-
Notifications
You must be signed in to change notification settings - Fork 663
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
MG-1955 - Bootstrap service is not synced to the latest changes of access control #2199
base: main
Are you sure you want to change the base?
Conversation
955c48b
to
36871a7
Compare
a419da6
to
1fbba5b
Compare
1c41e02
to
d51ce36
Compare
26959ac
to
2080e0a
Compare
c43e6eb
to
87c7b95
Compare
bootstrap/service.go
Outdated
for _, channel := range cfg.Channels { | ||
if channel.ID == "" || channel.ID == "invalid" { | ||
return Config{}, svcerr.ErrMalformedEntity | ||
} | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This can be moved to API layer
bootstrap/service.go
Outdated
return Config{}, errors.Wrap(svcerr.ErrViewEntity, err) | ||
} | ||
|
||
if thing.DomainID != user.GetDomainId() { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How this case will be possible?
Is there way to add to a thing which is not belongs same domain of user?
bootstrap/service.go
Outdated
if err != nil { | ||
return errors.Wrap(svcerr.ErrAuthentication, err) | ||
} | ||
_, err = bs.authorize(ctx, "", auth.UserType, auth.UsersKind, user.GetId(), auth.EditPermission, auth.DomainType, user.GetDomainId()) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@JeffMboya Why we are checking the user have edit access to Domain ?
cf44a0a
to
7fb4b09
Compare
e691dd7
to
b4fc010
Compare
bootstrap/service.go
Outdated
if err != nil { | ||
return errors.Wrap(svcerr.ErrAuthentication, err) | ||
} | ||
|
||
cfg.Owner = owner | ||
cfg.DomainID = user.GetDomainId() | ||
_, err = bs.authorize(ctx, "", auth.TokenKind, token, auth.EditPermission, auth.DomainType, cfg.DomainID) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since we have userID
from identify we can user usersKind
and userID
bootstrap/service.go
Outdated
return bs.configs.RetrieveAll(ctx, user.GetDomainId(), "", filter, offset, limit), nil | ||
} | ||
|
||
// Check user is admin of domain, if yes then show listing on domain context. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Remove comment
bootstrap/service.go
Outdated
return bs.configs.RetrieveAll(ctx, user.GetDomainId(), "", filter, offset, limit), nil | ||
} | ||
|
||
rtids, err := bs.listClientIDs(ctx, user.GetId(), auth.ViewPermission) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
rtids, err := bs.listClientIDs(ctx, user.GetId(), auth.ViewPermission) | |
rtids, err := bs.listClientIDs(ctx, user.GetId()) |
Since we are using it at one place
bootstrap/service.go
Outdated
return ConfigsPage{}, errors.Wrap(svcerr.ErrNotFound, err) | ||
} | ||
|
||
thingIDs, err := bs.filterAllowedThingIDs(ctx, user.GetId(), auth.ViewPermission, rtids) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
same
Signed-off-by: JeffMboya <[email protected]> Add domain access control Signed-off-by: JeffMboya <[email protected]> Add domain access control Signed-off-by: JeffMboya <[email protected]> Add domain access control Signed-off-by: JeffMboya <[email protected]> Add domain access control Signed-off-by: JeffMboya <[email protected]> Add domain access control Signed-off-by: JeffMboya <[email protected]> Add authorization to identify method Signed-off-by: JeffMboya <[email protected]> Add authorize method Signed-off-by: JeffMboya <[email protected]> Add authorize method Signed-off-by: JeffMboya <[email protected]> Add authorize method Signed-off-by: JeffMboya <[email protected]> Add policies Signed-off-by: JeffMboya <[email protected]> Remove policies Signed-off-by: JeffMboya <[email protected]> Add domain level authorization Signed-off-by: JeffMboya <[email protected]> Add domain level authorization Signed-off-by: JeffMboya <[email protected]> Add domain level authorization Signed-off-by: JeffMboya <[email protected]> Add domain level authorization Signed-off-by: JeffMboya <[email protected]> Add domain level authorization Signed-off-by: JeffMboya <[email protected]> Add domain level authorization Signed-off-by: JeffMboya <[email protected]> Add domain level authorization Signed-off-by: JeffMboya <[email protected]> Add domain level authorization Signed-off-by: JeffMboya <[email protected]> Add domain level authorization Signed-off-by: JeffMboya <[email protected]> Add domain level authorization Signed-off-by: JeffMboya <[email protected]> Add domain level authorization Signed-off-by: JeffMboya <[email protected]> Add domain level authorization Signed-off-by: JeffMboya <[email protected]> Add domain level