Uploaded image for project: 'Repose'
  1. REP-7064

Valkyrie filter should check user's highest device permission during authorization

    Details

    • Type: Bug
    • Status: Resolved (View workflow)
    • Priority: Medium
    • Resolution: Done
    • Affects versions: None
    • Fix versions: 8.9.1.0
    • Components: None
    • Labels:
      None
    • Sprint:
      Sprint 171
    • Story Points:
      2
    • Capitalizable:
      True

      Description

      When the Valkyrie filter checks the user's permissions for a device, it expects a single permission (i.e. the highest permission the user has for the device). However, as of June 2018, Valkyrie is giving us all of the implicit permissions as well (e.g. if the user has the admin_product permission for a device, they implicitly have the edit_product and view_product permissions on that device as well, and Valkyrie is explicitly including those other two permissions in the response now).

      It is unclear at this time why this has become an issue now. The Valkyrie feature was first released with this specific behavior in April 2015 for Dedicated LBaaS and followed architecture's design as defined in REP-808 Resolved (see attached PPT, slide 13). Whether or not this was always an issue or is a change to the API, we should update Repose to be able to handle both scenarios.

      This is where we're expecting only one permission per device with our use of .find():
      ValkyrieAuthorizationFilter.scala - line 209

      We parse the JSON recursively, and it looks like we're doing a prepend (i.e. storing the values in reverse-order):
      ValkyrieAuthorizationFilter - line 128
      Scala 2.11.7: List.+:

      This causes us to use the last permission for the device in the JSON. The observed behavior in Production according to the Apache wire logs seems to confirm this:

      FAIL:   admin, edit, view
      SUCCES: edit,  view, admin
      

      Acceptance Criteria:

      • The Valkyrie filter uses the highest permission the user has for a device during authorization.
        • Permissions should be considered in this order (use the highest present for the device):
          • admin_product
          • edit_product
          • view_product
        • Don't change any other part of the permission logic.

        Attachments

          Issue links

            Activity

              People

              • Assignee:
                damien.johnson Damien Johnson
                Reporter:
                mario.lopez Mario Lopez
              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: