security-setup #3

Merged
christoph.lienhard merged 0 commits from refs/pull/3/head into develop 2020-05-31 15:31:10 +02:00
christoph.lienhard commented 2020-05-30 12:39:16 +02:00 (Migrated from git.verdigado.com)

Introduce basic security.

There are four roles:

* Editor
* Candidate
* User
* Anonym

Their respective permissions are summarized in [security considerations](src/branch/security-setup/backend/security_considerations.md).

The setup basically follows these guides:

* https://www.graphile.org/postgraphile/postgresql-schema-design/#authentication-and-authorization
* https://www.graphile.org/postgraphile/security/
### How to test

There are a lot of possibilities that should be tested. They all revolve around acting like one of the four roles and trying to do things (however, in the current state, there is not much difference between User and Anonym except for the possibility to log in).

#### Pose as a member of one of the roles

To pose as one of the three roles, use the GraphiQL interface and authenticate as

* `erika@musterman.de` (editor)
* `max@mustermann.de` (candidate)
* `happy@user.de` (normal user)

The password is always "password".

Use the following GraphQL query:

```graphql
# Login mutation for the email/password variables below. The operation name is
# assumed from the linked Graphile schema-design guide; the response carries the jwtToken.
mutation Authenticate($email: String!, $password: String!) {
  authenticate(input: {email: $email, password: $password}) {
    jwtToken
  }
}
```

Variables:

```json
{
  "email": "max@mustermann.de",
  "password": "password"
}
```

The jwtToken in the response has to be added to the headers in the following way:

```json
{
  "Authorization": "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoiY2FuZHltYXRfY2FuZGlkYXRlIiwicGVyc29uX2lkIjoyLCJleHAiOjE1OTEwNDgzMzgsImlhdCI6MTU5MDg3NTUzNywiYXVkIjoicG9zdGdyYXBoaWxlIiwiaXNzIjoicG9zdGdyYXBoaWxlIn0.21Lu51_suJ5O2RU-UKN2Y6fvKw4SYe-oqx_QqlU0-GE"
}
```

#### Penetrate the security setup

##### Creating questions

Should only be possible as "editor". Use the following mutation:

```graphql
mutation CreateQuestion($text: String!) {
  createQuestion(input: {question: {text: $text}}) {
    question {
      text
      id
    }
  }
}
```

with the variables

```json
{
  "text": "Die Antwort auf die Frage nach dem Leben, dem Universum und dem ganzen Rest?"
}
```

##### Creating categories

Should only be possible as "editor".

Mutation:

```graphql
mutation CreateCategory($title: String!) {
  createCategory(input: {category: {title: $title}}) {
    category {
      title
      id
    }
  }
}
```

Variables:

```json
{
  "title": "Verkehr"
}
```

##### Creating answers

Should only be possible as "candidate". Also the `personId` needs to be `2` (the id of Max Mustermann). It should be impossible for a candidate to pose as a different candidate when answering a question.

Mutation:

```graphql
mutation CreateAnswer($position: Int!, $questionId: Int!, $personId: Int!) {
  createAnswer(input: {answer: {position: $position, questionId: $questionId, personId: $personId}}) {
    answer {
      position
    }
  }
}
```

Variables:

```json
{
  "questionId": 1,
  "personId": 2,
  "position": 2
}
```

Also change the `personId` to see that the candidate can only answer for themselves.

##### Updating, Deleting

In principle they should be tested, too. However, for a manual test the creation should be enough for now since the security configurations in postgres are always done for insert, update and delete together.
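The manual plan above can be driven from a script. The harness below is an added example, not code from the kandimat project or from this PR: it decodes the claims of the JWT shown above (the `role` and `person_id` that PostGraphile hands to Postgres as `jwt.claims.role` / `jwt.claims.person_id`), runs each mutation of the plan as every role including anonymous, and compares the outcome with the access matrix the description states. The endpoint URL and the name of the login mutation (taken from the linked Graphile schema-design guide) are assumptions; a denied write is recognised by the standard Postgres messages `permission denied for table ...` and `new row violates row-level security policy ...`.

```python
"""Harness for the manual role tests in this PR. Added example, not project code.
Assumed (not in the PR): the endpoint URL and the name of the login mutation."""
import base64
import json
import urllib.request

GRAPHQL_URL = "http://localhost:5000/graphql"  # assumed local PostGraphile endpoint

# Test accounts from the PR; the password is always "password".
ACCOUNTS = {"editor": "erika@musterman.de", "candidate": "max@mustermann.de", "user": "happy@user.de"}
ROLES = ("editor", "candidate", "user", "anonymous")

# Login mutation shaped after the linked Graphile guide (operation name assumed).
AUTHENTICATE = """mutation Authenticate($email: String!, $password: String!) {
  authenticate(input: {email: $email, password: $password}) { jwtToken }
}"""

# The mutations of the test plan with their variables; personId 2 is Max Mustermann.
CREATE_ANSWER = """mutation CreateAnswer($position: Int!, $questionId: Int!, $personId: Int!) {
  createAnswer(input: {answer: {position: $position, questionId: $questionId, personId: $personId}}) {
    answer { position }
  }
}"""
OPERATIONS = {
    "createQuestion": ("""mutation CreateQuestion($text: String!) {
  createQuestion(input: {question: {text: $text}}) { question { text id } }
}""", {"text": "Die Antwort auf die Frage nach dem Leben, dem Universum und dem ganzen Rest?"}),
    "createCategory": ("""mutation CreateCategory($title: String!) {
  createCategory(input: {category: {title: $title}}) { category { title id } }
}""", {"title": "Verkehr"}),
    "createAnswer": (CREATE_ANSWER, {"questionId": 1, "personId": 2, "position": 2}),
    # Same mutation but posing as another person: must fail even for the candidate.
    "createAnswerAsOther": (CREATE_ANSWER, {"questionId": 1, "personId": 1, "position": 2}),
}


def expected_allowed(role, op):
    """Access matrix as the PR states it: editors create questions and categories,
    candidates create answers only for themselves, nobody else may write."""
    if role == "editor":
        return op in ("createQuestion", "createCategory")
    if role == "candidate":
        return op == "createAnswer"
    return False


def decode_jwt_claims(token):
    """Unverified JWT payload, i.e. the claims Postgres sees as jwt.claims.*.
    Verifying the signature would need the server secret, which the PR does not contain."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def classify(response):
    """'allowed', 'denied' or 'error'. A missing grant surfaces as Postgres'
    'permission denied for table ...', a failing policy as
    'new row violates row-level security policy ...'; both count as denied."""
    errors = response.get("errors") or []
    if not errors:
        return "allowed" if response.get("data") else "error"
    text = " ".join(e.get("message", "") for e in errors)
    if "permission denied" in text or "row-level security" in text:
        return "denied"
    return "error"


def http_send(query, variables, token=None):
    """POST one GraphQL request to the assumed endpoint and return the parsed JSON."""
    headers = {"Content-Type": "application/json"}
    if token:
        headers["Authorization"] = "Bearer " + token
    body = json.dumps({"query": query, "variables": variables}).encode()
    req = urllib.request.Request(GRAPHQL_URL, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def login(send, email, password="password"):
    return send(AUTHENTICATE, {"email": email, "password": password})["data"]["authenticate"]["jwtToken"]


def run_matrix(send, tokens):
    """Run every operation as every role ('anonymous' sends no token) and return
    the (role, op, outcome) triples that disagree with expected_allowed()."""
    mismatches = []
    for role in ROLES:
        for op, (query, variables) in OPERATIONS.items():
            outcome = classify(send(query, variables, tokens.get(role)))
            if (outcome == "allowed") != expected_allowed(role, op):
                mismatches.append((role, op, outcome))
    return mismatches


if __name__ == "__main__":
    tokens = {role: login(http_send, email) for role, email in ACCOUNTS.items()}
    for role, tok in tokens.items():
        print(role, decode_jwt_claims(tok))
    print("mismatches:", run_matrix(http_send, tokens))
```

`run_matrix` takes the transport as a parameter so the same matrix can be replayed against a recorded set of responses; an empty mismatch list means the grants and policies behave exactly as the description claims, including the rejected `createAnswerAsOther` case for the candidate.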

christoph.lienhard commented 2020-05-30 19:29:25 +02:00 (Migrated from git.verdigado.com)

For now make it possible for the anonymous user to see everything in answers, question category and user.

Reference: NB-Public/kandimat#3