Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Check a list of scopes when verifying tokens #1340

Merged
merged 1 commit into from
Jul 24, 2023
Merged

Check a list of scopes when verifying tokens #1340

merged 1 commit into from
Jul 24, 2023

Conversation

lubosmj
Copy link
Member

@lubosmj lubosmj commented Jul 20, 2023

Before this commit, the registry checked one scope, ignoring other scopes that could relate to blob mounting operations. Due to that, users without sufficient permissions could mount blobs from other users unauthorized.

closes #1286

@ipanova ipanova removed the prio-list label Jul 21, 2023
@lubosmj lubosmj force-pushed the 1286-fix-from-to-mount-permissions branch 3 times, most recently from 2a803c0 to c9fa709 Compare July 21, 2023 14:33
@lubosmj
Check a list of scopes when verifying tokens
d23b907 
Before this commit, the registry checked one scope, ignoring other
scopes that could relate to blob mounting operations. Due to that,
users without sufficient permissions could mount blobs from other
users unauthorized.

closes pulp#1286
@lubosmj lubosmj force-pushed the 1286-fix-from-to-mount-permissions branch from c9fa709 to d23b907 Compare July 21, 2023 15:38
@lubosmj lubosmj marked this pull request as ready for review July 21, 2023 16:06
ipanova
ipanova reviewed Jul 24, 2023
View reviewed changes
pulp_container/app/token_verification.py
for access in decoded_token["access"]:
if scope.resource_type == access["type"] and scope.name == access["name"]:
if scope.action in access["actions"]:
accessible_actions.append(True)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i might have used here a boolean instead, but list will work ok too.

@lubosmj lubosmj merged commit 6658b7e into pulp:main Jul 24, 2023
@patchback
Copy link

patchback bot commented Jul 24, 2023
edited
Loading

Backport to 2.14: 💔 cherry-picking failed — conflicts found

❌ Failed to cleanly apply 6658b7e on top of patchback/backports/2.14/6658b7e3d432cc426edf08892d38ed0d27b06692/pr-1340

Backporting merged PR #1340 into main

  1. Ensure you have a local repo clone of your fork. Unless you cloned it
    from the upstream, this would be your origin remote.
  2. Make sure you have an upstream repo added as a remote too. In these
    instructions you'll refer to it by the name upstream. If you don't
    have it, here's how you can add it: 
    $ git remote add upstream https://github.com/pulp/pulp_container.git
  3. Ensure you have the latest copy of upstream and prepare a branch
    that will hold the backported code: 
    $ git fetch upstream
$ git checkout -b patchback/backports/2.14/6658b7e3d432cc426edf08892d38ed0d27b06692/pr-1340 upstream/2.14
  4. Now, cherry-pick PR Check a list of scopes when verifying tokens #1340 contents into that branch: 
    $ git cherry-pick -x 6658b7e3d432cc426edf08892d38ed0d27b06692
    If it'll yell at you with something like fatal: Commit 6658b7e3d432cc426edf08892d38ed0d27b06692 is a merge but no -m option was given., add -m 1 as follows instead: 
    $ git cherry-pick -m1 -x 6658b7e3d432cc426edf08892d38ed0d27b06692
  5. At this point, you'll probably encounter some merge conflicts. You must
    resolve them in to preserve the patch from PR Check a list of scopes when verifying tokens #1340 as close to the
    original as possible.
  6. Push this branch to your fork on GitHub: 
    $ git push origin patchback/backports/2.14/6658b7e3d432cc426edf08892d38ed0d27b06692/pr-1340
  7. Create a PR, ensure that the CI is green. If it's not — update it so that
    the tests and any other checks pass. This is it!
    Now relax and wait for the maintainers to process your pull request
    when they have some cycles to do reviews. Don't worry — they'll tell you if
    any improvements are necessary when the time comes!

🤖 @patchback
I'm built with octomachinery and
my source is open — https://github.com/sanitizers/patchback-github-app.

@patchback
Copy link

patchback bot commented Jul 24, 2023
edited
Loading

Backport to 2.15: 💚 backport PR created

✅ Backport PR branch: patchback/backports/2.15/6658b7e3d432cc426edf08892d38ed0d27b06692/pr-1340

Backported as #1344

🤖 @patchback
I'm built with octomachinery and
my source is open — https://github.com/sanitizers/patchback-github-app.

@patchback patchback bot mentioned this pull request Jul 24, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ipanova ipanova ipanova approved these changes

Assignees
No one assigned
Labels
backport-2.14 backport-2.15
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Users can mount blobs without having read access to the from repository
2 participants
@lubosmj @ipanova