fix bug in acl config validation #982
Conversation
| @@ -199,10 +199,24 @@ impl PolicyEnforcer { | |||
| ) -> ZResult<PolicyInformation> { | |||
| let mut policy_rules: Vec<PolicyRule> = Vec::new(); | |||
| for config_rule in config_rule_set { | |||
| // config validation | |||
| if config_rule.interfaces.is_empty() | |||
There was a problem hiding this comment.
It seems that with this PR the interface list becomes always required, am I correct?
If that's the case, then I believe this is not an acceptable behaviour.
There was a problem hiding this comment.
for 0.11 it should be required in the rules field, since it will not make logical sense to have a rule without a subject to implement it for. For 1.0, this will be modified to have any one of : cert_name, username or interface fields present and non-empty.
There was a problem hiding this comment.
Why? I could simply want to deny key_expression on any interface/operation a priori.
There was a problem hiding this comment.
For that we will require explicit keywords like ALL (this lies in the territory of Groups and Roles). Equating empty list in our explicit rules to ALL is bad access control logic. For example, we already implement similar behavior for key-expressions where ALL is signified specifically using ** and not empty list.
There was a problem hiding this comment.
I don't think that we need some special keyword for all, IMHO, if filter filed absent it means that filter not applied for this field.
If filed interfaces absent - apply for all interfaces
If filed flows absent - apply for all flows
And for key-expressions will be better to have the same logic
There was a problem hiding this comment.
I agree for interfaces and flows.
I'm still inclined to having key_exprs mandatory though...
|
@oteffahi can you help in reviewing this PR? |
| @@ -66,7 +66,7 @@ pub(crate) fn acl_interceptor_factories( | |||
| enforcer: Arc::new(policy_enforcer), | |||
| })) | |||
| } | |||
| Err(e) => tracing::error!("Access control inizialization error: {}", e), | |||
| Err(e) => tracing::error!("Access control not enabled due to: {}", e), | |||
There was a problem hiding this comment.
Since a security feature that the user wished to enable did not go through correctly, in my opinion it seems dangerous to proceed. Shouldn't we stop execution?
| Err(e) => tracing::error!("Access control not enabled due to: {}", e), | |
| Err(e) => panic!("Access control not enabled due to: {}", e), |
There was a problem hiding this comment.
I think the upper logic should decide what to do with the execution. The interceptor has the freedom to return an error here and it should do so. I wouldn't panic directly at this level.
Co-authored-by: oteffahi <70609372+oteffahi@users.noreply.github.com>
Co-authored-by: oteffahi <70609372+oteffahi@users.noreply.github.com>
|
@Mallets as requested, I added a way to allow empty I'd like to mention that I maintain my position regarding this change: implicit wildcards are in my opinion a bad practice for security-related features, and that we should not proceed with this change. I added warning logs to alert the user whenever these implicit wildcards are enabled. In the future it would be better to replace this with explicit wildcards that the user has to set for each list to be populated automatically, preferably in alternatively-named configuration fields for each list (i.e: |
There is a difference between implicit and not-specified. Here we are tackling the configuraiton-aspect of the problem and not the implementation of it. To me, interfaces are not mandatory as part of the ACL rules, especially looking at the evolution of this configuration. Let's assume we make the evolve this ACL towards a |
oteffahi
force-pushed
the
fix_bug_acl_config
branch
from
24f1afc
to
f56829d
Compare
|
@Mallets I changed it so the
I also made it so we error out when ACL cannot be enabled (the function returns an Error which as you suggested is handled by upper logic, which was already setup to exit in case of a returned Error from interceptor factories) |
* fix bug in acl config validation * Update ACL config error messages * Apply suggestions from code review Co-authored-by: oteffahi <70609372+oteffahi@users.noreply.github.com> * Update zenoh/src/net/routing/interceptor/authorization.rs Co-authored-by: oteffahi <70609372+oteffahi@users.noreply.github.com> * Fix mistake in ACL config error message * Allow empty interfaces and flows in config * Add warning logs for implicit wildcard ACL config * Fix linting * Add support for undefined interfaces and flows lists This reverts commits a2db2d7 5008e38 e204f2d. * Error out when ACL cannot be enabled --------- Co-authored-by: oteffahi <70609372+oteffahi@users.noreply.github.com> Co-authored-by: Luca Cominardi <luca.cominardi@gmail.com> Co-authored-by: Oussama Teffahi <oussama.teffahi@zettascale.tech>
This PR fixes input validation issue in access control config.