-
Notifications
You must be signed in to change notification settings - Fork 8
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ACLs - Making use of resolved GeorchestraUser's roles along with the resolved authorities #89
Conversation
I can confirm the problem is solved, but getting theses changes from DT fork brought back many changes that cancels changes that were made to this main branch. First commit is sufficient to resolve the problem encountered in PR#84. However other changes are interesting in general case, we may use this current PR to add them to main branch, after fixing some regressions they cause. |
So, is that ok if we merge this one, and see afterwards for regressions ? Are there any way of having possible regressions being tested ? |
@emmdurin it'd be great if you had a list of regressions so we can fix them. Especially if we can add tests to ensure they don't happen again. |
No, we have to fix regressions first. But we can merge PR#84 which contains the fix for the problem encountered, as soon as there is an approved review, do not hesitate to review it if you want. Then in this PR#89 will remains some interesting changes that should be useful in the future but are not needed for now. We can merge them when regressions are fixed.
I will check this when I have time, as I stated above there is no hurry. Just now I can tell that OAuth2 configurable logout endpoint code has been removed, and custom JWT decoding needed for some cases has also been removed (trying to use FranceConnect crashes because of a missing JWT URI endpoint), and there may be other problems. About testing, for example writing a test for the first one should be quite easy, but for the second one it's quite harder. So you're right pointing that some tests are missing, but I'm not sure how much we can test all of the changes we did on OAuth2 authentication process. Theses regressions are introduced because of the changes me and Marwane made to this repository but that were not replicated to DT repository. So when some code is retrieved back from DT repository, it cancels some of theses changes. This problem has already occurred. |
I can't remember if this PR is still needed somewhere, TBH ... |
Clarify treatment of Authentication authority names and resolved `GeorchestraUser` role names. The `Authentication` authority names are not changed at all, whereas previously they where being appended the `ROLE_` prefix only when the authentication came from LDAP. Instead, leave the `Authentication` object always unchanged and use a `GeorchestraUserCustomizerExtension` (`RolePrefixGeorchestraUserCustomizerExtension`), to ensure all `GeorchestraUser` roles are prefixed, since those are the ones to be sent to the downstream services in the `sec-roles` header.
Allows to normalize role names coming from any Authentication provider authority names. Previously it only worked for Ldap. Configuration change: `georchestra.gateway.security.oidc.*` properties moved as child of `oauth2`: `georchestra.gateway.security.oauth2.oidc.*`
* Testsuite broken because sending a request with no Accept header (or "Accept: */*") will make spring sending a 401 instead of a 302 redirect to /login * restoring previous work on csrf/cors not present in DT's fork (#73, #59) * restoring some other works related to login/logout controllers/templates
1fab7fd
to
885806f
Compare
rebased onto main today, but I'm getting confused, maybe I missed some recent modifications introduced from other PRs ... |
closing, as work has been done in #84 |
When defining accesses rules to the targets, e.g.:
Initially, only the
Authentication.Authorities
were used to determine if the user was member of the different roles. But we also resolve the geOrchestra roles onto theGeorchestraUser.Roles
object created, no matter if the user is coming from an external OIDC provider, is preauthenticated via another upstream proxy server via http headers, or via the classical geOrchestra LDAP. These roles were not used for access evaluation, though.The intent of this pull-request is to also check the accesses to the proxified targets against the GeorchestraUser's roles being resolved.
Note: this work was already done onto Deutsche-Telekom georchestra-gateway fork and has been backported here.