Jarupatj/wildcardissue#576
Closed
jarupatj wants to merge 7 commits into
Closed
Conversation
jarupatj
requested review from
Aniruddh25,
JelteF,
Mathos1432,
aaronburtle,
aaronpowell,
abhishekkumams,
ayush3797,
gledis69,
junsu0ms,
mbhaskar,
milismsft,
seantleonard,
swviswan and
tarazou9
as code owners
Contributor
Author
|
This change will be merged with #577 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
close #572
Issue
#544 change caused a regression in wildcard handling. Entity with actions that contains wildcard will cause the hawaii engine failure to start.
Why are we not catching this issue earlier? Why did the existing test not catch this issue?
We have 2 tests related to wildcard action
TestWildcardResolvesAsAllActions
TestWildcardPolicyResolvesToEmpty
However, these 2 tests generate an actions configuration that looks like this
This actions configuration is an array of JSON object.
However, the issue happen when we have a wildcard that is an array of string
"actions": ["*"]We are handling array of object and array of string differently. That's why the test did not catch this issue.
Fix
The fix for this issue is to expand the wildcard action to actual explicit action in Authorization internal data structure.
We look up if the action is permitted using actual action name not wildcard.
For example, does this role have a permission to UPDATE an entity or not. We are not asking if this role have a WILDCARD permission to this entity or not. During runtime, we know exactly what action we would like to use.
As a result, I think it is better to remove wildcard action from Authorization internal data structure and replace it with actual action. It will also remove special wildcard checks that we have around authZ.
Minor fixes included in this change are
Test
I modified these 2 test - TestWildcardResolvesAsAllActions, TestWildcardPolicyResolvesToEmpty
to address wildcard input correctly.
I also add tests in Authorization Unittest to verify that we expand wildcard to explicit action correctly.