Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

FUZ-22 - API Token improvements - Tool Segmentation #28

Draft
wants to merge 3 commits into
base: master
Choose a base branch
from
Draft

FUZ-22 - API Token improvements - Tool Segmentation #28

wants to merge 3 commits into from

Conversation

gitstart-app[bot]
Copy link

@gitstart-app gitstart-app bot commented Jan 31, 2025
edited
Loading

Description:

This PR adds tool-specific segmentation to API tokens to enhance security in FuzzManager. Currently, API tokens have unrestricted access across all tools, creating potential security risks if compromised.

The changes:

  • Restrict API tokens to specific tools
  • Add Django command add_tool_to_token remove_tool_from_token for token-tool management.
  • Implement user restrictions based on tool access
  • Prevent unauthorized tool access

This segmentation limits the impact of potential token leaks and provides better access control for crash/coverage reporting.

Demo
https://www.loom.com/share/bcde5c97bec54761a8a11b0f72a54850?sid=0b52a794-a0ad-478b-af24-5c254827e80b

Test Plan

  1. Assign Tool to Token:

    • Run the add_tool_to_token management command to assign a specific tool to a token.
    • Example:
      • python manage.py add_tool_to_token <token_string> <tool_name>

  2. Verify Token Restrictions:

    • Use curl to submit crash reports using the segmented token for the assigned tool.
      • Example:
        • curl -H "Authorization: Token <token_string>" -X POST http://<server>/api/crashes/ -d '{"tool": "<tool_name>", "crash_data": "..." }'
    • Attempt to submit a crash report for a tool not assigned to the token and verify that the request is denied with an appropriate error message.
    • Example:
      • curl -H "Authorization: Token <token_string>" -X POST http://<server>/api/crashes/ -d '{"tool": "unauthorized_tool", "crash_data": "..." }'
    • Expected Response: 403 Forbidden with a message indicating lack of permission.

  3. Ensure User Restrictions:

    • Verify that the user associated with the token is marked as restricted after their token is assigned a tool.
    • Check that restricted users can only submit crash/coverage report for their assigned tools.
    • Attempt to access data for tools outside the user's permissions and confirm access is denied.

  4. Tool Assignment:

    • Use management command below to add tool to token:
      • python manage.py add_tool_to_token <token_string> <tool_name>
    • Use management command below to remove tool from token
      • python manage.py remove_tool_from_token <token_string> <tool_name>

@community-tc-integration Community-TC Integration
Copy link

No Taskcluster jobs started for this pull request

The allowPullRequests configuration for this repository (in .taskcluster.yml on the default branch) does not allow starting tasks for this pull request.

@gitstart-app GitStart App
Copy link
Author

gitstart-app bot commented Jan 31, 2025

This PR is estimated to cost 30 credits.
🟡 By merging this PR you agree to this estimate. If you disagree, click here.

@gitstart-app gitstart-app bot force-pushed the FUZ-22-tool-segmentation branch from a5f071e to 7e0c984 Compare February 21, 2025 19:12
@gitstart-app GitStart App
Copy link
Author

gitstart-app bot commented Feb 21, 2025

This PR is estimated to cost 30 credits.
🟡 By merging this PR you agree to this estimate. If you disagree, click here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@jschwartzentruber