Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[ODS-3401] Cycles in claims taxonomy (security metadata for resource claims) causes requests to hang #993

Merged
merged 14 commits into from
Mar 8, 2024
Merged

[ODS-3401] Cycles in claims taxonomy (security metadata for resource claims) causes requests to hang #993

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
14 commits
Select commit Hold shift + click to select a range
9762658
Implement validation of resource claim lineage
mjaksn Mar 5, 2024
88ab693
Empty-commit
mjaksn Mar 5, 2024
2315f4b
Fix unit tests
mjaksn Mar 5, 2024
7ea64e0
Refactor implementation
mjaksn Mar 5, 2024
0b578c7
Cleanup
mjaksn Mar 5, 2024
8723099
Switch HashSet to List and improve error message detail
mjaksn Mar 5, 2024
813d2f8
Add unit test
mjaksn Mar 5, 2024
4ab3b19
Fix error message
mjaksn Mar 5, 2024
70f4abf
Fix recursion logic
mjaksn Mar 5, 2024
0beab6d
Use consistent arrows in error message
mjaksn Mar 6, 2024
644a964
Check error message content in unit test
mjaksn Mar 6, 2024
58a5237
Fix unit test
mjaksn Mar 7, 2024
9a4ad5d
Update Contains statement to use Resource Claim name
mjaksn Mar 8, 2024
ba1758f
Address changes
mjaksn Mar 8, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
25 changes: 15 additions & 10 deletions Application/EdFi.Security.DataAccess/Repositories/SecurityRepository.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,6 @@ public virtual AuthorizationStrategy GetAuthorizationStrategyByName(string autho

public virtual IList<ClaimSetResourceClaimAction> GetClaimsForClaimSet(string claimSetName)
{

return _securityTableGateway.GetClaimSetResourceClaimActions()
.Where(c => c.ClaimSet.ClaimSetName.Equals(claimSetName, StringComparison.OrdinalIgnoreCase))
.ToList();
Expand All @@ -54,10 +53,9 @@ public virtual IList<string> GetResourceClaimLineage(string resourceClaimUri)
.ToList();
}

private IEnumerable<ResourceClaim> GetResourceClaimLineageForResourceClaim(string resourceClaimUri)
private IEnumerable<ResourceClaim> GetResourceClaimLineageForResourceClaim(string resourceClaimUri, List<ResourceClaim> resourceClaimLineage = null)
{
var resourceClaimLineage = new List<ResourceClaim>();

resourceClaimLineage ??= new List<ResourceClaim>();
ResourceClaim resourceClaim;

try
Expand All @@ -72,14 +70,21 @@ private IEnumerable<ResourceClaim> GetResourceClaimLineageForResourceClaim(strin
throw new InvalidOperationException($"Multiple resource claims with a claim name of '{resourceClaimUri}' were found in the Ed-Fi API's security configuration. Authorization cannot be performed.", ex);
}

if (resourceClaim != null)
if (resourceClaim == null)
{
return resourceClaimLineage;
}

if (resourceClaimLineage.Any(rc => rc.ClaimName == resourceClaim.ClaimName))
{
resourceClaimLineage.Add(resourceClaim);
throw new InvalidOperationException($"A cycle was detected in the resource claim hierarchy of the security metadata: '{string.Join("' -> '", resourceClaimLineage.SkipWhile(rc => rc.ClaimName != resourceClaim.ClaimName).Select(rc => rc.ClaimName))}' -> '{resourceClaimUri}'");
}

resourceClaimLineage.Add(resourceClaim);

if (resourceClaim.ParentResourceClaim != null)
{
resourceClaimLineage.AddRange(GetResourceClaimLineageForResourceClaim(resourceClaim.ParentResourceClaim.ClaimName));
}
if (resourceClaim.ParentResourceClaim != null)
{
GetResourceClaimLineageForResourceClaim(resourceClaim.ParentResourceClaim.ClaimName, resourceClaimLineage);
}

return resourceClaimLineage;
Expand Down
21 changes: 21 additions & 0 deletions tests/EdFi.Security.DataAccess.UnitTests/Repositories/SecurityRepositoryTests.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
// The Ed-Fi Alliance licenses this file to you under the Apache License, Version 2.0.
// See the LICENSE and NOTICES files in the project root for more information.

using System;
using System.Linq;

namespace EdFi.Security.DataAccess.UnitTests.Repositories;
Expand Down Expand Up @@ -165,6 +166,26 @@ public void GetResourceClaimLineage_ShouldReturnEmptyListForInvalidResourceClaim
// Assert
lineage.ShouldBeEmpty();
}

[Test]
public void GetResourceClaimLineage_ThrowsException_WhenResourceClaimLineageContainsCycle()
{
// Arrange
var resourceClaimA = new ResourceClaim { ClaimName = "uri-A", ResourceClaimId = 1, ParentResourceClaim = null, ParentResourceClaimId = null};
var resourceClaimB = new ResourceClaim { ClaimName = "uri-B", ResourceClaimId = 2, ParentResourceClaim = resourceClaimA, ParentResourceClaimId = 1};
var resourceClaimC = new ResourceClaim { ClaimName = "uri-C", ResourceClaimId = 3, ParentResourceClaim = resourceClaimB, ParentResourceClaimId = 2};
var resourceClaimD = new ResourceClaim { ClaimName = "uri-D", ResourceClaimId = 4, ParentResourceClaim = resourceClaimC, ParentResourceClaimId = 3};

resourceClaimA.ParentResourceClaimId = resourceClaimC.ResourceClaimId;
resourceClaimA.ParentResourceClaim = resourceClaimC;

A.CallTo(() => _securityTableGateway.GetResourceClaims())
.Returns(new List<ResourceClaim> { resourceClaimA, resourceClaimB, resourceClaimC, resourceClaimD });

// Act & Assert
Should.Throw<InvalidOperationException>(() => _securityRepository.GetResourceClaimLineage("uri-D"))
.Message.ShouldBe("A cycle was detected in the resource claim hierarchy of the security metadata: 'uri-C' -> 'uri-B' -> 'uri-A' -> 'uri-C'");
}

[Test]
public void GetResourceClaimLineageMetadata_ShouldReturnMetadataForValidResourceClaimAndAction()
Expand Down
Loading