POC for automated testing of correct authorization on endpoints #1461

Closed
baszoetekouw opened this issue Jun 5, 2024 · 11 comments
@baszoetekouw
Member

I would like to have automatic tests to prevent bugs like #1457.
Ideally there would be a test that iterates over all roles in the platform, tries to access all endpoints with all roles and checks that only the correct roles have access.

This is a huge piece of work, so I'm unsure on how to take this on. We should probably start with something like role definitions to see which roles there are in the first place.

Or we could approach it from a different direction, and introduce a framework that helps with the mapping from user/token to role to access rights, and migrate all API authorisation to use a more structural framework like this.

@oharsta do you have an idea if there is a somewhat doable way to achieve this?

@baszoetekouw baszoetekouw added the discuss Needs to be discussed; do not implement as is. label Jun 5, 2024
@baszoetekouw
Member Author

For example, would a framework like these work for us?

@mrvanes
Contributor

mrvanes commented Jun 5, 2024

Or python -> Open Policy Agent
https://opa-python.readthedocs.io/en/latest/

@oharsta
Collaborator

oharsta commented Jun 5, 2024

@baszoetekouw perhaps it is a good idea to have a whiteboard session about this? What do we want to achieve, which problems it will solve and what would an MVP look like? There is an inherent risk of over-engineering this.

@FlorisFokkinga FlorisFokkinga changed the title Autmated testing of correct autorization on endpoints Automated testing of correct autorization on endpoints Jun 28, 2024
@FlorisFokkinga FlorisFokkinga moved this from New to Todo in SRAM development Jun 28, 2024
@logan-life
Contributor

@logan-life to plan a whiteboard session for this in October or November.

@logan-life
Contributor

Scheduling request sent for the whiteboard session.

@baszoetekouw
Member Author

Conclusion of whiteboarding session: authorization framework doesn't seem feasible and will be complex anyway (because the system itself is complex).
So we've decided to implement testing of all endpoints.

The tests should be automatically generated to iterate over all roles and all endpoints, and check if there is access.

Easy way to start: anonymous user, iterate over all endpoints, and test if we have access. Generate a seed specifically for these tests; define a yaml file that describes these desired results.

So, start a POC:

  1. enumerate all endpoints
  2. test all using an anonymous user
  3. yaml to specify expected results
  4. compare 2+3

After the POC, see what this brings us, and if we should expand this to iterate over other roles (OrgAPI user, logged in user, co admin, etc)
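One way to wire up the four POC steps above, as an added example in Python (not SBS code): the route table, its handlers and the yaml contents are constructed stand-ins, and it assumes the expected-results yaml has already been loaded with yaml.safe_load into a flat "METHOD path: status" mapping. Endpoints absent from the yaml are compared against 401 so that a newly added route fails until someone lists it explicitly.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed stand-in for the app's route table; a real POC would read it
# from the framework's registered routes instead of a hard-coded list.
@dataclass(frozen=True)
class Endpoint:
    method: str
    path: str
    handler: Callable[[Optional[dict]], int]  # current user (None = anonymous) -> HTTP status

def requires_login(user: Optional[dict]) -> int:
    return 401 if user is None else 200

def public(user: Optional[dict]) -> int:
    return 200

ROUTES = [
    Endpoint("GET", "/api/health", public),
    Endpoint("GET", "/api/collaborations", requires_login),
    Endpoint("GET", "/api/users/me", requires_login),
    Endpoint("GET", "/api/organisations", public),  # constructed bug: should require login
]

# Same shape the yaml file has after yaml.safe_load():
# "<METHOD> <path>": expected status for an anonymous caller.
EXPECTED_ANONYMOUS = {
    "GET /api/health": 200,
    "GET /api/collaborations": 401,
    "GET /api/users/me": 401,
    "GET /api/organisations": 401,
}

def enumerate_endpoints(routes):
    """Step 1: every registered endpoint as a stable 'METHOD path' key."""
    return sorted(f"{r.method} {r.path}" for r in routes)

def check_anonymous_access(routes, expected, default=401):
    """Steps 2-4: call each endpoint as anonymous and diff against the yaml.

    Returns (mismatches, stale): mismatches are (key, expected, actual) for
    endpoints whose anonymous response differs from the yaml (or from
    `default` when the yaml has no entry); stale lists yaml keys with no route.
    """
    handlers = {f"{r.method} {r.path}": r.handler for r in routes}
    mismatches = [(key, expected.get(key, default), handlers[key](None))
                  for key in enumerate_endpoints(routes)
                  if handlers[key](None) != expected.get(key, default)]
    stale = sorted(set(expected) - set(handlers))
    return mismatches, stale
```

A test suite can parametrize one test per key from enumerate_endpoints, so the generated cases grow automatically as endpoints are added.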

@baszoetekouw baszoetekouw assigned oharsta and unassigned logan-life Oct 7, 2024
@logan-life
Contributor

Time-boxed effort for the POC = ~ 3-4 days

Potential benefits to realize:

  • Security of endpoints (of course)
  • Reviewing the JSON returns from endpoint tests may help us determine if/how we want to reduce the amount of data returned
  • Identify possibilities for simplification / de-duplication

@logan-life logan-life changed the title Automated testing of correct autorization on endpoints POC for automated testing of correct autorization on endpoints Oct 7, 2024
@logan-life logan-life removed the discuss Needs to be discussed; do not implement as is. label Oct 7, 2024
oharsta added a commit that referenced this issue Oct 7, 2024
oharsta added a commit that referenced this issue Oct 7, 2024
@oharsta
Collaborator

oharsta commented Oct 16, 2024

Waiting for to be merged. https://github.com/SURFscz/SBS/tree/feature/automated-authz-testing-1461 is the branch with the automated end-points tests, and is created from the #1630 branch, which can not be merged until eduTeams fixes the refactored login flow.

@oharsta oharsta moved this from In progress to Blocked in SRAM development Oct 16, 2024
@oharsta
Collaborator

oharsta commented Oct 31, 2024

Can be tested. Is merged to main branch.

@oharsta oharsta removed the on-hold label Oct 31, 2024
@mrvanes
Contributor

mrvanes commented Oct 31, 2024

@mrvanes
Contributor

mrvanes commented Nov 1, 2024

Ok

@logan-life logan-life added this to the v38 milestone Nov 11, 2024
@sram-project-automation sram-project-automation bot moved this from To be deployed to To be tested in SRAM development Nov 13, 2024
@baszoetekouw baszoetekouw moved this from To be tested to To be deployed in SRAM development Nov 13, 2024
@sram-deploy-tools-automation sram-deploy-tools-automation bot moved this from To be deployed to Done in SRAM development Nov 21, 2024