
Commit 5832d7b

authored
feat(api, ui): consumer access limit to some routes for scopes (#4960)
* feat(ui,api): extract scope details from router * wip(api): update data model for scopes * feat(ui,api): save consumer with scope details * test(api): fix usage of scopes * refactor: do not migrate signature for now * test(api): add tests for auth middleware on scopes * fix(migrate): do not insert null JSONB value * feat(api): add new signer for auth consumer
1 parent d13c40c commit 5832d7b


45 files changed

+1492
-233
lines changed

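--- a/cli/cdsctl/consumer.go
+++ b/cli/cdsctl/consumer.go
@@ -152,10 +152,10 @@ func authConsumerNewRun(v cli.Values) error {
 }
 
 res, err := client.AuthConsumerCreateForUser(username, sdk.AuthConsumer{
-Name: name,
-Description: description,
-GroupIDs: groupIDs,
-Scopes: scopes,
+Name: name,
+Description: description,
+GroupIDs: groupIDs,
+ScopeDetails: sdk.NewAuthConsumerScopeDetails(scopes...),
 })
 if err != nil {
 return err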

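--- a/cli/cdsctl/login.go
+++ b/cli/cdsctl/login.go
@@ -371,9 +371,9 @@ func createOrRegenConsumer(apiURL, username, sessionToken string) (string, strin
 // consumer not found, create it
 if signinToken == "" {
 resCreate, err := client.AuthConsumerCreateForUser(username, sdk.AuthConsumer{
-Name: consumerName,
-Description: "Consumer created with cdsctl login",
-Scopes: sdk.AuthConsumerScopes,
+Name: consumerName,
+Description: "Consumer created with cdsctl login",
+ScopeDetails: sdk.NewAuthConsumerScopeDetails(sdk.AuthConsumerScopes...),
 })
 if err != nil {
 return "", "", fmt.Errorf("cdsctl: failed to create consumer: %v", err)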
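Review bot: The cdsctl login consumer is still granted every scope, now written as `ScopeDetails: sdk.NewAuthConsumerScopeDetails(sdk.AuthConsumerScopes...)` on line 376. If that constructor yields details with no route restriction (its body is not in this diff), this consumer is effectively exempt from the per-route limits the commit introduces; that is plausibly intended for an interactive CLI session acting as the user, but it deserves a comment on the line, e.g. `// login consumer: every scope, no route restriction — it acts on the user's full behalf`. createOrRegenConsumer continues outside the hunk.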

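--- a/engine/api/api_routes.go
+++ b/engine/api/api_routes.go
@@ -10,6 +10,7 @@ import (
 
 type HandlerScope []sdk.AuthConsumerScope
 
+// Scope set for handler. If multiple scopes are given, one should match consumer scopes.
 func Scope(s ...sdk.AuthConsumerScope) HandlerScope {
 return HandlerScope(s)
 }
@@ -429,4 +430,6 @@ func (api *API) InitRouter() {
 
 //Not Found handler
 r.Mux.NotFoundHandler = http.HandlerFunc(NotFoundHandler)
+
+r.computeScopeDetails()
 }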
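Review bot: The new doc comment on `Scope` (line 13) does not begin with the function name, so godoc will not attach it in the conventional form; `// Scope returns the HandlerScope for a route: when several scopes are listed, a consumer needs to hold only one of them.` keeps the meaning and fixes the style. The `r.computeScopeDetails()` call appended at the end of InitRouter appears to depend on every route having been registered above it; a one-line comment such as `// must stay last: builds the scope catalogue from the handlers registered above` would record that ordering for the next person who adds a route below it. computeScopeDetails itself is outside this hunk, so its nil/empty behaviour cannot be checked here.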

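--- a/engine/api/application_deployment_test.go
+++ b/engine/api/application_deployment_test.go
@@ -302,7 +302,8 @@ func Test_postApplicationDeploymentStrategyConfigHandlerAsProvider(t *testing.T)
 localConsumer, err := authentication.LoadConsumerByTypeAndUserID(context.TODO(), api.mustDB(), sdk.ConsumerLocal, u.ID, authentication.LoadConsumerOptions.WithAuthentifiedUser)
 require.NoError(t, err)
 
-_, jws, err := builtin.NewConsumer(context.TODO(), api.mustDB(), sdk.RandomString(10), sdk.RandomString(10), localConsumer, u.GetGroupIDs(), Scope(sdk.AuthConsumerScopeProject))
+_, jws, err := builtin.NewConsumer(context.TODO(), api.mustDB(), sdk.RandomString(10), sdk.RandomString(10), localConsumer, u.GetGroupIDs(),
+sdk.NewAuthConsumerScopeDetails(sdk.AuthConsumerScopeProject))
 
 pkey := sdk.RandomString(10)
 proj := assets.InsertTestProject(t, api.mustDB(), api.Cache, pkey, pkey)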

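--- a/engine/api/application_test.go
+++ b/engine/api/application_test.go
@@ -31,7 +31,8 @@ func Test_postApplicationMetadataHandler_AsProvider(t *testing.T) {
 u, _ := assets.InsertAdminUser(t, api.mustDB())
 localConsumer, err := authentication.LoadConsumerByTypeAndUserID(context.TODO(), api.mustDB(), sdk.ConsumerLocal, u.ID, authentication.LoadConsumerOptions.WithAuthentifiedUser)
 require.NoError(t, err)
-_, jws, err := builtin.NewConsumer(context.TODO(), api.mustDB(), sdk.RandomString(10), sdk.RandomString(10), localConsumer, u.GetGroupIDs(), Scope(sdk.AuthConsumerScopeProject))
+_, jws, err := builtin.NewConsumer(context.TODO(), api.mustDB(), sdk.RandomString(10), sdk.RandomString(10), localConsumer, u.GetGroupIDs(),
+sdk.NewAuthConsumerScopeDetails(sdk.AuthConsumerScopeProject))
 
 pkey := sdk.RandomString(10)
 proj := assets.InsertTestProject(t, api.mustDB(), api.Cache, pkey, pkey)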

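--- a/engine/api/auth.go
+++ b/engine/api/auth.go
@@ -37,7 +37,7 @@ func (api *API) getAuthDriversHandler() service.Handler {
 
 func (api *API) getAuthScopesHandler() service.Handler {
 return func(ctx context.Context, w http.ResponseWriter, r *http.Request) error {
-return service.WriteJSON(w, sdk.AuthConsumerScopes, http.StatusOK)
+return service.WriteJSON(w, api.Router.scopeDetails, http.StatusOK)
 }
 }
 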
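Review bot: `getAuthScopesHandler` now serialises `api.Router.scopeDetails` (line 40) instead of the static `sdk.AuthConsumerScopes` list, so the response shape changes for existing clients and, if that structure carries the per-scope route list as its name suggests, the endpoint now publishes the API's route inventory grouped by scope. That is reasonable for the UI that consumes it, but the access level the route is registered with (outside this hunk) should be confirmed to match what the team wants exposed, and the field should be populated before the first request since an unset slice is written as `null`. A short comment on the handler, e.g. `// returns the router's scope catalogue (scopes and the routes each one unlocks) for the consumer UI`, would make the new contract explicit.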
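--- a/engine/api/auth_builtin_test.go
+++ b/engine/api/auth_builtin_test.go
@@ -53,7 +53,8 @@ func Test_postAuthBuiltinSigninHandler(t *testing.T) {
 localConsumer, err := authentication.LoadConsumerByTypeAndUserID(context.TODO(), api.mustDB(), sdk.ConsumerLocal, usr.ID, authentication.LoadConsumerOptions.WithAuthentifiedUser)
 require.NoError(t, err)
 
-_, jws, err := builtin.NewConsumer(context.TODO(), api.mustDB(), sdk.RandomString(10), sdk.RandomString(10), localConsumer, usr.GetGroupIDs(), Scope(sdk.AuthConsumerScopeProject))
+_, jws, err := builtin.NewConsumer(context.TODO(), api.mustDB(), sdk.RandomString(10), sdk.RandomString(10), localConsumer, usr.GetGroupIDs(),
+sdk.NewAuthConsumerScopeDetails(sdk.AuthConsumerScopeProject))
 require.NoError(t, err)
 AuthentififyBuiltinConsumer(t, api, jws)
 }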

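--- a/engine/api/auth_consumer.go
+++ b/engine/api/auth_consumer.go
@@ -68,13 +68,13 @@ func (api *API) postConsumerByUserHandler() service.Handler {
 if err := service.UnmarshalBody(r, &reqData); err != nil {
 return err
 }
-if err := reqData.IsValid(); err != nil {
+if err := reqData.IsValid(api.Router.scopeDetails); err != nil {
 return err
 }
 
 // Create the new built in consumer from request data
 newConsumer, token, err := builtin.NewConsumer(ctx, api.mustDB(), reqData.Name, reqData.Description,
-consumer, reqData.GroupIDs, reqData.Scopes)
+consumer, reqData.GroupIDs, reqData.ScopeDetails)
 if err != nil {
 return err
 }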
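Review bot: `reqData.IsValid(api.Router.scopeDetails)` on line 71 validates the requested scope details against the router's full catalogue, not against the scopes held by the creating `consumer`, and the user-supplied `reqData.ScopeDetails` is then passed straight into `builtin.NewConsumer` on line 77. Unless NewConsumer (outside this hunk) bounds the child's details by the parent consumer's own details, a consumer could mint a child whose scopes or allowed routes exceed its own; an explicit comparison of each requested entry against `consumer.ScopeDetails` right after the IsValid check would make that invariant visible at this layer. If that bounding already lives in NewConsumer, a comment here, e.g. `// NewConsumer rejects scope details not covered by the parent consumer`, would save the next reader the same question. The enclosing handler starts and ends outside the hunk.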

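--- a/engine/api/auth_consumer_test.go
+++ b/engine/api/auth_consumer_test.go
@@ -26,7 +26,8 @@ func Test_getConsumersByUserHandler(t *testing.T) {
 authentication.LoadConsumerOptions.WithAuthentifiedUser)
 require.NoError(t, err)
 
-consumer, _, err := builtin.NewConsumer(context.TODO(), db, sdk.RandomString(10), "", localConsumer, nil, []sdk.AuthConsumerScope{sdk.AuthConsumerScopeUser})
+consumer, _, err := builtin.NewConsumer(context.TODO(), db, sdk.RandomString(10), "", localConsumer, nil,
+sdk.NewAuthConsumerScopeDetails(sdk.AuthConsumerScopeUser))
 require.NoError(t, err)
 
 uri := api.Router.GetRoute(http.MethodGet, api.getConsumersByUserHandler, map[string]string{
@@ -70,10 +71,10 @@ func Test_postConsumerByUserHandler(t *testing.T) {
 _, jwtRawAdmin := assets.InsertAdminUser(t, db)
 
 data := sdk.AuthConsumer{
-Name: sdk.RandomString(10),
-GroupIDs: []int64{g.ID},
-Scopes: []sdk.AuthConsumerScope{sdk.AuthConsumerScopeAccessToken},
-IssuedAt: time.Now(),
+Name: sdk.RandomString(10),
+GroupIDs: []int64{g.ID},
+ScopeDetails: sdk.NewAuthConsumerScopeDetails(sdk.AuthConsumerScopeAccessToken),
+IssuedAt: time.Now(),
 }
 
 uri := api.Router.GetRoute(http.MethodPost, api.postConsumerByUserHandler, map[string]string{
@@ -100,8 +101,8 @@ func Test_postConsumerByUserHandler(t *testing.T) {
 assert.Equal(t, data.Name, created.Consumer.Name)
 require.Equal(t, 1, len(created.Consumer.GroupIDs))
 assert.Equal(t, g.ID, created.Consumer.GroupIDs[0])
-require.Equal(t, 1, len(created.Consumer.Scopes))
-assert.Equal(t, sdk.AuthConsumerScopeAccessToken, created.Consumer.Scopes[0])
+require.Equal(t, 1, len(created.Consumer.ScopeDetails))
+assert.Equal(t, sdk.AuthConsumerScopeAccessToken, created.Consumer.ScopeDetails[0].Scope)
 assert.Equal(t, localConsumer.ID, *created.Consumer.ParentID)
 }
 
@@ -114,7 +115,8 @@ func Test_deleteConsumerByUserHandler(t *testing.T) {
 localConsumer, err := authentication.LoadConsumerByTypeAndUserID(context.TODO(), db, sdk.ConsumerLocal, u.ID,
 authentication.LoadConsumerOptions.WithAuthentifiedUser)
 require.NoError(t, err)
-newConsumer, _, err := builtin.NewConsumer(context.TODO(), db, sdk.RandomString(10), "", localConsumer, nil, []sdk.AuthConsumerScope{sdk.AuthConsumerScopeAccessToken})
+newConsumer, _, err := builtin.NewConsumer(context.TODO(), db, sdk.RandomString(10), "", localConsumer, nil,
+sdk.NewAuthConsumerScopeDetails(sdk.AuthConsumerScopeAccessToken))
 require.NoError(t, err)
 cs, err := authentication.LoadConsumersByUserID(context.TODO(), db, u.ID)
 require.NoError(t, err)
@@ -154,7 +156,8 @@ func Test_postConsumerRegenByUserHandler(t *testing.T) {
 api.Router.Mux.ServeHTTP(rec, req)
 require.Equal(t, http.StatusForbidden, rec.Code)
 
-builtinConsumer, signinToken1, err := builtin.NewConsumer(context.TODO(), db, sdk.RandomString(10), "", localConsumer, nil, []sdk.AuthConsumerScope{sdk.AuthConsumerScopeUser, sdk.AuthConsumerScopeAccessToken})
+builtinConsumer, signinToken1, err := builtin.NewConsumer(context.TODO(), db, sdk.RandomString(10), "", localConsumer, nil,
+sdk.NewAuthConsumerScopeDetails(sdk.AuthConsumerScopeUser, sdk.AuthConsumerScopeAccessToken))
 require.NoError(t, err)
 session, err := authentication.NewSession(context.TODO(), db, builtinConsumer, 5*time.Minute, false)
 require.NoError(t, err, "cannot create session")
@@ -243,7 +246,8 @@ func Test_getSessionsByUserHandler(t *testing.T) {
 authentication.LoadConsumerOptions.WithAuthentifiedUser)
 require.NoError(t, err)
 
-consumer, _, err := builtin.NewConsumer(context.TODO(), db, sdk.RandomString(10), "", localConsumer, nil, []sdk.AuthConsumerScope{sdk.AuthConsumerScopeUser})
+consumer, _, err := builtin.NewConsumer(context.TODO(), db, sdk.RandomString(10), "", localConsumer, nil,
+sdk.NewAuthConsumerScopeDetails(sdk.AuthConsumerScopeUser))
 require.NoError(t, err)
 s2, err := authentication.NewSession(context.TODO(), db, consumer, time.Second, false)
 require.NoError(t, err)
@@ -276,7 +280,8 @@ func Test_deleteSessionByUserHandler(t *testing.T) {
 authentication.LoadConsumerOptions.WithAuthentifiedUser)
 require.NoError(t, err)
 
-consumer, _, err := builtin.NewConsumer(context.TODO(), db, sdk.RandomString(10), "", localConsumer, nil, []sdk.AuthConsumerScope{sdk.AuthConsumerScopeUser})
+consumer, _, err := builtin.NewConsumer(context.TODO(), db, sdk.RandomString(10), "", localConsumer, nil,
+sdk.NewAuthConsumerScopeDetails(sdk.AuthConsumerScopeUser))
 require.NoError(t, err)
 s2, err := authentication.NewSession(context.TODO(), db, consumer, time.Second, false)
 require.NoError(t, err)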
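Review bot: `Test_postConsumerByUserHandler` only checks `len(created.Consumer.ScopeDetails)` and `ScopeDetails[0].Scope` (new lines 104–105); nothing in this file exercises the validation the commit adds, where `IsValid` is handed the router's catalogue, nor whether a child consumer's details are bounded by the parent's. A negative case posting a scope or route that is not in the catalogue and asserting a client-error status, plus an assertion on the detail's route fields (not only `.Scope`), would pin the behaviour this commit introduces. The remaining hunks in this file are mechanical `NewAuthConsumerScopeDetails` migrations and need no further change.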

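--- a/engine/api/auth_local.go
+++ b/engine/api/auth_local.go
@@ -122,15 +122,15 @@ func initBuiltinConsumersFromStartupConfig(ctx context.Context, tx gorp.SqlExecu
 
 // Create the consumers provided by the startup configuration
 for _, cfg := range startupConfig.Consumers {
-var scopes sdk.AuthConsumerScopeSlice
+var scopes sdk.AuthConsumerScopeDetails
 
 switch cfg.ServiceType {
 case services.TypeHatchery:
-scopes = []sdk.AuthConsumerScope{sdk.AuthConsumerScopeService, sdk.AuthConsumerScopeHatchery, sdk.AuthConsumerScopeRunExecution, sdk.AuthConsumerScopeWorkerModel}
+scopes = sdk.NewAuthConsumerScopeDetails(sdk.AuthConsumerScopeService, sdk.AuthConsumerScopeHatchery, sdk.AuthConsumerScopeRunExecution, sdk.AuthConsumerScopeWorkerModel)
 case services.TypeHooks:
-scopes = []sdk.AuthConsumerScope{sdk.AuthConsumerScopeService, sdk.AuthConsumerScopeHooks, sdk.AuthConsumerScopeProject, sdk.AuthConsumerScopeRun}
+scopes = sdk.NewAuthConsumerScopeDetails(sdk.AuthConsumerScopeService, sdk.AuthConsumerScopeHooks, sdk.AuthConsumerScopeProject, sdk.AuthConsumerScopeRun)
 default:
-scopes = []sdk.AuthConsumerScope{sdk.AuthConsumerScopeService}
+scopes = sdk.NewAuthConsumerScopeDetails(sdk.AuthConsumerScopeService)
 }
 
 var c = sdk.AuthConsumer{
@@ -142,7 +142,7 @@ func initBuiltinConsumersFromStartupConfig(ctx context.Context, tx gorp.SqlExecu
 Type: sdk.ConsumerBuiltin,
 Data: map[string]string{},
 GroupIDs: []int64{group.SharedInfraGroup.ID},
-Scopes: scopes,
+ScopeDetails: scopes,
 IssuedAt: time.Unix(startupConfig.IAT, 0),
 }
 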
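Review bot: Each of the three `case` arms (new lines 129–133) wraps its literal scope list in `sdk.NewAuthConsumerScopeDetails`, so the conversion is repeated once per service type; keeping a `[]sdk.AuthConsumerScope` in the switch and calling the constructor once after it leaves a single conversion point and makes a future change to the constructor's defaults a one-line edit. Whether these startup service consumers are meant to have no route restriction (the constructor's defaults are not visible in this diff) is worth recording in the loop, e.g. `// service consumers: scope set fixed by service type, route restrictions left at constructor defaults`. initBuiltinConsumersFromStartupConfig starts and ends outside the hunks.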