fix: adds sub and role into authorization context (#1503)

Author: filipecabaco

lib/realtime/tenants/authorization.ex

@@ -18,24 +18,27 @@ defmodule Realtime.Tenants.Authorization do
   alias Realtime.GenRpc
   alias Realtime.Tenants.Authorization.Policies
 
-  defstruct [:tenant_id, :topic, :headers, :jwt, :claims, :role]
+  defstruct [:tenant_id, :topic, :headers, :jwt, :claims, :role, :sub]
 
   @type t :: %__MODULE__{
           :tenant_id => binary | nil,
           :topic => binary | nil,
           :claims => map,
           :headers => list({binary, binary}),
-          :role => binary
+          :role => binary,
+          :sub => binary | nil
         }
 
   @doc """
   Builds a new authorization struct which will be used to retain the information required to check Policies.
 
   Requires a map with the following keys:
+  * tenant_id: The tenant id
   * topic: The name of the channel being accessed taken from the request
-  * headers: Request headers when the connection was made or WS was updated
+  * headers: Request headers when the connection was made or WS was upgraded
   * claims: JWT claims
-  * role: JWT role
+  * role: JWT role claim
+  * sub: JWT sub claim
   """
   @spec build_authorization_params(map()) :: t()
   def build_authorization_params(map) do
@@ -44,7 +47,8 @@ defmodule Realtime.Tenants.Authorization do
       topic: Map.get(map, :topic),
       headers: Map.get(map, :headers),
       claims: Map.get(map, :claims),
-      role: Map.get(map, :role)
+      role: Map.get(map, :role),
+      sub: Map.get(map, :sub)
     }
   end
 
@@ -123,29 +127,31 @@ defmodule Realtime.Tenants.Authorization do
   * request.jwt.claims: The claims of the JWT token
   * request.headers: The headers of the request
   """
-  @spec set_conn_config(DBConnection.t(), t()) ::
-          {:ok, Postgrex.Result.t()} | {:error, Exception.t()}
+  @spec set_conn_config(DBConnection.t(), t()) :: Postgrex.Result.t()
   def set_conn_config(conn, authorization_context) do
     %__MODULE__{
       topic: topic,
       headers: headers,
       claims: claims,
-      role: role
+      role: role,
+      sub: sub
     } = authorization_context
 
     claims = Jason.encode!(claims)
     headers = headers |> Map.new() |> Jason.encode!()
 
-    Postgrex.query(
+    Postgrex.query!(
       conn,
       """
       SELECT
-       set_config('role', $1, true),
-       set_config('realtime.topic', $2, true),
-       set_config('request.jwt.claims', $3, true),
-       set_config('request.headers', $4, true)
+        set_config('role', $1, true),
+        set_config('realtime.topic', $2, true),
+        set_config('request.jwt.claims', $3, true),
+        set_config('request.jwt.claim.sub', $4, true),
+        set_config('request.jwt.claim.role', $5, true),
+        set_config('request.headers', $6, true)
       """,
-      [role, topic, claims, headers]
+      [role, topic, claims, sub, role, headers]
     )
   end
 

lib/realtime/tenants/batch_broadcast.ex

@@ -39,7 +39,8 @@ defmodule Realtime.Tenants.BatchBroadcast do
       tenant_id: tenant.external_id,
       headers: conn.req_headers,
       claims: conn.assigns.claims,
-      role: conn.assigns.role
+      role: conn.assigns.role,
+      sub: conn.assigns.sub
     }
 
     broadcast(auth_params, %Tenant{} = tenant, messages, super_user)

lib/realtime_web/channels/realtime_channel.ex

@@ -715,7 +715,8 @@ defmodule RealtimeWeb.RealtimeChannel do
         topic: topic,
         headers: Map.get(socket.assigns, :headers, []),
         claims: claims,
-        role: claims["role"]
+        role: claims["role"],
+        sub: claims["sub"]
       })
 
