Support injection of temporary policy subjects from JWTs #926

Closed
yufei-cai opened this issue Dec 21, 2020 · 2 comments · Fixed by #945
Comments

@yufei-cai
Contributor

After #890, temporary authorization subjects based on expiring JWTs are possible. However, adding such subjects requires WRITE permission on the policy. It would be better to inject the temporary subjects when the user presents a JWT without elevated privilege.

One way to achieve it:

  • Add HTTP API to inject authorization subjects based on the JWT in the request
  • Add a new permission EXECUTE to authorize subject injection
yufei-cai added this to the 2.0.0 milestone Dec 21, 2020
thjaeckle pushed a commit to bosch-io/ditto that referenced this issue Jan 21, 2021
…cy level; relax timing requirement in ThingPersistenceActorSnapshottingTest.

Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
thjaeckle pushed a commit to bosch-io/ditto that referenced this issue Jan 21, 2021
…ies made visible due to ditto-model-placeholders.

Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
thjaeckle pushed a commit to bosch-io/ditto that referenced this issue Jan 21, 2021
…he default token integration subject ID.

Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
thjaeckle pushed a commit to bosch-io/ditto that referenced this issue Jan 21, 2021
…n; fix status code when executing an action on a nonexistent policy entry.

Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
thjaeckle added a commit to bosch-io/ditto that referenced this issue Jan 21, 2021
…mmands

* renamed classes to match the action name, e.g. "ActivateTokenIntegration"
* don't let PolicyActionCommand inherit PolicyModifyCommand
* added PolicyActionCommandResponse which the action responses implement
* added new Command.Category enum value "ACTION"
* moved PolicyActionFailedException to commands module
* adjusted routes to not use the route path from constants in the PolicyActionFailedException but use it from the action's NAME constant

Signed-off-by: Thomas Jaeckle <thomas.jaeckle@bosch.io>
thjaeckle added a commit to bosch-io/ditto that referenced this issue Jan 21, 2021
* renamed required action events to SubjectsDeletedPartially and SubjectsModifiedPartially
* moved PolicyEntryPlaceholder to the "placeholders" module
* added new SubjectIdFromActionResolver interface with a default implementation using the PolicyEntryPlaceholder
* replaced Class.forName("") with loading classes via the Akka actorSystem

Signed-off-by: Thomas Jaeckle <thomas.jaeckle@bosch.io>
thjaeckle pushed a commit to bosch-io/ditto that referenced this issue Jan 21, 2021
…s without READ permission for things.

Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
thjaeckle added a commit to bosch-io/ditto that referenced this issue Jan 21, 2021
…SubjectIdFactory

* added some javadoc fixes

Signed-off-by: Thomas Jaeckle <thomas.jaeckle@bosch.io>
thjaeckle pushed a commit to bosch-io/ditto that referenced this issue Jan 21, 2021
… permission granted on things by the policy action activateTokenIntegration.

Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
thjaeckle added a commit to bosch-io/ditto that referenced this issue Jan 21, 2021
… no content

* removed subjectId from DeactivateTokenIntegrationResponse

Signed-off-by: Thomas Jaeckle <thomas.jaeckle@bosch.io>
thjaeckle added a commit to bosch-io/ditto that referenced this issue Jan 21, 2021
… a subject contained in the authorized subjects are considered for activate/deactivate tokenIntegration actions

* removed check that only subjects containing an expiry should be deleted by the "deactivateTokenIntegration" action

Signed-off-by: Thomas Jaeckle <thomas.jaeckle@bosch.io>
thjaeckle added a commit to bosch-io/ditto that referenced this issue Jan 21, 2021
… JWT must also be present in policy entry" to documentation

* did some reformatting in the OpenAPI docs
* fixed supported placeholders for the action

Signed-off-by: Thomas Jaeckle <thomas.jaeckle@bosch.io>
thjaeckle added a commit to bosch-io/ditto that referenced this issue Jan 21, 2021
…PolicyActionCommand

* use HttpStatus instead of deprecated HttpStatusCode enum
* policy routes method renamings
* some javadoc enhancements

Signed-off-by: Thomas Jaeckle <thomas.jaeckle@bosch.io>
thjaeckle added a commit to bosch-io/ditto that referenced this issue Jan 21, 2021
…rray of strings instead of only plain strings

* the JwtPlaceholder works the same
* added "expansion" algorithm to expand inline JsonArrays to multiple SubjectIds to TokenIntegrationSubjectIdFactory
* adjusted PolicyActionCommands to work on multiple subjects/subjectIds
* adjusted the default token-integration-subject to "integration:{{policy-entry:label}}:{{jwt:aud}}"

Signed-off-by: Thomas Jaeckle <thomas.jaeckle@bosch.io>
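The following is an added illustration, not Ditto's own code, of the design the issue proposes (inject temporary subjects from the caller's JWT, gated by an EXECUTE permission) combined with the behaviour the commit messages describe: the default subject pattern `integration:{{policy-entry:label}}:{{jwt:aud}}`, fan-out of a JSON-array claim into one subject ID per element, the requirement that the JWT's own subject is already in the policy entry, and an expiry taken from the token. Assumptions: the placeholder grammar is matched with a simple regex, nested claims are addressed with `/`, EXECUTE is checked on the simplified resource `policy:/`, and the JWT claims and policy entry are constructed sample data.

```python
import re
from datetime import datetime, timezone

# Constructed sample input: decoded claims of a caller's JWT and one policy entry.
JWT_CLAIMS = {"sub": "user-123", "aud": ["device-api", "things-api"], "exp": 1611273600}
POLICY_ENTRY = {
    "label": "DEVICE",
    "subjects": {"user-123": {"type": "authenticated"}},
    # Assumption: EXECUTE granted on "policy:/" authorises the action for this entry.
    "resources": {"policy:/": {"grant": ["READ", "EXECUTE"], "revoke": []}},
}
# Default pattern quoted in the commit message above.
DEFAULT_PATTERN = "integration:{{policy-entry:label}}:{{jwt:aud}}"
# Assumed placeholder grammar: {{<prefix>:<name>}}, nested JWT claims joined with "/".
PLACEHOLDER = re.compile(r"\{\{\s*([\w-]+):([\w/-]+)\s*\}\}")


def resolve_subject_ids(pattern, label, claims):
    """Expand every placeholder; a JSON-array claim fans out into one ID per element."""
    results, pos = [""], 0
    for match in PLACEHOLDER.finditer(pattern):
        literal = pattern[pos:match.start()]
        prefix, name = match.groups()
        if prefix == "policy-entry" and name == "label":
            values = [label]
        elif prefix == "jwt":
            value = claims
            for part in name.split("/"):
                if not isinstance(value, dict) or part not in value:
                    raise ValueError(f"JWT claim {name!r} is missing")
                value = value[part]
            values = value if isinstance(value, list) else [value]
        else:
            raise ValueError(f"unsupported placeholder {match.group(0)}")
        results = [r + literal + str(v) for r in results for v in values]
        pos = match.end()
    return [r + pattern[pos:] for r in results]


def activate_token_integration(entry, claims, pattern=DEFAULT_PATTERN):
    """Return the temporary subjects to inject, or refuse when the caller is not authorised."""
    # The caller's own JWT subject must already be in the entry, so the action only
    # extends what that subject is already trusted with (no WRITE on the policy needed).
    if claims.get("sub") not in entry["subjects"]:
        raise PermissionError("JWT subject is not in the policy entry")
    if "EXECUTE" not in entry["resources"].get("policy:/", {}).get("grant", []):
        raise PermissionError("EXECUTE is not granted on the policy")
    # Injected subjects expire with the token, as in the earlier #890 work.
    expiry = datetime.fromtimestamp(claims["exp"], tz=timezone.utc).isoformat()
    return {sid: {"type": "token-integration", "expiry": expiry}
            for sid in resolve_subject_ids(pattern, entry["label"], claims)}
```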
thjaeckle added a commit to bosch-io/ditto that referenced this issue Jan 21, 2021
…icyActionCommands

* also moved building the PolicyActionFailedException when not applicable for a PolicyActionCommand to the PolicyActionCommands
* added another test for a JWT with nested path

Signed-off-by: Thomas Jaeckle <thomas.jaeckle@bosch.io>
thjaeckle added a commit to bosch-io/ditto that referenced this issue Jan 21, 2021
* added "Authenticated subjects" section to basic-auth
* adjusted the "Subjects" section in basic-policy to be more detailed
* fixed links

Signed-off-by: Thomas Jaeckle <thomas.jaeckle@bosch.io>
thjaeckle added a commit to bosch-io/ditto that referenced this issue Jan 21, 2021
…izable PolicyActionFailedException because of missing "message" in the exception JSON

Signed-off-by: Thomas Jaeckle <thomas.jaeckle@bosch.io>
thjaeckle added a commit to bosch-io/ditto that referenced this issue Jan 21, 2021
… model in order to keep order when e.g. modifying policies

Signed-off-by: Thomas Jaeckle <thomas.jaeckle@bosch.io>
thjaeckle added a commit to bosch-io/ditto that referenced this issue Jan 22, 2021
…ail in license header year check

Signed-off-by: Thomas Jaeckle <thomas.jaeckle@bosch.io>
yufei-cai added a commit to bosch-io/ditto that referenced this issue Jan 23, 2021
…Factory; fix policy action event aggregation.

Changes

1. Replaced TokenIntegrationSubjectIdFactory.JSON_ARRAY_PATTERN
   by a regex using possessive qualifiers only.

2. Added a test for activating multiple subjects in multiple
   policy entries. Fixed it.

Signed-off-by: Yufei Cai <yufei.cai@bosch.io>
thjaeckle added a commit that referenced this issue Jan 25, 2021
#926: inject configurable policy subjects into policies via newly added JWT-evaluating policy action
@w4tsn
Contributor

w4tsn commented Feb 25, 2021

Just to check back about the new situation with #512 being implemented now. If it's not already implemented, should there be a follow-up for this issue to also provide the ability to parse temporary subjects from JWT claims?

@thjaeckle
Member

It is already implemented as part of this PR; see also the blog post (and documentation) about it:
https://www.eclipse.org/ditto/2021-01-22-policy-subject-activate-token-integration.html
