Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

#321 #334

Merged
merged 15 commits into from
Feb 5, 2020
Merged

#321 #334

merged 15 commits into from
Feb 5, 2020

Conversation

ayzu
Copy link
Contributor

@ayzu ayzu commented Jan 8, 2020

Related issue

Closes #321

Proposed changes

Checklist

  • [X ] I have read the contributing guidelines
  • [X ] I have read the security policy
  • [X ] I confirm that this pull request does not address a security
    vulnerability. If this pull request addresses a security vulnerability, I
    confirm that I got green light (please contact
    [email protected]) from the maintainers to push
    the changes.
  • [X ] I have added tests that prove my fix is effective or that my feature works
  • [X ] I have added necessary documentation within the code base (if appropriate)
  • [X ] I have documented my changes in the
    developer guide (if appropriate)

Further comments

@ayzu
Copy link
Contributor Author

ayzu commented Jan 8, 2020

@aeneasr probably, it would make sense to discuss the draft, to verify whether I am heading the right direction.

@aeneasr
Copy link
Member

aeneasr commented Jan 9, 2020

@ayzu yes, I will review it now. By the way, did you see the E-Mail from Jared?

@ayzu
Copy link
Contributor Author

ayzu commented Jan 9, 2020 via email

Copy link
Member

@aeneasr aeneasr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks really good! I just have some small nit picks but I think this is on track!

driver/configuration/provider.go Outdated Show resolved Hide resolved

f.enqueueEvent(events, event{et: eventRepositoryConfigChanged, source: "entrypoint"})

viperx.AddWatcher(func(e fsnotify.Event) error {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note to myself: Check if this will work as intended

rule/repository_memory.go Show resolved Hide resolved
@@ -138,14 +140,6 @@ type Upstream struct {

var _ json.Unmarshaler = new(Rule)

func NewRule() *Rule {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A particular reason for removing this?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I didn't see usages of it.

rule/rule.go Outdated Show resolved Hide resolved
rule/rule_test.go Show resolved Hide resolved
@@ -115,9 +110,19 @@ func (a *AuthorizerKetoEngineACPORY) Authorize(r *http.Request, session *authn.A

var b bytes.Buffer
u := fmt.Sprintf("%s://%s%s", r.URL.Scheme, r.URL.Host, r.URL.Path)

action, err := rule.Replace(u, cf.RequiredAction)
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@aeneasr Do you intend to have this Replace functionality for regexp strategy only or for both regexp and glob?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hm, that is a good question. I'm not sure if we can actually use this for glob, right?

I also think that we should really update this handler and make it more generic. So it would be fine for me to just support this specific handler for regexp, and throw an error if glob is used (for now).

What do you think?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hm, that is a good question. I'm not sure if we can actually use this for glob, right?

I also think that we should really update this handler and make it more generic. So it would be fine for me to just support this specific handler for regexp, and throw an error if glob is used (for now).

What do you think?

I agree. I don't see the out-of-the-box replacement functionality for glob.

We can add a check for a flavour here: https://github.com/ory/oathkeeper/blob/master/pipeline/authz/keto_engine_acp_ory.go#L111 and return an error if it is not a blank string (defaults to regex), "regex" or "text". Otherwise, we invoke rule.ReplaceAllString and proceed as usual. We can rename this method to RegexpReplaceAll to show that currently only regexp replacement is supported. What do you think?

What's the difference, by the way, between "text" and "regex"? It seems like both flavours invoke regexp.ReplaceAllString.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

return an error if it is not a blank string (defaults to regex), "regex" or "text". Otherwise, we invoke rule.ReplaceAllString and proceed as usual. We can rename this method to RegexpReplaceAll to show that currently only regexp replacement is supported. What do you think?

What's the difference, by the way, between "text" and "regex"? It seems like both flavours invoke regexp.ReplaceAllString.

So the flavor is actually only relevant for the upstream service (ORY Keto), not for ORY Oathkeeper itself. Therefore, the flavor does not matter regarding the logic here - we can simply decide based on the access_rule matching strategy!

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ok, thank you, @aeneasr

As we discussed, I added a new interface MatchingEngine and its glob implementation.

I will some tests and update documentation later.

rule/rule.go Outdated Show resolved Hide resolved
@ayzu
Copy link
Contributor Author

ayzu commented Jan 12, 2020

@aeneasr one more general question, about copyright in newly created files. Is it supposed to be the same as in existing ones? How about the copyright years?

