Skip to content

Commit 2a7095a

Browse files
authored
fix(authz): Add default role for every req. (#3664)
1.) Follow v1 flow and add `role:unknown` for every request. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Authorization now consistently evaluates requests with the default role included, improving policy matching for all requests. * Requests can now match policies tied to the fallback role even when other roles are present. <!-- end of auto-generated comment: release notes by coderabbit.ai -->
1 parent 03021fa commit 2a7095a

2 files changed

Lines changed: 32 additions & 4 deletions

File tree

service/internal/auth/authz/casbin/v2/authorizer.go

Lines changed: 1 addition & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -200,10 +200,7 @@ func (a *Authorizer) authorize(ctx context.Context, req *authz.Request) (*authz.
200200
return nil, fmt.Errorf("v2 authorization subject extraction error: %w", err)
201201
}
202202

203-
// If no subjects found, use default role
204-
if len(subjects) == 0 {
205-
subjects = append(subjects, rolePrefix+defaultRole)
206-
}
203+
subjects = append(subjects, rolePrefix+defaultRole)
207204

208205
resourceDims, err := serializeDimensions(req.ResourceContext)
209206
if err != nil {

service/internal/auth/authz/casbin/v2/authorizer_test.go

Lines changed: 31 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -794,6 +794,37 @@ p, role:unknown, /kas.AccessService/Rewrap, *, allow`,
794794
}
795795
}
796796

797+
func (s *CasbinAuthorizerSuite) TestAuthorizeV2_AllRequestsIncludeUnknownRole() {
798+
cfg := authz.Config{
799+
PolicyConfig: authz.PolicyConfig{
800+
Version: "v2",
801+
GroupsClaim: "realm_access.roles",
802+
Csv: "p, role:unknown, /kas.AccessService/Rewrap, *, allow",
803+
},
804+
Logger: s.logger,
805+
}
806+
807+
authorizer, err := s.newAuthorizer(cfg)
808+
s.Require().NoError(err)
809+
810+
token := createTestToken(s.T(), map[string]interface{}{
811+
"realm_access": map[string]interface{}{
812+
"roles": []interface{}{"standard"},
813+
},
814+
})
815+
816+
decision, err := authorizer.Authorize(context.Background(), &authz.Request{
817+
Token: token,
818+
RPC: "/kas.AccessService/Rewrap",
819+
Action: "read",
820+
})
821+
822+
s.Require().NoError(err)
823+
s.Require().NotNil(decision)
824+
s.True(decision.Allowed)
825+
s.Equal("role:unknown", decision.MatchedPolicy)
826+
}
827+
797828
// Test dimension matching logic
798829
func TestDimensionMatch(t *testing.T) {
799830
tests := []struct {

0 commit comments

Comments
 (0)