Support injection of temporary policy subjects from JWTs #926
Comments
thjaeckle pushed a commit to bosch-io/ditto that referenced this issue, Jan 21, 2021: Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
thjaeckle pushed a commit to bosch-io/ditto that referenced this issue, Jan 21, 2021: Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
thjaeckle pushed a commit to bosch-io/ditto that referenced this issue, Jan 21, 2021: … level. Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
thjaeckle pushed a commit to bosch-io/ditto that referenced this issue, Jan 21, 2021: …cy level; relax timing requirement in ThingPersistenceActorSnapshottingTest. Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
thjaeckle pushed a commit to bosch-io/ditto that referenced this issue, Jan 21, 2021: …eSubjectForPolicy to ActivateSubjects.
thjaeckle pushed a commit to bosch-io/ditto that referenced this issue, Jan 21, 2021: …ect. Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
thjaeckle pushed a commit to bosch-io/ditto that referenced this issue, Jan 21, 2021: …ects. Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
thjaeckle pushed a commit to bosch-io/ditto that referenced this issue, Jan 21, 2021: Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
thjaeckle pushed a commit to bosch-io/ditto that referenced this issue, Jan 21, 2021: …ies made visible due to ditto-model-placeholders. Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
thjaeckle pushed a commit to bosch-io/ditto that referenced this issue, Jan 21, 2021: …ents. Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
thjaeckle pushed a commit to bosch-io/ditto that referenced this issue, Jan 21, 2021: …bject(s) Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
thjaeckle pushed a commit to bosch-io/ditto that referenced this issue, Jan 21, 2021: Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
thjaeckle pushed a commit to bosch-io/ditto that referenced this issue, Jan 21, 2021: …ctivateTokenIntegration. Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
thjaeckle pushed a commit to bosch-io/ditto that referenced this issue, Jan 21, 2021: …he default token integration subject ID. Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
thjaeckle pushed a commit to bosch-io/ditto that referenced this issue, Jan 21, 2021: Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
thjaeckle pushed a commit to bosch-io/ditto that referenced this issue, Jan 21, 2021: Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
thjaeckle pushed a commit to bosch-io/ditto that referenced this issue, Jan 21, 2021: Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
thjaeckle pushed a commit to bosch-io/ditto that referenced this issue, Jan 21, 2021: …urable. Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
thjaeckle pushed a commit to bosch-io/ditto that referenced this issue, Jan 21, 2021: …n; fix status code when executing an action on a nonexistent policy entry. Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
thjaeckle pushed a commit to bosch-io/ditto that referenced this issue, Jan 21, 2021: Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
thjaeckle added a commit to bosch-io/ditto that referenced this issue, Jan 21, 2021: …mmands * renamed classes to match the action name, e.g. "ActivateTokenIntegration" * don't let PolicyActionCommand inherit PolicyModifyCommand * added PolicyActionCommandResponse which the action responses implement * added new Command.Category enum value "ACTION" * moved PolicyActionFailedException to commands module * adjusted routes to not use the route path from constants in the PolicyActionFailedException but use it from the action's NAME constant Signed-off-by: Thomas Jaeckle <thomas.jaeckle@bosch.io>
thjaeckle added a commit to bosch-io/ditto that referenced this issue, Jan 21, 2021: …mand of new package Signed-off-by: Thomas Jaeckle <thomas.jaeckle@bosch.io>
thjaeckle added a commit to bosch-io/ditto that referenced this issue, Jan 21, 2021: * renamed required action events to SubjectsDeletedPartially and SubjectsModifiedPartially * moved PolicyEntryPlaceholder to the "placeholders" module * added new SubjectIdFromActionResolver interface with a default implementation using the PolicyEntryPlaceholder * replaced Class.forName("") with loading classes via the Akka actorSystem Signed-off-by: Thomas Jaeckle <thomas.jaeckle@bosch.io>
thjaeckle pushed a commit to bosch-io/ditto that referenced this issue, Jan 21, 2021: Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
thjaeckle pushed a commit to bosch-io/ditto that referenced this issue, Jan 21, 2021: … and DeactivatePolicyTokenIntegrationResponse. Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
thjaeckle pushed a commit to bosch-io/ditto that referenced this issue, Jan 21, 2021: …s without READ permission for things. Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
thjaeckle added a commit to bosch-io/ditto that referenced this issue, Jan 21, 2021: …SubjectIdFactory * added some javadoc fixes Signed-off-by: Thomas Jaeckle <thomas.jaeckle@bosch.io>
thjaeckle pushed a commit to bosch-io/ditto that referenced this issue, Jan 21, 2021: … permission granted on things by the policy action activateTokenIntegration. Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
thjaeckle pushed a commit to bosch-io/ditto that referenced this issue, Jan 21, 2021: Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
thjaeckle pushed a commit to bosch-io/ditto that referenced this issue, Jan 21, 2021: …policy actions. Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
thjaeckle added a commit to bosch-io/ditto that referenced this issue, Jan 21, 2021: Signed-off-by: Thomas Jaeckle <thomas.jaeckle@bosch.io>
thjaeckle added a commit to bosch-io/ditto that referenced this issue, Jan 21, 2021: … no content * removed subjectId from DeactivateTokenIntegrationResponse Signed-off-by: Thomas Jaeckle <thomas.jaeckle@bosch.io>
thjaeckle added a commit to bosch-io/ditto that referenced this issue, Jan 21, 2021: … a subject contained in the authorized subjects are considered for activate/deactivate tokenIntegration actions * removed check that only subjects containing an expiry should be deleted by the "deactivateTokenIntegration" action Signed-off-by: Thomas Jaeckle <thomas.jaeckle@bosch.io>
thjaeckle pushed a commit to bosch-io/ditto that referenced this issue, Jan 21, 2021: Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
thjaeckle pushed a commit to bosch-io/ditto that referenced this issue, Jan 21, 2021: Signed-off-by: Yufei Cai <yufei.cai@bosch.io> Conflicts: services/policies/persistence/src/main/java/org/eclipse/ditto/services/policies/persistence/actors/strategies/commands/AbstractPolicyActionCommandStrategy.java services/policies/persistence/src/main/java/org/eclipse/ditto/services/policies/persistence/actors/strategies/commands/ActivatePolicyTokenIntegrationStrategy.java services/policies/persistence/src/main/java/org/eclipse/ditto/services/policies/persistence/actors/strategies/commands/ActivateTokenIntegrationStrategy.java services/policies/persistence/src/main/java/org/eclipse/ditto/services/policies/persistence/actors/strategies/commands/DeactivateTokenIntegrationStrategy.java services/policies/persistence/src/test/java/org/eclipse/ditto/services/policies/persistence/actors/strategies/commands/ActivatePolicyTokenIntegrationStrategyTest.java services/policies/persistence/src/test/java/org/eclipse/ditto/services/policies/persistence/actors/strategies/commands/ActivateTokenIntegrationStrategyTest.java
thjaeckle pushed a commit to bosch-io/ditto that referenced this issue, Jan 21, 2021: Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
thjaeckle added a commit to bosch-io/ditto that referenced this issue, Jan 21, 2021: … JWT must also be present in policy entry" to documentation * did some reformatting in the OpenAPI docs * fixed supported placeholders for the action Signed-off-by: Thomas Jaeckle <thomas.jaeckle@bosch.io>
thjaeckle pushed a commit to bosch-io/ditto that referenced this issue, Jan 21, 2021: …tion commands and responses. Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
thjaeckle added a commit to bosch-io/ditto that referenced this issue, Jan 21, 2021: Signed-off-by: Thomas Jaeckle <thomas.jaeckle@bosch.io>
thjaeckle added a commit to bosch-io/ditto that referenced this issue, Jan 21, 2021: …ctivateTokenIntegration Signed-off-by: Thomas Jaeckle <thomas.jaeckle@bosch.io>
thjaeckle pushed a commit to bosch-io/ditto that referenced this issue, Jan 21, 2021: …tion Signed-off-by: Yufei Cai <yufei.cai@bosch.io> Conflicts: services/concierge/enforcement/src/test/java/org/eclipse/ditto/services/concierge/enforcement/EnforcerRetrieverTest.java services/connectivity/messaging/src/main/java/org/eclipse/ditto/services/connectivity/messaging/mqtt/hivemq/AbstractMqttConsumerActor.java services/connectivity/messaging/src/main/java/org/eclipse/ditto/services/connectivity/messaging/rabbitmq/RabbitMQConsumerActor.java
thjaeckle pushed a commit to bosch-io/ditto that referenced this issue, Jan 21, 2021: Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
thjaeckle pushed a commit to bosch-io/ditto that referenced this issue, Jan 21, 2021: … policy entries. Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
thjaeckle added a commit to bosch-io/ditto that referenced this issue, Jan 21, 2021: …PolicyActionCommand * use HttpStatus instead of deprecated HttpStatusCode enum * policy routes method renamings * some javadoc enhancements Signed-off-by: Thomas Jaeckle <thomas.jaeckle@bosch.io>
thjaeckle added a commit to bosch-io/ditto that referenced this issue, Jan 21, 2021: …rray of strings instead of only plain strings * the JwtPlaceholder works the same * added "expansion" algorithm to expand inline JsonArrays to multiple SubjectIds to TokenIntegrationSubjectIdFactory * adjusted PolicyActionCommands to work on multiple subjects/subjectIds * adjusted the default token-integration-subject to "integration:{{policy-entry:label}}:{{jwt:aud}}" Signed-off-by: Thomas Jaeckle <thomas.jaeckle@bosch.io>
thjaeckle added a commit to bosch-io/ditto that referenced this issue, Jan 21, 2021: …icyActionCommands * also moved building the PolicyActionFailedException when not applicable for a PolicyActionCommand to the PolicyActionCommands * added another test for a JWT with nested path Signed-off-by: Thomas Jaeckle <thomas.jaeckle@bosch.io>
thjaeckle added a commit to bosch-io/ditto that referenced this issue, Jan 21, 2021: * added "Authenticated subjects" section to basic-auth * adjusted the "Subjects" section in basic-policy to be more detailed * fixed links Signed-off-by: Thomas Jaeckle <thomas.jaeckle@bosch.io>
thjaeckle added a commit to bosch-io/ditto that referenced this issue, Jan 21, 2021: …izable PolicyActionFailedException because of missing "message" in the exception JSON Signed-off-by: Thomas Jaeckle <thomas.jaeckle@bosch.io>
thjaeckle added a commit to bosch-io/ditto that referenced this issue, Jan 21, 2021: … model in order to keep order when e.g. modifying policies Signed-off-by: Thomas Jaeckle <thomas.jaeckle@bosch.io>
thjaeckle added a commit to bosch-io/ditto that referenced this issue, Jan 22, 2021: …ail in license header year check Signed-off-by: Thomas Jaeckle <thomas.jaeckle@bosch.io>
thjaeckle added a commit to bosch-io/ditto that referenced this issue, Jan 22, 2021: Signed-off-by: Thomas Jaeckle <thomas.jaeckle@bosch.io>
yufei-cai added a commit to bosch-io/ditto that referenced this issue, Jan 23, 2021: Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
yufei-cai added a commit to bosch-io/ditto that referenced this issue, Jan 23, 2021: …Factory; fix policy action event aggregation. Changes 1. Replaced TokenIntegrationSubjectIdFactory.JSON_ARRAY_PATTERN by a regex using possessive qualifiers only. 2. Added a test for activating multiple subjects in multiple policy entries. Fixed it. Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
thjaeckle added a commit that referenced this issue, Jan 25, 2021: #926: inject configurable policy subjects into policies via newly added JWT evaluating policy action
Just to check back about the new situation with #512 being implemented now. If it's not already implemented, should there be a follow up for this issue to also provide ability to parse temporary subjects from JWT claims?
It is already implemented as part of this PR, see also the blogpost (and documentation) about it:
After #890, temporary authorization subjects based on expiring JWTs are possible. However, adding such subjects requires WRITE permission on the policy. It would be better to inject the temporary subjects when the user presents a JWT without elevated privilege.
One way to achieve it:
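As an added illustration (not Ditto's code, and not the proposal the issue author left unstated above), the following Python model shows the mechanism the commit log on this page describes: the policy action resolves a subject-id template such as `integration:{{policy-entry:label}}:{{jwt:aud}}` against the presented JWT, expands an array claim into several subject ids, requires that one of the caller's authenticated subjects is already a subject of the targeted policy entry instead of requiring WRITE on the policy, and stores the injected subjects with the token's `exp` as their expiry. The policy entry layout, the `/`-separated nested claim path, the `"token-integration"` subject type and all function names are assumptions of this example.

```python
import itertools
import re
import time
from typing import Any, Dict, List, Optional

# Default subject-id template named in this page's commit log. The rest of the
# module is a simplified model of the mechanism, not Ditto's implementation.
DEFAULT_TEMPLATE = "integration:{{policy-entry:label}}:{{jwt:aud}}"

# One match per "{{policy-entry:...}}" or "{{jwt:...}}" placeholder.
PLACEHOLDER = re.compile(r"\{\{\s*(policy-entry|jwt):([^}\s]+)\s*\}\}")


class PolicyActionFailed(Exception):
    """The action is not applicable to this caller, entry or token."""


def _lookup_claim(claims: Dict[str, Any], path: str) -> Any:
    # Assumption of this example: nested claims are addressed as "a/b/c".
    node: Any = claims
    for part in path.split("/"):
        if not isinstance(node, dict) or part not in node:
            raise PolicyActionFailed(f"JWT has no claim '{path}'")
        node = node[part]
    return node


def resolve_subject_ids(template: str, label: str, claims: Dict[str, Any]) -> List[str]:
    """Expand the template into one subject id per combination of array claim values."""
    pieces: List[List[str]] = []
    pos = 0
    for m in PLACEHOLDER.finditer(template):
        pieces.append([template[pos:m.start()]])
        kind, name = m.group(1), m.group(2)
        if kind == "policy-entry":
            if name != "label":
                raise PolicyActionFailed(f"unsupported placeholder policy-entry:{name}")
            values = [label]
        else:
            claim = _lookup_claim(claims, name)
            values = [str(v) for v in claim] if isinstance(claim, list) else [str(claim)]
            if not values:
                raise PolicyActionFailed(f"claim '{name}' is empty")
        pieces.append(values)
        pos = m.end()
    pieces.append([template[pos:]])
    return ["".join(combo) for combo in itertools.product(*pieces)]


def _require_caller_in_entry(entry: Dict[str, Any], label: str, authenticated_subjects: List[str]) -> None:
    # The caller needs no WRITE on the policy; instead one of the subjects the
    # JWT authenticated must already be a subject of the targeted entry.
    if not any(s in entry["subjects"] for s in authenticated_subjects):
        raise PolicyActionFailed(f"caller is not a subject of policy entry '{label}'")


def activate_token_integration(entry: Dict[str, Any], label: str, claims: Dict[str, Any],
                               authenticated_subjects: List[str], template: str = DEFAULT_TEMPLATE,
                               now: Optional[int] = None) -> List[str]:
    """Inject expiring subjects derived from the JWT; returns the injected ids."""
    now = int(time.time()) if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        raise PolicyActionFailed("JWT carries no usable 'exp' claim")
    _require_caller_in_entry(entry, label, authenticated_subjects)
    subject_ids = resolve_subject_ids(template, label, claims)
    for sid in subject_ids:
        # The subject lives no longer than the token that introduced it (Unix seconds here).
        entry["subjects"][sid] = {"type": "token-integration", "expiry": exp}
    return subject_ids


def deactivate_token_integration(entry: Dict[str, Any], label: str, claims: Dict[str, Any],
                                 authenticated_subjects: List[str],
                                 template: str = DEFAULT_TEMPLATE) -> List[str]:
    """Remove the subjects the same JWT would inject; returns the removed ids."""
    _require_caller_in_entry(entry, label, authenticated_subjects)
    subject_ids = resolve_subject_ids(template, label, claims)
    return [sid for sid in subject_ids if entry["subjects"].pop(sid, None) is not None]


def active_subject_ids(entry: Dict[str, Any], now: int) -> List[str]:
    """Subjects that still grant access at `now`: no expiry, or an expiry in the future."""
    return [sid for sid, s in entry["subjects"].items() if s.get("expiry", now + 1) > now]


def demo() -> Dict[str, Any]:
    """Constructed sample: a caller authenticated as google:user-1 activates integration subjects."""
    entry = {"subjects": {"google:user-1": {"type": "google"}}, "resources": {}}
    claims = {"sub": "user-1", "aud": ["device-api", "dashboard"], "exp": 1_700_003_600}
    injected = activate_token_integration(entry, "device-ops", claims, ["google:user-1"], now=1_700_000_000)
    return {"injected": injected, "entry": entry}


if __name__ == "__main__":
    print(demo())
```

Two properties of the model are worth checking in any real deployment of this feature: a caller whose authenticated subject is absent from the entry is refused before any subject is written, and an injected subject never outlives the `exp` of the token that created it, so `active_subject_ids` drops it at that instant without a separate cleanup step.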