Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: Separate api token roles #4019

Merged
merged 4 commits into from
Jun 20, 2023
Merged

feat: Separate api token roles #4019

merged 4 commits into from
Jun 20, 2023

Conversation

chriswk
Copy link
Contributor

@chriswk chriswk commented Jun 20, 2023
edited

What

As part of the move to enable custom-root-roles, our permissions model was found to not be granular enough to allow service accounts to only be allowed to create read-only tokens (client, frontend), but not be allowed to create admin tokens to avoid opening up a path for privilege escalation.

How

This PR adds 12 new roles, a CRUD set for each of the three token types (admin, client, frontend). To access the /api/admin/api-tokens endpoints you will still need the existing permission (CREATE_API_TOKEN, DELETE_API_TOKEN, READ_API_TOKEN, UPDATE_API_TOKEN). Once this PR has been merged the token type you're modifying will also be checked, so if you're trying to create a CLIENT api-token, you will need CREATE_API_TOKEN and CREATE_CLIENT_API_TOKEN permissions. If the user performing the create call does not have these two permissions or the ADMIN permission, the creation will be rejected with a 403 - FORBIDDEN status.

Discussion points

The test suite tests all operations using a token with operation_CLIENT_API_TOKEN permission and verifies that it fails trying to do any of the operations against FRONTEND and ADMIN tokens. During development the operation_FRONTEND_API_TOKEN and operation_ADMIN_API_TOKEN permission has also been tested in the same way. I wonder if it's worth it to re-add these tests in order to verify that the permission checker works for all operations, or if this is enough. Since we're running them using e2e tests, I've removed them for now, to avoid hogging too much processing time.

@chriswk chriswk self-assigned this Jun 20, 2023
@vercel
Copy link

vercel bot commented Jun 20, 2023
edited

The latest updates on your projects. Learn more about Vercel for Git ↗︎

2 Ignored Deployments
Name Status Preview Comments Updated (UTC)
unleash-docs ⬜️ Ignored (Inspect) Jun 20, 2023 11:36am
unleash-monorepo-frontend ⬜️ Ignored (Inspect) Jun 20, 2023 11:36am

sighphyre
sighphyre approved these changes Jun 20, 2023
View reviewed changes
Copy link
Member

@sighphyre sighphyre left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, this is pretty clean

@chriswk chriswk merged commit 3acb116 into main Jun 20, 2023
10 checks passed
@chriswk chriswk deleted the separateApiTokenRoles branch June 20, 2023 12:21
@nunogois nunogois mentioned this pull request Jun 21, 2023
Merged
nunogois added a commit that referenced this pull request Jun 21, 2023
@nunogois
fix: consider ADMIN in API tokens fetch permissions (#4032)
197df96 
#4019 introduced a bug where API
token filtering was not taking into account ADMIN permissions, which
means the API tokens were not being displayed on the UI.
@nunogois nunogois mentioned this pull request Jun 21, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sighphyre sighphyre sighphyre approved these changes

@gastonfournier gastonfournier Awaiting requested review from gastonfournier

@nunogois nunogois Awaiting requested review from nunogois

Assignees

@chriswk chriswk

Labels
enhancement
Projects
Issues and PRs
Archived in project
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@chriswk @sighphyre