feat: add policy variable support #415
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Merged
sameerzuberi
force-pushed
the
policy-variable-support
branch
from
5a4cbbb to
1193d04
Compare
sameerzuberi
force-pushed
the
policy-variable-support
branch
from
0470133 to
c44eef6
Compare
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
...eengrass/integrationtests/deviceauth/EvaluateClientDeviceActionsWithPolicyVariablesTest.java
Fixed
Show fixed
Hide fixed
jcosentino11
reviewed
Jan 5, 2024
| return PermissionEvaluationUtils.isAuthorized(request.getOperation(), request.getResource(), | ||
| groupManager.getApplicablePolicyPermissions(session)); | ||
| return permissionEvaluationUtils.isAuthorized(request.getOperation(), request.getResource(), | ||
| permissionEvaluationUtils.transformGroupPermissionsWithVariableValue(session, |
There was a problem hiding this comment.
while we're at it, we can clean up by making groupManager a dependency of PermissionEvaluationUtils, then we can do something like
permissionEvaluationUtils.isAuthorized(request, session)
There was a problem hiding this comment.
lets also take performance into account, e.g. when evaluating w/ same permissions we shouldn't do variable substitution again
There was a problem hiding this comment.
lets also take performance into account, e.g. when evaluating w/ same permissions we shouldn't do variable substitution again
Thinking through this more, variables are substituted based on current session, so a caching solution for this would be a bit more involved, assuming it would even be useful, so lets table for now
jcosentino11
reviewed
Jan 8, 2024
| @@ -60,7 +66,8 @@ public static boolean isAuthorized(String operation, String resource, | |||
| return false; | |||
| } | |||
|
|
|||
| for (Map.Entry<String, Set<Permission>> entry : groupToPermissionsMap.entrySet()) { | |||
| for (Map.Entry<String, Set<Permission>> entry : | |||
| groupToPermissionsMap.entrySet()) { | |||
There was a problem hiding this comment.
nit: do we need this formatting change?
| return PermissionEvaluationUtils.isAuthorized(request.getOperation(), request.getResource(), | ||
| groupManager.getApplicablePolicyPermissions(session)); | ||
| return permissionEvaluationUtils.isAuthorized(request.getOperation(), request.getResource(), | ||
| permissionEvaluationUtils.transformGroupPermissionsWithVariableValue(session, |
There was a problem hiding this comment.
lets also take performance into account, e.g. when evaluating w/ same permissions we shouldn't do variable substitution again
sameerzuberi
force-pushed
the
policy-variable-support
branch
from
027a98b to
87e85b3
Compare
MikeDombo
reviewed
Jan 9, 2024
src/main/java/com/aws/greengrass/clientdevices/auth/PermissionEvaluationUtils.java
Show resolved
Hide resolved
sameerzuberi
force-pushed
the
policy-variable-support
branch
from
a68376e to
7698ed9
Compare
sameerzuberi
force-pushed
the
policy-variable-support
branch
from
3609884 to
6f755b8
Compare
|
Code Coverage Report
Minimum allowed coverage is Generated by 🐒 cobertura-action against cdfc054 |
jcosentino11
reviewed
Jan 9, 2024
| } | ||
| } else { | ||
| logger.atWarn().kv("policyVariable", policyVariable) | ||
| .log("Policy variable detected but could not be parsed"); |
There was a problem hiding this comment.
policy variable unsupported, and can also guide user w/ next steps (e.g. fix config)
| String attributeName = vars[2]; | ||
|
|
||
| // this supports the ThingName attribute only | ||
| if (THING_NAME_VARIABLE.equals(policyVariable)) { |
There was a problem hiding this comment.
i think we'd want to be case insensitive, would need to configure the matcher too
| Coerce.toString(session.getSessionAttribute(attributeNamespace, attributeName)); | ||
|
|
||
| if (policyVariableValue == null) { | ||
| logger.atWarn().kv("attributeName", attributeName) |
There was a problem hiding this comment.
i think we'd want to error here rather than log, it's a failure mode--not doing substitution would mean the policy is acting differently than intended
sameerzuberi
force-pushed
the
policy-variable-support
branch
from
5665f8b to
b7bb2cb
Compare
sameerzuberi
force-pushed
the
policy-variable-support
branch
from
0ea3f4c to
6135f3e
Compare
sameerzuberi
force-pushed
the
policy-variable-support
branch
from
0a76038 to
f62ea96
Compare
MikeDombo
reviewed
Jan 26, 2024
src/main/java/com/aws/greengrass/clientdevices/auth/PermissionEvaluationUtils.java
Show resolved
Hide resolved
| private static final Map<String, Pair<String,String>> policyVariableResolver = | ||
| new HashMap<String, Pair<String,String>>() { | ||
| { | ||
| put("iot:Connection.Thing.ThingName", new Pair<>("Thing", "ThingName")); |
There was a problem hiding this comment.
lets make the attr namespace and properties constants
|
|
||
| private static final Map<String, Pair<String,String>> policyVariableResolver = | ||
| new HashMap<String, Pair<String,String>>() { | ||
| { |
There was a problem hiding this comment.
nit: avoid {{}} initializers
| } | ||
| } else { | ||
| logger.atWarn().kv("policyVariable", policyVariable) | ||
| .log("Policy variable unsupported. Only thing name variables are supported, please fix the " |
There was a problem hiding this comment.
