[CLOUDTRUST-2388] Fix incorrect usage of any target realms
harture committed Mar 4, 2020
1 parent 4a56bbb commit b3c58c6
Showing 5 changed files with 30 additions and 8 deletions.
12 changes: 9 additions & 3 deletions pkg/events/authorization.go
@@ -3,6 +3,7 @@ package events
import (
"context"

cs "github.com/cloudtrust/common-service"
"github.com/cloudtrust/common-service/log"
"github.com/cloudtrust/common-service/security"
api "github.com/cloudtrust/keycloak-bridge/api/events"
@@ -48,7 +49,10 @@ func MakeAuthorizationManagementComponentMW(logger log.Logger, authorizationMana

func (c *authorizationComponentMW) GetActions(ctx context.Context) ([]api.ActionRepresentation, error) {
var action = EVGetActions.String()
var targetRealm = "*" // For this method, there is no target realm, so we use the wildcard to express there is no constraints.

// For this method, there is no target realm provided
// as parameter, so we pick the current realm of the user.
var targetRealm = ctx.Value(cs.CtContextRealm).(string)

if err := c.authManager.CheckAuthorizationOnTargetRealm(ctx, action, targetRealm); err != nil {
return []api.ActionRepresentation{}, err
@@ -59,7 +63,9 @@ func (c *authorizationComponentMW) GetActions(ctx context.Context) ([]api.Action

func (c *authorizationComponentMW) GetEvents(ctx context.Context, m map[string]string) (api.AuditEventsRepresentation, error) {
var action = EVGetEvents.String()
var targetRealm = "*" // For this method, there is no target realm, so we use the wildcard to express there is no constraints.

// For this method, there is no target realm, as events from any realm can be retrieved the target realm is any realm.
var targetRealm = "*"

if err := c.authManager.CheckAuthorizationOnTargetRealm(ctx, action, targetRealm); err != nil {
return api.AuditEventsRepresentation{}, err
@@ -70,7 +76,7 @@ func (c *authorizationComponentMW) GetEvents(ctx context.Context, m map[string]s

func (c *authorizationComponentMW) GetEventsSummary(ctx context.Context) (api.EventSummaryRepresentation, error) {
var action = EVGetEventsSummary.String()
var targetRealm = "*" // For this method, there is no target realm, so we use the wildcard to express there is no constraints.
var targetRealm = "*" // For this method, there is no target realm, as events from any realm can be retrieved the target realm is any realm.

if err := c.authManager.CheckAuthorizationOnTargetRealm(ctx, action, targetRealm); err != nil {
return api.EventSummaryRepresentation{}, err
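Review bot: The unchecked assertion `ctx.Value(cs.CtContextRealm).(string)` in GetActions panics when the context carries no realm or a non-string value, so a request that reaches this middleware without the realm set would crash the handler instead of being denied. Use the two-value form, `var targetRealm, ok = ctx.Value(cs.CtContextRealm).(string)`, and return an error before calling CheckAuthorizationOnTargetRealm when `!ok` or the realm is empty. How the authorization manager treats an empty target realm is not visible here, so rejecting it explicitly is the safer choice. The same assertion is added in GetActions of pkg/kyc, pkg/management and pkg/statistics and in GetRealms of pkg/management. GetActions continues outside the hunk.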
6 changes: 5 additions & 1 deletion pkg/kyc/authorization.go
@@ -3,6 +3,7 @@ package kyc
import (
"context"

cs "github.com/cloudtrust/common-service"
"github.com/cloudtrust/common-service/log"
"github.com/cloudtrust/common-service/security"
apikyc "github.com/cloudtrust/keycloak-bridge/api/kyc"
@@ -55,7 +56,10 @@ func MakeAuthorizationRegisterComponentMW(realmName string, logger log.Logger, a
// authorizationComponentMW implements Component.
func (c *authorizationComponentMW) GetActions(ctx context.Context) ([]apikyc.ActionRepresentation, error) {
var action = KYCGetActions.String()
var targetRealm = "*" // For this method, there is no target realm, so we use the wildcard to express there is no constraints.

// For this method, there is no target realm provided
// as parameter, so we pick the current realm of the user.
var targetRealm = ctx.Value(cs.CtContextRealm).(string)

if err := c.authManager.CheckAuthorizationOnTargetRealm(ctx, action, targetRealm); err != nil {
return []apikyc.ActionRepresentation{}, err
3 changes: 2 additions & 1 deletion pkg/kyc/authorization_test.go
@@ -5,6 +5,7 @@ import (
"errors"
"testing"

cs "github.com/cloudtrust/common-service"
logger "github.com/cloudtrust/common-service/log"
apikyc "github.com/cloudtrust/keycloak-bridge/api/kyc"
"github.com/cloudtrust/keycloak-bridge/pkg/kyc/mock"
@@ -19,8 +20,8 @@ func TestMakeAuthorizationRegisterComponentMW(t *testing.T) {
var mockComponent = mock.NewComponent(mockCtrl)
var mockAuthManager = mock.NewAuthorizationManager(mockCtrl)

var ctx = context.TODO()
var realm = "master"
var ctx = context.WithValue(context.Background(), cs.CtContextRealm, realm)
var user = apikyc.UserRepresentation{}
var userID = "user4673"
var groupIDs = []string{"group1", "group2"}
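Review bot: The updated setup only builds a context that carries `cs.CtContextRealm`, so nothing here runs GetActions against a context without a realm, which is the input on which the new `ctx.Value(cs.CtContextRealm).(string)` would panic. A case that calls GetActions with `context.Background()` and expects an error would pin the denial path once the assertion is guarded. The expectations on the mock sit outside this hunk, so it is not visible whether they require `realm` as the target passed to CheckAuthorizationOnTargetRealm; if they accept any value, tightening them would catch a regression to `"*"`. The test function continues outside the hunk.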
11 changes: 9 additions & 2 deletions pkg/management/authorization.go
@@ -3,6 +3,7 @@ package management
import (
"context"

cs "github.com/cloudtrust/common-service"
"github.com/cloudtrust/common-service/log"
"github.com/cloudtrust/common-service/security"
api "github.com/cloudtrust/keycloak-bridge/api/management"
@@ -86,7 +87,10 @@ func MakeAuthorizationManagementComponentMW(logger log.Logger, authorizationMana

func (c *authorizationComponentMW) GetActions(ctx context.Context) ([]api.ActionRepresentation, error) {
var action = MGMTGetActions.String()
var targetRealm = "*" // For this method, there is no target realm, so we use the wildcard to express there is no constraints.

// For this method, there is no target realm provided
// as parameter, so we pick the current realm of the user.
var targetRealm = ctx.Value(cs.CtContextRealm).(string)

if err := c.authManager.CheckAuthorizationOnTargetRealm(ctx, action, targetRealm); err != nil {
return []api.ActionRepresentation{}, err
@@ -98,7 +102,10 @@ func (c *authorizationComponentMW) GetActions(ctx context.Context) ([]api.Action
// authorizationComponentMW implements Component.
func (c *authorizationComponentMW) GetRealms(ctx context.Context) ([]api.RealmRepresentation, error) {
var action = MGMTGetRealms.String()
var targetRealm = "*" // For this method, there is no target realm, so we use the wildcard to express there is no constraints.

// For this method, there is no target realm provided
// as parameter, so we pick the current realm of the user.
var targetRealm = ctx.Value(cs.CtContextRealm).(string)

if err := c.authManager.CheckAuthorizationOnTargetRealm(ctx, action, targetRealm); err != nil {
return []api.RealmRepresentation{}, err
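Review bot: GetRealms now checks MGMTGetRealms against the caller's own realm instead of the `"*"` target, so the check may no longer match the scope of the data returned. The call that follows the check is outside this hunk; if it still returns every realm, a caller authorized only on their own realm would now receive the full list. Confirm that the result is limited to realms the caller is authorized for, or keep `"*"` for this method as GetEvents does. A comment on the method would make the intended scope explicit, for example `// The check targets the caller's realm; the returned list must be limited to realms the caller may see.`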
6 changes: 5 additions & 1 deletion pkg/statistics/authorization.go
@@ -3,6 +3,7 @@ package statistics
import (
"context"

cs "github.com/cloudtrust/common-service"
"github.com/cloudtrust/common-service/log"
"github.com/cloudtrust/common-service/security"
api "github.com/cloudtrust/keycloak-bridge/api/statistics"
@@ -51,7 +52,10 @@ func MakeAuthorizationManagementComponentMW(logger log.Logger, authorizationMana

func (c *authorizationComponentMW) GetActions(ctx context.Context) ([]api.ActionRepresentation, error) {
var action = STGetActions.String()
var targetRealm = "*" // For this method, there is no target realm, so we use the wildcard to express there is no constraints.

// For this method, there is no target realm provided
// as parameter, so we pick the current realm of the user.
var targetRealm = ctx.Value(cs.CtContextRealm).(string)

if err := c.authManager.CheckAuthorizationOnTargetRealm(ctx, action, targetRealm); err != nil {
return []api.ActionRepresentation{}, err
