Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

#746 Multiple values in static claims #2131

Open
wants to merge 1 commit into
base: develop
Choose a base branch
from
Open

#746 Multiple values in static claims #2131

wants to merge 1 commit into from

Conversation

asrasya-kosha
Copy link

@asrasya-kosha asrasya-kosha commented Jul 31, 2024
edited by raman-m
Loading

Closes #746

Proposed Changes

  • Changed RouteClaimsRequirements to accept multiple values for a single key
  • Changed ClaimsAuthorizer to validate with any of the given values for a key for a static claim
  • Adjusted ClaimsAuthorizer for dynamic claims to only accept the first value for a given key
  • Added test cases

Note : The proposed changed will only work for static claims. There shouldn't be any effect on the dynamic claims.

@asrasya-kosha asrasya-kosha mentioned this pull request Jul 31, 2024
Open
@raman-m raman-m changed the title Multiple values in static claims #746 Multiple values in static claims Jul 31, 2024
@raman-m raman-m added feature A new feature Configuration Ocelot feature: Configuration Authorization Ocelot feature: Authorization Oct'24 October 2024 release labels Jul 31, 2024
@raman-m raman-m added this to the Summer'24 milestone Jul 31, 2024
@raman-m raman-m added the high High priority label Jul 31, 2024
@raman-m
Copy link
Member

raman-m commented Jul 31, 2024

Thank you for the PR!
Please note that the development process mandates the inclusion of both unit and acceptance tests for every new feature and bug fix. New features should be accompanied by tests that cover the new functionality. Additionally, merely fixing existing tests does not suffice to warrant approval of the PR.

@ggnaegi
Copy link
Member

ggnaegi commented Aug 8, 2024

@raman-m reviewing it right now...

ggnaegi
ggnaegi reviewed Aug 8, 2024
View reviewed changes
Copy link
Member

@ggnaegi ggnaegi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@raman-m @asrasya-kosha Ok for me, but the ClaimsAuthorizer code is difficult to read. I think we could probably refactor it a bit.

src/Ocelot/Authorization/ClaimsAuthorizer.cs
@@ -32,7 +32,7 @@ List<PlaceholderNameAndValue> urlPathPlaceholderNameAndValues
if (values.Data != null)
{
// dynamic claim
var match = Regex.Match(required.Value, @"^{(?<variable>.+)}$");
var match = Regex.Match(required.Value!.FirstOrDefault() ?? string.Empty, "^{(?<variable>.+)}$");
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's not your code, I agree, Maybe we could use a compiled Regex and enhance security by specifying a timeout, 10 seconds...

[GeneratedRegex("^{(?<variable>.+)}$", RegexOptions.Compiled, 10000)]
private static partial Regex DynamicClaimRegex();

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

in GenerateRegex, RegexOptions.Compiled is ignored

Copy link
Member

@raman-m raman-m Aug 30, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have well known open PR by Mohsen who followed Regex best practices, see #1348

@raman-m
Copy link
Member

raman-m commented Aug 9, 2024

@ggnaegi reviewed on Aug 8

Thanks for code review! But you know I will return to feature PRs after v23.3 Hotfixes release.
Also this PR has a lot of fake changes probably because of line endings problem so it's hard to read real changes.

@asrasya-kosha
Copy link
Author

Thank you for the PR! Please note that the development process mandates the inclusion of both unit and acceptance tests for every new feature and bug fix. New features should be accompanied by tests that cover the new functionality. Additionally, merely fixing existing tests does not suffice to warrant approval of the PR.

@raman-m I'll add acceptance tests and new unit tests (I thought I added them but I'll have a look once again) this weekend and update the PR. The line ending changes are perhaps a GitHub issue? because I don't see them in rider when I do sa side by side compare. Thanks

RaynaldM
RaynaldM approved these changes Aug 21, 2024
View reviewed changes
src/Ocelot/Authorization/ClaimsAuthorizer.cs
@@ -32,7 +32,7 @@ List<PlaceholderNameAndValue> urlPathPlaceholderNameAndValues
if (values.Data != null)
{
// dynamic claim
var match = Regex.Match(required.Value, @"^{(?<variable>.+)}$");
var match = Regex.Match(required.Value!.FirstOrDefault() ?? string.Empty, "^{(?<variable>.+)}$");
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

in GenerateRegex, RegexOptions.Compiled is ignored

src/Ocelot/Authorization/IClaimsAuthorizer.cs
@@ -8,7 +8,7 @@ public interface IClaimsAuthorizer
{
Response<bool> Authorize(
ClaimsPrincipal claimsPrincipal,
Dictionary<string, string> routeClaimsRequirement,
Dictionary<string, string[]> routeClaimsRequirement,
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Dictionary<string, string[]> routeClaimsRequirement,
IDictionary<string, string[]> routeClaimsRequirement,

src/Ocelot/Configuration/Builder/DownstreamRouteBuilder.cs
@@ -126,7 +126,7 @@ public DownstreamRouteBuilder WithClaimsToClaims(List<ClaimToThing> input)
return this;
}

