Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

refactor: rename simple-authorization to legacy-authorization, change function footprint #5772

Merged
merged 91 commits into from
Dec 6, 2019
Merged

refactor: rename simple-authorization to legacy-authorization, change function footprint #5772

merged 91 commits into from
Dec 6, 2019

Conversation

kieckhafer
Copy link
Member

@kieckhafer kieckhafer commented Oct 31, 2019
edited
Loading

Impact: minor
Type: feature|refactor

As an interim step in our transition from our current authorization system to our new Keto based system, we have changed the function signature for our permission checks.

The new signiture looks like this, with legacyRoles being the array of roles previously sent into the legacy auth check:
validatePermissions("resource", "action", { shopId, legacyRoles: [], ...}

Testing

You should see no changes in how the app functions with this PR. The legacy auth service hasPermission check has been updated to use the new function signature.

Breaking Changes

Nothing for core code / Reaction 3.0, but this will break and third party / plugin auth checks.

kieckhafer and others added 8 commits October 31, 2019 11:28
@kieckhafer
refactor: change existing permissions to "legacy"
b920ab6 
Signed-off-by: Erik Kieckhafer <[email protected]>
@kieckhafer
refactor: update context functions to be "legacy"
7a241ce 
Signed-off-by: Erik Kieckhafer <[email protected]>
@kieckhafer
refactor: rename simple-auth to legacy-auth
730a3a3 
Signed-off-by: Erik Kieckhafer <[email protected]>
@kieckhafer
refactor: add non-legacy functions back into buildContext
9258353 
Signed-off-by: Erik Kieckhafer <[email protected]>
@kieckhafer
test: fix filenames in imports
cfa411c 
Signed-off-by: Erik Kieckhafer <[email protected]>
@kieckhafer
feat: add checkPermissions in all places checkPermissionsLegacy is used
7ced5aa 
Signed-off-by: Erik Kieckhafer <[email protected]>
@kieckhafer
temp: add TODO notes for userHasPermissionLegacy checks
eaf4d44 
Signed-off-by: Erik Kieckhafer <[email protected]>
@rosshadden
chore: rename check => validate
afc0bfc 
Signed-off-by: Ross Hadden <[email protected]>
@kieckhafer kieckhafer mentioned this pull request Nov 1, 2019
Closed
rosshadden and others added 21 commits November 1, 2019 19:11
@rosshadden
feat: resolved some auth TODOs
982024e 
Signed-off-by: Ross Hadden <[email protected]>
@rosshadden
chore: pluralized resource names
432c532 
Signed-off-by: Ross Hadden <[email protected]>
@kieckhafer
refactor: update permissions to use correct system
4f7b160 
Signed-off-by: Erik Kieckhafer <[email protected]>
@kieckhafer
refactor: remove legacy wildcard shopId check
d642a1a 
Signed-off-by: Erik Kieckhafer <[email protected]>
@kieckhafer
chore: TODO formatting
11d35c6 
Signed-off-by: Erik Kieckhafer <[email protected]>
@kieckhafer
refactor: perform permissions checks separately on each item in an array
4c2ff68 
Signed-off-by: Erik Kieckhafer <[email protected]>
@kieckhafer
refactor: check for multiple permission types in navigationTreeById q…
64debdd 
…uery

Signed-off-by: Erik Kieckhafer <[email protected]>
@kieckhafer
refactor: rewrite queries to better use permissions
f8d685f 
Signed-off-by: Erik Kieckhafer <[email protected]>
@kieckhafer
refactor: better permission checks on tags
6c055f1 
Signed-off-by: Erik Kieckhafer <[email protected]>
@kieckhafer
style: typo fix
d171873 
Signed-off-by: Erik Kieckhafer <[email protected]>
@kieckhafer
refactor: reorder permission checks for better performance
c208992 
Signed-off-by: Erik Kieckhafer <[email protected]>
@rosshadden
Merge remote-tracking branch 'origin/release-3.0.0' into feat-kieckha…
3c17ae5 
…fer-multiplePermissions

