-
-
Notifications
You must be signed in to change notification settings - Fork 361
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
#321 #334
#321 #334
Conversation
@aeneasr probably, it would make sense to discuss the draft, to verify whether I am heading the right direction. |
@ayzu yes, I will review it now. By the way, did you see the E-Mail from Jared? |
Yes, I replied to it recently.
…On Thu, 9 Jan 2020, 10:31 hackerman, ***@***.***> wrote:
@ayzu <https://github.com/ayzu> yes, I will review it now. By the way,
did you see the E-Mail from Jared?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#334?email_source=notifications&email_token=AMAKVPFICD7GN5GZPBLNP4TQ43VGHA5CNFSM4KEONRJKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEIPTZDQ#issuecomment-572472462>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AMAKVPALLE22EN2W25OLSADQ43VGHANCNFSM4KEONRJA>
.
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks really good! I just have some small nit picks but I think this is on track!
|
||
f.enqueueEvent(events, event{et: eventRepositoryConfigChanged, source: "entrypoint"}) | ||
|
||
viperx.AddWatcher(func(e fsnotify.Event) error { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Note to myself: Check if this will work as intended
@@ -138,14 +140,6 @@ type Upstream struct { | |||
|
|||
var _ json.Unmarshaler = new(Rule) | |||
|
|||
func NewRule() *Rule { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A particular reason for removing this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I didn't see usages of it.
@@ -115,9 +110,19 @@ func (a *AuthorizerKetoEngineACPORY) Authorize(r *http.Request, session *authn.A | |||
|
|||
var b bytes.Buffer | |||
u := fmt.Sprintf("%s://%s%s", r.URL.Scheme, r.URL.Host, r.URL.Path) | |||
|
|||
action, err := rule.Replace(u, cf.RequiredAction) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@aeneasr Do you intend to have this Replace functionality for regexp strategy only or for both regexp and glob?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hm, that is a good question. I'm not sure if we can actually use this for glob, right?
I also think that we should really update this handler and make it more generic. So it would be fine for me to just support this specific handler for regexp, and throw an error if glob is used (for now).
What do you think?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hm, that is a good question. I'm not sure if we can actually use this for glob, right?
I also think that we should really update this handler and make it more generic. So it would be fine for me to just support this specific handler for regexp, and throw an error if glob is used (for now).
What do you think?
I agree. I don't see the out-of-the-box replacement functionality for glob.
We can add a check for a flavour here: https://github.com/ory/oathkeeper/blob/master/pipeline/authz/keto_engine_acp_ory.go#L111 and return an error if it is not a blank string (defaults to regex), "regex" or "text". Otherwise, we invoke rule.ReplaceAllString
and proceed as usual. We can rename this method to RegexpReplaceAll
to show that currently only regexp replacement is supported. What do you think?
What's the difference, by the way, between "text" and "regex"? It seems like both flavours invoke regexp.ReplaceAllString
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
return an error if it is not a blank string (defaults to regex), "regex" or "text". Otherwise, we invoke rule.ReplaceAllString and proceed as usual. We can rename this method to RegexpReplaceAll to show that currently only regexp replacement is supported. What do you think?
What's the difference, by the way, between "text" and "regex"? It seems like both flavours invoke regexp.ReplaceAllString.
So the flavor is actually only relevant for the upstream service (ORY Keto), not for ORY Oathkeeper itself. Therefore, the flavor does not matter regarding the logic here - we can simply decide based on the access_rule matching strategy!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ok, thank you, @aeneasr
As we discussed, I added a new interface MatchingEngine
and its glob implementation.
I will some tests and update documentation later.
@aeneasr one more general question, about copyright in newly created files. Is it supposed to be the same as in existing ones? How about the copyright years? |
Yeah we haven't really been super diligent with that. We definitely need something to automate this in the future. Maybe via the CI or something. |
@aeneasr I have created a corresponding PR in docs repo. I believe this PR now is review-ready:) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As discussed
Hi @aeneasr ! As discussed, I have merged the tests. I have one check failing: https://circleci.com/gh/ory/oathkeeper/3381?utm_campaign=vcs-integration-link&utm_medium=referral&utm_source=github-checks-link
This is an indirect dependency. As far as I understand 0.1.1 is the latest stable version (though they do have some newer release candidates). What do you think? |
The CVE affects everything below 1.0.0-rc.7 I believe. I've updated ory/x (which uses ory/dockertest, which uses runc) to bump runc -> dockertest -> x. If you update ory/x (which it is on master I believe so a merge/rebase should be enough) it should work :) |
Yes, ory/x -> dockertst -> runc
ory/x v0.0.93 (latest tag) depends on runc 1.0.0-rc9 and we can use it.
