Merge pull request #341 from TeskaLabs/feature/remove-seacat-access

Deprecate "seacat:access" resource ID

Author: byewokko

CHANGELOG.md

@@ -1,8 +1,20 @@
 # CHANGELOG
 
+## v24.06
+
+### Pre-releases
+- `v24.06-alpha1`
+
+### Features
+- Deprecate "seacat:access" resource ID (#341, `v24.06-alpha1`)
+
+---
+
+
 ## v23.47
 
 ### Pre-releases
+- `v23.47-beta2`
 - `v23.47-alpha7`
 - `v23.47-alpha6`
 - `v23.47-beta`

docs/access/resources.md

@@ -49,4 +49,3 @@ The following resources are automatically available in an installation of SeaCat
 * `seacat:session:access`: List sessions and view session details.
 * `seacat:credentials:edit`: Edit and suspend credentials.
 * `seacat:credentials:access`: List credentials and view credentials details.
-* `seacat:access`: Access to Seacat Admin API and UI.

docs/installation/provisioning.md

@@ -51,10 +51,8 @@ In the WebUI you will see that a provisioning tenant and a provisioning role hav
 ## Setting up the environment
 
 - **Create a tenant.** Any user must have at least one tenant assigned to them to be allowed into SeaCat WebUI.
-- **Create a superuser role.** To be able to execute some administrative commands it is necessary to have a superuser role assigned. This role must be created as **global**. After creating it, open the role detail and add the `authz:superuser` resource into the role. It is advisable to have at least one user with superuser rights.
-- `OPTIONAL` **Create a seacat-user role.** If you are using resource-based authorization in SeaCat WebUI or API, it is useful to have a role that allows its bearer to access the SeaCat WebUI but doesn't grant them superuser administrative rights. Create a role and assign the `seacat:access` resource to it.
 - **Create a user account.** The password will be sent via email or SMS, depending on what contact info you fill in. **Make sure that your SMTP or SMS provider is set up properly in SeaCat Auth config.**
-- Open the user detail and **assign the tenant and the role** that you created earlier.
+- Open the user detail and **assign the tenant** that you created earlier and the **`*/superuser` role**.
 - You can now log out of the provisioning superuser session.
 - Check if you have received the reset password link for your new credentials. Proceed to reset the password and then log in!
 

docs/reference/resources.md

@@ -33,8 +33,6 @@ title: Resources
 
 ## SeaCat Auth admin resources
 
-### `seacat:access`
-
 ### `authz:superuser`
 
 ### `authz:tenant:access`

seacatauth/__init__.py

@@ -71,10 +71,6 @@
 		# Specifies if non-public endpoints require authentication
 		"require_authentication": "yes",
 
-		# Specifies resource required for API access
-		# If set to "DISABLED", no authorization is required
-		"authorization_resource": "seacat:access",
-
 		# DEV ONLY!
 		# Allow authentication via access token
 		# This imposes the risk of the access token being misused by 3rd party app (user impersonation)

seacatauth/authz/resource/service.py

@@ -22,9 +22,6 @@ class ResourceService(asab.Service):
 
 	# TODO: gather these system resources automatically
 	_BuiltinResources = {
-		"seacat:access": {
-			"description": "Access to Seacat Admin API and UI.",
-		},
 		"authz:superuser": {
 			"description": "Grants superuser access, including the access to all tenants.",
 		},

seacatauth/middleware.py

@@ -28,7 +28,6 @@ async def app_middleware(request, handler):
 def private_auth_middleware_factory(app):
 	oidc_service = app.get_service("seacatauth.OpenIdConnectService")
 	require_authentication = asab.Config.getboolean("seacat:api", "require_authentication")
-	api_resource_id = asab.Config.get("seacat:api", "authorization_resource")
 	_allow_access_token_auth = asab.Config.getboolean("seacat:api", "_allow_access_token_auth")
 	asab_api_required_bearer_token = asab.Config.get("asab:api:auth", "bearer", fallback=None)
 
@@ -83,22 +82,7 @@ def has_resource_access(tenant: str, resource: str) -> bool:
 
 		# All API endpoints are considered non-public and have to pass authn/authz
 		if request.Session is not None and request.Session.Authorization.Authz is not None:
-			if api_resource_id == "DISABLED":
-				return await handler(request)
-			# Resource authorization is required: scan ALL THE RESOURCES
-			#   for `authorization_resource` or "authz:superuser"
-			authorized_resources = set(
-				resource
-				for resources in request.Session.Authorization.Authz.values()
-				for resource in resources
-			)
-			# Check the session is authorized to access Seacat API
-			if "authz:superuser" in authorized_resources or api_resource_id in authorized_resources:
-				return await handler(request)
-			else:
-				L.log(asab.LOG_NOTICE, "Not authorized to access Seacat API", struct_data={
-					"resource_id": api_resource_id})
-				return aiohttp.web.HTTPForbidden()
+			return await handler(request)
 
 		# ASAB API can be protected with a pre-configured bearer token
 		if (request.path.startswith("/asab/v1") or request.path in ("/doc", "/oauth2-redirect.html")) \