Combine User and UserTokenContext for user-backed identities in requests
#15757
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
facutuesca
commented
Apr 11, 2024
| @@ -104,7 +104,7 @@ class RequestUser(Caveat): | |||
| user_id: StrictStr | |||
|
|
|||
| def verify(self, request: Request, context: Any, permission: str) -> Result: | |||
| if not isinstance(request.identity, UserTokenContext): | |||
| if not isinstance(request.identity, UserContext): | |||
| return Failure("token with user restriction without a user") | |||
|
|
|||
There was a problem hiding this comment.
Should there be a new extra check here?:
if request.identity.macaroon is None:
return Failure("token with user restriction without a macaroon")or will that never happen?
There was a problem hiding this comment.
I think this can't happen, since the only place we end up checking the caveats is in MacaroonSecurityPolicy.permits, where request.identity will invariably either be an PublisherTokenContext or a UserContext that always has its macaroon set.
That being said, I see no harm in it as a sanity check either 🙂.
facutuesca
changed the title
User and UserTokenContext for user-backed identities
facutuesca
changed the title
User and UserTokenContext for user-backed identitiesUser and UserTokenContext for user-backed identities in requests
facutuesca
force-pushed
the
combine-request-identity-user
branch
2 times, most recently
from
45cf7cb
to
4cc055f
Compare
We have three types that a request.identity can be: - `User`: when the identity is a user backed by a login session - `UserTokenContext`: when the identity is a user backed by an API token (i.e. macaroon) - `PublisherTokenContext`: when the identity is an OIDCPublisher backed by an API token Of these, User and UserTokenContext are confusable and prone to error. This change collapses them into a single UserContext type.
facutuesca
force-pushed
the
combine-request-identity-user
branch
from
4cc055f
to
d3bf7f2
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #15748.
We have three types that a
request.identitycan be:User: when the identity is a user backed by a login sessionUserTokenContext: when the identity is a user backed by an API token (i.e. macaroon)PublisherTokenContext: when the identity is anOIDCPublisherbacked by an API tokenOf these,
UserandUserTokenContextare confusable and prone to error.This PR collapses them into a single
UserContexttype.cc @woodruffw @di