fix: Authz fixes #3132
Merged
fix: Authz fixes #3132
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Mark Phelps <[email protected]>
* 'authz' of https://github.com/flipt-io/flipt: chore: set raw claims if they exist in authz metadata (#3125)
Signed-off-by: Mark Phelps <[email protected]>
Signed-off-by: Mark Phelps <[email protected]>
Signed-off-by: Mark Phelps <[email protected]>
Signed-off-by: Mark Phelps <[email protected]>
GeorgeMac
reviewed
May 29, 2024
GeorgeMac
approved these changes
May 29, 2024
There was a problem hiding this comment.
Changes look good. Just one outstanding question around whether or not SkipsAuthorization check is needed in the skipped function.
Also, I wonder, if we do this skips authorization thing at all, if it should come separately after authentication has happened, so that we support authn without authz. Which I think is a likely case for some things.
That only applies if we have entire services though that skip authz.
kodiakhq bot
added a commit
that referenced
this pull request
May 30, 2024
* feat(wip): authz/rbac feat: impl authz middleware feat: impl authz middleware chore: fix panic and bad redux selector chore: fmt ui chore: refactor chore: fix build, change to single role, default role chore: fix build, change to single role, default role chore: rm unneeded files feat: configurable roles/policies chore: config schema and tests chore: mv back events to audit package chore: reset ui folder chore: revert ui back to main chore: policy schema, visibility of errors chore: add policy schema test chore: rebase on main Signed-off-by: Mark Phelps <[email protected]> * chore: start adding role attribute path/jmes * chore: mod tidy * Authz OIDC tests (#3098) * chore: fix tests, add role attribute path / role mapping to oidc server tests Signed-off-by: Mark Phelps <[email protected]> * chore: authz middleware tests Signed-off-by: Mark Phelps <[email protected]> * chore: fix audit tests Signed-off-by: Mark Phelps <[email protected]> * chore: proto regen Signed-off-by: Mark Phelps <[email protected]> * chore: try to fix marshal audit events behaviour Signed-off-by: Mark Phelps <[email protected]> * chore: fix failing test Signed-off-by: Mark Phelps <[email protected]> --------- Signed-off-by: Mark Phelps <[email protected]> * chore: refactor request models to include scope Signed-off-by: Mark Phelps <[email protected]> * chore: fix engine_test * chore: make scope optional and use subject if not provided * chore: fix executor_test Signed-off-by: Mark Phelps <[email protected]> * chore: fix log sink test Signed-off-by: Mark Phelps <[email protected]> * chore: consolidate some auth metadata to make creating policies simpler (#3106) * refactor(server/authz): make policy and data external dependencies (#3108) * refactor(server/authz): rename scope to resource Signed-off-by: George MacRorie <[email protected]> * feat(config/authz): add policy and data source configuration Signed-off-by: George MacRorie <[email protected]> * refactor(server/authz): make policy and data external dependencies Signed-off-by: George MacRorie <[email protected]> * refactor(cmd/grpc): integrate new authz Engine changes Signed-off-by: George MacRorie <[email protected]> * fix(server/authz): ensure error is captured in return Signed-off-by: George MacRorie <[email protected]> * fix(config): allow policy and data sources to be empty Signed-off-by: George MacRorie <[email protected]> * refactor(server/authz): support separate poll durations for policy and data Signed-off-by: George MacRorie <[email protected]> * fix(config): validate non zero poll duration for authz sources Signed-off-by: George MacRorie <[email protected]> * fix(cmd/grpc): calls to authz engine with changes to polling Signed-off-by: George MacRorie <[email protected]> --------- Signed-off-by: George MacRorie <[email protected]> * refactor(authz): pass entire request and authentication to IsAllowed (#3126) Signed-off-by: George MacRorie <[email protected]> * chore: set raw claims if they exist in authz metadata (#3125) * chore: go mod tidy Signed-off-by: Mark Phelps <[email protected]> * chore: set raw claims if they exist in authz metadata Signed-off-by: Mark Phelps <[email protected]> * chore: fix authn oidc server test Signed-off-by: Mark Phelps <[email protected]> * chore: skip authz on auth public server Signed-off-by: Mark Phelps <[email protected]> * chore: log for debugging Signed-off-by: Mark Phelps <[email protected]> --------- Signed-off-by: Mark Phelps <[email protected]> * fix: Authz fixes (#3132) * chore: go mod tidy Signed-off-by: Mark Phelps <[email protected]> * fix: authz endpoint skip for getauthself/deleteauthself Signed-off-by: Mark Phelps <[email protected]> * chore: rm claims unmarshal for now * chore: make authorization experimental Signed-off-by: Mark Phelps <[email protected]> * chore: add request methods to auth requests Signed-off-by: Mark Phelps <[email protected]> * chore: add schema * chore: set package name to flipt.authz.v1 * chore: fix telemetry test Signed-off-by: Mark Phelps <[email protected]> --------- Signed-off-by: Mark Phelps <[email protected]> * chore: rename poll duration to poll interval Signed-off-by: Mark Phelps <[email protected]> * chore: mod/work sync Signed-off-by: Mark Phelps <[email protected]> * chore: fix config test Signed-off-by: Mark Phelps <[email protected]> * chore: rm unused supports authz config; fmt cache config --------- Signed-off-by: Mark Phelps <[email protected]> Signed-off-by: George MacRorie <[email protected]> Co-authored-by: George <[email protected]> Co-authored-by: kodiakhq[bot] <49736102+kodiakhq[bot]@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
GetAuthenticationSelfandExpireAuthenticationSelf) required for UI and logoutpackage flipt.authz.v1