[v12] Fix authorization rules to the Assistant and UserPreferences service#34090
Merged
jentfoo merged 3 commits intobranch/v12from Nov 6, 2023
Merged
[v12] Fix authorization rules to the Assistant and UserPreferences service#34090jentfoo merged 3 commits intobranch/v12from
jentfoo merged 3 commits intobranch/v12from
Conversation
…29481) * "Add authorization rules to the Assistant and UserPreferences service" This commit introduces authorization rules into the Assistant service to restrict operations based on the authenticated user's role permissions. Now each method in the Assistant service checks if the authenticated user has necessary permissions to perform the requested operation. The permissions are checked via defined RBAC rules. A user requires specific permissions to perform various operations such as creating a conversation, updating a conversation, fetching a user's conversations, deleting a conversation, and adding a message to a conversation. Also, even if a user has necessary permissions, they cannot perform operations for a different user. Each user can only access their own data. * Add missing logger * "Refactor user preferences request handling" This commit refactors how GetUserPreferences and UpsertUserPreferences handle requests. The `username` field is removed from request parameters. Instead of having the client send the user's username in a request, the server now automatically uses the username of the authenticated user making the request. This change improves the security by preventing a user from attempting to fetch or manipulate another user's preferences. Removed tests were specifically testing the old, insecure behavior. * Refactor to use authz.HasBuiltinRole Refactored code in the 'auth_with_roles.go' file to use 'authz.HasBuiltinRole' instead of 'HasBuiltinRole'. This change is in line with recommended practices for deprecation and makes the code more standard and easier to manage. The original 'HasBuiltinRole' function is marked as deprecated and will be removed in future once 'teleport.e' is updated to use 'authz.HasBuiltinRole'. * Reserve removed username again? * Fix UT * Add local user permissions checks in authz This commit introduces two new methods in permissions.go to check if a user is a local user, and if a given action is performed by a local user. These permission checks are then used to replace existing checks in service.go, when performing actions like creating conversation, updating, listing, etc. This simplifies checks and provides a more consolidated and unified method for verifying user actions. * Fix tests * Tweak RBAC * Address review comments * Separate client and server interfaces for user preference services. * Apply core review suggestions * Apply suggestions from code review Co-authored-by: Brian Joerger <bjoerger@goteleport.com> --------- Co-authored-by: joerger <bjoerger@goteleport.com>
jentfoo
added
the
no-changelog
jakule
approved these changes
Nov 3, 2023
zmb3
approved these changes
Nov 6, 2023
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
v12 backport of #29481
This security fix was missed in backporting to v12. Because of the age and branch differences the backport was not straight forward.