core: return ActorHasNoRolesOnTarget for empty scoped roles#742
Conversation
gtema
left a comment
gtema
left a comment
There was a problem hiding this comment.
thanks a lot for starting working on it. I totally get the the issue description is not detailed enough. In order to be able to mark issue as complete we should not only replace one error with another, but to actually introduce a test verifying that the status code is really 401. This can be achieved in 2 different ways:
- a new unittest in
crates/keystone/src/api/v3/auth/token/create.rssimulating the error being thrown - a new test in
tests/api/...that creates project/user and tries to authenticate new user to that new project with role being assigned to the user on the project expecting 401
Actually another issue in the current flow is that the function you adopted (fully_resolved) is only invoked when user is already authenticated (in the crates/core/src/api/auth.rs) and not when the user tries to authenticate which is what we try to verify here.
I would suggest moving the check (the whole match) into crates/keystone/core/src/auth.rs at the bottom of the new_with_roles (right between the if block that calculates roles and that returns the ValidatedSecurityContext. A new unittest would need to be created in this module testing that the particular exception is returned.
In addition you would need also to add a new unittest into crates/keystone/src/api/v3/auth/token/create.rs. Here the "expect_issue_token_context" mock method would return the ActorHasNoRolesOnTarget error converted into the TokenProviderError::Authorization. Since during the conversion of the TokenProviderError to the final API response an unauthorized error is being returned (crates/api-types/src/error_conv.rs lines 249 and 81) it should result exactly in the 401 status code coming back from the api
| .authorization | ||
| .as_ref() | ||
| .ok_or(AuthenticationError::SecurityContextNotResolved)?; | ||
| // Unscoped with no roles is valid. Scoped with no roles OR empty roles list is |
There was a problem hiding this comment.
can you please leave these comments lines in? they are relatively helpful explaining the match condition
ymh1874
force-pushed
the
fix/514-ensure-401-returned
branch
from
1bc1ca3 to
4a6eb7d
Compare
…ental#514) This patch ensures that the Keystone-NG authentication pipeline strictly returns a 401 Unauthorized HTTP status code when an authentication request specifies a target project scope, but the authenticating identity has zero effective roles assigned within that scope. Unscoped contexts continue to bypass this restriction safely as designed. Signed-off-by: Yousef Hussein <ymh1874@gmail.com>
ymh1874
force-pushed
the
fix/514-ensure-401-returned
branch
from
4a6eb7d to
97980e9
Compare
2 participants
Description
This PR resolves an issue where requesting a scoped authentication token with an explicitly empty roles array (
[]) causes an internal server crash (or incorrect context state tracking) instead of dropping cleanly into a 401 Unauthorized response.Changes Implemented
fully_resolvedevaluation insidecrates/core-types/src/auth.rs.None(roles have not yet been evaluated/populated from persistence) andSome(roles) if roles.is_empty()(roles were explicitly evaluated and the user holds zero assignments on the designated target).ActorHasNoRolesOnTargetauthentication error rather than falling back toSecurityContextNotResolved.make_auth_result_projectandmake_trust_with_rolessubmodule unit tests.Closes #514