Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

service IP pool lookup returns wrong authz error #3933

Merged
merged 2 commits into from
Aug 23, 2023
Merged

service IP pool lookup returns wrong authz error #3933

merged 2 commits into from
Aug 23, 2023

Conversation

davepacheco
Copy link
Collaborator

I noticed this while reading code debugging #3889. Basically, it's a wrong pattern to map_err() the result of authorize() to replace a Forbidden error with a NotFound. Distinguishing between these two is the responsibility of the authz subsystem because it should be consistent for all callers of authorize(). If we want it to be a NotFound, the authz subsystem supports that via the impl of AuthorizedResource::on_unauthorized() for the resource. Concretely, we could preserve the existing behavior (while still delegating it to the authz subsystem) by customizing the impl for IpPoolList:

omicron/nexus/db-queries/src/authz/api_resources.rs

Lines 433 to 441 in 94cde6d

fn on_unauthorized(
&self,
_: &Authz,
error: Error,
_: AnyActor,
_: Action,
) -> Error {
error
}

to look more like the one for most non-synthetic resources (which do return NotFound when someone's not authorized to read them):

omicron/nexus/db-queries/src/authz/api_resources.rs

Lines 132 to 154 in 94cde6d

fn on_unauthorized(
&self,
authz: &Authz,
error: Error,
actor: AnyActor,
action: Action,
) -> Error {
if action == Action::Read {
return self.not_found();
}
// If the user failed an authz check, and they can't even read this
// resource, then we should produce a 404 rather than a 401/403.
match authz.is_allowed(&actor, Action::Read, self) {
Err(error) => Error::internal_error(&format!(
"failed to compute read authorization to determine visibility: \
{:#}",
error
)),
Ok(false) => self.not_found(),
Ok(true) => error,
}
}

I started looking at that when I saw that we're doing a ListChildren here, not a Read. The resource itself ("the list of service IP pools") is not really hidden from end users -- the URL is even published in the OpenAPI spec. So I think it makes more sense to return Forbidden here, just like if you try to list IP pools when not authorized to do so.

david-crespo
david-crespo reviewed Aug 23, 2023
View reviewed changes
nexus/db-queries/src/db/datastore/ip_pool.rs Outdated
@@ -118,14 +118,7 @@ impl DataStore {
// If they don't, return "not found" instead of "forbidden".
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This comment is no longer accurate

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch.

david-crespo
david-crespo approved these changes Aug 23, 2023
View reviewed changes
Copy link
Contributor

@david-crespo david-crespo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, reasoning makes sense. I also don't see a reason for special handling.

@davepacheco davepacheco enabled auto-merge (squash) August 23, 2023 02:43
@davepacheco davepacheco merged commit 0bc7bf0 into main Aug 23, 2023
@davepacheco davepacheco deleted the dap/ip-pool-authz branch August 23, 2023 04:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@david-crespo david-crespo david-crespo approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@davepacheco @david-crespo