Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

GraphQL - Finish admin per domain support #3642

Merged
merged 9 commits into from
May 11, 2022
Merged

GraphQL - Finish admin per domain support #3642

merged 9 commits into from
May 11, 2022

Conversation

Premwoik
Copy link
Contributor

@Premwoik Premwoik commented May 5, 2022
edited
Loading

This PR addresses MIM-1644 and finishes the admin per domain support.

  • Secure storing of passwords (store salted hashes instead of plain passwords), see mongoose_scram:(de)serialize
  • Allow restricting fields to be executable only by global admin (not by domain admins).
  • Extend domain check for the domain-protected fields to support subdomains, JIDs, and input types.
  • Extend domain check for the domain-protected fields to support lists.
  • Decide and mark fields that should be domain protected or executable only by global admin.
  • Add other missing test cases.

Currently, the password storing method is not configurable, and it uses the SCRAM with default values.

Types of the permission check:

  • GLOBAL - only global admin can execute field;
  • DOMAIN - domain admin can execute field only with own domain;
  • DEFAULT - anyone authorized can execute.

@codecov
Copy link

codecov bot commented May 5, 2022
edited
Loading

Codecov Report

Merging #3642 (65faea9) into feature/graphql (a6a323b) will increase coverage by 0.04%.
The diff coverage is 95.00%.

@@                 Coverage Diff                 @@
##           feature/graphql    #3642      +/-   ##
===================================================
+ Coverage            81.76%   81.80%   +0.04%     
===================================================
  Files                  479      479              
  Lines                33348    33369      +21     
===================================================
+ Hits                 27266    27298      +32     
+ Misses                6082     6071      -11
Impacted Files Coverage Δ
src/domain/mongoose_domain_api.erl 98.41% <85.71%> (-1.59%) ⬇️
src/graphql/mongoose_graphql_permissions.erl 90.62% <95.00%> (+1.21%) ⬆️
src/domain/mongoose_domain_sql.erl 94.28% <100.00%> (+0.12%) ⬆️
src/graphql/mongoose_graphql_errors.erl 87.50% <100.00%> (+0.54%) ⬆️
src/mongoose_scram.erl 71.59% <100.00%> (+0.66%) ⬆️
src/elasticsearch/mongoose_elasticsearch.erl 76.92% <0.00%> (-7.70%) ⬇️
...rc/smart_markers/mod_smart_markers_rdbms_async.erl 85.18% <0.00%> (-3.71%) ⬇️
src/mam/mod_mam_elasticsearch_arch.erl 85.08% <0.00%> (-1.76%) ⬇️
src/pubsub/mod_pubsub.erl 72.88% <0.00%> (-0.07%) ⬇️
src/mod_muc_log.erl 63.21% <0.00%> (ø)
... and 6 more

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update a6a323b...65faea9. Read the comment docs.

@mongoose-im

This comment was marked as outdated.

Sign in to view
@mongoose-im

This comment was marked as outdated.

Sign in to view
@mongoose-im

This comment was marked as outdated.

Sign in to view
@mongoose-im

This comment was marked as outdated.

Sign in to view
Premwoik added 4 commits May 9, 2022 09:21
@Premwoik
Check domain permissions in for lists and support optional arguments
f2dc989
@Premwoik
Add global permissions check
d7cd136 
The fields marked with GLOBAL type protected directive can be accessed only by the global admin.
The domain admin is not permitted to execute such fields.
@Premwoik
Store domain admin password as a scram
9acc523 
The iteration count and sha types are default values.
@Premwoik
Mark admin fields to be DOMAIN protected or executable only by GLOBAL…
745c80a 
… admin
@Premwoik Premwoik force-pushed the graphql/support-admin-per-domain-cont branch from c531e4c to 745c80a Compare May 9, 2022 07:22
@mongoose-im

This comment was marked as outdated.

Sign in to view
@mongoose-im

This comment was marked as outdated.