authorization Signed-off-by: JeffMboya <[email protected]> Add domain level authorization Signed-off-by: JeffMboya <[email protected]> Add domain level authorization Signed-off-by: JeffMboya <[email protected]> Add domain level authorization Signed-off-by: JeffMboya <[email protected]> Add domain level authorization Signed-off-by: JeffMboya <[email protected]> Add domain level authorization Signed-off-by: JeffMboya <[email protected]> Add domain level authorization Signed-off-by: JeffMboya <[email protected]> Add domain level authorization Signed-off-by: JeffMboya <[email protected]> Add domain level authorization Signed-off-by: JeffMboya <[email protected]> Add domain level authorization Signed-off-by: JeffMboya <[email protected]> Add domain level authorization Signed-off-by: JeffMboya <[email protected]> Add domain level authorization Signed-off-by: JeffMboya <[email protected]> Add domain level authorization Signed-off-by: JeffMboya <[email protected]> Add domain level authorization Signed-off-by: JeffMboya <[email protected]> Add domain level authorization Signed-off-by: JeffMboya <[email protected]> Add domain level authorization Signed-off-by: JeffMboya <[email protected]> Add domain level authorization Signed-off-by: JeffMboya <[email protected]> Add domain level authorization Signed-off-by: JeffMboya <[email protected]> Add domain level authorization Signed-off-by: JeffMboya <[email protected]> Add domain level authorizaton Signed-off-by: JeffMboya <[email protected]> Fix: add error return value to identify function Signed-off-by: JeffMboya <[email protected]> Fix: add error return value to identify function Signed-off-by: JeffMboya <[email protected]> Refactor: replace domain_id with domainID Signed-off-by: JeffMboya <[email protected]> Refactor: replace domain_id with domainID Signed-off-by: JeffMboya <[email protected]> Refactor: replace domain_id with domainID Signed-off-by: JeffMboya <[email protected]> Refactor: replace 'Owner' with 'DomainID' Signed-off-by: JeffMboya <[email protected]> Refactor: replace 'Owner' with 'DomainID' Signed-off-by: JeffMboya <[email protected]> Fix (configs.go): remove unused context Signed-off-by: JeffMboya <[email protected]> Feature: add configs with same name in different domains Signed-off-by: JeffMboya <[email protected]> Feature: add configs with same name in different domains Signed-off-by: JeffMboya <[email protected]> Fix: failing test dues to renaming Signed-off-by: JeffMboya <[email protected]> Refactor: rename domainid to domain_id Signed-off-by: JeffMboya <[email protected]> fix: handle malformed channel in addEndpoint Signed-off-by: JeffMboya <[email protected]> refactor: update authorization method parameters Signed-off-by: JeffMboya <[email protected]> refactor: remove unnecessary authorization checks Signed-off-by: JeffMboya <[email protected]> refactor: remove unnecessary authorization checks Signed-off-by: JeffMboya <[email protected]> refactor: remove unnecessary authorization checks Signed-off-by: JeffMboya <[email protected]> refactor: remove unnecessary authorization checks Signed-off-by: JeffMboya <[email protected]> refactor: remove unnecessary authorization checks Signed-off-by: JeffMboya <[email protected]> refactor: remove unnecessary authorization checks Signed-off-by: JeffMboya <[email protected]> refactor: remove unnecessary authorization checks Signed-off-by: JeffMboya <[email protected]> refactor: remove unnecessary authorization checks Signed-off-by: JeffMboya <[email protected]> refactor: remove unnecessary authorization checks Signed-off-by: JeffMboya <[email protected]> Fix: failing tests Signed-off-by: JeffMboya <[email protected]> Fix: failing tests Signed-off-by: JeffMboya <[email protected]> Fix: failing tests Signed-off-by: JeffMboya <[email protected]> refactor: add testsutil package for generating UUIDs in tests Signed-off-by: JeffMboya <[email protected]> refactor: add empty channel tests Signed-off-by: JeffMboya <[email protected]> refactor: add valid request Signed-off-by: JeffMboya <[email protected]> refactor: remove comment Signed-off-by: JeffMboya <[email protected]>
Signed-off-by: JeffMboya <[email protected]> refactor: add authorization to view method Signed-off-by: JeffMboya <[email protected]>
Signed-off-by: JeffMboya <[email protected]>
