Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[RHCLOUD-27273] Enforce correct value/operation pairings #1418

Open
wants to merge 10 commits into
base: master
Choose a base branch
from
Open

[RHCLOUD-27273] Enforce correct value/operation pairings #1418

wants to merge 10 commits into from

Conversation

mjholder
Copy link
Contributor

@mjholder mjholder commented Jan 3, 2025
edited
Loading

BLOCKED BY: #1448

Link(s) to Jira

Description of Intent of Change(s)

The what, why and how.
In order to keep JSON parsing working we need to make sure the value types and operations provided by resourceDefinitions are compatible.
Specifically, if a String is provided the operation needs to be equals. Otherwise, if a List is provided, the operation needs to be in.
In order to achieve this I added some extra checks in the ResourceDefinition Serializer to make sure the pairings are correct.

Local Testing

How can the feature be exercised?
How can the bug be exploited and fix confirmed?
Is any special local setup required?

I added a couple tests to the unit test suite. If you want to test locally you can try to create a role with either of the following access definitions:

{
    "permission": "someApp:*:*",
    "resourceDefinitions": [
        {"attributeFilter": {"key": "keyA.id", "operation": "equals", "value": ["value1", "value2"]}}
    ],
}

OR

{
    "permission": "someApp:*:*",
    "resourceDefinitions": [
        {"attributeFilter": {"key": "keyA.id", "operation": "in", "value": "valueA"}}
    ],
}

Checklist

  • if API spec changes are required, is the spec updated?
  • are there any pre/post merge actions required? if so, document here.
  • are theses changes covered by unit tests?
  • if warranted, are documentation changes accounted for?
  • does this require migration changes?
    • if yes, are they backwards compatible?
  • is there known, direct impact to dependent teams/components?
    • if yes, how will this be handled?

Secure Coding Practices Checklist Link

Secure Coding Practices Checklist

  • Input Validation
  • Output Encoding
  • Authentication and Password Management
  • Session Management
  • Access Control
  • Cryptographic Practices
  • Error Handling and Logging
  • Data Protection
  • Communication Security
  • System Configuration
  • Database Security
  • File Management
  • Memory Management
  • General Coding Practices

@vbelchio
Copy link
Contributor

vbelchio commented Jan 3, 2025

@mjholder do we need to make changes in the OpenAPI specs?

@mjholder
Copy link
Contributor Author

mjholder commented Jan 3, 2025

@mjholder do we need to make changes in the OpenAPI specs?

That's a good question. We do have the types that are acceptable listed but not the fact that a string expects equals and a list expects in.
I'm looking to see if there is a way to achieve this in OpenAPI 3

@mjholder
Copy link
Contributor Author

mjholder commented Jan 3, 2025

@mjholder do we need to make changes in the OpenAPI specs?

That's a good question. We do have the types that are acceptable listed but not the fact that a string expects equals and a list expects in. I'm looking to see if there is a way to achieve this in OpenAPI 3

It looks like if we move to OpenAPI 3.1 we can use conditional blocks for schema validation but not in 3.0.0.
This if from the docs on what's added in 3.1: https://datatracker.ietf.org/doc/html/draft-bhutton-json-schema-00#page-42

astrozzc
astrozzc approved these changes Jan 6, 2025
View reviewed changes
rbac/management/role/serializer.py Show resolved Hide resolved
vkrizan
vkrizan suggested changes Jan 6, 2025
View reviewed changes
rbac/management/role/serializer.py Outdated
@@ -49,6 +49,18 @@ def validate_attributeFilter(self, value):
message = f"attributeFilter operation must be one of {ALLOWED_OPERATIONS}"
error = {key: [_(message)]}
raise serializers.ValidationError(error)
else:
values = value.get("value")
if type(values) is str and op == "in":
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These checks are insufficient, as these check only for string. If for example int was supplied, it would fall through. Why not check the expected type for each operator?

Be aware, that previously a documentation mentioned a string of comma separated values. Have you checked current state of the database? If users would have already stored badly formatted data, they could hit these errors.

I suggest to prefer isinstance over a strong type check. See Duck Typing.

astrozzc
astrozzc reviewed Jan 6, 2025
View reviewed changes
tests/management/role/test_view.py Outdated Show resolved Hide resolved
rbac/management/role/serializer.py Outdated Show resolved Hide resolved
@mjholder mjholder mentioned this pull request Jan 20, 2025
Merged
22 tasks
@lpichler lpichler changed the title Enforce correct value/operation pairings [RHCLOUD-27273] Enforce correct value/operation pairings Jan 21, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@astrozzc astrozzc astrozzc approved these changes

@vkrizan vkrizan vkrizan requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@mjholder @vbelchio @vkrizan @astrozzc @lpichler