MG-1955 - Bootstrap service is not synced to the latest changes of access control #2199
+1,637
−968
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
JeffMboya
changed the title
JeffMboya
force-pushed
the
MG-1955
branch
2 times, most recently
from
955c48b
to
36871a7
Compare
rodneyosodo
requested changes
Apr 30, 2024
JeffMboya
force-pushed
the
MG-1955
branch
3 times, most recently
from
a419da6
to
1fbba5b
Compare
JeffMboya
force-pushed
the
MG-1955
branch
2 times, most recently
from
1c41e02
to
d51ce36
Compare
rodneyosodo
requested changes
May 8, 2024
JeffMboya
force-pushed
the
MG-1955
branch
5 times, most recently
from
26959ac
to
2080e0a
Compare
JeffMboya
force-pushed
the
MG-1955
branch
2 times, most recently
from
c43e6eb
to
87c7b95
Compare
arvindh123
requested changes
May 20, 2024
bootstrap/service.go
Outdated
Comment on lines
141
to
145
| for _, channel := range cfg.Channels { | ||
| if channel.ID == "" || channel.ID == "invalid" { | ||
| return Config{}, svcerr.ErrMalformedEntity | ||
| } | ||
| } |
There was a problem hiding this comment.
This can be moved to API layer
bootstrap/service.go
Outdated
| return Config{}, errors.Wrap(svcerr.ErrViewEntity, err) | ||
| } | ||
|
|
||
| if thing.DomainID != user.GetDomainId() { |
There was a problem hiding this comment.
How this case will be possible?
Is there way to add to a thing which is not belongs same domain of user?
bootstrap/service.go
Outdated
| if err != nil { | ||
| return errors.Wrap(svcerr.ErrAuthentication, err) | ||
| } | ||
| _, err = bs.authorize(ctx, "", auth.UserType, auth.UsersKind, user.GetId(), auth.EditPermission, auth.DomainType, user.GetDomainId()) |
There was a problem hiding this comment.
@JeffMboya Why we are checking the user have edit access to Domain ?
rodneyosodo
requested changes
May 21, 2024
JeffMboya
force-pushed
the
MG-1955
branch
3 times, most recently
from
cf44a0a
to
7fb4b09
Compare
rodneyosodo
requested changes
May 23, 2024
JeffMboya
force-pushed
the
MG-1955
branch
5 times, most recently
from
e691dd7
to
b4fc010
Compare
rodneyosodo
requested changes
May 27, 2024
bootstrap/service.go
Outdated
| if err != nil { | ||
| return errors.Wrap(svcerr.ErrAuthentication, err) | ||
| } | ||
|
|
||
| cfg.Owner = owner | ||
| cfg.DomainID = user.GetDomainId() | ||
| _, err = bs.authorize(ctx, "", auth.TokenKind, token, auth.EditPermission, auth.DomainType, cfg.DomainID) |
There was a problem hiding this comment.
Since we have userID from identify we can user usersKind and userID
rodneyosodo
requested changes
May 28, 2024
arvindh123
requested changes
May 29, 2024
rodneyosodo
requested changes
Jun 5, 2024
bootstrap/service.go
Outdated
| return bs.configs.RetrieveAll(ctx, user.GetDomainId(), "", filter, offset, limit), nil | ||
| } | ||
|
|
||
| // Check user is admin of domain, if yes then show listing on domain context. |
bootstrap/service.go
Outdated
| return bs.configs.RetrieveAll(ctx, user.GetDomainId(), "", filter, offset, limit), nil | ||
| } | ||
|
|
||
| rtids, err := bs.listClientIDs(ctx, user.GetId(), auth.ViewPermission) |
There was a problem hiding this comment.
