SMQ-2627 - Align PATs with new architecture #3295
Conversation
Codecov Report❌ Patch coverage is Additional details and impacted files@@ Coverage Diff @@
## main #3295 +/- ##
===========================================
+ Coverage 53.21% 74.50% +21.28%
===========================================
Files 312 179 -133
Lines 32706 19778 -12928
===========================================
- Hits 17405 14735 -2670
+ Misses 14234 4170 -10064
+ Partials 1067 873 -194 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
nyagamunene
force-pushed
the
SMQ-2627
branch
from
7aa84c3 to
8976860
Compare
| } | ||
|
|
||
| if strings.HasPrefix(token, patPrefix) { | ||
| tokenType := authn.TokenType(res.GetTokenType()) |
There was a problem hiding this comment.
This creates possible misconfiguration issue. I.e. what if token prefix here and tokenType returned from the service are not the same? While we are not able to validate token - we are able to parse it locally (even if only for prefix) and we can do this verification to prevent mismatch.
channels/middleware/authorization.go
Outdated
| } else { | ||
| req.Operation = auth.ListOp | ||
| } | ||
| req.Operation = auth.ChannelDisconnectClientOp |
There was a problem hiding this comment.
Let's stay consistent in naming, compare this to ClientConnectToChannelOp.
| UnshareOp | ||
| PublishOp | ||
| SubscribeOp | ||
| ClientCreateOp Operation = iota + 100 |
There was a problem hiding this comment.
Is it possible to reuse the existing service Operations ?
There was a problem hiding this comment.
we will have cyclic imports
nyagamunene
force-pushed
the
SMQ-2627
branch
from
d2f93f8 to
9632e74
Compare
dborovcanin
force-pushed
the
SMQ-2627
branch
from
81bc751 to
30bd274
Compare
| return err | ||
| } | ||
|
|
||
| var ValidOperationsForEntity = map[EntityType][]Operation{ |
There was a problem hiding this comment.
I noticed here that we have not included domains as an entity, does this mean that pats can not be used for actions on domains?
There was a problem hiding this comment.
From past discussion with @arvindh123, PATs are being used for entities like channels, clients, groups, dashboards and messages. It is not used to create users and domains. @dborovcanin can you confirm this?
There was a problem hiding this comment.
This is fine; we can limit PATS to this at the moment. I.e. PATS are used for users to manage entities within the domain.
auth/pat.go
Outdated
| } | ||
|
|
||
| if !IsValidOperationForEntity(s.EntityType, s.Operation) { | ||
| return errors.Wrap(apiutil.ErrInvalidQueryParams, errors.New("operation not valid for entity type")) |
There was a problem hiding this comment.
You can define this error, instead of calling new each time
internal/proto/auth/v1/auth.proto
Outdated
| string user_id = 2; // User id | ||
| string pat_id = 3; // Pat id | ||
| uint32 entity_type = 4; // Entity type | ||
| string optional_domain_id = 5; // Optional domain id |
There was a problem hiding this comment.
Why not optional string domain_id = 5?
There was a problem hiding this comment.
Since users was remove I think it should be optional
|
|
||
| if pr.PatID != "" && pr.TokenType == authn.PersonalAccessToken { | ||
| pr.EntityID = pr.Object | ||
|
|
||
| switch ram.entityType { | ||
| case policies.ClientType: | ||
| pr.EntityType = auth.ClientsType | ||
| case policies.ChannelType: | ||
| pr.EntityType = auth.ChannelsType | ||
| case policies.GroupType: | ||
| pr.EntityType = auth.GroupsType | ||
| } | ||
|
|
||
| switch op { | ||
| case roles.OpAddRole: | ||
| pr.Operation = auth.RoleAddOp | ||
| case roles.OpRemoveRole: | ||
| pr.Operation = auth.RoleRemoveOp | ||
| case roles.OpUpdateRoleName: | ||
| pr.Operation = auth.RoleUpdateOp | ||
| case roles.OpRetrieveRole: | ||
| pr.Operation = auth.RoleRetrieveOp | ||
| case roles.OpRetrieveAllRoles: | ||
| pr.Operation = auth.RoleRetrieveAllOp | ||
| case roles.OpRoleAddActions: | ||
| pr.Operation = auth.RoleAddActionsOp | ||
| case roles.OpRoleListActions: | ||
| pr.Operation = auth.RoleListActionsOp | ||
| case roles.OpRoleCheckActionsExists: | ||
| pr.Operation = auth.RoleCheckActionsExistsOp | ||
| case roles.OpRoleRemoveActions: | ||
| pr.Operation = auth.RoleRemoveActionsOp | ||
| case roles.OpRoleRemoveAllActions: | ||
| pr.Operation = auth.RoleRemoveAllActionsOp | ||
| case roles.OpRoleAddMembers: | ||
| pr.Operation = auth.RoleAddMembersOp | ||
| case roles.OpRoleListMembers: | ||
| pr.Operation = auth.RoleListMembersOp | ||
| case roles.OpRoleCheckMembersExists: | ||
| pr.Operation = auth.RoleCheckMembersExistsOp | ||
| case roles.OpRoleRemoveMembers: | ||
| pr.Operation = auth.RoleRemoveMembersOp | ||
| case roles.OpRoleRemoveAllMembers: | ||
| pr.Operation = auth.RoleRemoveAllMembersOp | ||
| } | ||
| } |
There was a problem hiding this comment.
