Group membership check #1074

chkeita · 2021-07-15T19:45:55Z

This PR enables the restriction of certain api to some user based on their principalid or their group membership

Api Restriction rules

We provide the ability to create a set of rules that specify which group has access to an api
The set of rules is a list of RuleDefinition defined set in the property api_access_rules of the Instance configuration

  [
      {
          "methods": ["get", "post"],
          "endpoint": ["/api/jobs"],
          "allowed_groups": ["<group_id>"]
      }
  ]

We store and manage in the RequestAccess class defined in #1420

Rules enforcement

Those rules are enforced when the request is received by the service.
A call to check_access determine if the request is authorized or not.

Group membership information retrieval

The group membership is retrieved from azure call to msgraph in the AzureADGroupMembership class
This call requires specific permissions which depending on the environmentt can only be granted by an admin.
We also provide for testing purposes a StaticGroupMembership class to provide the access restriction functionality without querying azure.
The class is initialized with the group membership information stored in the Instance configuration in the field group_membership

Testing

A functional test is provided in api_restriction_test.py

fix preauthorized application

- add timeout to access rule cache - update python version in deployment - update unit tests

fix type in static group memebership

fix group membership check logic

make the group membership query transitive

api_access_rules is now a dictionary add environment variable to disable cache

src/api-service/functional_tests/api_restriction_test.py

src/api-service/__app__/onefuzzlib/request.py

src/api-service/__app__/onefuzzlib/azure/group_membership.py

src/api-service/__app__/onefuzzlib/request.py

src/api-service/functional_tests/api_restriction_test.py

fix functional test

chkeita added 30 commits June 7, 2021 11:08

migrate to msgraph

bd8d425

add subscription id to query_microsoft_graph

1ad0f5a

migrating remaingin references

ac0f400

formatting

4902528

adding missing dependencies

a4379c8

Merge branch 'main' into msgraph

098ac3c

flake fix

e1fa0ad

fix get_tenant_id

c130d6d

Merge branch 'main' into msgraph

b6bf69f

cleanup

681867e

formatting

8230024

Merge remote-tracking branch 'upstream/main' into msgraph

1a60c07

Merge remote-tracking branch 'upstream/main' into msgraph

dd989fb

migrate application creation in deploy.py

0403485

foramt

6245563

mypy fix

431200d

isort

71bceef

isort

7e1b93c

format

7ba55de

bug fixes

09107ab

specify the correct signInAudience

73a135f

fix backing service principal creation

be18ab9

fix preauthorized application

remove remaining references to graphrbac

295c56e

fix ms graph authentication

9c47159

Merge branch 'main' into msgraph

99df719

Merge branch 'main' into msgraph

b9915c1

formatting

128c7f8

Merge branch 'main' into msgraph

d5ec3cc

add a data structure to store permission for each url

83a2904

adding logic

f536f77

chkeita added 12 commits November 15, 2021 13:56

- return None when not rule is found

1cba246

- add timeout to access rule cache - update python version in deployment - update unit tests

fix type in tests

670dc9c

fix type in static group memebership

fix test

c1023a2

better error message

b475c1f

fix group membership check logic

format

51e84cf

remove old implementation of check_access

735e7b1

make the group membership query transitive

Merge branch 'main' into chkeita/group_check

4996949

fix typo is name

130891a

api_access_rules is now a dictionary add environment variable to disable cache

generate docs

0ad5d0f

format

00c4358

format

93e1236

mypy fix

5cf3729

chkeita commented Nov 17, 2021

View reviewed changes

src/api-service/functional_tests/api_restriction_test.py Show resolved Hide resolved

chkeita mentioned this pull request Nov 17, 2021

Move the access control functional test to check-pr #1460

Open

chkeita marked this pull request as ready for review November 17, 2021 17:19

Merge branch 'main' into chkeita/group_check

d46fa1a

chkeita commented Nov 18, 2021

View reviewed changes

src/api-service/__app__/onefuzzlib/request.py Show resolved Hide resolved

chkeita mentioned this pull request Nov 18, 2021

Move call to check_access to call_if #1465

Closed

add unit tests to StaticGroupMembership

5f73e99

stishkin reviewed Nov 18, 2021

View reviewed changes

src/api-service/__app__/onefuzzlib/azure/group_membership.py Show resolved Hide resolved

stishkin reviewed Nov 19, 2021

View reviewed changes

src/api-service/__app__/onefuzzlib/request.py Outdated Show resolved Hide resolved

stishkin reviewed Nov 19, 2021

View reviewed changes

src/api-service/__app__/onefuzzlib/request.py Show resolved Hide resolved

stishkin reviewed Nov 19, 2021

View reviewed changes

src/api-service/functional_tests/api_restriction_test.py Show resolved Hide resolved

stishkin approved these changes Nov 19, 2021

View reviewed changes

chkeita added 5 commits November 19, 2021 12:38

adding comments

5c46c7d

removing NO_REQUEST_ACCESS_RULES_CACHE

abb2a90

fix functional test

format

882ebd4

more formatting

41d9c24

Merge branch 'main' into chkeita/group_check

5aac3ef

chkeita merged commit aa74550 into microsoft:main Nov 22, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Group membership check #1074

Group membership check #1074

chkeita commented Jul 15, 2021 •

edited

Group membership check #1074

Group membership check #1074

Conversation

chkeita commented Jul 15, 2021 • edited

Api Restriction rules

Rules enforcement

Group membership information retrieval

Testing

chkeita commented Jul 15, 2021 •

edited