Skip to content

fix: check authz for evaluation endpoints #3438

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 7 commits into from
Sep 9, 2024
Merged

fix: check authz for evaluation endpoints #3438

merged 7 commits into from
Sep 9, 2024

Conversation

markphelps
Copy link
Collaborator

Reported in Discord: https://discord.com/channels/960634591000014878/1281742374275649569

A user reported that with authz enabled evaluation for client side SDKs did not work. This fixes that and adds more testing

Also disables authz checking for ofrep server endpoints

@codecov Codecov
Copy link

codecov bot commented Sep 7, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 87.50000% with 6 lines in your changes missing coverage. Please review.

Project coverage is 64.66%. Comparing base (c4a0f96) to head (59773d1).
Report is 1 commits behind head on main.

Files with missing lines Patch % Lines
internal/server/middleware/grpc/middleware.go 82.85% 5 Missing and 1 partial ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #3438      +/-   ##
==========================================
+ Coverage   64.63%   64.66%   +0.03%     
==========================================
  Files         174      174              
  Lines       13916    13918       +2     
==========================================
+ Hits         8994     9000       +6     
+ Misses       4231     4227       -4     
  Partials      691      691
Flag Coverage Δ
unittests 64.66% <87.50%> (+0.03%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@markphelps markphelps marked this pull request as ready for review September 7, 2024 01:27
@markphelps markphelps requested a review from a team as a code owner September 7, 2024 01:27
@markphelps
chore: add missing test
138218a 
Signed-off-by: Mark Phelps <[email protected]>
@markphelps markphelps requested review from erka and GeorgeMac September 7, 2024 02:18
GeorgeMac
GeorgeMac requested changes Sep 7, 2024
View reviewed changes
Copy link
Member

@GeorgeMac GeorgeMac left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we need to update the authz engine to support requesting at least read flag in the requested namespace here. Or go as far as the authz engine supporting request more than one resource to do flag and segment.
by blanket disabling it you let anyone with authn but no authz read from any namespace.

@GeorgeMac GeorgeMac mentioned this pull request Sep 7, 2024
Merged
@GeorgeMac
Copy link
Member

I made a PR on this PR ☝️

@markphelps markphelps added the needs docs Requires documentation updates label Sep 7, 2024
@flipt-release-bot flipt-release-bot bot mentioned this pull request Sep 7, 2024
Open
@erka
Copy link
Contributor

erka commented Sep 7, 2024

@markphelps is it any reason why ofrep and evaluation endpoints should not have authz?

@markphelps
chore: fix lint error
a16b7e1 
Signed-off-by: Mark Phelps <[email protected]>
@markphelps markphelps changed the title fix: disable authz for all evaluation endpoints fix: check authz for evaluation endpoints Sep 7, 2024
@markphelps
Copy link
Collaborator Author

@markphelps is it any reason why ofrep and evaluation endpoints should not have authz?

I guess I could undo that change for now? although we skipped evaluation server-side authz on purpose it seems when we initially implemented it. I think it gets harder for bulk eval as idk if we wanna check each flag?

@erka
Copy link
Contributor

erka commented Sep 8, 2024
edited
Loading

as idk if we wanna check each flag?

What is it? I don't see any restrictions for a specific flag during CRUD.

We could have another action like evaluate for flag or namespace resource. It may be helpful for those who use one Flipt instance for different environments with different namespaces.

@GeorgeMac
Copy link
Member

GeorgeMac commented Sep 9, 2024
edited
Loading

We could have another action like evaluate for flag or namespace resource. It may be helpful for those who use one Flipt instance for different environments with different namespaces.

My gut leans on adding a new action / verb as @erka suggests here, specifically for evaluations (eval + ofrep, but not necessarily snapshot data).
Long term, I think a specific verb/action makes sense. It makes it clearer what the intent is and allows e.g. audit log consumers to ignore evaluations (if they wish), which might be high-volume output. Adding in read flag and segment on evaluation kind of bulks up the audit log stream potentially quite a bit.

I think maybe read flag / segment might still make sense for the eval snapshot data endpoint though.
The caller is not specifically evaluating, they're reading all flags and segments in a namespace.
Since it is designed to be fetched less frequently that actual evaluations, it doesn't have the same impact on audit log volume. So less concerned about that in this instance.

@erka
Copy link
Contributor

erka commented Sep 9, 2024

@markphelps @GeorgeMac Let's move this discussion to another issue or PR. I believe it's the best to resolve the original issue right now.

@markphelps markphelps requested a review from GeorgeMac September 9, 2024 13:24
@markphelps
Copy link
Collaborator Author

@erka @GeorgeMac are we good to merge this to unblock the user in Discord? I agree we should prob discuss evaluation server side authz in another issue

GeorgeMac
GeorgeMac approved these changes Sep 9, 2024
View reviewed changes
Copy link
Member

@GeorgeMac GeorgeMac left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes @markphelps 👍

@markphelps markphelps added the automerge Used by Kodiak bot to automerge PRs label Sep 9, 2024
@kodiakhq kodiakhq bot merged commit a524185 into main Sep 9, 2024
64 checks passed
@kodiakhq kodiakhq bot deleted the authz-eval-fixes branch September 9, 2024 15:12
markphelps added a commit that referenced this pull request Sep 9, 2024
@markphelps
Merge branch 'main' into release-1.49
bfb7dfc 
* main:
  fix: check authz for evaluation endpoints (#3438)
  chore(deps): bump github.com/twmb/franz-go from 1.17.0 to 1.17.1 (#3446)
  chore(deps): bump github.com/Masterminds/semver/v3 from 3.2.1 to 3.3.0 (#3447)
  chore(deps): bump github.com/mattn/go-sqlite3 from 1.14.22 to 1.14.23 (#3448)
  chore(deps): bump go.opentelemetry.io/otel/sdk/metric (#3445)
  chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 (#3449)
  chore(deps): bump alpine from 3.20.2 to 3.20.3 in /build (#3450)
  chore(deps-dev): bump vite from 5.4.2 to 5.4.3 in /ui (#3441)
  chore(deps-dev): bump @tailwindcss/forms from 0.5.8 to 0.5.9 in /ui (#3440)
  docs: add lzakharov as a contributor for code (#3437)
  Enable pgx simple protocol if prepared statements disabled (#3436)
  chore: prep for 1.49.1 (#3434)
@markphelps markphelps mentioned this pull request Sep 9, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@GeorgeMac GeorgeMac GeorgeMac approved these changes

@erka erka Awaiting requested review from erka

Assignees
No one assigned
Labels
automerge Used by Kodiak bot to automerge PRs needs docs Requires documentation updates
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@markphelps @GeorgeMac @erka