Enforcing Organization and Role API Permissions

[jacob6838]

PR Details

Description

This PR enforces organization and role permissions in the cvmanager api. This includes the following changes:

• Pulling all user properties from the decoded access token (name, username, super_user, and organizations/roles
• The user's info and org/role info is stored in the flask environment variable, under the key 'user'. This data is saved in the classes EnvironNoAuth, EnvironWithoutOrg, and EnvironWithOrg (saves Organization header for later use)
• Non-200 response codes (400, 403, 404, 500, and 503), are now handled by throwing specific exceptions, stored in common/errors.py. common/errors.py also registers error handlers for these exceptions, and emits the expected response code when each is thrown
• Authentication is enforced by decorators. This decorator, @require_permission, takes in 4 params:
  • required_role: minimum role required to access method
  • resource_type: Optional, 'intersection', 'rsu', 'user', or 'organization'. This enables enforcement of resource-specific permissions. When specified, the first argument in the decorated method must be the resource id (intersection_id, rsu_ip, user_email, or org_name). The decorator will use this resource ID and the user's organizations and role associations to identify whether the user has access to that resource, with at least the required_role level of access.
  • checker: Optional, a PermissionChecker class, to completely customize the authentication system
  • additional_check: Optional, an AdditionalCheck method, which can apply additional enforcement after the other authentication is evaluated. This can be seen in api/src/admin_intersection.py protecting modify_intersection_authorized from "organizations_to_add" and "organizations_to_remove" fields
  • The decorator pulls the user information from the flask environment, so there is no need to pass this into the decorator
  • For the most part, authentication and user property access is limited to this decorator. In some cases, queries can be modified to include user info, such as only filtering by organization if the user is not a super_user. In cases like this, a method can receive a PermissionRequest object from the decorator, by specifying the named parameter "permission_result". This includes the qualified organizations (if non-super user), and user info (super_user, all orgs/roles, and name/email). An example of this is in api/src/admin_intersection.py
• auth_tools helper methods
  • common/auth_tools.py holds many helper methods and types for authentication
• Unit tests
  • the src/tests/conftest.py method adds a fake user to the flask environment, to enable most tests to pass without modification. This can be easily overridden by patching the common.auth_tools.environ in an individual test

How Has This Been Tested?

This has been extensively tested by unit tests, going through the GUI, and making manual requests through postman, to test responses to malicious requests

Types of changes

• Defect fix (non-breaking change that fixes an issue)
• New feature (non-breaking change that adds functionality)
• Breaking change (fix or feature that cause existing functionality to change)

Checklist:

• My changes require new environment variables:
  • I have updated the docker-compose, K8s YAML, and all dependent deployment configuration files.
• My changes require updates to the documentation:
  • I have updated the documentation accordingly.
• My changes require updates and/or additions to the unit tests:
  • I have modified/added tests to cover my changes.
• All existing tests pass.

[drewjj]

Some questions. Looks nice though.

[mcook42]

I love the test coverage and a lot of the additions. I have some chores and open questions that I think should be addressed before I'm ready to approve this

[mcook42]

question: is there value in keeping this commented out code around, or can we remove it?

[jacob6838]

removed

[mcook42]

Suggested change

	rsu_dict = get_organization_rsus(permission_result)
	rsu_dict = get_organization_rsus(permission_result, [])

[jacob6838]

updated to pass in qualified_orgs

[mcook42]

chore: remove unused variable

Suggested change

user: EnvironWithOrg = request.environ[ENVIRON_USER_KEY]

[jacob6838]

removed, along with similar unused variables

[mcook42]

question(non-blocking): How/when do we plan to address this TODO? Is there a work item to track it so it doesn't get forgotten?

[jacob6838]

went ahead and addressed this now!

[mcook42]

question: I'm seeing calls to get_rsu_data mostly without providing the positional arg of qualified_orgs. Should we be passing an empty list in for qualified_orgs everywhere, remove the qualified_orgs arg, or is there another approach that makes most sense?

[jacob6838]

get_rsu_info was updated to take in only what it needed, the user object and qualified organizations list

[payneBrandon]

A few questions so far

[payneBrandon]

If we're not doing anything with this particular error, do we need a called out "except" for it?

[jacob6838]

This is an oddity within the python try/except, while having a very broad Exception catcher at the end. Without the additional except IntersectionServerError: pass, then raise InternalServerError is caught by the last clause of the try catch. The real issue here is that the last except clause is way too broad

[jacob6838]

I just updated all of the following cases to catch a SQLAlchemyError instead of a generic Exception. This allowed me to remove the except InternalServerError: pass cases

[payneBrandon]

Does this just generically verify an authenticated user?

[jacob6838]

Yes, this ensures a user is authorized without requiring any organization access. This is technically unnecessary since the middleware already enforces it, but this way every single method has a decorator and it's obvious that it wasn't accidentally skipped

[payneBrandon]

Do we need this InternalSererError except?

[jacob6838]

same as above -

[payneBrandon]

Is this needed?

[jacob6838]

same as above -

[payneBrandon]

We've got pretty similary "enforce_xxx_permissions" in several of these admin file additions. Could we abstract to a shared location to reuse code?