
[Migration] Add a fine grained permission for CORS Config Management APIs

Open · AnuradhaSK opened this issue 2 years ago · 1 comment

Describe the issue: In order for the CORS management REST APIs to function in IS-5.11.0, a user requires at least the /permission/admin/manage permission, due to the following issue.

  • The permission populated in the permission tree: /permission/admin/manage/cors/origin/view
    https://github.com/wso2/carbon-identity-framework/blame/master/components/cors-mgt/org.wso2.carbon.identity.cors.mgt.core/src/main/resources/META-INF/component.xml#L19-L31

  • But the permission required for API access control: /permission/admin/manage/identity/cors/origins/view
    https://github.com/wso2/carbon-identity-framework/blob/6c3c2f6b57d736ab393af0aa9dd17b1c142807cf/features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/identity.xml.j2#L2534-L2541

  • The internal_cors_origins_view scope-permission mapping uses the /permission/admin/manage/identity/cors/origins/view permission
    https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/4b75ae155a144a90796fffdcbe9d181d4a141a86/features/org.wso2.carbon.identity.oauth.server.feature/resources/oauth-scope-bindings.xml#L884-L887

Non-working cases due to the issue mentioned above:

  1. In order to view the application management panel of the console, a user needs to have at least the following scope-related permissions: https://github.com/wso2/carbon-identity-framework/blob/2327dd5f32d9627bbd16dd8b0b03a5b07a185c8a/features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/org.wso2.carbon.identity.core.server.feature.default.json#L686-L693 Since the CORS config API-related permission string in the permission tree doesn't map to the permission used in the OAuth scope binding, the scope is not returned correctly.
  2. A user who has only the CORS permission assigned through the permission tree will not be able to access the CORS REST APIs.

So, in order for the CORS config APIs to function, the user should at least have the /permission/admin/manage permission.

With the change https://github.com/wso2/carbon-identity-framework/pull/4124, we are correcting the permissions added to the permission tree.

It is required to mention this configuration change in the 5.12.0 migration docs. Now the fine-grained permission is enough to access the CORS config APIs.

AnuradhaSK avatar Jul 17 '22 21:07 AnuradhaSK
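The mismatch described in the issue can be caught mechanically: a scope binding that names a permission string absent from the permission tree is only satisfiable by an ancestor node (here /permission/admin/manage), which is exactly the over-privilege the reporter observed. The following is an added example, not code from the issue or from the WSO2 projects; the two XML fragments are constructed samples that only approximate the shape of a component.xml permission block and of an oauth-scope-bindings.xml entry, and the base tree nodes are assumed.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Set

# Constructed sample approximating a component.xml permission block (before the fix).
COMPONENT_XML_BEFORE = """<component xmlns="http://products.wso2.org/carbon">
  <ManagementPermissions>
    <ManagementPermission>
      <DisplayName>View CORS origins</DisplayName>
      <ResourceId>/permission/admin/manage/cors/origin/view</ResourceId>
    </ManagementPermission>
  </ManagementPermissions>
</component>"""

# Same sample with the ResourceId aligned to the string the scope binding uses (after the fix).
COMPONENT_XML_AFTER = COMPONENT_XML_BEFORE.replace(
    "/permission/admin/manage/cors/origin/view",
    "/permission/admin/manage/identity/cors/origins/view",
)

# Constructed sample approximating an oauth-scope-bindings.xml entry.
SCOPE_BINDINGS_XML = """<Scopes>
  <Scope id="internal_cors_origins_view">
    <DisplayName>View CORS origins</DisplayName>
    <Bindings>
      <Binding type="PERMISSION">/permission/admin/manage/identity/cors/origins/view</Binding>
    </Bindings>
  </Scope>
</Scopes>"""

# Assumed: nodes that always exist in the tree, independent of any component.
BASE_TREE_NODES = {"/permission", "/permission/admin", "/permission/admin/manage"}


def _local(tag: str) -> str:
    """Strip a '{namespace}' prefix from an element tag."""
    return tag.rsplit("}", 1)[-1]


def tree_permissions(component_xml: str) -> Set[str]:
    """Collect every <ResourceId> string a component registers in the permission tree."""
    root = ET.fromstring(component_xml)
    return {el.text.strip() for el in root.iter() if _local(el.tag) == "ResourceId" and el.text}


def scope_bindings(bindings_xml: str) -> Dict[str, Set[str]]:
    """Map each scope id to the PERMISSION-type binding strings it requires."""
    root = ET.fromstring(bindings_xml)
    result: Dict[str, Set[str]] = {}
    for scope in root.iter():
        if _local(scope.tag) != "Scope":
            continue
        result[scope.get("id", "")] = {
            b.text.strip()
            for b in scope.iter()
            if _local(b.tag) == "Binding" and b.get("type") == "PERMISSION" and b.text
        }
    return result


def nearest_granting_node(permission: str, tree: Set[str]) -> Optional[str]:
    """Walk up the permission path to the closest node that exists in the tree.

    If the exact string is present the fine-grained permission suffices; otherwise
    only an ancestor (a much broader grant) can satisfy the binding.
    """
    node = permission
    while node:
        if node in tree:
            return node
        node = node.rsplit("/", 1)[0]
    return None


def audit(component_xml: str, bindings_xml: str) -> Dict[str, Dict[str, Optional[str]]]:
    """For every scope binding, report which tree node a user must hold to satisfy it."""
    tree = BASE_TREE_NODES | tree_permissions(component_xml)
    return {
        scope: {perm: nearest_granting_node(perm, tree) for perm in perms}
        for scope, perms in scope_bindings(bindings_xml).items()
    }


def over_privileged_bindings(component_xml: str, bindings_xml: str) -> Set[str]:
    """Bindings whose permission is missing from the tree and so fall back to an ancestor."""
    return {
        perm
        for perms in audit(component_xml, bindings_xml).values()
        for perm, node in perms.items()
        if node != perm
    }


if __name__ == "__main__":
    for label, xml in (("before", COMPONENT_XML_BEFORE), ("after", COMPONENT_XML_AFTER)):
        print(label, audit(xml, SCOPE_BINDINGS_XML))
```

Run against the "before" sample the audit resolves the CORS binding to /permission/admin/manage, which is the broad grant the issue reports as required; against the "after" sample it resolves to the fine-grained string itself. The same check can be pointed at a deployment's real component.xml and scope-binding files to confirm a migration left no scope depending on an ancestor grant.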

https://github.com/wso2/carbon-identity-framework/pull/4124 is merged. But keeping the issue open for the migration.

madurangasiriwardena avatar Jul 18 '22 05:07 madurangasiriwardena

Addressed in https://github.com/wso2/docs-is/pull/3232

ashendes avatar Aug 16 '22 13:08 ashendes