Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(webapi): Require base service provider scope on search endpoint #1476

Merged
merged 6 commits into from
Nov 19, 2024

Conversation

oskogstad
Copy link
Collaborator

@oskogstad oskogstad commented Nov 15, 2024

Description

Related Issue(s)

Verification

  • Your code builds clean without any errors or warnings
  • Manual testing done (required)
  • Relevant automated test added (if you find this hard, leave it and we'll help out)

Documentation

  • Documentation is updated (either in docs-directory, Altinnpedia or a separate linked PR in altinn-studio-docs., if applicable)

Summary by CodeRabbit

  • New Features
    • Enhanced authorization logic for the ServiceProviderSearch policy, improving specificity and security.
  • Bug Fixes
    • Refined error handling during initialization to ensure valid settings are used.

@oskogstad oskogstad requested a review from a team as a code owner November 15, 2024 13:41
Copy link
Contributor

coderabbitai bot commented Nov 15, 2024

📝 Walkthrough

Walkthrough

The changes in this pull request primarily involve the AuthorizationOptionsSetup class in two files, focusing on the Configure method. The definition of the AuthorizationPolicy.ServiceProviderSearch has been modified to combine it with the ServiceProvider policy retrieved via options.GetPolicy(AuthorizationPolicy.ServiceProvider)! instead of the default policy. This adjustment refines the construction of the ServiceProviderSearch policy while maintaining the overall structure and error handling of the method.

Changes

File Path Change Summary
src/Digdir.Domain.Dialogporten.GraphQL/Common/Authorization/AuthorizationOptionsSetup.cs Modified Configure method to change how ServiceProviderSearch policy is defined.
src/Digdir.Domain.Dialogporten.WebApi/Common/Authorization/AuthorizationOptionsSetup.cs Updated Configure method to combine ServiceProviderSearch policy with ServiceProvider policy.

Possibly related PRs

Suggested reviewers

  • arealmaas: Suggested reviewer for the changes made in the AuthorizationOptionsSetup class.

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share
🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

  • Review comments: Directly reply to a review comment made by CodeRabbit. Example:
    • I pushed a fix in commit <commit_id>, please review it.
    • Generate unit testing code for this file.
    • Open a follow-up GitHub issue for this discussion.
  • Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
    • @coderabbitai generate unit testing code for this file.
    • @coderabbitai modularize this function.
  • PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
    • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
    • @coderabbitai read src/utils.ts and generate unit testing code.
    • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
    • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

  • @coderabbitai pause to pause the reviews on a PR.
  • @coderabbitai resume to resume the paused reviews.
  • @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
  • @coderabbitai full review to do a full review from scratch and review all the files again.
  • @coderabbitai summary to regenerate the summary of the PR.
  • @coderabbitai resolve resolve all the CodeRabbit review comments.
  • @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
  • @coderabbitai help to get help.

Other keywords and placeholders

  • Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
  • Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
  • Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

  • Visit our Documentation for detailed information on how to use CodeRabbit.
  • Join our Discord Community to get help, request features, and share feedback.
  • Follow us on X/Twitter for updates and announcements.

Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 0

🧹 Outside diff range and nitpick comments (1)
src/Digdir.Domain.Dialogporten.Application/Common/Extensions/ClaimsPrincipalExtensions.cs (1)

32-36: LGTM! Consider extracting scope constants to a shared configuration.

The changes look good:

  • Making ServiceProviderScope private improves encapsulation
  • The new ServiceProviderSearchScope follows consistent naming
  • TODO comment accurately reflects multiple scopes

As mentioned in issue #647, consider extracting these scope constants to a shared auth library or configuration to avoid duplication and maintain consistency across the codebase.

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between cec11e8 and a9d120f.

📒 Files selected for processing (1)
  • src/Digdir.Domain.Dialogporten.Application/Common/Extensions/ClaimsPrincipalExtensions.cs (2 hunks)
🔇 Additional comments (1)
src/Digdir.Domain.Dialogporten.Application/Common/Extensions/ClaimsPrincipalExtensions.cs (1)

Line range hint 248-252: LGTM! Verify scope usage in authentication middleware.

The changes correctly address the 403 error by allowing either ServiceProviderScope or ServiceProviderSearchScope to grant ServiceOwner access.

Let's verify that these are the only places where the scopes are used:

✅ Verification successful

Let me gather more information about the scope usage in authorization checks.


LGTM! The scope usage is consistent across the codebase.