Sign in to view
@Premwoik Premwoik marked this pull request as ready for review May 9, 2022 09:47
chrzaszcz
chrzaszcz reviewed May 9, 2022
View reviewed changes
Copy link
Member

@chrzaszcz chrzaszcz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It looks good in general, I added some comments, questions and suggestions.

priv/graphql/schemas/admin/muc.gql Show resolved Hide resolved
priv/graphql/schemas/admin/muc.gql Outdated Show resolved Hide resolved
priv/graphql/schemas/admin/muc.gql Outdated Show resolved Hide resolved
src/graphql/mongoose_graphql_permissions.erl Outdated Show resolved Hide resolved
src/graphql/mongoose_graphql_permissions.erl Outdated Show resolved Hide resolved
test/mongoose_graphql_SUITE.erl Outdated Show resolved Hide resolved
test/mongoose_graphql_SUITE.erl Outdated Show resolved Hide resolved
test/mongoose_graphql_SUITE.erl Outdated Show resolved Hide resolved
test/mongoose_graphql_SUITE.erl Outdated Show resolved Hide resolved
test/mongoose_graphql_SUITE_data/permissions_schema.gql Outdated Show resolved Hide resolved
Premwoik added 2 commits May 10, 2022 17:10
@Premwoik
Apply review - Fix domain admin protected fields
68b23a9
@Premwoik
Apply review - Make no_permission error more readable, Use domain API…
a630e1f 
… to check domain admin permissions to subdomain

Fix other minor things pointed out in the review.
@mongoose-im

This comment was marked as outdated.

Sign in to view
@mongoose-im
Copy link
Collaborator

mongoose-im commented May 10, 2022
edited
Loading

small_tests_24 / small_tests / 65faea9
Reports root / small

small_tests_23 / small_tests / 65faea9
Reports root / small

dynamic_domains_mysql_redis_24 / mysql_redis / 65faea9
Reports root/ big
OK: 3068 / Failed: 0 / User-skipped: 150 / Auto-skipped: 0

dynamic_domains_pgsql_mnesia_24 / pgsql_mnesia / 65faea9
Reports root/ big
OK: 3085 / Failed: 0 / User-skipped: 133 / Auto-skipped: 0

dynamic_domains_pgsql_mnesia_23 / pgsql_mnesia / 65faea9
Reports root/ big
OK: 3085 / Failed: 0 / User-skipped: 133 / Auto-skipped: 0

dynamic_domains_mssql_mnesia_24 / odbc_mssql_mnesia / 65faea9
Reports root/ big
OK: 3085 / Failed: 0 / User-skipped: 133 / Auto-skipped: 0

ldap_mnesia_23 / ldap_mnesia / 65faea9
Reports root/ big
OK: 1689 / Failed: 0 / User-skipped: 443 / Auto-skipped: 0

ldap_mnesia_24 / ldap_mnesia / 65faea9
Reports root/ big
OK: 1689 / Failed: 0 / User-skipped: 443 / Auto-skipped: 0

internal_mnesia_24 / internal_mnesia / 65faea9
Reports root/ big
OK: 1735 / Failed: 0 / User-skipped: 397 / Auto-skipped: 0

pgsql_mnesia_24 / pgsql_mnesia / 65faea9
Reports root/ big
OK: 3459 / Failed: 0 / User-skipped: 142 / Auto-skipped: 0

pgsql_mnesia_23 / pgsql_mnesia / 65faea9
Reports root/ big
OK: 3459 / Failed: 0 / User-skipped: 142 / Auto-skipped: 0

mysql_redis_24 / mysql_redis / 65faea9
Reports root/ big
OK: 3454 / Failed: 0 / User-skipped: 147 / Auto-skipped: 0

elasticsearch_and_cassandra_24 / elasticsearch_and_cassandra_mnesia / 65faea9
Reports root/ big
OK: 2049 / Failed: 0 / User-skipped: 398 / Auto-skipped: 0

mssql_mnesia_24 / odbc_mssql_mnesia / 65faea9
Reports root/ big
OK: 3459 / Failed: 0 / User-skipped: 142 / Auto-skipped: 0

riak_mnesia_24 / riak_mnesia / 65faea9
Reports root/ big
OK: 1896 / Failed: 0 / User-skipped: 393 / Auto-skipped: 0

@Premwoik Premwoik requested a review from chrzaszcz May 10, 2022 22:07
chrzaszcz
chrzaszcz approved these changes May 11, 2022
View reviewed changes
Copy link
Member

@chrzaszcz chrzaszcz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good 👍

@chrzaszcz chrzaszcz merged commit 6b21198 into feature/graphql May 11, 2022
@chrzaszcz chrzaszcz deleted the graphql/support-admin-per-domain-cont branch May 11, 2022 08:53
@chrzaszcz chrzaszcz added this to the 6.0.0 milestone Dec 12, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@chrzaszcz chrzaszcz chrzaszcz approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
6.0.0
Development

Successfully merging this pull request may close these issues.
3 participants
@Premwoik @mongoose-im @chrzaszcz