
Feature/#1059 Enable RBAC Checks for Authenticated Users After JWT Validation #1277

Merged
jpgough-ms merged 15 commits into finos:main from challamani-ms:feature/#1059
May 28, 2025

Conversation

@challamani-ms
Contributor

@challamani-ms challamani-ms commented May 15, 2025

PR contains the following changes:

  • REST endpoints to create/get user-access details; these endpoints are only accessible with namespace:admin scopes.
  • UserAccessvalidatorService to perform RBAC check for the incoming request.
  • Introduced a calm-hub-admin-app (a ClientId in Keycloak) to be able to create user-access records for CalmUI/CalmCLI users.
  • Unit and Integration tests
  • For integration tests with authorization code flow grant type, we require a headless browser container to be able to generate an access token that is encoded with the authorized username, but currently, in one of the integration tests, I have used the password grant to enrich the username in the JWT.

Pending:

  • How to perform RBAC for those endpoints that are not tied to a namespace, e.g., /calm/namespaces
  • UserAccess audit service to insert entries into UserAccessAudit collection on any changes to existing UserAccess records.

THIS SOFTWARE IS CONTRIBUTED SUBJECT TO THE TERMS OF THE FINOS Corporate Contributor License Agreement.

THIS SOFTWARE IS LICENSED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OF NON-INFRINGEMENT, ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. THIS SOFTWARE MAY BE REDISTRIBUTED TO OTHERS ONLY BY EFFECTIVELY USING THIS OR ANOTHER EQUIVALENT DISCLAIMER IN ADDITION TO ANY OTHER REQUIRED LICENSE TERMS.
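As an added illustration, not code from CALM Hub or from this PR: the authorization decision the description outlines, run only after the JWT itself has been validated. The `/calm/user-access` path, the `sub` and `scope` claim names, the read/write permission model and the sample records are my assumptions; the non-namespaced case is left default-deny because the PR lists its policy as still pending.

```python
import re

# Assumed claim names and paths (not from the PR); the scope name is the PR's.
ADMIN_SCOPE = "namespace:admin"
ADMIN_PATH_PREFIX = "/calm/user-access"          # hypothetical admin endpoint
NS_PATH = re.compile(r"^/calm/namespaces/([^/]+)(/.*)?$")
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

# Constructed sample user-access records: (username, namespace, permission).
# In CALM Hub these would come from the UserAccess collection.
USER_ACCESS = [
    ("alice", "finos", "write"),
    ("bob", "finos", "read"),
]


def has_scope(claims, scope):
    """Scopes arrive as a space-separated 'scope' claim; missing claim = none."""
    return scope in claims.get("scope", "").split()


def authorize(claims, method, path):
    """Return (allowed, reason). `claims` must already be the verified payload
    (signature, issuer, audience and expiry checked); nothing here re-validates."""
    # Admin-only endpoints are decided purely by the scope carried in the token.
    if path.startswith(ADMIN_PATH_PREFIX):
        if has_scope(claims, ADMIN_SCOPE):
            return True, "admin scope present"
        return False, "missing namespace:admin scope"

    match = NS_PATH.match(path)
    if not match:
        # Not tied to a namespace (e.g. /calm/namespaces): policy is still
        # open in the PR, so deny by default rather than fall open.
        return False, "no namespace in path; policy undefined"

    namespace = match.group(1)
    user = claims.get("sub")
    needed = "write" if method in WRITE_METHODS else "read"
    for username, ns, permission in USER_ACCESS:
        if username != user or ns != namespace:
            continue
        # A write record also satisfies read; a read record never allows writes.
        if needed == "read" or permission == "write":
            return True, f"{permission} on {namespace}"
        return False, f"{user} has read-only access to {namespace}"
    return False, f"no user-access record for {user} in {namespace}"
```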

@linux-foundation-easycla

linux-foundation-easycla bot commented May 15, 2025

CLA Signed

The committers listed above are authorized under a signed CLA.

@github-actions github-actions bot added the calm-hub The Calm Hub Product label May 15, 2025
@challamani-ms challamani-ms marked this pull request as ready for review May 15, 2025 17:21
@challamani-ms challamani-ms requested a review from jpgough-ms May 27, 2025 17:08
@jpgough-ms jpgough-ms merged commit 8fb5291 into finos:main May 28, 2025
9 checks passed