8224 report required permissions when authorization fails #8314
Conversation
ItamarYuran
added
the
exclude-changelog
E2E Test Results - Quickstart |
E2E Test Results - DynamoDB Local - Local Block Adapter |
pkg/auth/service.go
Outdated
| deniedStr := "denied from:\n" | ||
| for _, statement := range n.Denied { | ||
| deniedStr += strings.Join(statement.Action, "\n") | ||
| } | ||
| return deniedStr |
There was a problem hiding this comment.
- Not sure how this code can successfully format deniedStr if
len(n.Denied) > 0. There will be no newline after the last row of the Action list on each statement. - It will probably be easier to use strings.Builder. This is actually an io.Writer, so you can just write to it using the normal operations. Here's a playground.
pkg/auth/service.go
Outdated
| allowed := CheckNeutral | ||
| hasPermission := false |
There was a problem hiding this comment.
This var is used only in case permissions.NoteTypeNode. So please keep it in scope there: you could just put that entire case inside curly brackets, and that var in there. Or extract it to another func, or even go full OO and make each of these a method. Right now the code confuses me about what might happen with this variable in other cases.
pkg/auth/service.go
Outdated
| @@ -1165,23 +1189,28 @@ func CheckPermissions(ctx context.Context, node permissions.Node, username strin | |||
|
|
|||
| if stmt.Effect == model.StatementEffectDeny { | |||
| // this is a "Deny" and it takes precedence | |||
| return CheckDeny | |||
| perm.Denied = append(perm.Denied, stmt) | |||
There was a problem hiding this comment.
This is confusing: I take perm as an input, now I modify it and return it. So I've changed my input, but also returned it as an output.
I think either make perm into an object, pass it by pointer, and keep state on it, or explicitly handle the lists.
There was a problem hiding this comment.
Was thinking the same, agree with @arielshaqed 100%
|
The current code returns:
|
There was a problem hiding this comment.
Thanks!
Final stretch: the actual message. The current message is too detailed and as a result needs too many lines. Let's start by playing safely and never report anything other than action names. Reporting an entire statement gives a wealth of information that might not visible to the user - such as permissions of other users.
| @@ -234,7 +235,7 @@ func TestCreateRepo_Unauthorized(t *testing.T) { | |||
| }) | |||
| require.NoError(t, err) | |||
| require.NotNil(t, resp.JSON401) | |||
| if resp.JSON401.Message != auth.ErrInsufficientPermissions.Error() { | |||
| if !strings.Contains(resp.JSON401.Message, auth.ErrInsufficientPermissions.Error()) { | |||
There was a problem hiding this comment.
Can we test here (and below) that we got an expected value? Obviously doing so makes sense only after we finalize the message contents. So it is fine to open an issue to improve these checks in this test file.
pkg/api/controller_test.go
Outdated
| }, | ||
| }, | ||
| username: "user1", | ||
| expected: "lacking permissions for:\nfs:CreateRepository", |
There was a problem hiding this comment.
I would expect it to report both missing permissions. Reporting only one is fine, but then the message is surprising - it says "permissions" when it only ever means a single permissions.
pkg/auth/service.go
Outdated
|
|
||
| if allowed != CheckAllow { | ||
| return &AuthorizationResponse{ | ||
| Allowed: false, | ||
| Error: ErrInsufficientPermissions, | ||
| Error: fmt.Errorf("%w\n%s", ErrInsufficientPermissions, perm.String()), |
There was a problem hiding this comment.
Looking at the results in the tests, I prefer without the newline, error messages are rarely >1 line.
| Error: fmt.Errorf("%w\n%s", ErrInsufficientPermissions, perm.String()), | |
| Error: fmt.Errorf("%w: %s", ErrInsufficientPermissions, perm.String()), |
pkg/auth/service.go
Outdated
| fmt.Fprintln(w, action) | ||
| } | ||
| } | ||
| return strings.TrimSpace(w.String()) |
There was a problem hiding this comment.
