Versions Compared

Old Version 4

changes.mady.by.user Bruce Hoff

Saved on

compared with

New Version 5

changes.mady.by.user John Hill

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • A new AccessRequirement (AR) type that can be created/managed by ACT to define one or more Claims that the caller must have in order to download restricted data.

  • A new Action type that informs callers when a passport visa is required in order to download a file.

  • Extend the Synapse OIDC Authentication system:

    • Add new OAuthProviderBinding implementation to connect with each passport Broker that we wish to support.

    • Extend the Synapse generated access_tokens system to append passport claims provided by passport Brokers to the Synapse access_token.

  • Add a passport visa interceptor that will validate passport visas from the Synapse access token and forward the valid sub-set to the thread local. Extend UserManagerImpl.getUserInfo() to add visas from the thread local to resulting UserInfo object.

  • Extend the EntityAuthorizationManagerImpl to match AR visa conditions to the principal’s visas in the thread localthe UserInfo.

  • Extend AsynchJobStatusManagerImpl append visa from UserInfo to the Job’s status.

PassportACTManagedAccessRequirement

...

Note: Since the interceptor excludes invalid visas, the PassportVisa.json does not include or any field used for validation or signing such as; conditions, asserted, alg, exp, jit, iat…

In the next section we will cover how download authorization code can use the passport visas to make download decisions.

Download Authorization

The EntityAuthorizationManagerImpl is responsible for making all entity related authorization decisions, including file download. The following is the current download decision chain:

...

...

Currently, the service layer calls: UserManagerImpl.getUserInfo() to get an in-memory representation of the User (UserInfo). This UserInfo object is then forwarded to all of the lower code layers. Therefore, we propose extending the UserManager to gather the Vias from the thread local and add them to the resulting UserInfo object. This abstracts most of the code from the thread local data.

In the next section we will cover how download authorization code can use the passport visas to make download decisions.

Download Authorization

The EntityAuthorizationManagerImpl is responsible for making all entity related authorization decisions, including file download. The following is the current download decision chain:

Code Block
			DENY_IF_HAS_UNMET_ACCESS_RESTRICTIONSDOES_NOT_EXIST,
			DENY_IF_IN_TRASH,
			DENY_IF_TWO_FA_REQUIREMENT_NOT_MET,
			GRANT_IF_OPEN_DATA_WITH_READ,
			DENY_IF_ANONYMOUS,
			DENY_IF_HAS_NOT_ACCEPTED_TERMS_OF_USE,
			GRANT_IF_HAS_DOWNLOAD,
			DENY

Currently, line:4 DENY_IF_HAS_UNMET_ACCESS_RESTRICTIONS is based on managed AR where the principal must be approved by ACT. This typically involves, checking if the principal has been granted approval for all ARs that have the given file as a subject.

...

GRANT_IF_ADMIN,
			DENY_IF_HAS_UNMET_ACCESS_RESTRICTIONS,
			DENY_IF_TWO_FA_REQUIREMENT_NOT_MET,
			GRANT_IF_OPEN_DATA_WITH_READ,
			DENY_IF_ANONYMOUS,
			DENY_IF_HAS_NOT_ACCEPTED_TERMS_OF_USE,
			GRANT_IF_HAS_DOWNLOAD,
			DENY

Currently, line:4 DENY_IF_HAS_UNMET_ACCESS_RESTRICTIONS is based on managed AR where the principal must be approved by ACT. This typically involves, checking if the principal has been granted approval for all ARs that have the given file as a subject.

We will need to extend the unmet AR check to look for the new passport AR type. The conditions of each passport AR must then be matched against the principal’s passport visas contained in the UserInfo object passed to the manager. The AR would be treated as ‘met’ if all visas match, and ‘unmet’ if one or more do not match. Note: The visa condition matching system should be the same as the system used to validate visas with conditions in the interceptor layer.

Asynchronous Jobs

A caller can start an asynchronous to download files as a zip. For this case one or more of the files to be download might require one or more visas in order to be authorized to download. For such a case, machine that executes the job will not be the same as the machine that originated the request, so the thread local visa information will unavailable on to the worker’s thread.

Note: A user might use multiple access tokens to make API calls at the same time. For example, a user might uses one token to make edits to a Synapse project in the web UI. At the same time, they might be running a headless workflow to update data in a different project. We cannot assume that both access tokens will have the same passport visas. Passport visas cannot be treated as global data automatically applied to a user.

In order to maintain the stateless nature of passport visas, we propose copping visas from thread that starts an asynchronous job into the job’s status. Specifically, the AsynchJobStatusManagerImpl.startJob() method can copy visas from the provided UserInfo into the job’s status. We can then extend the AsyncJobRunnerAdapter to pull the visas from the job’s state, and add them to the UserInfo used at the the start of each asynchronous worker run. This would allow download authorization checks from within asynchronous workers to behave the same as synchronous calls.