public DownstreamRouteBuilder WithRouteClaimsRequirement(Dictionary<string, string> input)
public DownstreamRouteBuilder WithRouteClaimsRequirement(Dictionary<string, string[]> input)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
public DownstreamRouteBuilder WithRouteClaimsRequirement(Dictionary<string, string[]> input)
public DownstreamRouteBuilder WithRouteClaimsRequirement(IDictionary<string, string[]> input)

src/Ocelot/Configuration/File/FileRoute.cs
public int Priority { get; set; }
public FileQoSOptions QoSOptions { get; set; }
public FileRateLimitRule RateLimitOptions { get; set; }
public string RequestIdKey { get; set; }
public Dictionary<string, string> RouteClaimsRequirement { get; set; }
public Dictionary<string, string[]> RouteClaimsRequirement { get; set; }
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
public Dictionary<string, string[]> RouteClaimsRequirement { get; set; }
public IDictionary<string, string[]> RouteClaimsRequirement { get; set; }

src/Ocelot/Configuration/DownstreamRoute.cs
@@ -100,7 +100,7 @@ public DownstreamRoute(
public CacheOptions CacheOptions { get; }
public LoadBalancerOptions LoadBalancerOptions { get; }
public RateLimitOptions RateLimitOptions { get; }
public Dictionary<string, string> RouteClaimsRequirement { get; }
public Dictionary<string, string[]> RouteClaimsRequirement { get; }
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
public Dictionary<string, string[]> RouteClaimsRequirement { get; }
public IDictionary<string, string[]> RouteClaimsRequirement { get; }

src/Ocelot/Configuration/Builder/DownstreamRouteBuilder.cs
@@ -13,7 +13,7 @@ public class DownstreamRouteBuilder
private bool _isAuthenticated;
private List<ClaimToThing> _claimsToHeaders;
private List<ClaimToThing> _claimToClaims;
private Dictionary<string, string> _routeClaimRequirement;
private Dictionary<string, string[]> _routeClaimRequirement;
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
private Dictionary<string, string[]> _routeClaimRequirement;
private IDictionary<string, string[]> _routeClaimRequirement;

src/Ocelot/Authorization/ClaimsAuthorizer.cs
@@ -16,7 +16,7 @@ public ClaimsAuthorizer(IClaimsParser claimsParser)

public Response<bool> Authorize(
ClaimsPrincipal claimsPrincipal,
Dictionary<string, string> routeClaimsRequirement,
Dictionary<string, string[]> routeClaimsRequirement,
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Dictionary<string, string[]> routeClaimsRequirement,
IDictionary<string, string[]> routeClaimsRequirement,

@raman-m
Copy link
Member

raman-m commented Aug 30, 2024

@asrasya-kosha Please work on code review issues.
Also, we have to add at least one acceptance test.

@raman-m
Copy link
Member

raman-m commented Aug 30, 2024

@asrasya-kosha commented on Aug 20, 2024

The line ending changes are perhaps a GitHub issue?

The changes in line endings are not due to GitHub; rather, they are caused by your IDE. GitHub simply identifies the different line endings and highlights those lines.

because I don't see them in Rider when I do so side by side compare.

We have Visual Studio IDE settings for line endings here: .editorconfig#L19-L21 (common settings), *.{cs,vb} (C# CRLF ending). However, there is no settings file for Rider IDE.
The main issue is the .gitattributes file for Git, which means our settings do not override EOL and commits are made as-is (both CRLF for Windows and LF for Linux). Local/global Git settings may sometimes override EOL in this file.
Since you're using Rider IDE, ensure that your Git environment does not override EOL (a mixed mode is preferred).

@raman-m raman-m force-pushed the feature/multiple-values-in-routeclaims branch from 8204bbd to d2b9a2b Compare October 18, 2024 16:59
@raman-m raman-m added Autumn'24 Autumn 2024 release and removed Oct'24 October 2024 release labels Oct 26, 2024
@raman-m raman-m modified the milestones: October'24, Autumn'24 Oct 26, 2024
@asrasya-kosha @raman-m
Multiple values in static claims
a6eae47 
removed redundant tests
@raman-m raman-m force-pushed the feature/multiple-values-in-routeclaims branch from d2b9a2b to a6eae47 Compare November 2, 2024 15:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ggnaegi ggnaegi ggnaegi left review comments

@RaynaldM RaynaldM RaynaldM approved these changes

@raman-m raman-m Awaiting requested review from raman-m

Assignees

@asrasya-kosha asrasya-kosha

Labels
Authorization Ocelot feature: Authorization Autumn'24 Autumn 2024 release Configuration Ocelot feature: Configuration feature A new feature high High priority
Projects
None yet
Milestone
Autumn'24
Development

Successfully merging this pull request may close these issues.

Multiple values for single key in RouteClaimsRequirement
4 participants
@asrasya-kosha @raman-m @ggnaegi @RaynaldM