It is quite rare to need to TrimSpace on a string you created.
pkg/auth/service.go
Outdated
| fmt.Fprintln(w, "denied from:") | ||
| for _, statement := range n.Denied { | ||
| for _, action := range statement.Action { | ||
| fmt.Fprintln(w, action) | ||
| } | ||
| } | ||
| return strings.TrimSpace(w.String()) |
There was a problem hiding this comment.
I think you don't even need a strings.Builder here:
| fmt.Fprintln(w, "denied from:") | |
| for _, statement := range n.Denied { | |
| for _, action := range statement.Action { | |
| fmt.Fprintln(w, action) | |
| } | |
| } | |
| return strings.TrimSpace(w.String()) | |
| return fmt.Sprintf("denied permission to %s", strings.Join(n.Denied, ", ")) |
The same of course in the next section.
pkg/auth/service.go
Outdated
| } | ||
| return strings.TrimSpace(w.String()) | ||
| } | ||
| return strings.TrimSpace(w.String()) |
There was a problem hiding this comment.
This returns "". If that is not helpful, please return some constant string like "not allowed".
pkg/auth/service.go
Outdated
| Denied []model.Statement | ||
| Unauthorized []permissions.Node |
There was a problem hiding this comment.
These are a bit too informative IMO. Let's just keep the action name here? Otherwise I learn details of the policy including denied paths that I might not have known existed!
| Denied []model.Statement | |
| Unauthorized []permissions.Node | |
| // Denied is a list of actions the user was denied for the attempt. | |
| Denied []string | |
| // Unauthorized is a list of actions the user did not have for the attempt. | |
| Unauthorized []string |
pkg/auth/service.go
Outdated
| return strings.TrimSpace(w.String()) | ||
| } | ||
|
|
||
| func CheckPermissions(ctx context.Context, node permissions.Node, username string, policies []*model.Policy, perm *NeededPermissions) CheckResult { |
There was a problem hiding this comment.
nit: variable name perm is too generic.
Can you use something more explicit?
for example: audit, denyAudit, permAudit, history etc...
So that in the future when extending, debugging or just reading the code we can immediately understand what it is used for.
pkg/auth/service.go
Outdated
| @@ -1165,23 +1189,28 @@ func CheckPermissions(ctx context.Context, node permissions.Node, username strin | |||
|
|
|||
| if stmt.Effect == model.StatementEffectDeny { | |||
| // this is a "Deny" and it takes precedence | |||
| return CheckDeny | |||
| perm.Denied = append(perm.Denied, stmt) | |||
There was a problem hiding this comment.
Was thinking the same, agree with @arielshaqed 100%
pkg/auth/service.go
Outdated
| @@ -44,6 +44,11 @@ type AuthorizationResponse struct { | |||
| Error error | |||
| } | |||
|
|
|||
| type NeededPermissions struct { | |||
There was a problem hiding this comment.
rename, MissingPermissions or PermissionsAudit or DenyHistory w/e would be more appropriate?
contrib/auth/acl/service.go
Outdated
| @@ -895,8 +895,8 @@ func (s *AuthService) Authorize(ctx context.Context, req *auth.AuthorizationRequ | |||
| if err != nil { | |||
| return nil, err | |||
| } | |||
|
|
|||
| allowed := auth.CheckPermissions(ctx, req.RequiredPermissions, req.Username, policies) | |||
| perm := &auth.NeededPermissions{} | |||
There was a problem hiding this comment.
sorry, Im confused what are you doing with this variable?
ItamarYuran
force-pushed
the
8224-report-required-permissions-when-authorization-fails
branch
from
539918d
to
704af7d
Compare
|
Thank you for your reviews! |
ItamarYuran
force-pushed
the
8224-report-required-permissions-when-authorization-fails
branch
from
972dc58
to
758d910
Compare
Closes #(8224)
Change Description
The added code helps the user understand why they are not authorized to perform a certain action.
Background
Up until now in case a user had no permissions or was denied of some action, they would only get a
401 unauthorizedmessage, making it hard to understand what is missing in order to perform that action.The enhancement will report all denied actions in case there are any, or if there aren't any - report missing permissions.
Testing Details
Changes were not tested yet, no existing test got broken
Additional info