Added authorization for teams (#80)

* Team-level authorization feature added
* Examples updated
* SECURITY.md updated (#75)
* Dependencies updated

.github/workflows/main.yml

@@ -15,7 +15,7 @@ jobs:
  matrix:
  python-version: [ 3.7, 3.8, 3.9 ]
  steps:
- - uses: actions/checkout@v2.3.4
+ - uses: actions/checkout@v2.4.0
  - name: Determine version
  id: get_version
  run: |
@@ -28,12 +28,12 @@ jobs:
  echo "::set-output name=version::$version"
 
  - name: Set up Python ${{ matrix.python-version }}
- uses: actions/setup-python@v2.2.2
+ uses: actions/setup-python@v2.3.1
  with:
  python-version: ${{ matrix.python-version }}
 
  - name: Install poetry
- uses: abatilo/[email protected].3
+ uses: abatilo/[email protected].4
 
  - name: Set version
  run: |

SECURITY.md

@@ -2,11 +2,5 @@ We acknowledge that every line of code that we write may potentially contain
 security issues. We are trying to deal with it responsibly and provide patches
 as quickly as possible.
 
-We host our bug bounty program on HackerOne, it is currently private, therefore
-if you would like to report a vulnerability and get rewarded for it, please ask
-to join our program by filling this form:
-
-https://corporate.zalando.com/en/services-and-contact#security-form
-
-You can also send your report via this form if you do not want to join our bug
-bounty program and just want to report a vulnerability or security issue.
+If you want to report a security vulnerability please reach out to the team of
+[maintainers](MAINTAINERS) via e-mail.

clin/clients/http_client.py

@@ -51,7 +51,7 @@ def el(key: str):
  {"data_type": key, "value": x} for x in getattr(auth, key + "s")[role]
  ]
 
- return el("user") + el("service")
+ return el("user") + el("service") + el("team")
 
  payload = {role: parse(role) for role in auth.get_roles()}
  if auth.any_token.get("read", False):
@@ -63,23 +63,26 @@ def el(key: str):
 
 
 def ro_auth_from_payload(payload: dict) -> Optional[ReadOnlyAuth]:
- return _auth_from_payload(ReadOnlyAuth({}, {}, {"read": False}), payload)
+ return _auth_from_payload(ReadOnlyAuth({}, {}, {}, {"read": False}), payload)
 
 
 def rw_auth_from_payload(payload: dict) -> Optional[ReadWriteAuth]:
  return _auth_from_payload(
- ReadWriteAuth({}, {}, {"read": False, "write": False}), payload
+ ReadWriteAuth({}, {}, {}, {"read": False, "write": False}), payload
  )
 
 
 def _auth_from_payload(auth: TAuth, payload: dict) -> Optional[TAuth]:
  if not payload:
  return None
 
- for role in auth.get_roles():
+ for role in auth.get_roles(): # admins, readers
+ auth.teams[role] = []
  auth.users[role] = []
  auth.services[role] = []
  for el in payload.get(role, []):
+ if el["data_type"] == "team":
+ auth.teams[role].append(el["value"])
  if el["data_type"] == "user":
  auth.users[role].append(el["value"])
  if el["data_type"] == "service":

clin/models/auth.py

@@ -9,6 +9,7 @@
 @dataclass
 class Auth(ABC):
  users: dict[str, list[str]]
+ teams: dict[str, list[str]]
  services: dict[str, list[str]]
  any_token: dict[str, bool]
 
@@ -26,13 +27,15 @@ def get_any_token_values(cls) -> list[str]:
  def from_spec(cls, spec: dict) -> Auth:
  return cls(
  users=cls._parse_section(spec, "users"),
+ teams=cls._parse_section(spec, "teams"),
  services=cls._parse_section(spec, "services"),
  any_token=cls._parse_any_token(spec),
  )
 
  def to_spec(self) -> dict[str, dict[str, list[str]]]:
  return {
  "users": {role: self.users[role] for role in self.get_roles()},
+ "teams": {role: self.teams[role] for role in self.get_roles()},
  "services": {role: self.services[role] for role in self.get_roles()},
  "anyToken": {
  role: self.any_token.get(role, False)

clin/processor.py

@@ -89,6 +89,8 @@ def get_changed_sections(diff: dict):
  diff.get("values_changed", {}).keys(),
  diff.get("iterable_item_removed", {}).keys(),
  diff.get("iterable_item_added", {}).keys(),
+ diff.get("dictionary_item_added", []),
+ diff.get("dictionary_item_removed", []),
  )
 
  return set(k.split(".")[1] for k in changed_keys)

docs/examples/single/event-type.yaml

@@ -1,8 +1,8 @@
 kind: event-type
 spec:
- name: derokhin.clin.test # event type name - if it already exists, it will be updated
+ name: clin.example.event-type # event type name - if it already exists, it will be updated
  category: business # business | data | undefined
- owningApplication: stups_your-application # application kio id with "stups_" prefix
+ owningApplication: your_application_id
  audience: component-internal # component-internal | business-unit-internal | company-internal | external-partner | external-public
  partitioning:
  strategy: hash # hash | random | user_defined
@@ -16,12 +16,17 @@ spec:
  compatibility: compatible # none | forward | compatible
  jsonSchema: @@@./schema.yaml # Includes file relatively to the current
  auth:
+ teams:
+ admins:
+ - your_team
+ readers:
+ - sibling_team
+ writers:
  users:
  admins:
  - {{USER}} # env vars will be used to resolve this template variable
  writers:
  - {{USER}}
- - pjain
  readers:
  services:
  admins:

docs/examples/single/sql-query.yaml

@@ -1,28 +1,30 @@
 kind: sql-query
 spec:
- name: derokhin.clin.test-query # query name - if it already exists, it will be updated
+ name: clin.example.sql # query name - if it already exists, it will be updated
  sql: |
  SELECT *
- FROM "derokhin.clin.test" AS e
+ FROM "clin.example.event-type" AS e
  WHERE e."important_key" = 'hello world'
  envelope: false
  outputEventType:
  category: business # business | data | undefined
- owningApplication: stups_your-application # application kio id with "stups_" prefix
+ owningApplication: your_application_id
  audience: component-internal # component-internal | business-unit-internal | company-internal | external-partner | external-public
  cleanup:
  policy: delete
  retentionTimeDays: 2
  auth:
+ teams:
+ admins:
+ - your_team
+ readers:
+ - sibling_team
  users:
  admins:
- - dstockhammer
+  - {{USER}} # env vars will be used to resolve this template variable
  readers:
- - dstockhammer
- - derokhin
+ - derokhin
  services:
  admins:
  readers:
- - stups_your-application
- anyToken:
- read: false
+ - your_application_id

docs/examples/single/subscription.yaml

@@ -1,14 +1,17 @@
 kind: subscription
 spec:
- owningApplication: stups_your-application
- eventTypes:
- - zprice.derokhin.temp.clin.test1
- - zprice.derokhin.temp.clin.test2
+ owningApplication: your_application_id
+ eventTypes: # list of event-types in subscription
+ - clin.example.event-type
  consumerGroup: main
  auth:
+ teams:
+ admins:
+ - your_team
+ readers:
  users:
  admins:
- - {{USER}}
+ - {{USER}} # env vars will be used to resolve this template variable
  readers:
  - {{USER}}
  services: