Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Mint scope-based access tokens for RBAC #1669

Merged
merged 13 commits into from
May 7, 2021
Merged

Mint scope-based access tokens for RBAC #1669

merged 13 commits into from
May 7, 2021

Conversation

ishank011
Copy link
Contributor

@ishank011 ishank011 commented Apr 28, 2021
edited
Loading

Primarily, this PR is meant to introduce the concept of scopes into our tokens. At the moment, it addresses those cases where we impersonate other users without allowing the full scope of what the actual user has access to.

Going by owncloud/ocis#1971, it serves a similar purpose. We can modify the current design to incorporate both the things. I wanted to finish coding it so that I could verify its correctness.

Here's a diagram detailing how the tokens are minted and additional scopes added https://codimd.web.cern.ch/XTib-1TzTyqx2IZJJOq5pA (you might have to zoom in a bit). Also a short explanation:

  • We get the public share using the token provided by the client.
  • In the public share, we know the resource ID, so we can add this to the allowed scope, but not the path.
  • However, later OCDav tries to access by path as well. Now this is not allowed at the moment. However, from the allowed scope, we have the resource ID and we're allowed to stat that. We stat the resource ID, get the path and if the path matches the one passed by OCDav, we add it to the scope as well.

Serves as a better approach to #1549, closes #1549.

Depends on cs3org/cs3apis#123

@ishank011 ishank011 requested a review from labkode as a code owner April 28, 2021 16:01
@ishank011 ishank011 marked this pull request as draft April 28, 2021 16:01
@ishank011 ishank011 marked this pull request as ready for review April 30, 2021 08:14
@ishank011 ishank011 force-pushed the auth-scope branch 2 times, most recently from 328cc3f to a78b089 Compare April 30, 2021 09:53
@ishank011
Copy link
Contributor Author

One caveat is that whenever we try to access a resource by an attribute that is not added to the token scope, we'll have to resolve it (resource ID -> path or vice versa). Even if we append the scope by adding the missing attribute, we can't pass the new token back to the caller.

@refs refs mentioned this pull request May 3, 2021
Closed
@labkode labkode merged commit 28500a8 into cs3org:master May 7, 2021
@ishank011 ishank011 mentioned this pull request May 7, 2021
Closed
@ishank011 ishank011 deleted the auth-scope branch May 7, 2021 09:33
@ishank011 ishank011 mentioned this pull request May 7, 2021
Closed
@wkloucek wkloucek mentioned this pull request May 11, 2021
Closed
23 tasks
@renovate renovate bot mentioned this pull request Jun 7, 2021
Merged
1 task
@ishank011 ishank011 mentioned this pull request Jul 7, 2021
Merged
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@labkode labkode labkode approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Revamp public shares authentication model
2 participants
@ishank011 @labkode