
Local Authorization Check for RBAC #157

Merged
merged 5 commits into from
Dec 8, 2023

Conversation

nikhil-stytch (Contributor) commented Dec 6, 2023

  • Works alongside sdk-codegen changes
  • Validated that local authorization_check and new client constructions work as expected

@nikhil-stytch nikhil-stytch requested a review from a team as a code owner December 6, 2023 23:13
@nikhil-stytch nikhil-stytch requested review from jbolduc-stytch and removed request for jbolduc-stytch December 6, 2023 23:13
@nikhil-stytch nikhil-stytch marked this pull request as draft December 6, 2023 23:13
stytch/b2b/b2bstytchapi/b2bstytchapi.go (outdated)
stytch/b2b/rbac/types.go
stytch/b2b/sessions_test.go
stytch/shared/rbac_local.go (outdated)
@nikhil-stytch nikhil-stytch changed the title from "[DNM] Local Authorization Check" to "Local Authorization Check for RBAC" Dec 7, 2023
@nikhil-stytch nikhil-stytch marked this pull request as ready for review December 7, 2023 21:16
logan-stytch (Contributor) left a comment

I have a few comments that should be addressed, but I'm going to approve to unblock. Can you change this to merge into v12-prerelease?

lastUpdatedAt time.Time
}

const refreshCadence = 300 * time.Second
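Review bot: refreshCadence has no doc comment, yet it is the security-relevant knob of this cache: a role or permission change made in the dashboard can take up to one full cadence to be reflected in local authorization decisions. Suggest a comment on the constant stating that bound, and expressing it as `5 * time.Minute` so the unit is obvious at a glance.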
Contributor comment:

[dust] Would 5 * time.Minute be better here?

Comment on lines 58 to 62
return time.Since(pc.lastUpdatedAt) > refreshCadence
}

func (pc *PolicyCache) Get(ctx context.Context) (*rbac.Policy, error) {
if pc.policy == nil || pc.shouldRefreshPolicy() {
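Review bot: no synchronization is visible around `pc.policy` and `pc.lastUpdatedAt` in `Get`; if one PolicyCache is shared by a client serving concurrent requests, the reads here race with the writes made on refresh, and every goroutine that observes an expired cadence will refetch in parallel. Suggest guarding the fields with a `sync.Mutex` (or deduplicating the refresh with `golang.org/x/sync/singleflight`) so a refresh happens once per cadence expiry.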
Contributor comment:

Let's go all the way here

Suggested change
return time.Since(pc.lastUpdatedAt) > refreshCadence
}
func (pc *PolicyCache) Get(ctx context.Context) (*rbac.Policy, error) {
if pc.policy == nil || pc.shouldRefreshPolicy() {
return pc.policy == nil || time.Since(pc.lastUpdatedAt) > refreshCadence
}
func (pc *PolicyCache) Get(ctx context.Context) (*rbac.Policy, error) {
if pc.shouldRefreshPolicy() {

"github.com/stytchauth/stytch-go/v11/stytch/stytcherror"
)

type SessionsClient struct {
C stytch.Client
JWKS *keyfunc.JWKS
Contributor comment:

Meta-thought: I don't think the XClients should be exposing any of these fields externally -- we should hide this and only expose the method calls and sub-services. With that said, that can go into the backlog for SDK improvements.

Comment on lines 345 to 368
}

err = shared.PerformAuthorizationCheck(policy, claims.Roles, memberSession.OrganizationID, authorizationCheck)
if err != nil {
return nil, err
}
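Review bot: the error from `shared.PerformAuthorizationCheck` is returned unchanged, so a caller cannot tell "the policy could not be loaded" apart from "the member lacks the permission" without inspecting the error value. Suggest returning a distinct `stytcherror` type for the permission denial so integrators can map it to a 403 rather than treating every failure of this path as a server error.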
Contributor comment:

[boulder] This check belongs inside the if authorizationCheck != nil block -- otherwise you're about to do an auth check against a nil policy

Contributor comment:

Ahh, I read below that shared.PerformAuthorizationCheck will check if the authCheck is nil, but I still think it'd be safer to put this inside the block above to be crystal clear.
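A worked illustration of the two points raised in this review, folding the nil check into the refresh test and never running an authorization check against a nil policy; this is added example code, not code from stytch-go, and the Policy, AuthorizationCheck and fetch types are assumptions standing in for the SDK's own:

```go
package main

import (
	"errors"
	"time"
)

// Hypothetical stand-ins for the SDK's rbac.Policy and AuthorizationCheck types.
type Policy struct{ Roles map[string]map[string]bool } // role -> set of "resource:action"
type AuthorizationCheck struct{ OrganizationID, ResourceID, Action string }
var ErrNilPolicy = errors.New("rbac: no policy loaded")
var ErrUnauthorized = errors.New("rbac: member lacks permission")
const refreshCadence = 5 * time.Minute

// PolicyCache refetches the policy on a fixed cadence (unsynchronized: a cache
// shared between request goroutines needs a mutex around Get).
type PolicyCache struct {
	policy        *Policy
	lastUpdatedAt time.Time
	fetch         func() (*Policy, error) // hypothetical policy fetcher
}

// Folding the nil check in here makes "never loaded" and "stale" the same path.
func (pc *PolicyCache) shouldRefreshPolicy() bool {
	return pc.policy == nil || time.Since(pc.lastUpdatedAt) > refreshCadence
}
func (pc *PolicyCache) Get() (*Policy, error) {
	if pc.shouldRefreshPolicy() {
		p, err := pc.fetch()
		if err != nil {
			return nil, err // caller must not treat a nil policy as a pass
		}
		pc.policy, pc.lastUpdatedAt = p, time.Now()
	}
	return pc.policy, nil
}

// PerformAuthorizationCheck fails closed. Call it only when a check was requested
// (inside the `if authorizationCheck != nil` block); a nil policy or an organization
// mismatch is a denial, never a pass.
func PerformAuthorizationCheck(p *Policy, roles []string, orgID string, check *AuthorizationCheck) error {
	if p == nil {
		return ErrNilPolicy
	}
	if check.OrganizationID != orgID {
		return ErrUnauthorized
	}
	for _, r := range roles {
		if p.Roles[r][check.ResourceID+":"+check.Action] {
			return nil
		}
	}
	return ErrUnauthorized
}
```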

@@ -1,3 +1,3 @@
package config

const APIVersion = "11.5.2"
const APIVersion = "11.6.0"
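Review bot: the bump from 11.5.2 to 11.6.0 is a minor version, while the thread treats this change as MAJOR and retargets the PR at v12-prerelease; the SessionsClient hunk above still imports `github.com/stytchauth/stytch-go/v11/stytch/stytcherror`, so the version constant and the module path should be moved to v12 together on that branch rather than shipping a breaking change under a minor number.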
Contributor comment:

Definitely a MAJOR update, I'm going to cut a v12 branch to prepare a few things

Contributor comment:

Okay, let's have this merge into v12-prerelease branch

)
assert.NoError(t, err)
})
}
Contributor comment:

👨‍🍳 💋 Great tests

@logan-stytch logan-stytch changed the base branch from main to v12-prerelease December 8, 2023 02:23
@logan-stytch logan-stytch merged commit e07cfc3 into v12-prerelease Dec 8, 2023
@logan-stytch logan-stytch deleted the nd/authz-2 branch December 8, 2023 02:28
2 participants