Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SO-4113: authorization improvements #880

Merged
merged 7 commits into from
Aug 18, 2021
Merged

SO-4113: authorization improvements #880

merged 7 commits into from
Aug 18, 2021

Conversation

cmark
Copy link
Member

@cmark cmark commented Aug 17, 2021

This PR introduces new authorization options to allow/restrict access to server resources.
Access tokens describe the necessary scopes to give access to certain resources, either by:

  • directly denoting the resource ID in the scope
  • denoting the containing bundle ID in the scope (direct bundleId parent for now)
  • or by allowing access to all resources (*)

@cmark
feat(auth): refactor permission model and authorization to support...
0af462b 
...multiple resources per permission (all or anyof matching)
@cmark
chore: fix references to changed/removed classes/constants
462b42b
@cmark
feat(auth): refactor permission model and authorization to support...
a6a6a93 
...multiple resources per permission (all or anyof matching)

Fix remaining compile errors and test failures.
@cmark
feat(auth): support oath2 style bearer token headers in rest tests
0a4382e 
Support security filter when searching for resource documents
(CodeSystems, Bundles, etc.) which restricts the result set to the
allowed resources.
Users require either direct access by ID, or transitive access via
permission to a container bundle ID otherwise they will receive HTTP 404
messages that the resource is not found (or empty lists if it was a
search request).
@cmark
fix(auth): missing User object when evaluating access control
1049bb3
@cmark cmark requested a review from apeteri August 17, 2021 15:05
@cmark cmark self-assigned this Aug 17, 2021
apeteri
apeteri requested changes Aug 17, 2021
View reviewed changes
Copy link
Member

@apeteri apeteri left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

GetResourceRequest should also implement AccessControl, the same way as UpdateRequest does; I think I saw some sub-classes in the other repository where the implements keyword was removed entirely.

...nal.snowowl.core/src/com/b2international/snowowl/core/request/BaseResourceSearchRequest.java
*/
protected final void addSecurityFilter(ExpressionBuilder queryBuilder, User user) {
if (!user.isAdministrator() && !user.hasPermission(Permission.requireAll(Permission.OPERATION_BROWSE, Permission.ALL))) {
Set<String> permittedResourceIds = user.getPermissions().stream().flatMap(p -> p.getResources().stream()).collect(Collectors.toSet());
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does having any sort of permission on a resource imply BROWSE rights? With the currently used operations (edit, import, export, version, promote task, classify), it feels so.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, if you have at least one permission with other than the browse scope that includes the browse scope as well. For example, you would not be able to edit a resource without reading it first if this wasn't true.

...international.snowowl.core/src/com/b2international/snowowl/core/identity/BasePermission.java Outdated

@Override
public final String getPermission() {
if (permission == null) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For thread safety reasons, this should be put into a memoizing Supplier instead.

core/com.b2international.snowowl.core/src/com/b2international/snowowl/core/identity/User.java Outdated
@@ -50,7 +54,10 @@ public String getUsername() {

@JsonIgnore
public List<Permission> getPermissions() {
return getRoles().stream().flatMap(role -> role.getPermissions().stream()).distinct().collect(Collectors.toList());
if (permissions == null) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same here.

@cmark
Copy link
Member Author

cmark commented Aug 17, 2021
edited
Loading

GetResourceRequest should also implement AccessControl, the same way as UpdateRequest does; I think I saw some sub-classes in the other repository where the implements keyword was removed entirely.

Unfortunately, we cannot apply the same pattern there because certain subclasses (like CodeSystemGetRequest) should NOT check for access control. Scenarios where the token only states that the user has access to a bundle (and implicitly all its contained resources) would fail early because the permissions only describe the bundle and getting the nested resource requires evaluation of the described permissions, so this becomes a post-check as opposed to a pre-check.
What I could do instead is to introduce a new subclass that implements the same logic as the UpgradeRequest, but with the browse scope, but certain get requests require other scopes like ClassificationGetRequest, which require a non-default scope, which would further increase the complexity of that hierarchy, so I have decided to ditch the idea.

@cmark
Copy link
Member Author

cmark commented Aug 17, 2021

@apeteri fixed (or answered) all requested changes (comments).

@codecov-commenter
Copy link

Codecov Report

Merging #880 (8a8f89d) into 8.x (5900031) will increase coverage by 0.14%.
The diff coverage is 50.00%.

Impacted file tree graph

@@             Coverage Diff              @@
##                8.x     #880      +/-   ##
============================================
+ Coverage     62.46%   62.61%   +0.14%     
- Complexity    11465    11520      +55     
============================================
  Files          1709     1712       +3     
  Lines         55001    55072      +71     
  Branches       5267     5274       +7     
============================================
+ Hits          34359    34485     +126     
+ Misses        18467    18401      -66     
- Partials       2175     2186      +11
Impacted Files Coverage Δ
...onal/snowowl/core/authorization/AccessControl.java 0.00% <0.00%> (-100.00%) ⬇️
...owowl/core/branch/AbstractBranchChangeRequest.java 88.75% <ø> (ø)
...ional/snowowl/core/branch/BranchCreateRequest.java 92.85% <ø> (ø)
...ional/snowowl/core/branch/BranchDeleteRequest.java 100.00% <ø> (ø)
...national/snowowl/core/branch/BranchGetRequest.java 100.00% <ø> (ø)
...ional/snowowl/core/branch/BranchReopenRequest.java 0.00% <ø> (ø)
...ional/snowowl/core/branch/BranchSearchRequest.java 83.72% <ø> (ø)
...ional/snowowl/core/branch/BranchUpdateRequest.java 77.77% <ø> (ø)
...tional/snowowl/core/branch/DeleteMergeRequest.java 0.00% <ø> (ø)
...rnational/snowowl/core/branch/GetMergeRequest.java 75.00% <ø> (ø)
... and 92 more

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 5900031...8a8f89d. Read the comment docs.

@apeteri
Copy link
Member

apeteri commented Aug 18, 2021

EclSerializerTest failed in a previous CI build (NullPointerException was thrown in a Promise instead of concepts being returned), but it does not seem to be related to authorization changes. The concept search request invoked has a User instance registered with permissions in its context.

@apeteri apeteri merged commit f548e3c into 8.x Aug 18, 2021
@apeteri apeteri deleted the feature/SO-4113-authorization-improvements branch August 18, 2021 08:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@apeteri apeteri apeteri approved these changes

Assignees

@cmark cmark

Labels
enhancement feature
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@cmark @codecov-commenter @apeteri