feat(scopes): Enforce scope hierarchy #54510
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
github-actions
bot
added
the
Scope: Backend
Codecov Report
@@ Coverage Diff @@
## master #54510 +/- ##
===========================================
+ Coverage 55.22% 78.60% +23.37%
===========================================
Files 5069 5080 +11
Lines 218768 218661 -107
Branches 37052 37020 -32
===========================================
+ Hits 120825 171881 +51056
+ Misses 94455 41212 -53243
- Partials 3488 5568 +2080
|
schew2381
commented
Aug 10, 2023
schew2381
commented
Aug 10, 2023
Comment on lines
+30
to
+33
| "scopes": [ | ||
| "event:read", | ||
| "project:read", | ||
| ], |
There was a problem hiding this comment.
fix: refactor test to work with alphabetical order
schew2381
commented
Aug 10, 2023
| @@ -64,7 +64,7 @@ def setUp(self): | |||
| super().setUp() | |||
|
|
|||
| self.sentry_app = self.create_sentry_app( | |||
| name="external_app", organization=self.org, scopes=("org:write", "team:admin") | |||
| name="external_app", organization=self.org, scopes=("org:read", "team:read") | |||
There was a problem hiding this comment.
fix: refactor test to avoid implicit hierarchy
schew2381
commented
Aug 10, 2023
| @@ -79,4 +79,4 @@ def test_create_token(self): | |||
|
|
|||
| # verify token was created properly | |||
| assert api_token.expires_at == today | |||
| assert api_token.scope_list == ["org:write", "team:admin"] | |||
| assert api_token.scope_list == ["org:read", "team:read"] | |||
There was a problem hiding this comment.
fix: refactor test to avoid implicit hierarchy
schew2381
commented
Sep 11, 2023
| @@ -325,7 +325,7 @@ def test_valid_params_id_token_additional_scopes(self): | |||
| data = json.loads(resp.content) | |||
| token = ApiToken.objects.get(token=data["access_token"]) | |||
|
|
|||
| assert token.get_scopes() == ["openid", "profile", "email"] | |||
| assert token.get_scopes() == ["email", "openid", "profile"] | |||
There was a problem hiding this comment.
nit: change ordering b/c response scopes will be in alphabetical order
schew2381
changed the title
cathteng
reviewed
Sep 19, 2023
schew2381
changed the title
sentaur-athena
approved these changes
Sep 25, 2023
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Note
ref(token): Update create user token page to use dropdowns #54651
Implementation
To model the hierarchy I used a simple dict of scope -> all granted scopes. I chose this approach b/c it's very simple and easy to enforce in the code.
We use a pre-save signal on the
ApiKeyandApiTokenmodels to enforce scope hierarchy. The basic scope hierarchy for each resource is:When updating one of these models, there is no way to know if the scopes are enforced without fetching it from the DB. To avoid this trip, we always iterate through the hierarchy mapping.