     assign(socket, :authorization_context, authorization_context)

lib/realtime_web/plugs/auth_tenant.ex

@@ -25,6 +25,7 @@ defmodule RealtimeWeb.AuthTenant do
       |> assign(:claims, claims)
       |> assign(:jwt, token)
       |> assign(:role, claims["role"])
+      |> assign(:sub, claims["sub"])
     else
       _error -> unauthorized(conn)
     end

mix.exs

@@ -4,7 +4,7 @@ defmodule Realtime.MixProject do
   def project do
     [
       app: :realtime,
-      version: "2.43.0",
+      version: "2.43.1",
       elixir: "~> 1.17.3",
       elixirc_paths: elixirc_paths(Mix.env()),
       start_permanent: Mix.env() == :prod,

test/integration/rt_channel_test.exs

@@ -1864,6 +1864,45 @@ defmodule Realtime.Integration.RtChannelTest do
   describe "authorization handling" do
     setup [:rls_context]
 
+    @tag policies: [:read_matching_user_role, :write_matching_user_role], role: "anon"
+    test "role policies are respected when accessing the channel", %{tenant: tenant} do
+      {socket, _} = get_connection(tenant, "anon")
+      config = %{broadcast: %{self: true}, private: true, presence: %{enabled: false}}
+      topic = random_string()
+      realtime_topic = "realtime:#{topic}"
+
+      WebsocketClient.join(socket, realtime_topic, %{config: config})
+
+      assert_receive %Message{event: "phx_reply", payload: %{"status" => "ok"}, topic: ^realtime_topic}, 500
+
+      {socket, _} = get_connection(tenant, "potato")
+      topic = random_string()
+      realtime_topic = "realtime:#{topic}"
+
+      WebsocketClient.join(socket, realtime_topic, %{config: config})
+      refute_receive %Message{event: "phx_reply", payload: %{"status" => "ok"}, topic: ^realtime_topic}, 500
+    end
+
+    @tag policies: [:authenticated_read_matching_user_sub, :authenticated_write_matching_user_sub],
+         sub: Ecto.UUID.generate()
+    test "sub policies are respected when accessing the channel", %{tenant: tenant, sub: sub} do
+      {socket, _} = get_connection(tenant, "authenticated", %{sub: sub})
+      config = %{broadcast: %{self: true}, private: true, presence: %{enabled: false}}
+      topic = random_string()
+      realtime_topic = "realtime:#{topic}"
+
+      WebsocketClient.join(socket, realtime_topic, %{config: config})
+
+      assert_receive %Message{event: "phx_reply", payload: %{"status" => "ok"}, topic: ^realtime_topic}, 500
+
+      {socket, _} = get_connection(tenant, "authenticated", %{sub: Ecto.UUID.generate()})
+      topic = random_string()
+      realtime_topic = "realtime:#{topic}"
+
+      WebsocketClient.join(socket, realtime_topic, %{config: config})
+      refute_receive %Message{event: "phx_reply", payload: %{"status" => "ok"}, topic: ^realtime_topic}, 500
+    end
+
     @tag role: "authenticated",
          policies: [:broken_read_presence, :broken_write_presence]
 
@@ -2305,10 +2344,13 @@ defmodule Realtime.Integration.RtChannelTest do
     {:ok, db_conn} = Database.connect(tenant, "realtime_test", :stop)
     clean_table(db_conn, "realtime", "messages")
     topic = Map.get(context, :topic, random_string())
+    policies = Map.get(context, :policies, nil)
+    role = Map.get(context, :role, nil)
+    sub = Map.get(context, :sub, nil)
 
-    if policies = context[:policies], do: create_rls_policies(db_conn, policies, %{topic: topic})
+    if policies, do: create_rls_policies(db_conn, policies, %{topic: topic, role: role, sub: sub})
 
