New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
#913 #1066 ScopesAuthorizer refactoring #1478
base: release/24.0
Are you sure you want to change the base?
Conversation
The build is broken, it fails on irrelevant part from this PR. #1436 fixes is I think. |
This is still an issue. Adding my 👍 to get this small and valuable PR merged. |
Please do the following:
|
Mehmet, Unfortunately the last build is failed: 5 acceptance tests have failed! Why is your PR code so unstable? |
I haven't found out the reason why the tests failed with a quick look. I couldn't figure out the tests structure. When I have time I'll look into it. |
@mehyaa Could you add me as collaborator to your forked repo please? I will fix develop branch because now it has the diff, but both develop branches should be identical. |
@raman-m I've fixed the tests. Failing tests were written for the bug that requires one of allowed scopes. I've changed the claims and allowed scopes on tests so they can test the correct conditions. For adding new tests to test |
@raman-m I've added you as collaborator on my fork, you can fix the diff or guide me to how-to. |
Interestingly some irrelevant tests fail irregularly. |
Thanks for fixing of failed tests!
No, at least one new test should cover claims logic having them multiple in the related config property. Come on! We've changed the logic from single Scope to multiple ones! And it is definitely right time to cover these changes. I have idea: let's write tests for each linked issue:
Sounds good? |
Thanks for adding me as collaborator! |
Don't worry! This is unstable scenario: Ocelot.AcceptanceTests.ConfigurationReloadTests.should_reload_config_on_change |
@mehyaa |
Possible dependency
|
The branch has been rebased onto release/24.0 with top commit 59b63ea ! |
@mehyaa Mehmet, Development is required❕ |
Scopes can be a space separated list in a single claim. Include this possibility on allowed scopes check.
Failed acceptance test: |
var matchesScopes = routeAllowedScopes.Intersect(userScopes); | ||
|
||
if (!matchesScopes.Any()) | ||
if (routeAllowedScopes.Any(s => !userScopes.Contains(s))) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Denial is more costly:
To make scope checking more efficient and less costly, a good practice is to invert the condition.
You can also use a method that minimizes the number of iterations required in the collections, making sure that all required scopes are present in the user scopes.
if (routeAllowedScopes.TrueForAll(userScopes.Contains))
{
return new OkResponse<bool>(true);
}
return new ErrorResponse<bool>(
new ScopeNotAuthorizedError($"User scopes: '{string.Join(",", userScopes)}' do not have all allowed scopes: '{string.Join(",", routeAllowedScopes)}'"));
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Right! Thanks!
It makes sense to invert the condition.
Fixes #913 #1066
Scopes can be a space separated list in a single claim. Include this possibility on allowed scopes check.
Proposed Changes