Signed-off-by: JeffMboya <[email protected]> refactor: add authorization checks to UpdateCert, UpdateConnections, and Remove methods Signed-off-by: JeffMboya <[email protected]> refactor: add authorization checks to UpdateCert, UpdateConnections, and Remove methods Signed-off-by: JeffMboya <[email protected]> refactor: add authorization checks to UpdateCert, UpdateConnections, and Remove methods Signed-off-by: JeffMboya <[email protected]> refactor: add authorization checks to UpdateCert, UpdateConnections, and Remove methods Signed-off-by: JeffMboya <[email protected]> refactor: add authorization checks to UpdateCert, UpdateConnections, and Remove methods Signed-off-by: JeffMboya <[email protected]> refactor: add authorization checks to UpdateCert, UpdateConnections, and Remove methods Signed-off-by: JeffMboya <[email protected]> refactor: add authorization checks to UpdateCert, UpdateConnections, and Remove methods Signed-off-by: JeffMboya <[email protected]> refactor: add authorization checks to UpdateCert, UpdateConnections, and Remove methods Signed-off-by: JeffMboya <[email protected]> refactor: add authorization checks to UpdateCert, UpdateConnections, and Remove methods Signed-off-by: JeffMboya <[email protected]> refactor: add authorization checks to UpdateCert, UpdateConnections, and Remove methods Signed-off-by: JeffMboya <[email protected]> refactor: add authorization checks to UpdateCert, and UpdateConnections methods Signed-off-by: JeffMboya <[email protected]>
Signed-off-by: JeffMboya <[email protected]>
Signed-off-by: JeffMboya <[email protected]>
Signed-off-by: JeffMboya <[email protected]>
Signed-off-by: JeffMboya <[email protected]>
… and Remove methods Signed-off-by: JeffMboya <[email protected]>
… and Remove methods Signed-off-by: JeffMboya <[email protected]>
…meter Signed-off-by: JeffMboya <[email protected]>
Signed-off-by: JeffMboya <[email protected]>
…meter Signed-off-by: JeffMboya <[email protected]>
…meter Signed-off-by: JeffMboya <[email protected]>
…meter Signed-off-by: JeffMboya <[email protected]>
…meter Signed-off-by: JeffMboya <[email protected]>
Signed-off-by: JeffMboya <[email protected]>
…rameter Signed-off-by: JeffMboya <[email protected]>
…rameter Signed-off-by: JeffMboya <[email protected]>
|
||
if domainID != "" { | ||
params = append(params, domainID) | ||
queries = append(queries, fmt.Sprintf("domain_id = $%d", len(params))) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why not?
queries = append(queries, fmt.Sprintf("domain_id = $%d", len(params))) | |
queries = append(queries, fmt.Sprintf("domain_id = %s", domainID)) |
if err != nil { | ||
return Config{}, errors.Wrap(svcerr.ErrAuthentication, err) | ||
} | ||
// If domain is disabled , then this authorization will fail for all non-admin domain users. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Remove this comment
return bs.configs.RetrieveAll(ctx, user.GetDomainId(), []string{}, filter, offset, limit), nil | ||
} | ||
|
||
_, authErr := bs.authorize(ctx, "", auth.UsersKind, user.GetId(), auth.AdminPermission, auth.DomainType, user.GetDomainId()) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
_, authErr := bs.authorize(ctx, "", auth.UsersKind, user.GetId(), auth.AdminPermission, auth.DomainType, user.GetDomainId()) | |
if _, err := bs.authorize(ctx, "", auth.UsersKind, user.GetId(), auth.AdminPermission, auth.DomainType, user.GetDomainId()); err != nil { |
ctx, cancel := context.WithTimeout(ctx, time.Second) | ||
defer cancel() | ||
|
||
res, err := bs.auth.Identify(ctx, &magistrala.IdentityReq{Token: token}) | ||
if err != nil { | ||
return "", errors.Wrap(svcerr.ErrAuthentication, err) | ||
return nil, svcerr.ErrAuthentication |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
wrap the error
return nil, svcerr.ErrAuthentication | |
return nil, errors.Wrap(svcerr.ErrAuthentication, err) |
} | ||
res, err := bs.auth.Authorize(ctx, req) | ||
if err != nil { | ||
return "", svcerr.ErrAuthorization |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
same
return "", svcerr.ErrAuthorization | |
return "", errors.Wrap(svcerr.ErrAuthorization, err) |
What type of PR is this?
This PR is a bug fix.
What does this do?
This PR ensures that users can only view bootstrap configurations of the things within their current domain. It also allows domain members with appropriate permissions to view configurations for things within the domain, regardless of who created the configuration.
Which issue(s) does this PR fix/relate to?
Have you included tests for your changes?
Yes, tests have been included in this PR.
Did you document any new/modified feature?
No new features were documented in this PR.