[v13] Fix authorization rules to the Assistant and UserPreferences service #29961

Merged
merged 13 commits into from
Aug 4, 2023

Commits on Aug 2, 2023

  1. "Add authorization rules to the Assistant and UserPreferences service"

    This commit introduces authorization rules into the Assistant service to restrict operations based on the authenticated user's role permissions.
    
    Now each method in the Assistant service checks if the authenticated user has the necessary permissions to perform the requested operation. The permissions are checked via defined RBAC rules.
    
    A user requires specific permissions to perform various operations such as creating a conversation, updating a conversation, fetching a user's conversations, deleting a conversation, and adding a message to a conversation.
    
    Also, even if a user has the necessary permissions, they cannot perform operations for a different user. Each user can only access their own data.
    jakule authored and github-actions committed Aug 2, 2023
    541fa6b
  2. Add missing logger

    jakule authored and github-actions committed Aug 2, 2023
    adaaf20
  3. "Refactor user preferences request handling"

    This commit refactors how GetUserPreferences and UpsertUserPreferences handle requests.
    The `username` field is removed from request parameters. Instead of having the client send the user's username in a request, the server now automatically uses the username of the authenticated user making the request.
    This change improves security by preventing a user from attempting to fetch or manipulate another user's preferences. Removed tests were specifically testing the old, insecure behavior.
    jakule authored and github-actions committed Aug 2, 2023
    b48c414
  4. Refactor to use authz.HasBuiltinRole

    Refactored code in the 'auth_with_roles.go' file to use 'authz.HasBuiltinRole' instead of 'HasBuiltinRole'. This change is in line with recommended practices for deprecation and makes the code more standard and easier to manage. The original 'HasBuiltinRole' function is marked as deprecated and will be removed in future once 'teleport.e' is updated to use 'authz.HasBuiltinRole'.
    jakule authored and github-actions committed Aug 2, 2023
    d62eff5
  5. Reserve removed username again?

    jakule authored and github-actions committed Aug 2, 2023
    c104386
  6. Fix UT

    jakule authored and github-actions committed Aug 2, 2023
    04d2aaa
  7. Add local user permissions checks in authz

    This commit introduces two new methods in permissions.go to check if a user is a local user, and if a given action is performed by a local user. These permission checks are then used to replace existing checks in service.go, when performing actions like creating a conversation, updating, listing, etc. This simplifies checks and provides a more consolidated and unified method for verifying user actions.
    jakule authored and github-actions committed Aug 2, 2023
    d483ad6
  8. Fix tests

    jakule authored and github-actions committed Aug 2, 2023
    2815f84
  9. Tweak RBAC

    jakule authored and github-actions committed Aug 2, 2023
    9cffecc
  10. Address review comments

    jakule authored and github-actions committed Aug 2, 2023
    883a58b
  11. Separate client and server interfaces for user preference services.

    Joerger authored and github-actions committed Aug 2, 2023
    9478535
  12. Apply core review suggestions

    jakule authored and github-actions committed Aug 2, 2023
    f52f53b
  13. Apply suggestions from code review

    Co-authored-by: Brian Joerger <bjoerger@goteleport.com>
    2 people authored and github-actions committed Aug 2, 2023
    2ef61fb
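
The change described in commits 1 and 3, as an added example that is not Teleport's code: the handler takes the data owner from the authenticated identity instead of a request field, and checks the role-granted verb first. All type and function names are hypothetical, and the stored preferences are constructed sample data.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// Hypothetical stand-ins for illustration; none of these are Teleport's API.
type identityKey struct{}

type Identity struct {
	Username string
	Allowed  map[string]bool // verbs granted by the user's roles
}

var ErrAccessDenied = errors.New("access denied")

// store maps username -> preferences (constructed sample data).
var store = map[string]string{"alice": "theme=dark", "bob": "theme=light"}

// WithIdentity attaches the authenticated identity, as an auth interceptor would.
func WithIdentity(ctx context.Context, id Identity) context.Context {
	return context.WithValue(ctx, identityKey{}, id)
}

// GetPreferencesInsecure is the "before": it trusts a client-supplied username.
func GetPreferencesInsecure(_ context.Context, username string) (string, error) {
	return store[username], nil
}

// GetPreferences is the "after": there is no username parameter to tamper with.
// The owner is the authenticated caller, and the RBAC verb is checked first.
func GetPreferences(ctx context.Context) (string, error) {
	id, ok := ctx.Value(identityKey{}).(Identity)
	if !ok || id.Username == "" || !id.Allowed["read"] {
		return "", ErrAccessDenied
	}
	return store[id.Username], nil
}

func main() {
	ctx := WithIdentity(context.Background(), Identity{Username: "alice", Allowed: map[string]bool{"read": true}})
	leaked, _ := GetPreferencesInsecure(ctx, "bob") // alice reads bob's data
	own, err := GetPreferences(ctx)                 // alice can only reach her own
	fmt.Println(leaked, own, err)
}
```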