refactor(jans-cedarling): handle recoverable errors gracefully in authorization #10721
Conversation
Signed-off-by: rmarinn <[email protected]>
- gracefully handle authorization errors where the problem is just input errors or failing to build entities. - update AuthorizeResult to return deny with some information if the authz was denied because of malformed inputs Signed-off-by: rmarinn <[email protected]>
…ction Signed-off-by: rmarinn <[email protected]>
Signed-off-by: rmarinn <[email protected]>
- move input errors from AuthorizeError to the new BadInputErrors enum Signed-off-by: rmarinn <[email protected]>
Signed-off-by: rmarinn <[email protected]>
Signed-off-by: rmarinn <[email protected]>
Signed-off-by: rmarinn <[email protected]>
|
try to merge #10591 before this one |
| }) | ||
| .set_message("Result of authorize.".to_string()), | ||
| ); | ||
| self.log_authz(LogAuthzArgs { |
There was a problem hiding this comment.
Please, do not touch logging part, to avoid conflicts in the #10705
There was a problem hiding this comment.
If you wish to make this update, how about extract this changes to another branch? And I will merge it to my branch
There was a problem hiding this comment.
The changes does not only involve moving the logging to another file, some of the inputs change as well. Thus, if you want to move the changes, you might as well merge this whole branch onto your branch.
There will be conflicts no matter what, and we'll just have to deal with it.
Another option is to just merge main into your branch if this merges first.
Or I could also just wait for your PR then fix the conflicts if you want.
|
|
||
| /// Error returned because of invalid or malformed inputs to [`Authz::authorize`] | ||
| #[derive(thiserror::Error, Debug)] | ||
| pub enum BadInputError { |
There was a problem hiding this comment.
Does all this error can happen only because of bad input only?
If we can't check jwt because of problems on issuer page (can't load keys), it is also bad input?
There was a problem hiding this comment.
If we can't check jwt because of problems on issuer page (can't load keys), it is also bad input?
Getting the keys happens on startup and in the background/SSE (not implemented yet) so JWT validation wont fail because of an HTTP request. However, if a decoding key cannot be found to decode the JWT or if the JWT is expired, etc., it's under the BadInputError.
| serialize_with = "serialize_reason_input", | ||
| skip_serializing_if = "Option::is_none" | ||
| )] | ||
| pub reason_input: Option<BadInputError>, |
There was a problem hiding this comment.
I think It should be Vec because it can be more that one recoverable errors.
And in the issue is said that for "decision": "DENY" will be key with "errors" and for "decision": "DENY" will be key with "warnings".
It is planning?
There was a problem hiding this comment.
I think It should be
Vecbecause it can be more that one recoverable errors.
We return immediately instead of going through the request the in the first recoverable error since there's no point continuing if for example the access token is malformed. In that context, is does Vec still make sense since i think it will always only have 1 item.
And in the issue is said that for "decision": "DENY" will be key with "errors" and for "decision": "DENY" will be key with "warnings".
Yeah, i just changed it from "warnings" to "reason_input" after looking at authzen. It looks like they prefer using "reason_*" for adding additional context.
There was a problem hiding this comment.
Hmm, the task handle recoverable errors gracefully in authorization. As I understand it means that if we have error on build role (for example) or other entity, and we can continue to execute authorize request we should continue. And this kind of errors should be collected in the vector (and be logged).
There was a problem hiding this comment.
@nynymike what do you think?
There was a problem hiding this comment.
I agree with your statement, but I think the scope of the issue was beyond authz. I don't want the Cedarling to crash ever... it should keep running. Your web server never crashes... A crash should only happen if something really catastrophic happens. Right now it seems like there are too many reasons the PDP might just crash.
That was my goal here...
There was a problem hiding this comment.
@SafinWasi does flask-sidecar crash on bad input? Do you use try ... expect ... statement like here?
There was a problem hiding this comment.
The sidecar does not crash on invalid input. It can catch cedarling exceptions and puts them in the response.
Signed-off-by: rmarinn <[email protected]>
Prepare
Description
This PR implements gracefully handling recoverable errors -- specifically, "bad input" errors where the issue is either a malformed or invalid input. In the case of a bad input, the call to
Cedarling::authorizewill not no longer return an error but will return anOkwith aDENYdecision together with a reason.Target issue
closes #10589
Implementation Details
All the errors from the
AuthorizeErrorenum that are just bad inputs and recoverable has been moved to aBadInputErrorEnum.AuthorizeResulthas been updated to this:which looks like this when serialized to json:
{ "workload": null, "user": null, "reason_input": "Invalid Access token: Failed to decode JWT from Base64: Invalid last symbol 48, offset 749.", "decision": false }Test and Document the changes
Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with
docs:to indicate documentation changes or if the below checklist is not selected.