feat(authz): owner-scoped authorizer with per-row visibility#360
Merged
`authz.Resource` gains `Owner` and an optional `Scoper` interface for row-level read filtering. New `OwnerScoped` implementation: catalog rows (system/provider/host owners) stay readable by everyone and mutable by admins only; user-owned rows are visible and mutable only to their owner (or admin); mutations without owner context fail closed.

Wiring:

- CRUD factory: lists filter through `Scoper.Visible` before pagination (`Total` reflects the scoped set); get/update/delete return 404 for rows the caller may not see; create authorizes after owner stamping.
- Cross-entity refs: relay-key `spec.policyId` and policy `spec.hostKeyIds` must reference rows visible to the caller.
- Rotate, policy attach/detach, host-key health, and references get the same treatment; reload, master-key, settings, usage, logs, and debug endpoints authorize explicitly.
- `mutationGuard` now receives `ctx`.

Selected via `RELAY_MULTI_USER=on` in the composition root; the default remains `AlwaysAllowAuthenticated` (which does not implement `Scoper`), so existing single-user deployments behave identically.
Adds an opt-in owner-scoped authorizer behind the existing `authz.Authorizer` seam. `authz.Resource` gains `Owner`; new optional `Scoper` interface for row-level read filtering. `OwnerScoped` implementation: catalog rows (system/provider/host owners) readable by everyone, mutable by admins; user-owned rows visible/mutable only to their owner or an admin; mutations without owner context fail closed.

- Lists filter through `Scoper.Visible` before pagination (`total` reflects the scoped set); get/update/delete return 404 for rows the caller may not see; create authorizes after owner stamping.
- Relay-key `spec.policyId` and policy `spec.hostKeyIds` must reference rows visible to the caller.
- Selected via `RELAY_MULTI_USER=on`; the default remains `AlwaysAllowAuthenticated` (which does not implement `Scoper`), so existing deployments behave identically — covered by a regression test.

Tested: unit matrix over the ownership policy, httptest harness over the CRUD factory with both authorizers, full suite + lint-rules + test-integration.