fix(rbac): lowercase user and group entity references #1937

dzemanov · 2024-11-15T11:57:16Z

Hey, I just made a Pull Request!

Roles and permissions are not applied correctly when users or groups contain uppercase.
Auth can return lowercased sub and lowercased ownershipEntityRefs, which means we are not getting matches when comparing with casbin_rule v0 that has original references that could contain uppercase, or possibly in other places, like 1, 2
Entity references are case insensitive.
Entity references are saved in relations_table in lowercase.

This change:

migrates users and groups to lowercase in casbin_rule v0
lowercases users and groups in user inputs so we are always working with lowercase (can confuse users when we will refer to their inputs in lowercase)
Still left to do: conditions

How to test

Login as a user with a username containing uppercase - in all example queries/data, please change user:default/User to your user.

1. Add to Catalog locations a file with these users/groups

apiVersion: backstage.io/v1alpha1
kind: Group
metadata:
 name: group-A
spec:
 type: team
 children: ["group-B"]
---
apiVersion: backstage.io/v1alpha1
kind: Group
metadata:
 name: group-B
spec:
 type: team
 children: []
---
apiVersion: backstage.io/v1alpha1
kind: Group
metadata:
 name: group-e
spec:
 type: team
 children: []
---
apiVersion: backstage.io/v1alpha1
kind: User
metadata:
 name: User
spec:
 memberOf:
   - group-B

    - type: file
      target: /path/to/entities.yaml
      rules:
        - allow: [User, Group]

2. Test Config

permission:
enabled: true
rbac:
 pluginsWithPermission:
   - catalog
   - permission
   - scaffolder
 admin:
   users:
     - name: user:default/User

You should be able to see RBAC page

3. Test API

Create role:

curl -X POST "http://localhost:7007/api/permission/roles" -d '{ "memberReferences":  ["group:default/group-B" ], "name": "role:default/Test" }' -H "Content-Type: application/json" -H "Authorization: Bearer $token"

Create permissions:

curl -X POST "http://localhost:7007/api/permission/policies" -d '[{"entityReference": "role:default/Test", "permission": "catalog-entity", "policy": "update", "effect":"allow"}]' -H "Content-Type: application/json" -H "Authorization: Bearer $token"

curl -X POST "http://localhost:7007/api/permission/policies" -d '[{"entityReference": "role:default/Test", "permission": "catalog-entity", "policy": "delete", "effect":"allow"}]' -H "Content-Type: application/json" -H "Authorization: Bearer $token"

curl -X POST "http://localhost:7007/api/permission/policies" -d '[{"entityReference": "role:default/Test", "permission": "catalog.entity.create", "policy": "create", "effect":"allow"}]' -H "Content-Type: application/json" -H "Authorization: Bearer $token"

You should be able to create and delete Catalog entities.

Update role:

curl -X PUT "http://localhost:7007/api/permission/roles/role/default/Test" -d '{ "oldRole": { "memberReferences":  [ "group:default/group-B" ], "name": "role:default/Test" }, "newRole": { "name": "role:default/Test", "memberReferences": [ "user:default/User", "group:default/group-e" ] } }' -H "Content-Type: application/json" -H "Authorization: Bearer $token"

DELETE your user from role:

curl -X DELETE "http://localhost:7007/api/permission/roles/role/default/Test?memberReferences=user:default/User" -H "Content-Type: application/json" -H "Authorization: Bearer $token"

4. Test csv

Create uppercase.csv:

p, role:default/test-Delete, catalog-entity, delete, allow
g, group:default/group-A, role:default/test-Delete
p, role:default/test-Create, catalog.entity.create, create, allow
p, role:default/test-Create, catalog.location.create, create, allow
g, group:default/group-e, role:default/test-Create
g, group:default/group-B, role:default/test-Create

Add to app-config.yaml:

permission:
 enabled: true
 rbac:
   policies-csv-file: path/to/uppercase.csv

Confirm your User can delete and create entities.
You can add csv reload:

permission:
 enabled: true
 rbac:
   policies-csv-file: path/to/uppercase.csv
   policyFileReload: true

And change uppercase.csv to for example:

p, role:default/test-Changed, catalog-entity, delete, allow
g, user:default/User, role:default/test-Changed
p, role:default/test-Create, catalog.entity.create, create, allow
g, group:default/group-e, role:default/test-Create

2. Test Migration

Run the old code to populate database with uppercase users/groups.
You can use csv file for this, for example:

p, role:default/test-Delete, catalog-entity, delete, allow
g, group:default/group-A, role:default/test-Delete
g, group:default/group-e, role:default/test-Delete
g, user:default/User, role:default/test-Delete
p, role:default/test-ok, catalog-entity.create, create, allow