-    %{topic: topic}
+    %{topic: topic, role: role, sub: sub}
   end
 
   defp setup_trigger(%{tenant: tenant, topic: topic}) do

test/realtime/tenants/authorization_test.exs

@@ -23,44 +23,57 @@ defmodule Realtime.Tenants.AuthorizationTest do
          ]
     test "authenticated user has expected policies", context do
       {:ok, policies} =
-        Authorization.get_read_authorizations(
-          %Policies{},
-          context.db_conn,
-          context.authorization_context
-        )
+        Authorization.get_read_authorizations(%Policies{}, context.db_conn, context.authorization_context)
 
       {:ok, policies} =
-        Authorization.get_write_authorizations(
-          policies,
-          context.db_conn,
-          context.authorization_context
-        )
+        Authorization.get_write_authorizations(policies, context.db_conn, context.authorization_context)
 
       assert %Policies{
                broadcast: %BroadcastPolicies{read: true, write: true},
                presence: %PresencePolicies{read: true, write: true}
              } == policies
     end
 
+    @tag role: "authenticated",
+         policies: [:authenticated_read_matching_user_sub],
+         sub: "ccbdfd51-c5aa-4d61-8c17-647664466a26"
+    test "authenticated user sub is available", context do
+      assert {:ok, %Policies{broadcast: %BroadcastPolicies{read: true, write: nil}}} =
+               Authorization.get_read_authorizations(%Policies{}, context.db_conn, context.authorization_context)
+
+      authorization_context = %{context.authorization_context | sub: "135f6d25-5840-4266-a8ca-b9a45960e424"}
+
+      assert {:ok, %Policies{broadcast: %BroadcastPolicies{read: false, write: nil}}} =
+               Authorization.get_read_authorizations(%Policies{}, context.db_conn, authorization_context)
+    end
+
+    @tag role: "authenticated",
+         policies: [:read_matching_user_role]
+    test "user role is exposed", context do
+      # policy role is checking for "authenticated"
+      # set_config is setting request.jwt.claim.role to authenticated as well
+      assert {:ok, %Policies{broadcast: %BroadcastPolicies{read: true, write: nil}}} =
+               Authorization.get_read_authorizations(%Policies{}, context.db_conn, context.authorization_context)
+
+      authorization_context = %{context.authorization_context | role: "anon"}
+
+      # policy role is checking for "authenticated"
+      # set_config is setting request.jwt.claim.role to anon
+      assert {:ok, %Policies{broadcast: %BroadcastPolicies{read: false, write: nil}}} =
+               Authorization.get_read_authorizations(%Policies{}, context.db_conn, authorization_context)
+    end
+
     @tag role: "anon",
          policies: [
            :authenticated_read_broadcast_and_presence,
            :authenticated_write_broadcast_and_presence
          ]
     test "anon user has no policies", context do
       {:ok, policies} =
-        Authorization.get_read_authorizations(
-          %Policies{},
-          context.db_conn,
-          context.authorization_context
-        )
+        Authorization.get_read_authorizations(%Policies{}, context.db_conn, context.authorization_context)
 
       {:ok, policies} =
-        Authorization.get_write_authorizations(
-          policies,
-          context.db_conn,
-          context.authorization_context
-        )
+        Authorization.get_write_authorizations(policies, context.db_conn, context.authorization_context)
 
       assert %Policies{
                broadcast: %BroadcastPolicies{read: false, write: false},
@@ -119,39 +132,19 @@ defmodule Realtime.Tenants.AuthorizationTest do
          policies: [:broken_read_presence, :broken_write_presence]
     test "broken RLS policy sets policies to false and shows error to user", context do
       assert {:error, :rls_policy_error, %Postgrex.Error{}} =
-               Authorization.get_read_authorizations(
-                 %Policies{},
-                 context.db_conn,
-                 context.authorization_context
-               )
+               Authorization.get_read_authorizations(%Policies{}, context.db_conn, context.authorization_context)
 
