PUT resource policy does not validate type or existence of identity IDs #1246
Comments
Yeah, this looks like a bug. It also seems like a separate bug if the resulting role assignment actually works.

I have not yet tested whether it actually works, but I am working on that.
Since @morlandi7 asked, I checked the code and can't see any evidence this has changed since being reported. Testing on colo rack:

```js
// trying to use the same ID twice. this 500s
(await oxide.policyUpdate({ body: { role_assignments: [
  { identity_type: "silo_group", identity_id: "7da1c977-ba19-4a26-bd68-3fb1463ab2c7", role_name: "admin" },
  { identity_type: "silo_group", identity_id: "7da1c977-ba19-4a26-bd68-3fb1463ab2c7", role_name: "admin" },
] } }))

// using a non-existent ID. this works just fine
(await oxide.policyUpdate({ body: { role_assignments: [
  { identity_type: "silo_group", identity_id: "7da1c977-ba19-4a26-bd68-3fb1463ab2c7", role_name: "admin" },
  { identity_type: "silo_group", identity_id: "00000000-0000-0000-0000-000000000000", role_name: "admin" },
] } })).data
```

So I'm thinking a better framing of this issue is that there is simply no validation on the IDs passed in, whether on their existence or their "type". The second request above also results in this amusing situation in the UI because we cannot find the ID in the list of users and groups.
I've been using the system users from `/users` to test role assignment on orgs and projects because I can't list silo users yet (#1235). It just occurred to me that I should not be able to assign resource roles to system users! Here is the PUT body:

It seems that as long as I say `identity_type: "silo_user"`, the API does not validate that that is true.

omicron/nexus/src/db/datastore.rs, lines 3761 to 3785 in 0588fac
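The two findings in this thread (duplicate assignments cause a 500, and non-existent, wrong-typed or system-user IDs are accepted as long as the caller labels them `silo_user`/`silo_group`) both come down to the same missing step: validating every entry of `role_assignments` against what the server actually knows before anything is written. The block below is an added illustration of that validation written for this page; it is not Nexus's code and does not mirror `datastore.rs`. The `IdentityDirectory` type, the `PolicyError` variants and the silo-user and system-user UUIDs are constructed for the example; the group ID and the all-zeros ID are the ones used in the thread.

```rust
use std::collections::HashSet;

/// Identity kinds a policy may reference (assumed set for this example).
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
pub enum IdentityType {
    SiloUser,
    SiloGroup,
}

/// One entry of the `role_assignments` array in the PUT body.
#[derive(Debug, Clone, PartialEq, Eq, Hash)]
pub struct RoleAssignment {
    pub identity_type: IdentityType,
    pub identity_id: String,
    pub role_name: String,
}

/// Reasons to reject the whole update with a client error before touching the database.
#[derive(Debug, PartialEq, Eq)]
pub enum PolicyError {
    MalformedId(String),
    UnknownIdentity(String),
    SystemUserNotEligible(String),
    WrongType { identity_id: String, claimed: IdentityType, actual: IdentityType },
    Duplicate(RoleAssignment),
}

/// Hypothetical in-memory view of the identities the server knows about.
pub struct IdentityDirectory {
    pub silo_users: HashSet<String>,
    pub silo_groups: HashSet<String>,
    pub system_users: HashSet<String>,
}

impl IdentityDirectory {
    /// Build a directory from string slices (constructed data, stands in for DB lookups).
    pub fn new(silo_users: &[&str], silo_groups: &[&str], system_users: &[&str]) -> Self {
        let to_set = |ids: &[&str]| -> HashSet<String> { ids.iter().map(|s| s.to_string()).collect() };
        IdentityDirectory {
            silo_users: to_set(silo_users),
            silo_groups: to_set(silo_groups),
            system_users: to_set(system_users),
        }
    }
}

/// Cheap syntactic check (8-4-4-4-12 hex groups) so junk is rejected before any lookup.
pub fn is_uuid_shaped(s: &str) -> bool {
    let b = s.as_bytes();
    if b.len() != 36 {
        return false;
    }
    b.iter().enumerate().all(|(i, c)| match i {
        8 | 13 | 18 | 23 => *c == b'-',
        _ => c.is_ascii_hexdigit(),
    })
}

/// Validate every assignment, failing on the first problem found.
pub fn validate_policy(dir: &IdentityDirectory, assignments: &[RoleAssignment]) -> Result<(), PolicyError> {
    let mut seen: HashSet<&RoleAssignment> = HashSet::new();
    for a in assignments {
        let id = &a.identity_id;
        if !is_uuid_shaped(id) {
            return Err(PolicyError::MalformedId(id.clone()));
        }
        // System (built-in) users are never eligible for resource roles, whatever the caller claims.
        if dir.system_users.contains(id) {
            return Err(PolicyError::SystemUserNotEligible(id.clone()));
        }
        // Existence and type are decided by the server's records, not by the request's identity_type.
        let actual = if dir.silo_users.contains(id) {
            IdentityType::SiloUser
        } else if dir.silo_groups.contains(id) {
            IdentityType::SiloGroup
        } else {
            return Err(PolicyError::UnknownIdentity(id.clone()));
        };
        if actual != a.identity_type {
            return Err(PolicyError::WrongType { identity_id: id.clone(), claimed: a.identity_type, actual });
        }
        // A repeated (type, id, role) tuple is a 400, not a database conflict surfacing as a 500.
        if !seen.insert(a) {
            return Err(PolicyError::Duplicate(a.clone()));
        }
    }
    Ok(())
}

pub fn assignment(identity_type: IdentityType, id: &str, role: &str) -> RoleAssignment {
    RoleAssignment { identity_type, identity_id: id.to_string(), role_name: role.to_string() }
}

fn main() {
    // Constructed directory: the group ID from the thread, one constructed silo user, one constructed system user.
    let dir = IdentityDirectory::new(
        &["22222222-2222-2222-2222-222222222222"],
        &["7da1c977-ba19-4a26-bd68-3fb1463ab2c7"],
        &["11111111-1111-1111-1111-111111111111"],
    );
    // Mirrors the second request in the thread: a real group plus an all-zeros ID that exists nowhere.
    let body = vec![
        assignment(IdentityType::SiloGroup, "7da1c977-ba19-4a26-bd68-3fb1463ab2c7", "admin"),
        assignment(IdentityType::SiloGroup, "00000000-0000-0000-0000-000000000000", "admin"),
    ];
    println!("{:?}", validate_policy(&dir, &body));
}
```

Doing the lookups up front, rather than letting the insert fail, also keeps the UI case in the thread from arising: an assignment is only ever stored for an identity that the users-and-groups listing can resolve.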