Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

MODELIX-1042 authorization for workspaces #1190

Merged
merged 20 commits into from
Dec 12, 2024
Merged

MODELIX-1042 authorization for workspaces #1190

merged 20 commits into from
Dec 12, 2024

Conversation

slisson
Copy link
Member

@slisson slisson commented Nov 20, 2024
edited
Loading

This is the result of replacing the keycloak based authorization in modelix.workspaces with our own authorization library.

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Nov 20, 2024
edited
Loading

Test Results

  188 files    188 suites   31m 42s ⏱️
1 052 tests 1 045 ✅ 7 💤 0 ❌
1 062 runs  1 055 ✅ 7 💤 0 ❌

Results for commit 817f454.

♻️ This comment has been updated with latest results.

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Nov 20, 2024
edited
Loading

JVM coverage report

Overall Project 54.54% -1.63%
Files changed 57.57%

File Coverage
ModelServerPermissionSchema.kt 100% 🍏
CompositeJWSKeySelector.kt 100% 🍏
KeycloakTokenConstants.kt 100% 🍏
ModelixTokenConstants.kt 100% 🍏
AccessTokenPrincipal.kt 96.3% 🍏
PermissionEvaluator.kt 95.97% 🍏
DiffView.kt 89.77% -3.46% 🍏
NonWrittenEntry.kt 89.55% -2.99%
KeyValueLikeModelServer.kt 87.21% -0.33%
ModelixJWTUtil.kt 85.09% -14.91% 🍏
SchemaBuilder.kt 84.33% 🍏
AuthorizationConfig.kt 82.9% -13.47%
SchemaInstance.kt 80.6% -12.46%
PermissionSchemaBase.kt 73.27% -26.73%
WrittenEntry.kt 71.7% 🍏
AuthorizationPlugin.kt 67.69% -10.22%
KtorAuthUtils.kt 67.49% -9.36%
ContentExplorer.kt 66.77% -23.29%
IAccessControlDataProvider.kt 50% -50%
AccessControlData.kt 38.31% -61.69%
PermissionManagementPage.kt 26.65% -73.35%
Main.kt 19.36% -0.32%
RepositoryOverview.kt 18.13% -23.23%
HistoryHandler.kt 0% -30.52%

github-advanced-security[bot]
github-advanced-security bot found potential problems Nov 20, 2024
View reviewed changes
Copy link

@github-advanced-security github-advanced-security bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

detekt found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.

@slisson slisson force-pushed the MODELIX-927-VNC branch 9 times, most recently from f63e3ef to c6ab4b7 Compare November 25, 2024 12:11
@slisson slisson marked this pull request as ready for review December 5, 2024 17:58
@slisson slisson requested a review from a team as a code owner December 5, 2024 17:58
@slisson slisson enabled auto-merge December 5, 2024 18:16
odzhychko
odzhychko requested changes Dec 9, 2024
View reviewed changes
Copy link
Contributor

@odzhychko odzhychko left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am troubled with the decision that "a user can grant his own permission to other users".
To me, it seems unconventional and not a good security practice.
But maybe I am missing some crucial step in reasoning about this decision, that you could explain.

Their other annotations are minor and mostly concerned with clean up and resource usage.

authorization/src/main/kotlin/org/modelix/authorization/AuthorizationConfig.kt Show resolved Hide resolved
authorization/src/main/kotlin/org/modelix/authorization/AuthorizationConfig.kt Show resolved Hide resolved
authorization/src/main/kotlin/org/modelix/authorization/AuthorizationConfig.kt Show resolved Hide resolved
authorization/src/main/kotlin/org/modelix/authorization/AuthorizationConfig.kt Show resolved Hide resolved
authorization/src/main/kotlin/org/modelix/authorization/AuthorizationConfig.kt Show resolved Hide resolved
authorization/src/main/kotlin/org/modelix/authorization/PermissionManagementPage.kt Show resolved Hide resolved
authorization/src/main/kotlin/org/modelix/authorization/PermissionManagementPage.kt Outdated Show resolved Hide resolved
authorization/src/main/kotlin/org/modelix/authorization/PermissionManagementPage.kt Show resolved Hide resolved
authorization/src/main/kotlin/org/modelix/authorization/PermissionManagementPage.kt Outdated Show resolved Hide resolved
authorization/src/main/kotlin/org/modelix/authorization/PermissionManagementPage.kt Show resolved Hide resolved
@slisson slisson force-pushed the MODELIX-927-VNC branch 3 times, most recently from 87a047a to 74ef1d4 Compare December 10, 2024 16:48
slisson added 10 commits December 11, 2024 11:32
@slisson
feat(authorization): built-in permission management
5aeb53b 
At `/permissions/manage` users can grant permissions to other users based on the user ID from the
JWT identity token. The data is persisted to the file specified in the environment variable
`MODELIX_ACCESS_CONTROL_FILE`.
@slisson
fix(model-server): /history /content /diff and /repos always returned…
693f3bd 
… 401
@slisson
fix(model-server): RestWebModelClient couldn't request a clientId
ff08972
@slisson
fix(authorization)!: remove unused keycloak based authorization
71dc994
@slisson
fix(model-server): make modelix-admin also model-server admin
dd1fe1d 
When a user is assigned the role modelix-admin in keycloak then he should have admin permissions on
the model-server.
@slisson
fix(model-datastructure): implement IKVEntryReference.toString
01812f5
@slisson
fix(authorization): also install status page handler for Throwable
ce06948
@slisson
docs(authorization): some more documentation after review
a6bf536
@slisson
chore(authorization): deduplicate constant strings
2201fa0
@slisson
fix(authorization): cache remote keys
64053df 
RemoteJWKSet already caches keys from remote URLs, but all instances of key sources weren't reused.
@slisson slisson force-pushed the MODELIX-927-VNC branch 2 times, most recently from f2d2afb to 85a72b3 Compare December 11, 2024 19:35
@slisson
fix(authorization): allow only resource owners/admins to manage permi…
817f454 
…ssions

The previous behavior of allowing to grant your own permission to others might be too risky.
It's hardcoded to
@slisson slisson disabled auto-merge December 12, 2024 07:44
@slisson slisson merged commit 9d36c70 into main Dec 12, 2024
22 checks passed
@slisson slisson deleted the MODELIX-927-VNC branch December 12, 2024 07:44
@slisson
Copy link
Member Author

slisson commented Dec 12, 2024

🎉 This PR is included in version 10.2.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@odzhychko odzhychko odzhychko requested changes

@languitar languitar languitar left review comments

Assignees
No one assigned
Labels
released
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@slisson @languitar @odzhychko