Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use RA roles when testing authorizations #417

Merged
merged 9 commits into from
Feb 26, 2024
Merged

Use RA roles when testing authorizations #417

merged 9 commits into from
Feb 26, 2024

Conversation

MKodde
Copy link
Member

@MKodde MKodde commented Feb 19, 2024
edited
Loading

Before these changes, the authorizations handed out to an Identity when logging in to RA could be escalated unjustly.

The FGA authorizations were previously evaluated to calculate the authz for an Identity. Where they (ofcourse) have to be based on the authorizations that are actually accredited to the Identity.

For many authz decisions in the applications, we do evaluate the Institution authorizations, but when it comes to the determination of the roles for an identity we now correctly look to the ra_listing projection.

Merge targets:

  • release/5.1
  • main

@MKodde MKodde force-pushed the feature/database-test-experiment branch from 5eb3493 to 1b35421 Compare February 20, 2024 07:44
@MKodde MKodde changed the title Database test experiment Use RA roles when testing authorizations Feb 20, 2024
@MKodde MKodde force-pushed the feature/database-test-experiment branch from 1b35421 to 15b5c25 Compare February 20, 2024 09:25
@MKodde
Test the authorization repository
0450b86
@MKodde
Use RA roles when testing authorizations
187390f 
Using the Insitution configuration role setting is semantically
incorrect. Using the RA role here is the right way here.

In order to get the select raa input for the select list displayed on
the forms that allow selection of RA(A) users, a new method was added on
the AuthorizationContextService
@MKodde
Improve documentation of authorization decision
daab0b9 
Documentation is improved by sharpening the logging. Making logging much
more verbose should give quick insights into which commands are executed
by which identity.

The in-line code documentation was also improved by adding insights to
some of the classes where this was lacking.
@MKodde
Improve documentation of authorization decision
93082da 
Documentation is improved by sharpening the logging. Making logging much
more verbose should give quick insights into which commands are executed
by which identity.

The in-line code documentation was also improved by adding insights to
some of the classes where this was lacking.
@MKodde
Add BC support for authoringSecondFactorIdentifier
7408630 
This field was renamed in the new MW release and updated in the mw
client bundle. But we need to allow the old self service to work with
the new Middleware. So adding (temporal) support for the old field seems
the easiest fix.

See: https://www.pivotaltracker.com/story/show/184749323
@MKodde
Update CHANGELOG.md
914d023
@MKodde
Loosen authorization rule for recoverty token search
4ea4694 
The authorization to read recovery tokens (RT) for ones institution was set
to require the RAA role. However, reading and removing RT is a RA
action.

This commit lowers authz to RA for searching the RT

See: https://www.pivotaltracker.com/story/show/184938232
@MKodde
Allow RA to revoke Recovery Token
305a963 
The RA user was not yet allowed to revoke a recovery token. This is now
allowed. As this is a RA role.

See: https://www.pivotaltracker.com/story/show/184938232
@MKodde MKodde force-pushed the feature/database-test-experiment branch from 15b5c25 to 305a963 Compare February 20, 2024 09:27
@MKodde
Support recovery token revocation in tests
8f378f5 
The CommandAuthorizationServiceTest did not yet correctly support the RT
revocation scenario. Resulting in two failing tests. They were
previously under the radar as the phpunit scritp would still return a 0
exit code even tho the tests failed.

That was remedied by adding a 'set -e' instruction to that file
@MKodde MKodde requested a review from pablothedude February 20, 2024 10:33
@MKodde MKodde mentioned this pull request Feb 20, 2024
Merged
pablothedude
pablothedude approved these changes Feb 22, 2024
View reviewed changes
src/Surfnet/StepupMiddleware/ApiBundle/Authorization/Service/AuthorizationContextService.php
@@ -69,40 +69,46 @@ public function __construct(
$this->authorizationRepository = $authorizationRepository;
}

public function buildSelectRaaInstitutionAuthorizationContext(IdentityId $actorId): InstitutionAuthorizationContext
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💯 for splitting up the contexts

@MKodde MKodde merged commit a6d03f6 into release/5.1 Feb 26, 2024
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pablothedude pablothedude pablothedude approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@MKodde @pablothedude