Feature read restriction #41

Merged
merged 25 commits into from
Jun 17, 2024

Collaborator

@Akopti8 Akopti8 commented May 16, 2024

Add read restriction to endpoints that can be accessed by allUsers.

@Akopti8 Akopti8 requested a review from ShaneMPutnam May 16, 2024 14:46
Base automatically changed from bug-list-size-overload to main June 12, 2024 19:53
Member

@ShaneMPutnam ShaneMPutnam left a comment

Looks good overall! I made the following changes: e93254e and provided some inline comments. Please also:

  • Update the example env with the new AUTH_LIMITED_READER_ROLE variable
  • Update postman or add an issue to do so, since the check_user_permission endpoint is missing
  • Double check error messages to make sure you are being consistent with calling things objects versus keys.

@Akopti8 Akopti8 requested a review from ShaneMPutnam June 14, 2024 18:03
Member

@ShaneMPutnam ShaneMPutnam left a comment

Getting close, just 3 comments

@@ -323,6 +323,14 @@ func (bh *BlobHandler) HandleCheckS3UserPermission(c echo.Context) error {
log.Info("Checked user permissions successfully")
return c.JSON(http.StatusOK, true)
}
initAuth := os.Getenv("INIT_AUTH")

if initAuth == "0" {
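
Review bot: at `if initAuth == "0"`, `INIT_AUTH` is read with `os.Getenv` inside the handler on every request, directly after a branch that has already returned `true`, and nothing in the hunk says how this switch differs from the condition guarding that earlier return. Add a one-line comment stating what `INIT_AUTH` controls, and consider reading it once at startup into the handler's configuration so the value cannot differ between requests. The exact comparison with `"0"` means an unset or mistyped value does not take this branch; the comment should say whether that is the intended default.
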
Member

I am not sure how this would ever be true? If initAuth == "0" then line 324 would have already returned

Collaborator Author

This is the new init auth that will turn on and off auth in general, not the auth level which indicates whether we want FGAC or not. This is because when auth is turned off we can't get the user email from the claims which would break this endpoint.
I've just added checks to two other functions that are used in endpoints that require the claims.

errMsg := fmt.Errorf("request must include a `delimiter`, options are `true` or `false`")
log.Error(errMsg.Error())
return c.JSON(http.StatusUnprocessableEntity, errMsg.Error())

}
if delimiter && !strings.HasSuffix(prefix, "/") {
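
Review bot: the condition `delimiter && !strings.HasSuffix(prefix, "/")` is also true when `prefix` is empty, because `strings.HasSuffix("", "/")` is false, so a listing of the root takes this branch too. If the branch appends a `/`, guard it with `prefix != ""` or handle the root case explicitly. As a smaller point, the `fmt.Errorf` call at the top of this region has no format verbs, so `errors.New` is the idiomatic choice.
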
Member

Why don't you also need to do this in the detailed version of this function?

Collaborator Author

It was because of the root directory check but I just added a tertiary check to see if the prefix is empty we don't add a '/' and added it for both of them. Thanks!

@Akopti8 Akopti8 requested a review from ShaneMPutnam June 17, 2024 17:17
@@ -76,7 +76,8 @@ func (bh *BlobHandler) HandleListByPrefix(c echo.Context) error {
}

}
if delimiter && !strings.HasSuffix(prefix, "/") {

if delimiter && prefix != "" && !strings.HasSuffix(prefix, "/") {
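
Review bot: the new `prefix != ""` guard carries no comment saying that an empty prefix is the root listing and is deliberately left without a trailing `/`, and no test for that case is visible in this hunk. Add the comment and a test for `delimiter` true with an empty prefix, and consider moving this normalization into one small helper so that every list handler applies the same rule at the same point.
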
Member

Shouldn't this be after CheckAndAdjustPrefix like in the HandleListByPrefixWithDetails? It doesn't make sense that they are in two different places within the function

@Akopti8 Akopti8 requested a review from ShaneMPutnam June 17, 2024 18:30
Member

@ShaneMPutnam ShaneMPutnam left a comment

Approved, thanks!

@ShaneMPutnam ShaneMPutnam merged commit 2726603 into main Jun 17, 2024
1 check passed
@ShaneMPutnam ShaneMPutnam deleted the feature-read-restriction branch June 17, 2024 20:46