Go back to this branch.
Change knexfile.js to your database, e.g:

module.exports = {
  client: pg,
  connection: {
    host: '127.0.0.1',
    port: 5432,
    user: USER,
    password: PASSWORD,
  },
  useNullAsDefault: true,
  migrations: {
    directory: './migrations',
  },
};

Apply migrations:

yarn knex migrate:latest --knexfile /path/to/rbac-backend/knexfile.js

Verify casbin_rule v0 column has now lowercased users and groups, but roles stayed the same (e.g test-Delete)

✔️ Checklist

A changeset describing the change and affected packages. (more info)
Added or updated documentation
Tests for new functionality and regression tests for bug fixes
Screenshots attached (for UI changes)
All your commits have a Signed-off-by line in the message. (more info)

backstage-goalie · 2024-11-15T11:57:44Z

Changed Packages

Package Name	Package Path	Changeset Bump	Current Version
@backstage-community/plugin-rbac-backend	workspaces/rbac/plugins/rbac-backend	minor	`v5.2.9`

dzemanov · 2024-11-18T13:16:15Z

We will need to also lowercase users and groups in claims in conditional policies.

dzemanov · 2024-11-20T13:38:24Z

/cc @AndrienkoAleksandr @PatAKnight

PatAKnight · 2024-11-22T13:04:10Z

@dzemanov I am not certain that we need to lowercase users and groups for conditional policy claims. I was testing a variety of scenarios and it seems like whether I used my GitHub username as is or all lowercase, the conditional policy would still work for me. Could you share an example of where it didn't work for you?

AndrienkoAleksandr · 2024-11-28T11:58:41Z

Your current changes looks good to me, but I think you also need to handle upperCases for test cases:

user provided user or group entity reference with help of REST API( via curl or postman...)
user provider user entity reference with help of application config(permission/rbac/admin/users)

dzemanov · 2024-12-02T11:41:08Z

2024-12-02.12-25-33.mp4

@PatAKnight it would be amazing if we don't have to lowercase users and groups for conditional policy claims. Demo for using lowercase as opposed to uppercase:

PatAKnight · 2024-12-03T13:15:36Z

Yeah, let me try it again. I was using the GitHub auth provider with the usernameMatchingUserEntityName sign in resolver. Maybe the different auth providers also handle lowercase / uppercase differently?

awanlin

Hi @dzemanov, thanks for the contribution, you'll need to add a change set so that these changes get released, details on that are here: https://github.com/backstage/community-plugins/blob/main/CONTRIBUTING.md#creating-changesets

Also left one small optional comment 👍

workspaces/rbac/plugins/rbac-backend/__fixtures__/data/invalid-csv/duplicate-policy.csv

awanlin · 2024-12-06T18:42:58Z

Hi @AndrienkoAleksand, @divyanshiGupta, @PatAKnight, as owners of this plugin can you please review this PR? Once one of you have then I'm fine with hitting merge if you can't 👍

awanlin · 2024-12-20T13:08:39Z

Waiting for the owners to review and approve 👍

dzemanov · 2025-01-03T16:07:55Z

Waiting on #2166 to be merged first.

Signed-off-by: Dominika Zemanovicova <dzemanov@redhat.com>

workspaces/rbac/plugins/rbac-backend/src/file-permissions/lowercase-file-adapter.ts

workspaces/rbac/plugins/rbac-backend/src/helper.ts

Signed-off-by: Dominika Zemanovicova <dzemanov@redhat.com> Co-authored-by: Oleksandr Andriienko <oandriie@redhat.com> Signed-off-by: Dominika Zemanovicova <dzemanov@redhat.com>

AndrienkoAleksandr

Tested, works like expected. Gread job, @dzemanov!

AndrienkoAleksandr · 2025-01-20T13:34:57Z

@awanlin, ping. I think @dzemanov handled code review feedback.

