Skip to content

restrictions on permissions a non-admin is able to grant a new user#382

Open
JacobBarthelmeh wants to merge 3 commits into
wolfSSL:mainfrom
JacobBarthelmeh:auth_manager
Open

restrictions on permissions a non-admin is able to grant a new user#382
JacobBarthelmeh wants to merge 3 commits into
wolfSSL:mainfrom
JacobBarthelmeh:auth_manager

Conversation

@JacobBarthelmeh
Copy link
Copy Markdown
Contributor

@JacobBarthelmeh JacobBarthelmeh commented May 28, 2026
edited
Loading

Follow up to item 6 from #270

@JacobBarthelmeh JacobBarthelmeh self-assigned this May 28, 2026
Copilot AI review requested due to automatic review settings May 28, 2026 02:02
@JacobBarthelmeh JacobBarthelmeh changed the title Auth manager restrictions on permissions a non-admin is able to grant a new user May 28, 2026
Copilot AI reviewed May 28, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR tightens server-side authorization rules for user creation so that non-admin users can only create new users with a subset of their own permissions (including keyIds), and adds/extends auth tests to validate these restrictions and the backend’s max-user limit behavior.

Changes:

  • Enforce non-admin “subset-only” permission granting in wh_Auth_UserAdd, including keyId subset checks and a non-admin empty-credentials restriction.
  • Extend whTest_AuthAddUser to cover non-admin restrictions for actions, groups, keyIds, and credential presence.
  • Add a new whTest_AuthMaxUsers test and run it from whTest_AuthTest.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

File Description
src/wh_auth.c Adds non-admin subset enforcement and credential restriction in wh_Auth_UserAdd.
test/wh_test_auth.c Adds new negative/positive authorization tests and a max-user-capacity regression test.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread src/wh_auth.c
Comment thread test/wh_test_auth.c Outdated
Comment thread test/wh_test_auth.c Outdated
Comment thread test/wh_test_auth.c Outdated
wolfSSL-Fenrir-bot
wolfSSL-Fenrir-bot reviewed May 28, 2026
View reviewed changes
Copy link
Copy Markdown

@wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fenrir Automated Review — PR #382

Scan targets checked: wolfhsm-core-bugs, wolfhsm-src

No new issues found in the changed files. ✅

@JacobBarthelmeh JacobBarthelmeh requested a review from Copilot May 28, 2026 22:33
Copilot AI reviewed May 28, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated no new comments.

@JacobBarthelmeh JacobBarthelmeh marked this pull request as ready for review May 28, 2026 22:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@bigbrett bigbrett

@wolfSSL-Bot wolfSSL-Bot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@JacobBarthelmeh @wolfSSL-Fenrir-bot @bigbrett @wolfSSL-Bot