Signed-off-by: Ross Hadden <[email protected]>
@rosshadden
Modified arguments to legacy permissions validation function.
87cde3a 
Signed-off-by: Ross Hadden <[email protected]>
@rosshadden
Updated some order policy actions.
3f5f825 
Signed-off-by: Ross Hadden <[email protected]>
@rosshadden
Updated more order policy actions.
4865ade 
Signed-off-by: Ross Hadden <[email protected]>
@rosshadden
Added order policies.
1dc5934 
Signed-off-by: Ross Hadden <[email protected]>
@kieckhafer
add policies for product package
e986bc3 
Signed-off-by: Erik Kieckhafer <[email protected]>
@kieckhafer
add policies for files package
c1e2a8e 
Signed-off-by: Erik Kieckhafer <[email protected]>
@rosshadden
Removed concern names from policy subjects.
b830b70 
Signed-off-by: Ross Hadden <[email protected]>
@rosshadden
Merge remote-tracking branch 'origin/release-3.0.0' into feat-kieckha…
2556f46 
…fer-multiplePermissions
@rosshadden
Added tag policies.
bc86d3b 
Signed-off-by: Ross Hadden <[email protected]>
aldeed
aldeed reviewed Dec 5, 2019
View reviewed changes
src/core-services/account/mutations/addAccountEmailRecord.js Outdated
if (!context.isInternalCall) {
await context.validatePermissions(`reaction:accounts:${account._id}`, "add:emails", {
shopId: account.shopId,
owner: account._id,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@rosshadden @kieckhafer All validatePermissions calls should be using account.userId rather than account._id everywhere. We currently set them to the same string, but it's not a guarantee if people import them or something.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Understood, thank you!

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Referring to owner value. In this case reaction:accounts:${account._id} probably is correct because that's the account you are accessing.

Copy link
Contributor

@rosshadden rosshadden Dec 5, 2019
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What about context.accountId? We have a lot of properties that are (currently) the same thing.
All of these account references have database lookups to the Accounts collection. It looks like we could refactor a lot of places to use the account data on the context and save many DB calls.

rosshadden and others added 7 commits December 5, 2019 16:18
@rosshadden
feat: use userId instead of account id, even though they are currentl…
c06a24e 
…y the same

This future-proofs the code a bit.

Signed-off-by: Ross Hadden <[email protected]>
@kieckhafer
update tests with new footprint
22f87ca 
Signed-off-by: Erik Kieckhafer <[email protected]>
@kieckhafer
Merge branch 'feat-kieckhafer-multiplePermissions' of github.com:/rea…
e593141 
…ctioncommerce/reaction into feat-kieckhafer-multiplePermissions
@kieckhafer
lint fixes
586bc33 
Signed-off-by: Erik Kieckhafer <[email protected]>
@kieckhafer
fix tests
6018e6b 
Signed-off-by: Erik Kieckhafer <[email protected]>
@kieckhafer
lint fixes
8936871 
Signed-off-by: Erik Kieckhafer <[email protected]>
@kieckhafer
revert accidental commit of numbers
6ff21d8 
Signed-off-by: Erik Kieckhafer <[email protected]>
@kieckhafer kieckhafer changed the title [WIP] refactor simple-authorization to legacy-authorization, and add keto-authorization capabilites refactor: rename simple-authorization to legacy-authorization, change function footprint Dec 5, 2019
@kieckhafer kieckhafer requested a review from mikemurray December 5, 2019 22:44
@kieckhafer
fix integration tests
ca564b9 
Signed-off-by: Erik Kieckhafer <[email protected]>
@kieckhafer
test updates
aa06461 
Signed-off-by: Erik Kieckhafer <[email protected]>
@kieckhafer
lint fixes
426ce16 
Signed-off-by: Erik Kieckhafer <[email protected]>
@kieckhafer
fix addOrderFulfillmentGroup tests
7de81e8 
Signed-off-by: Erik Kieckhafer <[email protected]>
@kieckhafer
add user to tags test
553e220 
Signed-off-by: Erik Kieckhafer <[email protected]>
@kieckhafer
fix addAccountToGroup tests
03be6c2 
Signed-off-by: Erik Kieckhafer <[email protected]>
@kieckhafer
fix groups test
648deb5 
Signed-off-by: Erik Kieckhafer <[email protected]>
@kieckhafer kieckhafer marked this pull request as ready for review December 6, 2019 21:14
@kieckhafer
Copy link
Member Author

@rosshadden I believe this is ready to go on my end. Have you updated the values @aldeed mentioned?

@kieckhafer
add shopId to tests (required now)
b8780d5 
Signed-off-by: Erik Kieckhafer <[email protected]>
@kieckhafer kieckhafer mentioned this pull request Dec 6, 2019
Closed
@kieckhafer
Copy link
Member Author

Failing tests ticket #5861

mikemurray
mikemurray approved these changes Dec 6, 2019
View reviewed changes
Copy link
Member

@mikemurray mikemurray left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved. This ticket is too big and too crucial to future tests to leave sitting for any longer. I'm going to approve and merge this now and work on fixing the tests immediately. Any other comments or changes to this PR by other reviewers should be made into tickets.

@mikemurray mikemurray merged commit de93575 into release-3.0.0 Dec 6, 2019
@mikemurray mikemurray deleted the feat-kieckhafer-multiplePermissions branch December 6, 2019 22:17
@kieckhafer kieckhafer mentioned this pull request Dec 7, 2019
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rosshadden rosshadden rosshadden left review comments

@aldeed aldeed aldeed left review comments

@mikemurray mikemurray mikemurray approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@kieckhafer @mikemurray @rosshadden @aldeed