Development: Add tool token support #9408
Conversation
As discussed before, I do not think that it is a good idea to offer a
It's still a draft, so I would like to first have a discussion about it before declining this PR.
We discussed this already several times. I'm not sure if additional discussions help, when my arguments against it are ignored :-(
We agreed on a meeting in the afternoon, so please let us have this meeting first.
After the meeting the proposed solution looks as follows:
@krusche will provide further feedback on that
Title history:
- Programming Exercise: Add re-key endpoint
- Programming exercises: Add re-key endpoint
- Programming exercises: Add theia token for redirect
Review comment on src/main/java/de/tum/cit/aet/artemis/core/web/open/PublicUserJwtResource.java (outdated):
TODO, make endpoint only available if theia profile is active
Code reapprove 👍
Title history:
- Programming exercises: Add tool token support
- Development: Add tool token support
Motivation and Context
For the online IDE to guarantee a seamless login process without prompting the user with a login dialog again, the JWT token has to be passed from the Artemis Angular client to the Theia online IDE in a redirect. Therefore the token cannot be kept in an HTTP cookie.
To work around this while still guaranteeing security, we generate a new token with a maximum lifespan of 1 day and add a particular tool claim that restricts its access to certain endpoints.
Description
This PR adds functionality for tool-specific tokens. These tokens are restricted to accessing only certain endpoints, following the principle of least privilege.
The PR showcases this functionality for the Scorpio VSCode extension and annotates the needed endpoints with the @AllowedTools(ToolTokenType.SCORPIO) annotation.
In addition, this claim can also be used when authenticating the user with username and password, restricting that token to the same endpoints.
Affected endpoints which should be allowed for the Scorpio extension:
- participations/{participationId}/results/{resultId}/details: fetch the result feedback to display test case feedback and which tests failed for the submission
- account/participation-vcs-access-token: get the user's VCS token to then generate a clone URL with the VCS token, so that the user neither needs SSH configured nor needs to input his/her credentials
- account/participation-vcs-access-token: generate the VCS token if this user does not have one already
- courses/for-dashboard: display a course selection view in the extension similar to the Angular client
- courses/{courseId}/for-dashboard: display an exercise selection view in the extension similar to the Angular client
- exercises/{exerciseId}/participations: start a programming exercise from within the extension
- exercises/{exerciseId}/participation: get the current participation for the displayed exercise
- /plantuml/svg: generate the PlantUML diagram that should be displayed in the problem statement
Steps for Testing
Postman testing or code review.
Postman testing (collection: ArtemisTokens.postman_collection.json):
1. Send a request to POST {{base_url}}/api/public/authenticate?tool=SCORPIO
2. Send a request to GET {{base_url}}/api/courses/for-dashboard
3. Verify that you get a 200 response
4. Send a request to GET {{base_url}}/api/ide-settings
5. Verify that you get a 403 Forbidden
2nd part:
6. Send a request to POST {{base_url}}/api/public/authenticate (!!! without the tool parameter)
7. Send a request to GET {{base_url}}/api/courses/for-dashboard
8. Verify a 200 response
9. Send a request to GET {{base_url}}/api/ide-settings
10. Verify a 200 response
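The behaviour the description and the testing steps above exercise (a tool token reaching an allowed endpoint with 200, a non-allowed one with 403, and a normal login token reaching both), as an added illustration that is not code from this PR or from Artemis: the claim name "tools", the signing secret, the route allow-list standing in for @AllowedTools(ToolTokenType.SCORPIO), and the 1-day expiry on every token are assumptions of this example.

```python
import base64, hashlib, hmac, json, time
SECRET = b"constructed-demo-secret"  # constructed; not the Artemis signing key
TOOL_TOKEN_LIFESPAN = 24 * 60 * 60   # a tool token lives at most 1 day (demo applies it to all tokens)
TOOL_CLAIM = "tools"                 # claim name is an assumption
# Assumed stand-in for @AllowedTools(ToolTokenType.SCORPIO): which tool may call which route.
ALLOWED_TOOLS = {
    ("GET", "/api/courses/for-dashboard"): {"SCORPIO"},
    ("GET", "/api/courses/{courseId}/for-dashboard"): {"SCORPIO"},
    ("GET", "/api/participations/{participationId}/results/{resultId}/details"): {"SCORPIO"},
}

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user, tool=None, now=None):
    """HS256 JWT for a normal login; with `tool` set, a restricted tool token."""
    issued = int(time.time() if now is None else now)
    claims = {"sub": user, "exp": issued + TOOL_TOKEN_LIFESPAN}
    if tool:
        claims[TOOL_CLAIM] = tool
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def verify_token(token, now=None):
    """Check signature and expiry; raise ValueError on any failure."""
    header, body, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(sig), expected):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims["exp"] <= int(time.time() if now is None else now):
        raise ValueError("expired")
    return claims

def authorize(token, method, route, now=None):
    """Interceptor-style decision: 401 invalid token, 403 tool not allowed here, 200 otherwise."""
    try:
        claims = verify_token(token, now)
    except ValueError:
        return 401
    tool = claims.get(TOOL_CLAIM)
    if tool is None:  # full login token: no tool restriction
        return 200
    return 200 if tool in ALLOWED_TOOLS.get((method, route), set()) else 403
```

Because the claim is covered by the signature, swapping the payload of a tool token for one without the claim is rejected as 401 rather than upgraded to full access.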
Summary by CodeRabbit
New Features
- AllowedTools annotation for enhanced access control.
- ToolTokenType enumeration for tool-specific token management.
- TokenResource for managing tool tokens via REST API.
- ToolsInterceptor for access control based on JWT claims.