
Guard buttons around iam:projects:update #4300

Closed
blakestier opened this issue Sep 2, 2020 · 2 comments
Assignees
Labels
auth-team anything that needs to be on the auth team board automate-auth bug 🐛 Something isn't working customer-reported issues reported by customers emergent

Comments

@blakestier

Describe the problem

Users who have iam:projects:update permissions, and therefore should be able to see the CreateRule button on the project details page, cannot see the button because of this guard:

<app-authorized [allOf]="['/apis/iam/v2/projects', 'post']">

Users who do not have permission to update projects should not be able to see the Add Condition or Save buttons on the Rule detail view.

Replication Case

Create a project Foo with associated policies.
Create a user and add them to the Project Foo Viewers policy.
Sign in as that user and observe the exposed buttons.

Add a new policy to give that user permissions to update projects. Observe that the "Create Rule" button is not visible.

Possible Solution

These buttons should have app-authorized guards for iam:projects:update on their project.

@blakestier blakestier added bug 🐛 Something isn't working auth-team anything that needs to be on the auth team board automate-auth and removed bug 🐛 Something isn't working labels Sep 2, 2020
@susanev susanev added customer-reported issues reported by customers emergent labels Sep 3, 2020
@susanev susanev added this to the Auth: Sprint 21 milestone Sep 3, 2020
@msorens
Contributor

msorens commented Sep 3, 2020

Just a bit more detail.

(1) As stated above, the guard for CreateRule here...

<app-authorized [allOf]="['/apis/iam/v2/projects', 'post']">
<chef-button [routerLink]="['/settings', 'projects', project?.id, 'rules']" primary>Create Rule</chef-button>
</app-authorized>

...is for CreateProject, not for CreateRule.

The correct guard for CreateRule is

<app-authorized [allOf]="['/apis/iam/v2/projects/{project_id}/rules', 'post', project?.id]">

(2) The guard for Add Condition should be (though you have to make projectId and ruleId variables available here!):

<app-authorized [allOf]="['/apis/iam/v2/projects/{project_id}/rules/{id}', 'put', [projectId, ruleId]]">

(3) The Save button guard is inside a stencil component, so this involves more work. I think the simplest approach is to use an AuthorizedChecker (to do <app-authorized> in code). That provides an isAuthorized result that can be used as a guard on this property:

[attr.confirm-btn-text]=" saving ? 'Saving Rule...' : 'Save Rule' "

...by changing the evaluation to this (why? because an empty value hides the button bar):

[attr.confirm-btn-text]="isAuthorized ? (saving ? 'Saving Rule...' : 'Save Rule') : ''"

@msorens msorens self-assigned this Sep 3, 2020
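The following is an added worked example, not code from this issue or from Chef Automate itself. It models how an `<app-authorized [allOf]="[path, verb, params]">` guard resolves, so that the mismatch described above can be checked outside a browser: the original CreateRule guard asks about `POST /apis/iam/v2/projects` (create project), which a user who only holds iam:projects:update does not have, while the corrected guard asks about `POST /apis/iam/v2/projects/{project_id}/rules`. Assumptions: a user's effective grants are represented as a set of `"VERB path"` strings (the real `AuthorizedChecker` consults the IAM introspection API instead), `{placeholder}` segments are filled left to right from the third tuple element, and the grant sets, project id `foo` and rule id `rule-1` are constructed sample data. `confirmBtnText` mirrors the Save button expression, where an empty label hides the button bar.

```typescript
// Added example, not Chef Automate's own code. Simplified model of the
// <app-authorized [allOf]> guard; grants are modelled as "VERB path" strings
// (ASSUMPTION: the real checker asks the IAM introspection API instead).

type PathParams = string | string[] | undefined;
// [templatePath, httpVerb, pathParams?] as written in the allOf attribute.
type AllOf = [string, string, PathParams?];

// Fill {placeholder} segments left to right with the supplied params.
// Throws if a placeholder has no value, which is the "you have to make
// projectId and ruleId available" pitfall from the comment above.
function substitutePath(template: string, params: PathParams): string {
  const values =
    params === undefined ? [] : Array.isArray(params) ? params : [params];
  let i = 0;
  return template.replace(/\{[^}]+\}/g, (placeholder) => {
    if (i >= values.length) {
      throw new Error(`missing value for ${placeholder} in ${template}`);
    }
    return values[i++];
  });
}

// allOf semantics: every listed (path, verb) pair must be granted.
function isAuthorized(guard: AllOf | AllOf[], grants: Set<string>): boolean {
  const guards: AllOf[] = Array.isArray(guard[0]) ? (guard as AllOf[]) : [guard as AllOf];
  return guards.every(([template, verb, params]) =>
    grants.has(`${verb.toUpperCase()} ${substitutePath(template, params)}`)
  );
}

// Mirrors [attr.confirm-btn-text]: an empty string hides the button bar.
function confirmBtnText(authorized: boolean, saving: boolean): string {
  return authorized ? (saving ? 'Saving Rule...' : 'Save Rule') : '';
}

// Constructed grants for a user holding iam:projects:update on project "foo"
// (can create/update its rules) but without permission to create projects.
const projectUpdaterGrants = new Set<string>([
  'GET /apis/iam/v2/projects',
  'GET /apis/iam/v2/projects/foo',
  'POST /apis/iam/v2/projects/foo/rules',
  'PUT /apis/iam/v2/projects/foo/rules/rule-1',
]);

// Constructed grants for a member of the "Project Foo Viewers" policy.
const viewerGrants = new Set<string>([
  'GET /apis/iam/v2/projects',
  'GET /apis/iam/v2/projects/foo',
  'GET /apis/iam/v2/projects/foo/rules',
]);

// The guards discussed in the issue.
const createProjectGuard: AllOf = ['/apis/iam/v2/projects', 'post'];
const createRuleGuard = (projectId: string): AllOf => [
  '/apis/iam/v2/projects/{project_id}/rules', 'post', projectId,
];
const updateRuleGuard = (projectId: string, ruleId: string): AllOf => [
  '/apis/iam/v2/projects/{project_id}/rules/{id}', 'put', [projectId, ruleId],
];

// Summarise what each user would see with the old and corrected guards.
function visibility(): Record<string, boolean | string> {
  const viewerCanEdit = isAuthorized(updateRuleGuard('foo', 'rule-1'), viewerGrants);
  const updaterCanEdit = isAuthorized(updateRuleGuard('foo', 'rule-1'), projectUpdaterGrants);
  return {
    updaterCreateRuleOldGuard: isAuthorized(createProjectGuard, projectUpdaterGrants),
    updaterCreateRuleFixedGuard: isAuthorized(createRuleGuard('foo'), projectUpdaterGrants),
    viewerCreateRuleFixedGuard: isAuthorized(createRuleGuard('foo'), viewerGrants),
    viewerAddCondition: viewerCanEdit,
    viewerSaveLabel: confirmBtnText(viewerCanEdit, false),
    updaterSaveLabel: confirmBtnText(updaterCanEdit, false),
  };
}

console.log(visibility());
```

Running it prints `updaterCreateRuleOldGuard: false` next to `updaterCreateRuleFixedGuard: true`, which is exactly the symptom in the replication case: the old guard hides Create Rule from the very user who should see it, while the viewer gets `''` for the Save label and no Add Condition button.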
@blakestier
Author

If the Save button is too involved, we can ship it separately. Create Rule button is more important imo.

Thanks for this detailed write up!

@msorens msorens closed this as completed Sep 14, 2020