
Caching of system users authorization details are broken #1363

Closed
elsand opened this issue Oct 31, 2024 · 0 comments
Labels: bug (Something isn't working)

elsand commented Oct 31, 2024

Description

When generating cache keys for system users, the system user id is not part of the list of identifiable claims on which the key is based

Reproduction

  1. Perform a request to a dialog, using a system user that has been granted access to the dialog, owned by the same organization (consumer/supplier)
  2. Perform a request to a dialog, using a different system user that has NOT been granted access to the dialog, owned by the same organization (consumer/supplier)

Expected behavior

  1. OK
  2. Unauthorized

Actual behavior

  1. OK
  2. OK

Additional information

The two requests will have identical cache keys, causing the second request to hit the cache for the PDP call. This is a security issue, but mitigated by the fact that it must be owned by the same organization.

@elsand elsand added the bug Something isn't working label Oct 31, 2024
@elsand elsand self-assigned this Oct 31, 2024
elsand added a commit that referenced this issue Oct 31, 2024
## Description

This adds a check to include the system user id in the list of
identifiable claims, which is in turn used to generate a cache key for
authorization requests on dialog details accesses.

## Related Issue(s)

- #1363

## Verification

- [x] **Your** code builds clean without any errors or warnings
- [x] Manual testing done (required)
- [x] Relevant automated test added (if you find this hard, leave it and we'll help out)


## Summary by CodeRabbit

- **New Features**
  - Introduced methods to simplify the retrieval of system user IDs from claims.
  - Enhanced claims processing to include system user identifiers from authorization details.

- **Bug Fixes**
  - Streamlined logic in handling user ID extraction, improving efficiency.

- **Tests**
  - Added a test to verify the correct extraction of system user identifiers from claims.

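As an added illustration of the defect described in the issue and of the fix described in the commit above, the following Python model (not Dialogporten's own code, which is C#) derives an authorization cache key from a principal's claims in two ways: the buggy selector keys only on organisation and scope claims, so two system users of the same organisation collide and the second one reuses the first one's cached PDP decision; the fixed selector also includes the system user id read from the `authorization_details` claim, so the second request reaches the PDP and is denied. The claim names, ids, dialog id and the stand-in PDP are constructed assumptions for the demonstration.

```python
"""Model of an authorization cache keyed on 'identifiable claims' (added example)."""
import hashlib
import json

# Constructed claim sets: two system users belonging to the same organisation.
# Claim names and values are illustrative placeholders, not the project's real claim types.
DIALOG_ID = "dialog-0001"
CLAIMS_SYSTEM_USER_A = {
    "consumer": "org-example-1",
    "supplier": "org-example-1",
    "scope": "digdir:dialogporten",
    "authorization_details": [
        {"type": "urn:altinn:systemuser", "systemuser_id": ["sysuser-aaaa"]},
    ],
}
CLAIMS_SYSTEM_USER_B = {
    "consumer": "org-example-1",
    "supplier": "org-example-1",
    "scope": "digdir:dialogporten",
    "authorization_details": [
        {"type": "urn:altinn:systemuser", "systemuser_id": ["sysuser-bbbb"]},
    ],
}
# The reproduction from the issue: system user A (granted) first, then B (not granted).
REQUESTS = [(CLAIMS_SYSTEM_USER_A, DIALOG_ID), (CLAIMS_SYSTEM_USER_B, DIALOG_ID)]


def system_user_id(claims):
    """Return the system user id carried in authorization_details, or None."""
    for detail in claims.get("authorization_details", []):
        if detail.get("type") == "urn:altinn:systemuser":
            ids = detail.get("systemuser_id") or []
            if ids:
                return ids[0]
    return None


def identifiable_claims_before_fix(claims):
    """Buggy selector: only organisation and scope claims count as identifiable,
    so every system user of the same organisation yields the same list."""
    return sorted((name, claims[name]) for name in ("consumer", "supplier", "scope") if name in claims)


def identifiable_claims_after_fix(claims):
    """Fixed selector: the system user id is added so distinct system users get distinct keys."""
    identifiable = identifiable_claims_before_fix(claims)
    sid = system_user_id(claims)
    if sid is not None:
        identifiable.append(("systemuser_id", sid))
    return sorted(identifiable)


def cache_key(identifiable, dialog_id):
    """Hash the selected claims together with the dialog being accessed."""
    payload = json.dumps({"claims": identifiable, "dialog": dialog_id}, sort_keys=True)
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def pdp_decide(claims, dialog_id):
    """Stand-in PDP (constructed): only system user A has been granted access to the dialog."""
    return "Permit" if system_user_id(claims) == "sysuser-aaaa" else "Deny"


def authorize_with_cache(requests, claim_selector):
    """Run the requests through a PDP cache keyed by the given claim selector;
    return the decision each request ended up with."""
    cache = {}
    decisions = []
    for claims, dialog_id in requests:
        key = cache_key(claim_selector(claims), dialog_id)
        if key not in cache:  # cache miss: ask the PDP and remember the answer
            cache[key] = pdp_decide(claims, dialog_id)
        decisions.append(cache[key])
    return decisions


if __name__ == "__main__":
    print("before fix:", authorize_with_cache(REQUESTS, identifiable_claims_before_fix))
    print("after fix: ", authorize_with_cache(REQUESTS, identifiable_claims_after_fix))
```

The general lesson the model makes visible: an authorization cache is only as safe as its key, so every attribute the PDP's decision depends on (here, the specific system user) has to be part of the key, or a cache hit silently grants one principal another principal's decision.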
@elsand elsand closed this as completed Jan 8, 2025