Suggested change
| rtids, err := bs.listClientIDs(ctx, user.GetId(), auth.ViewPermission) | |
| rtids, err := bs.listClientIDs(ctx, user.GetId()) |
Since we are using it at one place
bootstrap/service.go
Outdated
| return ConfigsPage{}, errors.Wrap(svcerr.ErrNotFound, err) | ||
| } | ||
|
|
||
| thingIDs, err := bs.filterAllowedThingIDs(ctx, user.GetId(), auth.ViewPermission, rtids) |
Signed-off-by: JeffMboya <[email protected]> Add domain access control Signed-off-by: JeffMboya <[email protected]> Add domain access control Signed-off-by: JeffMboya <[email protected]> Add domain access control Signed-off-by: JeffMboya <[email protected]> Add domain access control Signed-off-by: JeffMboya <[email protected]> Add domain access control Signed-off-by: JeffMboya <[email protected]> Add authorization to identify method Signed-off-by: JeffMboya <[email protected]> Add authorize method Signed-off-by: JeffMboya <[email protected]> Add authorize method Signed-off-by: JeffMboya <[email protected]> Add authorize method Signed-off-by: JeffMboya <[email protected]> Add policies Signed-off-by: JeffMboya <[email protected]> Remove policies Signed-off-by: JeffMboya <[email protected]> Add domain level authorization Signed-off-by: JeffMboya <[email protected]> Add domain level authorization Signed-off-by: JeffMboya <[email protected]> Add domain level authorization Signed-off-by: JeffMboya <[email protected]> Add domain level authorization Signed-off-by: JeffMboya <[email protected]> Add domain level authorization Signed-off-by: JeffMboya <[email protected]> Add domain level authorization Signed-off-by: JeffMboya <[email protected]> Add domain level authorization Signed-off-by: JeffMboya <[email protected]> Add domain level authorization Signed-off-by: JeffMboya <[email protected]> Add domain level authorization Signed-off-by: JeffMboya <[email protected]> Add domain level authorization Signed-off-by: JeffMboya <[email protected]> Add domain level authorization Signed-off-by: JeffMboya <[email protected]> Add domain level authorization Signed-off-by: JeffMboya <[email protected]> Add domain level authorization Signed-off-by: JeffMboya <[email protected]> Add domain level authorization Signed-off-by: JeffMboya <[email protected]> Add domain level authorization Signed-off-by: JeffMboya <[email protected]> Add domain level authorization Signed-off-by: JeffMboya <[email protected]> Add domain level authorization Signed-off-by: JeffMboya <[email protected]> Add domain level authorization Signed-off-by: JeffMboya <[email protected]> Add domain level authorization Signed-off-by: JeffMboya <[email protected]> Add domain level authorization Signed-off-by: JeffMboya <[email protected]> Add domain level authorization Signed-off-by: JeffMboya <[email protected]> Add domain level authorization Signed-off-by: JeffMboya <[email protected]> Add domain level authorization Signed-off-by: JeffMboya <[email protected]> Add domain level authorization Signed-off-by: JeffMboya <[email protected]> Add domain level authorization Signed-off-by: JeffMboya <[email protected]> Add domain level authorization Signed-off-by: JeffMboya <[email protected]> Add domain level authorization Signed-off-by: JeffMboya <[email protected]> Add domain level authorization Signed-off-by: JeffMboya <[email protected]> Add domain level authorization Signed-off-by: JeffMboya <[email protected]> Add domain level authorization Signed-off-by: JeffMboya <[email protected]> Add domain level authorization Signed-off-by: JeffMboya <[email protected]> Add domain level authorizaton Signed-off-by: JeffMboya <[email protected]> Fix: add error return value to identify function Signed-off-by: JeffMboya <[email protected]> Fix: add error return value to identify function Signed-off-by: JeffMboya <[email protected]> Refactor: replace domain_id with domainID Signed-off-by: JeffMboya <[email protected]> Refactor: replace domain_id with domainID Signed-off-by: JeffMboya <[email protected]> Refactor: replace domain_id with domainID Signed-off-by: JeffMboya <[email protected]> Refactor: replace 'Owner' with 'DomainID' Signed-off-by: JeffMboya <[email protected]> Refactor: replace 'Owner' with 'DomainID' Signed-off-by: JeffMboya <[email protected]> Fix (configs.go): remove unused context Signed-off-by: JeffMboya <[email protected]> Feature: add configs with same name in different domains Signed-off-by: JeffMboya <[email protected]> Feature: add configs with same name in different domains Signed-off-by: JeffMboya <[email protected]> Fix: failing test dues to renaming Signed-off-by: JeffMboya <[email protected]> Refactor: rename domainid to domain_id Signed-off-by: JeffMboya <[email protected]> fix: handle malformed channel in addEndpoint Signed-off-by: JeffMboya <[email protected]> refactor: update authorization method parameters Signed-off-by: JeffMboya <[email protected]> refactor: remove unnecessary authorization checks Signed-off-by: JeffMboya <[email protected]> refactor: remove unnecessary authorization checks Signed-off-by: JeffMboya <[email protected]> refactor: remove unnecessary authorization checks Signed-off-by: JeffMboya <[email protected]> refactor: remove unnecessary authorization checks Signed-off-by: JeffMboya <[email protected]> refactor: remove unnecessary authorization checks Signed-off-by: JeffMboya <[email protected]> refactor: remove unnecessary authorization checks Signed-off-by: JeffMboya <[email protected]> refactor: remove unnecessary authorization checks Signed-off-by: JeffMboya <[email protected]> refactor: remove unnecessary authorization checks Signed-off-by: JeffMboya <[email protected]> refactor: remove unnecessary authorization checks Signed-off-by: JeffMboya <[email protected]> Fix: failing tests Signed-off-by: JeffMboya <[email protected]> Fix: failing tests Signed-off-by: JeffMboya <[email protected]> Fix: failing tests Signed-off-by: JeffMboya <[email protected]> refactor: add testsutil package for generating UUIDs in tests Signed-off-by: JeffMboya <[email protected]> refactor: add empty channel tests Signed-off-by: JeffMboya <[email protected]> refactor: add valid request Signed-off-by: JeffMboya <[email protected]> refactor: remove comment Signed-off-by: JeffMboya <[email protected]>
