
Task: Implement a dynamic list of allowed scopes when issuing tokens #409

Open
1 task done
kairoaraujo opened this issue Aug 17, 2023 · 0 comments

Comments

@kairoaraujo
Member

kairoaraujo commented Aug 17, 2023

What is the task about?

This task generates a dynamic list of allowed scopes when issuing tokens.

This is a static list that excludes write:token, as can be seen here:

```python
from typing import List, Literal

# Field annotation on the token request model: the allowed scopes are
# hard-coded as a Literal instead of being derived from SCOPES.
scopes: List[
    Literal[
        SCOPES_NAMES.read_bootstrap.value,
        SCOPES_NAMES.read_settings.value,
        SCOPES_NAMES.read_tasks.value,
        SCOPES_NAMES.read_token.value,
        SCOPES_NAMES.write_targets.value,
        SCOPES_NAMES.delete_targets.value,
    ]
]
```

This list can originate from

or

```python
# Mapping of every scope name to its human-readable description.
SCOPES = {
    SCOPES_NAMES.read_bootstrap.value: "Read (GET) bootstrap",
    SCOPES_NAMES.read_settings.value: "Read (GET) settings",
    SCOPES_NAMES.read_tasks.value: "Read (GET) tasks",
    SCOPES_NAMES.read_token.value: "Read (GET) tokens",
    SCOPES_NAMES.read_metadata.value: "Read (GET) metadata",
    SCOPES_NAMES.write_targets.value: "Write (POST) targets",
    SCOPES_NAMES.write_token.value: "Write (POST) token",
    SCOPES_NAMES.write_bootstrap.value: "Write (POST) bootstrap",
    SCOPES_NAMES.write_settings.value: "Write (PUT) settings",
    SCOPES_NAMES.write_metadata.value: "Write (POST) metadata",
    SCOPES_NAMES.delete_targets.value: "Delete (DELETE) targets",
}
```

Note:

- It must exclude write:token
- Currently write:bootstrap is also not allowed as a scope in a token; it would be good to discuss this in this issue.

```gherkin
Scenario Outline: Admin cannot generate Token using HTTP API for certain scopes
    Given the admin has the admin password
    And the admin gets an 'access_token' by logging in to '/api/v1/token' with a 'write:token' scope
    And the admin adds Authorization Bearer 'access_token' in the 'headers'
    And the admin adds JSON payload with scopes: <scopes> and expires: <expires>
    When the admin sends a POST request to '/api/v1/token/new' with not allowed 'scopes' in 'payload'
    Then the admin should get status code '422'
    Examples:
        | scopes                               | expires |
        | ['write:token']                      | 24      |
        | ['read:bootstrap','write:token']     | 24      |
        | ['write:bootstrap']                  | 24      |
        | ['write:bootstrap', 'read:settings'] | 24      |
        | []                                   | 24      |
        | ['']                                 | 24      |
```

Parent feature

References

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct
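The derivation the task asks for, as an added example that is not code from the issue or from the repository-service-tuf project: the issuable scope list is computed from SCOPES minus a deny set, and a validator reproduces the 422 cases of the scenario outline (write:token, write:bootstrap, an empty list, an empty string). SCOPES_NAMES is reconstructed here from the SCOPES keys as an assumption, and the derived list includes read:metadata, which the static Literal omitted.

```python
from enum import Enum
from typing import List

# Constructed stand-in for the project's SCOPES mapping (same entries as the issue).
SCOPES = {
    "read:bootstrap": "Read (GET) bootstrap",
    "read:settings": "Read (GET) settings",
    "read:tasks": "Read (GET) tasks",
    "read:token": "Read (GET) tokens",
    "read:metadata": "Read (GET) metadata",
    "write:targets": "Write (POST) targets",
    "write:token": "Write (POST) token",
    "write:bootstrap": "Write (POST) bootstrap",
    "write:settings": "Write (PUT) settings",
    "write:metadata": "Write (POST) metadata",
    "delete:targets": "Delete (DELETE) targets",
}

# Assumed mirror of SCOPES_NAMES: member read_bootstrap -> "read:bootstrap", etc.
SCOPES_NAMES = Enum("SCOPES_NAMES", {k.replace(":", "_"): k for k in SCOPES})

# Scopes that must never be delegated into a newly issued token: write:token
# (the issue's hard requirement) and write:bootstrap (excluded per the linked commit).
NOT_ISSUABLE = frozenset({
    SCOPES_NAMES.write_token.value,
    SCOPES_NAMES.write_bootstrap.value,
})


def allowed_token_scopes() -> List[str]:
    """Derive the issuable scope list from SCOPES instead of a hand-maintained Literal,
    so a scope added to SCOPES is picked up automatically unless it is in NOT_ISSUABLE."""
    return [scope for scope in SCOPES if scope not in NOT_ISSUABLE]


def validate_requested_scopes(requested: List[str]) -> List[str]:
    """Validate the 'scopes' field of a POST /api/v1/token/new payload.

    Returns a list of error messages; an empty list means the request is acceptable,
    a non-empty list corresponds to the 422 response in the scenario outline."""
    errors: List[str] = []
    if not requested:
        errors.append("scopes must not be empty")
    allowed = set(allowed_token_scopes())
    for scope in requested:
        if scope in NOT_ISSUABLE:
            errors.append(f"scope {scope!r} cannot be issued in a token")
        elif scope not in allowed:
            errors.append(f"unknown scope {scope!r}")
    return errors
```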
kairoaraujo pushed a commit to kairoaraujo/repository-service-tuf-api that referenced this issue Aug 17, 2023
According to FT, the `write:bootstrap.value` is not allowed to be
issued as a scope in a token.

I'm adding it to be discussed in the repository-service-tuf#409

Signed-off-by: Kairo de Araujo <[email protected]>
MVrachev pushed a commit that referenced this issue Aug 17, 2023
* fix: scopes in the API body validation for token

Fix the missing scopes in the API body validation for issuing tokens.

Closes: 408

Signed-off-by: Kairo de Araujo <[email protected]>

* Update Swagger documentation

Update Swagger documentation including the new scopes.

Signed-off-by: Kairo de Araujo <[email protected]>

* Remove a non-allowed scope

According to FT, the `write:bootstrap.value` is not allowed to be
issued as a scope in a token.

I'm adding it to be discussed in the #409

Signed-off-by: Kairo de Araujo <[email protected]>

* Fix docs after removing `write:bootstrap`

Signed-off-by: Kairo de Araujo <[email protected]>

---------

Signed-off-by: Kairo de Araujo <[email protected]>