This repository has been archived by the owner on Dec 7, 2023. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 3
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat(server): add privileges-based layered API access
This commit builds on top of 411e8e2 to provide a more layered authentication/authorization model, based on the thoughts described in #39. The goal of this commit is to transform the "all-or-nothing" authentication model into one that allows for fine-grained access control _and_ allow unauthenticated access to the system. This creates a more friendly environment for people within an organisation using Automaat for the first time. Instead of shoving them a login dialog in their face on their first visit, the server allows access to all GraphQL queries, to support a client that can show the full capabilities of API. Instead, a new privileges-based system is implemented that restricts GraphQL mutation access based on a set of matching rules where each mutation requires a specific privilege to be granted to a session. For tasks, each task can define one or more labels, for which at least one must match a session's privileges in order to run that task. If a task defines no labels, the task can be run by unauthenticated sessions. This allows for patterns where simple side-effect-free tasks can be used by anyone in the organisation to retrieve vital information via Automaat, without having to authenticate.
- Loading branch information
Showing
18 changed files
with
348 additions
and
34 deletions.
There are no files selected for viewing
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
2 changes: 2 additions & 0 deletions
2
src/server/migrations/2019-07-22-212737_add_labels_to_tasks_table/down.sql
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
ALTER TABLE tasks DROP COLUMN labels; | ||
DROP FUNCTION automaat_validate_label; |
7 changes: 7 additions & 0 deletions
7
src/server/migrations/2019-07-22-212737_add_labels_to_tasks_table/up.sql
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
ALTER TABLE tasks ADD COLUMN labels Text[] NOT NULL DEFAULT '{}'; | ||
|
||
CREATE FUNCTION automaat_validate_label(txt Text[]) RETURNS boolean AS $$ | ||
SELECT bool_and (str ~ '^[a-z0-9_]+$') FROM unnest(txt) s(str); | ||
$$ IMMUTABLE STRICT LANGUAGE SQL; | ||
|
||
ALTER TABLE tasks ADD CONSTRAINT label_syntax CHECK (automaat_validate_label(labels)); |
2 changes: 2 additions & 0 deletions
2
src/server/migrations/2019-07-23-073237_add_privileges_to_sessions_table/down.sql
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
ALTER TABLE sessions DROP COLUMN privileges; | ||
DROP FUNCTION automaat_validate_privilege; |
7 changes: 7 additions & 0 deletions
7
src/server/migrations/2019-07-23-073237_add_privileges_to_sessions_table/up.sql
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
ALTER TABLE sessions ADD COLUMN privileges Text[] NOT NULL DEFAULT '{}'; | ||
|
||
CREATE FUNCTION automaat_validate_privilege(txt Text[]) RETURNS boolean AS $$ | ||
SELECT bool_and (str ~ '^[a-z0-9_]+$') FROM unnest(txt) s(str); | ||
$$ IMMUTABLE STRICT LANGUAGE SQL; | ||
|
||
ALTER TABLE sessions ADD CONSTRAINT privilege_syntax CHECK (automaat_validate_privilege(privileges)); |
1 change: 1 addition & 0 deletions
1
...r/migrations/2019-07-23-130102_add_token_uniqueness_constraint_to_sessions_table/down.sql
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
ALTER TABLE sessions DROP CONSTRAINT sessions_token_key; |
1 change: 1 addition & 0 deletions
1
...ver/migrations/2019-07-23-130102_add_token_uniqueness_constraint_to_sessions_table/up.sql
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
ALTER TABLE sessions ADD UNIQUE (token); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.