Auth: Filter out identities, groups, and IdP groups that the requestor cannot view #13047
@markylaing does this have the fix to allow partial idp group match? Or is it in a different PR?
No, that will be in the
Signed-off-by: Mark Laing <mark.laing@canonical.com>
@tomponline this is now rebased and ready for review.
@@ -290,15 +292,17 @@ func (i Identity) Subject() (string, error) { | |||
} | |||
|
|||
// ToAPI converts an Identity to an api.Identity, executing database queries as necessary. | |||
func (i *Identity) ToAPI(ctx context.Context, tx *sql.Tx) (*api.Identity, error) { | |||
func (i *Identity) ToAPI(ctx context.Context, tx *sql.Tx, canViewGroup auth.PermissionChecker) (*api.Identity, error) { |
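Review bot: the doc comment on ToAPI ("converts an Identity to an api.Identity, executing database queries as necessary") no longer describes the function once the canViewGroup auth.PermissionChecker parameter is added; extend it to say that groups the requestor is not entitled to view are dropped from the returned api.Identity, and whether a nil checker is permitted. Since the checker returns only a bool, the comment should also make clear that any failure to build the list it consults must surface as an error from the caller that obtains the checker, never as a checker that silently allows or denies everything. The signature change also means every existing caller of ToAPI must be updated in the same change, which this hunk alone does not show.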
@markylaing the note for the forthcoming openfga server, but can auth.PermissionChecker remain returning only a bool when each call to it could fail with an error (e.g. when consulting the DB)?
The permission checker will still only return a boolean. Getting the permission checker can fail, but we're not getting one here, just passing one in.
ok cool - so this remains true even with openfga?
Yeah the OpenFGA does a ListObjects to get the entities of a given type that the identity is related to via a given entitlement. When calling the permission checker, we just check if the given URL is in the list. Getting the list can fail but once it's in scope, checking if something is in the list is just a shared.ValueInSlice.
This is an oversight from #12914.
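The split the thread describes, a fallible ListObjects call up front and an infallible bool-returning checker afterwards, is worth seeing end to end. The following is an added example and not LXD's code: the PermissionChecker type, the relation table, the listObjects function, and the `/1.0/auth/groups/...` URLs are all constructed stand-ins for this illustration, not the project's own types or data.

```go
package main

import (
	"errors"
	"fmt"
)

// PermissionChecker is a hypothetical stand-in for the checker type the
// thread discusses: a membership test that returns only a bool and cannot
// fail, because all fallible work happened when the checker was built.
type PermissionChecker func(objectURL string) bool

// relation is one constructed (user, entitlement, object) tuple, standing
// in for the relationship store that an OpenFGA ListObjects query reads.
type relation struct {
	user        string
	entitlement string
	objectType  string
	objectURL   string
}

// constructedTuples is sample data for this example only.
var constructedTuples = []relation{
	{"user:alice", "can_view", "group", "/1.0/auth/groups/admins"},
	{"user:alice", "can_view", "group", "/1.0/auth/groups/auditors"},
	{"user:alice", "can_edit", "group", "/1.0/auth/groups/developers"},           // wrong entitlement
	{"user:bob", "can_view", "group", "/1.0/auth/groups/developers"},             // wrong user
	{"user:alice", "can_view", "identity", "/1.0/auth/identities/oidc/alice"},    // wrong type
}

// listObjects mimics the ListObjects step: it returns every object of the
// given type that the user is related to via the entitlement. This is the
// only step that can fail (in the real system: network or database errors).
func listObjects(user, entitlement, objectType string) ([]string, error) {
	if user == "" {
		return nil, errors.New("listObjects: empty user")
	}
	var urls []string
	for _, r := range constructedTuples {
		if r.user == user && r.entitlement == entitlement && r.objectType == objectType {
			urls = append(urls, r.objectURL)
		}
	}
	return urls, nil
}

// valueInSlice is a plain linear membership test, the role the thread
// assigns to shared.ValueInSlice.
func valueInSlice(value string, slice []string) bool {
	for _, v := range slice {
		if v == value {
			return true
		}
	}
	return false
}

// GetPermissionChecker does the fallible ListObjects call once and returns
// a checker that only consults the captured list. If listing fails, no
// checker is returned, so a caller cannot fall through to an allow-all
// decision by mistake.
func GetPermissionChecker(user, entitlement, objectType string) (PermissionChecker, error) {
	allowed, err := listObjects(user, entitlement, objectType)
	if err != nil {
		return nil, err
	}
	return func(objectURL string) bool {
		return valueInSlice(objectURL, allowed)
	}, nil
}

// FilterViewableGroups keeps only the group names whose API URL the
// requestor is entitled to view, the filtering this PR applies to the
// groups listed on an identity.
func FilterViewableGroups(groupNames []string, canViewGroup PermissionChecker) []string {
	visible := []string{}
	for _, name := range groupNames {
		if canViewGroup("/1.0/auth/groups/" + name) {
			visible = append(visible, name)
		}
	}
	return visible
}

func main() {
	canViewGroup, err := GetPermissionChecker("user:alice", "can_view", "group")
	if err != nil {
		fmt.Println("could not build checker:", err)
		return
	}
	groups := []string{"admins", "developers", "auditors"}
	fmt.Println(FilterViewableGroups(groups, canViewGroup)) // [admins auditors]
}
```

The point of the shape is that the error surfaces exactly once, where the list is fetched; everything downstream that takes a PermissionChecker, such as the new ToAPI parameter, can stay a pure bool check without hiding a lookup failure behind a false.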