@aeneasr
Copy link
Member

aeneasr commented Jan 13, 2020

@aeneasr one more general question, about copyright in newly created files. Is it supposed to be the same as in existing ones? How about the copyright years?

Yeah we haven't really been super diligent with that. We definitely need something to automate this in the future. Maybe via the CI or something.

@ayzu ayzu marked this pull request as ready for review January 15, 2020 15:42
@ayzu
Copy link
Contributor Author

ayzu commented Jan 15, 2020

@aeneasr I have created a corresponding PR in docs repo. I believe this PR now is review-ready:)

Copy link
Member

@aeneasr aeneasr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As discussed

api/decision_test.go Outdated Show resolved Hide resolved
api/rule_test.go Outdated Show resolved Hide resolved
@ayzu
Copy link
Contributor Author

ayzu commented Feb 2, 2020

Hi @aeneasr !

As discussed, I have merged the tests.

I have one check failing: https://circleci.com/gh/ory/oathkeeper/3381?utm_campaign=vcs-integration-link&utm_medium=referral&utm_source=github-checks-link

[198/323] pkg:golang/github.com/opencontainers/[email protected] [Vulnerable] 1 known vulnerabilities affecting installed version

This is an indirect dependency. As far as I understand 0.1.1 is the latest stable version (though they do have some newer release candidates).

What do you think?

@aeneasr
Copy link
Member

aeneasr commented Feb 3, 2020

This is an indirect dependency. As far as I understand 0.1.1 is the latest stable version (though they do have some newer release candidates).

The CVE affects everything below 1.0.0-rc.7 I believe. I've updated ory/x (which uses ory/dockertest, which uses runc) to bump runc -> dockertest -> x. If you update ory/x (which it is on master I believe so a merge/rebase should be enough) it should work :)

@ayzu
Copy link
Contributor Author

ayzu commented Feb 3, 2020 via email

@aeneasr
Copy link
Member

aeneasr commented Feb 3, 2020

Yeah, you have to update ory/x to 0.0.93 :) The library is very unstable, there might be build issues but they should be easy to resolve. If not, I can help

Aynur Zulkarnaev added 12 commits February 3, 2020 13:35
This update allows to use negative lookahead in regexp.

Signed-off-by: Aynur Zulkarnaev <[email protected]>
…p object

This change can help to unify regexp and glob matching strategies.

Signed-off-by: Aynur Zulkarnaev <[email protected]>
Signed-off-by: Aynur Zulkarnaev <[email protected]>
Aynur Zulkarnaev added 2 commits February 3, 2020 13:35
Signed-off-by: Aynur Zulkarnaev <[email protected]>
Signed-off-by: Aynur Zulkarnaev <[email protected]>
@ayzu
Copy link
Contributor Author

ayzu commented Feb 3, 2020

ok, @aeneasr

I did a rebase, so now it uses ory/x 0.0.93

Copy link
Member

@aeneasr aeneasr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sweet! Just some minor things but I think this is good to merge after they have been addressed!

README.md Show resolved Hide resolved
README.md Outdated Show resolved Hide resolved
rule/engine_glob.py.go Outdated Show resolved Hide resolved
rule/engine_regexp.go Outdated Show resolved Hide resolved
rule/engine_glob.py.go Outdated Show resolved Hide resolved
rule/matcher_test.go Show resolved Hide resolved
Signed-off-by: Aynur Zulkarnaev <[email protected]>
@ayzu
Copy link
Contributor Author

ayzu commented Feb 4, 2020

Sweet! Just some minor things but I think this is good to merge after they have been addressed!

Thank you for the comments, I have updated the code.

@aeneasr
Copy link
Member

aeneasr commented Feb 5, 2020

Awesome, thank you for your hard work!

@aeneasr aeneasr merged commit 5f983ab into ory:master Feb 5, 2020
aeneasr pushed a commit to ory/docs that referenced this pull request Feb 5, 2020
@ayzu
Copy link
Contributor Author

ayzu commented Feb 5, 2020 via email

@aeneasr
Copy link
Member

aeneasr commented Feb 5, 2020

No problem, will probably roll out a new release for this soon :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Implement additional matching strategies and use negative lookahead regex
2 participants