@oheger-bosch
Contributor

This PR changes the routes defined in the core module and other components to use the new authorization component.

The cleanup of permissions in Keycloak when a repository is deleted is no
longer needed for the new authorization component. The dependency to an
`AuthorizationService` instance can be dropped.

Signed-off-by: Oliver Heger <[email protected]>

The synchronization of permissions in Keycloak when a product is created
or deleted is no longer needed for the new authorization component. The
dependency to an `AuthorizationService` instance can be dropped.

Signed-off-by: Oliver Heger <[email protected]>

The synchronization of permissions in Keycloak when an organization is
created or deleted is no longer needed for the new authorization
component. The dependency to an `AuthorizationService` instance can be
dropped.

Signed-off-by: Oliver Heger <[email protected]>

Extend the `Role` interface by properties and a companion object that
support dealing with roles on different hierarchy levels in a generic
way. This is going to be used to find out which role is assigned to a
user for a specific element in the hierarchy.

Signed-off-by: Oliver Heger <[email protected]>

Make sure that all roles define the full set of READ permissions on the
next higher level, so that implicit roles inherited upwards in the
hierarchy work correctly.

Signed-off-by: Oliver Heger <[email protected]>

Change the signature to return only one role per user, since a user can
only have a single role on a specific hierarchy element. Implement logic
to determine the correct role.

Signed-off-by: Oliver Heger <[email protected]>

For elements with many users assigned, this may speed up processing.
While at it, add some more log statements to better keep track of ongoing
operations.

Signed-off-by: Oliver Heger <[email protected]>

This is required for the endpoints dealing with user and role management.

Signed-off-by: Oliver Heger <[email protected]>

Before assigning a role to a user, it needs to be checked whether the
username is valid. The new function can be used for this purpose.

Signed-off-by: Oliver Heger <[email protected]>

`KeycloakUserService.getUsersById()` failed for user IDs that could not
be resolved, while the documentation of the function in the interface
states that such users should be ignored. Fix this to be compliant with
documentation.

Signed-off-by: Oliver Heger <[email protected]>

This is a new exception class that is thrown by `DbAuthorizationService`
when it cannot resolve a hierarchy ID. Throwing a special exception in
this case allows handling this error condition differently from normal
authorization errors. For instance, the REST API should return a 404
response if users provide non-existing IDs.

Signed-off-by: Oliver Heger <[email protected]>

Exceptions that occur during authentication and the creation of a
principal are all caught by Ktor and mapped to responses with status code
401. To support different mappings, also based on the `StatusPages`
plugin, record such exceptions in the `OrtServerPrincipal`, so that they
can be evaluated in route handlers, where they are handled in the usual
way.

Signed-off-by: Oliver Heger <[email protected]>

Add an extension function to `OrtServerPrincipal` that allows checking
whether an authenticated principal exists in the current routing context.
This is needed for some routes that require an authenticated user, even
if no specific permissions are checked.

Signed-off-by: Oliver Heger <[email protected]>

Add overloaded versions for the authorized routing functions that support
a path. This variant is used by some endpoints.

Signed-off-by: Oliver Heger <[email protected]>

@oheger-bosch oheger-bosch force-pushed the oheger-bosch/db_authorization_clients branch 2 times, most recently from c5fbc2d to c8d02cb Compare November 6, 2025 11:57

Rework the routes defined in the `core` module to use the new
`Authorization` component.

Signed-off-by: Oliver Heger <[email protected]>

Rework the routes defined in component modules to use the new
`Authorization` component.

Signed-off-by: Oliver Heger <[email protected]>

852d41b added support for infrastructure services on product level, but
no tests were added to check whether the new endpoints require
appropriate permissions. Add such tests now.

Signed-off-by: Oliver Heger <[email protected]>

@oheger-bosch oheger-bosch force-pushed the oheger-bosch/db_authorization_clients branch from c8d02cb to 25b5aac Compare November 6, 2025 13:52

When installing the Keycloak extension, drop the `createRealmPerTest`
flag per default. The additional isolation is no longer needed for most
tests, since no roles or other data in Keycloak are manipulated during
test execution, and an initial setup of test users used by the test cases
is sufficient. For tests that do manipulate the state in Keycloak,
support enabling this feature on demand.

Avoiding the repeated setup of the realm saves a few seconds for every
test case, which has a notable effect on the total test execution times.

Signed-off-by: Oliver Heger <[email protected]>

@oheger-bosch oheger-bosch force-pushed the oheger-bosch/db_authorization_clients branch from 25b5aac to b7f58df Compare November 6, 2025 14:42

The filter's `isWildcard` flag was always set to `true` for
superusers. This prevented the `containedIn` filter from being applied
correctly. Fix this by taking the presence of a `containedIn` filter into
account.

Signed-off-by: Oliver Heger <[email protected]>

In the endpoint to fetch the products of an organization, apply a
`HierarchyFilter`. Extend `OrganizationService` accordingly. This makes
sure that only products are listed that are visible to the user. If a
user has only been granted access to specific repositories, he or she
should only see the products these repositories belong to, even if there
is an implicit READ right on the organization.

Signed-off-by: Oliver Heger <[email protected]>

In the endpoint to fetch the repositories of a product, apply a
`HierarchyFilter`. Extend `ProductService` accordingly. This makes
sure that only repositories are listed that are visible to the user. By
having access to some repositories, the user gets implicit READ
permission on the owning products. However, in these products, not
automatically all repositories are visible.

Signed-off-by: Oliver Heger <[email protected]>
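
The visibility rule described in the two commit messages above (implicit READ upwards, filtered listings downwards), as an added example that is not part of this PR or of the project's code. All names (`Element`, `Visibility`, `visibleChildren`) are hypothetical, and the model assumes that a grant on an element also covers everything below it.

```kotlin
// Added illustration: a simplified model, not the project's HierarchyFilter.
// All types and functions here are hypothetical.
data class Element(val id: String, val parent: Element? = null)

/** READ visibility of one user, derived from the IDs the user holds a role on. */
class Visibility(private val grants: Set<String>, private val all: List<Element>) {
    private fun ancestors(e: Element): Sequence<Element> =
        generateSequence(e.parent) { it.parent }

    /** Assumption: a role on an element or on one of its ancestors covers the element. */
    private fun coveredByGrant(e: Element): Boolean =
        e.id in grants || ancestors(e).any { it.id in grants }

    /** Visible if covered by a grant, or if a covered descendant exists (implicit READ upwards). */
    fun isVisible(e: Element): Boolean =
        coveredByGrant(e) || all.any { d -> coveredByGrant(d) && ancestors(d).any { it == e } }

    /** Listing children: filter each child instead of trusting READ on the parent. */
    fun visibleChildren(parent: Element): List<Element> =
        all.filter { it.parent == parent && isVisible(it) }
}

fun main() {
    // Constructed sample hierarchy: one organization, two products, three repositories.
    val org = Element("org")
    val p1 = Element("p1", org)
    val p2 = Element("p2", org)
    val r1 = Element("r1", p1)
    val r2 = Element("r2", p1)
    val r3 = Element("r3", p2)
    val all = listOf(org, p1, p2, r1, r2, r3)

    // The user holds a role on repository r1 only.
    val v = Visibility(setOf("r1"), all)
    check(v.isVisible(org) && v.isVisible(p1))   // implicit READ on the owners of r1
    check(v.visibleChildren(org) == listOf(p1))  // p2 must not be listed
    check(v.visibleChildren(p1) == listOf(r1))   // r2 must not be listed
    check(!v.isVisible(r3))
    println("products=${v.visibleChildren(org).map { it.id }} repos=${v.visibleChildren(p1).map { it.id }}")
}
```

A listing endpoint that only checked READ on `org` would return both `p1` and `p2` here; filtering each child is what keeps `p2` and `r2` out of the response.
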
@oheger-bosch
Contributor Author

Closing in favor of #3908.
