[SERVER-54501] Write AuthorizationContract class Created: 12/Feb/21  Updated: 29/Oct/23  Resolved: 26/Feb/21

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: 5.0 Required
Fix Version/s: 4.9.0

Type: Task Priority: Major - P3
Reporter: Mark Benvenuto Assignee: Mark Benvenuto
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
depends on SERVER-54499 Encode action type information into IDL Closed
depends on SERVER-54500 Encode access_checks and resource_pat... Closed
is depended on by SERVER-54521 Extend access_check for simple and pr... Closed
Backwards Compatibility: Fully Compatible
Sprint: Security 2021-03-08
Participants:

Description
  • We need to create a class that can track the checks and privileges made by AuthorizationSession, and a class for IDL to store its contract
  • AuthorizationSessionImpl will be augmented with this class in a later ticket
  • IDL will write this contract into a member variable of the generated command class

This class should hold at least the following information to support its needs

  • Constructor(initializer_list<access_checks>, initializer_list<privileges>) - to be used by IDL to generate code
  • Stores a stdx::unordered_map<ResourcePattern, ActionSet>
  • Stores a bitset for all the access checks in AuthorizationSession except for privilege checks
    • Note that the privilege check isAuthorizedForAnyActionOnAnyResourceInDB counts as an access check
  • Has getters/setters
  • Add a method to verify that a contract is a subset of another
    • A naive O(N^2) algorithm should be fine since the number of checks is usually 1-3, except for agg

C++ unit tests to add

  • Validate a non-generated contract
  • Validate a simple generated contract with a privilege
  • Validate a simple generated contract with a check
  • Validate a complex generated contract with a mix of privileges and checks
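An added sketch of the class shape described above, together with the subset check the unit tests would exercise. This is illustrative code written for this page, not MongoDB's AuthorizationContract; it assumes string stand-ins for ResourcePattern and ActionSet, a small AccessCheck enum of its own, and std containers in place of stdx.

```cpp
// Illustrative sketch of the contract described in SERVER-54501; not MongoDB's code.
// Assumed stand-ins: resource patterns are std::string, ActionSet is
// std::set<std::string>, and AccessCheck is a small enum indexing the bitset.
#include <bitset>
#include <initializer_list>
#include <set>
#include <string>
#include <unordered_map>
#include <utility>

enum class AccessCheck : std::size_t {
    kIsAuthenticated,                            // assumed example of a plain access check
    kIsAuthorizedForAnyActionOnAnyResourceInDB,  // privilege check that counts as an access check
    kNumChecks,
};

class AuthorizationContract {
public:
    using Privilege = std::pair<std::string, std::set<std::string>>;  // (resource pattern, actions)
    AuthorizationContract() = default;
    // IDL-facing constructor: generated code lists the checks and privileges a command needs.
    AuthorizationContract(std::initializer_list<AccessCheck> checks,
                          std::initializer_list<Privilege> privileges) {
        for (auto c : checks) addAccessCheck(c);
        for (const auto& p : privileges) addPrivilege(p.first, p.second);
    }
    void addAccessCheck(AccessCheck c) { _checks.set(static_cast<std::size_t>(c)); }
    bool hasAccessCheck(AccessCheck c) const { return _checks.test(static_cast<std::size_t>(c)); }
    // Actions are merged so a command can record several privileges on the same pattern.
    void addPrivilege(const std::string& pattern, const std::set<std::string>& actions) {
        _privileges[pattern].insert(actions.begin(), actions.end());
    }
    // True when every check and privilege in `other` is covered by this contract.
    // Naive nested loops, since the ticket expects only a handful of entries.
    bool contains(const AuthorizationContract& other) const {
        if ((other._checks & ~_checks).any()) return false;  // a check we never declared
        for (const auto& kv : other._privileges) {
            auto it = _privileges.find(kv.first);
            if (it == _privileges.end()) return false;        // resource pattern not declared
            for (const auto& action : kv.second)
                if (!it->second.count(action)) return false;  // action not declared on it
        }
        return true;
    }
private:
    std::bitset<static_cast<std::size_t>(AccessCheck::kNumChecks)> _checks;
    std::unordered_map<std::string, std::set<std::string>> _privileges;
};
```

The four test cases in the ticket map onto calling contains() with an empty contract, one holding only a privilege, one holding only a check, and one mixing both.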


Comments
Comment by Githook User [ 26/Feb/21 ]

Author:

{'name': 'Mark Benvenuto', 'email': 'mark.benvenuto@mongodb.com', 'username': 'markbenvenuto'}

Message: SERVER-54501 Write AuthorizationContract class
Branch: master
https://github.com/mongodb/mongo/commit/977f5f0b3305e87183a567144ef11481cec43872