04kash

All requested changes were made, plugin owners have approved

Dismissing review as changeset was added

* Introduce LowercaseFileAdapter Signed-off-by: Dominika Zemanovicova <dzemanov@redhat.com> * Introduce transformPolicyGroupToLowercase Signed-off-by: Dominika Zemanovicova <dzemanov@redhat.com> * Introduce transformRolesGroupToLowercase Signed-off-by: Dominika Zemanovicova <dzemanov@redhat.com> * Convert uppercase groups to lowecase in csv watcher Signed-off-by: Dominika Zemanovicova <dzemanov@redhat.com> * Convert uppercase groups to lowercase in providers Signed-off-by: Dominika Zemanovicova <dzemanov@redhat.com> * Add v0 migration of users groups to lowercase Signed-off-by: Dominika Zemanovicova <dzemanov@redhat.com> * Update lowercase-file-adapter reference Signed-off-by: Dominika Zemanovicova <dzemanov@redhat.com> * Fix prettier Signed-off-by: Dominika Zemanovicova <dzemanov@redhat.com> * Introduce lowercasing memberReferences in role endpoints Signed-off-by: Dominika Zemanovicova <dzemanov@redhat.com> * Lowercase admins entityRef from config Signed-off-by: Dominika Zemanovicova <dzemanov@redhat.com> * Fix uppercase role Signed-off-by: Dominika Zemanovicova <dzemanov@redhat.com> * Fix delete of role user Signed-off-by: Dominika Zemanovicova <dzemanov@redhat.com> * Catch invalid calls to enforcer delegate Signed-off-by: Dominika Zemanovicova <dzemanov@redhat.com> * Fix return type of mock implementation Signed-off-by: Dominika Zemanovicova <dzemanov@redhat.com> * Add newline to duplicate-policy.csv Signed-off-by: Dominika Zemanovicova <dzemanov@redhat.com> * Add changeset Signed-off-by: Dominika Zemanovicova <dzemanov@redhat.com> * Unify lowecasing Signed-off-by: Dominika Zemanovicova <dzemanov@redhat.com> Co-authored-by: Oleksandr Andriienko <oandriie@redhat.com> Signed-off-by: Dominika Zemanovicova <dzemanov@redhat.com> --------- Signed-off-by: Dominika Zemanovicova <dzemanov@redhat.com> Co-authored-by: Oleksandr Andriienko <oandriie@redhat.com>

dzemanov requested a review from a team as a code owner November 15, 2024 11:57

dzemanov requested a review from awanlin November 15, 2024 11:57

dzemanov marked this pull request as draft November 15, 2024 11:57

dzemanov force-pushed the fix-uppercase-entityrefs branch from 844aca2 to 0706751 Compare November 18, 2024 12:56

dzemanov force-pushed the fix-uppercase-entityrefs branch from 0706751 to daf4794 Compare December 2, 2024 09:59

dzemanov force-pushed the fix-uppercase-entityrefs branch from daf4794 to 31da182 Compare December 2, 2024 11:49

dzemanov force-pushed the fix-uppercase-entityrefs branch from de2e8db to 0c9a136 Compare December 6, 2024 13:03

dzemanov marked this pull request as ready for review December 6, 2024 15:42

dzemanov requested a review from christoph-jerolimov as a code owner December 6, 2024 15:42

awanlin previously requested changes Dec 6, 2024

View reviewed changes

workspaces/rbac/plugins/rbac-backend/__fixtures__/data/invalid-csv/duplicate-policy.csv Outdated Show resolved Hide resolved

dzemanov force-pushed the fix-uppercase-entityrefs branch 2 times, most recently from 0a990a5 to 82a9d70 Compare December 11, 2024 10:58

dzemanov force-pushed the fix-uppercase-entityrefs branch from 82a9d70 to 76799b8 Compare January 2, 2025 07:39

awanlin mentioned this pull request Jan 7, 2025

fix(rbac): use loadPolicy to keep in sync enforcer for edit operations #2166

Merged

5 tasks

dzemanov force-pushed the fix-uppercase-entityrefs branch from 76799b8 to b93415f Compare January 15, 2025 08:17

dzemanov requested review from AndrienkoAleksandr and PatAKnight as code owners January 15, 2025 08:17

