Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

actually enforce that Guardian users have at grid_access permission #4271

Merged
merged 1 commit into from May 23, 2024
Merged

actually enforce that Guardian users have at grid_access permission #4271

merged 1 commit into from May 23, 2024

Conversation

twrichards
Copy link
Contributor

@twrichards twrichards commented May 7, 2024
edited

#4270 added logging for users without any permission whilst we can get everybody's permissions in good shape.

What does this change?

This makes use of the hasAnyGridPermission val we created in #4270 for the result of the validateUser function. We also override the showUnauthedMessage function to return a more useful 403 response...
image

NOTE: as with #4270 this should be no-op for other organisations using Grid (since they'll be plugging their own AuthorisationProvider or relying on the default implementation of the key function hasBasicAccess which returns true).

How should a reviewer test this change?

Assuming https://github.com/guardian/permissions/pull/186 is deployed to CODE then deploy this branch to TEST main (or run locally) and experiment accessing grid with and without some form of grid permission (incl. new grid_access permission), observe the logs and you should see something like the image above.

How can success be measured?

adhering better to our security principles guardian/recommendations@b4746d4/README.md#security-principles

Who should look at this?

@guardian/digital-cms @guardian/newsroom-resilience @RichardLe @AndyKilmory @Conalb97

Tested? Documented?

  • locally by committer
  • locally by Guardian reviewer
  • on the Guardian's TEST environment
  • relevant documentation added or amended (if needed)

@github-actions GitHub Actions
Copy link

github-actions bot commented May 7, 2024
edited

Deploy build 12488 to TEST

All deployment options

From guardian/actions-riff-raff.

@twrichards twrichards force-pushed the logging-new-grid_access-permission-in-PermissionsAuthorisationProvider branch from 42c0be5 to 6e9210b Compare May 13, 2024 13:56
Base automatically changed from logging-new-grid_access-permission-in-PermissionsAuthorisationProvider to main May 13, 2024 15:27
@twrichards twrichards marked this pull request as ready for review May 23, 2024 10:46
@twrichards twrichards requested a review from a team as a code owner May 23, 2024 10:46
@twrichards twrichards changed the title actually enforce that Guardian users have at least some level of grid permission actually enforce that Guardian users have at grid_access permission May 23, 2024
@twrichards
Copy link
Contributor Author

twrichards commented May 23, 2024
edited

In #4270 we logged both whether the user accessing has grid_access permission and if not whether they have at least some other level of permission. There was only one user in the last two weeks who had the latter, so this PR actually simplifies to definitely require grid_access permission (see https://github.com/guardian/permissions/pull/186 - noting that grid_access permission is granted automatically based on some group membership)

CC @andrew-nowak given #4270 (review)

@twrichards twrichards enabled auto-merge May 23, 2024 15:15
andrew-nowak
andrew-nowak reviewed May 23, 2024
View reviewed changes
rest-lib/src/main/scala/com/gu/mediaservice/lib/auth/provider/AuthorisationProvider.scala
@@ -31,6 +31,5 @@ trait AuthorisationProvider extends Provider {
*/
def hasPermissionTo(permission: SimplePermission, principal: Principal): Boolean

def hasBasicAccessExplicitly(userEmail: String): Boolean = false // default implementation
def hasAtLeastBasicAccess(userEmail: String): Boolean = true // default implementation
def hasBasicAccess(userEmail: String): Boolean = true // default implementation
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it would make sense to leave this unimplemented with a comment; it should be easy (one-line change) for other (existing or new) organisations to override with true in their implementations if they don't want to do authorisation checks while still making it an explicit decision (and less chance of accidentally leaving open unintentionally)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hmm I did think about that, but didn't want the hassle/delay from other orgs implementing to delay this, after talking with you @andrew-nowak in person, I'll make the breaking change (which requires other orgs to implement in their plugged-in auth code) in a follow-up PR so I can merge this one now...

@twrichards twrichards merged commit 69891ba into main May 23, 2024
1 check passed
@twrichards twrichards deleted the enforce-minimum-permission branch May 23, 2024 15:25
@prout-bot
Copy link

Seen on auth, usage, image-loader, metadata-editor, thrall, leases, cropper, collections, media-api, kahuna (merged by @twrichards 8 minutes and 33 seconds ago) Please check your changes!

@twrichards twrichards mentioned this pull request May 23, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@andrew-nowak andrew-nowak andrew-nowak approved these changes

@blishen blishen Awaiting requested review from blishen

@paperboyo paperboyo Awaiting requested review from paperboyo

@bryophyta bryophyta Awaiting requested review from bryophyta

@KarenFrankel9 KarenFrankel9 Awaiting requested review from KarenFrankel9

Assignees
No one assigned
Labels
Seen-on-auth Seen-on-collections Seen-on-cropper Seen-on-image-loader Seen-on-kahuna Seen-on-leases Seen-on-media-api Seen-on-metadata-editor Seen-on-thrall Seen-on-usage
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@twrichards @prout-bot @andrew-nowak