SURFscz / SBS

Samenwerking Beheer Systeem ↣ Collaboration Management System
Apache License 2.0

Automated testing of correct authorization on endpoints #1461

Open baszoetekouw opened 4 weeks ago

baszoetekouw commented 4 weeks ago

I would like to have automatic tests to prevent bugs like #1457. Ideally there would be a test that iterates over all roles in the platform, tries to access all endpoints with all roles and checks that only the correct roles have access.

This is a huge piece of work, so I'm unsure on how to take this on. We should probably start with something like role definitions to see which roles there are in the first place.

Or we could approach it from a different direction, and introduce a framework that helps with the mapping from user/token to role to access rights, and migrate all API authorisation to use a more structural framework like this.

@oharsta do you have an idea whether there is a somewhat doable way to achieve this?
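An added example of the matrix-style test proposed above (not SBS project code): it drives every (endpoint, role) pair through an access check and reports each pair whose outcome differs from an expected access matrix. The endpoints, roles, `EXPECTED` matrix and `fake_authorize` (which carries one planted over-permissive rule) are constructed assumptions; in SBS they would be replaced by the real routes and a test client carrying each role's credentials.

```python
from itertools import product

ROLES = ("anonymous", "user", "org_admin", "platform_admin")

# Expected access matrix (constructed): endpoint -> roles that may reach it.
# Kept under version control, so any change in who may call what is a reviewable diff.
EXPECTED = {
    "GET /api/users/me": {"user", "org_admin", "platform_admin"},
    "GET /api/organisations": {"org_admin", "platform_admin"},
    "DELETE /api/organisations/1": {"platform_admin"},
    "GET /api/health": set(ROLES),
}

def fake_authorize(endpoint, role):
    """Stand-in for the application's access check (hypothetical).
    Returns an HTTP-style status: 200 allowed, 401 no identity, 403 forbidden.
    It carries one planted defect so the matrix test has something to find."""
    if endpoint == "GET /api/health":
        return 200
    if role == "anonymous":
        return 401
    if endpoint == "GET /api/users/me":
        return 200
    if endpoint == "GET /api/organisations":
        return 200 if role in ("org_admin", "platform_admin") else 403
    if endpoint == "DELETE /api/organisations/1":
        # Planted defect: org_admin gets through although only platform_admin should.
        return 200 if role in ("org_admin", "platform_admin") else 403
    return 404

def check_matrix(authorize, expected, roles):
    """Call `authorize` for every (endpoint, role) pair and return the mismatches.
    Each mismatch is (endpoint, role, kind): "over-permissive" when access was
    granted but not expected, "under-permissive" when expected but denied.
    An empty list means the implementation matches the matrix exactly."""
    mismatches = []
    for endpoint, role in product(expected, roles):
        allowed = authorize(endpoint, role) == 200
        if allowed != (role in expected[endpoint]):
            kind = "over-permissive" if allowed else "under-permissive"
            mismatches.append((endpoint, role, kind))
    return mismatches

if __name__ == "__main__":
    for endpoint, role, kind in check_matrix(fake_authorize, EXPECTED, ROLES):
        print(f"{kind}: {role} on {endpoint}")
```

Because the matrix is exhaustive over endpoints and roles, a newly added route that is missing from `EXPECTED` is itself a test failure once the route list is taken from the app instead of a literal, which is what forces the "which roles and endpoints exist" inventory the comment above asks for.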

baszoetekouw commented 3 weeks ago

For example, would a framework like these work for us?

mrvanes commented 3 weeks ago

Or Python -> Open Policy Agent https://opa-python.readthedocs.io/en/latest/

oharsta commented 3 weeks ago

@baszoetekouw perhaps it is a good idea to have a whiteboard session about this? What do we want to achieve, which problems it will solve and what would an MVP look like? There is an inherent risk of over-engineering this.