Security API enhancements #296

Closed
vicmosin opened this issue Jun 7, 2022 · 9 comments
Comments

vicmosin commented Jun 7, 2022

Hi there,
I wonder whether we could have something like

```kotlin
override fun configure(builder: GrpcSecurity) {
    builder.authorizeRequests()
        .services(SomeServiceGrpc.getServiceDescriptor()).hasAnyRole(user) // fallback
        .methods(SomeServiceGrpc.getMethod1()).hasAnyRole(admin, user)
        .methods(SomeServiceGrpc.getMethod2()).hasAnyRole(superAdmin, user)
}
```

The idea is to have a fallback restriction on a service's methods in case one forgot to define the method restriction in the configuration. Right now such an approach doesn't seem to work. For example, the snippet above will set all the methods of SomeServiceGrpc to require at least the user role, even if it's not explicitly specified in the configuration.

Thank you


jvmlet commented Jun 7, 2022

I'm not sure I understand.

> the snippet above will set all the methods of the SomeServiceGrpc to have at least user role even if it's not explicitly specified in the configuration

is exactly the fallback you are asking for, no?


vicmosin commented Jun 7, 2022

@jvmlet
Well, the problem is that the `.methods(*)` definition doesn't seem to override the `.services(*)` one, but technically yes, the fallback works.

jvmlet pushed a commit that referenced this issue Jun 9, 2022

jvmlet commented Jun 9, 2022

@vicmosin, I think this is what you are after:

```kotlin
builder.authorizeRequests()
    .services(SomeServiceGrpc.getServiceDescriptor()).hasAnyRole(admin)
    .anyServiceExcluding(SomeServiceGrpc.getServiceDescriptor()).hasAnyRole(user)
```

Please try with the latest 4.7.1-SNAPSHOT once the build completes.
You also have a similar API for methods.

@jvmlet jvmlet changed the title Any known way to have inheritance while restricting access to methods/services Security API enhancements Jun 12, 2022
@jvmlet jvmlet added the enhancement Auto-generates notes label Jun 12, 2022
@jvmlet jvmlet added this to the 4.7.1 milestone Jun 12, 2022
@jvmlet jvmlet closed this as completed in 5c8e55d Jun 12, 2022

jvmlet commented Jun 14, 2022

4.7.1 is out

vicmosin (Author) commented

@jvmlet thanks for the quick solution, but I think there is still something either wrong there or I am doing it wrong. For example,

```kotlin
.methods(
    SomeServiceGrpc.getCreateXMethod(),
).hasAnyRole(admin)
.anyMethodExcluding(
    *SomeServiceGrpc.getServiceDescriptor().methods.toTypedArray()
).hasAnyRole(user)
```

Now with such a config, if I call createX without providing auth details, the call goes through. If I revert to 4.7.0 and define all the methods individually, then it works as expected.


jvmlet commented Jun 17, 2022

Such config leaves all SomeServiceGrpc methods, except createXMethod, unprotected, right?
Are you sure the unauthorized user can invoke createXMethod?

@jvmlet jvmlet reopened this Jun 17, 2022
vicmosin (Author) commented

@jvmlet

> Such config leaves all SomeServiceGrpc methods, except createXMethod, unprotected, right?

Yes.

> Are you sure the unauthorized user can invoke createXMethod?

No, it works as expected, i.e. calls without auth details throw Status.UNAUTHENTICATED.

So basically it seems like anyMethodExcluding and anyServiceExcluding override all the previous settings.

vicmosin (Author) commented

By the way, maybe it makes sense to rename them to be more self-explanatory, something like
`fallback(serviceDescriptor..)` and `fallback(methodDescriptor..)`.


jvmlet commented Jun 20, 2022

They are not fallbacks. Each time you invoke the hasAnyRole() method, the authority is (or authorities are) added to the permission list of the MethodDescriptor.
At runtime, if the MethodDescriptor has the user role in its authorities list, it's allowed.

@jvmlet jvmlet closed this as completed Jun 20, 2022
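To make the accumulation rule concrete, here is an added model of those semantics in Python. It is not the starter's code (the project is Java) and does not touch gRPC; the descriptor stand-in, the service and method names and the PERMISSION_DENIED outcome for an authenticated caller whose roles do not match are constructed for this illustration. It replays the three configurations from this thread and reports, per method, which roles end up in its permission list, including the methods that the "exclude the whole service" variant leaves unprotected.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple


@dataclass(frozen=True)
class MethodDescriptor:
    """Stand-in for io.grpc.MethodDescriptor, constructed for this model."""
    full_name: str  # e.g. "demo.SomeService/CreateX"

    @property
    def service_name(self) -> str:
        return self.full_name.split("/", 1)[0]


class AuthorizationModel:
    """Model of GrpcSecurity.authorizeRequests() as described in the thread:
    a selector (services / methods / any*Excluding) picks a set of methods and
    has_any_role() ADDS the given roles to each picked method's permission
    list. Nothing is ever removed or overridden by a later call."""

    def __init__(self, all_methods: Iterable[MethodDescriptor]) -> None:
        self._all: Tuple[MethodDescriptor, ...] = tuple(all_methods)
        self.permissions: Dict[MethodDescriptor, Set[str]] = {}
        self._selected: Tuple[MethodDescriptor, ...] = ()

    def services(self, *names: str) -> "AuthorizationModel":
        self._selected = tuple(m for m in self._all if m.service_name in names)
        return self

    def methods(self, *methods: MethodDescriptor) -> "AuthorizationModel":
        self._selected = tuple(methods)
        return self

    def any_service_excluding(self, *names: str) -> "AuthorizationModel":
        self._selected = tuple(m for m in self._all if m.service_name not in names)
        return self

    def any_method_excluding(self, *methods: MethodDescriptor) -> "AuthorizationModel":
        excluded = set(methods)
        self._selected = tuple(m for m in self._all if m not in excluded)
        return self

    def has_any_role(self, *roles: str) -> "AuthorizationModel":
        for m in self._selected:
            self.permissions.setdefault(m, set()).update(roles)
        return self

    def decide(self, method: MethodDescriptor, caller_roles: Optional[Set[str]]) -> str:
        """caller_roles=None models a call without auth details.
        A method with no permission entry is what the thread calls
        'unprotected': the call is let through regardless of caller.
        PERMISSION_DENIED for a non-matching authenticated caller is an
        assumption of this model, not taken from the thread."""
        allowed = self.permissions.get(method)
        if allowed is None:
            return "UNPROTECTED"
        if caller_roles is None:
            return "UNAUTHENTICATED"
        return "OK" if allowed & caller_roles else "PERMISSION_DENIED"

    def summary(self) -> Dict[str, str]:
        """Per-method view of the resulting permission lists."""
        return {m.full_name: ",".join(sorted(self.permissions[m]))
                if m in self.permissions else "<unprotected>" for m in self._all}


# Constructed descriptors: one service from the thread plus a second one,
# to show what the any*Excluding selectors do to unrelated services.
SERVICE = "demo.SomeService"
CREATE_X = MethodDescriptor(f"{SERVICE}/CreateX")
METHOD_1 = MethodDescriptor(f"{SERVICE}/Method1")
METHOD_2 = MethodDescriptor(f"{SERVICE}/Method2")
OTHER = MethodDescriptor("demo.OtherService/Ping")
ALL_METHODS = (CREATE_X, METHOD_1, METHOD_2, OTHER)
SOME_SERVICE_METHODS = (CREATE_X, METHOD_1, METHOD_2)


def first_snippet() -> AuthorizationModel:
    """Opening snippet: service-wide 'user' plus per-method roles.
    'user' is never overridden, so a plain user can still call Method1."""
    return (AuthorizationModel(ALL_METHODS)
            .services(SERVICE).has_any_role("user")
            .methods(METHOD_1).has_any_role("admin", "user")
            .methods(METHOD_2).has_any_role("superAdmin", "user"))


def exclude_whole_service() -> AuthorizationModel:
    """Later snippet: excluding every method of the service means none of
    them receives 'user'; only CreateX ends up with an entry at all."""
    return (AuthorizationModel(ALL_METHODS)
            .methods(CREATE_X).has_any_role("admin")
            .any_method_excluding(*SOME_SERVICE_METHODS).has_any_role("user"))


def admin_only_create_x() -> AuthorizationModel:
    """What the thread was after: admin for CreateX, user for everything else
    (note that 'everything else' includes other services' methods too)."""
    return (AuthorizationModel(ALL_METHODS)
            .methods(CREATE_X).has_any_role("admin")
            .any_method_excluding(CREATE_X).has_any_role("user"))


if __name__ == "__main__":
    for name, build in (("first snippet", first_snippet),
                        ("exclude whole service", exclude_whole_service),
                        ("admin-only CreateX", admin_only_create_x)):
        print(name, build().summary())
```

Running the module prints the three permission tables; the point to take away is that `any_method_excluding(*all methods of the service)` is not a fallback for that service but a selector that skips it, leaving its unlisted methods without any entry, whereas `any_method_excluding(CREATE_X)` hands the `user` role to every other method on the server.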