@oheger-bosch

This PR should contain everything that is needed to switch to the new authorization component:

  • the reworked routes
  • the migration to the new data structures
  • changes for the UI

This is still WIP.

The cleanup of permissions in Keycloak when a repository is deleted is no
longer needed for the new authorization component. The dependency on an
`AuthorizationService` instance can be dropped.

Signed-off-by: Oliver Heger <[email protected]>
The synchronization of permissions in Keycloak when a product is created
or deleted is no longer needed for the new authorization component. The
dependency on an `AuthorizationService` instance can be dropped.

Signed-off-by: Oliver Heger <[email protected]>
The synchronization of permissions in Keycloak when an organization is
created or deleted is no longer needed for the new authorization
component. The dependency on an `AuthorizationService` instance can be
dropped.

Signed-off-by: Oliver Heger <[email protected]>
Rework the routes defined in the `core` module to use the new
`Authorization` component.

Signed-off-by: Oliver Heger <[email protected]>
Rework the routes defined in component modules to use the new
`Authorization` component.

Signed-off-by: Oliver Heger <[email protected]>
@oheger-bosch oheger-bosch force-pushed the oheger-bosch/db_authorization_integration branch from c1615e5 to 1ad8cfa Compare November 7, 2025 10:28
When configuring the Ktor application, activate the new authorization
component instead of the old one.

Signed-off-by: Oliver Heger <[email protected]>
852d41b added support for infrastructure services on product level, but
no tests were added to check whether the new endpoints require
appropriate permissions. Add such tests now.

Signed-off-by: Oliver Heger <[email protected]>
When installing the Keycloak extension, drop the `createRealmPerTest`
flag by default. The additional isolation is no longer needed for most
tests, since no roles or other data in Keycloak are manipulated during
test execution, and an initial setup of test users used by the test cases
is sufficient. For tests that do manipulate the state in Keycloak,
support enabling this feature on demand.

Avoiding the repeated setup of the realm saves a few seconds for every
test case, which has a notable effect on the total test execution times.

Signed-off-by: Oliver Heger <[email protected]>
The filter's `isWildcard` flag was always set to `true` for
superusers. This prevented the `containedIn` filter from being applied
correctly. Fix this by taking the presence of a `containedIn` filter into
account.

Signed-off-by: Oliver Heger <[email protected]>
In the endpoint to fetch the products of an organization, apply a
`HierarchyFilter`. Extend `OrganizationService` accordingly. This makes
sure that only products are listed that are visible to the user. If a
user has only been granted access to specific repositories, he or she
should only see the products these repositories belong to, even if there
is an implicit READ right on the organization.

Signed-off-by: Oliver Heger <[email protected]>
In the endpoint to fetch the repositories of a product, apply a
`HierarchyFilter`. Extend `ProductService` accordingly. This makes
sure that only repositories are listed that are visible to the user. By
having access to some repositories, the user gets implicit READ
permission on the owning products. However, in these products, not all
repositories are automatically visible.

Signed-off-by: Oliver Heger <[email protected]>
Create a new `RolesToDbMigration` class offering a function that can
create structures in the database that correspond to the roles and
permissions currently kept in Keycloak. The function is going to be called
on startup of ORT Server to perform a one-time migration.

Signed-off-by: Oliver Heger <[email protected]>
@oheger-bosch oheger-bosch force-pushed the oheger-bosch/db_authorization_integration branch from 1ad8cfa to 68767bf Compare November 7, 2025 14:10
Instead of doing a synchronization of roles in Keycloak, trigger a
migration to new access rights structures on startup of the core
component.

Signed-off-by: Oliver Heger <[email protected]>
This endpoint is going to be used by the UI to adapt itself according to
the status of the current user.

Make a function of AbstractAuthorizationTest public which can be reused
here to access the authorization infrastructure.

Signed-off-by: Oliver Heger <[email protected]>
@oheger-bosch oheger-bosch force-pushed the oheger-bosch/db_authorization_integration branch from 68767bf to 4215152 Compare November 7, 2025 15:30