Restrict ACL association to the token accesses

Done

Description

The only way for someone to give access to another one, it's to have the 'auth.policy.#' access, wich will allow to update it's own policy or associate more access then allowed.

To avoid this scenario, wazo-auth should restrict accesses to the token used to create these accesses
It implies to cascade access from master-->admin-->user

ex:

master: #
admin: [confd.#, calld.#, phoned.# ....]
user: [<specific access>, ...]

Todo

handle negative access too
compare pattern against pattern (which are not currently supported)
migrate database to remove too permissive accesses

side note: the mechanic would be useful to create scoped refresh token too

Zendesk Ticket IDs

None

Linked work items

split to

WAZO-2530

wazo-auth: Cannot add a negative access to a policy

Activity

François Blackburn
June 25, 2021 at 7:44 PM

We will finally get rid of admin that add user/external_api with # access !!!!

Resize issue view side panel

Details

Priority

Medium

Assignee

François Blackburn

Reporter

François Blackburn

Approvers

Pascal Cadotte

Fix versions

21.09

Sprint