Some other dependencies in `ory/oathkeeper` require the previous versions of
ory/x 0.0.88 and 0.0.85 (which in turn depend on a vulnerable version of runc):
``` go mod graph | grep github.com/ory/x
github.com/ory/oathkeeper github.com/ory/[email protected]
github.com/ory/sdk/[email protected]
github.com/ory/[email protected]
github.com/ory/[email protected] github.com/ory/[email protected]```
Do you want me to update them? An alternative would be to use `replace`
statement in `ory/oathkeeper` for dependency `runc` and therefore force every other dependency to use the right version of runc.
…On Mon, Feb 3, 2020 at 9:32 AM hackerman ***@***.***> wrote:
This is an indirect dependency. As far as I understand 0.1.1 is the latest
stable version (though they do have some newer release candidates).
The CVE affects everything below 1.0.0-rc.7 I believe. I've updated ory/x
(which uses ory/dockertest, which uses runc) to bump runc -> dockertest ->
x. If you update ory/x (which it is on master I believe so a merge/rebase
should be enough) it should work :)
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#334?email_source=notifications&email_token=AMAKVPH5EJZNQUQZKQUSP33RA7JB7A5CNFSM4KEONRJKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEKS54QI#issuecomment-581295681>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AMAKVPDRWA3KQ2SGLOIQ5DTRA7JB7ANCNFSM4KEONRJA>
.
|
Yeah, you have to update ory/x to 0.0.93 :) The library is very unstable, there might be build issues but they should be easy to resolve. If not, I can help |
This update allows to use negative lookahead in regexp. Signed-off-by: Aynur Zulkarnaev <[email protected]>
Signed-off-by: Aynur Zulkarnaev <[email protected]>
…p object This change can help to unify regexp and glob matching strategies. Signed-off-by: Aynur Zulkarnaev <[email protected]>
Signed-off-by: Aynur Zulkarnaev <[email protected]>
Signed-off-by: Aynur Zulkarnaev <[email protected]>
… glob. Signed-off-by: Aynur Zulkarnaev <[email protected]>
Signed-off-by: Aynur Zulkarnaev <[email protected]>
Signed-off-by: Aynur Zulkarnaev <[email protected]>
Signed-off-by: Aynur Zulkarnaev <[email protected]>
Signed-off-by: Aynur Zulkarnaev <[email protected]>
Signed-off-by: Aynur Zulkarnaev <[email protected]>
Signed-off-by: Aynur Zulkarnaev <[email protected]>
Signed-off-by: Aynur Zulkarnaev <[email protected]>
Signed-off-by: Aynur Zulkarnaev <[email protected]>
ok, @aeneasr I did a rebase, so now it uses ory/x 0.0.93 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sweet! Just some minor things but I think this is good to merge after they have been addressed!
Signed-off-by: Aynur Zulkarnaev <[email protected]>
Thank you for the comments, I have updated the code. |
Awesome, thank you for your hard work! |
See ory/oathkeeper#334 Signed-off-by: Aynur Zulkarnaev <[email protected]>
Happy to commit and thank you for the reviews!
…On Wed, Feb 5, 2020 at 11:49 AM hackerman ***@***.***> wrote:
Awesome, thank you for your hard work!
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#334?email_source=notifications&email_token=AMAKVPGHWFOC4ISLUWEE6WTRBKKR7A5CNFSM4KEONRJKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEK27HBI#issuecomment-582349701>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AMAKVPCMGC6JELYMB4UQDBLRBKKR7ANCNFSM4KEONRJA>
.
|
No problem, will probably roll out a new release for this soon :) |
Related issue
Closes #321
Proposed changes
Checklist
vulnerability. If this pull request addresses a security vulnerability, I
confirm that I got green light (please contact
[email protected]) from the maintainers to push
the changes.
developer guide (if appropriate)
Further comments