[Feature]: Developer should only see organizations they belong to when authenticating with a ClientCert #168

Closed
gcapizzi opened this issue Oct 5, 2021 · 0 comments · Fixed by #231
gcapizzi commented Oct 5, 2021

Background

At the moment, GET /v3/organizations returns the full list of organizations present on the foundation. We should only return the organizations the user making the request belongs to, e.g. organizations the user has some role in.

We want to keep this behaviour behind a feature flag for now, to avoid having a mix of authenticated and unauthenticated endpoints exposed.

Acceptance Criteria

GIVEN a cf root namespace exists
AND the org1, org2 and org3 subnamespaces of cf exist
AND user has RoleBindings (to any role for now) in org1 and org3
AND a token issued to user exists
WHEN user performs a GET /v3/organizations including the Authorization: ClientCert <the-client-cert-and-key> header
THEN they only see org1 and org3 in the resources field

GIVEN a cf root namespace exists
AND the org1, org2 and org3 subnamespaces of cf exist
AND user has RoleBindings (to any role for now) in org1 and org3
WHEN user performs a GET /v3/organizations without the Authorization header
THEN they get a 401 Unauthorized response with a NotAuthenticated error message

Dev Notes

  • Possible formats for the header:
    • Authorization: ClientCert XXX/YYY
    • Authorization: ClientCert XXX ClientKey YYY
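As an added example (not code from this issue or from the cf-k8s-api project), the two halves of the feature in Go: deriving the username from the ClientCert Authorization header, using the XXX/YYY format from the Dev Notes and the subject common name that the referenced commits describe, and narrowing GET /v3/organizations to the orgs where the user holds a RoleBinding. Assumptions: XXX is URL-safe base64 of the PEM certificate (the standard base64 alphabet contains "/", the separator itself), a map stands in for the RoleBinding lookup, and a self-signed certificate minted in place stands in for one issued by the cluster.

```go
package main

import (
	"crypto/ed25519"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"math/big"
	"strings"
	"time"
)
var ErrNotAuthenticated = errors.New("NotAuthenticated") // the error behind the 401 in the acceptance criteria

// usernameFromAuthHeader parses the "ClientCert XXX/YYY" format from the Dev Notes and returns the subject CN as
// the username. Assumed: XXX is URL-safe base64 of the PEM cert (the standard alphabet contains "/"), YYY the key.
func usernameFromAuthHeader(header string) (string, error) {
	if !strings.HasPrefix(header, "ClientCert ") {
		return "", ErrNotAuthenticated // header absent or not of the ClientCert type
	}
	certB64, _, _ := strings.Cut(strings.TrimPrefix(header, "ClientCert "), "/")
	certPEM, err := base64.URLEncoding.DecodeString(certB64)
	block, _ := pem.Decode(certPEM) // the first PEM block must be the certificate; the key is not needed here
	if err != nil || block == nil || block.Type != "CERTIFICATE" {
		return "", ErrNotAuthenticated
	}
	if cert, err := x509.ParseCertificate(block.Bytes); err == nil {
		return cert.Subject.CommonName, nil
	}
	return "", ErrNotAuthenticated
}

// visibleOrgs keeps only the orgs where user has a RoleBinding of any role; bound maps org -> bound users (constructed stand-in).
func visibleOrgs(orgs []string, bound map[string]map[string]bool, user string) (out []string) {
	for _, org := range orgs {
		if bound[org][user] {
			out = append(out, org)
		}
	}
	return out
}

// selfSignedCertB64 mints a throwaway self-signed cert with the given CN so the example runs offline.
func selfSignedCertB64(cn string) string {
	_, priv, _ := ed25519.GenerateKey(nil) // a nil reader means crypto/rand
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	tmpl.Subject.CommonName = cn
	der, _ := x509.CreateCertificate(nil, tmpl, tmpl, priv.Public(), priv) // ed25519 signing ignores rand
	return base64.URLEncoding.EncodeToString(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
}
```

With the feature flag on, a request whose header fails usernameFromAuthHeader gets the 401 NotAuthenticated response; a request that passes sees only visibleOrgs in the resources field.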
@Birdrock Birdrock transferred this issue from cloudfoundry/cf-k8s-api Nov 2, 2021
kieron-dev pushed a commit that referenced this issue Nov 10, 2021
Issue: #168
Co-authored-by: Giuseppe Capizzi <gcapizzi@pivotal.io>
Co-authored-by: Kieron Browne <kbrowne@vmware.com>
kieron-dev pushed a commit that referenced this issue Nov 11, 2021
When auth uses the ClientCert type, the identity provider can get the
username by decoding the passed client certificate and extracting the
common name from the subject

Issue: #168
Co-authored-by: Giuseppe Capizzi <gcapizzi@pivotal.io>
@gcapizzi gcapizzi linked a pull request Nov 11, 2021 that will close this issue
@gcapizzi gcapizzi added this to the v0.1 milestone Jan 25, 2022