Signed-off-by: JeffMboya <[email protected]> refactor: add authorization to view method Signed-off-by: JeffMboya <[email protected]>
Signed-off-by: JeffMboya <[email protected]>
Signed-off-by: JeffMboya <[email protected]> refactor: add authorization checks to UpdateCert, UpdateConnections, and Remove methods Signed-off-by: JeffMboya <[email protected]> refactor: add authorization checks to UpdateCert, UpdateConnections, and Remove methods Signed-off-by: JeffMboya <[email protected]> refactor: add authorization checks to UpdateCert, UpdateConnections, and Remove methods Signed-off-by: JeffMboya <[email protected]> refactor: add authorization checks to UpdateCert, UpdateConnections, and Remove methods Signed-off-by: JeffMboya <[email protected]> refactor: add authorization checks to UpdateCert, UpdateConnections, and Remove methods Signed-off-by: JeffMboya <[email protected]> refactor: add authorization checks to UpdateCert, UpdateConnections, and Remove methods Signed-off-by: JeffMboya <[email protected]> refactor: add authorization checks to UpdateCert, UpdateConnections, and Remove methods Signed-off-by: JeffMboya <[email protected]> refactor: add authorization checks to UpdateCert, UpdateConnections, and Remove methods Signed-off-by: JeffMboya <[email protected]> refactor: add authorization checks to UpdateCert, UpdateConnections, and Remove methods Signed-off-by: JeffMboya <[email protected]> refactor: add authorization checks to UpdateCert, UpdateConnections, and Remove methods Signed-off-by: JeffMboya <[email protected]> refactor: add authorization checks to UpdateCert, and UpdateConnections methods Signed-off-by: JeffMboya <[email protected]>
Signed-off-by: JeffMboya <[email protected]>
Signed-off-by: JeffMboya <[email protected]>
Signed-off-by: JeffMboya <[email protected]>
Signed-off-by: JeffMboya <[email protected]>
… and Remove methods Signed-off-by: JeffMboya <[email protected]>
… and Remove methods Signed-off-by: JeffMboya <[email protected]>
…meter Signed-off-by: JeffMboya <[email protected]>
Signed-off-by: JeffMboya <[email protected]>
…meter Signed-off-by: JeffMboya <[email protected]>
…meter Signed-off-by: JeffMboya <[email protected]>
…meter Signed-off-by: JeffMboya <[email protected]>
…meter Signed-off-by: JeffMboya <[email protected]>
Signed-off-by: JeffMboya <[email protected]>
…rameter Signed-off-by: JeffMboya <[email protected]>
…rameter Signed-off-by: JeffMboya <[email protected]>
rodneyosodo
requested changes
Jun 6, 2024
|
|
||
| if domainID != "" { | ||
| params = append(params, domainID) | ||
| queries = append(queries, fmt.Sprintf("domain_id = $%d", len(params))) |
There was a problem hiding this comment.
Why not?
Suggested change
| queries = append(queries, fmt.Sprintf("domain_id = $%d", len(params))) | |
| queries = append(queries, fmt.Sprintf("domain_id = %s", domainID)) |
| if err != nil { | ||
| return Config{}, errors.Wrap(svcerr.ErrAuthentication, err) | ||
| } | ||
| // If domain is disabled , then this authorization will fail for all non-admin domain users. |
| return bs.configs.RetrieveAll(ctx, user.GetDomainId(), []string{}, filter, offset, limit), nil | ||
| } | ||
|
|
||
| _, authErr := bs.authorize(ctx, "", auth.UsersKind, user.GetId(), auth.AdminPermission, auth.DomainType, user.GetDomainId()) |
There was a problem hiding this comment.
Suggested change
| _, authErr := bs.authorize(ctx, "", auth.UsersKind, user.GetId(), auth.AdminPermission, auth.DomainType, user.GetDomainId()) | |
| if _, err := bs.authorize(ctx, "", auth.UsersKind, user.GetId(), auth.AdminPermission, auth.DomainType, user.GetDomainId()); err != nil { |
| ctx, cancel := context.WithTimeout(ctx, time.Second) | ||
| defer cancel() | ||
|
|
||
| res, err := bs.auth.Identify(ctx, &magistrala.IdentityReq{Token: token}) | ||
| if err != nil { | ||
| return "", errors.Wrap(svcerr.ErrAuthentication, err) | ||
| return nil, svcerr.ErrAuthentication |
There was a problem hiding this comment.
wrap the error
Suggested change
| return nil, svcerr.ErrAuthentication | |
| return nil, errors.Wrap(svcerr.ErrAuthentication, err) |
| } | ||
| res, err := bs.auth.Authorize(ctx, req) | ||
| if err != nil { | ||
| return "", svcerr.ErrAuthorization |
There was a problem hiding this comment.
same
Suggested change
| return "", svcerr.ErrAuthorization | |
| return "", errors.Wrap(svcerr.ErrAuthorization, err) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What type of PR is this?
This PR is a bug fix.
What does this do?
This PR ensures that users can only view bootstrap configurations of the things within their current domain. It also allows domain members with appropriate permissions to view configurations for things within the domain, regardless of who created the configuration.
Which issue(s) does this PR fix/relate to?
Have you included tests for your changes?
Yes, tests have been included in this PR.
Did you document any new/modified feature?
No new features were documented in this PR.