Add support of target_user_id claim + tests #56
Merged
[#179181398]
If the user has a `target_user_id` claim, he would be able to download AWS credentials. I'm not specifying any new access rule type. It's based on the owner rule. If it adds some value, we could actually disable or enable `target_user_id` access in resource settings. But not sure if it's worth it unless we want to explicitly disable it somewhere.

Some other changes:

`isOwnerOrMember` helper and related tests. It felt overloaded at this point. `canCreateKeys` uses other methods directly. Test assertions have been redistributed to the correct places (they were in fact replicating other tests, as it was an OR join of a few methods), so no tests have been lost, I hope.

`index.tests.ts` has a new JWT claim - `jwtTokenWithTargetUserId`. It's a different pattern than most of the old tests used. They seemed to simulate access using rules. This time I've tried to use a different JWT, as it didn't feel right to include `target_user_id` in the default `jwtToken` used by most of the tests. And setup would be more confusing. In fact, we could actually refactor most of the tests to use different JWTs (like `jwtTokenContextMember`, `jwtTokenMember`, etc.). I think it's pretty symmetric, but probably easier to type a JWT name in a new test rather than copy and modify the array of access rules.
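The owner rule extended with a `target_user_id` claim, as an added example that is not the project's own code: the claim is only honoured after the token's HS256 signature and expiry have been checked, so a forged payload cannot grant access to another user's credentials. `signJwt`, `verifyJwt`, `canDownloadAwsCredentials`, the secret and the user ids are hypothetical.

```typescript
// Added example, not from the PR: an "owner" access rule that also accepts a
// verified target_user_id claim. All names and the secret are hypothetical.
import { createHmac, timingSafeEqual } from "crypto";

interface Claims { sub: string; target_user_id?: string; exp?: number }

const b64url = (s: string): string => Buffer.from(s).toString("base64url");

// Sign a token the way a test fixture (e.g. jwtTokenWithTargetUserId) would.
export function signJwt(claims: Claims, secret: string): string {
  const head = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64url(JSON.stringify(claims));
  const sig = createHmac("sha256", secret).update(`${head}.${body}`).digest("base64url");
  return `${head}.${body}.${sig}`;
}

// Verify signature and expiry before any claim is trusted; null on failure.
export function verifyJwt(token: string, secret: string, now = Date.now() / 1000): Claims | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [head, body, sig] = parts;
  const expected = createHmac("sha256", secret).update(`${head}.${body}`).digest();
  const given = Buffer.from(sig, "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  const claims = JSON.parse(Buffer.from(body, "base64url").toString()) as Claims;
  if (claims.exp !== undefined && claims.exp <= now) return null;
  return claims;
}

// Owner rule: the caller may fetch AWS credentials for ownerId when they are the
// owner themselves, or when the verified token carries target_user_id === ownerId.
export function canDownloadAwsCredentials(token: string, secret: string, ownerId: string): boolean {
  const claims = verifyJwt(token, secret);
  if (!claims) return false;
  return claims.sub === ownerId || claims.target_user_id === ownerId;
}
```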