The verification confirms that both scopes (ServiceProviderScope and ServiceProviderSearchScope) are properly handled:

  • Both scopes are defined as constants in WebApi and GraphQL authorization policies
  • Authorization middleware correctly configures distinct policies for each scope
  • The GetUserType method's changes align with the authorization setup, granting ServiceOwner access for either scope
  • No inconsistencies found in scope usage across the codebase
🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for other usages of the service provider scopes
# to ensure consistent handling across the codebase

# Search for any references to the scopes
rg -i "dialogporten\.serviceprovider"

# Search for scope-based authorization checks
ast-grep --pattern 'HasScope($scope)'

Length of output: 5788


Script:

#!/bin/bash
# Search for HasScope method usage with context
rg -A 3 "HasScope\(" 

# Search for authorization policy configurations
rg -A 5 "AddAuthorization|RequireScope"

Length of output: 12351

@oskogstad oskogstad changed the title fix(webapi): SO search returns 403 when using search scope only fix(webapi): SO search returns 403 when using search scope Nov 15, 2024
elsand
elsand previously requested changes Nov 18, 2024
Copy link
Member

@elsand elsand left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ref prat på Slack

@oskogstad oskogstad requested a review from elsand November 18, 2024 16:21
@oskogstad oskogstad dismissed elsand’s stale review November 18, 2024 16:27

Ref. Slack, keeping scopes separate for .search

@oskogstad oskogstad changed the title fix(webapi): SO search returns 403 when using search scope fix(webapi): Require base service provider scope on search endpoint Nov 19, 2024
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 0

🧹 Outside diff range and nitpick comments (2)
src/Digdir.Domain.Dialogporten.WebApi/Common/Authorization/AuthorizationOptionsSetup.cs (1)

38-39: LGTM! Consider adding documentation about policy inheritance.

The change correctly implements the authorization hierarchy by requiring both ServiceProvider and ServiceProviderSearch scopes. This makes sense from a security perspective as search capabilities should be restricted to authenticated service providers.

Consider adding a comment to document the policy inheritance chain for clarity:

 options.AddPolicy(AuthorizationPolicy.ServiceProviderSearch, builder => builder
+    // Inherits: DefaultPolicy -> ServiceProvider -> ServiceProviderSearch
     .Combine(options.GetPolicy(AuthorizationPolicy.ServiceProvider)!)
     .RequireScope(AuthorizationScope.ServiceProviderSearch));
src/Digdir.Domain.Dialogporten.GraphQL/Common/Authorization/AuthorizationOptionsSetup.cs (1)

42-43: Consider adding a code comment explaining the policy inheritance.

While the code is correct, adding a comment would help future maintainers understand why ServiceProviderSearch specifically inherits from ServiceProvider rather than using the default policy.

+            // ServiceProviderSearch must inherit ServiceProvider policy to ensure proper authorization context
             .Combine(options.GetPolicy(AuthorizationPolicy.ServiceProvider)!)
📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between a9d120f and 87dac11.

📒 Files selected for processing (2)
  • src/Digdir.Domain.Dialogporten.GraphQL/Common/Authorization/AuthorizationOptionsSetup.cs (1 hunks)
  • src/Digdir.Domain.Dialogporten.WebApi/Common/Authorization/AuthorizationOptionsSetup.cs (1 hunks)
🔇 Additional comments (1)
src/Digdir.Domain.Dialogporten.GraphQL/Common/Authorization/AuthorizationOptionsSetup.cs (1)

42-43: LGTM! The authorization policy change correctly addresses the 403 issue.

The modification to combine ServiceProviderSearch with ServiceProvider policy instead of the default policy is the right approach, as it ensures that search operations inherit all necessary permissions from the service provider context.

Let's verify the authorization scopes are properly defined:

✅ Verification successful

Authorization scopes and policies are correctly defined and consistently used across both WebAPI and GraphQL

The verification confirms:

  • ServiceProviderSearch scope is properly defined as "digdir:dialogporten.serviceprovider.search"
  • Both WebAPI and GraphQL implementations consistently:
    • Combine ServiceProviderSearch policy with ServiceProvider policy
    • Require the correct scope for authorization
  • The policy inheritance structure matches between both implementations, ensuring consistent behavior
🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the AuthorizationScope definitions and usage
# Expected: Find definitions of ServiceProvider and ServiceProviderSearch scopes
# and their usage in authorization policies

# Search for scope definitions
echo "=== Searching for scope definitions ==="
rg -A 1 "AuthorizationScope\." --type cs

# Search for policy usage
echo "=== Searching for policy usage ==="
rg -A 2 "ServiceProviderSearch|ServiceProvider.*scope" --type cs

Length of output: 13808

@oskogstad oskogstad merged commit 8c41f3d into main Nov 19, 2024
26 checks passed
@oskogstad oskogstad deleted the fix/so-search-with-correct-scope-results-in-forbidden branch November 19, 2024 13:27
arealmaas pushed a commit that referenced this pull request Nov 19, 2024
🤖 I have created a release *beep* *boop*
---


##
[1.36.0](v1.35.0...v1.36.0)
(2024-11-19)


### Features

* **azure:** create azure monitor workspace
([#1485](#1485))
([da0aa8f](da0aa8f))


### Bug Fixes

* **app:** Error details missing when user type is unknown
([#1493](#1493))
([9fbd2cf](9fbd2cf))
* **azure:** enable public access for azure monitor
([#1496](#1496))
([b0d5794](b0d5794))
* **azure:** ensure monitor workspace is reachable
([#1494](#1494))
([dc7fc1f](dc7fc1f))
* **webapi:** Require base service provider scope on search endpoint
([#1476](#1476))
([8c41f3d](8c41f3d))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants