RBAC: Add OAuth provider scopes separately to fixed:authentication.config:writer (#78202)

Add OAuth provider setting scopes to fixed:authentication writer

* Change SSO Settings api scopes

* Remove unused RBAC Action
Misi 2023-11-16 09:15:51 +01:00 committed by GitHub
parent d641f9153e
commit 7ae0ff1309
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 51 additions and 10 deletions


@ -396,7 +396,6 @@ const (
// Settings scope // Settings scope
ScopeSettingsAll = "settings:*" ScopeSettingsAll = "settings:*"
ScopeSettingsAuth = "settings:auth:*"
ScopeSettingsSAML = "settings:auth.saml:*" ScopeSettingsSAML = "settings:auth.saml:*"
// Team related actions // Team related actions
@ -467,6 +466,10 @@ var (
// Team scope // Team scope
ScopeTeamsID = Scope("teams", "id", Parameter(":teamId")) ScopeTeamsID = Scope("teams", "id", Parameter(":teamId"))
ScopeSettingsOAuth = func(provider string) string {
return Scope("settings", "auth."+provider, "*")
}
// Annotation scopes // Annotation scopes
ScopeAnnotationsRoot = "annotations" ScopeAnnotationsRoot = "annotations"
ScopeAnnotationsProvider = NewScopeProvider(ScopeAnnotationsRoot) ScopeAnnotationsProvider = NewScopeProvider(ScopeAnnotationsRoot)
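Review bot: `ScopeSettingsOAuth` is a new exported identifier with no doc comment, and it is declared as a func-typed variable inside the `var (` block rather than as a top-level function, so godoc will not list it with the package's functions and any code in the package could reassign it at runtime. Prefer a plain declaration with a comment, e.g. `// ScopeSettingsOAuth returns the auth-settings scope for a single OAuth provider, in the same form as ScopeSettingsSAML; provider may be a Parameter placeholder that is resolved when the permission is evaluated.` followed by `func ScopeSettingsOAuth(provider string) string { return Scope("settings", "auth."+provider, "*") }`. The `var (` block that holds the new declaration starts outside the hunk.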


@ -202,19 +202,59 @@ var (
Permissions: []Permission{ Permissions: []Permission{
{ {
Action: ActionSettingsRead, Action: ActionSettingsRead,
Scope: ScopeSettingsAuth, Scope: ScopeSettingsSAML,
}, },
{ {
Action: ActionSettingsWrite, Action: ActionSettingsWrite,
Scope: ScopeSettingsAuth, Scope: ScopeSettingsSAML,
}, },
{ {
Action: ActionSettingsRead, Action: ActionSettingsRead,
Scope: ScopeSettingsSAML, Scope: ScopeSettingsOAuth("azuread"),
}, },
{ {
Action: ActionSettingsWrite, Action: ActionSettingsWrite,
Scope: ScopeSettingsSAML, Scope: ScopeSettingsOAuth("azuread"),
},
{
Action: ActionSettingsRead,
Scope: ScopeSettingsOAuth("okta"),
},
{
Action: ActionSettingsWrite,
Scope: ScopeSettingsOAuth("okta"),
},
{
Action: ActionSettingsRead,
Scope: ScopeSettingsOAuth("github"),
},
{
Action: ActionSettingsWrite,
Scope: ScopeSettingsOAuth("github"),
},
{
Action: ActionSettingsRead,
Scope: ScopeSettingsOAuth("gitlab"),
},
{
Action: ActionSettingsWrite,
Scope: ScopeSettingsOAuth("gitlab"),
},
{
Action: ActionSettingsRead,
Scope: ScopeSettingsOAuth("google"),
},
{
Action: ActionSettingsWrite,
Scope: ScopeSettingsOAuth("google"),
},
{
Action: ActionSettingsRead,
Scope: ScopeSettingsOAuth("generic_oauth"),
},
{
Action: ActionSettingsWrite,
Scope: ScopeSettingsOAuth("generic_oauth"),
}, },
}, },
} }
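Review bot: The six provider names ("azuread", "okta", "github", "gitlab", "google", "generic_oauth") are spelled out twice each in this permission list, and nothing ties them to the set of providers the SSO settings API actually serves; a provider added elsewhere later would presumably be silently unmanageable through this fixed role, and a typo here is invisible until someone is denied. Deriving the read/write pairs from one named slice of providers makes the list the single place to update and gives the role a comment explaining where the names come from. The role definition that owns this `Permissions` field starts outside the hunk, so the `append` below replaces only the OAuth entries shown here.

```go
// ssoProviders lists the OAuth providers whose settings the fixed
// authentication writer role may read and write. Keep this in sync with
// the providers accepted by the SSO settings API.
var ssoProviders = []string{"azuread", "okta", "github", "gitlab", "google", "generic_oauth"}

// ssoSettingsPermissions returns one read and one write permission for every provider in ssoProviders.
func ssoSettingsPermissions() []Permission {
	perms := make([]Permission, 0, 2*len(ssoProviders))
	for _, p := range ssoProviders {
		scope := ScopeSettingsOAuth(p)
		perms = append(perms,
			Permission{Action: ActionSettingsRead, Scope: scope},
			Permission{Action: ActionSettingsWrite, Scope: scope},
		)
	}
	return perms
}

// … unchanged: role fields preceding Permissions …
Permissions: append([]Permission{
	{Action: ActionSettingsRead, Scope: ScopeSettingsSAML},
	{Action: ActionSettingsWrite, Scope: ScopeSettingsSAML},
}, ssoSettingsPermissions()...),
```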


@ -43,13 +43,11 @@ func (api *Api) RegisterAPIEndpoints() {
auth := ac.Middleware(api.AccessControl) auth := ac.Middleware(api.AccessControl)
scopeKey := ac.Parameter(":key") scopeKey := ac.Parameter(":key")
settingsScope := ac.Scope("settings", "auth."+scopeKey, "*") settingsScope := ac.ScopeSettingsOAuth(scopeKey)
reqWriteAccess := auth(ac.EvalAny( reqWriteAccess := auth(ac.EvalPermission(ac.ActionSettingsWrite, settingsScope))
ac.EvalPermission(ac.ActionSettingsWrite, ac.ScopeSettingsAuth),
ac.EvalPermission(ac.ActionSettingsWrite, settingsScope)))
router.Get("/", auth(ac.EvalPermission(ac.ActionSettingsRead, ac.ScopeSettingsAuth)), routing.Wrap(api.listAllProvidersSettings)) router.Get("/", auth(ac.EvalPermission(ac.ActionSettingsRead)), routing.Wrap(api.listAllProvidersSettings))
router.Get("/:key", auth(ac.EvalPermission(ac.ActionSettingsRead, settingsScope)), routing.Wrap(api.getProviderSettings)) router.Get("/:key", auth(ac.EvalPermission(ac.ActionSettingsRead, settingsScope)), routing.Wrap(api.getProviderSettings))
router.Put("/:key", reqWriteAccess, routing.Wrap(api.updateProviderSettings)) router.Put("/:key", reqWriteAccess, routing.Wrap(api.updateProviderSettings))
router.Delete("/:key", reqWriteAccess, routing.Wrap(api.removeProviderSettings)) router.Delete("/:key", reqWriteAccess, routing.Wrap(api.removeProviderSettings))
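Review bot: The list route on the new side, `router.Get("/", auth(ac.EvalPermission(ac.ActionSettingsRead)), routing.Wrap(api.listAllProvidersSettings))`, now evaluates `settings:read` with no scope at all, whereas the old side required `settings:read` on `settings:auth:*`; unless `EvalPermission` with no scopes is stricter than it looks, a caller holding `settings:read` on any single scope passes this check. If `listAllProvidersSettings` returns every provider's settings without filtering by the caller's per-provider scope (its body is outside the hunk, so this is inferred), that is a broadening of who can read all SSO settings, including a caller who was only granted one provider. Either evaluate the list route with `ac.EvalAny` over the per-provider `ScopeSettingsOAuth(...)` scopes the role grants, or keep the unscoped check and filter the returned providers inside the handler against the caller's scopes, and add a comment on the route stating which of the two is relied on. The body of `RegisterAPIEndpoints` continues outside the hunk.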