Fix #8323: GenerateToken can overwrite any relations that user may have (#9091)

Co-authored-by: Mohit Yadav <105265192+mohityadav766@users.noreply.github.com>
Sriharsha Chintalapani 2022-12-01 01:51:32 -08:00 committed by GitHub
parent 0050243479
commit db91a2e1d5
2 changed files with 7 additions and 3 deletions


@ -567,7 +567,7 @@ public class UserResource extends EntityResource<User, UserRepository> {
@Valid GenerateTokenRequest generateTokenRequest) @Valid GenerateTokenRequest generateTokenRequest)
throws IOException { throws IOException {
authorizer.authorizeAdmin(securityContext); authorizer.authorizeAdmin(securityContext);
User user = dao.get(uriInfo, id, Fields.EMPTY_FIELDS); User user = dao.get(uriInfo, id, dao.getFieldsWithUserAuth("*"));
JWTAuthMechanism jwtAuthMechanism = JWTAuthMechanism jwtAuthMechanism =
jwtTokenGenerator.generateJWTToken(user, generateTokenRequest.getJWTTokenExpiry()); jwtTokenGenerator.generateJWTToken(user, generateTokenRequest.getJWTTokenExpiry());
AuthenticationMechanism authenticationMechanism = AuthenticationMechanism authenticationMechanism =
@ -598,7 +598,7 @@ public class UserResource extends EntityResource<User, UserRepository> {
@Context UriInfo uriInfo, @Context SecurityContext securityContext, @Valid RevokeTokenRequest revokeTokenRequest) @Context UriInfo uriInfo, @Context SecurityContext securityContext, @Valid RevokeTokenRequest revokeTokenRequest)
throws IOException { throws IOException {
authorizer.authorizeAdmin(securityContext); authorizer.authorizeAdmin(securityContext);
User user = dao.get(uriInfo, revokeTokenRequest.getId(), Fields.EMPTY_FIELDS); User user = dao.get(uriInfo, revokeTokenRequest.getId(), dao.getFieldsWithUserAuth("*"));
if (!user.getIsBot()) { if (!user.getIsBot()) {
throw new IllegalStateException(CatalogExceptionMessage.invalidBotUser()); throw new IllegalStateException(CatalogExceptionMessage.invalidBotUser());
} }
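Review bot: The reason for fetching the user with `dao.getFieldsWithUserAuth("*")` instead of `Fields.EMPTY_FIELDS` is not recorded in the code, and that one argument is the whole fix: a later reader who narrows the field list back to save a query would silently reintroduce the relation loss the commit title describes. Add a comment above the `dao.get` call in `generateToken`, e.g. `// Load every field/relation: the update that follows writes the whole entity back, so a partial read would drop the user's roles and other relations`, and the same above the `dao.get` in `revokeToken` in the second hunk. The write-back itself is outside this hunk (`generateToken` continues past `AuthenticationMechanism authenticationMechanism =`), so whether it still replaces all relations is inferred from the fix rather than visible here; if it does, any other caller that reads with `Fields.EMPTY_FIELDS` before updating is exposed to the same loss, and a repository-level guard that refuses to persist relation fields that were never loaded would be more robust than relying on each caller to pass `"*"`.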


@ -693,15 +693,19 @@ public class UserResourceTest extends EntityResourceTest<User, CreateUser> {
CreateUser create = CreateUser create =
createBotUserRequest("ingestion-bot-jwt") createBotUserRequest("ingestion-bot-jwt")
.withEmail("ingestion-bot-jwt@email.com") .withEmail("ingestion-bot-jwt@email.com")
.withRoles(List.of(ROLE1_REF.getId()))
.withAuthenticationMechanism(authMechanism); .withAuthenticationMechanism(authMechanism);
User user = createEntity(create, authHeaders("ingestion-bot-jwt@email.com")); User user = createEntity(create, authHeaders("ingestion-bot-jwt@email.com"));
user = getEntity(user.getId(), "*", ADMIN_AUTH_HEADERS);
assertEquals(user.getRoles().size(), 1);
TestUtils.put( TestUtils.put(
getResource(String.format("users/generateToken/%s", user.getId())), getResource(String.format("users/generateToken/%s", user.getId())),
new GenerateTokenRequest().withJWTTokenExpiry(JWTTokenExpiry.Seven), new GenerateTokenRequest().withJWTTokenExpiry(JWTTokenExpiry.Seven),
OK, OK,
ADMIN_AUTH_HEADERS); ADMIN_AUTH_HEADERS);
user = getEntity(user.getId(), ADMIN_AUTH_HEADERS); user = getEntity(user.getId(), "*", ADMIN_AUTH_HEADERS);
assertNull(user.getAuthenticationMechanism()); assertNull(user.getAuthenticationMechanism());
assertEquals(user.getRoles().size(), 1);
JWTAuthMechanism jwtAuthMechanism = JWTAuthMechanism jwtAuthMechanism =
TestUtils.get( TestUtils.get(
getResource(String.format("users/token/%s", user.getId())), JWTAuthMechanism.class, ADMIN_AUTH_HEADERS); getResource(String.format("users/token/%s", user.getId())), JWTAuthMechanism.class, ADMIN_AUTH_HEADERS);
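Review bot: The two new assertions `assertEquals(user.getRoles().size(), 1)` place the actual value in the expected slot; JUnit's `assertEquals(expected, actual)` reports the arguments in that order, so a failure message would show the two values swapped. Write them as `assertEquals(1, user.getRoles().size());` in both places. The regression check also pins only the roles relation after the generateToken call; `revokeToken` received the same fix in this commit and is not exercised as far as this hunk shows, so a matching fetch with `"*"` and roles assertion after the revoke call would cover that side too (the test method continues past the hunk, so such a check may already exist further down).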