I suspect this code need , These should be passed from permissions.yaml file
internal/proto/auth/v1/auth.proto
Outdated
| message PolicyReq { | ||
| uint32 token_type = 1; // Token type | ||
| string domain = 2; // Domain | ||
| string subject_type = 3; // Client or User | ||
| string subject_kind = 4; // ID or Token | ||
| string subject_relation = 5; // Subject relation | ||
| string subject = 6; // Subject value | ||
| string relation = 7; // Relation to filter | ||
| string permission = 8; // Action | ||
| string object = 9; // Object ID | ||
| string object_type = 10; // Client, User, Group | ||
| uint32 token_type = 1; | ||
| string domain = 2; | ||
| string subject_type = 3; | ||
| string subject_kind = 4; | ||
| string subject_relation = 5; | ||
| string subject = 6; | ||
| string relation = 7; | ||
| string permission = 8; | ||
| string object = 9; | ||
| string object_type = 10; | ||
| } |
There was a problem hiding this comment.
Is it possible to fit the PATreq within here? Because we have token_type here
nyagamunene
force-pushed
the
SMQ-2627
branch
2 times, most recently
from
a7d4bd1 to
7a0353a
Compare
Signed-off-by: nyagamunene <[email protected]>
Signed-off-by: nyagamunene <[email protected]>
Signed-off-by: nyagamunene <[email protected]>
Signed-off-by: nyagamunene <[email protected]>
Signed-off-by: nyagamunene <[email protected]>
Signed-off-by: nyagamunene <[email protected]>
Signed-off-by: nyagamunene <[email protected]>
Signed-off-by: nyagamunene <[email protected]>
Signed-off-by: nyagamunene <[email protected]>
Signed-off-by: nyagamunene <[email protected]>
Signed-off-by: nyagamunene <[email protected]>
Signed-off-by: nyagamunene <[email protected]>
Signed-off-by: nyagamunene <[email protected]>
Signed-off-by: nyagamunene <[email protected]>
Signed-off-by: nyagamunene <[email protected]>
Signed-off-by: nyagamunene <[email protected]>
Signed-off-by: nyagamunene <[email protected]>
Signed-off-by: nyagamunene <[email protected]>
Signed-off-by: nyagamunene <[email protected]>
Signed-off-by: nyagamunene <[email protected]>
arvindh123
left a comment
arvindh123
left a comment
There was a problem hiding this comment.
I have idea now, no need to implement in this PR.
We can have the permission map in auth service only
And in policy request we can send only the operations
Since PAT also sends the operation , we can make the users authz to send the operation instead of permission and
In auth service we can convert operations to Permissions
What do you think?
internal/proto/auth/v1/auth.proto
Outdated
| string permission = 7; | ||
| string object = 8; | ||
| string object_type = 9; | ||
| string user_id = 10; |
There was a problem hiding this comment.
Is it possible to use the subject_type and subject instead of this user id ?
internal/proto/auth/v1/auth.proto
Outdated
| string object_type = 9; | ||
| string user_id = 10; | ||
| string pat_id = 11; | ||
| uint32 entity_type = 12; |
There was a problem hiding this comment.
Is it possible to use the object_type instead of entity_type ?
internal/proto/auth/v1/auth.proto
Outdated
| string pat_id = 11; | ||
| uint32 entity_type = 12; | ||
| uint32 operation = 13; | ||
| string entity_id = 14; |
There was a problem hiding this comment.
Is it possible to use the object instead of entity_id ?
Signed-off-by: nyagamunene <[email protected]>
4 participants
What type of PR is this?
What does this do?
Which issue(s) does this PR fix/relate to?
Have you included tests for your changes?
Did you document any new/modified feature?
Notes