iris-web icon indicating copy to clipboard operation
iris-web copied to clipboard
verified publisher icon dfir-iris

[WIP] Access Control Enhancements

Open lowlandghost opened this issue 1 year ago • 0 comments

Revisiting my previous #518 PR and getting up to date with the latest of IRIS changes, continuing to work on the access control enhancements. This is heavily work in progress still. Feedback and input welcome. :)

I am going to overhaul the current access control, breaking down access to be per-action, per-resource kind and per-resource ID. Defining resources will be done in source/app/blueprints/authorization/resources.toml. I plan to support assignment to users, groups, and by case, similar to the current permissions setup. I am going to start implementing these changes with the V2 API and then slowly work backwards to the older and older routes.

# Example resource definition:
[case]
actions = ["create", "read", "update", "delete"]
description = "View and manage an individual Case"

Resources will have their primary kind with any additional classifiers added as dot-notated to the end of the name, such as [case.some_sub_classification] to restrict the scope.

Currently supported actions are:

  • create
  • read
  • update
  • delete

Permissions will be interacted with in code as an object, stored in the database as a delimited string.

To Do List

  • [x] Create resources.toml file
    • [x] Create JSON schema for resources.toml for validation & intellisense
  • [ ] Write method for parsing a permission string
    • [ ] Validate against resources.toml
  • [ ] Write method for creating a permission string
  • [ ] Write decorator @Authorization.required(resource, action) for checking access
    • [ ] Handling by resource ID
  • [x] Create Unauthorized exception
    • Add handler to blueprint(s)
      • [x] API V2
      • [ ] API V1
      • [ ] Non-API endpoints
  • [ ] Adding new field(s) for storing permissions in DB
    • [ ] User model
    • [ ] Group model
    • [ ] Case model
  • [ ] Updating endpoints for permission assignment
  • [ ] Migration for current permissions to the new permissions
  • 📚 Types
    • [ ] Resource kinds
    • [ ] Action types
  • 🔬 Tests
    • [ ] Test permission parsing & dumping
    • [ ] Test permission check validation and handling
    • [ ] Test creating, updating permission grants for
      • [ ] User model
      • [ ] Group model
      • [ ] Case model

Other Enhancements

  • Moving API V2 to use blueprint inheritance, so we aren't defining the entire API path in each individual route and can more cleanly import entire routes.
  • Moving API V2 to add exception handling for Unauthorized and BusinessProcessingError. Additional handlers will be created for other exceptions as I continue to learn the codebase better.
  • Best of my ability, will try to add tests to things I touch.

lowlandghost avatar Nov 30 '24 18:11 lowlandghost