mirror of
https://github.com/Unleash/unleash.git
synced 2024-12-28 00:06:53 +01:00
3acb116ab2
## What As part of the move to enable custom-root-roles, our permissions model was found to not be granular enough to allow service accounts to only be allowed to create read-only tokens (client, frontend), but not be allowed to create admin tokens to avoid opening up a path for privilege escalation. ## How This PR adds 12 new roles, a CRUD set for each of the three token types (admin, client, frontend). To access the `/api/admin/api-tokens` endpoints you will still need the existing permission (CREATE_API_TOKEN, DELETE_API_TOKEN, READ_API_TOKEN, UPDATE_API_TOKEN). Once this PR has been merged the token type you're modifying will also be checked, so if you're trying to create a CLIENT api-token, you will need `CREATE_API_TOKEN` and `CREATE_CLIENT_API_TOKEN` permissions. If the user performing the create call does not have these two permissions or the `ADMIN` permission, the creation will be rejected with a `403 - FORBIDDEN` status. ### Discussion points The test suite tests all operations using a token with operation_CLIENT_API_TOKEN permission and verifies that it fails trying to do any of the operations against FRONTEND and ADMIN tokens. During development the operation_FRONTEND_API_TOKEN and operation_ADMIN_API_TOKEN permission has also been tested in the same way. I wonder if it's worth it to re-add these tests in order to verify that the permission checker works for all operations, or if this is enough. Since we're running them using e2e tests, I've removed them for now, to avoid hogging too much processing time.
32 lines
1.7 KiB
JavaScript
32 lines
1.7 KiB
JavaScript
exports.up = function (db, cb) {
|
|
db.runSql(
|
|
`
|
|
INSERT INTO permissions(permission, display_name, type) VALUES
|
|
('CREATE_ADMIN_API_TOKEN', 'Allowed to create new ADMIN tokens', 'root'),
|
|
('UPDATE_ADMIN_API_TOKEN', 'Allowed to update ADMIN tokens', 'root'),
|
|
('DELETE_ADMIN_API_TOKEN', 'Allowed to delete ADMIN tokens', 'root'),
|
|
('READ_ADMIN_API_TOKEN', 'Allowed to read ADMIN tokens', 'root'),
|
|
('CREATE_CLIENT_API_TOKEN', 'Allowed to create new CLIENT tokens', 'root'),
|
|
('UPDATE_CLIENT_API_TOKEN', 'Allowed to update CLIENT tokens', 'root'),
|
|
('DELETE_CLIENT_API_TOKEN', 'Allowed to delete CLIENT tokens', 'root'),
|
|
('READ_CLIENT_API_TOKEN', 'Allowed to read CLIENT tokens', 'root'),
|
|
('CREATE_FRONTEND_API_TOKEN', 'Allowed to create new FRONTEND tokens', 'root'),
|
|
('UPDATE_FRONTEND_API_TOKEN', 'Allowed to update FRONTEND tokens', 'root'),
|
|
('DELETE_FRONTEND_API_TOKEN', 'Allowed to delete FRONTEND tokens', 'root'),
|
|
('READ_FRONTEND_API_TOKEN', 'Allowed to read FRONTEND tokens', 'root');
|
|
`,
|
|
cb,
|
|
);
|
|
};
|
|
|
|
exports.down = function (db, cb) {
|
|
db.runSql(
|
|
`
|
|
DELETE FROM permissions WHERE permission IN ('CREATE_ADMIN_API_TOKEN', 'UPDATE_ADMIN_API_TOKEN', 'DELETE_ADMIN_API_TOKEN', 'READ_ADMIN_API_TOKEN');
|
|
DELETE FROM permissions WHERE permission IN ('CREATE_CLIENT_API_TOKEN', 'UPDATE_CLIENT_API_TOKEN', 'DELETE_CLIENT_API_TOKEN', 'READ_CLIENT_API_TOKEN');
|
|
DELETE FROM permissions WHERE permission IN ('CREATE_FRONTEND_API_TOKEN', 'UPDATE_FRONTEND_API_TOKEN', 'DELETE_FRONTEND_API_TOKEN', 'READ_FRONTEND_API_TOKEN');
|
|
`,
|
|
cb,
|
|
);
|
|
};
|