Skip to content

Add authentication/authorization related PoCs #107

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 19 commits into from
Apr 9, 2024
Merged

Add authentication/authorization related PoCs #107

merged 19 commits into from
Apr 9, 2024

Conversation

jeongsoolee09
Copy link
Contributor

@jeongsoolee09 jeongsoolee09 commented Mar 26, 2024
edited
Loading

What this PR contributes

This PR adds several PoCs pertaining to authentication or authorization issues, as well as model tests to make sure that the model classes correctly capture the relevant portions of code.

nonprod-authn-strategy

Level: Error, Precision: High.

This category is about mistakes due to using development-only authentication strategies, assuming code-scanning is called before the application goes into production.

basic/mocked/dummy-authentication

Level: Error, Precision: High.

  • Basic authentication is used in a production environment, with hardcoded username and password entries of mocked users in the application's package.json.
  • Mocked / Dummy authentication is used in a production environment without hardcoded username and password entries.

misused-privileged-user

This category pertains to the mistakes caused by misusing the cds.User.Privileged class in a couple of ways. Since this class bypasses all means of authorization, developers should be prudent in ways it is used.

default-is-privileged

Level: Error, Precision: High.

The cds.User.default property, initially cds.User.Anonymous, is overwritten to cds.User.Privileged at some execution point of the application. This models the scenario where the developer overwrote the property for convenience during development but forgot to put it back to the default class.

dynamically-generated-privileged

Level: Error, Precision: Low.

A user of cds.User.Privileged is created and used somewhere in the application in an inappropriate manner. Particularly, its misuse allows for elevated access rights of a user to its maximum.

  • privileged-user.js contains a custom authentication strategy that creates a privileged user on login.
  • service1.js contains five transactions that reads from various entities with a privileged user:
    • this.on("send1", ...): Not an error. It SELECTs from its own entity that does not require authorization.
    • this.on("send2", ...): Is an error. It SELECTs from its own entity that requires authorization.
    • this.on("send3", ...): Not an error. It SELECTs from a locally available entity that does not require authorization.
    • this.on("send4", ...): Is an error. It SELECTs from a locally available entity that requires authorization.
    • this.on("send5", ...): Is eligible for a warning. It SELECTs from a remote entity of which authorization strategy is unknown. Treating this as an error may result in many false positives, so we overapproximate that the remote entity does restrict access rights in some way and issue a warning instead.

entities-with-no-authn

Level: Warning, Precision: High.

When a CAP application chooses to use a production-level authentication strategy, all of its entities, services, actions, and functions are "locked down" to require 'authenticated-user' as its access control. Therefore, a warning should be issued whenever a CAP declaration without an access control is encountered.

Alternatively, if the aformentioned issue is present but cds.env.requires.auth.restrict_all_services is set to false in the application's package.json, then an error should be raised.

entities-exposed-with-no-authz

All entities, services, actions, and functions are not secured. Every occurrences of such should raise an alarm.

entities-exposed-with-cds-authz

All entities, services, actions, and functions require authentication via @restrict or @requires annotations on the CDS file that declares them (Note that event declarations cannot be qualified with neither of both). As a result, no alerts should be produced on this application.

entities-exposed-with-js-authz

All entities, services, actions, and functions require authentication either via:

  • Service.before handler registration that checks access rights and rejects the request, or
  • Service.on handler registration that checks access rights and executes business logic or rejects the request on the result of the authorization.

Hence, for similar reasons for entities-exposed-with-cds-authz, no alerts should be produced on this application.

Model tests

privilegeduser

privilegeduser.js contains true-positive cases where a privileged user is created to access an entity, with three variations in how it is configured:

  1. A user is created using directly using a custom middleware that configures a req.user as a privileged user. The user is initialized by a constructor call to CustomPrivilegedUser1, which is equivalent to cds.User.Privileged since it has a constant true function as its is instance method used for authorization.
  2. A user is created by a direct constructor call to cds.User.Privileged.
  3. A user is created by a direct constructor call to the above CustomPrivilegedUser1.

req-user-authz

Extensive collection of all combinations involving this.before and this.on handler registrations written for authentization and authorization, which is similar to those appearing in the example dynamically-generated-privileged said above.

Future work

Implement queries that correctly finds all true positive cases but avoids all false positive ones.

@jeongsoolee09
Add four pocs
155886f 
1. Authentication strategy is `dummy`
2. Authentication strategy is `basic` with hardcoded credentials
3. Authentication strategy is `mocked` with hardcoded credentials
4. `cds.User.default = cds.User.Privileged;`
@jeongsoolee09
Merge branch 'main' into jeongsoolee09/auth-pocs
2680192
@jeongsoolee09
Merge branch 'main' into jeongsoolee09/auth-pocs
5ca4f4e
@jeongsoolee09
gitignore
1f52792
@jeongsoolee09
Add poc dynamically-generated-privileged
992c0c8
@jeongsoolee09
Add two pocs
0d9d768
@jeongsoolee09
Remove { grant: 'READ' }; it's trivial
7505f53
@jeongsoolee09
Alter some on cds-authz and add js-authz
42f9c9d
@jeongsoolee09
Add model test of request authn/authz
e8a3ded
@jeongsoolee09
Debug cds files of entities-exposed-with-cds-authz
aef5db4
@jeongsoolee09
Update dynamically-generated-privileged
8539e0d
@jeongsoolee09
Add model test of privilegeduser
4bf435a
@jeongsoolee09
update
9ae2efb
@jeongsoolee09
Debug cds
c6cf1b2
@jeongsoolee09
Categorize pocs into three groups
9eded4a
@jeongsoolee09 jeongsoolee09 self-assigned this Apr 4, 2024
@jeongsoolee09 jeongsoolee09 requested a review from mbaluda April 4, 2024 00:47
@jeongsoolee09 jeongsoolee09 marked this pull request as ready for review April 4, 2024 01:10
mbaluda
mbaluda approved these changes Apr 9, 2024
View reviewed changes
Copy link
Contributor

@mbaluda mbaluda left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's a good set of tests!

@jeongsoolee09 jeongsoolee09 merged commit 5f2d430 into main Apr 9, 2024
@jeongsoolee09 jeongsoolee09 deleted the jeongsoolee09/auth-pocs branch April 9, 2024 20:49
@jeongsoolee09 jeongsoolee09 mentioned this pull request Jul 26, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mbaluda mbaluda mbaluda approved these changes

Assignees

@jeongsoolee09 jeongsoolee09

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@jeongsoolee09 @mbaluda