dzemanov added 3 commits January 16, 2025 11:09

Introduce LowercaseFileAdapter

4b2d65a

Signed-off-by: Dominika Zemanovicova <dzemanov@redhat.com>

Introduce transformPolicyGroupToLowercase

6e7d237

Signed-off-by: Dominika Zemanovicova <dzemanov@redhat.com>

Introduce transformRolesGroupToLowercase

3fe0df3

Signed-off-by: Dominika Zemanovicova <dzemanov@redhat.com>

dzemanov added 13 commits January 16, 2025 11:09

Convert uppercase groups to lowecase in csv watcher

8a9b580

Signed-off-by: Dominika Zemanovicova <dzemanov@redhat.com>

Convert uppercase groups to lowercase in providers

3adca1e

Signed-off-by: Dominika Zemanovicova <dzemanov@redhat.com>

Add v0 migration of users groups to lowercase

611d13c

Signed-off-by: Dominika Zemanovicova <dzemanov@redhat.com>

Update lowercase-file-adapter reference

0b4d4ef

Signed-off-by: Dominika Zemanovicova <dzemanov@redhat.com>

Fix prettier

e28d655

Signed-off-by: Dominika Zemanovicova <dzemanov@redhat.com>

Introduce lowercasing memberReferences in role endpoints

8ede9c0

Signed-off-by: Dominika Zemanovicova <dzemanov@redhat.com>

Lowercase admins entityRef from config

99bdd6c

Signed-off-by: Dominika Zemanovicova <dzemanov@redhat.com>

Fix uppercase role

c65b9b1

Signed-off-by: Dominika Zemanovicova <dzemanov@redhat.com>

Fix delete of role user

2fc49c2

Signed-off-by: Dominika Zemanovicova <dzemanov@redhat.com>

Catch invalid calls to enforcer delegate

8871523

Signed-off-by: Dominika Zemanovicova <dzemanov@redhat.com>

Fix return type of mock implementation

88955bf

Signed-off-by: Dominika Zemanovicova <dzemanov@redhat.com>

Add newline to duplicate-policy.csv

6acbdfc

Signed-off-by: Dominika Zemanovicova <dzemanov@redhat.com>

Add changeset

4968b28

Signed-off-by: Dominika Zemanovicova <dzemanov@redhat.com>

dzemanov force-pushed the fix-uppercase-entityrefs branch from b93415f to 4968b28 Compare January 16, 2025 10:15

AndrienkoAleksandr reviewed Jan 16, 2025

View reviewed changes

workspaces/rbac/plugins/rbac-backend/src/file-permissions/lowercase-file-adapter.ts Outdated Show resolved Hide resolved

AndrienkoAleksandr reviewed Jan 16, 2025

View reviewed changes

workspaces/rbac/plugins/rbac-backend/src/helper.ts Outdated Show resolved Hide resolved

Unify lowecasing

e5a8813

Signed-off-by: Dominika Zemanovicova <dzemanov@redhat.com> Co-authored-by: Oleksandr Andriienko <oandriie@redhat.com> Signed-off-by: Dominika Zemanovicova <dzemanov@redhat.com>

AndrienkoAleksandr approved these changes Jan 16, 2025

View reviewed changes

AndrienkoAleksandr enabled auto-merge (squash) January 21, 2025 14:57

04kash approved these changes Jan 21, 2025

View reviewed changes

04kash requested a review from awanlin January 21, 2025 15:10

AndrienkoAleksandr merged commit 53daff0 into backstage:main Jan 21, 2025
11 checks passed

dzemanov mentioned this pull request Feb 7, 2025

Org Member: dzemanov backstage/community#175

Open

1 task

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(rbac): lowercase user and group entity references #1937

fix(rbac): lowercase user and group entity references #1937

dzemanov commented Nov 15, 2024 •

edited

Loading

backstage-goalie bot commented Nov 15, 2024 •

edited

Loading

dzemanov commented Nov 18, 2024

dzemanov commented Nov 20, 2024

PatAKnight commented Nov 22, 2024

AndrienkoAleksandr commented Nov 28, 2024

dzemanov commented Dec 2, 2024

PatAKnight commented Dec 3, 2024

awanlin left a comment

awanlin commented Dec 6, 2024

awanlin commented Dec 20, 2024

dzemanov commented Jan 3, 2025

AndrienkoAleksandr left a comment

AndrienkoAleksandr commented Jan 20, 2025 •

edited

Loading

04kash left a comment

fix(rbac): lowercase user and group entity references #1937

fix(rbac): lowercase user and group entity references #1937

Conversation

dzemanov commented Nov 15, 2024 • edited Loading

Hey, I just made a Pull Request!

How to test

✔️ Checklist

backstage-goalie bot commented Nov 15, 2024 • edited Loading

Changed Packages

dzemanov commented Nov 18, 2024

dzemanov commented Nov 20, 2024

PatAKnight commented Nov 22, 2024

AndrienkoAleksandr commented Nov 28, 2024

dzemanov commented Dec 2, 2024

PatAKnight commented Dec 3, 2024

awanlin left a comment

Choose a reason for hiding this comment

awanlin commented Dec 6, 2024

awanlin commented Dec 20, 2024

dzemanov commented Jan 3, 2025

AndrienkoAleksandr left a comment

Choose a reason for hiding this comment

AndrienkoAleksandr commented Jan 20, 2025 • edited Loading

04kash left a comment

Choose a reason for hiding this comment

dzemanov commented Nov 15, 2024 •

edited

Loading

backstage-goalie bot commented Nov 15, 2024 •

edited

Loading

AndrienkoAleksandr commented Jan 20, 2025 •

edited

Loading