
Add access token scope checks to improve authorization #17

Merged
merged 5 commits into from
Mar 21, 2024

Conversation

@davidallendj (Collaborator) commented Mar 19, 2024

This PR adds the ability for SMD to check for scopes and implements two related functions: VerifyClaims and VerifyScope. It also moves dedicated OAuth functionality to a separate, dedicated file in cmd/smd/auth.go.

The VerifyClaims function is needed to make sure that the scope claim is included in the incoming access token. It can also be used later for checking for inclusion of other claims such as partition-id required for accessing specific resources.

The VerifyScope function is used to check the incoming access token for specific scopes for each endpoint. Currently, this has only been implemented for /State/Components and /Inventory/RedfishEndpoints with each requiring the smd_read scope. Submitting a valid token without the smd_read scope will return the following error:

```console
curl http://127.0.0.1:27779/hsm/v2/Inventory/RedfishEndpoints -H "Authorization: Bearer eyJhbGciOi..."
{"type":"about:blank","title":"Unauthorized","detail":"failed to verify scope: invalid or missing scope","status":401}
```

However, for any other endpoint that is not checking for scopes, any valid access token is sufficient to use like before.
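As an added illustration of the two checks described above (not code from this PR or from SMD), a stand-alone Go sketch assuming a Claims map in the shape go-chi/jwtauth hands back once it has validated the token, and hypothetical VerifyClaims/VerifyScope signatures; the error text mirrors the 401 detail quoted in the description:

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Claims is the decoded JWT payload (assumed shape: the map go-chi/jwtauth returns
// after signature and expiry validation). The checks below only inspect claims.
type Claims map[string]interface{}

// ErrScope is returned when the scope claim is absent, malformed, or does not
// grant the required scope; the text matches the 401 detail shown in the PR.
var ErrScope = errors.New("invalid or missing scope")

// VerifyClaims checks that every named claim (for example "scope") is present.
func VerifyClaims(claims Claims, required ...string) error {
	for _, name := range required {
		if _, ok := claims[name]; !ok {
			return fmt.Errorf("missing required claim %q", name)
		}
	}
	return nil
}

// VerifyScope checks that the scope claim grants the scope an endpoint needs.
// OAuth 2.0 issuers usually emit a space-separated string; some emit a JSON array.
func VerifyScope(claims Claims, required string) error {
	var granted []string
	switch v := claims["scope"].(type) {
	case string:
		granted = strings.Fields(v)
	case []interface{}:
		for _, s := range v {
			if str, ok := s.(string); ok {
				granted = append(granted, str)
			}
		}
	default: // missing claim or unexpected type is a denial, never a match
		return fmt.Errorf("failed to verify scope: %w", ErrScope)
	}
	for _, s := range granted {
		if s == required { // exact match only; "smd" does not satisfy "smd_read"
			return nil
		}
	}
	return fmt.Errorf("failed to verify scope: %w", ErrScope)
}
```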

@davidallendj davidallendj added the enhancement New feature or request label Mar 19, 2024
@davidallendj davidallendj self-assigned this Mar 19, 2024
@synackd (Contributor) left a comment

Looks good and tests are passing.

@synackd (Contributor) commented Mar 21, 2024

Once go-chi/jwtauth#85 is merged, 06b7790 should be reverted.

@synackd (Contributor) commented Mar 21, 2024

Runner tests passing.
