Added authorization for JsonRpc methods#10934
Added authorization for JsonRpc methods#10934sleshchenko merged 7 commits intoeclipse-che:masterfrom
Conversation
sleshchenko
added
status/in-progress
sleshchenko
force-pushed
the
jsonRpcAuthorization
branch
from
67f018e to
e5ee146
Compare
sleshchenko
force-pushed
the
jsonRpcAuthorization
branch
from
e5ee146 to
32852e3
Compare
skabashnyuk
left a comment
skabashnyuk
left a comment
There was a problem hiding this comment.
direction of this PR looks good to me.
| import org.eclipse.che.multiuser.api.permission.server.jsonrpc.RemoteSubscriptionPermissionManager; | ||
| import org.eclipse.che.multiuser.api.permission.server.model.impl.AbstractPermissions; | ||
|
|
||
| /** @author Sergii Leshchenko */ |
There was a problem hiding this comment.
Please describe purpose of this class in javadoc
There was a problem hiding this comment.
Do we need a test for this class?
sleshchenko
force-pushed
the
jsonRpcAuthorization
branch
2 times, most recently
from
4ff8bdb to
91fc90d
Compare
sleshchenko
changed the title
sleshchenko
added
status/code-review
|
@skabashnyuk @garagatyi PR is ready to review, please take a look. |
|
ci-test |
|
ci-test build report: |
|
ci-test |
sleshchenko
force-pushed
the
jsonRpcAuthorization
branch
2 times, most recently
from
a38532f to
7f3c55b
Compare
|
ci-test build report: |
sleshchenko
force-pushed
the
jsonRpcAuthorization
branch
from
96ff276 to
30d1735
Compare
|
ci-test |
|
As far as I understand there is no default permissions filter in this PR. This leads us to a situation when new JSON_RPC methods are not secure by default, but rather insecure by default. I find it a popular practice in modern software to make stuff secure by default since it leads to less critical vulnerabilities. Please, consider adding such an approach before merging this PR. |
I thought about it and decided to implement easier way, where there is no default permissions filter since the same situation as we have with our REST API service/methods (they are public by default).
I would merge this PR as it is since it introduces the authorization mechanism for Json Rpc methods and it can be improved in a separated issue and PR. BTW It's much secure to have a current approach than in master branch. I'll create a separate issue if you're OK with that. |
| String currentUserId = EnvironmentContext.getCurrent().getSubject().getUserId(); | ||
|
|
||
| try { | ||
| AbstractPermissions permissions = |
There was a problem hiding this comment.
Can you add a comment to the code with the explanation of why this part is implemented in this way?
|
@sleshchenko I'm OK with implementing the secure-by-default approach in a separate issue. Hope your team would be able to prioritize such a task |
|
ci-test build report: |
|
ci-test |
|
@garagatyi I've created an issue to make resources exposed by REST and WebSocket private by default #11007. Feel free to comment or edit. |
|
ci-test build report: |
|
ci-test |
|
ci-test build report: |
It allows to build a project without tests compiling
sleshchenko
force-pushed
the
jsonRpcAuthorization
branch
from
db03ee2 to
e62dbb7
Compare
benoitf
removed
the
status/code-review
|
ci-test build report: |
5 participants
What does this PR do?
Here is an example of an invocating JsonRpc method and remote subscribing without required permissions:
What issues does this PR fix or reference?
#10861
Release Notes
Added authorization checks before calling of JsonRpc methods
Docs PR
N/A