-
Notifications
You must be signed in to change notification settings - Fork 447
feat: local auth disabled mode and dev images #4325
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from 44 commits
c1ce69f
e0eb1c0
31afe32
62f1aaf
afeb5fb
9e16f52
ad36f41
b398a8d
3160acb
1b90b11
7b91740
5ee5b2e
4a3f9cb
8190d2c
1239b41
b574633
a2621cf
f7b85f6
ee09f00
186511d
2801cf2
7e70b77
6f35c6a
955ceca
e84bee1
ddc7655
07fd6b9
89882df
be1d730
e3da4fe
898e04b
172c9df
f558c89
c0ad591
f5dfd4e
a36199c
afa0ead
6db028a
f3f18cf
819c13c
305d709
ed7d836
54b76a4
ed9477f
07c3852
d5c467e
a327291
7e954e8
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -3,3 +3,4 @@ version: 2 | |
| secret: | ||
| ignored_paths: | ||
| - 'frontend/app/cypress/e2e/**' | ||
| - 'pkg/authmode/keyset/**' | ||
Large diffs are not rendered by default.
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,26 @@ | ||
| //go:build authdisabled | ||
|
|
||
| package authn | ||
|
|
||
| import ( | ||
| "net/http" | ||
|
|
||
| "github.com/labstack/echo/v4" | ||
| ) | ||
|
|
||
| func (a *AuthN) authPreflight(c echo.Context) (handled bool, err error) { | ||
| ctx := c.Request().Context() | ||
|
|
||
| user, err := a.config.V1.User().GetUserByEmail(ctx, a.config.Seed.AdminEmail) | ||
|
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. open question: should this be the seeded user or should we force an email env var or something?
Member
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I chose to simply reuse the seeded tenant and user to avoid adding in more config options |
||
|
|
||
| if err != nil { | ||
| a.l.Error().Ctx(ctx).Err(err).Msg("authdisabled: could not resolve the seeded admin user") | ||
|
|
||
| return true, echo.NewHTTPError(http.StatusInternalServerError, "authdisabled: could not resolve the seeded admin user; ensure the database was seeded (ADMIN_EMAIL/ADMIN_PASSWORD)") | ||
| } | ||
|
|
||
| c.Set("user", user) | ||
| c.Set("auth_strategy", "authdisabled") | ||
|
|
||
| return true, nil | ||
| } | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| //go:build !authdisabled | ||
|
|
||
| package authn | ||
|
|
||
| import "github.com/labstack/echo/v4" | ||
|
|
||
| func (a *AuthN) authPreflight(c echo.Context) (handled bool, err error) { | ||
| return false, nil | ||
| } |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,17 @@ | ||
| //go:build authdisabled | ||
|
|
||
| package authz | ||
|
|
||
| import ( | ||
| "github.com/labstack/echo/v4" | ||
|
|
||
| "github.com/hatchet-dev/hatchet/api/v1/server/middleware" | ||
| ) | ||
|
|
||
| func (a *AuthZ) authPreflight(c echo.Context, r *middleware.RouteInfo) (handled bool, err error) { | ||
| if err := a.authorizeTenantOperations("NOAUTH", r); err != nil { | ||
| return true, err | ||
| } | ||
|
|
||
| return true, a.validateUserTenantPermissions(c, r) | ||
| } |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,13 @@ | ||
| //go:build !authdisabled | ||
|
|
||
| package authz | ||
|
|
||
| import ( | ||
| "github.com/labstack/echo/v4" | ||
|
|
||
| "github.com/hatchet-dev/hatchet/api/v1/server/middleware" | ||
| ) | ||
|
|
||
| func (a *AuthZ) authPreflight(c echo.Context, r *middleware.RouteInfo) (handled bool, err error) { | ||
| return false, nil | ||
| } |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -48,6 +48,13 @@ func (a *AuthZ) authorize(c echo.Context, r *middleware.RouteInfo) error { | |
| return nil | ||
| } | ||
|
|
||
| // authPreflight only returns handled=true in authdisabled builds, where it authorizes the | ||
| // request against the NOAUTH role and short-circuits the strategy switch below. In normal | ||
| // builds it is a no-op (returns false), so authorization always proceeds. Do not invert this. | ||
| if handled, err := a.authPreflight(c, r); handled { | ||
| return err | ||
| } | ||
|
mnafees marked this conversation as resolved.
|
||
|
|
||
| var err error | ||
|
|
||
| switch c.Get("auth_strategy").(string) { | ||
|
|
@@ -182,7 +189,7 @@ func (a *AuthZ) validateUserTenantPermissions(c echo.Context, r *middleware.Rout | |
| c.Set("tenant-member", tenantMember) | ||
|
|
||
| // authorize tenant operations | ||
| if err := a.authorizeTenantOperations(tenantMember.Role, r); err != nil { | ||
| if err := a.authorizeTenantOperations(string(tenantMember.Role), r); err != nil { | ||
| a.l.Debug().Ctx(ctx).Err(err).Msgf("error authorizing tenant operations") | ||
|
|
||
| return unauthorized | ||
|
|
@@ -192,14 +199,14 @@ func (a *AuthZ) validateUserTenantPermissions(c echo.Context, r *middleware.Rout | |
| return nil | ||
| } | ||
|
|
||
| func (a *AuthZ) authorizeTenantOperations(tenantMemberRole sqlcv1.TenantMemberRole, r *middleware.RouteInfo) error { | ||
| func (a *AuthZ) authorizeTenantOperations(roleName string, r *middleware.RouteInfo) error { | ||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. what's the reason for this change?
Member
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. we now have an internal-only |
||
| // if the operation is in the allowed operations, skip the RBAC check this is needed for extensions | ||
| if rbac.OperationIn(r.OperationID, a.config.Auth.AllowedOperations) { | ||
| return nil | ||
| } | ||
|
|
||
| // at the moment, tenant members are only restricted from creating other tenant users. | ||
| if !a.rbac.IsAuthorized(string(tenantMemberRole), r.OperationID) { | ||
| if !a.rbac.IsAuthorized(roleName, r.OperationID) { | ||
| return echo.NewHTTPError(http.StatusUnauthorized, "Not authorized to perform this operation") | ||
| } | ||
|
|
||
|
|
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,6 +1,8 @@ | ||
| roles: | ||
| OWNER: | ||
| inherits: [ADMIN] | ||
| NOAUTH: | ||
| inherits: [MEMBER] | ||
| ADMIN: | ||
| inherits: [MEMBER] | ||
| permissions: | ||
|
|
||
|
mnafees marked this conversation as resolved.
|
Uh oh!
There was an error while loading. Please reload this page.