Parent account using developer credentials
  • Test as Parent User - Unrestricted Access
  • Test as Parent User - Restricted Access with no child account access grant

Reproduction steps

• Currently, selected "All" for any new PAT in any account will generate an enumerated scope list, not scopes: "*"

Verification steps

• In a normal development account (non-parent/child), create a PAT with all scopes, and observe response has scopes: "*"
  • Further, observe that child account access is NOT visible
• In a parent user account (unrestricted access), create a PAT with all scopes, and observe response has scopes: "*"
  • Further, observe that child account access is visible.
• In a parent user account (restricted access with no child account access grant), create a PAT with all scopes, and observe response has scopes: "*"
  • Further, observe that child account access is NOT visible.

As an Author I have considered 🤔

Check all that apply

• 👀 Doing a self review
• ❔ Our contribution guidelines
• 🤏 Splitting feature into small PRs
• ➕ Adding a changeset
• 🧪 Providing/Improving test coverage
• 🔐 Removing all sensitive information from the code and PR description
• 🚩 Using a feature flag to protect the release
• 👣 Providing comprehensive reproduction steps
• 📑 Providing or updating our documentation
• 🕛 Scheduling a pair reviewing session
• 📱 Providing mobile support
• ♿ Providing accessibility support

[abailly-akamai]

scopeTup - was wondering what it meant at first EDIT: This is whole thing is a bit hard to read because of naming conventions. naming it a tuple is ok-ish wondering if we can come up with something better.

also:
const something = renamedScopeTup[0]
const somethingElse = renamedScopeTup[1]

or similar to improve readability?

[dwiley-akamai]

I believe it means "scope tuple", but agreed that this section of the code base isn't the most readable

[abailly-akamai]

could be a follow up since this is a hotfix

[jaalah-akamai]

Noted for followup ✏️

[abailly-akamai]

same logic as CreateAPITokenDrawer https://github.com/linode/manager/pull/10359/files#diff-d179f0d0f9fc3644a265f97bc10ba57f5e177c4c96b9960e7b9f779bb7c724aeR204-R207

can we keep things dry and util this logic?

[github-actions]

Coverage Report: ✅
Base Coverage: 81.7%
Current Coverage: 81.7%

[abailly-akamai]

Confirmed the steps outlined in the PR description and got the proper answer (I think) when using a parent account

[bnussman-akamai]

Tested on my normal personal account, a parent account, and a restricted parent account. Everything worked as expected! ✅

[mjac0bs]

✅ In a normal development account (non-parent/child), create a PAT with all scopes, and observed response has scopes: "*"
✅ Observed that child account access is NOT visible

✅ In a parent user account (unrestricted access), create a PAT with all scopes, and observed response has scopes: "*"
✅ Observe that child account access is visible.

✅ In a parent user account (restricted access with no child account access grant), create a PAT with all scopes, and observe response has scopes: "*"
✅ Observe that child account access is NOT visible.

Confirmed that child_account_access is showing up in the View Account Access drawer as expected, as well.