Implement API resource action access checks
webprofusion-chrisc committed Jan 2, 2025
1 parent 541c3cc commit b2ed48a
Showing 8 changed files with 229 additions and 69 deletions.
2 changes: 1 addition & 1 deletion src/Certify.Core/Management/Access/AccessControl.cs
@@ -223,7 +223,7 @@ public async Task<bool> IsAuthorised(string contextUserId, string principleId, s
{
// if any of the service principles assigned roles are restricted by the type of resource type,
// check for identifier matches (e.g. role assignment restricted on domains )
if (spSpecificAssignedRoles.Any(a => a.IncludedResources.Any(r => r.ResourceType == resourceType)))
if (spSpecificAssignedRoles.Any(a => a.IncludedResources?.Any(r => r.ResourceType == resourceType) == true))
{
var allIncludedResources = spSpecificAssignedRoles.SelectMany(a => a.IncludedResources).Distinct();
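Review bot: The `SelectMany(a => a.IncludedResources)` on the line after the new condition still dereferences `IncludedResources` without a null guard, so the null case this change handles in the `Any(...)` test can still throw once the branch is entered. That happens when one assigned role has a matching included resource and another has `IncludedResources == null`, because `SelectMany` throws when its selector returns null and the sequence is enumerated. Filter first, e.g. `spSpecificAssignedRoles.Where(a => a.IncludedResources != null).SelectMany(a => a.IncludedResources).Distinct()`. As this sits inside `IsAuthorised`, it is worth confirming that callers treat an exception here as a denial; the rest of the method is outside the hunk.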

159 changes: 94 additions & 65 deletions src/Certify.Models/Hub/AccessControlConfig.cs
@@ -19,6 +19,7 @@ public class StandardRoles
{
public static Role Administrator { get; } = new Role("sysadmin", "Administrator", "Certify Server Administrator",
policies: new List<string> {
StandardPolicies.ManagementHubAdmin,
StandardPolicies.ManagedItemAdmin,
StandardPolicies.CertificateAuthorityAdmin,
StandardPolicies.AcmeAccountAdmin,
@@ -29,8 +30,9 @@ public class StandardRoles

public static Role CertificateManager { get; } = new Role("cert_manager", "Certificate Manager", "Can manage and administer all certificates",
policies: new List<string> {
StandardPolicies.ManagedItemAdmin,
StandardPolicies.StoredCredentialAdmin
StandardPolicies.ManagementHubReader,
StandardPolicies.ManagedItemAdmin,
StandardPolicies.StoredCredentialAdmin
});

public static Role CertificateConsumer { get; } = new Role("cert_consumer", "Certificate Consumer", "User of a given certificate", policies: new List<string> { StandardPolicies.CertificateConsumer });
@@ -74,6 +76,7 @@ public class ResourceTypes
public static string CertificateAuthority { get; } = "ca";
public static string AcmeAccount { get; } = "acmeaccount";
public static string ManagedChallenge { get; } = "managedchallenge";
public static string ManagedInstance { get; } = "managedinstance";
}

public static class StandardResourceActions
@@ -120,6 +123,8 @@ public static class StandardResourceActions
public const string ManagedChallengeDelete = "managedchallenge_update";
public const string ManagedChallengeRequest = "managedchallenge_request";

public const string ManagementHubInstancesList = "managementhub_instances_list";

}

public class StandardPolicies
@@ -133,6 +138,8 @@ public class StandardPolicies
public const string StoredCredentialConsumer = "storedcredential_consumer";
public const string ManagedChallengeConsumer = "managedchallenge_consumer";
public const string ManagedChallengeAdmin = "managedchallenge_admin";
public const string ManagementHubAdmin = "managementhub_admin";
public const string ManagementHubReader = "managementhub_reader";
}

public static class Policies
@@ -145,7 +152,7 @@ public static List<Role> GetStandardRoles()
StandardRoles.CertificateManager,
StandardRoles.CertificateConsumer,
StandardRoles.StoredCredentialConsumer,
StandardRoles.ManagedChallengeConsumer
StandardRoles.ManagedChallengeConsumer,
};
}

@@ -199,17 +206,19 @@ public static List<ResourceAction> GetStandardResourceActions()
new(StandardResourceActions.ManagedChallengeUpdate, "Update managed challenge", ResourceTypes.ManagedChallenge),
new(StandardResourceActions.ManagedChallengeDelete, "Delete managed challenge", ResourceTypes.ManagedChallenge),
new(StandardResourceActions.ManagedChallengeRequest, "Request to perform a managed challenge response", ResourceTypes.ManagedChallenge),

new(StandardResourceActions.ManagementHubInstancesList, "List managed instances", ResourceTypes.ManagedInstance),
};
}

public static List<ResourcePolicy> GetStandardPolicies()
{
return new List<ResourcePolicy> {
new() {
Id=StandardPolicies.ManagedItemAdmin,
Title="Managed Item Administration",
SecurityPermissionType= SecurityPermissionType.ALLOW,
ResourceActions= new List<string>{
Id = StandardPolicies.ManagedItemAdmin,
Title = "Managed Item Administration",
SecurityPermissionType = SecurityPermissionType.ALLOW,
ResourceActions = new List<string> {
StandardResourceActions.ManagedItemList,
StandardResourceActions.ManagedItemAdd,
StandardResourceActions.ManagedItemUpdate,
@@ -224,87 +233,107 @@ public static List<ResourcePolicy> GetStandardPolicies()
}
},
new() {
Id=StandardPolicies.AccessAdmin,
Title="Access Control Administration",
SecurityPermissionType= SecurityPermissionType.ALLOW,
ResourceActions= new List<string>{
StandardResourceActions.SecurityPrincipleList,
StandardResourceActions.SecurityPrincipleAdd,
StandardResourceActions.SecurityPrincipleUpdate,
StandardResourceActions.SecurityPrincipleDelete,
StandardResourceActions.SecurityPrinciplePasswordUpdate
Id = StandardPolicies.AccessAdmin,
Title = "Access Control Administration",
SecurityPermissionType = SecurityPermissionType.ALLOW,
ResourceActions = new List<string> {
StandardResourceActions.SecurityPrincipleList,
StandardResourceActions.SecurityPrincipleAdd,
StandardResourceActions.SecurityPrincipleUpdate,
StandardResourceActions.SecurityPrincipleDelete,
StandardResourceActions.SecurityPrinciplePasswordUpdate
}
},
new() {
Id=StandardPolicies.CertificateConsumer,
Title="Consume Certificates",
SecurityPermissionType= SecurityPermissionType.ALLOW,
ResourceActions= new List<string>{
Id = StandardPolicies.CertificateConsumer,
Title = "Consume Certificates",
SecurityPermissionType = SecurityPermissionType.ALLOW,
ResourceActions = new List<string> {
StandardResourceActions.CertificateDownload,
StandardResourceActions.CertificateKeyDownload
}
},
new() {
Id=StandardPolicies.CertificateAuthorityAdmin,
Title="Certificate Authority Administration",
SecurityPermissionType= SecurityPermissionType.ALLOW,
ResourceActions= new List<string>{
StandardResourceActions.CertificateAuthorityAdd,
StandardResourceActions.CertificateAuthorityUpdate,
StandardResourceActions.CertificateAuthorityDelete,
StandardResourceActions.CertificateAuthorityList
}
},
new() {
Id=StandardPolicies.AcmeAccountAdmin,
Title="ACME Account Administration",
SecurityPermissionType= SecurityPermissionType.ALLOW,
ResourceActions= new List<string>{
Id = StandardPolicies.CertificateAuthorityAdmin,
Title = "Certificate Authority Administration",
SecurityPermissionType = SecurityPermissionType.ALLOW,
ResourceActions = new List<string> {
StandardResourceActions.CertificateAuthorityAdd,
StandardResourceActions.CertificateAuthorityUpdate,
StandardResourceActions.CertificateAuthorityDelete,
StandardResourceActions.CertificateAuthorityList
}
},
new() {
Id = StandardPolicies.AcmeAccountAdmin,
Title = "ACME Account Administration",
SecurityPermissionType = SecurityPermissionType.ALLOW,
ResourceActions = new List<string> {
StandardResourceActions.AcmeAccountList,
StandardResourceActions.AcmeAccountAdd,
StandardResourceActions.AcmeAccountUpdate,
StandardResourceActions.AcmeAccountDelete
}
},
}
},
new() {
Id=StandardPolicies.StoredCredentialAdmin,
Title="Stored Credential Administration",
SecurityPermissionType= SecurityPermissionType.ALLOW,
ResourceActions= new List<string>{
StandardResourceActions.StoredCredentialList,
StandardResourceActions.StoredCredentialAdd,
StandardResourceActions.StoredCredentialUpdate,
StandardResourceActions.StoredCredentialDelete
Id = StandardPolicies.StoredCredentialAdmin,
Title = "Stored Credential Administration",
SecurityPermissionType = SecurityPermissionType.ALLOW,
ResourceActions = new List<string> {
StandardResourceActions.StoredCredentialList,
StandardResourceActions.StoredCredentialAdd,
StandardResourceActions.StoredCredentialUpdate,
StandardResourceActions.StoredCredentialDelete
}
},
new() {
Id=StandardPolicies.StoredCredentialConsumer,
Title="Stored Credential Consumer",
Description="Provides access to fetch a decrypted stored credential.",
SecurityPermissionType= SecurityPermissionType.ALLOW,
IsResourceSpecific=true,
ResourceActions= new List<string>{
StandardResourceActions.StoredCredentialDownload
Id = StandardPolicies.StoredCredentialConsumer,
Title = "Stored Credential Consumer",
Description = "Provides access to fetch a decrypted stored credential.",
SecurityPermissionType = SecurityPermissionType.ALLOW,
IsResourceSpecific = true,
ResourceActions = new List<string> {
StandardResourceActions.StoredCredentialDownload
}
},
new() {
Id=StandardPolicies.ManagedChallengeAdmin,
Title="Managed Challenge Administration",
SecurityPermissionType= SecurityPermissionType.ALLOW,
ResourceActions= new List<string>{
new() {
Id = StandardPolicies.ManagedChallengeAdmin,
Title = "Managed Challenge Administration",
SecurityPermissionType = SecurityPermissionType.ALLOW,
ResourceActions = new List<string> {
StandardResourceActions.ManagedChallengeList,
StandardResourceActions.ManagedChallengeUpdate,
StandardResourceActions.ManagedChallengeDelete
}
},
new() {
Id=StandardPolicies.ManagedChallengeConsumer,
Title="Managed Challenge Consumer",
Description="Allows consumer to request that a managed challenge be performed.",
SecurityPermissionType= SecurityPermissionType.ALLOW,
IsResourceSpecific=true,
ResourceActions= new List<string>{
StandardResourceActions.ManagedChallengeRequest
new() {
Id = StandardPolicies.ManagedChallengeConsumer,
Title = "Managed Challenge Consumer",
Description = "Allows consumer to request that a managed challenge be performed.",
SecurityPermissionType = SecurityPermissionType.ALLOW,
IsResourceSpecific = true,
ResourceActions = new List<string> {
StandardResourceActions.ManagedChallengeRequest
}
},
new() {
Id = StandardPolicies.ManagementHubAdmin,
Title = "Management Hub Admin",
Description = "Administer management hub.",
SecurityPermissionType = SecurityPermissionType.ALLOW,
IsResourceSpecific = true,
ResourceActions = new List<string> {
StandardResourceActions.ManagementHubInstancesList
}
},
new() {
Id = StandardPolicies.ManagementHubAdmin,
Title = "Management Hub Reader",
Description = "View management hub.",
SecurityPermissionType = SecurityPermissionType.ALLOW,
IsResourceSpecific = true,
ResourceActions = new List<string> {
StandardResourceActions.ManagementHubInstancesList
}
}
};
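Review bot: The last policy entry added to `GetStandardPolicies()` is titled "Management Hub Reader" but sets `Id = StandardPolicies.ManagementHubAdmin`, so two policies share the id `managementhub_admin` and none is defined with `managementhub_reader`. The `CertificateManager` role in this same commit references `StandardPolicies.ManagementHubReader`, which would then match no policy, and the duplicate id may collide when policies are stored or looked up (that code is not shown here). Change the line to `Id = StandardPolicies.ManagementHubReader,`. Both hub policies currently grant only `ManagementHubInstancesList`, so a short comment on how admin and reader are meant to differ would help, and the context line `ManagedChallengeDelete = "managedchallenge_update"` looks like a copy-paste value worth checking. The method's closing lines are outside the visible hunk.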