While reviewing the SBS codebase, the observation was made that authorization was primarily dependent on a series of if statements and functions. While this remains a common approach, it appears susceptible to erroneous behaviors in an SBS context. Several tickets documented in this report indicated the ease with which the misplacement of a single if statement can result in authorization issues. In light of this, [the audit team] strongly recommends researching and implementing maintainable methods for authorization enforcement on API endpoints.
We need to come up with something structural for this.
@oharsta Do you have suggestions on how we can structurally improve authorization in SBS?
Preferably I would like something that keeps API endpoints closed by default, unless we explicitly grant access to certain groups. I would also prefer to do the latter in a standardised way (although perhaps we first need to simplify the SBS authorization model).
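The "closed by default, open only by explicit group grant" design asked for above, as an added illustration (not SBS code): routes cannot be registered without declaring an allowlist, so the authorization check cannot be forgotten, and the dispatcher denies any path that has no policy. The route path and group names are assumed placeholders, not SBS's real ones.

```python
"""Deny-by-default endpoint authorization (framework-agnostic sketch).

Every route must declare which groups may call it when it is registered;
the dispatcher refuses anything that has no policy or whose caller is in
none of the allowed groups. Group names and paths are constructed examples.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, Iterable, Optional, Set


class PolicyError(Exception):
    """Raised at registration time when a route declares no policy."""


class Forbidden(Exception):
    """Raised at request time; maps to an HTTP 403 in a real app."""


@dataclass
class Router:
    _handlers: Dict[str, Callable] = field(default_factory=dict)
    _policies: Dict[str, FrozenSet[str]] = field(default_factory=dict)

    def route(self, path: str, allow: Optional[Iterable[str]] = None):
        """Register a handler. A missing `allow` is a hard error, so an
        endpoint can never silently ship without an authorization policy."""
        def deco(fn: Callable) -> Callable:
            if allow is None:
                raise PolicyError(f"{path}: no authorization policy declared")
            self._handlers[path] = fn
            self._policies[path] = frozenset(allow)  # explicit allowlist
            return fn
        return deco

    def dispatch(self, path: str, user_groups: Set[str]):
        """Closed by default: unknown path, missing policy, or no group
        overlap all deny. The check lives here, not in each handler."""
        policy = self._policies.get(path)
        if policy is None or not (policy & user_groups):
            raise Forbidden(path)
        return self._handlers[path]()


api = Router()


@api.route("/api/collaborations", allow={"admin", "collaboration_admin"})
def list_collaborations():
    return ["co-1", "co-2"]  # constructed sample data


def call(path: str, groups: Iterable[str]):
    """Convenience wrapper returning the handler result or "403"."""
    try:
        return api.dispatch(path, set(groups))
    except Forbidden:
        return "403"
```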
@baszoetekouw If we can first simplify the authorization model, then I do have ideas on how to restructure the code. Which simplifications are feasible in the short term?
FlorisFokkinga changed the title from "Beter schaalbare en beheersbare autorisatiemethode in SBS" to "More scalable and manageable autorisation method in SBS" on Aug 23, 2024.
The 2024 external security audit will focus on the org and SBS internal API, so findings from that will also be helpful in understanding what we can do here w/r/t simplification.
After testing is in place, we can think about how to do this better and what the best time to do this is (during or after SURF access).