       assert {:error, :rls_policy_error, %Postgrex.Error{}} =
-               Authorization.get_write_authorizations(
-                 %Policies{},
-                 context.db_conn,
-                 context.authorization_context
-               )
+               Authorization.get_write_authorizations(%Policies{}, context.db_conn, context.authorization_context)
 
       assert {:error, :rls_policy_error, %Postgrex.Error{}} =
-               Authorization.get_read_authorizations(
-                 %Policies{},
-                 context.db_conn,
-                 context.authorization_context
-               )
+               Authorization.get_read_authorizations(%Policies{}, context.db_conn, context.authorization_context)
 
       assert {:error, :rls_policy_error, %Postgrex.Error{}} =
-               Authorization.get_write_authorizations(
-                 %Policies{},
-                 context.db_conn,
-                 context.authorization_context
-               )
+               Authorization.get_write_authorizations(%Policies{}, context.db_conn, context.authorization_context)
 
       assert {:error, :rls_policy_error, %Postgrex.Error{}} =
-               Authorization.get_write_authorizations(
-                 %Policies{},
-                 context.db_conn,
-                 context.authorization_context
-               )
+               Authorization.get_write_authorizations(%Policies{}, context.db_conn, context.authorization_context)
     end
   end
 
@@ -162,19 +155,8 @@ defmodule Realtime.Tenants.AuthorizationTest do
            :authenticated_write_broadcast_and_presence
          ]
     test "authenticated user has expected policies", context do
-      {:ok, _} =
-        Authorization.get_read_authorizations(
-          %Policies{},
-          context.db_conn,
-          context.authorization_context
-        )
-
-      {:ok, _} =
-        Authorization.get_write_authorizations(
-          %Policies{},
-          context.db_conn,
-          context.authorization_context
-        )
+      {:ok, _} = Authorization.get_read_authorizations(%Policies{}, context.db_conn, context.authorization_context)
+      {:ok, _} = Authorization.get_write_authorizations(%Policies{}, context.db_conn, context.authorization_context)
 
       {:ok, db_conn} = Database.connect(context.tenant, "realtime_test")
       assert {:ok, []} = Repo.all(db_conn, Message, Message)
@@ -205,19 +187,8 @@ defmodule Realtime.Tenants.AuthorizationTest do
         %{}
       )
 
-      {:ok, _} =
-        Authorization.get_read_authorizations(
-          %Policies{},
-          context.db_conn,
-          context.authorization_context
-        )
-
-      {:ok, _} =
-        Authorization.get_write_authorizations(
-          %Policies{},
-          context.db_conn,
-          context.authorization_context
-        )
+      {:ok, _} = Authorization.get_read_authorizations(%Policies{}, context.db_conn, context.authorization_context)
+      {:ok, _} = Authorization.get_write_authorizations(%Policies{}, context.db_conn, context.authorization_context)
 
       external_id = context.authorization_context.tenant_id
 
@@ -232,19 +203,20 @@ defmodule Realtime.Tenants.AuthorizationTest do
   def rls_context(context) do
     tenant = Containers.checkout_tenant(run_migrations: true)
     {:ok, db_conn} = Database.connect(tenant, "realtime_test", :stop)
-    topic = random_string()
+    topic = context[:topic] || random_string()
 
-    create_rls_policies(db_conn, context.policies, %{topic: topic})
+    create_rls_policies(db_conn, context.policies, %{topic: topic, sub: context[:sub], role: context.role})
 
-    claims = %{sub: random_string(), role: context.role, exp: Joken.current_time() + 1_000}
+    claims = %{"sub" => context[:sub] || random_string(), "role" => context.role, "exp" => Joken.current_time() + 1_000}
 
     authorization_context =
       Authorization.build_authorization_params(%{
         tenant_id: tenant.external_id,
         topic: topic,
         claims: claims,
         headers: [{"header-1", "value-1"}],
-        role: claims.role
+        role: claims["role"],
+        sub: claims["sub"]
       })
 
     Realtime.Tenants.Migrations.create_partitions(db_conn)