
Commit 10ff726

Fix role assignment evaluation
1 parent 5a884b3 commit 10ff726


2 files changed

+11
-5
lines changed


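--- a/src/dotnet/AuthorizationEngine/Services/AuthorizationCore.cs
+++ b/src/dotnet/AuthorizationEngine/Services/AuthorizationCore.cs
@@ -356,6 +356,9 @@ private ResourcePathAuthorizationResult ProcessAuthorizationRequestForResourcePa
 SubordinateResourcePathsAuthorizationResults = []
 };
 
+var mustCheckOptionalRole = authorizationRequest.RoleName?.EndsWith('!') ?? false;
+var optionalRole = authorizationRequest.RoleName?.TrimEnd('!') ?? string.Empty;
+
 // Combine the principal id and security group ids into one list.
 var securityPrincipalIds = new List<string> { authorizationRequest.UserContext.SecurityPrincipalId };
 if (authorizationRequest.UserContext.SecurityGroupIds != null)
@@ -388,20 +391,22 @@ private ResourcePathAuthorizationResult ProcessAuthorizationRequestForResourcePa
 // Check if the actions of the role definition include the requested action.
 if (resourcePath.IncludesResourcePath(roleAssignment.ScopeResourcePath!))
 {
-if (roleAssignment.RoleDefinition!.Name == authorizationRequest.RoleName)
+if (roleAssignment.RoleDefinition!.Name == optionalRole)
 result.HasRequiredRole = true;
 
 if (roleAssignment.AllowedActions.Contains(authorizationRequest.Action))
 {
 result.Authorized = true;
 
-// If we are not asked to include roles or actions and not asked to expand resource paths,
+// If we are not asked to include roles or actions, not asked to expand resource paths,
+// and checking the assignment of the optional role is not mandatory,
 // we can return immediately (this is the most common case).
 // Otherwise, we need to go through the entire list of security principals and their role assignments,
-// to include collect all the roles/actions and/or all the subordinate authorized resource paths.
+// to include all the roles/actions and/or all the subordinate authorized resource paths.
 if (!authorizationRequest.IncludeRoles
 && !authorizationRequest.IncludeActions
-&& !authorizationRequest.ExpandResourceTypePaths)
+&& !authorizationRequest.ExpandResourceTypePaths
+&& !mustCheckOptionalRole)
 return result;
 
 allSecurableActions.UnionWith(roleAssignment.AllowedActions);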
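Review bot: The `?? string.Empty` fallback on the new `optionalRole` line changes what happens when `authorizationRequest.RoleName` is null: the old comparison `Name == authorizationRequest.RoleName` could never match a non-null definition name, whereas `Name == optionalRole` now sets `HasRequiredRole` for any role definition whose `Name` is the empty string. Keeping the null, `var optionalRole = authorizationRequest.RoleName?.TrimEnd('!');`, and guarding the comparison, `if (optionalRole is not null && roleAssignment.RoleDefinition!.Name == optionalRole)`, preserves the previous semantics for requests that carry no role requirement. Note also that `TrimEnd('!')` strips any number of trailing `!` while `EndsWith('!')` detects only one; harmless, but worth a one-line comment so nobody "fixes" one side without the other. Within the hunk `mustCheckOptionalRole` only suppresses the early return; whether `Authorized` is later combined with `HasRequiredRole` when the role is mandatory is decided outside this hunk, and `ProcessAuthorizationRequestForResourcePath` both starts and ends outside it.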

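--- a/src/dotnet/Common/Constants/ResourceProviders/AgentResourceProviderMetadata.cs
+++ b/src/dotnet/Common/Constants/ResourceProviders/AgentResourceProviderMetadata.cs
@@ -62,7 +62,8 @@ public static class AgentResourceProviderMetadata
 {
 AllowedTypes = [
 new ResourceTypeAllowedTypes(HttpMethod.Get.Method, AuthorizableOperations.Read, [], [], [typeof(ResourceProviderGetResult<AgentAccessToken>)]),
-new ResourceTypeAllowedTypes(HttpMethod.Post.Method, $"{AuthorizableOperations.Write}|{RoleDefinitionNames.Agent_Access_Tokens_Contributor}", [], [typeof(AgentAccessToken)], [typeof(ResourceProviderUpsertResult)]),
+// The ! in the authorization requirements string indicates that role assignment evaluation is mandatory.
+new ResourceTypeAllowedTypes(HttpMethod.Post.Method, $"{AuthorizableOperations.Write}|{RoleDefinitionNames.Agent_Access_Tokens_Contributor}!", [], [typeof(AgentAccessToken)], [typeof(ResourceProviderUpsertResult)]),
 new ResourceTypeAllowedTypes(HttpMethod.Delete.Method, AuthorizableOperations.Delete, [], [], [])
 ],
 Actions = [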
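Review bot: The trailing `!` appended to the POST requirement string is an in-band marker whose meaning lives in a different file, and the new comment does not say where it is interpreted, so a later edit to either side can silently turn a mandatory role check back into an optional one. Suggest widening the comment to name the consumer: `// The trailing ! marks role assignment evaluation as mandatory; it is parsed in AuthorizationCore.ProcessAuthorizationRequestForResourcePath (RoleName.EndsWith('!')).` The marker sits on the role-name segment after the `|` separator, so presumably the requirements string is split on `|` before the `!` is examined; that split is not visible in this commit and should be confirmed. A named constant for the marker shared by both files would remove the duplicated literal.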
