Each REST endpoint can now define what's the required scope to access it with an OAuth2 access token with an annotation `@oauth2-scope`. This AOP approch has been choosed as it seems to be the easiest option to add new scopes for developers and the most secure one as it does fail open in case of issue. Others approaches has been evaluated: * force each endpoint to validate the OAuth2 access token: this will lead to a lot of copy/paste for each REST endpoint to validate and potentially refuse the access if the OAuth2 access token does not have the required scope. Also if one endpoint gets the validation wrong it means data can be accessed withotu having the proper authorization. * hiding resources declaration behind a generated proxy to filter the calls: this is not easy to integrate with Restler as it requires to have the capability to generate the code of the proxies with the annotations from the proxified resource. Also it brings the complexity of code generation and the issues that comes with it (e.g. we would need to cache the generated proxies for performance reasons) in the production code. * forcing each resource class to define what is the scope it can be accessed with: this forces to edit all the resource classes and it is not possible (without a exposing cumbersome API to the developpers) to provide fine grained scopes to, for example, distinguish read/write scopes. Having an OAuth2 access token with the required scope does give access to all information exposed by a REST endpoint behind this scope. It's a supplemental condition to access it, the usual permissions handling still applies. In order to test this contribution, a new OAuth2 scope has been introduced. 'read:project' allows to get access to information about projects in a read-only mode. To use it, you will need to create an access token associated with it: mysql > INSERT INTO oauth2_access_token (user_id, verifier) VALUES(<user_id>, SHA2('aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa', 256)); mysql > INSERT INTO oauth2_access_token_scope (access_token_id, scope_key) VALUES(<token_autogenerated_id>, 'read:project'); shell > curl \ -H 'Authorization: Bearer tlp-oauth2-at1-<token_autogenerated_id>.6161616161616161616161616161616161616161616161616161616161616161' \ https://tuleap.example.com/api/projects This is part of story #14542: have OAuth2 flow Change-Id: I443f97f5b1796e7c14c9001106cb0514c47a7349

+555 −33

Author

Thomas Gerbet (tgerbet) 2020-02-19 16:33

Committer

Thomas Gerbet (tgerbet) 2020-02-19 16:33

Hash 9764d635c3e42410858d14953b334fdcaa7cb51f

Parent d19c6275b3e9c44214c0013d5cca810a3b2a5c85

Reference git #tuleap/stable/9764d635c3e42410858d14953b334fdcaa7cb51f