Only thing name variables are supported
let's remove, otherwise we'll have to update this every time we add new ones
|
Putting here for later reference: With regex on the policy eval path, throughput is ~200k ops/s (for variable substitution test case). Before we were hitting 400k. We talked about identifying variables during config time, which should get those perf numbers back up |
MikeDombo
reviewed
Jan 30, 2024
src/main/java/com/aws/greengrass/clientdevices/auth/PermissionEvaluationUtils.java
Show resolved
Hide resolved
src/main/java/com/aws/greengrass/clientdevices/auth/iot/Thing.java
Outdated
Show resolved
Hide resolved
src/main/java/com/aws/greengrass/clientdevices/auth/iot/Certificate.java
Outdated
Show resolved
Hide resolved
| @@ -17,4 +20,10 @@ public class Permission { | |||
| @NonNull String operation; | |||
|
|
|||
| @NonNull String resource; | |||
There was a problem hiding this comment.
nit: i think renaming to resourceFormat or similar would make it clearer that this shouldn't be used directly anymore
| @@ -17,4 +20,10 @@ public class Permission { | |||
| @NonNull String operation; | |||
|
|
|||
| @NonNull String resource; | |||
|
|
|||
| List<String> policyVariables; | |||
There was a problem hiding this comment.
lets name this resourcePolicyVariables, since these don't apply to operation or principal
| * @param session current device session | ||
| * @return updated resource | ||
| */ | ||
| public static String resolvePolicyVariables(List<String> policyVariables, String resource, Session session) { |
There was a problem hiding this comment.
note: in follow up we'll also need to add more validations to the policy (e.g. bad policy variable name, etc), after #418 is merged too
| private static final String THING_NAMESPACE = "Thing"; | ||
| private static final String THING_NAME_ATTRIBUTE = "ThingName"; | ||
|
|
||
| static { |
| import java.util.Map; | ||
|
|
||
| public final class PolicyVariableResolver { | ||
| private static final Map<String, Pair<String,String>> policyVariableMap; |
There was a problem hiding this comment.
could use a more descriptive name
| String policyVariableValue = Coerce.toString(session.getSessionAttribute(attributeNamespace, | ||
| attributeName)); | ||
| if (policyVariableValue == null) { | ||
| throw new IllegalArgumentException("No attribute found for current session"); |
There was a problem hiding this comment.
lets avoid unchecked exceptions, may need to make your own if there's not a suitable one
There was a problem hiding this comment.
include attribute name/space in message as well
| if (policyVariableValue == null) { | ||
| throw new IllegalArgumentException("No attribute found for current session"); | ||
| } else { | ||
| substitutedResource = StringUtils.replace(substitutedResource, policyVariable, policyVariableValue); |
There was a problem hiding this comment.
probably worth a quick comment about why this replace impl
| @@ -198,19 +198,19 @@ void GIVEN_valid_group_configuration_WHEN_start_service_THEN_instantiated_config | |||
|
|
|||
| Permission[] tempSensorPermissions = | |||
| {Permission.builder().principal("myTemperatureSensors").operation("mqtt" + ":connect") | |||
| .resource("mqtt:clientId:foo").build(), | |||
| .resource("mqtt:clientId:foo").policyVariables(Collections.emptyList()).build(), | |||
There was a problem hiding this comment.
would also be ok to default policyVariables to empty list within Permission itself
|
|
||
| package com.aws.greengrass.clientdevices.auth.exception; | ||
|
|
||
| public class AttributeProviderException extends Exception { |
There was a problem hiding this comment.
nit: how about PolicyException?
| // TODO: Return other possible DeviceAttributes | ||
| return null; | ||
| // TODO: Support other DeviceAttributes | ||
| return new WildcardSuffixAttribute(thingName); |
There was a problem hiding this comment.
from convo: if we want to still have attributeName passed in we'll need to use it, otherwise would need to be reverted back to just getDeviceAttributes() that returns a map
src/main/java/com/aws/greengrass/clientdevices/auth/configuration/PolicyVariableResolver.java
Show resolved
Hide resolved
jcosentino11
previously approved these changes
Feb 1, 2024
src/main/java/com/aws/greengrass/clientdevices/auth/configuration/PolicyVariableResolver.java
Outdated
Show resolved
Hide resolved
jcosentino11
previously approved these changes
Feb 1, 2024
MikeDombo
reviewed
Feb 1, 2024
src/main/java/com/aws/greengrass/clientdevices/auth/PermissionEvaluationUtils.java
Outdated
Show resolved
Hide resolved
MikeDombo
reviewed
Feb 1, 2024
src/main/java/com/aws/greengrass/clientdevices/auth/configuration/PolicyVariableResolver.java
Outdated
Show resolved
Hide resolved
MikeDombo
approved these changes
Feb 1, 2024
jcosentino11
approved these changes
Feb 1, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Issue #, if available:
Description of changes:
PermissionEvaluationUtilsto use non static methods for future wildcard supportWhy is this change necessary:
How was this change tested:
Unit and integration tests
Any additional information or context required to review the change:
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.