
New permission ClientsRead and new router middleware RequireAtLeastOnePermission #324

Merged: 5 commits merged into main from BED-3961, Jan 19, 2024

Conversation

@elikmiller (Collaborator) commented Jan 18, 2024

Description

A new permission, ClientsRead, is introduced and assigned to the User role. Additionally, the ClientsManage permission has been revoked from the User role.

A new router middleware, RequireAtLeastOnePermission, is introduced. This middleware forbids access to a resource unless the requester has at least one of the listed permissions. This is in contrast to RequirePermissions which forbids access to a resource unless the requester has all of the listed permissions.

Motivation and Context

This change enables desired behavior in BloodHound Enterprise.

How Has This Been Tested?

Existing unit tests have been updated and new unit tests have been added.

Types of changes

  • Chore (a change that does not modify the application functionality)
  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • Documentation updates are needed, and have been made accordingly.
  • I have added and/or updated tests to cover my changes.
  • All new and existing tests passed.
  • My changes include a database migration.
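
The contrast the description draws between the two middlewares, as an added net/http sketch that is not the project's code: `Permission`, `GrantsKey`, `Held` and `guard` are assumptions, and an earlier authentication step is assumed to have put the requester's granted permissions on the request context. It also covers an edge the description does not state: an empty permission list makes the "any of" guard fail closed.

```go
package main

import "net/http"

type Permission string // hypothetical permission name, not the project's own type
type GrantsKey struct{} // context key under which an (assumed) earlier authentication step stores the grants

const ClientsRead, ClientsManage Permission = "clients:Read", "clients:Manage"

// Held counts how many of the listed permissions the requester holds.
func Held(have map[Permission]bool, required []Permission) (n int) {
	for _, p := range required {
		if have[p] {
			n++
		}
	}
	return n
}

// RequirePermissions admits only a requester holding every listed permission.
func RequirePermissions(required ...Permission) func(http.Handler) http.Handler {
	return guard(required, func(held int) bool { return held == len(required) })
}

// RequireAtLeastOnePermission admits a requester holding any listed permission; an empty list
// matches nothing, so it fails closed instead of admitting everyone.
func RequireAtLeastOnePermission(required ...Permission) func(http.Handler) http.Handler {
	return guard(required, func(held int) bool { return held >= 1 })
}

// guard turns a "how many held is enough" rule into middleware; a nil grant set (no auth ran) holds nothing, so the request gets 403.
func guard(required []Permission, enough func(held int) bool) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			if have, _ := r.Context().Value(GrantsKey{}).(map[Permission]bool); !enough(Held(have, required)) {
				http.Error(w, "forbidden", http.StatusForbidden)
				return
			}
			next.ServeHTTP(w, r)
		})
	}
}

// main wires a constructed clients handler behind the "any of" guard, as a router would.
func main() {
	mux := http.NewServeMux()
	clients := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	mux.Handle("/clients", RequireAtLeastOnePermission(ClientsRead, ClientsManage)(clients))
	http.ListenAndServe("127.0.0.1:8080", mux)
}
```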

…at a requester has at least one listed permission in order to access a given resource
Review threads on: cmd/api/src/api/middleware/auth.go (outdated), cmd/api/src/api/router/router.go, cmd/api/src/api/middleware/auth_test.go
@zinic (Collaborator) commented Jan 18, 2024

Nothing stands out to me. There's potential for some DRY work here but I feel like it's squeezing for the sake of abstraction so I'm happy to approve this as-is but feel free to refactor based on other comments.

@superlinkx (Contributor) left a comment

This is missing the criteria for Upload Only role currently. Not sure if we want to put that into this PR or open a new PR with that change in it. Otherwise, just a couple small housekeeping items and I think this looks good.

Review threads on: cmd/api/src/api/middleware/auth.go (outdated, two threads)
@elikmiller (Collaborator, Author) commented Jan 19, 2024

This is missing the criteria for Upload Only role currently. Not sure if we want to put that into this PR or open a new PR with that change in it. Otherwise, just a couple small housekeeping items and I think this looks good.

@superlinkx It looks like this requested change was already made in #131

@elikmiller elikmiller requested a review from superlinkx January 19, 2024 15:29
@superlinkx (Contributor) commented

Oh, awesome! I'll go ahead and give this the thumbs up as is then

@superlinkx superlinkx dismissed their stale review January 19, 2024 15:57

Fixes added

@superlinkx (Contributor) left a comment

LGTM

@elikmiller elikmiller merged commit bc9064a into main Jan 19, 2024
2 checks passed
@elikmiller elikmiller deleted the BED-3961 branch January 19, 2024 15:58
@github-actions github-actions bot locked and limited conversation to collaborators Jan 19, 2024
4 participants